Puppet Class: puppetdb::app

Defined in:
modules/puppetdb/manifests/app.pp

Summary

Sets up the puppetdb clojure app. This assumes you're using ...magic!

Overview

SPDX-License-Identifier: Apache-2.0

Parameters:

  • gc_interval (Integer[0]) (defaults to: 20)

    This controls how often, in minutes, to compact the database. The compaction process reclaims space and deletes unnecessary rows. If not supplied, the default is every 60 minutes. If set to zero, all database GC processes will be disabled.

  • node_ttl (Pattern[/\d+[dhms]/]) (defaults to: '7d')

    Mark as ‘expired’ nodes that haven’t seen any activity (no new catalogs, facts, or reports) in the specified amount of time. Expired nodes behave the same as manually-deactivated nodes.

  • node_purge_ttl (Pattern[/\d+[dhms]/]) (defaults to: '14d')

    Automatically delete nodes that have been deactivated or expired for the specified amount of time

  • report_ttl (Pattern[/\d+[dhms]/]) (defaults to: '1d')

    Automatically delete reports that are older than the specified amount of time.

  • jvm_opts (String) (defaults to: '-Xmx4G')

    options passed to the jvm_opts

  • db_user (String) (defaults to: 'puppetdb')

    the database user

  • db_driver (Enum['hsqldb', 'postgres']) (defaults to: 'postgres')

    the database driver to user

  • ssldir (Stdlib::Unixpath) (defaults to: puppet_ssldir())

    the puppet ssl directory

  • ca_path (Stdlib::Unixpath) (defaults to: '/etc/ssl/certs/wmf-ca-certificates.crt')

    the path to the CA to use

  • tmpfs_stockpile_queue (Boolean) (defaults to: false)

    if true store the stockpile queue on tmpfs

  • command_processing_threads (Integer) (defaults to: 16)

    number of threads to use for command processing

  • log_level (Puppetdb::Loglevel) (defaults to: 'info')

    log level to use

  • facts_blacklist (Array[String]) (defaults to: [])

    a list of facts to blacklist from db storage

  • facts_blacklist_type (Enum['literal', 'regex']) (defaults to: 'literal')

    indicates if the facts list contains literal or regex expressions

  • bind_ip (Optional[Stdlib::IP::Address]) (defaults to: undef)

    the ip address to bind to for TLS

  • bind_ip_insecure (Optional[Stdlib::IP::Address]) (defaults to: undef)

    the clear text ip to bind to

  • db_ro_host (Optional[Stdlib::Host]) (defaults to: undef)

    the host of the read only database

  • db_password (Optional[String]) (defaults to: undef)

    the database password

  • db_ro_password (Optional[String]) (defaults to: undef)

    the password for the ro database

  • db_rw_host (Stdlib::Host) (defaults to: $facts['networking']['fqdn'])


28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
# File 'modules/puppetdb/manifests/app.pp', line 28

class puppetdb::app(
    String                        $jvm_opts                   = '-Xmx4G',
    String                        $db_user                    = 'puppetdb',
    Enum['hsqldb', 'postgres']    $db_driver                  = 'postgres',
    Stdlib::Unixpath              $ssldir                     = puppet_ssldir(),
    Stdlib::Unixpath              $ca_path                    = '/etc/ssl/certs/wmf-ca-certificates.crt',
    Boolean                       $tmpfs_stockpile_queue      = false,
    Integer                       $command_processing_threads = 16,
    Puppetdb::Loglevel            $log_level                  = 'info',
    Array[String]                 $facts_blacklist            = [],
    Enum['literal', 'regex']      $facts_blacklist_type       = 'literal',
    Integer[0]                    $gc_interval                = 20,
    Pattern[/\d+[dhms]/]          $node_ttl                   = '7d',
    Pattern[/\d+[dhms]/]          $node_purge_ttl             = '14d',
    Pattern[/\d+[dhms]/]          $report_ttl                 = '1d',
    Stdlib::Host                  $db_rw_host                 = $facts['networking']['fqdn'],
    Optional[Stdlib::IP::Address] $bind_ip                    = undef,
    Optional[Stdlib::IP::Address] $bind_ip_insecure           = undef,
    Optional[Stdlib::Host]        $db_ro_host                 = undef,
    Optional[String]              $db_password                = undef,
    Optional[String]              $db_ro_password             = undef,
) {
    # We don't want debian's dbconfig to configure our database, since we are
    # configuring it via puppet.
    ensure_packages(['dbconfig-no-thanks'])

    # PuppetDB installation
    package { 'puppetdb':
        ensure  => installed,
        require => Package['dbconfig-no-thanks'],
    }

    $vardir              = '/var/lib/puppetdb'
    $stockpile_queue_dir = "${vardir}/stockpile/cmd/q"

    file { $vardir:
        ensure  => directory,
        owner   => 'puppetdb',
        group   => 'puppetdb',
        mode    => '0755',
        require => Package['puppetdb'],
    }
    $stockpile_mount_ensure = $tmpfs_stockpile_queue ? {
        true    => 'mounted',
        default => 'absent',
    }

    if $facts.has_key('puppetdb') and $facts['puppetdb']['stockpile_initialized'] {
        mount { $stockpile_queue_dir:
            ensure  => $stockpile_mount_ensure,
            atboot  => true,
            device  => 'tmpfs',
            fstype  => 'tmpfs',
            options => 'uid=puppetdb,gid=puppetdb',
            notify  => Service['puppetdb'],
        }
    }

    file { '/etc/default/puppetdb':
        ensure  => file,
        owner   => 'root',
        group   => 'root',
        content => template('puppetdb/etc/default/puppetdb.erb'),
    }

    systemd::service { 'puppetdb':
        override => true,
        content  => "[Service]\nRestart=on-failure\nRestartSec=5s\n",
    }

    ## Configuration
    file { '/etc/puppetdb':
        ensure  => directory,
        require => Package['puppetdb'],
    }
    file { '/etc/puppetdb/conf.d':
        ensure  => directory,
        owner   => 'puppetdb',
        group   => 'root',
        mode    => '0750',
        recurse => true,
        purge   => true,
        require => Package['puppetdb'],
    }
    if debian::codename::ge('bookworm') {
        file { '/etc/puppetdb/conf.d/auth.conf':
            ensure  => file,
            owner   => 'puppetdb',
            group   => 'root',
            mode    => '0750',
            source  => 'puppet:///modules/puppetdb/auth.conf',
            require => Package['puppetdb'],
        }
    }


    $postgres_uri = "ssl=true&sslfactory=org.postgresql.ssl.jdbc4.LibPQFactory&sslmode=verify-full&sslrootcert=${ca_path}"
    $postgres_rw_db_subname = "//${db_rw_host}:5432/puppetdb?${postgres_uri}"

    $db_settings = {
        'report-ttl'           => $report_ttl,
        'gc-interval'          => $gc_interval,
        'node-ttl'             => $node_ttl,
        'node-purge-ttl'       => $node_purge_ttl,
        'subname'              => $postgres_rw_db_subname,
        'username'             => 'puppetdb',
        'password'             => $db_password,
        'facts-blacklist-type' => $facts_blacklist_type,
        'facts-blacklist'      => $facts_blacklist.join(', '),
    }
    puppetdb::config { 'database':
        settings => $db_settings,
    }

    if $db_ro_host and $db_driver == 'postgres' {
        $postgres_ro_db_subname = "//${db_ro_host}:5432/puppetdb?${postgres_uri}"
        $read_db_settings = {
            'subname'  => $postgres_ro_db_subname,
            'username' => 'puppetdb_ro',
            'password' => $db_ro_password,
        }
        puppetdb::config { 'read-database':
            settings => $read_db_settings,
        }
    }

    puppetdb::config { 'global':
        settings => {
            'vardir'         => $vardir,
            'logging-config' => '/etc/puppetdb/logback.xml',
        },
    }

    puppetdb::config { 'nrepl':
        settings => {'enabled' => false},
    }

    # TODO: consider using profile::pki::get_cert
    puppet::expose_agent_certs { '/etc/puppetdb':
        ensure          => present,
        provide_private => true,
        user            => 'puppetdb',
        group           => 'puppetdb',
        ssldir          => $ssldir,
    }

    $_bind_ip = $bind_ip ? {
        undef   => {},
        default => {'ssl-host' => $bind_ip}
    }
    $_bind_ip_insecure = $bind_ip_insecure ? {
        undef   => {},
        default => {'host' => $bind_ip_insecure}
    }
    $jetty_settings = {
        'port'        => 8080,
        'ssl-port'    => 8081,
        'ssl-key'     => '/etc/puppetdb/ssl/server.key',
        'ssl-cert'    => '/etc/puppetdb/ssl/cert.pem',
        'ssl-ca-cert' => $ca_path,
    } + $_bind_ip + $_bind_ip_insecure

    puppetdb::config { 'jetty':
        settings => $jetty_settings,
        require  => Puppet::Expose_agent_certs['/etc/puppetdb'],
    }

    puppetdb::config { 'command-processing':
        settings => {
            'threads' => $command_processing_threads,
        },
    }
    file {'/etc/puppetdb/logback.xml':
        ensure  => file,
        owner   => 'root',
        group   => 'root',
        mode    => '0644',
        content => template('puppetdb/logback.xml.erb'),
    }
}