Puppet Class: dynamicproxy::api

Defined in:

modules/dynamicproxy/manifests/api.pp

Overview

Parameters:

• keystone_api_url (Stdlib::HTTPUrl)
• token_validator_username (String[1])
• token_validator_password (String[1])
• token_validator_project (String[1])
• acme_certname (Optional[String]) (defaults to: undef)
• ssl_settings (Optional[Array[String]]) (defaults to: undef)
• read_only (Boolean) (defaults to: false)

# File 'modules/dynamicproxy/manifests/api.pp', line 1

class dynamicproxy::api (
    Stdlib::HTTPUrl         $keystone_api_url,
    String[1]               $token_validator_username,
    String[1]               $token_validator_password,
    String[1]               $token_validator_project,
    Optional[String]        $acme_certname = undef,
    Optional[Array[String]] $ssl_settings = undef,
    Boolean                 $read_only = false,
) {
    # for new enough python3-keystonemiddleware versions
    debian::codename::require('bullseye', '>=')

    file { '/usr/local/bin/invisible-unicorn.py':
        source => 'puppet:///modules/dynamicproxy/invisible-unicorn.py',
        owner  => 'root',
        group  => 'root',
        mode   => '0555',
    }

    ensure_packages([
        'python3-flask',
        'python3-redis',
        'python3-flask-sqlalchemy',
        'python3-flask-keystone',  # this one is built and maintained by us
        'python3-oslo.context',
        'python3-oslo.policy',
        'sqlite3'
    ])

    uwsgi::app { 'invisible-unicorn':
        settings  => {
            uwsgi => {
                plugins            => 'python3',
                master             => true,
                socket             => '/run/uwsgi/invisible-unicorn.sock',
                mount              => '/dynamicproxy-api=/usr/local/bin/invisible-unicorn.py',
                callable           => 'app',
                manage-script-name => true,
                workers            => 4,
            },
        },
        subscribe => File['/usr/local/bin/invisible-unicorn.py'],
    }

    file { '/etc/dynamicproxy-api':
        ensure => directory,
        owner  => 'www-data',
        group  => 'www-data',
    }

    file { '/etc/dynamicproxy-api/config.ini':
        content => template('dynamicproxy/invisible-unicorn.ini.erb'),
        owner   => 'root',
        group   => 'root',
        mode    => '0444',
        notify  => Uwsgi::App['invisible-unicorn'],
    }

    file { '/data/project/backup':
        ensure => directory,
        owner  => 'root',
        group  => 'root',
        mode   => '0755',
    }

    file { '/data/project/backup/README':
        source  => 'puppet:///modules/dynamicproxy/BackupReadme',
        owner   => 'root',
        group   => 'root',
        mode    => '0644',
        require => File['/data/project/backup'],
    }

    file { '/usr/local/sbin/proxydb-bak.sh':
        mode   => '0555',
        owner  => 'root',
        group  => 'root',
        source => 'puppet:///modules/dynamicproxy/proxydb-bak.sh',
    }

    systemd::timer::job { 'proxydb-backup':
        ensure             => present,
        user               => 'root',
        description        => 'run proxydb-bak.sh',
        command            => '/usr/local/sbin/proxydb-bak.sh',
        interval           => {'start' => 'OnUnitInactiveSec', 'interval' => '24h'},
        monitoring_enabled => false,
        logging_enabled    => false,
        require            => File['/data/project/backup'],
    }

    # Create initial db file if it doesn't exist, but don't clobber if it does.
    file { '/etc/dynamicproxy-api/data.db':
        ensure  => file,
        source  => 'puppet:///modules/dynamicproxy/initial-data.db',
        replace => false,
        require => File['/etc/dynamicproxy-api'],
        owner   => 'www-data',
        group   => 'www-data',
    }

    nginx::site { 'invisible-unicorn':
        content => template('dynamicproxy/api.conf.erb'),
        require => Uwsgi::App['invisible-unicorn'],
    }

    # This is a GET-only front end that sits on port 5669.  We can
    #  open this up to the public even though the actual API has no
    #  auth protections.
    nginx::site { 'proxygetter':
        source => 'puppet:///modules/dynamicproxy/proxygetter.conf',
    }
}