Puppet Class: envoyproxy

Defined in:
modules/envoyproxy/manifests/init.pp

Overview

SPDX-License-Identifier: Apache-2.0

Parameters:

  • ensure (Wmflib::Ensure)
  • admin_port (Stdlib::Port)
  • service_cluster (String)
  • pkg_name (Enum['envoy', 'envoyproxy', 'getenvoy-envoy'])
  • use_override (Boolean) (defaults to: true)
  • runtime (Hash) (defaults to: {})


# File 'modules/envoyproxy/manifests/init.pp', line 2

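# @summary Installs the envoy package, lays out /etc/envoy, and wires up the
#   config build/verify step and the hot-restart systemd unit.
#
# @param ensure Passed as `ensure` to the package, files and services declared here.
# @param admin_port TCP port of the envoy admin listener written to admin-config.yaml.
# @param service_cluster Not referenced in this manifest body; presumably consumed
#   by the systemd unit templates -- confirm against the ERB files.
# @param pkg_name Name of the package to install; one of the three known envoy packages.
# @param use_override If true, render the systemd override template, else the full unit.
# @param runtime Hash serialized to runtime.yaml; an empty hash removes that file.
class envoyproxy(
    Wmflib::Ensure $ensure,
    Stdlib::Port $admin_port,
    String $service_cluster,
    Enum['envoy', 'envoyproxy', 'getenvoy-envoy'] $pkg_name,
    Boolean $use_override = true,
    Hash $runtime = {},
) {

    # Variables for zone-aware routing, useful if that is used.
    $service_node = $::fqdn
    $service_zone = $::site
    $envoy_directory = '/etc/envoy'
    $dir_ensure = stdlib::ensure($ensure, 'directory')

    ensure_packages('python3-yaml')
    package { $pkg_name:
        ensure => $ensure
    }

    file { $envoy_directory:
        ensure => $dir_ensure,
        owner  => 'root',
        group  => 'root',
        mode   => '0755'
    }

    # Ensure envoy.yaml has the correct permissions.
    # It will be overwritten by the exec below.
    file { "${envoy_directory}/envoy.yaml":
        ensure => $ensure,
        owner  => 'root',
        group  => 'root',
        mode   => '0644',
    }

    # Create the subdirectories where we will store:
    # Listener and cluster definitions
    # recurse + purge removes any file in these directories that is not
    # declared in the catalog, so hand-placed listener/cluster fragments
    # do not survive a puppet run.
    file { ["${envoy_directory}/listeners.d", "${envoy_directory}/clusters.d"]:
        ensure  => $dir_ensure,
        owner   => 'root',
        group   => 'root',
        mode    => '0755',
        recurse => true,
        purge   => true,
    }

    # Configure proper log filtering and rotation
    # The dependency must name the package actually declared above: $pkg_name
    # may be 'envoy' or 'getenvoy-envoy', and a hard-coded Package['envoyproxy']
    # is then not in the catalog.
    systemd::syslog { 'envoy':
        ensure     => $ensure,
        force_stop => true,
        require    => Package[$pkg_name], # 'envoy' user must exist
    }

    # build-envoy-config should generate all configuration starting from
    # the puppet-declared envoyproxy::listener and envoyproxy::cluster
    # definitions.
    #
    # It will also verify the new configuration and only put it in place if something
    # has changed.
    # The script is executed as root by Exec['verify-envoy-config'], so it is
    # kept root-owned and not writable by anyone.
    file { '/usr/local/sbin/build-envoy-config':
        ensure => $ensure,
        source => 'puppet:///modules/envoyproxy/build_envoy_config.py',
        owner  => 'root',
        group  => 'root',
        mode   => '0555',
    }

    # NOTE(review): the admin listener binds to all interfaces (0.0.0.0).
    # Envoy's admin interface is unauthenticated and includes state-changing
    # endpoints, so reachability of $admin_port has to be restricted elsewhere
    # (host firewall rules, or a narrower bind address). Nothing in this class
    # does that -- confirm it is handled by the including profile.
    $admin = {
        'access_log' => {
            'typed_config' => {
                '@type' => 'type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog',
                'path' => '/var/log/envoy/admin-access.log',
            },
        },
        'address' => { 'socket_address' => { 'address' => '0.0.0.0', 'port_value' => $admin_port } },
        # Don't apply global connection limits to the admin listener so we can still get metrics when overloaded
        'ignore_global_conn_limit' => true,
    }

    # Plain YAML data: read-only for everyone, no execute bits.
    file { "${envoy_directory}/admin-config.yaml":
        ensure  => $ensure,
        content => to_yaml($admin),
        owner   => 'root',
        group   => 'root',
        mode    => '0444',
        notify  => Exec['verify-envoy-config'],
    }

    $runtime_ensure = $runtime ? {
        {}      => 'absent',
        default => $ensure
    }

    # Plain YAML data: read-only for everyone, no execute bits.
    file { "${envoy_directory}/runtime.yaml":
        # If the hash is empty, leave out the file. In that case, build-envoy-config omits the runtime stanza.
        ensure  => $runtime_ensure,
        content => to_yaml($runtime),
        owner   => 'root',
        group   => 'root',
        mode    => '0444',
        notify  => Exec['verify-envoy-config'],
    }

    # Used by defines to verify the configuration.
    # refreshonly: runs only when notified by a changed config fragment, then
    # triggers the service reload.
    exec { 'verify-envoy-config':
        command     => "/usr/local/sbin/build-envoy-config -c '${envoy_directory}'",
        user        => 'root',
        refreshonly => true,
        notify      => Systemd::Service['envoyproxy.service'],
        require     => Package[$pkg_name],
    }


    $tpl = $use_override ? {
        true    => 'envoyproxy/systemd.override.conf.erb',
        default => 'envoyproxy/systemd.full.conf.erb',
    }

    # hot restarter script, taken from the envoy repository directly.
    # NOTE(review): the upstream revision this copy was taken from is not
    # recorded here; noting it next to the file would make the vendored script
    # auditable and easier to keep current.
    file { '/usr/local/sbin/envoyproxy-hot-restarter':
        ensure => $ensure,
        source => 'puppet:///modules/envoyproxy/hot_restarter/hot-restarter.py',
        owner  => 'root',
        group  => 'root',
        mode   => '0555',
    }

    file { '/usr/local/sbin/envoyproxy-start':
        ensure => $ensure,
        source => 'puppet:///modules/envoyproxy/hot_restarter/start-envoy.sh',
        owner  => 'root',
        group  => 'root',
        mode   => '0555',
    }

    # We override the restart from puppet to become a reload, which sends
    # SIGHUP to the hot restarter.
    systemd::service { 'envoyproxy.service':
        ensure         => $ensure,
        content        => template($tpl),
        override       => $use_override,
        service_params => {'restart' => '/bin/systemctl reload envoyproxy.service',  },
    }
}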