Puppet Class: profile::toolforge::harbor

Defined in:
modules/profile/manifests/toolforge/harbor.pp

Overview

SPDX-License-Identifier: Apache-2.0

Parameters:

  • data_volume (Stdlib::Unixpath) (defaults to: lookup('profile::toolforge::harbor::data_volume', {default_value => '/srv/ops/harbor/data'}))
  • cinder_attached (Boolean) (defaults to: lookup('profile::toolforge::harbor::cinder_attached', {default_value => false}))
  • harbor_admin_pwd (String[1]) (defaults to: lookup('profile::toolforge::harbor::admin_pwd', {default_value => 'insecurityrules'}))
  • harbor_db_pwd (String[1]) (defaults to: lookup('profile::toolforge::harbor::db_harbor_pwd', {default_value => 'dummypass'}))
  • harbor_db_host (Stdlib::Host) (defaults to: lookup('profile::toolforge::harbor::db_primary', {default_value => 'dummy.db.host'}))
  • harbor_url (Stdlib::Fqdn) (defaults to: lookup('profile::toolforge::harbor::url', {default_value => 'dummy.harbor.fqdn'}))
  • robot_accounts (Profile::Toolforge::Harbor::Robot_accounts) (defaults to: lookup('profile::toolforge::harbor::robot_accounts', {default_value => {}}))



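# @summary Installs docker and lays out the harbor docker-compose deployment
#   under /srv/ops, then keeps the compose stack running.
#
# Everything under /srv/ops is only managed when $cinder_attached is true,
# because the untarred harbor installer is expected to live on the cinder
# volume rather than on the root disk.
#
# @param data_volume
#   Path harbor stores its data on; passed through to harbor.yml.
# @param cinder_attached
#   Whether the cinder volume holding the harbor installer is attached. When
#   false only docker and the helper packages are managed.
# @param harbor_admin_pwd
#   Password for the harbor admin user, written into harbor.yml. The
#   hardcoded default is a placeholder so the catalog compiles; real
#   deployments are expected to override it in hiera.
# @param harbor_db_pwd
#   Password harbor uses for its database, written into harbor.yml. Same
#   placeholder caveat as harbor_admin_pwd.
# @param harbor_db_host
#   Host of the database harbor connects to.
# @param harbor_url
#   FQDN harbor is served on; written into harbor.yml as harbor_fqdn.
# @param robot_accounts
#   Robot accounts to provision, passed through to the harbor.yml template.
class profile::toolforge::harbor (
    Stdlib::Unixpath $data_volume = lookup('profile::toolforge::harbor::data_volume', {default_value => '/srv/ops/harbor/data'}),
    Boolean $cinder_attached = lookup('profile::toolforge::harbor::cinder_attached', {default_value => false}),
    String[1] $harbor_admin_pwd = lookup('profile::toolforge::harbor::admin_pwd', {default_value => 'insecurityrules'}),
    String[1] $harbor_db_pwd = lookup('profile::toolforge::harbor::db_harbor_pwd', {default_value => 'dummypass'}),
    Stdlib::Host $harbor_db_host = lookup('profile::toolforge::harbor::db_primary', {default_value => 'dummy.db.host'}),
    Stdlib::Fqdn $harbor_url = lookup('profile::toolforge::harbor::url', {default_value => 'dummy.harbor.fqdn'}),
    Profile::Toolforge::Harbor::Robot_accounts $robot_accounts = lookup('profile::toolforge::harbor::robot_accounts', {default_value => {}}),
) {
    ensure_packages(['docker.io'])
    # The package has to be installed before the unit can be started.
    service { 'docker':
        ensure  => 'running',
        require => Package['docker.io'],
    }

    file { '/etc/docker/daemon.json':
        source  => 'puppet:///modules/profile/toolforge/harbor/docker-config.json',
        owner   => 'root',
        group   => 'root',
        mode    => '0444',
        notify  => Service['docker'],
        require => Package['docker.io'],
    }

    # Useful packages as harbor runs in docker-compose
    ensure_packages(['postgresql-client', 'redis-tools', 'docker-compose'])

    # There must be some kind of puppet fact for this?
    if $cinder_attached {
        # On the cinder volume, expect an untarred installer on /srv/ops.
        # For a fun project, you *can* puppetize everything under
        # /srv/ops/harbor/common/config, however it is all generated by harbor.yml
        file { '/srv/ops':
            ensure => directory,
            owner  => 'root',
            group  => 'root',
            mode   => '0755',
        } -> file { '/srv/ops/harbor':
            ensure => directory,
            owner  => 'root',
            group  => 'root',
            mode   => '0755',
        } -> file { '/srv/ops/harbor/harbor.yml':
            # harbor.yml carries the admin and database passwords: pin the
            # owner (mode 0600 alone only protects whoever happens to own a
            # pre-existing file) and keep the contents out of agent logs and
            # reports.
            ensure    => file,
            owner     => 'root',
            group     => 'root',
            mode      => '0600',
            show_diff => false,
            content   => epp(
                'profile/toolforge/harbor/harbor-docker.yaml.epp',
                {
                    harbor_fqdn      => $harbor_url,
                    harbor_admin_pwd => $harbor_admin_pwd,
                    harbor_db_pwd    => $harbor_db_pwd,
                    harbor_db_host   => $harbor_db_host,
                    data_volume      => $data_volume,
                    robot_accounts   => $robot_accounts,
                }
            ),
        } -> file { '/srv/ops/harbor/data':
            ensure => directory,
            owner  => 'root',
            group  => 'root',
            mode   => '0755',
        } -> file { '/srv/ops/harbor/data/secret':
            ensure => directory,
            owner  => 'root',
            group  => 'root',
            mode   => '0755',
        } -> file { '/srv/ops/harbor/data/secret/cert':
            ensure => directory,
            # NOTE(review): 10000 is presumably the uid/gid harbor's containers
            # run as, so they can write their certs here -- confirm against the
            # installer before changing it.
            owner  => 10000,
            group  => 10000,
            mode   => '0755',
        }

        # The downloaded default prepare script tries to get certs by
        # mounting / and fails. We just change the volume mount. This only matters
        # on a new install, normally. New versions may need an update here.
        file { '/srv/ops/harbor/prepare':
            ensure  => file,
            mode    => '0555',
            owner   => 'root',
            group   => 'root',
            content => template('profile/toolforge/harbor/prepare.erb'),
            require => File['/srv/ops/harbor'],
        }

        $composefile = '/srv/ops/harbor/docker-compose.yml'
        # I did not find an easy way (avoiding extra wrappers) to use a systemd unit that
        # detected also when the containers were stopped and declared the unit failed if so
        # this is a poor-person's effective alternative
        # the following script relies on docker-compose starting one container per service
        $check_script = @("EOS"/$)
            bash -c "
                want_services=$(docker-compose -f ${composefile} ps --services --all | wc -l);
                got_services=$(docker-compose -f ${composefile} ps | grep Up | wc -l);
                [[ \\\$want_services -ne \\\$got_services ]]
            "
            | EOS
        # docker-compose talks to the docker daemon, so the service must be up
        # before the stack is (re)started.
        exec { 'ensure-compose-started':
            command => "/usr/bin/docker-compose -f ${composefile} up -d",
            onlyif  => $check_script,
            require => [File['/srv/ops/harbor/harbor.yml'], Service['docker']],
            path    => ['/usr/bin'],
        }
    }
}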