Puppet Class: envoyproxy
- Defined in:
- modules/envoyproxy/manifests/init.pp
Overview
SPDX-License-Identifier: Apache-2.0
# File 'modules/envoyproxy/manifests/init.pp', line 2
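# @summary Installs Envoy, lays out /etc/envoy, and wires up config
#   generation, verification and the hot-restart systemd service.
#
# @param ensure
#   Passed to the package, the managed files, the syslog definition and the
#   systemd service; directories use stdlib::ensure($ensure, 'directory').
# @param admin_port
#   TCP port of the Envoy admin listener written to admin-config.yaml.
# @param service_cluster
#   Not referenced in this manifest; presumably consumed by the systemd
#   unit templates - TODO confirm.
# @param pkg_name
#   Name of the package to install; one of the three values in the Enum.
# @param use_override
#   true selects the systemd override template, false the full unit
#   template; the value is also passed to systemd::service as `override`.
# @param runtime
#   Hash rendered to runtime.yaml. An empty hash makes the file absent.
class envoyproxy(
    Wmflib::Ensure                                $ensure,
    Stdlib::Port                                  $admin_port,
    String                                        $service_cluster,
    Enum['envoy', 'envoyproxy', 'getenvoy-envoy'] $pkg_name,
    Boolean                                       $use_override = true,
    Hash                                          $runtime = {},
) {
    # Variables for zone-aware routing, useful if that is used.
    $service_node = $::fqdn
    $service_zone = $::site

    $envoy_directory = '/etc/envoy'
    $dir_ensure = stdlib::ensure($ensure, 'directory')

    ensure_packages('python3-yaml')
    package { $pkg_name:
        ensure => $ensure
    }

    file { $envoy_directory:
        ensure => $dir_ensure,
        owner  => 'root',
        group  => 'root',
        mode   => '0755'
    }

    # Ensure envoy.yaml has the correct permissions.
    # It will be overwritten by the exec below.
    file { "${envoy_directory}/envoy.yaml":
        ensure => $ensure,
        owner  => 'root',
        group  => 'root',
        mode   => '0644',
    }

    # Create the subdirectories where we will store:
    # Listener and cluster definitions
    # recurse + purge removes any file in these directories that puppet does
    # not manage, so only declared definitions can reach the generated config.
    file { ["${envoy_directory}/listeners.d", "${envoy_directory}/clusters.d"]:
        ensure  => $dir_ensure,
        owner   => 'root',
        group   => 'root',
        mode    => '0755',
        recurse => true,
        purge   => true,
    }

    # Configure proper log filtering and rotation
    systemd::syslog { 'envoy':
        ensure     => $ensure,
        force_stop => true,
        # The package resource is titled $pkg_name, so a hard-coded
        # Package['envoyproxy'] only resolves for one of the three allowed
        # names. Reference the declared resource instead.
        require    => Package[$pkg_name], # 'envoy' user must exist
    }

    # build-envoy-config should generate all configuration starting from
    # the puppet-declared envoyproxy::listener and envoyproxy::cluster
    # definitions.
    #
    # It will also verify the new configuration and only put it in place if something
    # has changed.
    file { '/usr/local/sbin/build-envoy-config':
        ensure => $ensure,
        source => 'puppet:///modules/envoyproxy/build_envoy_config.py',
        owner  => 'root',
        group  => 'root',
        mode   => '0555',
    }

    # SECURITY: the admin listener binds to 0.0.0.0, i.e. every interface.
    # Envoy's admin interface has no authentication of its own and includes
    # state-changing endpoints, so reachability of $admin_port has to be
    # limited outside this class.
    # NOTE(review): confirm a host firewall rule restricts this port to the
    # monitoring hosts; nothing in this manifest does so.
    $admin = {
        'access_log' => {
            'typed_config' => {
                '@type' => 'type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog',
                'path'  => '/var/log/envoy/admin-access.log',
            },
        },
        'address' => { 'socket_address' => { 'address' => '0.0.0.0', 'port_value' => $admin_port } },
        # Don't apply global connection limits to the admin listener so we can still get metrics when overloaded
        'ignore_global_conn_limit' => true,
    }

    # NOTE(review): 0555 sets execute bits on a YAML data file (same for
    # runtime.yaml below); 0444 looks sufficient - confirm nothing relies on it.
    file { "${envoy_directory}/admin-config.yaml":
        ensure  => $ensure,
        content => to_yaml($admin),
        owner   => 'root',
        group   => 'root',
        mode    => '0555',
        notify  => Exec['verify-envoy-config'],
    }

    $runtime_ensure = $runtime ? {
        {}      => 'absent',
        default => $ensure
    }
    file { "${envoy_directory}/runtime.yaml":
        # If the hash is empty, leave out the file. In that case, build-envoy-config omits the runtime stanza.
        ensure  => $runtime_ensure,
        content => to_yaml($runtime),
        owner   => 'root',
        group   => 'root',
        mode    => '0555',
        notify  => Exec['verify-envoy-config'],
    }

    # Used by defines to verify the configuration.
    # refreshonly: runs as root only when notified by a changed input file,
    # then notifies the service.
    exec { 'verify-envoy-config':
        command     => "/usr/local/sbin/build-envoy-config -c '${envoy_directory}'",
        user        => 'root',
        refreshonly => true,
        notify      => Systemd::Service['envoyproxy.service'],
        require     => Package[$pkg_name],
    }

    $tpl = $use_override ? {
        true    => 'envoyproxy/systemd.override.conf.erb',
        default => 'envoyproxy/systemd.full.conf.erb',
    }

    # hot restarter script, taken from the envoy repository directly.
    file { '/usr/local/sbin/envoyproxy-hot-restarter':
        ensure => $ensure,
        source => 'puppet:///modules/envoyproxy/hot_restarter/hot-restarter.py',
        owner  => 'root',
        group  => 'root',
        mode   => '0555',
    }
    file { '/usr/local/sbin/envoyproxy-start':
        ensure => $ensure,
        source => 'puppet:///modules/envoyproxy/hot_restarter/start-envoy.sh',
        owner  => 'root',
        group  => 'root',
        mode   => '0555',
    }

    # We override the restart from puppet to become a reload, which sends
    # SIGHUP to the hot restarter.
    systemd::service { 'envoyproxy.service':
        ensure         => $ensure,
        content        => template($tpl),
        override       => $use_override,
        service_params => {'restart' => '/bin/systemctl reload envoyproxy.service', },
    }
}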