Puppet Class: profile::pontoon::base

Defined in:
modules/profile/manifests/pontoon/base.pp

Overview

This profile is injected by the Pontoon ENC and used as the hook for code running on all Pontoon hosts.

Parameters:

  • provider (String) (defaults to: lookup('profile::pontoon::provider', { default_value => 'cloud_vps' }))
  • sd_enabled (Boolean) (defaults to: lookup('profile::pontoon::sd_enabled', { default_value => false }))
  • pki_enabled (Boolean) (defaults to: lookup('profile::puppetmaster::pontoon::pki_enabled', { default_value => false }))
  • root_ca_name (Cfssl::Ca_name) (defaults to: lookup('profile::pki::root_ca::common_name', {'default_value' => ''}))


# File 'modules/profile/manifests/pontoon/base.pp', line 5

# @summary Base profile applied to every Pontoon host through the Pontoon ENC.
#
# Besides provider-specific setup, monitoring and locales, this class changes
# what the host trusts: it declares a host entry for pki.discovery.wmnet and
# replaces the Puppet CA (and optionally the PKI root CA) certificate under
# /usr/share/ca-certificates/wikimedia/ with Pontoon's own.
#
# @param provider
#   Suffix of the provider class to include
#   (profile::pontoon::provider::<provider>).
# @param sd_enabled
#   When true, profile::pontoon::sd is included.
# @param pki_enabled
#   When true and root_ca_name is non-empty, the Pontoon PKI root CA is
#   installed next to the Puppet CA certificate.
# @param root_ca_name
#   File name (without the .crt suffix) used for the PKI root CA certificate.
class profile::pontoon::base (
    String  $provider   = lookup('profile::pontoon::provider', { default_value => 'cloud_vps' }),
    Boolean $sd_enabled = lookup('profile::pontoon::sd_enabled', { default_value => false }),
    Boolean $pki_enabled = lookup('profile::puppetmaster::pontoon::pki_enabled', { default_value => false }),
    Cfssl::Ca_name $root_ca_name = lookup('profile::pki::root_ca::common_name', {'default_value' => ''}),
) {
    if $sd_enabled {
        include profile::pontoon::sd
    }

    # The included class name is built from $provider, which is only typed as
    # String, so any class under profile::pontoon::provider:: can be selected
    # by the Hiera value.
    # NOTE(review): a stricter type (Enum or Pattern) would turn a typo or an
    # unexpected value into a clear type error - confirm the set of valid
    # providers before narrowing.
    include "profile::pontoon::provider::${provider}"

    # Partial duplication/compatibility with profile::base::production
    # Ideally Pontoon runs with the profile above enabled, and we are
    # not there yet.
    include profile::monitoring

    # PKI is a "base" service, often required even in minimal stacks
    # (e.g. puppetdb can use PKI).
    # Do not require a load balancer and service discovery enabled
    # to be able to use PKI.
    #
    # Only the first host returned for the role is used. ipresolve() runs when
    # the catalog is compiled, so the address written to the host entry stays
    # fixed until the next Puppet run.
    # NOTE(review): every client on this host reaches PKI at whatever address
    # is resolved here - presumably hosts_for_role() is driven by the stack's
    # role mapping; confirm who can edit that mapping.
    $pki_hosts = pontoon::hosts_for_role('pki::multirootca')
    if $pki_hosts and length($pki_hosts) > 0 {
        host { 'pki.discovery.wmnet':
            ip => ipresolve($pki_hosts[0]),
        }
    }

    # Include en_US.UTF-8 which is generated by debian-installer in wikiprod hosts
    include profile::locales::base

    # Trust the Pontoon Puppet CA (and optionally PKI)
    # In theory this could be handled via profile::base::certificates::trusted_certs
    # however there isn't a mechanism to optionally include a cert (i.e.
    # when PKI isn't enabled)
    ensure_packages(['wmf-certificates'])

    # This is cheeky but necessary to give that production look and feel:
    # Replace the Puppet CA (and PKI) public certs with Pontoon's, since
    # that's what users expect (i.e. these two certs will 'just work')
    # and the filenames must be compatible with what will work in production

    # `source` is an absolute local path, so the certificate is copied from
    # the agent's own filesystem: the host's copy of the Puppet CA certificate
    # is installed under the production CA's file name.
    # NOTE(review): no owner/group/mode is set on this trust anchor; it relies
    # on File defaults defined outside this class - confirm the result is
    # root-owned and not group- or world-writable. `ensure => present` also
    # accepts any existing file type at this path; `ensure => file` would be
    # stricter.
    file { '/usr/share/ca-certificates/wikimedia/Puppet5_Internal_CA.crt':
        ensure => present,
        source => '/var/lib/puppet/ssl/certs/ca.pem',
        notify => Exec['reconfigure-wmf-certificates'],
    }

    if $pki_enabled and $root_ca_name != '' {
        # Unlike the resource above, file() is evaluated on the server that
        # compiles the catalog: /etc/pontoon/pki/ca.pem must exist there and
        # its content is shipped inside the catalog.
        # NOTE(review): $root_ca_name is interpolated into the target path;
        # this assumes Cfssl::Ca_name rejects '/' and '..' - confirm against
        # the type definition. The owner/group/mode and `ensure => present`
        # remarks on the Puppet CA file apply here as well.
        file { "/usr/share/ca-certificates/wikimedia/${root_ca_name}.crt":
            ensure  => present,
            content => file('/etc/pontoon/pki/ca.pem'),
            notify  => Exec['reconfigure-wmf-certificates'],
        }
    }

    # refreshonly: runs only when one of the certificate files above changes
    # and notifies it; presumably this is what rebuilds the system trust store
    # from the replaced files.
    # NOTE(review): only this exec declares a dependency on the package. The
    # file resources write into a directory that presumably belongs to
    # wmf-certificates and depend on manifest ordering to run after it - an
    # explicit `require => Package['wmf-certificates']` on them would make
    # that ordering independent of evaluation order.
    exec { 'reconfigure-wmf-certificates':
        command     => '/usr/sbin/dpkg-reconfigure wmf-certificates',
        refreshonly => true,
        require     => Package['wmf-certificates'],
    }
}