Puppet Class: profile::kubernetes::deployment_server::helmfile
- Defined in:
- modules/profile/manifests/kubernetes/deployment_server/helmfile.pp
Overview
SPDX-License-Identifier: Apache-2.0
Installs helmfile and helmfile-diff, plus all the Puppet-provided defaults and secrets for each service.
# File 'modules/profile/manifests/kubernetes/deployment_server/helmfile.pp', line 5
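class profile::kubernetes::deployment_server::helmfile (
    # Fallback owner/group/mode for a service's private files; individual keys
    # can be overridden per service through its 'private_files' hash.
    Profile::Kubernetes::User_defaults $user_defaults = lookup('profile::kubernetes::deployment_server::user_defaults'),
    # Service definitions, indexed by cluster group and then by service name.
    Hash[String, Hash[String, Profile::Kubernetes::Services]] $services = lookup('profile::kubernetes::deployment_server::services', { 'default_value' => {} }),
    # Secret values, indexed by cluster group; deep-merged over $services.
    Hash[String, Any] $services_secrets = lookup('profile::kubernetes::deployment_server_secrets::services', { 'default_value' => {} }),
    # Default secrets, indexed by cluster name; each service's per-cluster data
    # is deep-merged over them.
    Hash[String, Any] $default_secrets = lookup('profile::kubernetes::deployment_server_secrets::defaults', { 'default_value' => {} }),
    # Admin-service secrets: cluster group => service name => cluster name => data.
    Hash[String, Any] $admin_services_secrets = lookup('profile::kubernetes::deployment_server_secrets::admin_services', { 'default_value' => {} }),
    # Group given access to each per-cluster-group private directory.
    String $helm_user_group = lookup('profile::kubernetes::deployment_server::helm_user_group'),
) {
    # Add the global configuration for all deployments.
    require profile::kubernetes::deployment_server::global_config

    # Install helmfile and the repository containing helmfile deployments.
    class { 'helmfile': }
    class { 'helmfile::repository':
        repository => 'operations/deployment-charts',
        srcdir     => '/srv/deployment-charts',
    }

    $general_private_dir = "${profile::kubernetes::deployment_server::global_config::general_dir}/private"

    # Private directories for admin services: root-only, no deployer group access.
    $admin_private_dir = "${general_private_dir}/admin"
    file { $admin_private_dir:
        ensure => directory,
        owner  => 'root',
        group  => 'root',
        mode   => '0750',
    }

    # Install the private values for each service
    k8s::fetch_cluster_groups().each | String $cluster_group, Hash $cluster | {
        $merged_services = deep_merge($services[$cluster_group], $services_secrets[$cluster_group])

        # Per "cluster_group" private directory for services
        $service_private_dir = "${general_private_dir}/${cluster_group}_services"
        file { $service_private_dir:
            ensure => directory,
            owner  => 'root',
            group  => $helm_user_group,
            mode   => '0750',
        }

        if $admin_services_secrets[$cluster_group] {
            $admin_services_secrets[$cluster_group].each | String $svcname, Hash $data | {
                $admin_service_dir = "${admin_private_dir}/${svcname}"
                # The same admin service can appear under several cluster groups,
                # so only declare its directory once.
                unless defined(File[$admin_service_dir]) {
                    file { $admin_service_dir:
                        ensure  => directory,
                        owner   => 'root',
                        group   => 'root',
                        mode    => '0750',
                        force   => true,
                        recurse => true,
                    }
                }
            }
        }

        # New-style private directories are one per service, not per cluster.
        $merged_services.each | String $svcname, Hash $data | {
            # Overlay 'private_files' on the defaults, exactly as is done for the
            # YAML files below, so a partial override (e.g. only 'mode') does not
            # leave the directory's owner/group undefined and unmanaged.
            $permissions = $data['private_files'] ? {
                undef   => $user_defaults,
                default => $user_defaults.merge($data['private_files']),
            }
            $service_dir_ensure = $data['ensure'] ? {
                undef     => directory,
                'present' => directory,
                default   => $data['ensure'],
            }
            # NOTE(review): recurse is set without purge, so a per-cluster secrets
            # file that Puppet stops managing stays on disk until removed by hand.
            file { "${service_private_dir}/${svcname}":
                ensure  => $service_dir_ensure,
                owner   => $permissions['owner'],
                group   => $permissions['group'],
                mode    => '0750',
                force   => true,
                recurse => true,
            }
        }

        $cluster.each() | String $cluster_name, K8s::ClusterConfig $_ | {
            # 'each' rather than 'map': the lambda only declares resources and its
            # return value is never used.
            $merged_services.each | String $svcname, Hash $data | {
                # Permission and file presence setup
                if $data['private_files'] {
                    $permissions = $user_defaults.merge($data['private_files'])
                } else {
                    $permissions = $user_defaults
                }
                $service_ensure = $data['ensure'] ? {
                    undef   => present,
                    default => $data['ensure'],
                }
                $raw_data = deep_merge($default_secrets[$cluster_name], $data[$cluster_name])
                # write private section only if there is any secret defined.
                unless $raw_data.empty {
                    # Substitute the value of any key in the form <somekey>: secret__<somevalue>
                    # with <somekey>: secret(<somevalue>)
                    # This allows to avoid having to copy/paste certs inside of yaml files directly,
                    # for example.
                    $secret_data = wmflib::inject_secret($raw_data)
                    file { "${service_private_dir}/${svcname}/${cluster_name}.yaml":
                        ensure    => $service_ensure,
                        owner     => $permissions['owner'],
                        group     => $permissions['group'],
                        mode      => $permissions['mode'],
                        content   => to_yaml($secret_data),
                        # The content holds secret material: never emit a content
                        # diff into agent logs or reports, even if the agent-wide
                        # show_diff setting is turned on.
                        show_diff => false,
                        require   => "File[${service_private_dir}/${svcname}]",
                    }
                }
            }

            if $admin_services_secrets[$cluster_group] {
                $admin_services_secrets[$cluster_group].each | String $svcname, Hash $data | {
                    unless $data[$cluster_name].empty {
                        $secret_data = wmflib::inject_secret($data[$cluster_name])
                        file { "${admin_private_dir}/${svcname}/${cluster_name}.yaml":
                            owner     => 'root',
                            group     => 'root',
                            mode      => '0440',
                            content   => to_yaml($secret_data),
                            # Admin secrets: keep content diffs out of logs and reports.
                            show_diff => false,
                            require   => "File[${admin_private_dir}/${svcname}]",
                        }
                    }
                }
            }
        }
    }
}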