# File 'modules/dynamicproxy/manifests/api.pp', line 1
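# @summary Deploys the "invisible-unicorn" dynamicproxy API: a Python
#   application served by uWSGI behind an nginx site, together with its
#   configuration files, the supported-zone list, the database schema and
#   a daily backup job for the proxy configuration database.
#
# Only $supported_zones and $mariadb_db are referenced directly in this
# manifest. The remaining parameters are presumably consumed by the
# invisible-unicorn.ini.erb and api.conf.erb templates rendered below
# (templates not shown here — confirm there). Every *_password parameter
# should be treated as a secret: config.ini is managed with show_diff
# disabled, which signals that credentials are rendered into it.
#
# @param keystone_api_url         Keystone API endpoint URL.
# @param dns_updater_username     Account used by the DNS updater.
# @param dns_updater_password     Secret for the DNS updater account.
# @param dns_updater_project      Keystone project of the DNS updater.
# @param token_validator_username Account used for token validation.
# @param token_validator_password Secret for the token validator account.
# @param token_validator_project  Keystone project of the token validator.
# @param mariadb_host             Database host.
# @param mariadb_db               Database name; also passed to the backup script.
# @param mariadb_username         Database account.
# @param mariadb_password         Secret for the database account.
# @param redis_primary_host       Redis primary host.
# @param proxy_dns_ipv4           IPv4 address (no subnet) published for the proxy.
# @param supported_zones          Zone name => Dynamicproxy::Zone, written to zones.json.
# @param acme_certname            Optional ACME certificate name.
# @param ssl_settings             Optional list of SSL settings.
# @param read_only                Whether the API runs in read-only mode.
class dynamicproxy::api (
    Stdlib::HTTPUrl                        $keystone_api_url,
    String[1]                              $dns_updater_username,
    String[1]                              $dns_updater_password,
    String[1]                              $dns_updater_project,
    String[1]                              $token_validator_username,
    String[1]                              $token_validator_password,
    String[1]                              $token_validator_project,
    Stdlib::Host                           $mariadb_host,
    String[1]                              $mariadb_db,
    String[1]                              $mariadb_username,
    String[1]                              $mariadb_password,
    Stdlib::Host                           $redis_primary_host,
    Stdlib::IP::Address::V4::Nosubnet      $proxy_dns_ipv4,
    Hash[String, Dynamicproxy::Zone]       $supported_zones,
    Optional[String]                       $acme_certname = undef,
    Optional[Array[String]]                $ssl_settings  = undef,
    Boolean                                $read_only     = false,
) {
    # for new enough python3-keystonemiddleware versions
    debian::codename::require('bullseye', '>=')

    # The application itself; uwsgi::app below is resubscribed to it so a
    # code change restarts the workers.
    file { '/usr/local/bin/invisible-unicorn.py':
        source => 'puppet:///modules/dynamicproxy/api/invisible-unicorn.py',
        owner  => 'root',
        group  => 'root',
        mode   => '0555',
    }

    if debian::codename::eq('bullseye') {
        # see https://phabricator.wikimedia.org/T340881
        apt::package_from_bpo { 'python3-flask-sqlalchemy':
            distro => 'bullseye',
        }
    }

    ensure_packages([
        'python3-flask',
        'python3-flask-sqlalchemy',
        'python3-flask-keystone',  # this one is built and maintained by us
        'python3-pymysql',
        'python3-redis',
        'python3-oslo.context',
        'python3-oslo.policy',
    ])

    uwsgi::app { 'invisible-unicorn':
        settings  => {
            uwsgi => {
                plugins            => 'python3',
                master             => true,
                socket             => '/run/uwsgi/invisible-unicorn.sock',
                mount              => '/dynamicproxy-api=/usr/local/bin/invisible-unicorn.py',
                callable           => 'app',
                manage-script-name => true,
                workers            => 4,
            },
        },
        subscribe => File['/usr/local/bin/invisible-unicorn.py'],
    }

    file { '/etc/dynamicproxy-api':
        ensure => directory,
        owner  => 'www-data',
        group  => 'www-data',
    }

    # Public data: world-readable is fine here.
    file { '/etc/dynamicproxy-api/zones.json':
        content => $supported_zones.to_json_pretty(),
        owner   => 'root',
        group   => 'root',
        mode    => '0444',
        notify  => Uwsgi::App['invisible-unicorn'],
    }

    # config.ini is rendered with show_diff disabled, which signals that it
    # carries the credentials passed to this class. It must therefore not be
    # world-readable: restrict it to root plus the service group.
    # NOTE(review): this assumes the uwsgi workers run as www-data, as the
    # www-data ownership of /etc/dynamicproxy-api suggests — confirm against
    # the uwsgi::app defaults before rolling this out.
    file { '/etc/dynamicproxy-api/config.ini':
        content   => template('dynamicproxy/api/invisible-unicorn.ini.erb'),
        owner     => 'root',
        group     => 'www-data',
        mode      => '0440',
        show_diff => false,
        notify    => Uwsgi::App['invisible-unicorn'],
    }

    # A SQL schema is data, not a program: no execute bit needed.
    file { '/etc/dynamicproxy-api/schema.sql':
        source => 'puppet:///modules/dynamicproxy/api/schema.sql',
        owner  => 'root',
        group  => 'root',
        mode   => '0444',
    }

    # Backup volume; ordered before the README so the file lands on the
    # mounted volume rather than on the root filesystem.
    cinderutils::ensure { 'db_backups':
        min_gb      => 1,
        max_gb      => 20,
        mount_point => '/srv/backup',
        before      => File['/srv/backup/README'],
    }

    file { '/srv/backup/README':
        ensure => file,
        source => 'puppet:///modules/dynamicproxy/api/BackupReadme',
        owner  => 'root',
        group  => 'root',
        mode   => '0644',
    }

    file { '/usr/local/sbin/proxydb-bak.sh':
        ensure => file,
        mode   => '0555',
        owner  => 'root',
        group  => 'root',
        source => 'puppet:///modules/dynamicproxy/api/proxydb-bak.sh',
    }

    # Daily backup; $mariadb_db comes from the class parameters (Hiera),
    # not from user input, so interpolating it into the command is acceptable.
    systemd::timer::job { 'proxydb-backup':
        ensure             => present,
        user               => 'root',
        description        => 'create a backup of the proxy configuration database',
        command            => "/usr/local/sbin/proxydb-bak.sh ${mariadb_db}",
        interval           => {'start' => 'OnUnitInactiveSec', 'interval' => '24h'},
        monitoring_enabled => false,
        logging_enabled    => false,
    }

    nginx::site { 'invisible-unicorn':
        content => template('dynamicproxy/api/api.conf.erb'),
        require => Uwsgi::App['invisible-unicorn'],
    }
}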