Puppet Class: puppetmaster::puppetdb

Defined in:
modules/puppetmaster/manifests/puppetdb.pp

Overview

Class puppetmaster::puppetdb

Sets up a puppetdb instance and the corresponding database server. TODO: fold this class into profile::puppetdb

Parameters:

  • gc_interval (Integer[0]) (defaults to: 20)

    This controls how often, in minutes, to compact the database. The compaction process reclaims space and deletes unnecessary rows. If not supplied, the default is every 20 minutes. If set to zero, all database GC processes will be disabled.

  • node_ttl (Pattern[/\d+[dhms]/]) (defaults to: '7d')

    Mark as ‘expired’ nodes that haven’t seen any activity (no new catalogs, facts, or reports) in the specified amount of time. Expired nodes behave the same as manually-deactivated nodes.

  • node_purge_ttl (Pattern[/\d+[dhms]/]) (defaults to: '14d')

    Automatically delete nodes that have been deactivated or expired for the specified amount of time.

  • report_ttl (Pattern[/\d+[dhms]/]) (defaults to: '1d')

    Automatically delete reports that are older than the specified amount of time.

  • ca_content (Optional[String[1]]) (defaults to: undef)

    If present, write this content to the file at ca_path.

  • master (Stdlib::Host)

    the primary (read/write) database host

  • port (Stdlib::Port) (defaults to: 443)

    the port to listen on

  • jetty_port (Stdlib::Port) (defaults to: 8080)

    the port the puppetdb app listens on

  • jvm_opts (String) (defaults to: '-Xmx4G')

    options passed to the Java VM

  • ssldir (Optional[Stdlib::Unixpath]) (defaults to: undef)

    the Puppet SSL directory

  • ca_path (Stdlib::Unixpath) (defaults to: '/etc/ssl/certs/Puppet_Internal_CA.pem')

    the CA certificate path to use for client auth

  • puppetdb_pass (String) (defaults to: '')

    the puppetdb password

  • puppetdb_ro_pass (String) (defaults to: '')

    the puppetdb read-only password

  • db_ro_host (Optional[Stdlib::Host]) (defaults to: undef)

    Postgres host for read queries

  • log_level (Puppetdb::Loglevel) (defaults to: 'info')

    the log level

  • tmpfs_stockpile_queue (Boolean) (defaults to: false)

    if true, use tmpfs for the stockpile queue

  • facts_blacklist (Array[String]) (defaults to: [])

    a list of facts to blacklist from insertion into the db

  • facts_blacklist_type (Enum['literal', 'regex']) (defaults to: 'literal')

    whether the above blacklist entries are literal strings or regexes

  • ssl_verify_client (Nginx::SSL::Verify_client) (defaults to: 'optional')

    this value controls how nginx verifies client certificates for mTLS users
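A usage example for this class, added here as an illustration and not taken from the module itself. The hostnames and hiera keys are placeholders, and it assumes that `Nginx::SSL::Verify_client` accepts nginx's `on` value alongside the `optional` default:

```puppet
# Added example: declaring puppetmaster::puppetdb with the security-relevant
# parameters set explicitly. Hostnames and hiera keys below are placeholders.
class { 'puppetmaster::puppetdb':
    master               => 'puppetdb-db-primary.example.internal',  # read/write PostgreSQL host (placeholder)
    db_ro_host           => 'puppetdb-db-replica.example.internal',  # read-only PostgreSQL host (placeholder)
    # Both passwords default to ''. The parameters are typed String, so the
    # secrets are looked up from hiera here (assumed keys) rather than hardcoded.
    puppetdb_pass        => lookup('puppetmaster::puppetdb::puppetdb_pass'),
    puppetdb_ro_pass     => lookup('puppetmaster::puppetdb::puppetdb_ro_pass'),
    # TLS termination on 443 in front of Jetty on 8080 (the class defaults).
    port                 => 443,
    jetty_port           => 8080,
    # The default 'optional' lets connections without a client certificate
    # reach the nginx site and leaves the decision to the site template;
    # 'on' (assumed to be accepted by the type, as it is by nginx) makes
    # nginx reject them before anything is proxied to puppetdb.
    ssl_verify_client    => 'on',
    ca_path              => '/etc/ssl/certs/Puppet_Internal_CA.pem',
    # Keep secret-bearing facts out of the database. ec2_userdata is an
    # existing Facter fact; the regex entry is anchored explicitly.
    facts_blacklist      => ['^ec2_userdata$'],
    facts_blacklist_type => 'regex',
    # Retention. Pattern[/\d+[dhms]/] only requires "<digits><unit>" to occur
    # somewhere in the string, so keep the values to exactly that form.
    node_ttl             => '7d',
    node_purge_ttl       => '14d',
    report_ttl           => '1d',
    gc_interval          => 20,
    log_level            => 'info',
}
```

Because these are class parameters, the same values can be bound through hiera's automatic parameter lookup (keys of the form `puppetmaster::puppetdb::<parameter>`) with a plain `include puppetmaster::puppetdb`; the explicit `lookup()` calls above only make the point that the empty-string password defaults should never reach a deployed node.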

# File 'modules/puppetmaster/manifests/puppetdb.pp', line 30

class puppetmaster::puppetdb(
    Stdlib::Host               $master,
    Stdlib::Port               $port                  = 443,
    Stdlib::Port               $jetty_port            = 8080,
    String                     $jvm_opts              = '-Xmx4G',
    Optional[Stdlib::Unixpath] $ssldir                = undef,
    Stdlib::Unixpath           $ca_path               = '/etc/ssl/certs/Puppet_Internal_CA.pem',
    String                     $puppetdb_pass         = '',
    String                     $puppetdb_ro_pass      = '',
    Optional[Stdlib::Host]     $db_ro_host            = undef,
    Puppetdb::Loglevel         $log_level             = 'info',
    Boolean                    $tmpfs_stockpile_queue = false,
    Array[String]              $facts_blacklist       = [],
    Enum['literal', 'regex']   $facts_blacklist_type  = 'literal',
    Integer[0]                 $gc_interval           = 20,
    Pattern[/\d+[dhms]/]       $node_ttl              = '7d',
    Pattern[/\d+[dhms]/]       $node_purge_ttl        = '14d',
    Pattern[/\d+[dhms]/]       $report_ttl            = '1d',
    Nginx::SSL::Verify_client  $ssl_verify_client     = 'optional',
    Optional[String[1]]        $ca_content            = undef,
) {

    ## TLS Termination
    # Set up nginx as a reverse-proxy
    # TODO: consider using profile::pki::get_cert
    puppet::expose_agent_certs { '/etc/nginx':
        ensure          => present,
        provide_private => true,
        ssldir          => $ssldir,
    }
    if $ca_content {
        file { $ca_path:
            ensure  => file,
            content => $ca_content,
            mode    => '0444',
        }
    }

    $ssl_settings = ssl_ciphersuite('nginx', 'mid')
    include sslcert::dhparam
    nginx::site { 'puppetdb':
        ensure  => present,
        content => template('puppetmaster/nginx-puppetdb.conf.erb'),
        require => [
            Class['::sslcert::dhparam'],
            Puppet::Expose_agent_certs['/etc/nginx'],
        ],
    }

    # T209709
    nginx::status_site { 'status':
        port    => 10080,
        require => Puppet::Expose_agent_certs['/etc/nginx'],
    }

    class { 'puppetdb::app':
        db_rw_host            => $master,
        db_ro_host            => $db_ro_host,
        db_password           => $puppetdb_pass,
        db_ro_password        => $puppetdb_ro_pass,
        jvm_opts              => $jvm_opts,
        ssldir                => $ssldir,
        ca_path               => $ca_path,
        log_level             => $log_level,
        tmpfs_stockpile_queue => $tmpfs_stockpile_queue,
        facts_blacklist       => $facts_blacklist,
        facts_blacklist_type  => $facts_blacklist_type,
        gc_interval           => $gc_interval,
        node_ttl              => $node_ttl,
        node_purge_ttl        => $node_purge_ttl,
        report_ttl            => $report_ttl,
    }
}