feat: add host_volumes to nomad (#315)

- add puppet client certs
- add tls-ca-bundle

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/315

hieradata/roles/infra/nomad/agentv2.yaml

@@ -25,6 +25,19 @@ profiles::packages::include:
   consul-cni: {}
 
 profiles::nomad::node::client: true
+profiles::nomad::node::host_volumes:
+  - name: puppetclient_crt
+    path: /etc/puppetlabs/puppet/ssl/certs/ausyd1nxvm2040.main.unkin.net.pem
+    read_only: true
+  - name: puppetclient_key
+    path: /etc/puppetlabs/puppet/ssl/private_keys/ausyd1nxvm2040.main.unkin.net.pem
+    read_only: true
+  - name: puppetclient_ca
+    path: /etc/puppetlabs/puppet/ssl/certs/ca.pem
+    read_only: true
+  - name: tls-ca-bundle
+    path: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+    read_only: true
 
 # additional altnames
 profiles::pki::vault::alt_names:

site/profiles/manifests/nomad/node.pp

@@ -9,6 +9,7 @@ class profiles::nomad::node (
   Boolean $manage_user    = true,
   String  $user           = 'nomad',
   String  $group          = 'nomad',
+  Array   $host_volumes   = [],
 ){
 
   if $manage_user {
@@ -45,7 +46,6 @@ class profiles::nomad::node (
         require     => Profiles::Ceph::Keyring['nomad'],
       }
     }
-
   }
 
   file { $data_dir:

site/profiles/templates/nomad/config.hcl.erb

@@ -21,6 +21,13 @@ server {
 # Manage clients/agents
 client {
   enabled = true
+
+<%- @host_volumes.each do |volume| %>
+  host_volume "<%= volume['name'] %>" {
+    path      = "<%= volume['path'] %>"
+    read_only = <%= volume['read_only'] %>
+  }
+  <% end %>
 }
 plugin "docker" {
   config {