4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
|
# File 'modules/profile/manifests/cache/purge.pp', line 4
class profile::cache::purge(
Optional[String] $frontend_addr = lookup('profile::cache::purge::frontend_addr', {'default_value' => undef}),
Optional[String] $backend_addr = lookup('profile::cache::purge::backend_addr', {'default_value' => undef}),
Optional[String] $host_regex = lookup('profile::cache::purge::host_regex', {'default_value' => undef}),
Array[String] $kafka_topics = lookup('profile::cache::purge::kafka_topics', {'default_value' => []}),
Boolean $kafka_tls = lookup('profile::cache::purge::kafka_tls', {'default_value' => false}),
String $kafka_cluster_name = lookup('profile::cache::purge::kafka_cluster_name', {'default_value' => 'main-eqiad'}),
Optional[String] $tls_key_password = lookup('profile::cache::purge::tls_key_password', {'default_value' => undef}),
Boolean $use_pki = lookup('profile::cache::purge::use_pki', {'default_value' => false}),
){
$kafka_ensure = $kafka_topics ? {
[] => 'absent',
default => 'present'
}
if $kafka_topics != [] {
$kafka_conf = kafka_config($kafka_cluster_name)
$brokers = $kafka_tls ? {
false => $kafka_conf['brokers']['string'].split(','),
default => $kafka_conf['brokers']['ssl_array']
}
} else {
$brokers = []
}
# KAFKA TLS SETUP
$base_dir = '/etc/purged'
$tls_dir = "${base_dir}/ssl"
$tls_private_dir = "${tls_dir}/private"
file { $base_dir:
ensure => 'directory',
owner => 'root',
group => 'root',
mode => '0555'
}
$cipher_suites = 'ECDHE-ECDSA-AES256-GCM-SHA384'
$curves_list = 'P-256'
$sigalgs_list = 'ECDSA+SHA256'
if $kafka_tls and $kafka_topics != [] {
if $use_pki {
file { $tls_dir:
ensure => 'directory',
owner => 'root',
group => 'root',
mode => '0555'
}
file { $tls_private_dir:
ensure => 'directory',
owner => 'root',
group => 'root',
mode => '0500'
}
$tls_paths = profile::pki::get_cert('discovery',
'purged',
{
'owner' => 'root',
'group' => 'root',
'notify_services' => ['purged'],
'outdir' => $tls_dir,
})
$tls_key = $tls_paths['key']
$tls_cert = $tls_paths['cert']
} else {
$tls_key = "${tls_private_dir}/purged.key.pem"
$tls_cert = "${tls_dir}/purged.crt.pem"
file { $tls_dir:
ensure => 'directory',
owner => 'root',
group => 'root',
mode => '0555'
}
file { $tls_private_dir:
ensure => 'directory',
owner => 'root',
group => 'root',
mode => '0500'
}
file { $tls_key:
ensure => 'present',
content => secret('certificates/purged/purged.key.private.pem'),
owner => 'root',
group => 'root',
mode => '0400',
before => Service['purged']
}
file { $tls_cert:
ensure => 'present',
content => secret('certificates/purged/purged.crt.pem'),
owner => 'root',
group => 'root',
mode => '0444',
before => Service['purged']
}
}
}
$tls_settings = {
'ca_location' => '/etc/ssl/certs/wmf-ca-certificates.crt',
'key_location' => $tls_key,
'key_password' => $tls_key_password,
'certificate_location' => $tls_cert,
'cipher_suites' => $cipher_suites,
'curves_list' => $curves_list,
'sigalgs_list' => $sigalgs_list
}
$prometheus_port = 2112
class { 'purged':
backend_addr => $backend_addr,
frontend_addr => $frontend_addr,
prometheus_addr => ":${prometheus_port}",
frontend_workers => 4,
backend_workers => $::processorcount,
is_active => true,
host_regex => $host_regex,
kafka_topics => $kafka_topics,
brokers => $brokers,
tls => $tls_settings,
kafka_conf_file => "${base_dir}/purged-kafka.conf"
}
}
|