Puppet Class: profile::docker::builder

Defined in:
modules/profile/manifests/docker/builder.pp

Overview

SPDX-License-Identifier: Apache-2.0

Class profile::docker::builder

This class sets up a docker builder server, where our base images can be built and uploaded to the docker registry.

Parameters

proxy_address

The HTTP proxy address used while building base images; set to undef if no proxy should be used.

proxy_port

The HTTP proxy port; set to undef if no proxy is needed (only meaningful together with proxy_address).

registry

Address of the docker registry.

password

Password for the “prod-build” user on the docker registry. This is a secret: it is written into /root/.docker/config.json on the builder host, so it must come from a protected hiera backend, never from a world-readable data file.

docker_pkg

Boolean value for enabling the docker_pkg component. The class also accepts prune_prod_images (enables the monthly image-prune timer), rebuild_images (enables the weekly rebuild timer) and known_uid_mappings; see the parameter list below.

Parameters:

  • proxy_address (Optional[Stdlib::Host]) (defaults to: lookup('profile::docker::builder::proxy_address', {default_value => undef}))
  • proxy_port (Optional[Stdlib::Port]) (defaults to: lookup('profile::docker::builder::proxy_port', {default_value => undef}))
  • registry (Stdlib::Host) (defaults to: lookup('docker::registry'))
  • password (String) (defaults to: lookup('profile::docker::builder::prod_build_password'))
  • docker_pkg (Boolean) (defaults to: lookup('profile::docker::docker_pkg', {default_value => false}))
  • prune_prod_images (Boolean) (defaults to: lookup('profile::docker::builder::prune_images'))
  • rebuild_images (Boolean) (defaults to: lookup('profile::docker::builder::rebuild_images'))
  • known_uid_mappings (Hash[String,Integer]) (defaults to: lookup('profile::docker::builder::known_uid_mappings', {default_value => undef}))


# File 'modules/profile/manifests/docker/builder.pp', line 19

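# Sets up a docker builder host: installs docker (optionally via docker_pkg),
# clones the production-images repository, drops the image build/manage
# scripts and their configs, logs the host into the registry as "prod-build"
# and (optionally) schedules periodic prune and rebuild jobs.
#
# @param proxy_address  HTTP proxy host for image builds; undef disables the proxy.
# @param proxy_port     HTTP proxy port; undef if not needed.
# @param registry       Docker registry the built images are pushed to.
# @param password       Registry password for the "prod-build" user. Written to
#                       /root/.docker/config.json via docker::credentials.
#                       NOTE(review): as a plain String this value is visible in
#                       the compiled catalog and in reports; wrap it in
#                       Sensitive[String] once docker::credentials accepts it.
# @param docker_pkg     When true, include the docker_pkg class.
# @param prune_prod_images  When true, install the monthly prune timer.
# @param rebuild_images When true, install the weekly rebuild timer (absent otherwise).
# @param known_uid_mappings  Optional map of name => uid. Not referenced directly
#                       in this class; presumably consumed by one of the ERB
#                       templates below through scope — verify before removing.
class profile::docker::builder(
    Optional[Stdlib::Host] $proxy_address = lookup('profile::docker::builder::proxy_address', {default_value => undef}),
    Optional[Stdlib::Port] $proxy_port = lookup('profile::docker::builder::proxy_port', {default_value => undef}),
    Stdlib::Host $registry = lookup('docker::registry'),
    String $password = lookup('profile::docker::builder::prod_build_password'),
    Boolean $docker_pkg = lookup('profile::docker::docker_pkg', {default_value => false}),
    Boolean $prune_prod_images = lookup('profile::docker::builder::prune_images'),
    Boolean $rebuild_images = lookup('profile::docker::builder::rebuild_images'),
    # The lookup defaults to undef, so the type must admit undef or compilation
    # fails with "expects a Hash value, got Undef" when the hiera key is absent.
    Optional[Hash[String,Integer]] $known_uid_mappings = lookup('profile::docker::builder::known_uid_mappings', {default_value => undef})
){

    if $docker_pkg {
        class { '::docker_pkg': }
    }

    class { 'service::deploy::common': }

    # Base images are built for these Debian releases. Note that 'stretch'
    # (Debian 9) no longer receives security updates; keep it only while
    # something still depends on a stretch-based image.
    class { 'docker::baseimages':
        docker_registry => $registry,
        proxy_address   => $proxy_address,
        proxy_port      => $proxy_port,
        distributions   => ['bullseye', 'buster', 'stretch'],
    }

    ensure_packages(['python3-virtualenv', 'virtualenv'])

    git::clone { 'operations/docker-images/production-images':
        ensure    => present,
        directory => '/srv/images/production-images'
    }

    # The config files below are 0444; the 0700 directory is what keeps them
    # from other local users. Ownership is pinned to root explicitly rather
    # than left to whatever user the agent happens to run as.
    file {'/etc/production-images':
        ensure => directory,
        owner  => 'root',
        group  => 'root',
        mode   => '0700',
    }

    # Rendered from templates not visible here; if any of them interpolates
    # $password, the directory mode above is the only thing protecting it.
    file { '/etc/production-images/config.yaml':
        ensure  => present,
        content => template('profile/docker/production-images-config.yaml.erb'),
        owner   => 'root',
        group   => 'root',
        mode    => '0444'
    }

    file { '/etc/production-images/config-istio.yaml':
        ensure  => present,
        content => template('profile/docker/production-images-config-istio.yaml.erb'),
        owner   => 'root',
        group   => 'root',
        mode    => '0444'
    }

    file { '/etc/production-images/config-cert-manager.yaml':
        ensure  => present,
        content => template('profile/docker/production-images-config-cert-manager.yaml.erb'),
        owner   => 'root',
        group   => 'root',
        mode    => '0444'
    }

    # Build/manage scripts are root-only (0500): they run with registry
    # credentials and are invoked by the root timers below.
    file { '/usr/local/bin/build-production-images':
        ensure => present,
        source => 'puppet:///modules/profile/docker/build-production-images.sh',
        owner  => 'root',
        group  => 'root',
        mode   => '0500'
    }

    file { '/usr/local/bin/manage-production-images':
        ensure => present,
        source => 'puppet:///modules/profile/docker/manage-production-images.sh',
        owner  => 'root',
        group  => 'root',
        mode   => '0500'
    }

    # Cleanup old images at the start of the month (04:00 on the 1st).
    # Unlike the rebuild timer this one is only ever added, never removed:
    # flipping prune_prod_images back to false leaves an existing timer in place.
    if $prune_prod_images {
        systemd::timer::job { 'prune-production-images':
            description     => 'Periodic job to prune old docker images',
            command         => '/usr/local/bin/manage-production-images prune',
            interval        => {'start' => 'OnCalendar', 'interval' => '*-*-01 04:00:00'},
            user            => 'root',
            logfile_basedir => '/var/log'
        }
    }

    # Registry login for root, so the build/manage scripts can push images.
    docker::credentials { '/root/.docker/config.json':
        owner             => 'root',
        group             => 'root',
        registry          => $registry,
        registry_username => 'prod-build',
        registry_password => $password,
    }

    $timer_ensure = $rebuild_images ? {
        true    => 'present',
        default => 'absent',
    }
    # Weekly rebuild of the production-images every Sunday at 06:00, ordered
    # after the debian-weekly-rebuild unit (defined elsewhere). Capped at 24h
    # so a hung build cannot overlap the next run.
    systemd::timer::job { 'production-images-weekly-rebuild':
        ensure              => $timer_ensure,
        description         => 'Weekly job to rebuild the production-images',
        command             => '/usr/local/bin/build-production-images --nightly',
        interval            => {'start' => 'OnCalendar', 'interval' => 'Sun *-*-* 06:00:00'},
        user                => 'root',
        after               => 'debian-weekly-rebuild.service',
        max_runtime_seconds => 86400,
    }
}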