Puppet Class: profile::puppetdb::microservice

Defined in:
modules/profile/manifests/puppetdb/microservice.pp

Summary

install the puppetdb micro service

Overview

SPDX-License-Identifier: Apache-2.0

Parameters:

  • enabled (Boolean) (defaults to: lookup('profile::puppetdb::microservice::enabled'))

    whether to enable the service

  • port (Stdlib::Port) (defaults to: lookup('profile::puppetdb::microservice::port'))

    the port to listen on

  • uwsgi_port (Stdlib::Port) (defaults to: lookup('profile::puppetdb::microservice::uwsgi_port'))

    the port of the backend service

  • allowed_hosts (Array[Stdlib::Host]) (defaults to: lookup('profile::puppetdb::microservice::allowed_hosts'))

    a list of allowed hosts

  • allowed_roles (Array[String[1]]) (defaults to: lookup('profile::puppetdb::microservice::allowed_roles'))

    a list of allowed roles



# File 'modules/profile/manifests/puppetdb/microservice.pp', line 8

class profile::puppetdb::microservice (
    Boolean             $enabled       = lookup('profile::puppetdb::microservice::enabled'),
    Stdlib::Port        $port          = lookup('profile::puppetdb::microservice::port'),
    Stdlib::Port        $uwsgi_port    = lookup('profile::puppetdb::microservice::uwsgi_port'),
    Array[Stdlib::Host] $allowed_hosts = lookup('profile::puppetdb::microservice::allowed_hosts'),
    Array[String[1]]    $allowed_roles = lookup('profile::puppetdb::microservice::allowed_roles'),
) {
    # Layout, as far as this manifest shows: an nginx site (rendered from an ERB
    # template that is not visible here) listens on $port, a uWSGI app runs
    # /srv/puppetdb-microservice.py as the backend on loopback port $uwsgi_port,
    # and a firewall rule restricts who may reach $port.

    # TLS parameters for nginx at the 'strong' level. Not referenced again in this
    # manifest; presumably read by the ERB template below (templates see class-scope
    # variables) -- confirm before renaming or removing it.
    $ssl_settings = ssl_ciphersuite('nginx', 'strong', true)
    # Effective source allow-list: the addresses wmflib::role::ips() returns for each
    # allowed role, flattened into one list, plus the explicitly listed hosts.
    # NOTE(review): the role-derived part is only as trustworthy as the data
    # wmflib::role::ips() is built from, which is not visible here -- verify.
    $_allowed_hosts = $allowed_roles.map |$role| {
        wmflib::role::ips($role)
    }.flatten + $allowed_hosts

    # Installed whether or not the service is enabled.
    ensure_packages(['python3-flask'])

    if $enabled {
        # Request a certificate from the 'discovery' PKI profile for this host's FQDN,
        # with the two discovery names passed as 'hosts'; nginx is reloaded when the
        # certificate resources change. $certs is not used again in this manifest,
        # presumably the template reads the certificate paths from it -- confirm.
        $certs = profile::pki::get_cert('discovery', $facts['networking']['fqdn'], {
            hosts   => ['puppetdb-api.discovery.wmnet', 'puppetdb-api-next.discovery.wmnet'],
            notify  => Exec['nginx-reload'],
        })
        $site_content = template('profile/puppetdb/nginx-puppetdb-microservice.conf.erb')
    } else {
        # Nothing to render when disabled: no certificate is requested and the
        # site is declared absent below.
        $site_content = undef
    }

    nginx::site { 'puppetdb-microservice':
        ensure  => stdlib::ensure($enabled),
        content => $site_content,
    }

    # Application code, root-owned and world-readable (0644): it must not embed secrets.
    # Any change to the file notifies the dedicated uWSGI service.
    file { '/srv/puppetdb-microservice.py':
        ensure => stdlib::ensure($enabled, 'file'),
        source => 'puppet:///modules/profile/puppetdb/puppetdb-microservice.py',
        owner  => 'root',
        mode   => '0644',
        notify => Service['uwsgi-puppetdb-microservice'],
    }
    # uWSGI exposes the app both on a unix socket and on a plain-HTTP socket bound to
    # 127.0.0.1, so the backend is not reachable from the network directly. Any local
    # process can still connect to the loopback port, so access control for remote
    # clients has to be enforced in front of it (nginx site and firewall rule).
    # Which of the two sockets nginx uses is decided in the template, not shown here.
    uwsgi::app { 'puppetdb-microservice':
        ensure     => stdlib::ensure($enabled),
        monitoring => absent,
        settings   => {
            uwsgi => {
                'plugins'     => 'python3',
                'socket'      => '/run/uwsgi/puppetdb-microservice.sock',
                'file'        => '/srv/puppetdb-microservice.py',
                'callable'    => 'app',
                'http-socket' => "127.0.0.1:${uwsgi_port}",
            },
        },
    }

    # The microservice is managed via a dedicated systemd unit (uwsgi-puppetdb-microservice),
    # mask the generic uwsgi unit which gets auto-translated based on the init.d script
    # shipped in the uwsgi Debian package
    # The mask is declared regardless of $enabled.
    systemd::mask { 'mask_default_uwsgi_puppetdb':
        unit => 'uwsgi.service',
    }

    profile::auto_restarts::service { 'uwsgi-puppetdb-microservice':
        ensure => stdlib::ensure($enabled),
    }

    # Open $port only to the computed allow-list. With an empty list no rule is
    # declared at all; whether the port is then closed depends on the host's default
    # firewall policy, which is not shown here.
    # NOTE(review): this rule is not gated on $enabled, so the port stays open to the
    # allow-list even when the nginx site is absent -- confirm that is intended.
    unless $_allowed_hosts.empty() {
        firewall::service { 'puppetdb-microservice':
            proto  => 'tcp',
            port   => $port,
            srange => $_allowed_hosts,
        }
    }
}