From 7868609dba4c31752ca36fc3fe91487f8bbdccf6 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Fri, 20 Mar 2026 20:22:57 +1100 Subject: [PATCH] refactor: convert puppetserver compilers to deployment with configmap integration - Convert StatefulSet to Deployment for better scaling flexibility - Add initContainer to copy configmaps to shared RWX volume (10GB) - Integrate puppetserver-compiler-config configmap for environment variables - Configure configMapGenerator with stable names (disableNameSuffixHash) - Update HPA to target Deployment instead of StatefulSet - Simplify puppetboard SSL config to skip verification for internal connections --- .../puppet/configmap_puppetboard-config.yaml | 4 +- ... => deployment_puppetserver-compiler.yaml} | 80 ++++++++++++------- ...ler_puppetserver-compilers-autoscaler.yaml | 2 +- apps/base/puppet/kustomization.yaml | 24 +++++- apps/base/puppet/persistentvolumeclaims.yaml | 18 +++++ apps/base/puppet/resources/cobbler-enc | 50 ++++++++++++ .../puppet/resources/compiler/autosign.conf | 15 ++++ .../puppet/resources/compiler/puppet.conf | 23 ++++++ .../puppet/resources/compiler/puppetdb.conf | 3 + 9 files changed, 184 insertions(+), 35 deletions(-) rename apps/base/puppet/{statefulset_puppetserver-compiler.yaml => deployment_puppetserver-compiler.yaml} (71%) create mode 100755 apps/base/puppet/resources/cobbler-enc create mode 100644 apps/base/puppet/resources/compiler/autosign.conf create mode 100644 apps/base/puppet/resources/compiler/puppet.conf create mode 100644 apps/base/puppet/resources/compiler/puppetdb.conf diff --git a/apps/base/puppet/configmap_puppetboard-config.yaml b/apps/base/puppet/configmap_puppetboard-config.yaml index f61b620..a9f5740 100644 --- a/apps/base/puppet/configmap_puppetboard-config.yaml +++ b/apps/base/puppet/configmap_puppetboard-config.yaml 
@@ -12,9 +12,7 @@ metadata: data: PUPPETDB_HOST: "puppetdb" PUPPETDB_PORT: "8081" - PUPPETDB_SSL_VERIFY: "/opt/puppetboard/ssl/ca.pem" - PUPPETDB_KEY: "/opt/puppetboard/ssl/puppetboard.key" - PUPPETDB_CERT: "/opt/puppetboard/ssl/puppetboard.pem" + PUPPETDB_SSL_SKIP_VERIFY: "True" LOGLEVEL: "debug" PUPPETDB_TIMEOUT: "20" UNRESPONSIVE_HOURS: "3" diff --git a/apps/base/puppet/statefulset_puppetserver-compiler.yaml b/apps/base/puppet/deployment_puppetserver-compiler.yaml similarity index 71% rename from apps/base/puppet/statefulset_puppetserver-compiler.yaml rename to apps/base/puppet/deployment_puppetserver-compiler.yaml index 38824e6..bb17410 100644 --- a/apps/base/puppet/statefulset_puppetserver-compiler.yaml +++ b/apps/base/puppet/deployment_puppetserver-compiler.yaml @@ -1,5 +1,5 @@ apiVersion: apps/v1 -kind: StatefulSet +kind: Deployment metadata: annotations: reloader.stakater.com/auto: "true" @@ -11,12 +11,10 @@ metadata: name: puppetserver-compiler namespace: puppet spec: - podManagementPolicy: OrderedReady selector: matchLabels: app.kubernetes.io/component: puppetserver-compilers app.kubernetes.io/name: puppetserver - serviceName: puppet-headless template: metadata: labels: 
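Review bot: `PUPPETDB_SSL_SKIP_VERIFY: "True"` disables server-certificate verification on the puppetboard→PuppetDB connection, so the TLS session no longer proves it is talking to PuppetDB and anything on the path inside the cluster can impersonate it; "internal connections" in the commit message does not remove that exposure. If the problem was the client certificate, keep `PUPPETDB_SSL_VERIFY: "/opt/puppetboard/ssl/ca.pem"` and drop only `PUPPETDB_KEY`/`PUPPETDB_CERT`; if the CA file is no longer mounted, mounting the CA bundle is the fix rather than skipping verification. Note also that without `PUPPETDB_KEY`/`PUPPETDB_CERT` puppetboard no longer presents a client certificate, so this only works if the PuppetDB listener on 8081 accepts unauthenticated TLS clients — presumably a change made elsewhere, and worth stating in the commit description.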
@@ -41,26 +39,14 @@ spec: ports: - containerPort: 8140 name: puppetserver - envFrom: null + envFrom: + - configMapRef: + name: puppetserver-compiler-config env: - name: OPENVOXSERVER_HOSTNAME valueFrom: fieldRef: fieldPath: metadata.name - - name: OPENVOXSERVER_PORT - value: "8140" - - name: DNS_ALT_NAMES - value: puppetserver-compiler-0,puppetserver-compiler-1,puppetserver-compiler-2,puppetserver-compiler-3,puppetserver-compiler-4,puppet-headless,puppet,puppet.k8s.syd1.au.unkin.net - - name: OPENVOXDB_SERVER_URLS - value: https://puppetdb:8081 - - name: CA_ENABLED - value: "false" - - name: CA_HOSTNAME - value: puppetca - - name: CA_PORT - value: "8140" - - name: PUPPETSERVER_JAVA_ARGS - value: -Xms1024m -Xmx3072m -Dcom.sun.management.jmxremote.port=31000 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false livenessProbe: failureThreshold: 3 periodSeconds: 30 
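Review bot: `envFrom` now references ConfigMap `puppetserver-compiler-config`, but nothing in this commit creates it — the kustomization hunk only adds generators for the four file-based ConfigMaps — so unless it already exists in namespace `puppet` the pods will sit in `CreateContainerConfigError` (a `configMapRef` without `optional: true` is mandatory). If the removed env values were moved into that ConfigMap, the old `PUPPETSERVER_JAVA_ARGS` opened an unauthenticated, non-TLS JMX listener (`-Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false` on port 31000) and should be dropped or restricted rather than carried over; this cannot be checked here because the ConfigMap is not in the diff. `OPENVOXSERVER_HOSTNAME` is still derived from `metadata.name`, which for a Deployment is a random per-pod name, so each new replica will request a certificate for a fresh, never-reused certname; the `dns_alt_names` in the new puppet.conf covers the service names, but a comment stating that per-pod certname churn is intended would help the next reader. The container spec continues outside this hunk.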
@@ -109,6 +95,36 @@ spec: name: eyaml-keys readOnly: true initContainers: + - name: copy-configmaps + image: busybox:1.35 + command: + - sh + - -c + args: + - | + echo "Copying configmap files to shared volume..." + mkdir -p /etc/puppetlabs/puppet + cp /configmaps/puppet.conf /etc/puppetlabs/puppet/puppet.conf + cp /configmaps/puppetdb.conf /etc/puppetlabs/puppet/puppetdb.conf + cp /configmaps/autosign.conf /etc/puppetlabs/puppet/autosign.conf + cp /configmaps/cobbler-enc /etc/puppetlabs/puppet/cobbler-enc + chmod +x /etc/puppetlabs/puppet/cobbler-enc + echo "Configmap files copied successfully" + volumeMounts: + - mountPath: /etc/puppetlabs/puppet/ + name: puppet-puppet-volume + - mountPath: /configmaps/puppet.conf + name: compiler-puppet-conf + subPath: puppet.conf + - mountPath: /configmaps/puppetdb.conf + name: compiler-puppetdb-conf + subPath: puppetdb.conf + - mountPath: /configmaps/autosign.conf + name: compiler-autosign-conf + subPath: autosign.conf + - mountPath: /configmaps/cobbler-enc + name: puppet-cobbler-enc + subPath: cobbler-enc - args: - mkdir -p /etc/puppetlabs/puppet/eyaml/keys; mkdir -p /etc/puppetlabs/code/environments; @@ -165,20 +181,24 @@ spec: - name: puppet-code-volume persistentVolumeClaim: claimName: puppetserver-code-shared + - name: puppet-puppet-volume + persistentVolumeClaim: + claimName: puppetserver-compiler-config-shared - name: eyaml-keys secret: secretName: eyaml-keys defaultMode: 0600 - updateStrategy: + - name: compiler-puppet-conf + configMap: + name: compiler-puppet.conf + - name: compiler-puppetdb-conf + configMap: + name: compiler-puppetdb.conf + - name: compiler-autosign-conf + configMap: + name: compiler-autosign.conf + - name: puppet-cobbler-enc + configMap: + name: puppet-cobbler-enc + strategy: type: RollingUpdate - volumeClaimTemplates: - - metadata: - annotations: null - name: puppet-puppet-volume - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - storageClassName: cephrbd-fast-delete 
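Review bot: The `copy-configmaps` initContainer writes `puppet.conf`, `puppetdb.conf`, `autosign.conf` and `cobbler-enc` into `/etc/puppetlabs/puppet/` on a ReadWriteMany volume shared by every replica, and with a Deployment, `RollingUpdate` and the HPA several pods will run this `cp` concurrently while other replicas are already reading the files, so a running puppetserver can observe a half-written `puppet.conf`; the `sh -c` script also has no `set -e`, so a failed `cp` still prints "copied successfully" and the init container exits 0. Copy to a temporary name and `mv` into place (atomic rename on the same filesystem), or better, mount the ConfigMaps with `subPath` directly into the puppetserver container and drop the copy step and the PVC. Sharing the whole confdir also means that, if `ssldir` keeps its default of `$confdir/ssl`, all compilers now share one `ssl/` tree including private keys and will race on certificate generation — confirm `ssldir` is relocated or the shared volume is narrowed to the four files. The new puppet.conf sets `external_nodes = /usr/local/bin/cobbler-enc` while the script is copied to `/etc/puppetlabs/puppet/cobbler-enc`; unless the image already ships it at `/usr/local/bin`, the ENC will not be found (same point applies to the puppet.conf hunk), and `busybox:1.35` is pinned by tag only where a digest pin would make the init image reproducible.
```yaml
        args:
          - |
            set -e
            mkdir -p /etc/puppetlabs/puppet
            for f in puppet.conf puppetdb.conf autosign.conf cobbler-enc; do
              cp "/configmaps/$f" "/etc/puppetlabs/puppet/.$f.tmp"
              mv "/etc/puppetlabs/puppet/.$f.tmp" "/etc/puppetlabs/puppet/$f"
            done
            chmod +x /etc/puppetlabs/puppet/cobbler-enc
        # … unchanged: volumeMounts …
```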
diff --git a/apps/base/puppet/horizontalpodautoscaler_puppetserver-compilers-autoscaler.yaml b/apps/base/puppet/horizontalpodautoscaler_puppetserver-compilers-autoscaler.yaml index f28e373..cdf4f62 100644 --- a/apps/base/puppet/horizontalpodautoscaler_puppetserver-compilers-autoscaler.yaml +++ b/apps/base/puppet/horizontalpodautoscaler_puppetserver-compilers-autoscaler.yaml @@ -11,7 +11,7 @@ metadata: spec: scaleTargetRef: apiVersion: apps/v1 - kind: StatefulSet + kind: Deployment name: puppetserver-compiler minReplicas: 2 maxReplicas: 5 diff --git a/apps/base/puppet/kustomization.yaml b/apps/base/puppet/kustomization.yaml index b169986..65866d4 100644 --- a/apps/base/puppet/kustomization.yaml +++ b/apps/base/puppet/kustomization.yaml @@ -31,4 +31,26 @@ resources: - service_puppetca.yaml - service_puppetboard.yaml - service_puppetdb.yaml - - statefulset_puppetserver-compiler.yaml + - deployment_puppetserver-compiler.yaml + +configMapGenerator: + - name: compiler-autosign.conf + files: + - resources/compiler/autosign.conf + options: + disableNameSuffixHash: true + - name: compiler-puppet.conf + files: + - resources/compiler/puppet.conf + options: + disableNameSuffixHash: true + - name: compiler-puppetdb.conf + files: + - resources/compiler/puppetdb.conf + options: + disableNameSuffixHash: true + - name: puppet-cobbler-enc + files: + - resources/cobbler-enc + options: + disableNameSuffixHash: true diff --git a/apps/base/puppet/persistentvolumeclaims.yaml b/apps/base/puppet/persistentvolumeclaims.yaml index d89b812..dda0468 100644 --- a/apps/base/puppet/persistentvolumeclaims.yaml +++ b/apps/base/puppet/persistentvolumeclaims.yaml 
@@ -106,3 +106,21 @@ spec: requests: storage: 1Gi storageClassName: cephfs-raid6-delete +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + labels: + app.kubernetes.io/component: puppetserver-compilers + app.kubernetes.io/instance: puppetserver + app.kubernetes.io/name: puppetserver + app.kubernetes.io/version: 8.8.0 + name: puppetserver-compiler-config-shared + namespace: puppet +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 10Gi + storageClassName: cephfs-raid6-delete diff --git a/apps/base/puppet/resources/cobbler-enc b/apps/base/puppet/resources/cobbler-enc new file mode 100755 index 0000000..99f2f63 --- /dev/null +++ b/apps/base/puppet/resources/cobbler-enc 
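Review bot: `puppetserver-compiler-config-shared` requests `10Gi` ReadWriteMany for four configuration files of a few kilobytes; if the copy step in the Deployment is kept, a request in the order of `storage: 100Mi` (constructed value) is plenty, and if the ConfigMaps are mounted directly into the container this claim is not needed at all. Because the volume becomes the compilers' entire `/etc/puppetlabs/puppet/`, it will also hold whatever the pods write there at runtime (certificates, if `ssldir` is not relocated), and the storage class name `cephfs-raid6-delete` suggests that content goes away with the claim — a comment on the PVC stating what is expected to live on it would make that explicit.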
@@ -0,0 +1,50 @@ +#!/usr/bin/env -S uv run --quiet --script +# /// script +# requires-python = ">=3.11" +# dependencies = ['pyyaml','requests'] +# /// +""" +External Node Classifier (ENC) for Puppet. + +If the environment specified in the YAML file is 'testing', +the environment is not included in the output. +""" + +import sys +import yaml +import requests + +def fetch_enc_data(cobbler_url: str, hostname: str) -> str: + """ + Fetches and modifies ENC data from a given URL to ensure classes are in list format. + """ + url = f"{cobbler_url}/cblr/svc/op/puppet/hostname/{hostname}" + try: + response = requests.get(url, verify='/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem') + response.raise_for_status() + except requests.RequestException as e: + sys.exit(f"Request failed: {e}") + + data = yaml.safe_load(response.text) + data["parameters"] = data.get("parameters", {}) + + # Ensure 'classes' is in the desired list format + if "classes" in data: + if isinstance(data["classes"], dict): + data["parameters"]["enc_role"] = list(data["classes"].keys()) + data["classes"] = list(data["classes"].keys()) + else: + data["parameters"]["enc_role"] = list(data["classes"]) + data["classes"] = list(data["classes"]) + + if "environment" in data: + data["parameters"]["enc_env"] = data["environment"] + if data["environment"] == "testing": + del data["environment"] + + return yaml.dump(data) + +if __name__ == "__main__": + if len(sys.argv) != 2: + sys.exit(f"Usage: {sys.argv[0]} ") + print(fetch_enc_data("https://cobbler.main.unkin.net", sys.argv[1])) diff --git a/apps/base/puppet/resources/compiler/autosign.conf b/apps/base/puppet/resources/compiler/autosign.conf new file mode 100644 index 0000000..c7ffc94 --- /dev/null +++ b/apps/base/puppet/resources/compiler/autosign.conf 
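Review bot: `fetch_enc_data` interpolates the name from `sys.argv[1]` straight into the request path, and Puppet invokes an `exec` ENC with the node's certname, so a certname containing `/`, `?` or `#` changes which Cobbler endpoint is queried; build the path with `urllib.parse.quote(hostname, safe="")`. `requests.get` has no `timeout`, so a stalled Cobbler holds the ENC — and with it catalog compilation — indefinitely; add `timeout=10` (value to be tuned) alongside the existing `verify=`. The inline script metadata lists `pyyaml` and `requests` without version bounds, so `uv run --script` resolves and downloads them on first execution inside the compiler pod, which requires `uv` in the puppetserver image plus network egress to PyPI and makes the ENC's dependency set non-reproducible; pin both versions or install them into the image, and say which in the module docstring. The usage message `f"Usage: {sys.argv[0]} "` appears to have lost its argument placeholder (possibly in rendering); it should name the hostname argument.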
@@ -0,0 +1,15 @@
+# Autosign all nodes from these subnets
+198.18.13.0/24
+198.18.14.0/24
+198.18.15.0/24
+198.18.16.0/24
+198.18.17.0/24
+198.18.20.0/24
+198.18.24.0/24
+198.18.25.0/24
+198.18.26.0/24
+198.18.27.0/24
+198.18.28.0/24
+198.18.29.0/24
+# Autosign all nodes from these domains
+*.main.unkin.net
diff --git a/apps/base/puppet/resources/compiler/puppet.conf b/apps/base/puppet/resources/compiler/puppet.conf
new file mode 100644
index 0000000..fad2e46
--- /dev/null
+++ b/apps/base/puppet/resources/compiler/puppet.conf
@@ -0,0 +1,23 @@
+[main]
+server = puppetserver-compiler
+serverport = 8140
+dns_alt_names = puppetserver-compiler,puppet-headless,puppet,puppet.k8s.syd1.au.unkin.net
+
+[server]
+vardir = /opt/puppetlabs/server/data/puppetserver
+logdir = /var/log/puppetlabs/puppetserver
+rundir = /var/run/puppetlabs/puppetserver
+pidfile = /var/run/puppetlabs/puppetserver/puppetserver.pid
+codedir = /etc/puppetlabs/code
+environmentpath = /etc/puppetlabs/code/environments
+
+[master]
+node_terminus = exec
+external_nodes = /usr/local/bin/cobbler-enc
+autosign = /etc/puppetlabs/puppet/autosign.conf
+default_manifest = /etc/puppetlabs/code/environments/develop/manifests
+default_environment = develop
+storeconfigs = true
+storeconfigs_backend = puppetdb
+reports = puppetdb
+usecacheonfailure = false
diff --git a/apps/base/puppet/resources/compiler/puppetdb.conf b/apps/base/puppet/resources/compiler/puppetdb.conf
new file mode 100644
index 0000000..72bc228
--- /dev/null
+++ b/apps/base/puppet/resources/compiler/puppetdb.conf
@@ -0,0 +1,3 @@
+[main]
+server_urls = https://puppetdb.k8s.syd1.au.unkin.net
+soft_write_failure = true
--
2.47.3
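Review bot: The entries `198.18.13.0/24` through `198.18.29.0/24` in autosign.conf will never match anything, because Puppet's basic autosign whitelist compares each line against the CSR's certname (an exact name or a `*.domain` glob), not against the requesting agent's source address; the only effective line is `*.main.unkin.net`, which signs any CSR whose certname ends in `.main.unkin.net`, i.e. any host that can reach the CA and chooses such a name. If the intent is to restrict signing by network, that is a policy-based autosign script (`autosign = /path/to/script`) plus a network policy, not this file. The removed compiler env had `CA_ENABLED: "false"` and `CA_HOSTNAME: puppetca`, so if the CA still runs in the `puppetca` pod this file is inert on the compilers and the equivalent entries presumably live there; at minimum the comment `# Autosign all nodes from these subnets` should be corrected so nobody relies on subnet matching.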
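Review bot: `[master]` is the deprecated legacy name for the `[server]` section, and this file already has a `[server]` section, so `node_terminus`, `external_nodes`, `autosign`, `storeconfigs`, `storeconfigs_backend` and `reports` should be merged under `[server]`; on a Puppet 8 image (the PVC labels say `8.8.0`) confirm settings under the legacy name are still honored at all. `external_nodes = /usr/local/bin/cobbler-enc` does not match where the initContainer copies the script (`/etc/puppetlabs/puppet/cobbler-enc`); unless the image ships it at `/usr/local/bin`, one of the two paths must change. `usecacheonfailure` is an agent-side setting and has no effect in a server section if this puppet.conf is only read by puppetserver — if an agent in the same pod reads it, a comment saying so would avoid it being "cleaned up".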
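Review bot: `server_urls = https://puppetdb.k8s.syd1.au.unkin.net` points the compilers at an external name rather than the in-cluster `puppetdb` service on 8081 that puppetboard (and the removed `OPENVOXDB_SERVER_URLS`) use, so catalog and report traffic depends on whatever terminates TLS at that name; if that is intentional, a comment stating why would help. `soft_write_failure = true` turns PuppetDB write failures into log entries only, so facts and reports silently go missing while that endpoint is unreachable — that trade-off deserves a comment too.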