Puppet Class: profile::imagecatalog
- Defined in:
- modules/profile/manifests/imagecatalog.pp
Overview
SPDX-License-Identifier: Apache-2.0
# File 'modules/profile/manifests/imagecatalog.pp', line 2
# @summary Issues a client certificate and a kubeconfig for the 'imagecatalog' user on each
#   Kubernetes cluster whose config enables imagecatalog, then declares the imagecatalog class.
# @param deployment_server
#   FQDN compared with this node's fqdn fact: on a match imagecatalog is ensured 'present',
#   otherwise 'absent'. Defaults to the 'deployment_server' lookup key.
class profile::imagecatalog (
    Stdlib::Fqdn $deployment_server = lookup('deployment_server'),
) {
    # /etc/kubernetes/pki must exist with these permissions before the first pki::get_cert call.
    # FIXME: https://phabricator.wikimedia.org/T337826
    # defined() only sees resources that were already evaluated, so this guard is
    # evaluation-order dependent. The directory is root-owned and world-traversable (0755);
    # read protection of the key material inside has to come from the owner/mode that
    # get_cert applies to the files themselves.
    # NOTE(review): get_cert's file modes are not visible here, confirm them.
    $cert_dir = '/etc/kubernetes/pki'
    unless defined(File[$cert_dir]) {
        file { $cert_dir:
            ensure => 'directory',
            owner  => 'root',
            group  => 'root',
            mode   => '0755',
        }
    }

    # Walk the clusters (fetched without aliases) and build one [cluster name, kubeconfig path]
    # pair per cluster that enables imagecatalog; clusters that do not yield undef.
    # NOTE(review): the certificates and kubeconfigs are declared on every node that includes
    # this profile, whatever $ensure resolves to below. Confirm that hosts other than the
    # active deployment server are meant to hold these credentials.
    $kubernetes_clusters = k8s::fetch_clusters(false).map |String $cluster, K8s::ClusterConfig $settings| {
        if ($settings['imagecatalog']) {
            $k8s_user = 'imagecatalog'

            # The imagecatalog user does not have any organisation attributes (e.g. groups)
            # attached, as it is granted specific (limited) rights via RBAC. Authorization
            # therefore rests on the RBAC bindings for this user name alone.
            $pki_options = {
                'renew_seconds' => $settings['pki_renew_seconds'],
                'outdir'        => $cert_dir,
                'owner'         => $k8s_user,
            }
            $client_cert = profile::pki::get_cert($settings['pki_intermediate_base'], $k8s_user, $pki_options)

            # The kubeconfig is owned by the service user and group; no file mode is passed,
            # so the mode is whatever k8s::kubeconfig applies by default.
            # NOTE(review): confirm that default keeps the file private to that user.
            $kubeconfig = "/etc/kubernetes/imagecatalog-${cluster}.config"
            k8s::kubeconfig { $kubeconfig:
                master_host => $settings['master'],
                username    => $k8s_user,
                auth_cert   => $client_cert,
                owner       => $k8s_user,
                group       => $k8s_user,
            }

            [$cluster, $kubeconfig]
        }
    }
    .filter |$pair| { $pair =~ NotUndef } # drop the undef entries left by clusters without imagecatalog

    # Only the node whose fqdn equals $deployment_server gets imagecatalog 'present'.
    $ensure = if $deployment_server == $::fqdn {
        'present'
    } else {
        'absent'
    }

    class { 'imagecatalog':
        ensure              => $ensure,
        port                => 3691,
        data_dir            => '/srv/deployment/imagecatalog',
        kubernetes_clusters => $kubernetes_clusters,
    }
}