refactor: convert puppetserver compilers to deployment with configmap integration (#57)

- Convert StatefulSet to Deployment for better scaling flexibility
- Add initContainer to copy configmaps to shared RWX volume (10GB)
- Integrate puppetserver-compiler-config configmap for environment variables
- Configure configMapGenerator with stable names (disableNameSuffixHash)
- Update HPA to target Deployment instead of StatefulSet
- Simplify puppetboard SSL config to skip verification for internal connections

Reviewed-on: #57
2026-03-20 20:47:36 +11:00
parent f25117ab7f
commit c2d23aaeae
9 changed files with 184 additions and 35 deletions
@@ -12,9 +12,7 @@ metadata:
data: data:
PUPPETDB_HOST: "puppetdb" PUPPETDB_HOST: "puppetdb"
PUPPETDB_PORT: "8081" PUPPETDB_PORT: "8081"
PUPPETDB_SSL_VERIFY: "/opt/puppetboard/ssl/ca.pem" PUPPETDB_SSL_SKIP_VERIFY: "True"
PUPPETDB_KEY: "/opt/puppetboard/ssl/puppetboard.key"
PUPPETDB_CERT: "/opt/puppetboard/ssl/puppetboard.pem"
LOGLEVEL: "debug" LOGLEVEL: "debug"
PUPPETDB_TIMEOUT: "20" PUPPETDB_TIMEOUT: "20"
UNRESPONSIVE_HOURS: "3" UNRESPONSIVE_HOURS: "3"
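Review bot: `PUPPETDB_SSL_SKIP_VERIFY: "True"` on the new side switches off server-certificate validation for puppetboard's connection to PuppetDB, so the endpoint is no longer authenticated even though the URL stays HTTPS; "internal" here still means traffic crossing the cluster network between nodes. Dropping `PUPPETDB_KEY`/`PUPPETDB_CERT` also means puppetboard presents no client certificate, which only works if PuppetDB on 8081 has been configured to accept unauthenticated clients — worth confirming rather than relying on. If the old CA path was what failed, pointing `PUPPETDB_SSL_VERIFY` at a bundle that actually issued the puppetdb certificate keeps verification on; if skipping it is the intended end state, a comment such as `# TLS verification deliberately off: puppetdb is reached in-cluster only` should record that decision next to the key.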
@@ -1,5 +1,5 @@
apiVersion: apps/v1 apiVersion: apps/v1
kind: StatefulSet kind: Deployment
metadata: metadata:
annotations: annotations:
reloader.stakater.com/auto: "true" reloader.stakater.com/auto: "true"
@@ -11,12 +11,10 @@ metadata:
name: puppetserver-compiler name: puppetserver-compiler
namespace: puppet namespace: puppet
spec: spec:
podManagementPolicy: OrderedReady
selector: selector:
matchLabels: matchLabels:
app.kubernetes.io/component: puppetserver-compilers app.kubernetes.io/component: puppetserver-compilers
app.kubernetes.io/name: puppetserver app.kubernetes.io/name: puppetserver
serviceName: puppet-headless
template: template:
metadata: metadata:
labels: labels:
@@ -41,26 +39,14 @@ spec:
ports: ports:
- containerPort: 8140 - containerPort: 8140
name: puppetserver name: puppetserver
envFrom: null envFrom:
- configMapRef:
name: puppetserver-compiler-config
env: env:
- name: OPENVOXSERVER_HOSTNAME - name: OPENVOXSERVER_HOSTNAME
valueFrom: valueFrom:
fieldRef: fieldRef:
fieldPath: metadata.name fieldPath: metadata.name
- name: OPENVOXSERVER_PORT
value: "8140"
- name: DNS_ALT_NAMES
value: puppetserver-compiler-0,puppetserver-compiler-1,puppetserver-compiler-2,puppetserver-compiler-3,puppetserver-compiler-4,puppet-headless,puppet,puppet.k8s.syd1.au.unkin.net
- name: OPENVOXDB_SERVER_URLS
value: https://puppetdb:8081
- name: CA_ENABLED
value: "false"
- name: CA_HOSTNAME
value: puppetca
- name: CA_PORT
value: "8140"
- name: PUPPETSERVER_JAVA_ARGS
value: -Xms1024m -Xmx3072m -Dcom.sun.management.jmxremote.port=31000 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false
livenessProbe: livenessProbe:
failureThreshold: 3 failureThreshold: 3
periodSeconds: 30 periodSeconds: 30
@@ -109,6 +95,36 @@ spec:
name: eyaml-keys name: eyaml-keys
readOnly: true readOnly: true
initContainers: initContainers:
- name: copy-configmaps
image: busybox:1.35
command:
- sh
- -c
args:
- |
echo "Copying configmap files to shared volume..."
mkdir -p /etc/puppetlabs/puppet
cp /configmaps/puppet.conf /etc/puppetlabs/puppet/puppet.conf
cp /configmaps/puppetdb.conf /etc/puppetlabs/puppet/puppetdb.conf
cp /configmaps/autosign.conf /etc/puppetlabs/puppet/autosign.conf
cp /configmaps/cobbler-enc /etc/puppetlabs/puppet/cobbler-enc
chmod +x /etc/puppetlabs/puppet/cobbler-enc
echo "Configmap files copied successfully"
volumeMounts:
- mountPath: /etc/puppetlabs/puppet/
name: puppet-puppet-volume
- mountPath: /configmaps/puppet.conf
name: compiler-puppet-conf
subPath: puppet.conf
- mountPath: /configmaps/puppetdb.conf
name: compiler-puppetdb-conf
subPath: puppetdb.conf
- mountPath: /configmaps/autosign.conf
name: compiler-autosign-conf
subPath: autosign.conf
- mountPath: /configmaps/cobbler-enc
name: puppet-cobbler-enc
subPath: cobbler-enc
- args: - args:
- mkdir -p /etc/puppetlabs/puppet/eyaml/keys; - mkdir -p /etc/puppetlabs/puppet/eyaml/keys;
mkdir -p /etc/puppetlabs/code/environments; mkdir -p /etc/puppetlabs/code/environments;
@@ -165,20 +181,24 @@ spec:
- name: puppet-code-volume - name: puppet-code-volume
persistentVolumeClaim: persistentVolumeClaim:
claimName: puppetserver-code-shared claimName: puppetserver-code-shared
- name: puppet-puppet-volume
persistentVolumeClaim:
claimName: puppetserver-compiler-config-shared
- name: eyaml-keys - name: eyaml-keys
secret: secret:
secretName: eyaml-keys secretName: eyaml-keys
defaultMode: 0600 defaultMode: 0600
updateStrategy: - name: compiler-puppet-conf
configMap:
name: compiler-puppet.conf
- name: compiler-puppetdb-conf
configMap:
name: compiler-puppetdb.conf
- name: compiler-autosign-conf
configMap:
name: compiler-autosign.conf
- name: puppet-cobbler-enc
configMap:
name: puppet-cobbler-enc
strategy:
type: RollingUpdate type: RollingUpdate
volumeClaimTemplates:
- metadata:
annotations: null
name: puppet-puppet-volume
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: cephrbd-fast-delete
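Review bot: The copy-configmaps init container places the ENC at `/etc/puppetlabs/puppet/cobbler-enc` and marks it executable, while the puppet.conf added in this same commit sets `external_nodes = /usr/local/bin/cobbler-enc`; unless the second init container (whose args run past the hunk) moves it there or the image already ships it, node classification fails on the first catalog request. The busybox script runs without `set -e`, so a failing `cp` (a missing ConfigMap key, for instance) still prints "copied successfully" and lets the main container start on a partial `/etc/puppetlabs/puppet`; `set -eu` as the first script line closes that. Because `puppet-puppet-volume` is the shared RWX claim `puppetserver-compiler-config-shared`, every replica's init container rewrites the same four files with non-atomic `cp`, so a compiler starting during another pod's init can read a truncated puppet.conf — copying to a temporary name and `mv`-ing into place, or using a per-pod emptyDir for these few small files, avoids the race. `busybox:1.35` is also pulled by mutable tag; pinning the digest keeps the init step reproducible.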
@@ -11,7 +11,7 @@ metadata:
spec: spec:
scaleTargetRef: scaleTargetRef:
apiVersion: apps/v1 apiVersion: apps/v1
kind: StatefulSet kind: Deployment
name: puppetserver-compiler name: puppetserver-compiler
minReplicas: 2 minReplicas: 2
maxReplicas: 5 maxReplicas: 5
+23 -1
@@ -31,4 +31,26 @@ resources:
- service_puppetca.yaml - service_puppetca.yaml
- service_puppetboard.yaml - service_puppetboard.yaml
- service_puppetdb.yaml - service_puppetdb.yaml
- statefulset_puppetserver-compiler.yaml - deployment_puppetserver-compiler.yaml
configMapGenerator:
- name: compiler-autosign.conf
files:
- resources/compiler/autosign.conf
options:
disableNameSuffixHash: true
- name: compiler-puppet.conf
files:
- resources/compiler/puppet.conf
options:
disableNameSuffixHash: true
- name: compiler-puppetdb.conf
files:
- resources/compiler/puppetdb.conf
options:
disableNameSuffixHash: true
- name: puppet-cobbler-enc
files:
- resources/cobbler-enc
options:
disableNameSuffixHash: true
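Review bot: With `disableNameSuffixHash: true` on all four generators, an edit to `resources/compiler/puppet.conf` or the other files leaves the ConfigMap names — and therefore the Deployment's pod template — unchanged, so nothing in kustomize triggers a rollout, and the new content only reaches the shared volume the next time an init container runs. That appears to be delegated to the `reloader.stakater.com/auto` annotation on the Deployment, but the dependency is invisible from this file; a comment above the block, e.g. `# stable names: rollout on change relies on the reloader annotation on the Deployment`, would make it explicit. Worth confirming reloader is actually deployed in this cluster, since without it stale config persists until pods are recreated for unrelated reasons.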
@@ -106,3 +106,21 @@ spec:
requests: requests:
storage: 1Gi storage: 1Gi
storageClassName: cephfs-raid6-delete storageClassName: cephfs-raid6-delete
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
app.kubernetes.io/component: puppetserver-compilers
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetserver-compiler-config-shared
namespace: puppet
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 10Gi
storageClassName: cephfs-raid6-delete
+50
@@ -0,0 +1,50 @@
#!/usr/bin/env -S uv run --quiet --script
# /// script
# requires-python = ">=3.11"
# dependencies = ['pyyaml','requests']
# ///
"""
External Node Classifier (ENC) for Puppet.
If the environment specified in the YAML file is 'testing',
the environment is not included in the output.
"""
import sys
import yaml
import requests
def fetch_enc_data(cobbler_url: str, hostname: str) -> str:
"""
Fetches and modifies ENC data from a given URL to ensure classes are in list format.
"""
url = f"{cobbler_url}/cblr/svc/op/puppet/hostname/{hostname}"
try:
response = requests.get(url, verify='/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem')
response.raise_for_status()
except requests.RequestException as e:
sys.exit(f"Request failed: {e}")
data = yaml.safe_load(response.text)
data["parameters"] = data.get("parameters", {})
# Ensure 'classes' is in the desired list format
if "classes" in data:
if isinstance(data["classes"], dict):
data["parameters"]["enc_role"] = list(data["classes"].keys())
data["classes"] = list(data["classes"].keys())
else:
data["parameters"]["enc_role"] = list(data["classes"])
data["classes"] = list(data["classes"])
if "environment" in data:
data["parameters"]["enc_env"] = data["environment"]
if data["environment"] == "testing":
del data["environment"]
return yaml.dump(data)
if __name__ == "__main__":
if len(sys.argv) != 2:
sys.exit(f"Usage: {sys.argv[0]} <hostname>")
print(fetch_enc_data("https://cobbler.main.unkin.net", sys.argv[1]))
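Review bot: `requests.get` in fetch_enc_data has no `timeout`, so an unresponsive Cobbler blocks the ENC — and with it catalog compilation on that compiler — until the server side gives up on the exec; a bounded request is better than an orphaned one. `yaml.safe_load(response.text)` returns `None` or a scalar for an empty or unexpected body, and `data.get(...)` on the next line then dies with an AttributeError traceback instead of a clean non-zero exit, so a mapping check after the load is needed. The hostname is interpolated into the URL path unquoted; certnames accepted by the Puppet CA are normally limited to a small character set, so this is hygiene rather than an exposure, but `quote(hostname, safe='')` (with `from urllib.parse import quote` added to the import block) costs nothing. Running under `uv run --script` also makes every ENC invocation depend on uv and a resolved pyyaml/requests environment inside the puppetserver image — a header comment noting where those are provisioned would help the next person debugging a classification failure.
```python
def fetch_enc_data(cobbler_url: str, hostname: str) -> str:
    url = f"{cobbler_url}/cblr/svc/op/puppet/hostname/{quote(hostname, safe='')}"
    try:
        response = requests.get(
            url,
            verify='/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem',
            timeout=(5, 30),  # constructed: connect/read seconds, tune to Cobbler's latency
        )
        response.raise_for_status()
    except requests.RequestException as e:
        sys.exit(f"Request failed: {e}")
    data = yaml.safe_load(response.text)
    if not isinstance(data, dict):
        sys.exit(f"Unexpected ENC payload for {hostname}: expected a YAML mapping")
    # … unchanged: classes/environment normalisation and return …
```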
@@ -0,0 +1,15 @@
# Autosign all nodes from these subnets
198.18.13.0/24
198.18.14.0/24
198.18.15.0/24
198.18.16.0/24
198.18.17.0/24
198.18.20.0/24
198.18.24.0/24
198.18.25.0/24
198.18.26.0/24
198.18.27.0/24
198.18.28.0/24
198.18.29.0/24
# Autosign all nodes from these domains
*.main.unkin.net
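Review bot: Basic autosigning with `*.main.unkin.net` signs any CSR whose certname matches the glob, and recent Puppet CA documentation describes autosign.conf as a certname whitelist only, so the twelve CIDR lines may never match a request and the domain glob would be the entire policy — worth confirming against the CA version in use before relying on the subnet list. The compilers ran with `CA_ENABLED=false` before this change and nothing here re-enables it, so this file is presumably only consulted by the puppetca pod; either way, the comment `# Autosign all nodes from these subnets` should state what the CA actually evaluates. If restricting enrolment to those networks is the intent, policy-based autosigning (an `autosign` executable that validates the CSR against an inventory or a pre-shared challenge) can enforce it where a glob cannot.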
@@ -0,0 +1,23 @@
[main]
server = puppetserver-compiler
serverport = 8140
dns_alt_names = puppetserver-compiler,puppet-headless,puppet,puppet.k8s.syd1.au.unkin.net
[server]
vardir = /opt/puppetlabs/server/data/puppetserver
logdir = /var/log/puppetlabs/puppetserver
rundir = /var/run/puppetlabs/puppetserver
pidfile = /var/run/puppetlabs/puppetserver/puppetserver.pid
codedir = /etc/puppetlabs/code
environmentpath = /etc/puppetlabs/code/environments
[master]
node_terminus = exec
external_nodes = /usr/local/bin/cobbler-enc
autosign = /etc/puppetlabs/puppet/autosign.conf
default_manifest = /etc/puppetlabs/code/environments/develop/manifests
default_environment = develop
storeconfigs = true
storeconfigs_backend = puppetdb
reports = puppetdb
usecacheonfailure = false
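Review bot: Server-side settings are split between `[server]` and `[master]`; `[master]` has been the deprecated alias of `[server]` since Puppet 6 and, with the labels here pointing at 8.8.0, whether it is still honoured should be confirmed — merging `node_terminus`, `external_nodes`, `autosign`, `default_manifest`, `default_environment`, `storeconfigs*` and `reports` into the existing `[server]` section removes both the question and a second place to look. `usecacheonfailure = false` is an agent-side setting and has no effect on the server unless a local agent runs in this image; if none does, dropping it or commenting why it is here keeps the file honest. The `external_nodes` path is discussed in the Deployment review.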
@@ -0,0 +1,3 @@
[main]
server_urls = https://puppetdb.k8s.syd1.au.unkin.net
soft_write_failure = true
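Review bot: `soft_write_failure = true` makes the terminus log rather than fail when catalogs, facts or reports cannot be written to PuppetDB, so compiles keep succeeding while exported resources and reports silently go stale; that is a defensible availability choice, but it needs an alert on the puppetserver log or on PuppetDB's command-queue metrics to be safe, and a comment here recording the trade-off. `server_urls` carries no port where the Deployment previously used `https://puppetdb:8081`; if the terminus does not default the port to 8081 this resolves to 443 on `puppetdb.k8s.syd1.au.unkin.net`, presumably an ingress — confirm that is intended and that the CA issuing that certificate is in the server's trust store.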