From 22bd213509d77182367c7c8131675ba0e90da114 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Fri, 24 May 2024 23:49:35 +1000 Subject: [PATCH] feat: moved puppetdb profiles - move puppetdb profiles to profiles::puppetdb namespace - add profile to manage puppetdb api ssl certificates --- hieradata/roles/infra.yaml | 1 - hieradata/roles/infra/puppetdb/api.yaml | 4 +- .../{puppet => puppetdb}/puppetdb_api.pp | 4 +- .../{puppet => puppetdb}/puppetdb_sql.pp | 2 +- site/profiles/manifests/puppetdb/ssl.pp | 44 +++++++++++++++++++ site/roles/manifests/infra/puppetdb/api.pp | 2 +- site/roles/manifests/infra/puppetdb/sql.pp | 2 +- 7 files changed, 52 insertions(+), 7 deletions(-) rename site/profiles/manifests/{puppet => puppetdb}/puppetdb_api.pp (94%) rename site/profiles/manifests/{puppet => puppetdb}/puppetdb_sql.pp (96%) create mode 100644 site/profiles/manifests/puppetdb/ssl.pp diff --git a/hieradata/roles/infra.yaml b/hieradata/roles/infra.yaml index 8c2ae06..339fa50 100644 --- a/hieradata/roles/infra.yaml +++ b/hieradata/roles/infra.yaml @@ -3,4 +3,3 @@ profiles::packages::install: - policycoreutils puppetdb::master::config::create_puppet_service_resource: false -#puppetdb::master::config::puppetdb_host: "%{lookup('profiles::puppet::puppetdb::puppetdb_host')}" diff --git a/hieradata/roles/infra/puppetdb/api.yaml b/hieradata/roles/infra/puppetdb/api.yaml index 784200a..d603aeb 100644 --- a/hieradata/roles/infra/puppetdb/api.yaml +++ b/hieradata/roles/infra/puppetdb/api.yaml @@ -1,6 +1,6 @@ --- -profiles::puppet::puppetdb_api::java_bin: /usr/lib/jvm/jre-11/bin/java -profiles::puppet::puppetdb_api::java_args: +profiles::puppetdb::puppetdb_api::java_bin: /usr/lib/jvm/jre-11/bin/java +profiles::puppetdb::puppetdb_api::java_args: '-Xmx': '2048m' '-Xms': '256m' 
diff --git a/site/profiles/manifests/puppet/puppetdb_api.pp b/site/profiles/manifests/puppetdb/puppetdb_api.pp similarity index 94% rename from site/profiles/manifests/puppet/puppetdb_api.pp rename to site/profiles/manifests/puppetdb/puppetdb_api.pp index 8c2177e..d4051fd 100644 --- a/site/profiles/manifests/puppet/puppetdb_api.pp +++ b/site/profiles/manifests/puppetdb/puppetdb_api.pp @@ -1,5 +1,5 @@ # configure the puppetdb api service -class profiles::puppet::puppetdb_api ( +class profiles::puppetdb::puppetdb_api ( String $postgres_host = lookup('puppetdbsql'), String $listen_address = $facts['networking']['ip'], Stdlib::Absolutepath $java_bin = '/usr/bin/java', @@ -29,6 +29,8 @@ class profiles::puppet::puppetdb_api ( export_scrape_job => true, } + include profiles::puppetdb::ssl + # export haproxy balancemember profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_8080": service => 'be_puppetdbapi', diff --git a/site/profiles/manifests/puppet/puppetdb_sql.pp b/site/profiles/manifests/puppetdb/puppetdb_sql.pp similarity index 96% rename from site/profiles/manifests/puppet/puppetdb_sql.pp rename to site/profiles/manifests/puppetdb/puppetdb_sql.pp index 1765003..ea83f13 100644 --- a/site/profiles/manifests/puppet/puppetdb_sql.pp +++ b/site/profiles/manifests/puppetdb/puppetdb_sql.pp @@ -1,5 +1,5 @@ # configure the puppetdb sql service -class profiles::puppet::puppetdb_sql ( +class profiles::puppetdb::puppetdb_sql ( String $puppetdb_host = lookup('puppetdbsql'), String $listen_address = $facts['networking']['ip'], ) { diff --git a/site/profiles/manifests/puppetdb/ssl.pp b/site/profiles/manifests/puppetdb/ssl.pp new file mode 100644 index 0000000..6ef8ba6 --- /dev/null +++ b/site/profiles/manifests/puppetdb/ssl.pp 
@@ -0,0 +1,44 @@
+# profiles::puppetdb::ssl
+class profiles::puppetdb::ssl (
+ $certname = $trusted['certname'],
+ $ssl_dir = '/etc/puppetlabs/puppetdb/ssl',
+ $ssl_owner = 'puppetdb',
+ $ssl_group = 'puppetdb',
+ $puppetdb_service = 'puppetdb',
+ $ca_source = '/etc/puppetlabs/puppet/ssl/certs/ca.pem',
+ $public_cert_source = "/etc/puppetlabs/puppet/ssl/certs/${trusted['certname']}.pem",
+ $private_key_source = "/etc/puppetlabs/puppet/ssl/private_keys/${trusted['certname']}.pem",
+) {
+
+ file { $ssl_dir:
+ ensure => directory,
+ owner => $ssl_owner,
+ group => $ssl_group,
+ recurse => true,
+ }
+
+ file { "${ssl_dir}/ca.pem":
+ ensure => file,
+ source => $ca_source,
+ owner => $ssl_owner,
+ group => $ssl_group,
+ notify => Service['puppetdb'],
+ }
+
+ file { "${ssl_dir}/public.pem":
+ ensure => file,
+ source => $public_cert_source,
+ owner => $ssl_owner,
+ group => $ssl_group,
+ notify => Service['puppetdb'],
+ }
+
+ file { "${ssl_dir}/private.pem":
+ ensure => file,
+ source => $private_key_source,
+ owner => $ssl_owner,
+ group => $ssl_group,
+ mode => '0600',
+ notify => Service['puppetdb'],
+ }
+}
diff --git a/site/roles/manifests/infra/puppetdb/api.pp b/site/roles/manifests/infra/puppetdb/api.pp
index 7d50c47..2f52eeb 100644
--- a/site/roles/manifests/infra/puppetdb/api.pp
+++ b/site/roles/manifests/infra/puppetdb/api.pp
@@ -6,6 +6,6 @@ class roles::infra::puppetdb::api {
 }else{
 include profiles::defaults
 include profiles::base
- include profiles::puppet::puppetdb_api
+ include profiles::puppetdb::puppetdb_api
 }
 }
diff --git a/site/roles/manifests/infra/puppetdb/sql.pp b/site/roles/manifests/infra/puppetdb/sql.pp
index 7f13859..6fcdbb7 100644
--- a/site/roles/manifests/infra/puppetdb/sql.pp
+++ b/site/roles/manifests/infra/puppetdb/sql.pp
@@ -6,6 +6,6 @@ class roles::infra::puppetdb::sql {
 }else{
 include profiles::defaults
 include profiles::base
- include profiles::puppet::puppetdb_sql
+ include profiles::puppetdb::puppetdb_sql
 }
 }
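Review bot: In the new site/profiles/manifests/puppetdb/ssl.pp, the `private.pem` resource copies the agent's private key with `mode => '0600'` but pins neither `show_diff => false` nor `backup => false`, so whether a replaced key is written to a filebucket or rendered in a diff depends on the agent version and site-wide defaults. Two parameters are declared and never used: every `notify` hard-codes `Service['puppetdb']` rather than `Service[$puppetdb_service]`, and both source defaults interpolate `${trusted['certname']}` instead of `${certname}`, so overriding either silently does nothing. The parameters are also untyped, although puppetdb_api.pp in the same commit already uses `Stdlib::Absolutepath`; typing the paths would reject a bad Hiera value at compile time. The `$ssl_dir` resource sets owner and group recursively but no `mode`, so the directory's permissions stay whatever the package or umask left; confirm that is intended.

```puppet
class profiles::puppetdb::ssl (
  String               $certname           = $trusted['certname'],
  # … unchanged: ssl_dir, ssl_owner, ssl_group, puppetdb_service, ca_source (add types) …
  Stdlib::Absolutepath $public_cert_source = "/etc/puppetlabs/puppet/ssl/certs/${certname}.pem",
  Stdlib::Absolutepath $private_key_source = "/etc/puppetlabs/puppet/ssl/private_keys/${certname}.pem",
) {
  # … unchanged: $ssl_dir, ca.pem and public.pem resources, each with notify => Service[$puppetdb_service] …
  file { "${ssl_dir}/private.pem":
    # … unchanged: ensure, source, owner, group, mode …
    show_diff => false,
    backup    => false,
    notify    => Service[$puppetdb_service],
  }
```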