Puppet Class: openstack::puppet::master::encapi

Defined in:
modules/openstack/manifests/puppet/master/encapi.pp

Overview

Parameters:

  • mysql_host (Stdlib::Host)
  • mysql_db (String[1])
  • mysql_username (String[1])
  • mysql_password (String[1])
  • acme_certname (String[1])
  • keystone_api_url (Stdlib::HTTPSUrl)
  • token_validator_username (String[1])
  • token_validator_password (String[1])
  • token_validator_project (String[1])
  • labweb_hosts (Array[Stdlib::Fqdn])
  • openstack_controllers (Array[Stdlib::Fqdn])
  • designate_hosts (Array[Stdlib::Fqdn])
  • labs_instance_ranges (Array[Stdlib::IP::Address::V4::CIDR])
  • ensure (Wmflib::Ensure) (defaults to: present)


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
# File 'modules/openstack/manifests/puppet/master/encapi.pp', line 1

class openstack::puppet::master::encapi(
    Stdlib::Host                         $mysql_host,
    String[1]                            $mysql_db,
    String[1]                            $mysql_username,
    String[1]                            $mysql_password,
    String[1]                            $acme_certname,
    Stdlib::HTTPSUrl                     $keystone_api_url,
    String[1]                            $token_validator_username,
    String[1]                            $token_validator_password,
    String[1]                            $token_validator_project,
    Array[Stdlib::Fqdn]                  $labweb_hosts,
    Array[Stdlib::Fqdn]                  $openstack_controllers,
    Array[Stdlib::Fqdn]                  $designate_hosts,
    Array[Stdlib::IP::Address::V4::CIDR] $labs_instance_ranges,
    Wmflib::Ensure                       $ensure = present,
) {
    # for new enough python3-keystonemiddleware versions
    debian::codename::require('bullseye', '>=')

    acme_chief::cert { $acme_certname:
        ensure     => $ensure,
        puppet_svc => 'nginx',
    }

    if $ensure == 'present' {
        ensure_packages([
            'python3-flask',
            'python3-flask-keystone',  # this one is built and maintained by us
            'python3-oslo.context',
            'python3-oslo.policy',
            'python3-pymysql',
            'python3-yaml',
        ])
    }

    $python_version = $::lsbdistcodename ? {
        'bullseye' => 'python3.9',
    }

    file { "/usr/local/lib/${python_version}/dist-packages/puppet-enc.py":
        ensure => stdlib::ensure($ensure, 'file'),
        owner  => 'root',
        group  => 'root',
        mode   => '0444',
        source => 'puppet:///modules/openstack/puppet/master/encapi/puppet-enc.py',
    }

    file {'/etc/logrotate.d/puppet-enc':
        ensure => stdlib::ensure($ensure, 'file'),
        owner  => 'root',
        group  => 'root',
        mode   => '0644',
        source => 'puppet:///modules/openstack/puppet/master/puppet_enc_logrotate',
    }

    # Make sure we can write to our logfile
    file { '/var/log/puppet-enc.log':
        ensure  => stdlib::ensure($ensure, 'file'),
        owner   => 'www-data',
        group   => 'www-data',
        replace => false,
    }

    # The app will check that the requesting IP is in  ALLOWED_WRITERS
    #  before writing or deleting.
    $allowed_writers = ($labweb_hosts + $designate_hosts + $openstack_controllers).reduce([]) |Array $accumulate, Stdlib::Fqdn $host| {
        $accumulate + [
            ipresolve($host, 4),
            ipresolve($host, 6),
        ]
    }

    file { '/etc/puppet-enc-api':
        ensure => directory,
        owner  => 'www-data',
        group  => 'www-data',
    }

    file { '/etc/puppet-enc-api/config.ini':
        content   => template('openstack/puppet/master/encapi/config.ini.erb'),
        owner     => 'root',
        group     => 'www-data',
        mode      => '0440',
        show_diff => false,
        notify    => Uwsgi::App['puppet-enc'],
    }

    # We override service_settings because the default includes autoload
    #  which insists on using python2
    uwsgi::app { 'puppet-enc':
        ensure    => $ensure,
        settings  => {
            uwsgi => {
                plugins             => 'python3',
                'wsgi-file'         => "/usr/local/lib/${python_version}/dist-packages/puppet-enc.py",
                callable            => 'app',
                master              => true,
                socket              => '/run/uwsgi/puppet-enc.sock',
                reload-on-exception => true,
                logto               => '/var/log/puppet-enc.log',
            },
        },
        subscribe => File["/usr/local/lib/${python_version}/dist-packages/puppet-enc.py"],
        require   => File['/var/log/puppet-enc.log'],
    }

    nginx::site { 'default':
        ensure => absent,
        before => Nginx::Site['puppet-enc-public'],
    }

    $ssl_settings  = ssl_ciphersuite('nginx', 'strong')

    nginx::site { 'puppet-enc':
        ensure  => $ensure,
        content => template('openstack/puppet/master/encapi/nginx-puppet-enc.conf.erb'),
    }

    # This is a GET-only front end that sits on port 8100.  We can
    #  open this up to the public even though the actual API has no
    #  auth protections.
    nginx::site { 'puppet-enc-public':
        ensure  => $ensure,
        content => template('openstack/puppet/master/encapi/nginx-puppet-enc-public.conf.erb'),
    }
}