unkin/puppet-prod
2
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request 'neoloc/consul_services' (#190) from neoloc/consul_services into develop

Browse Source 
Reviewed-on: unkinben/puppet-prod#190
This commit is contained in:
Ben Vincent 2024-04-28 16:40:02 +09:30
commit a141de8b74
3 changed files with 49 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
hieradata/common.yaml
View File

@ -63,6 +63,18 @@ lookup_options:
profiles::dns::master::keys: profiles::dns::master::keys:
merge: merge:
strategy: deep strategy: deep
consul::services:
merge:
strategy: deep
consul::watch:
merge:
strategy: deep
consul::check:
merge:
strategy: deep
profiles::consul::client::node_rules:
merge:
strategy: deep
facts_path: '/opt/puppetlabs/facter/facts.d' facts_path: '/opt/puppetlabs/facter/facts.d'
@ -87,6 +99,16 @@ profiles::consul::server::members_role: roles::infra::storage::consul
profiles::consul::token::node_editor::accessor_id: '024e27bd-c5bb-41e7-a578-b766509e11bc' profiles::consul::token::node_editor::accessor_id: '024e27bd-c5bb-41e7-a578-b766509e11bc'
profiles::consul::client::members_lookup: true profiles::consul::client::members_lookup: true
profiles::consul::client::members_role: roles::infra::storage::consul profiles::consul::client::members_role: roles::infra::storage::consul
profiles::consul::client::node_rules:
- resource: node
segment: "%{facts.networking.hostname}"
disposition: write
- resource: node
segment: "%{facts.networking.fqdn}"
disposition: write
- resource: node
segment: ''
disposition: read
profiles::packages::install: profiles::packages::install:
- bash-completion - bash-completion

20
hieradata/country/au/region/syd1/infra/storage/vault.yaml
View File

@ -1,2 +1,22 @@
--- ---
profiles::vault::server::primary_datacenter: 'au-syd1' profiles::vault::server::primary_datacenter: 'au-syd1'
consul::services:
vault:
service_name: 'vault'
tags:
- 'https'
- 'secure'
address: "%{facts.networking.ip}"
port: 443
checks:
- id: 'vault_https_check'
name: 'Vault HTTPS Check'
http: "https://%{facts.networking.fqdn}:443/v1/sys/health"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: vault
disposition: write

19
site/profiles/manifests/consul/client.pp
View File

@ -9,6 +9,7 @@ class profiles::consul::client (
String $members_role = undef, String $members_role = undef,
Array $consul_servers = [], Array $consul_servers = [],
Stdlib::Absolutepath $data_dir = '/opt/consul', Stdlib::Absolutepath $data_dir = '/opt/consul',
Array[Hash] $node_rules = [],
) { ) {
if $facts['enc_role'] != $members_role { if $facts['enc_role'] != $members_role {
@ -42,6 +43,11 @@ class profiles::consul::client (
'retry_join' => $servers_array, 'retry_join' => $servers_array,
'bind_addr' => $::facts['networking']['ip'], 'bind_addr' => $::facts['networking']['ip'],
'advertise_addr' => $::facts['networking']['ip'], 'advertise_addr' => $::facts['networking']['ip'],
'acl' => {
tokens => {
default => fqdn_uuid("${facts['networking']['fqdn']}-${secret_id_salt}")
}
}
}, },
} }
} }
@ -49,18 +55,7 @@ class profiles::consul::client (
# Create ACL policy that allows nodes to update themselves and read others # Create ACL policy that allows nodes to update themselves and read others
consul_policy { $facts['networking']['hostname']: consul_policy { $facts['networking']['hostname']:
description => "${facts['networking']['fqdn']} puppet-generated-policy", description => "${facts['networking']['fqdn']} puppet-generated-policy",
rules => [ rules => $node_rules,
{
'resource' => 'node',
'segment' => $facts['networking']['hostname'],
'disposition' => 'write'
},
{
'resource' => 'node',
'segment' => '',
'disposition' => 'read'
}
],
acl_api_token => $consul_api_token, acl_api_token => $consul_api_token,
hostname => $consul_hostname, hostname => $consul_hostname,
protocol => $consul_protocol, protocol => $consul_protocol,