Puppet Class: profile::puppetserver::volatile
- Defined in:
- modules/profile/manifests/puppetserver/volatile.pp
Summary
Set up the puppetserver volatile directory. This directory is used to serve: * external_clouds_vendors * GeoIP files * tftp images used for the Debian installer
Overview
SPDX-License-Identifier: Apache-2.0
# File 'modules/profile/manifests/puppetserver/volatile.pp', line 12
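# @summary Set up the puppetserver volatile directory, which holds the
#   external cloud vendor data, the IP reputation / GeoIP files and the tftp
#   images used by the Debian installer. The directory is rsynced to every
#   host carrying this class via puppetserver::rsync_module.
#
# @param http_proxy Proxy handed to every vendor and GeoIP fetch class below.
# @param geoip_fetch_private When true, fetch the licensed MaxMind products
#   with the credentials from passwords::geoip and enable the spur
#   datacenter/feed fetches; when false the spur classes (and their
#   datacenter directory) are ensured absent and only GeoIP2-City and
#   GeoIP2-Connection-Type are fetched, without credentials.
# @param ip_reputation_config Configuration passed to the ip_reputation_vendors
#   classes. Expected to come from the private repo.
# @param ip_reputation_proxies Proxy families to fetch; an empty list ensures
#   the ip_reputation_vendors class absent.
# @param api_tokens Conftool API tokens; only the 'root' entry is used here.
# @param cdn_private_git_token Token used to clone the private CDN repo; when
#   undef the clone is ensured absent.
class profile::puppetserver::volatile (
    Optional[Stdlib::HTTPUrl] $http_proxy                 = lookup('http_proxy'),
    Boolean                   $geoip_fetch_private        = lookup('profile::puppetserver::volatile::geoip_fetch_private'),
    # Should be defined in the private repo.
    Hash[String, Any]         $ip_reputation_config       = lookup('profile::puppetserver::volatile::ip_reputation_config'),
    Array[String]             $ip_reputation_proxies      = lookup('profile::puppetserver::volatile::ip_reputation_proxies'),
    Hash[String, String]      $api_tokens                 = lookup('profile::conftool::hiddenparma::api_tokens'),
    Optional[String[1]]       $cdn_private_git_token      = lookup('profile::puppetserver::volatile::cdn_private_git_token', { 'default_value' => undef }),
) {
    # Both the 'volatile' mount and the 'private' git repo are hard
    # requirements; fail early with a message naming the missing entry.
    include profile::puppetserver
    unless $profile::puppetserver::extra_mounts.has_key('volatile') {
        fail("Must define a volatile entry in profile::puppetserver::extra_mounts to use ${title}")
    }
    include profile::puppetserver::git
    unless $profile::puppetserver::git::repos.has_key('private') {
        fail("Must define a private entry in profile::puppetserver::git::repos to use ${title}")
    }

    $private_repo_path    = "${profile::puppetserver::git::basedir}/private"
    $base_path            = $profile::puppetserver::extra_mounts['volatile']
    $geoip_destdir        = "${base_path}/GeoIP"
    $geoip_destdir_ipinfo = "${base_path}/GeoIPInfo"

    # Files in this folder are managed manually
    file { "${base_path}/tftpboot":
        ensure => directory,
    }
    file { '/usr/local/sbin/update-netboot-image':
        ensure => file,
        source => 'puppet:///modules/profile/puppetserver/update-netboot-image.sh',
        mode   => '0544',
    }
    # Needed by update-netboot-image
    ensure_packages('pax')

    class { 'external_clouds_vendors':
        user        => 'root',
        manage_user => false,
        outfile     => "${base_path}/external_cloud_vendors/public_clouds.json",
        conftool    => $profile::puppetserver::enable_ca,
        http_proxy  => $http_proxy,
        api_token   => $api_tokens['root'],
    }

    # Disabled entirely when no proxy families are configured.
    class { 'ip_reputation_vendors':
        ensure         => stdlib::ensure(!$ip_reputation_proxies.empty()),
        user           => 'root',
        manage_user    => false,
        outfile        => "${base_path}/ip_reputation_vendors/proxies.json",
        proxy_families => $ip_reputation_proxies,
        configuration  => $ip_reputation_config,
        http_proxy     => $http_proxy,
    }

    $spur_dch_user  = 'nobody'
    $spur_dch_group = 'nogroup'
    $spur_mmdb      = "${base_path}/datacenter_vendors/datacenter.mmdb"
    # NOTE(review): when $geoip_fetch_private flips to false this directory
    # will still contain the previously fetched mmdb; Puppet only removes a
    # non-empty directory with force => true — confirm the intended behaviour.
    file { $spur_mmdb.dirname():
        ensure => $geoip_fetch_private.bool2str('directory', 'absent'),
        owner  => $spur_dch_user,
        group  => $spur_dch_group,
    }
    class { 'ip_reputation_vendors::spur_datacenter':
        ensure        => stdlib::ensure($geoip_fetch_private),
        user          => $spur_dch_user,
        group         => $spur_dch_group,
        # Same path as the directory resource above, so the two cannot drift.
        outfile       => $spur_mmdb,
        configuration => $ip_reputation_config,
        http_proxy    => $http_proxy,
    }
    class { 'ip_reputation_vendors::spur_feeds':
        ensure        => stdlib::ensure($geoip_fetch_private),
        user          => 'root',
        group         => $spur_dch_group,
        outfile       => "${base_path}/ip_reputation_vendors/proxy.mmdb",
        configuration => $ip_reputation_config,
        http_proxy    => $http_proxy,
    }

    class { 'profile::swift::fetch_rings':
        volatile_dir => $base_path,
    }

    # TODO: this should probably be handled in the geoip classes
    file { [$geoip_destdir, $geoip_destdir_ipinfo]:
        ensure => directory,
    }

    if $geoip_fetch_private {
        # Licensed products: credentials come from the private passwords module.
        include passwords::geoip
        class { 'geoip::data::maxmind':
            data_directory => $geoip_destdir,
            proxy          => $http_proxy,
            ca_server      => $profile::puppetserver::ca_server,
            user_id        => $passwords::geoip::user_id,
            license_key    => $passwords::geoip::license_key,
            product_ids    => [
                'GeoIP2-City',
                'GeoIP2-Connection-Type',
                'GeoIP2-Country',
                'GeoIP2-ISP',
            ],
        }
        # TODO: after I53708b14ed36c6ae0ca7d71df0fc704c60ab749b is merged, we can modify
        # accordingly to just include the freely available product_ids
        class { 'geoip::data::maxmind::ipinfo':
            data_directory => $geoip_destdir_ipinfo,
            proxy          => $http_proxy,
            ca_server      => $profile::puppetserver::ca_server,
            user_id        => $passwords::geoip::user_id_ipinfo,
            license_key    => $passwords::geoip::license_key_ipinfo,
            product_ids    => [
                'GeoLite2-ASN',
                'GeoLite2-Country',
                'GeoLite2-City',
            ],
        }
    } else {
        # No credentials are passed in this branch.
        class { 'geoip::data::maxmind':
            data_directory => $geoip_destdir,
            proxy          => $http_proxy,
            product_ids    => [
                'GeoIP2-City',
                'GeoIP2-Connection-Type',
            ],
        }
    }

    # $cdn_private_git_token is Optional[String[1]], so "present" is exactly
    # "not undef"; the clone is only kept while a token is configured.
    $cdn_private_repo = $cdn_private_git_token =~ NotUndef
    git::clone { 'repos/sre/xcheesescore':
        ensure    => $cdn_private_repo.bool2str('latest', 'absent'),
        directory => "${base_path}/private_cdn/",
        branch    => 'main',
        owner     => 'nobody',
        group     => 'nogroup',
        source    => 'gitlab',
        token     => $cdn_private_git_token,
    }

    # Every host in this class receives the volatile tree via rsync.
    puppetserver::rsync_module { 'volatile':
        path     => $base_path,
        hosts    => wmflib::class::hosts('profile::puppetserver::volatile'),
        interval => { 'start' => 'OnUnitInactiveSec', 'interval' => '15m' },
    }

    # This system user is configured to allow the DSE k8s cluster to rsync
    # data to volatile via Airflow.
    $webrequest_dump_dir = "${base_path}/webrequest_dump"
    ssh::userkey { 'analytics-sre':
        source => 'puppet:///modules/profile/puppetserver/analytics_sre_authorized_keys',
    }
    # Allow SSH from the DSE K8s cluster's pod IP range
    firewall::service { 'ssh_dse-K8s_pods':
        proto    => 'tcp',
        port     => 22,
        src_sets => ['DSE_KUBEPODS_NETWORKS'],
    }
    # The analytics-sre user will be able to write only this directory.
    # NOTE(review): that restriction rests on the ownership set here and on
    # whatever restrictions the authorized_keys source carries — confirm the
    # key file limits the command or path, as nothing in this class does.
    file { $webrequest_dump_dir:
        ensure => directory,
        owner  => 'analytics-sre',
        group  => 'analytics-sre',
    }
}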