Puppet Class: profile::imagecatalog

Defined in:
modules/profile/manifests/imagecatalog.pp

Overview

SPDX-License-Identifier: Apache-2.0

Parameters:

  • deployment_server (Stdlib::Fqdn) (defaults to: lookup('deployment_server'))


# File 'modules/profile/manifests/imagecatalog.pp', line 2

# Prepares per-cluster Kubernetes client credentials for the 'imagecatalog'
# user and declares the imagecatalog class.
#
# For every cluster returned by k8s::fetch_clusters(false) whose config has a
# truthy 'imagecatalog' key, a client certificate is requested via
# profile::pki::get_cert and a kubeconfig is declared at
# /etc/kubernetes/imagecatalog-<cluster name>.config. The resulting list of
# [cluster name, kubeconfig path] pairs is handed to the imagecatalog class.
#
# @param deployment_server
#   FQDN compared against this node's fqdn fact. The imagecatalog class is
#   declared 'present' only when the two match, and 'absent' otherwise.
class profile::imagecatalog (
    Stdlib::Fqdn $deployment_server = lookup('deployment_server'),
) {
    # Ensure /etc/kubernetes/pki is created with proper permissions before the first pki::get_cert call
    # FIXME: https://phabricator.wikimedia.org/T337826
    # defined() only sees resources already evaluated at this point of the catalog compile, so this
    # guard depends on evaluation order: if another class declares File[$cert_dir] later, compilation
    # fails with a duplicate declaration; if it was declared earlier, that declaration's owner/mode wins.
    # Mode 0755 leaves the directory listable and traversable by every local user, so the confidentiality
    # of whatever is stored here rests on the per-file ownership and mode set by profile::pki::get_cert.
    # NOTE(review): confirm that get_cert writes private keys with a mode that is not world-readable.
    $cert_dir = '/etc/kubernetes/pki'
    unless defined(File[$cert_dir]) {
        file { $cert_dir:
            ensure => 'directory',
            owner  => 'root',
            group  => 'root',
            mode   => '0755',
        }
    }

    # Fetch clusters without aliases
    # The lambda yields a [cluster name, kubeconfig path] pair for clusters with imagecatalog enabled
    # and undef for the others (an `if` without a matching branch evaluates to undef).
    # NOTE(review): this block does not look at $ensure (computed further down), so the client
    # certificate and kubeconfig are declared on every node that includes this profile, not only on
    # the deployment server. Confirm that issuing these credentials on non-matching hosts is intended.
    $kubernetes_clusters = k8s::fetch_clusters(false).map | String $name, K8s::ClusterConfig $config | {
        if ($config['imagecatalog']) {
            # Same user name is used for the certificate request, the kubeconfig user entry and file ownership.
            $username = 'imagecatalog'

            # Request the client certificate from the cluster's PKI intermediate; files go to $cert_dir
            # and are owned by the imagecatalog user.
            $auth_cert = profile::pki::get_cert($config['pki_intermediate_base'], $username, {
                'renew_seconds'  => $config['pki_renew_seconds'],
                'outdir'         => $cert_dir,
                'owner'          => $username,
                # imagecatalog user does not have any organisation attributes (e.g. groups)
                # attached as it is being granted specific (limited) rights via RBAC.
            })

            # One kubeconfig per cluster, owned by user and group imagecatalog.
            # No mode is passed here, so the file mode is whatever k8s::kubeconfig applies by default.
            # NOTE(review): confirm that default keeps the kubeconfig unreadable for other local users.
            $kubeconfig_path = "/etc/kubernetes/imagecatalog-${name}.config"
            k8s::kubeconfig { $kubeconfig_path:
                master_host => $config['master'],
                username    => $username,
                auth_cert   => $auth_cert,
                owner       => $username,
                group       => $username,
            }
            [$name, $kubeconfig_path]
        }
    }
    .filter |$v| { $v =~ NotUndef }       # and remove the undef entries for clusters where imagecatalog isn't enabled.

    # 'present' only on the node whose fqdn fact equals $deployment_server; every other node gets 'absent'.
    $ensure = $deployment_server ? {
        $::fqdn => 'present',
        default => 'absent'
    }

    # Resource-like class declaration: port and data_dir are fixed here, only the cluster list and
    # ensure state are computed above.
    class { 'imagecatalog':
        port                => 3691,
        data_dir            => '/srv/deployment/imagecatalog',
        kubernetes_clusters => $kubernetes_clusters,
        ensure              => $ensure,
    }
}