Puppet Class: profile::etcd::tlsproxy

Defined in:
modules/profile/manifests/etcd/tlsproxy.pp

Overview

Parameters:

  • cert_name (Any) (defaults to: hiera('profile::etcd::tlsproxy::cert_name'))
  • acls (Any) (defaults to: hiera('profile::etcd::tlsproxy::acls'))
  • salt (Any) (defaults to: hiera('profile::etcd::tlsproxy::salt'))
  • read_only (Any) (defaults to: hiera('profile::etcd::tlsproxy::read_only'))
  • listen_port (Stdlib::Port) (defaults to: hiera('profile::etcd::tlsproxy::listen_port'))
  • upstream_port (Stdlib::Port) (defaults to: hiera('profile::etcd::tlsproxy::upstream_port'))
  • tls_upstream (Boolean) (defaults to: hiera('profile::etcd::tlsproxy::tls_upstream'))


# File 'modules/profile/manifests/etcd/tlsproxy.pp', line 1

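# @summary nginx TLS terminator in front of a local etcd, with HTTP basic
#   auth (htpasswd files) and canned etcd-style error responses.
#
# The class pulls in the shared TLS-proxy nginx instance and the etcd
# account passwords, deploys the certificate named by $cert_name, writes
# one htpasswd file per ACL key under /etc/nginx/auth/, stages the JSON
# error bodies under /etc/nginx/etcd-errors, and renders the site from
# profile/etcd/tls_proxy.conf.erb. Everything that nginx reads at startup
# is ordered before Service['nginx'].
#
# @param cert_name
#   Name of the sslcert::certificate to deploy; the private key is
#   deployed too (skip_private => false), so this host terminates TLS.
# @param acls
#   Hash whose keys name the htpasswd files; passed, together with the
#   accounts from passwords::etcd, to profile::etcd::htpasswd_file.
# @param salt
#   Handed to profile::etcd::htpasswd_file (presumably the salt for the
#   password hashes it writes — confirm in that define).
# @param read_only
#   Not referenced in this class body; presumably read by the
#   tls_proxy.conf.erb template (e.g. to answer writes with readonly.json).
# @param listen_port
#   Port the proxy listens on. Only the template consumes it, as far as
#   this file shows.
# @param upstream_port
#   Port of the etcd backend; template-only, like listen_port.
# @param tls_upstream
#   true  -> proxy to https://<fqdn>:<upstream_port>
#   false -> proxy to plain http on 127.0.0.1 (loopback only, never a
#            remote host, so the cleartext hop stays on-box).
class profile::etcd::tlsproxy(
    $cert_name = hiera('profile::etcd::tlsproxy::cert_name'),
    $acls = hiera('profile::etcd::tlsproxy::acls'),
    $salt = hiera('profile::etcd::tlsproxy::salt'),
    $read_only = hiera('profile::etcd::tlsproxy::read_only'),
    Stdlib::Port $listen_port = hiera('profile::etcd::tlsproxy::listen_port'),
    Stdlib::Port $upstream_port = hiera('profile::etcd::tlsproxy::upstream_port'),
    Boolean $tls_upstream = hiera('profile::etcd::tlsproxy::tls_upstream')
) {
    # Shared nginx instance (owns Package['nginx-full'] / Service['nginx'],
    # presumably) and the etcd account credentials.
    require ::profile::tlsproxy::instance
    require ::passwords::etcd

    $accounts = $::passwords::etcd::accounts

    # TODO: also support TLS cert auth to the backend
    $upstream_scheme = $tls_upstream ? {
        true    => 'https',
        default => 'http'
    }

    # Cleartext upstream is only ever loopback; TLS upstream goes to the
    # host's own FQDN so the backend certificate can be verified by name.
    $upstream_host = $tls_upstream ? {
        true    => $::fqdn,
        default => '127.0.0.1'
    }

    # Certificate plus private key must be in place before nginx starts.
    sslcert::certificate { $cert_name:
        skip_private => false,
        before       => Service['nginx'],
    }

    # Home of the htpasswd files: readable by the nginx user only.
    file { '/etc/nginx/auth/':
        ensure  => directory,
        mode    => '0550',
        owner   => 'www-data',
        require => Package['nginx-full'],
        before  => Service['nginx']
    }

    file { '/etc/nginx/etcd-errors':
        ensure  => directory,
        mode    => '0550',
        owner   => 'www-data',
        require => Package['nginx-full'],
        before  => Service['nginx']
    }

    # Simulate the etcd auth error. The parent directory is autorequired,
    # but the file itself must also exist before nginx starts, otherwise an
    # early auth failure is answered with a bare nginx error instead of the
    # etcd-shaped body clients expect.
    file { '/etc/nginx/etcd-errors/401.json':
        ensure  => present,
        mode    => '0444',
        content => '{"errorCode":110,"message":"The request requires user authentication","cause":"Insufficient credentials","index":0}',
        require => Package['nginx-full'],
        before  => Service['nginx'],
    }

    # Simulate the etcd read-only error; same ordering rationale as above.
    file { '/etc/nginx/etcd-errors/readonly.json':
        ensure  => present,
        mode    => '0444',
        content => '{"errorCode":107,"message":"This cluster is in read-only mode","cause":"Cluster configured to be read-only","index":0}',
        require => Package['nginx-full'],
        before  => Service['nginx'],
    }

    # One htpasswd file per ACL key. The define receives the whole ACL hash
    # and the account list and picks out what belongs to its own title;
    # Puppet's lack of data-structure mangling makes this the least bad way.
    $htpasswd_files = keys($acls)
    ::profile::etcd::htpasswd_file { $htpasswd_files:
        acls  => $acls,
        users => $accounts,
        salt  => $salt,
    }

    # The template reads the class variables above ($upstream_scheme,
    # $upstream_host, $listen_port, $upstream_port, $read_only, ...).
    nginx::site { 'etcd_tls_proxy':
        ensure  => present,
        content => template('profile/etcd/tls_proxy.conf.erb'),
    }
}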