Puppet Class: profile::conftool::requestctl_client

Defined in:
modules/profile/manifests/conftool/requestctl_client.pp

Summary

profile to install conftool requestctl plugin

Overview

SPDX-License-Identifier: Apache-2.0

Parameters:

  • conftool_prefix (String) (defaults to: lookup('conftool_prefix'))

    the conftool prefix

  • api_tokens (Hash[String, String]) (defaults to: lookup('profile::conftool::hiddenparma::api_tokens'))
  • admin_groups (Array[String]) (defaults to: lookup('profile::conftool::requestctl_client::admin_groups', { 'default_value' => ['ops'] }))


# File 'modules/profile/manifests/conftool/requestctl_client.pp', line 4

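class profile::conftool::requestctl_client (
    # Not referenced anywhere in this class body.
    String $conftool_prefix = lookup('conftool_prefix'),
    # Maps a user name to that user's API token. Read once per admin-group member and once for 'root'.
    Hash[String, String] $api_tokens = lookup('profile::conftool::hiddenparma::api_tokens'),
    # Names of groups in the admin module's data.yaml whose members each get a token file.
    Array[String] $admin_groups = lookup('profile::conftool::requestctl_client::admin_groups', { 'default_value' => ['ops'] }),
) {
    require profile::conftool::client
    # Remove the old requestctl client and everything that came with it.
    package { 'python3-conftool-requestctl': ensure => absent }
    # NOTE(review): if these paths are directories, `ensure => absent` alone does not remove them;
    # Puppet only deletes a directory when `force => true` is also set. Confirm and add it if the
    # cleanup is expected to take effect.
    file { ['/var/lib/requestctl', '/var/lib/requestctl/tests']:
        ensure => absent,
    }
    # Ensure everyone in the admin groups group has their api token in their home directory.
    # If even one user in the groups doesn't have an api token, puppet will fail.
    # While this might seem harsh, it's the only way to ensure people get onboarded correctly.
    $admin_module_path = get_module_path('admin')
    $admin_data = loadyaml("${admin_module_path}/data/data.yaml")['groups']
    # NOTE(review): the token file is declared once per (group, member) pair, so a user who is a
    # member of two groups listed in $admin_groups would produce a duplicate resource declaration.
    # With the default of a single group this cannot happen; revisit before listing several groups.
    $admin_groups.each |$grp| {
        unless $grp in $admin_data {
            fail("${grp}, declared in profile::conftool::requestctl_client::admin_groups, does not exist.")
        }
        $admin_data[$grp]['members'].each |$user| {
            if $user in $api_tokens {
                file { "/home/${user}/.requestctl":
                    ensure    => file,
                    mode      => '0400',
                    owner     => $user,
                    group     => $grp,
                    content   => "${api_tokens[$user]}\n",
                    # The content is a credential: keep it out of the diff Puppet can print to
                    # logs and reports when the file is created or changed.
                    show_diff => false,
                }
            } else {
                fail("User '${user}' lacks an api token for HP: please add it in profile::conftool::hiddenparma::api_tokens")
            }
        }
    }
    # A lot of people probably still have the muscle memory of using "sudo" when running requestctl. We need that to keep
    # working. We might want a better solution later.
    # Fail the same way as for regular users when the token is missing; otherwise a missing 'root'
    # key would interpolate to an empty string and silently install a token file holding only "\n".
    unless 'root' in $api_tokens {
        fail("User 'root' lacks an api token for HP: please add it in profile::conftool::hiddenparma::api_tokens")
    }
    file { '/root/.requestctl':
        ensure    => file,
        mode      => '0400',
        owner     => 'root',
        group     => 'root',
        content   => "${api_tokens['root']}\n",
        # Credential content: suppress the content diff in logs and reports.
        show_diff => false,
    }

    # This is a copy of the file contained in the scripts/ directory of the
    # HIDDENPARMA repository:
    # https://gitlab.wikimedia.org/repos/sre/hiddenparma/-/blob/main/scripts/requestctl_cli.py
    # Ownership is pinned explicitly: the script is run through sudo (see above) and mode 0755 leaves
    # it writable by its owner, so it must not depend on inherited defaults or pre-existing ownership.
    file { '/usr/bin/requestctl':
        ensure => file,
        owner  => 'root',
        group  => 'root',
        mode   => '0755',
        source => 'puppet:///modules/profile/conftool/requestctl_cli.original.py',
    }
    file { '/usr/local/bin/requestctl-checkip':
        ensure => file,
        owner  => 'root',
        mode   => '0555',
        source => 'puppet:///modules/profile/conftool/requestctl_checkip.py',
    }
}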