Puppet Class: profile::java

Defined in:
modules/profile/manifests/java.pp

Overview

SPDX-License-Identifier: Apache-2.0

Class profile::java

This profile deploys openjdk following the best practices used at the WMF.

It also supports deploying the various openjdk variants (jre, jre-headless, jdk, jdk-headless), and several versions side by side.

To avoid unnecessary hiera params, there are defaults that apply when profile::java::java_packages is left empty:

  • On Debian Buster/Bullseye, by default, we simply deploy openjdk-11-jdk.

  • On Debian Bookworm, by default, we simply deploy openjdk-17-jdk.

Any other release makes catalog compilation fail.

Changing the defaults is easy. For example, setting the following in hiera deploys openjdk-8-jre-headless and openjdk-11-jdk, and makes the former (listed first) the default via alternatives:

profile::java::java_packages:

- version: 8
  variant: jre-headless
- version: 11
  variant: jdk

Extra environment variables can also be written to /etc/environment.d/10openjdk.conf (used by some teams, like Analytics) through profile::java::extra_args, a hash mapping variable name to value. Example: 'JAVA_TOOL_OPTIONS="-Dfile.encoding=UTF-8"', which every JVM started with that environment picks up.

For convenience the variables default_java_home and default_package_name are provided, exposing the default JVM's home directory and its package name (e.g. openjdk-11-jdk).

Parameters:

  • java_packages (Array[Java::PackageInfo]) (defaults to: lookup('profile::java::java_packages'))

    Array of Java::PackageInfo (version and variant) describing what to install and configure; empty means use the per-release default described above

  • extra_args (Hash[String[1], String[1]]) (defaults to: lookup('profile::java::extra_args'))

    Hash of extra environment variables (name to value) written to /etc/environment.d/10openjdk.conf; nothing is written when empty

  • hardened_tls (Boolean) (defaults to: lookup('profile::java::hardened_tls'))

    if true, enable the hardened TLS security profile

  • egd_source (Java::Egd_source) (defaults to: lookup('profile::java::egd_source'))

    location of the SecureRandom entropy source (the JVM's securerandom.source setting)

  • trust_puppet_ca (Boolean) (defaults to: lookup('profile::java::trust_puppet_ca'))

    if true, add the Puppet CA to the Java trust store: in the production realm the Puppet5_Internal_CA together with the Wikimedia_Internal_Root_CA (both from wmf-certificates), elsewhere the CA from the agent's local puppet config; when false the entries are removed (ensure => absent)

  • enable_dbg (Boolean) (defaults to: lookup('profile::java::enable_dbg'))

    Install the openjdk debug packages (off by default)
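As an added verification example (not part of this profile or the WMF puppet repository), the checks a practitioner would run after the profile has applied, modelled on the hiera example above: that the current java alternative points at the intended major version (the "Value:" line of update-alternatives, not "Best:", since the alternative is set manually), that the CA alias is present in the JVM's default cacerts store, and that securerandom.source is what egd_source was meant to set. It assumes that the java module writes egd_source into java.security as securerandom.source and that java::cacert imports into the default cacerts store under the resource title as alias; the sample outputs embedded below are constructed, not captured from a host, and the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not from the WMF puppet repo: post-apply checks for a host
# with profile::java. Each check reads the relevant command output from stdin
# so it can be exercised offline on the constructed samples below; run_live()
# wires the same functions to the real commands.

# alt_points_to_version EXPECTED  <  `update-alternatives --query java`
# Succeeds if the *current* 'java' alternative ("Value:", not "Best:") is the
# openjdk build of the expected major version. The glob tolerates both the
# 11/17 layout (.../bin/java) and the 8 layout (.../jre/bin/java).
alt_points_to_version() {
    expected="$1"
    value=$(sed -n 's/^Value: //p')
    case "$value" in
        /usr/lib/jvm/java-"$expected"-openjdk-*/bin/java) return 0 ;;
        *) return 1 ;;
    esac
}

# securerandom_source  <  java.security
# Prints the effective securerandom.source: commented-out lines are ignored
# and the last uncommented assignment wins, as in the JDK's properties parser.
securerandom_source() {
    grep -E '^[[:space:]]*securerandom\.source[[:space:]]*=' \
        | tail -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# truststore_has_alias ALIAS  <  `keytool -list -cacerts -storepass changeit`
# keytool prints one "alias, date, entryType," line per entry. Aliases are
# compared case-insensitively because Java keystores lower-case them.
truststore_has_alias() {
    awk -F', ' -v want="$1" 'tolower($1) == tolower(want) { found = 1 } END { exit !found }'
}

# run_live VERSION ALIAS EXPECTED_SOURCE JAVA_SECURITY_PATH
# Runs the three checks against the host (requires root-readable cacerts and
# a JDK >= 9 for the -cacerts flag). JAVA_SECURITY_PATH is usually
# $JAVA_HOME/conf/security/java.security on 11/17.
run_live() {
    update-alternatives --query java | alt_points_to_version "$1" \
        || { echo "java alternative is not openjdk $1" >&2; return 1; }
    keytool -list -cacerts -storepass changeit | truststore_has_alias "$2" \
        || { echo "alias $2 missing from the default truststore" >&2; return 1; }
    src=$(securerandom_source < "$4")
    [ "$src" = "$3" ] \
        || { echo "securerandom.source is '$src', expected '$3'" >&2; return 1; }
}

# Constructed samples (not captured from a real host) modelling the hiera
# example: openjdk-8-jre-headless set as default while openjdk-11-jdk is also
# installed, so "Best:" (highest priority) and "Value:" (manual choice) differ.
SAMPLE_ALTERNATIVES='Name: java
Link: /usr/bin/java
Slaves:
 java.1.gz /usr/share/man/man1/java.1.gz
Status: manual
Best: /usr/lib/jvm/java-11-openjdk-amd64/bin/java
Value: /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java'

SAMPLE_JAVA_SECURITY='# constructed excerpt
#securerandom.source=file:/dev/random
securerandom.source=file:/dev/urandom
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA'

SAMPLE_KEYTOOL='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

wmf:puppetca.pem, Feb 10, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
wmf:wikimedia_internal_root_ca, Feb 10, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00'

# Offline self-check: exercises every function on the samples, including the
# negative cases (wrong version, missing alias).
self_check() {
    printf '%s\n' "$SAMPLE_ALTERNATIVES" | alt_points_to_version 8 || return 1
    ! printf '%s\n' "$SAMPLE_ALTERNATIVES" | alt_points_to_version 11 || return 1
    [ "$(printf '%s\n' "$SAMPLE_JAVA_SECURITY" | securerandom_source)" = 'file:/dev/urandom' ] || return 1
    printf '%s\n' "$SAMPLE_KEYTOOL" | truststore_has_alias 'wmf:Wikimedia_Internal_Root_CA' || return 1
    ! printf '%s\n' "$SAMPLE_KEYTOOL" | truststore_has_alias 'wmf:missing' || return 1
}

case "${1:-}" in
    --live) run_live "$2" "$3" "$4" "$5" ;;
    *)      self_check && echo "offline self-check passed" ;;
esac
```

With no arguments the script only runs the offline self-check; on a host use `sh check-java.sh --live 8 wmf:puppetca.pem file:/dev/urandom /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/java.security` (adjusting the version and java.security path to the JVM actually set as default). Checking "Value:" rather than "Best:" matters because the openjdk packages register their own alternative priorities, so "Best:" will usually name the newest JDK even when the profile deliberately selected an older one.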



# File 'modules/profile/manifests/java.pp', line 37

class profile::java (
    Array[Java::PackageInfo]   $java_packages   = lookup('profile::java::java_packages'),
    Hash[String[1], String[1]] $extra_args      = lookup('profile::java::extra_args'),
    Boolean                    $hardened_tls    = lookup('profile::java::hardened_tls'),
    Java::Egd_source           $egd_source      = lookup('profile::java::egd_source'),
    Boolean                    $trust_puppet_ca = lookup('profile::java::trust_puppet_ca'),
    Boolean                    $enable_dbg      = lookup('profile::java::enable_dbg'),
) {

    # Per-release defaults, used only when no java_packages were given in hiera.
    # Unsupported releases fail at catalog compilation rather than silently
    # installing nothing.
    $default_java_packages = $facts['os']['distro']['codename'] ? {
        'buster'    => [{'version' => '11', 'variant' => 'jdk'}],
        'bullseye'  => [{'version' => '11', 'variant' => 'jdk'}],
        'bookworm'  => [{'version' => '17', 'variant' => 'jdk'}],
        default     => fail("${module_name} doesn't support ${facts['os']['distro']['codename']}")
    }

    $_java_packages = $java_packages.empty() ? {
        true  => $default_java_packages,
        false => $java_packages
    }

    # trust_puppet_ca => false does not merely skip the import: the entries are
    # removed from the trust store.
    $cacerts_ensure = $trust_puppet_ca ? {
        true    => 'present',
        default => 'absent',
    }

    if $::realm == 'production' {
        # Production hosts trust the internal Puppet CA and the internal root CA,
        # both shipped by the wmf-certificates package.
        $cacerts = {
            'wmf:puppetca.pem' => {
                'ensure' => $cacerts_ensure,
                'path'   => '/usr/share/ca-certificates/wikimedia/Puppet5_Internal_CA.crt',
            },
            'wmf:Wikimedia_Internal_Root_CA' => {
                'ensure' => $cacerts_ensure,
                'path'   => '/usr/share/ca-certificates/wikimedia/Wikimedia_Internal_Root_CA.crt',
            },
        }
        # includes wmf-certificates
        include profile::base::certificates
        $java_require = Package['wmf-certificates']
    } else {
        # Outside production, only the CA this agent already talks to.
        $cacerts = {
            'wmf:puppetca.pem' => {
                'ensure' => $cacerts_ensure,
                'path'   => $facts['puppet_config']['localcacert'],
            },
        }
        $java_require = undef
    }
    class { 'java':
        java_packages => $_java_packages,
        hardened_tls  => $hardened_tls,
        egd_source    => $egd_source,
        enable_dbg    => $enable_dbg,
        require       => $java_require,
    }
    # Import the CAs only after the default JVM's alternatives are in place,
    # so the import runs against the intended JVM.
    $cacerts.each |$title, $config| {
        java::cacert {$title:
            require => Alternatives::Java[$java::default_java_package['version']],
            *       => $config,
        }
    }

    # Exposed for other profiles: home directory and package name of the default JVM.
    $default_java_home = $java::java_home
    $default_package_name = "openjdk-${java::default_java_package['version']}-${java::default_java_package['variant']}"

    # Extra environment variables land in /etc/environment.d/10openjdk.conf.
    unless $extra_args.empty {
        systemd::environment { 'openjdk':
            priority  => 10,
            variables => $extra_args,
        }
    }
}