Puppet Class: profile::openstack::base::puppetmaster::frontend

Defined in:
modules/profile/manifests/openstack/base/puppetmaster/frontend.pp

Overview

Parameters:

  • openstack_controllers (Array[Stdlib::Fqdn]) (defaults to: lookup('profile::openstack::base::openstack_controllers'))
  • designate_hosts (Array[Stdlib::Fqdn]) (defaults to: lookup('profile::openstack::base::designate_hosts'))
  • puppetmasters (Any) (defaults to: hiera('profile::openstack::base::puppetmaster::servers'))
  • puppetmaster_ca (Any) (defaults to: hiera('profile::openstack::base::puppetmaster::ca'))
  • puppetmaster_hostname (Any) (defaults to: hiera('profile::openstack::base::puppetmaster_hostname'))
  • puppetmaster_webhostname (Any) (defaults to: hiera('profile::openstack::base::puppetmaster::web_hostname'))
  • encapi_db_host (Any) (defaults to: hiera('profile::openstack::base::puppetmaster::encapi::db_host'))
  • encapi_db_name (Any) (defaults to: hiera('profile::openstack::base::puppetmaster::encapi::db_name'))
  • encapi_db_user (Any) (defaults to: hiera('profile::openstack::base::puppetmaster::encapi::db_user'))
  • encapi_db_pass (Any) (defaults to: hiera('profile::openstack::base::puppetmaster::encapi::db_pass'))
  • encapi_statsd_prefix (Any) (defaults to: hiera('profile::openstack::base::puppetmaster::encapi::statsd_prefix'))
  • statsd_host (Any) (defaults to: hiera('profile::openstack::base::statsd_host'))
  • labweb_hosts (Any) (defaults to: hiera('profile::openstack::base::labweb_hosts'))
  • cert_secret_path (Any) (defaults to: hiera('profile::openstack::base::puppetmaster::cert_secret_path'))


# File 'modules/profile/manifests/openstack/base/puppetmaster/frontend.pp', line 1

# @summary Frontend puppetmaster profile for an OpenStack deployment.
#
# Declares the shared puppetmaster profile
# (profile::openstack::base::puppetmaster::common), the certificate manager,
# the generic puppetmaster frontend and an extra 'puppet' web frontend.
# It also installs the autosign policy script, opens the firewall for agent
# traffic (tcp/8140) and for remote certificate cleaning (tcp/22), and grants
# database access for the ENC API database.
#
# Security-relevant points a reviewer should keep in mind:
#  * Certificate signing is delegated to the 'autosign' policy executable
#    configured below; that script is the only gate between a CSR and a
#    signed certificate.
#  * $encapi_db_pass is an untyped, plain parameter (not Sensitive) that is
#    handed to two other resources.
#  * The firewall rules are built from host lists looked up in hiera.
#
# @param openstack_controllers
#   Controller FQDNs. Passed to the common profile; their resolved addresses
#   are listed as remote cert cleaners and they are given database access.
# @param designate_hosts
#   Designate FQDNs. Passed to the common profile; their resolved addresses
#   are listed as remote cert cleaners and they are allowed in on tcp/22.
# @param puppetmasters
#   Used as a hash below: its keys are given database access and the entry
#   for $::fqdn is used as the worker list of the 'puppet' web frontend.
# @param puppetmaster_ca
#   Passed as ca_server of the frontend and as master of the 'puppet' vhost.
# @param puppetmaster_hostname
#   Passed through to the common profile.
# @param puppetmaster_webhostname
#   Passed as web_hostname of the frontend and to the common profile.
# @param encapi_db_host
#   Passed through to the common profile.
# @param encapi_db_name
#   Passed to the common profile and used as db_name of the database grants.
# @param encapi_db_user
#   Passed to the common profile and used as db_user of the database grants.
# @param encapi_db_pass
#   Database password; passed to the common profile and to the database
#   grants as a plain value.
# @param encapi_statsd_prefix
#   Passed through to the common profile.
# @param statsd_host
#   Passed through to the common profile.
# @param labweb_hosts
#   Passed to the common profile and allowed in on tcp/8140.
# @param cert_secret_path
#   Passed to the 'puppet' web frontend.
class profile::openstack::base::puppetmaster::frontend(
    Array[Stdlib::Fqdn] $openstack_controllers = lookup('profile::openstack::base::openstack_controllers'),
    Array[Stdlib::Fqdn] $designate_hosts = lookup('profile::openstack::base::designate_hosts'),
    $puppetmasters = hiera('profile::openstack::base::puppetmaster::servers'),
    $puppetmaster_ca = hiera('profile::openstack::base::puppetmaster::ca'),
    $puppetmaster_hostname = hiera('profile::openstack::base::puppetmaster_hostname'),
    $puppetmaster_webhostname = hiera('profile::openstack::base::puppetmaster::web_hostname'),
    $encapi_db_host = hiera('profile::openstack::base::puppetmaster::encapi::db_host'),
    $encapi_db_name = hiera('profile::openstack::base::puppetmaster::encapi::db_name'),
    $encapi_db_user = hiera('profile::openstack::base::puppetmaster::encapi::db_user'),
    $encapi_db_pass = hiera('profile::openstack::base::puppetmaster::encapi::db_pass'),
    $encapi_statsd_prefix = hiera('profile::openstack::base::puppetmaster::encapi::statsd_prefix'),
    $statsd_host = hiera('profile::openstack::base::statsd_host'),
    $labweb_hosts = hiera('profile::openstack::base::labweb_hosts'),
    $cert_secret_path = hiera('profile::openstack::base::puppetmaster::cert_secret_path'),
    ) {

    include ::network::constants
    include ::profile::backup::host
    include ::profile::conftool::client
    include ::profile::conftool::master

    # validatelabsfqdn looks up an instance certname in nova and makes sure
    #  it belongs to an actual instance before the certificate is signed.
    # It is wired in as the 'autosign' policy executable further down, so its
    #  exit status decides whether a CSR is signed. Installed root-owned and
    #  0555 (no write bit for anyone).
    file { '/usr/local/sbin/validatelabsfqdn.py':
        ensure => 'present',
        owner  => 'root',
        group  => 'root',
        mode   => '0555',
        source => 'puppet:///modules/puppetmaster/validatelabsfqdn.py',
    }

    # Shared puppetmaster setup; every value is passed through unchanged.
    # NOTE(review): encapi_db_pass travels as a plain value, so it is
    #  presumably visible in the compiled catalog -- confirm how the common
    #  profile stores it.
    class {'profile::openstack::base::puppetmaster::common':
        openstack_controllers    => $openstack_controllers,
        designate_hosts          => $designate_hosts,
        puppetmaster_webhostname => $puppetmaster_webhostname,
        puppetmaster_hostname    => $puppetmaster_hostname,
        puppetmasters            => $puppetmasters,
        encapi_db_host           => $encapi_db_host,
        encapi_db_name           => $encapi_db_name,
        encapi_db_user           => $encapi_db_user,
        encapi_db_pass           => $encapi_db_pass,
        encapi_statsd_prefix     => $encapi_statsd_prefix,
        statsd_host              => $statsd_host,
        labweb_hosts             => $labweb_hosts,
    }

    # IPv4 and IPv6 addresses of the hosts that are allowed to clean certs.
    # These are class-scope variables, so the ERB template rendered below may
    #  read them as well -- keep the names stable.
    $designate_ips = $designate_hosts.map |$host| { ipresolve($host, 4) }
    $designate_ips_v6 = $designate_hosts.map |$host| { ipresolve($host, 6) }
    $openstack_controller_ips = $openstack_controllers.map |$host| { ipresolve($host, 4) }
    $openstack_controller_ips_v6 = $openstack_controllers.map |$host| { ipresolve($host, 6) }

    # Only declare the cert manager if nothing else has declared it already;
    #  defined() depends on evaluation order, so in that case the
    #  remote_cert_cleaners list below is not applied.
    if ! defined(Class['puppetmaster::certmanager']) {
        class { 'puppetmaster::certmanager':
            remote_cert_cleaners => flatten([
                $designate_ips,
                $designate_ips_v6,
                $openstack_controller_ips,
                $openstack_controller_ips_v6,
            ])
        }
    }

    # Puppet master settings: node classification comes from the puppet-enc
    #  executable, and 'autosign' points at the policy script installed above
    #  (Puppet runs it for each incoming CSR and signs when it exits 0).
    $config = {
        'node_terminus'     => 'exec',
        'external_nodes'    => '/usr/local/bin/puppet-enc',
        'thin_storeconfigs' => false,
        'autosign'          => '/usr/local/sbin/validatelabsfqdn.py',
    }

    # NOTE(review): the effect of secure_private => false is defined in
    #  profile::puppetmaster::frontend, which is not visible here -- confirm
    #  what it turns off for this deployment.
    # extra_auth_rules is rendered from an ERB template in this class's scope.
    class { '::profile::puppetmaster::frontend':
        ca_server        => $puppetmaster_ca,
        web_hostname     => $puppetmaster_webhostname,
        config           => $config,
        secure_private   => false,
        servers          => $puppetmasters,
        extra_auth_rules => template('profile/openstack/base/puppetmaster/extra_auth_rules.conf.erb'),
    }

    # The above profile will make a standard vhost for $web_hostname.
    #  We also want to support clients using simple 'puppet'
    #   as the master name.  There's some DNS magic elsewhere
    #   so that VMs can refer to 'puppet' and get a deployment-appropriate
    #   puppetmaster.
    # NOTE(review): workers is the $puppetmasters entry for this host's FQDN;
    #  presumably every frontend is a key of that hash -- confirm, since a
    #  missing key yields undef.
    ::puppetmaster::web_frontend { 'puppet':
        master           => $puppetmaster_ca,
        workers          => $puppetmasters[$::fqdn],
        bind_address     => $::puppetmaster::bind_address,
        priority         => 40,
        cert_secret_path => $cert_secret_path,
    }

    # Agent traffic (tcp/8140) is accepted from the labs networks and from
    #  the labweb hosts; the labweb names are emitted as ferm @resolve()
    #  expressions for A and AAAA records.
    $labs_networks = join($network::constants::labs_networks, ' ')
    $labweb_ips = inline_template("@resolve((<%= @labweb_hosts.join(' ') %>))")
    $labweb_ips_v6 = inline_template("@resolve((<%= @labweb_hosts.join(' ') %>), AAAA)")
    ferm::rule{'puppetmaster_balancer':
        ensure => 'present',
        rule   => "saddr (${labs_networks}
                          ${labweb_ips} ${labweb_ips_v6})
                          proto tcp dport 8140 ACCEPT;",
    }

    # SSH (tcp/22) is accepted from the designate hosts, v4 and v6.
    # NOTE(review): remote_cert_cleaners above also lists the openstack
    #  controllers, but this rule admits only the designate hosts; presumably
    #  the controllers are covered by another rule or do not connect over
    #  ssh -- confirm.
    ferm::rule{'puppetcertcleaning':
        ensure => 'present',
        rule   => "saddr (@resolve((${join($designate_hosts,' ')}))
                          @resolve((${join($designate_hosts,' ')}), AAAA))
                        proto tcp dport 22 ACCEPT;",
    }

    # Root-owned directory, world-readable (0755).
    file {'/etc/labspuppet':
        ensure => directory,
        owner  => 'root',
        group  => 'root',
        mode   => '0755',
    }

    # Database grants for the ENC API database: access is given to the
    #  openstack controllers and to every key of $puppetmasters.
    openstack::db::project_grants { 'labspuppet':
        access_hosts => flatten([$openstack_controllers, keys($puppetmasters)]),
        db_name      => $encapi_db_name,
        db_user      => $encapi_db_user,
        db_pass      => $encapi_db_pass,
    }
}