From e9c7fbc2b5cb9160cad67c1b239dbdcae5b90314 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 5 May 2024 18:58:52 +1000
Subject: [PATCH 1/3] feat: update puppetdb_api for multi-zone
- wait for the enc_role fact to be updated and match
- move puppetdb db/api host values to common.yaml
- add vault cert altnames for consul query/service addresses
- add consul services/rules/checks
---
 hieradata/common.yaml | 3 +
 hieradata/roles/infra.yaml | 2 -
 hieradata/roles/infra/puppetdb/api.yaml | 29 +++++++++
 .../profiles/manifests/puppet/puppetdb_api.pp | 59 ++++++++++---------
 4 files changed, 63 insertions(+), 30 deletions(-)
diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 555a2b3..6baf98e 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -188,6 +188,9 @@ profiles::puppet::client::runtimeout: 3600
 profiles::puppet::client::show_diff: true
 profiles::puppet::client::usecacheonfailure: false
+profiles::puppet::puppetdb::puppetdb_host: prodinf01n04.main.unkin.net
+profiles::puppet::puppetdb::postgres_host: prodinf01n05.main.unkin.net
+
 prometheus::node_exporter::export_scrape_job: true
 prometheus::systemd_exporter::export_scrape_job: true
diff --git a/hieradata/roles/infra.yaml b/hieradata/roles/infra.yaml
index 3192355..8c2ae06 100644
--- a/hieradata/roles/infra.yaml
+++ b/hieradata/roles/infra.yaml
@@ -2,7 +2,5 @@
 profiles::packages::install:
 - policycoreutils
-profiles::puppet::puppetdb::puppetdb_host: prodinf01n04.main.unkin.net
-profiles::puppet::puppetdb::postgres_host: prodinf01n05.main.unkin.net
 puppetdb::master::config::create_puppet_service_resource: false
 #puppetdb::master::config::puppetdb_host: "%{lookup('profiles::puppet::puppetdb::puppetdb_host')}"
diff --git a/hieradata/roles/infra/puppetdb/api.yaml b/hieradata/roles/infra/puppetdb/api.yaml
index 551007e..b6f77cc 100644
--- a/hieradata/roles/infra/puppetdb/api.yaml
+++ b/hieradata/roles/infra/puppetdb/api.yaml
@@ -3,3 +3,32 @@ profiles::puppet::puppetdb_api::java_bin: /usr/lib/jvm/jre-11/bin/java
 profiles::puppet::puppetdb_api::java_args:
 '-Xmx': '512m'
 '-Xms': '256m'
+
+# additional altnames
+profiles::pki::vault::alt_names:
+ - puppetdbapi.main.unkin.net
+ - puppetdbapi.service.consul
+ - puppetdbapi.query.consul
+ - puppetdbapi
+
+consul::services:
+ puppetdbapi:
+ service_name: 'puppetdbapi'
+ tags:
+ - 'puppet'
+ - 'puppetdb'
+ - 'puppetdbapi'
+ address: "%{facts.networking.ip}"
+ port: 8080
+ checks:
+ - id: 'puppetdbapi_http_check'
+ name: 'PuppetDB API HTTP Check'
+ http: "http://%{facts.networking.fqdn}:8080"
+ method: 'GET'
+ tls_skip_verify: true
+ interval: '10s'
+ timeout: '1s'
+profiles::consul::client::node_rules:
+ - resource: service
+ segment: puppetdbapi
+ disposition: write
diff --git a/site/profiles/manifests/puppet/puppetdb_api.pp b/site/profiles/manifests/puppet/puppetdb_api.pp
index 214f163..e02db38 100644
--- a/site/profiles/manifests/puppet/puppetdb_api.pp
+++ b/site/profiles/manifests/puppet/puppetdb_api.pp
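Review bot: The `puppetdbapi_http_check` entry in hieradata/roles/infra/puppetdb/api.yaml probes `http://%{facts.networking.fqdn}:8080` yet sets `tls_skip_verify: true`, which has no effect on a plain-HTTP URL and would silently disable certificate verification if the check is later pointed at https. The same hunk adds the consul names to the Vault-issued certificate's alt names, which suggests TLS is the intended path, so I would delete the `tls_skip_verify: true` line now and verify against the issuing CA once the check moves to the TLS listener. Registering `port: 8080` also advertises PuppetDB's cleartext listener through service discovery while puppetdb_api.pp sets `manage_firewall => false`; nothing visible here limits who can reach that port, so confirm it is filtered elsewhere. A one-line comment above `port: 8080` such as `# cleartext PuppetDB listener; access is restricted by <mechanism>` would record that decision.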
@@ -6,37 +6,40 @@ class profiles::puppet::puppetdb_api (
 Hash $java_args = {},
 ) {
- class { 'java':
- package => 'java-11-openjdk-devel',
- before => Class['puppetdb::server'],
- }
+ # wait for enc_role to match the required role
+ if $facts['enc_role'] == 'roles::infra::puppetdb::api' {
+ class { 'java':
+ package => 'java-11-openjdk-devel',
+ before => Class['puppetdb::server'],
+ }
- class { 'puppetdb::server':
- database_host => $postgres_host,
- manage_firewall => false,
- ssl_listen_address => $listen_address,
- listen_address => $listen_address,
- java_bin => $java_bin,
- java_args => $java_args,
- }
+ class { 'puppetdb::server':
+ database_host => $postgres_host,
+ manage_firewall => false,
+ ssl_listen_address => $listen_address,
+ listen_address => $listen_address,
+ java_bin => $java_bin,
+ java_args => $java_args,
+ }
- contain ::puppetdb::server
+ contain ::puppetdb::server
- class { 'prometheus::puppetdb_exporter':
- puppetdb_url => "http://${listen_address}:8080/pdb/query",
- export_scrape_job => true,
- }
+ class { 'prometheus::puppetdb_exporter':
+ puppetdb_url => "http://${listen_address}:8080/pdb/query",
+ export_scrape_job => true,
+ }
- # export haproxy balancemember
- profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_8080":
- service => 'be_puppetdbapi',
- ports => [8080],
- options => [
- "cookie ${facts['networking']['hostname']}",
- 'check',
- 'inter 2s',
- 'rise 3',
- 'fall 2',
- ]
+ # export haproxy balancemember
+ profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_8080":
+ service => 'be_puppetdbapi',
+ ports => [8080],
+ options => [
+ "cookie ${facts['networking']['hostname']}",
+ 'check',
+ 'inter 2s',
+ 'rise 3',
+ 'fall 2',
+ ]
+ }
 }
 }
From 9e3b680b0b73739dc8be9ce9089e2b11b518d7ea Mon Sep 17 00:00:00 2001
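Review bot: The new `if $facts['enc_role'] == 'roles::infra::puppetdb::api'` guard in puppetdb_api.pp has no `else`, so a node whose fact never matches compiles an empty class and nothing in the report shows that PuppetDB, the exporter and the haproxy balancemember were skipped. I would add `} else { warning("puppetdb_api skipped on ${trusted['certname']}: enc_role fact does not match") }` so a stuck node is visible in the server log. `enc_role` is a fact reported by the agent, so the comment above the guard should say it is a convergence gate and not an authorization check, for example `# ordering gate only: enc_role is agent-reported; role assignment is enforced by the ENC`. The class header sits above this hunk, so the parameter defaults were not reviewed here.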
From: Ben Vincent
Date: Wed, 22 May 2024 22:11:51 +1000
Subject: [PATCH 2/3] feat: add prepared query for puppetdbapi
- merge to develop
- add prepared query for puppetdbapi
---
 hieradata/roles/infra/storage/consul.yaml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/hieradata/roles/infra/storage/consul.yaml b/hieradata/roles/infra/storage/consul.yaml
index 036e177..07bf60a 100644
--- a/hieradata/roles/infra/storage/consul.yaml
+++ b/hieradata/roles/infra/storage/consul.yaml
@@ -59,3 +59,9 @@ profiles::consul::prepared_query::rules:
 service_failover_n: 3
 service_only_passing: true
 ttl: 10
+ puppetdbapi:
+ ensure: 'present'
+ service_name: 'puppetdbapi'
+ service_failover_n: 3
+ service_only_passing: true
+ ttl: 10
From 770c8cc159ef877bdf5c442c5ab478e27975a442 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Wed, 22 May 2024 22:18:32 +1000
Subject: [PATCH 3/3] feat: update hiera key for puppetdb api/sql
- changed to use puppetdbapi and puppetdbsql hiera keys
- updated all classes that referenced old values
---
 hieradata/common.yaml | 5 +++--
 site/profiles/manifests/puppet/puppetboard.pp | 2 +-
 site/profiles/manifests/puppet/puppetdb_api.pp | 2 +-
 site/profiles/manifests/puppet/puppetdb_sql.pp | 2 +-
 site/profiles/manifests/puppet/puppetmaster.pp | 2 +-
 5 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index b909823..89259fc 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -200,8 +200,9 @@ profiles::puppet::client::runtimeout: 3600
 profiles::puppet::client::show_diff: true
 profiles::puppet::client::usecacheonfailure: false
-profiles::puppet::puppetdb::puppetdb_host: prodinf01n04.main.unkin.net
-profiles::puppet::puppetdb::postgres_host: prodinf01n05.main.unkin.net
+# puppetdb
+puppetdbapi: prodinf01n04.main.unkin.net
+puppetdbsql: prodinf01n05.main.unkin.net
 prometheus::node_exporter::export_scrape_job: true
 prometheus::systemd_exporter::export_scrape_job: true
diff --git a/site/profiles/manifests/puppet/puppetboard.pp b/site/profiles/manifests/puppet/puppetboard.pp
index 6a2bbb9..4130e73 100644
--- a/site/profiles/manifests/puppet/puppetboard.pp
+++ b/site/profiles/manifests/puppet/puppetboard.pp
@@ -8,7 +8,7 @@ class profiles::puppet::puppetboard (
 Integer $reports_count = 40,
 Boolean $offline_mode = true,
 String $default_environment = '*',
- String $puppetdb_host = lookup('profiles::puppet::puppetdb::puppetdb_host'),
+ String $puppetdb_host = lookup('puppetdbapi'),
 Stdlib::AbsolutePath $basedir = '/opt/puppetboard',
 Stdlib::Absolutepath $virtualenv_dir = "${basedir}/venv",
 Stdlib::Absolutepath $settings_file = "${basedir}/settings.py",
diff --git a/site/profiles/manifests/puppet/puppetdb_api.pp b/site/profiles/manifests/puppet/puppetdb_api.pp
index e02db38..8c2177e 100644
--- a/site/profiles/manifests/puppet/puppetdb_api.pp
+++ b/site/profiles/manifests/puppet/puppetdb_api.pp
@@ -1,6 +1,6 @@
 # configure the puppetdb api service
 class profiles::puppet::puppetdb_api (
- String $postgres_host = lookup('profiles::puppet::puppetdb::postgres_host'),
+ String $postgres_host = lookup('puppetdbsql'),
 String $listen_address = $facts['networking']['ip'],
 Stdlib::Absolutepath $java_bin = '/usr/bin/java',
 Hash $java_args = {},
diff --git a/site/profiles/manifests/puppet/puppetdb_sql.pp b/site/profiles/manifests/puppet/puppetdb_sql.pp
index 5afa9a5..1765003 100644
--- a/site/profiles/manifests/puppet/puppetdb_sql.pp
+++ b/site/profiles/manifests/puppet/puppetdb_sql.pp
@@ -1,6 +1,6 @@
 # configure the puppetdb sql service
 class profiles::puppet::puppetdb_sql (
- String $puppetdb_host = lookup('profiles::puppet::puppetdb::puppetdb_host'),
+ String $puppetdb_host = lookup('puppetdbsql'),
 String $listen_address = $facts['networking']['ip'],
 ) {
diff --git a/site/profiles/manifests/puppet/puppetmaster.pp b/site/profiles/manifests/puppet/puppetmaster.pp
index 79ce387..6ce7ca5 100644
--- a/site/profiles/manifests/puppet/puppetmaster.pp
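Review bot: In puppetdb_sql.pp the `$puppetdb_host` default now reads `lookup('puppetdbsql')`, which changes its value, not just the key name. The old key resolved to prodinf01n04.main.unkin.net, while `puppetdbsql` in common.yaml is prodinf01n05.main.unkin.net. The other two renames of the same old key (puppetboard.pp, puppetmaster.pp) go to `puppetdbapi`. The class body is outside this hunk, so this is inferred: if `$puppetdb_host` is used to decide which client may reach the database, the SQL node would now allow itself and not the API node. If the swap is not intended, the line should be `String $puppetdb_host = lookup('puppetdbapi'),`; if it is, a comment on the parameter should say why the SQL profile points at its own host.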
+++ b/site/profiles/manifests/puppet/puppetmaster.pp
@@ -3,7 +3,7 @@
 # This class manages the puppetmaster using the ghoneycutt-puppet module.
 # It manages the server settings in the puppet.conf file.
 class profiles::puppet::puppetmaster (
- Optional[Stdlib::Fqdn] $puppetdb_host = lookup('profiles::puppet::puppetdb::puppetdb_host', Optional[Stdlib::Fqdn], 'first', undef),
+ Optional[Stdlib::Fqdn] $puppetdb_host = lookup('puppetdbapi', Optional[Stdlib::Fqdn], 'first', undef),
 ) {
 if $facts['enc_role'] == 'roles::infra::puppet::master' {