From 39aa6e114eb97c82ba6b2431609abe71e897b4fb Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Mon, 20 May 2024 21:07:37 +1000 Subject: [PATCH] feat: puppetdb sql updates - add consul support - enable local script checks in consul agents - add a test DB/User for consult to verify the psql instance is running - manage the postgresql repo and gpg key --- hieradata/roles/infra/puppetdb/sql.eyaml | 1 + hieradata/roles/infra/puppetdb/sql.yaml | 35 +++++++++++++++++++ site/profiles/manifests/consul/client.pp | 17 ++++----- .../profiles/manifests/puppet/puppetdb_sql.pp | 24 +++++++++++-- .../puppetdb/check_consul_postgresql.erb | 2 ++ site/roles/manifests/infra/puppetdb/sql.pp | 4 ++- 6 files changed, 71 insertions(+), 12 deletions(-) create mode 100644 hieradata/roles/infra/puppetdb/sql.eyaml create mode 100644 site/profiles/templates/puppetdb/check_consul_postgresql.erb diff --git a/hieradata/roles/infra/puppetdb/sql.eyaml b/hieradata/roles/infra/puppetdb/sql.eyaml new file mode 100644 index 0000000..c1c2c5d --- /dev/null +++ b/hieradata/roles/infra/puppetdb/sql.eyaml @@ -0,0 +1 @@ +profiles::puppet::puppetdb_sql::consul_test_db_pass: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAes6pfgtxctlXpsD+P5bahGP46nbXdPE3EiwdWPSiFP0MKfzFKbhlfOMydhz09fXHEa5mpOY3YHxN9W0tNmbs6mMvHIKKvNog6yowv7JnsQ+D89+c3JEdbi+DPwk6wVnKQEgnSn5uzoOHJVOd7hhtX85n1VTw9iTtSPGZprh11A3VII8dkUaPu6jc35rDGV6tgPvxaYy2vVH/b7wGP+kEe9WjoYU7Qw3odrY2yloGbQ3zXGh7ZXvK9iswKIuCLAMPoaUyJpzVooV7VqD4k/zEHhRgf88RMtww//9P8OHPJ9JPM2q3zHyZzoqRfOP723AP9z2V7OyhEoUNw5npaA6TpzBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBJevTZmH+Qm1mxwNxHdOzHgCAelk9abLhQkUO29O5d2PP04OTTlmK51BxHb203jqZSFQ==] diff --git a/hieradata/roles/infra/puppetdb/sql.yaml b/hieradata/roles/infra/puppetdb/sql.yaml index 0d6409a..838300d 100644 --- a/hieradata/roles/infra/puppetdb/sql.yaml +++ b/hieradata/roles/infra/puppetdb/sql.yaml 
@@ -2,3 +2,38 @@ postgresql_config_entries: max_connections: 300 shared_buffers: '256MB' + +consul::services: + puppetdbsql: + service_name: 'puppetdbsql' + tags: + - 'puppet' + - 'puppetdb' + - 'database' + address: "%{facts.networking.ip}" + port: 5432 + checks: + - id: 'psql-check' + name: 'PostgreSQL Health Check' + args: + - '/usr/local/bin/check_consul_postgresql' + interval: '10s' + timeout: '1s' +profiles::consul::client::node_rules: + - resource: service + segment: puppetdbsql + disposition: write + +profiles::yum::global::repos: + postgresql-15: + name: postgresql-15 + descr: postgresql-15 repository + target: /etc/yum.repos.d/postgresql.repo + baseurl: https://edgecache.query.consul/postgres/yum/15/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture} + gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL + postgresql-common: + name: postgresql-common + descr: postgresql-common repository + target: /etc/yum.repos.d/postgresql.repo + baseurl: https://edgecache.query.consul/postgres/yum/common/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture} + gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL diff --git a/site/profiles/manifests/consul/client.pp b/site/profiles/manifests/consul/client.pp index 4524b87..d1d82d8 100644 --- a/site/profiles/manifests/consul/client.pp +++ b/site/profiles/manifests/consul/client.pp 
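Review bot: Both new `profiles::yum::global::repos` entries (`postgresql-15` and `postgresql-common`) set `gpgkey` but not `gpgcheck`, so whether package signatures are verified depends on a default that is not visible in this hunk. Assuming these keys are passed through to `yumrepo`, add `gpgcheck: 1` to each entry to make verification explicit. The key is also fetched from the same `edgecache.query.consul` mirror that serves the packages, so a poisoned cache could supply a matching key and package together. Consider distributing the PGDG key from the control repo and pointing `gpgkey` at a local `file://` path instead.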
@@ -36,14 +36,15 @@ class profiles::consul::client ( # deploy the consul agent class { 'consul': config_hash => { - 'data_dir' => $data_dir, - 'datacenter' => $consul_cluster, - 'log_level' => 'INFO', - 'node_name' => $facts['networking']['fqdn'], - 'retry_join' => $servers_array, - 'bind_addr' => $::facts['networking']['ip'], - 'advertise_addr' => $::facts['networking']['ip'], - 'acl' => { + 'data_dir' => $data_dir, + 'datacenter' => $consul_cluster, + 'log_level' => 'INFO', + 'node_name' => $facts['networking']['fqdn'], + 'retry_join' => $servers_array, + 'bind_addr' => $::facts['networking']['ip'], + 'advertise_addr' => $::facts['networking']['ip'], + 'enable_script_checks' => true, + 'acl' => { tokens => { default => fqdn_uuid("${facts['networking']['fqdn']}-${secret_id_salt}") } diff --git a/site/profiles/manifests/puppet/puppetdb_sql.pp b/site/profiles/manifests/puppet/puppetdb_sql.pp index 5afa9a5..096fb7b 100644 --- a/site/profiles/manifests/puppet/puppetdb_sql.pp +++ b/site/profiles/manifests/puppet/puppetdb_sql.pp @@ -2,6 +2,7 @@ class profiles::puppet::puppetdb_sql ( String $puppetdb_host = lookup('profiles::puppet::puppetdb::puppetdb_host'), String $listen_address = $facts['networking']['ip'], + String $consul_test_db_pass = '', ) { # disable the postgresql dnf module for el8+ @@ -17,9 +18,11 @@ class profiles::puppet::puppetdb_sql ( # Install and configure PostgreSQL for PuppetDB class { 'puppetdb::database::postgresql': - listen_addresses => $listen_address, - postgres_version => '15', - puppetdb_server => $puppetdb_host, + listen_addresses => $listen_address, + postgres_version => '15', + puppetdb_server => $puppetdb_host, + manage_package_repo => false, + require => [ Yumrepo['postgresql-15'],Yumrepo['postgresql-common'] ], } contain ::puppetdb::database::postgresql 
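Review bot: `'enable_script_checks' => true` enables more than the "local script checks" the commit message describes. In Consul this option allows script checks however they are registered, including through the agent HTTP API, while `enable_local_script_checks` limits them to checks defined in the agent's local configuration files. The new `psql-check` is delivered through configuration, so `'enable_local_script_checks' => true,` should be sufficient, and it stops API-registered checks from running commands on the agents that use this profile. The `config_hash` continues past the end of the hunk.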
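Review bot: The new parameter `String $consul_test_db_pass = '',` in `profiles::puppet::puppetdb_sql` lets the catalog compile with an empty password when the eyaml key is missing or not found for a node. The later hunk would then create `consul_test_user` with that empty value on a server that listens on `$listen_address`. Drop the default and require a non-empty value, `String[1] $consul_test_db_pass,`, so missing data fails at compile time. The class body continues outside the hunk.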
@@ -32,4 +35,19 @@ class profiles::puppet::puppetdb_sql ( value => $value, } } + + # create consul database + user to test the host is responsive + postgresql::server::db { 'consul_test_db': + user => 'consul_test_user', + password => postgresql::postgresql_password('consul_test_user', Sensitive($consul_test_db_pass) ), + } + + file { '/usr/local/bin/check_consul_postgresql': + ensure => 'file', + owner => 'root', + group => 'root', + mode => '0755', + content => template('profiles/puppetdb/check_consul_postgresql.erb'), + before => Class['profiles::consul::client'], + } } diff --git a/site/profiles/templates/puppetdb/check_consul_postgresql.erb b/site/profiles/templates/puppetdb/check_consul_postgresql.erb new file mode 100644 index 0000000..9d651d7 --- /dev/null +++ b/site/profiles/templates/puppetdb/check_consul_postgresql.erb @@ -0,0 +1,2 @@ +#!/usr/bin/bash +PGPASSWORD=<%= @consul_test_db_pass %> /usr/bin/psql -U consul_test_user -d consul_test_db -h <%= @facts['networking']['ip'] %> -p 5432 -c "SELECT 1" diff --git a/site/roles/manifests/infra/puppetdb/sql.pp b/site/roles/manifests/infra/puppetdb/sql.pp index 7f13859..872e9b4 100644 --- a/site/roles/manifests/infra/puppetdb/sql.pp +++ b/site/roles/manifests/infra/puppetdb/sql.pp @@ -6,6 +6,8 @@ class roles::infra::puppetdb::sql { }else{ include profiles::defaults include profiles::base - include profiles::puppet::puppetdb_sql + if $facts['enc_role'] == 'roles::infra::puppetdb::sql' { + include profiles::puppet::puppetdb_sql + } } }
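Review bot: The `file { '/usr/local/bin/check_consul_postgresql': }` resource uses `mode => '0755'`, but the rendered template embeds the database password in clear text, so every local account can read it. Restrict the file to the account the Consul agent runs as, for example `mode => '0750'` with `group` set to that account's group (the account name is not visible in this diff). The content is a plain string, so the password can also appear in file diffs in agent logs and reports. Add `show_diff => false,` or pass `content => Sensitive(template('profiles/puppetdb/check_consul_postgresql.erb')),`.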
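Review bot: `PGPASSWORD=<%= @consul_test_db_pass %>` in `check_consul_postgresql.erb` is interpolated unquoted into a bash script, so a password containing whitespace or shell metacharacters will break the check or be interpreted by the shell. Escape it at render time with `<% require 'shellwords' %>` and `PGPASSWORD=<%= Shellwords.escape(@consul_test_db_pass) %>`. A cleaner option is to keep the secret out of the script entirely: put it in a password file readable only by the check's account and point `PGPASSFILE` at it. That leaves the script itself free of secrets.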