Puppet Class: profile::cumin::master

Defined in:
modules/profile/manifests/cumin/master.pp

Summary

profile to manage cumin masters

Overview

SPDX-License-Identifier: Apache-2.0

Parameters:

  • puppetdb_host (Stdlib::Host) (defaults to: lookup('puppetdb_host'))

    the host running puppetdb

  • datacenters (Array[String]) (defaults to: lookup('datacenters'))

    list of datacenters

  • kerberos_kadmin_host (Stdlib::Host) (defaults to: lookup('kerberos_kadmin_server_primary'))

    the host running kerberos kadmin

  • monitor_agentrun (Boolean) (defaults to: lookup('profile::cumin::monitor_agentrun'))

    whether to monitor agent runs

  • email_alerts (Boolean) (defaults to: lookup('profile::cumin::master::email_alerts'))

    whether to send email alerts



# File 'modules/profile/manifests/cumin/master.pp', line 8

class profile::cumin::master (
    Stdlib::Host  $puppetdb_host        = lookup('puppetdb_host'),
    Array[String] $datacenters          = lookup('datacenters'),
    Stdlib::Host  $kerberos_kadmin_host = lookup('kerberos_kadmin_server_primary'),
    Boolean       $monitor_agentrun     = lookup('profile::cumin::monitor_agentrun'),
    Boolean       $email_alerts         = lookup('profile::cumin::master::email_alerts'),
) {
    # Sets up a Cumin master: packages, the /etc/cumin configuration files, a
    # keyholder agent, two helper scripts, an optional weekly aliases check and
    # the Phabricator bot credentials.
    #
    # NOTE(review): $puppetdb_host, $datacenters and $kerberos_kadmin_host are
    # not referenced in this class body; presumably the ERB templates rendered
    # below read them - confirm before renaming or removing.

    # Makes $passwords::phabricator::ops_monitoring_bot_token available; it is
    # passed to phabricator::bot at the end of this class.
    include passwords::phabricator
    $cumin_log_path = '/var/log/cumin'
    $ssh_config_path = '/etc/cumin/ssh_config'
    # Append this host's FQDN to the hosts that have the cluster::management
    # role, then sort and de-duplicate, so the current host is in the list even
    # the first time the role is applied to it.
    $cumin_masters = (wmflib::role::hosts('cluster::management') << $facts['networking']['fqdn']).sort.unique
    # NOTE(review): the next three variables are not referenced again in this
    # class; presumably the ERB templates below consume them - confirm.
    $mariadb_roles = Profile::Mariadb::Role
    $mariadb_sections = Profile::Mariadb::Valid_section
    $owners = profile::contacts::get_owners().values.flatten.unique

    # Keyholder agent for this master; 'root' is the only trusted group.
    # NOTE(review): presumably trusted_groups decides which groups may use the
    # key held by the agent - confirm against keyholder::agent before widening.
    keyholder::agent { 'cumin_master':
        trusted_groups => ['root'],
    }

    ensure_packages([
        'clustershell',  # Installs nodeset CLI that is useful to mangle host lists.
        'cumin',
        'python3-dnspython',
        'python3-phabricator',
        'python3-requests',
    ])

    # Log directory: root:root 0750, so no access for users outside group root.
    file { $cumin_log_path:
        ensure => directory,
        owner  => 'root',
        group  => 'root',
        mode   => '0750',
    }

    # Configuration directory: 0755, listable by every local user; access to
    # the files inside is restricted per file below.
    file { '/etc/cumin':
        ensure => directory,
        owner  => 'root',
        group  => 'root',
        mode   => '0755',
    }

    # Main configuration, rendered from a template: 0640, not world-readable.
    file { '/etc/cumin/config.yaml':
        ensure  => file,
        owner   => 'root',
        group   => 'root',
        mode    => '0640',
        content => template('profile/cumin/config.yaml.erb'),
        require => File['/etc/cumin'],
    }

    # Second configuration file from its own template, same 0640 permissions.
    file { '/etc/cumin/config-installer.yaml':
        ensure  => file,
        owner   => 'root',
        group   => 'root',
        mode    => '0640',
        content => template('profile/cumin/config-installer.yaml.erb'),
        require => File['/etc/cumin'],
    }

    # Aliases file: 0644, the only file under /etc/cumin managed here that is
    # world-readable.
    file { '/etc/cumin/aliases.yaml':
        ensure  => file,
        owner   => 'root',
        group   => 'root',
        mode    => '0644',
        content => template('profile/cumin/aliases.yaml.erb'),
        require => File['/etc/cumin'],
    }

    # The aliases check script is installed only when e-mail alerts are
    # enabled, and removed otherwise.
    $check_cumin_aliases_ensure = $email_alerts ? {
        true => file,
        false => absent,
    }
    # 0544: readable by everyone, executable by the owner (root) only.
    file { '/usr/local/sbin/check-cumin-aliases':
        ensure => $check_cumin_aliases_ensure,
        source => 'puppet:///modules/profile/cumin/check_cumin_aliases.py',
        mode   => '0544',
        owner  => 'root',
        group  => 'root',
    }

    # 0555: readable and executable by every local user; no write bit is set,
    # not even for the owner.
    file { '/usr/local/bin/secure-cookbook':
        ensure => file,
        source => 'puppet:///modules/profile/cumin/secure_cookbook.py',
        mode   => '0555',
        owner  => 'root',
        group  => 'root',
    }

    # SSH client configuration shipped as a static file: 0640, not
    # world-readable.
    file { $ssh_config_path:
        ensure => file,
        owner  => 'root',
        group  => 'root',
        mode   => '0640',
        source => 'puppet:///modules/profile/cumin/ssh_config',
    }

    # Periodic aliases check, splayed across the week between the Cumin masters.
    # The schedule is computed even when the timer itself ends up absent.
    $times = cron_splay($cumin_masters, 'weekly', 'cumin-check-aliases')
    $check_cumin_aliases_timer_ensure = $email_alerts ? {
        true => present,
        false => absent,
    }

    # Runs the check as root. The timer exists only when $email_alerts is true,
    # in which case send_mail is true as well.
    # NOTE(review): ignore_errors presumably stops a failing check from marking
    # the unit as failed, leaving the e-mail as the only signal - confirm
    # against systemd::timer::job.
    systemd::timer::job { 'cumin-check-aliases':
        ensure        => $check_cumin_aliases_timer_ensure,
        user          => 'root',
        description   => 'Checks the cumin aliases file for problems.',
        command       => '/usr/local/sbin/check-cumin-aliases',
        send_mail     => $email_alerts,
        ignore_errors => true,
        interval      => { 'start' => 'OnCalendar', 'interval' => $times['OnCalendar'] },
    }

    # Hands the bot's API token from the passwords module to phabricator::bot.
    # NOTE(review): presumably owner/group apply to the file that class writes
    # the token to - confirm its mode keeps the token unreadable by other users.
    class { 'phabricator::bot':
        username => 'ops-monitoring-bot',
        token    => $passwords::phabricator::ops_monitoring_bot_token,
        owner    => 'root',
        group    => 'root',
    }
    # Agent-run monitoring is optional and lives in its own profile.
    if $monitor_agentrun {
        include profile::cumin::monitoring_agentrun
    }
}