Puppet Class: profile::dragonfly::dfdaemon

Defined in:
modules/profile/manifests/dragonfly/dfdaemon.pp

Overview

SPDX-License-Identifier: Apache-2.0

Parameters:

  • ensure (Wmflib::Ensure) (defaults to: lookup('profile::dragonfly::dfdaemon::ensure'))
  • supernodes (Array[String]) (defaults to: lookup('profile::dragonfly::dfdaemon::supernodes'))
  • docker_registry_fqdn (Stdlib::Fqdn) (defaults to: lookup('profile::dragonfly::dfdaemon::docker_registry_fqdn'))
  • proxy_urls_regex (Array[String]) (defaults to: lookup('profile::dragonfly::dfdaemon::proxy_urls_regex'))
  • ratelimit (String) (defaults to: lookup('profile::dragonfly::dfdaemon::ratelimit'))


# File 'modules/profile/manifests/dragonfly/dfdaemon.pp', line 2

# Profile for the Dragonfly dfdaemon on this host.
#
# It does three things: obtains a TLS certificate whose SANs cover this host
# *and* the docker registry FQDN (so dfdaemon can answer in the registry's
# name when it proxies image pulls), instantiates dragonfly::dfdaemon with the
# certificate paths, and opens the port dfget serves chunks on.
#
# @param ensure               'present' installs and configures, 'absent' removes.
# @param supernodes           Passed through unchanged to dragonfly::dfdaemon.
# @param docker_registry_fqdn FQDN of the registry dfdaemon intercepts; it is
#                             added as a SAN on the generated certificate.
# @param proxy_urls_regex     Passed through unchanged to dragonfly::dfdaemon
#                             (that class defines what the regexes match).
# @param ratelimit            Passed through unchanged to dragonfly::dfdaemon.
class profile::dragonfly::dfdaemon (
    Wmflib::Ensure $ensure = lookup('profile::dragonfly::dfdaemon::ensure'),
    Array[String] $supernodes = lookup('profile::dragonfly::dfdaemon::supernodes'),
    Stdlib::Fqdn  $docker_registry_fqdn = lookup('profile::dragonfly::dfdaemon::docker_registry_fqdn'),
    Array[String] $proxy_urls_regex = lookup('profile::dragonfly::dfdaemon::proxy_urls_regex'),
    String $ratelimit = lookup('profile::dragonfly::dfdaemon::ratelimit'),
) {
  # TODO: add a global hiera variable called docker_registry_fqdn and use it in the other
  #       places where we refer to it explicitly in hiera.

  # Generate a certificate to hijack/MITM requests to docker-registry as well as
  # accept connections via localhost.
  #
  # Security note: because $docker_registry_fqdn is a SAN, this certificate is
  # accepted as the registry by any client that trusts the 'discovery' CA. The
  # private key written to /etc/dragonfly is therefore a registry-impersonation
  # credential for this host; it is owned by 'dragonfly' here, but the file mode
  # is decided inside get_cert -- NOTE(review): confirm the key is not group/world
  # readable.
  #
  # With ensure == 'absent' get_cert fails because the user (owner) does not exist:
  # Error: Could not execute posix command: Invalid user: dragonfly
  # The user (and /etc/dragonfly) is created by the debian package which will not be installed
  # in case of ensure == 'absent'
  if $ensure == 'present' {
    # Inside this branch $ensure is always 'present', so the 'ensure' key below
    # is fixed; it is kept for symmetry with get_cert's interface.
    $ssl_paths = profile::pki::get_cert('discovery', $facts['fqdn'], {
      'ensure'          => $ensure,
      'owner'           => 'dragonfly',
      'outdir'          => '/etc/dragonfly',
      'hosts'           => [$facts['hostname'], $facts['fqdn'], $docker_registry_fqdn, '127.0.0.1', '::1', 'localhost'],
      'notify_services' => ['dragonfly-dfdaemon'],
    })
  } else {
    # Create a dummy so that dragonfly::dfdaemon receives valid paths.
    # Nothing is written to these paths; they only satisfy the type of the
    # parameters below while the service is being removed.
    $ssl_paths = {
      'chained' => '/nonexistent',
      'cert' => '/nonexistent',
      'key' => '/nonexistent',
    }
  }

  # Only the chained cert and the key are handed down; $ssl_paths['cert'] is
  # not used by this profile.
  class { 'dragonfly::dfdaemon':
    ensure               => $ensure,
    supernodes           => $supernodes,
    dfdaemon_ssl_cert    => $ssl_paths['chained'],
    dfdaemon_ssl_key     => $ssl_paths['key'],
    docker_registry_fqdn => $docker_registry_fqdn,
    proxy_urls_regex     => $proxy_urls_regex,
    ratelimit            => $ratelimit,
  }

  # This is the port dfget (called by dfdaemon) will listen and serve chunks on.
  # dfdaemon itself does not receive connections from outside.
  # Exposure is limited to DOMAIN_NETWORKS via src_sets; whether peers are
  # authenticated on this port is not decided here -- NOTE(review): check
  # dragonfly::dfdaemon / the dfget config before widening src_sets.
  firewall::service { 'dragonfly_dfget':
    ensure   => $ensure,
    proto    => 'tcp',
    port     => 15001,
    src_sets => ['DOMAIN_NETWORKS'],
  }

  # TODO: Add monitoring
}