From cb1d562cb0141d9adeef50dc2dcd3e7a9f7b790f Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Thu, 19 Jun 2025 05:52:32 +1000 Subject: [PATCH] feat: migrate pupeptdb sql to patroni (#318) - change puppetdb::sql to using the patroni profile - change puppetdb::api to use new patroni cluster - remove references to puppetlabs-puppetdb managed database - update consul rules to enable sessions Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/318 --- hieradata/roles/infra/puppetdb/api.eyaml | 3 + hieradata/roles/infra/puppetdb/api.yaml | 12 ++++ hieradata/roles/infra/puppetdb/sql.eyaml | 3 + hieradata/roles/infra/puppetdb/sql.yaml | 69 +++++++++++++------ .../profiles/manifests/puppet/puppetdb_api.pp | 42 ++++++++--- .../profiles/manifests/puppet/puppetdb_sql.pp | 12 ---- site/profiles/manifests/sql/patroni.pp | 6 +- site/profiles/manifests/sql/postgresdb.pp | 3 +- site/roles/manifests/infra/puppetdb/sql.pp | 3 - 9 files changed, 100 insertions(+), 53 deletions(-) diff --git a/hieradata/roles/infra/puppetdb/api.eyaml b/hieradata/roles/infra/puppetdb/api.eyaml index 4bb4232..28ed0ca 100644 --- a/hieradata/roles/infra/puppetdb/api.eyaml +++ b/hieradata/roles/infra/puppetdb/api.eyaml 
@@ -1,2 +1,5 @@ profiles::puppet::puppetdb_api::public_cert: ENC[PKCS7,MIIJrQYJKoZIhvcNAQcDoIIJnjCCCZoCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEATUl7Aa6W6Q0gWWPet6fufBUtFUO7wCkED8w3NojkDYNR0Cine5+yWupy1FZ0d75mtdjI16DgZ9d2BhNlnbvPrZHuFSfBFj0s6lc0cYs1dpEUwPwPssmfNNfLe+73Fn0e43fguXisBYiE0Xn4x9UqGEIXXnwBqucIo4lkR0QAvhrmgEsNJKrxKV2isBZOnV40hrilnK3fLszGlfEfEuK1ZLrdtQV54Cl/Fpga8OOEk3Ji+WO/qC3WSQ+RWmc+si5L7w6raFLcHb3ZN96BHNVN2h2rBe85RRTg08LT+9Eyge3Fc0/+eoRmzTvnHMc4RptRfvopv5RGGyOma0mExmD6CzCCCG4GCSqGSIb3DQEHATAdBglghkgBZQMEASoEEB2t8I7YdvzPGIuGG1fUIViAgghAKhUoHO1UphPXu/KwYgo3xPSmWWF76B/ZKPd3SdzobYBsfK7CEhRiONU29W/wEzDdn7An2E16bIuecxT114z0i6OqQc3W92jBETWlpV1IRWs4DTb2QWjA4l74KdwRtltpeAKeFjSjuW2+L5UUOgGsaW4lxR0wP/uIqUT76/wQCoCAIw/i+YcIvIJDpeVPKSyaA6GFJbiT8CuG1SzD/1tb+XOxEf3WpeUwVNrPIO1ADjdi3cha6bJDa6Dvrtz8ornYwsfZ9cIlhDb6kmz938+EWpH5swCppfHcMncSd+R1zST6DzhN54+kvWGjvrN79m5+f0al/t3a85iZ6boLXSE8VkPLWZnlAt0ISdCtt0m7luxWWUN3AvmBmLZ5hhjnHUQC4RNCmu3BrjB7bN/nvInZQNcBlArhthiy/DpbdjLpF5kkUq+J+S7I898rG/B8lWrWjYsQvOUM/yiVbpCtsLJS9Pv1UjlkHcere6YgOq4gZKaESF19npV6SLU2MfC+Raefj1biE+haOOjpDdR+xQLAHmZqgOBUFMkYh1RH77zg2QPtz5aDLGypO/yVuJDcuSGV6qpoxc0uu7EmihfOg2cHF6FtSlStwFQYw3mG3oyuByv527lVRUjNHOx85bXeFccb96lyTzStAopLADo9nuOHjDxs6qzXj4h0y5w0ODh3Wyy/h4EXYaTrXuSB/FJJb1rvToC+XJ7ABxzt0rB8ySNtt+DFRssZQ5ZXWF6T88YKLcigKYGNTGmf92Iwpq6+hw0NEF1OWy7aHDzog6xORilgy6zcPTWkz2TUxzOuwN6Y0UeLlj+C4r+hl17/9aYhls6UJ+5xF+ZNcJmqEXqZ5HHykcYRwaWI0FF4tkbsto8Is2/aZVfeQc/2JZ+9IbLXlh1Km6hJxWJmw/S9RwTXVK7kGO/IlIoQiYTFYoeSU4RDPVUXZTBmGxuBmz37JPVMLXkL6tGUPwTz6pa+AMppT/qMLC8y2LhLm+eRsfz4w2ySc/kBR0FKsD0Z1h9h4zM+VtNnxaSYmxkFG77pX+bi/ToQqaydWblf0NPdw2t+uoULzkxxhX3wjZi8V9gGOhZ7s7YUKJFljZZYcl0MnDab+xGjD8DGiq/vHqTLXm8DYpVOxsryGIJ3zXf5KPvo8y6/wQAkKq6Vb4lraqkg9m5wGLxQDemE4h2OWgjcnWOXx/N9bcVO0xMyqrFo337wPoZ+hYQhwxzrfiQZ87nLe28OstaWS8OK6KoAx95LvMypaFURf+EoZkYO8wFiLmFBNAMMOkf/TJjmXoeDw46Qv1sZi57239pgzxz6RXEjd5TBURli7tSaniqKNarRY7ZoYymzYBv9Kyj6zQGgXxozhQsMsju9fTo2l+bXQ2siBljHnNkI+I3aO5Q6FLpM57h5xhA86ayJzfaKSbniMARGY2inG3qUfKafgQUvr
YBxaIxSBAg7LfE2GRJx8gEioATFZpclrm+0fP3xaXW3I/wiyl/EPKIP2aPP8lqJam/KWXZ46nYdgrKIrg51tXp/YUcgR6geZYHIBWkAgofJeThKPz9ervLzu3dYS0FgMiRcyCOXfI4nttW/QCNl5a19UXXYpSgj0MOAKuSZYkHYgaSt7DNt3sZtWLtCZ1M/QFLSiqsfUAULVwUJpOCS4Ul0Bn9gu038xCBCkaQ8VnSHtvl6NsCUHDhk/JGq5pmZjrE5zTEnlMBUBoQ1sun/HwLAnoX24KV+3pzwul0eCLm2pBndWvgnHsEY7COiookx7mwvg93xuejN7zQk/NAJp4L3haT5ueVTcUcEsTPmsIDMn2xg2HSGLum6yG02XPMBYJlG/GHtu2kuvOV2UFqxkzje4FB3cNishelQ1VRDOBJodt8xmfKkgPciFChEOVe5OY7AbBvKIBab+kjbG78guGReqkmePFkEtsnL7KouiERojAVsGXtvqOT2dQvO7xLrozLk+kY/Xk6HkGedmc2PUEc/CSKPy73k2a154ByzwfOaAaTM1XCvo4Ff7hTA7VHUu3rWpHmd2LZbKN1nlGbrrX0Wk0jt72OsRWRzgKp+81jEkNh/hbD9xCjmIbzdloOmcJJbcyikmThVpFaUMaHowZmrBtQxE7pR2ARbhVvNXH3fZQnIpxMcHEPoKh12pOTlp+GIO8H1EsGZ6tOjXniBiy/szoa8Oi/eJp/Co8uRoDSyBc5t6ZD6ciLHOVG4c0nCdMHaouA/EXNe/EOzLg4fYk7cLBNGoaBUo8LbXv0Z2tkhtE1ctl8NBvZS3X80VchtmQg7lVlqZUEkcXEtoadrjRpiWL9EW68mzjTsejePMNBb6CCL4zGqQwCfA1zUVtlNJslguClQ2u0IlqPjBYsj3Xy+leg24YrHKB1zEu1/aGuVxCBlJMozQj//5OCTp+1iO0EExnGBYjZuk8UTYrUj9FZeu5GiRlBvky1HBE/fq4LPD7l/Gr0npAwKJofIglA2DZe9Sr4VmA8oi4vsmbpmtyPLVa/pfVXrl/w2dLH/Y2TI8MbPFMvjtAgdlK6endrxpb9EC2YeWrFibDXL9EsOAXo5droa6WyIDoVr7GBZ0Faa19uW2IZf0fw02tz0L1Bg/4RopeIZpbH0CKCwpqg5GNb7gKvKkXt9ugI84ZGnF5CgrqXH+lXXtMgHsEkUQ6vAJeKioLSMVla6Pu/BdztDKBVuKTEzV/lH/nbR2qhjlIEm+AntndtRNU3J6Aakje0keGjDV66paCnh/v7fha3SOPkgCV8OxrqMDAUl9/RxB907OF/Ethg4F/gsWfwDJLcAoS206rV6r+VZyurb3xx6HSLFzh+MMBgNlJhf] profiles::puppet::puppetdb_api::private_cert: ENC[PKCS7,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] +puppetdb_postgres_password: ENC[PKCS7,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] +profiles::puppet::puppetdb_api::database_password: ENC[PKCS7,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] +profiles::puppet::puppetdb_api::read_database_password: ENC[PKCS7,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] diff --git a/hieradata/roles/infra/puppetdb/api.yaml b/hieradata/roles/infra/puppetdb/api.yaml index 784200a..76c6e0f 100644 --- a/hieradata/roles/infra/puppetdb/api.yaml 
+++ b/hieradata/roles/infra/puppetdb/api.yaml @@ -4,6 +4,18 @@ profiles::puppet::puppetdb_api::java_args: '-Xmx': '2048m' '-Xms': '256m' +profiles::puppet::puppetdb_api::read_database_host: 'replica.patroni-puppetdb-prod.service.consul' +profiles::puppet::puppetdb_api::read_database_port: 5432 +profiles::puppet::puppetdb_api::read_database_username: 'puppetdb-read' +profiles::puppet::puppetdb_api::read_database_name: 'puppetdb' +profiles::puppet::puppetdb_api::read_database_validate: true +profiles::puppet::puppetdb_api::database_host: 'master.patroni-puppetdb-prod.service.consul' +profiles::puppet::puppetdb_api::database_port: 5432 +profiles::puppet::puppetdb_api::database_username: 'puppetdb' +profiles::puppet::puppetdb_api::database_name: 'puppetdb' +profiles::puppet::puppetdb_api::database_validate: true + + profiles::puppet::client::dns_alt_names: - puppetdbapi.main.unkin.net - puppetdbapi.service.consul diff --git a/hieradata/roles/infra/puppetdb/sql.eyaml b/hieradata/roles/infra/puppetdb/sql.eyaml index c1c2c5d..0b3e1c5 100644 --- a/hieradata/roles/infra/puppetdb/sql.eyaml +++ b/hieradata/roles/infra/puppetdb/sql.eyaml 
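Review bot: The added `read_database_host` and `database_host` values hard-code `patroni-puppetdb-prod`, while sql.yaml in this same commit derives the cluster name from `%{facts.environment}`. If this role data is ever applied to a node in another environment, that node's PuppetDB would read from and write to the production cluster using the production credentials. Building the name the same way keeps the two files in step, e.g. `profiles::puppet::puppetdb_api::database_host: "master.patroni-puppetdb-%{facts.environment}.service.consul"` and the matching `replica.` form for the read host. Whether the `master.` and `replica.` tags resolve depends on how Patroni registers in Consul, which is not visible here.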
@@ -1 +1,4 @@ profiles::puppet::puppetdb_sql::consul_test_db_pass: ENC[PKCS7,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] +profiles::sql::patroni::superuser_password: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAImaYEH6ktU6KYDu96OtuJu11FbmE+b9YwrkJiv72QfuVivR7lGfieRKcvkrq3IsNcwhhnl1lzyMZHteib7jLEIiaq59AZFiZyfF2E5bhNYfW4QcDJd4QOheU2awkZkl6oaoMUxgWOnqvihYVLDfoJ0lj6hBTFuqIzO/KU+AJ4NMO3+/+AK9+HB0u/8Iyuev4RQBkvaRAoszCcFCWTAZJTmhOgWe4xJIxfbh0/5k/dmT5WQ1JPEQK7hnVly9iToROZJDjuyndNHbrhCQUg4+DYMPS2fZVWvcESfxN8lJjBFPojj9ZbG5mLlq1e4A4KiZNwHfA1V4D88VWOkRg65XtZDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBzToImdK5/pk3UeZPyavjTgDCcYBzwY/g353Pbh0xr/we8KmvsQEtfxPDuPm4Kv4hsD5X0dHu2nGzBAZq5uWcE3RE=] +profiles::sql::patroni::replication_password: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAWyCj+7WfzpTcpBg6uQ5ykGmLZmb/avW3Pc+VWj9bGvxSQCA8LA6HJlEhhL3mrJSTGUyHLgeEebEup9AVHe2k2l/JHIvhyfx7LI+mNDp8u5p40pM6ZxTdIJFOZmOS/nGjAR6mTv6Ennhpw4sWSDYXU0mJPTHGAked2FXV1xsS0zpTY7hccJHuww5ixOw6jP8E1Pu0ex4LmefOXApowf0jZ2pARndlsXwZldahUHIF48XejclpgCK9rTrb4eQsOZr5ozcj0BBpWg/JKNkQt8mQU5l5/z0GDT08Op8g6MVdJuOWr92uPqjc8sydrz0QAx4l8t1KY2fMWK7BPKqSdcOxiDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDEZBNd56BHVGRVfHDPPwZHgDAZKnqicbF/MVKPi1PwwyHrXMW/fWqocgr1zWx6RXWgXICqjJdEFXwFerXXb39RSDg=] +profiles::sql::patroni::postgres_exporter_pass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAL5brQt9CGFU7okDXZWF1jL1j+RbrQZhKfzGWyWl+SqRK6q+xH0LIzYQhOAji7tlDBzvFZpzglmzj0xDrAkQA46jg1DkR5+9Ozru9jL1nhg/6z/F54DlhAG7Ui0hjgSLal79VABLXa/cb9xJThx97b9xoOW+/vpfSKa4izFtkN9fliClFTVafxLlLLD/yABW99aq1OK+9MyCsppvs/rjWbXvjEKL+C0jawh4dBnc+tYJMHC/k5NIK0th4A/zSYVH5q6gFakpxrV2ubETIbVTDncC8zfRLhnrikZYNbCy5PuJb2a4vW1O0AOzUWqvqbRkWpYF7dJB9fzW/Tu8f8d10KTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAJS5PcA9aJvjGIfKSciLLpgDAU7xXGF+Sj+g1ABMvsenEmgXsdSKVU9ZYusIiGnPdFdN4EF9usi7g4SahochlG0NU=] 
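Review bot: The context key `profiles::puppet::puppetdb_sql::consul_test_db_pass` stays in this file, but the same commit comments out the Consul `psql-check` in sql.yaml and drops `include profiles::puppet::puppetdb_sql` from the role, so the secret looks unused after the change. If nothing else reads it, delete the key here and remove the matching database role, so a credential with no consumer does not remain valid. A one-line comment above the three added Patroni secrets saying which PostgreSQL account each belongs to would also help whoever rotates them later.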
diff --git a/hieradata/roles/infra/puppetdb/sql.yaml b/hieradata/roles/infra/puppetdb/sql.yaml index baae548..e7aacdb 100644 --- a/hieradata/roles/infra/puppetdb/sql.yaml +++ b/hieradata/roles/infra/puppetdb/sql.yaml 
@@ -1,36 +1,61 @@ --- +hiera_include: + - profiles::sql::patroni + +profiles::packages::include: + python3-devel: {} + libpq5-devel: {} + postgresql-devel: {} + postgresql_config_entries: max_connections: 300 shared_buffers: '256MB' -consul::services: - puppetdbsql: - service_name: 'puppetdbsql' - tags: - - 'puppet' - - 'puppetdb' - - 'database' - address: "%{facts.networking.ip}" - port: 5432 - checks: - - id: 'psql-check' - name: 'PostgreSQL Health Check' - args: - - '/usr/local/bin/check_consul_postgresql' - interval: '10s' - timeout: '1s' +profiles::sql::patroni::cluster_name: "patroni-puppetdb-%{facts.environment}" +profiles::sql::patroni::postgres_exporter_enabled: true +profiles::sql::patroni::postgres_exporter_user: postgres_exporter +profiles::sql::patroni::pgsql_version: "17" + +# FIXME: puppet-python wants to try manage python-dev, which is required by the ceph package +python::manage_dev_package: false + +#consul::services: +# "%{hiera('profiles::sql::patroni::cluster_name')}": +# service_name: "%{hiera('profiles::sql::patroni::cluster_name')}" +# tags: +# - 'puppet' +# - 'puppetdb' +# - 'database' +# address: "%{facts.networking.ip}" +# port: 5432 +# checks: +# - id: 'psql-check' +# name: 'PostgreSQL Health Check' +# args: +# - '/usr/local/bin/check_consul_postgresql' +# interval: '10s' +# timeout: '1s' profiles::consul::client::node_rules: - resource: service - segment: puppetdbsql + segment: "%{hiera('profiles::sql::patroni::cluster_name')}" + disposition: write + - resource: service_prefix + segment: "%{hiera('profiles::sql::patroni::cluster_name')}" + disposition: write + - resource: key_prefix + segment: "service/%{hiera('profiles::sql::patroni::cluster_name')}" + disposition: write + - resource: session_prefix + segment: "" disposition: write profiles::yum::global::repos: - postgresql-15: - name: postgresql-15 - descr: postgresql-15 repository + postgresql-17: + name: postgresql-17 + descr: postgresql-17 repository target: 
/etc/yum.repos.d/postgresql.repo - baseurl: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/15-daily/%{facts.os.architecture}/os - gpgkey: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/15-daily/%{facts.os.architecture}/os/PGDG-RPM-GPG-KEY-RHEL + baseurl: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/17-daily/%{facts.os.architecture}/os + gpgkey: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/17-daily/%{facts.os.architecture}/os/PGDG-RPM-GPG-KEY-RHEL postgresql-common: name: postgresql-common descr: postgresql-common repository diff --git a/site/profiles/manifests/puppet/puppetdb_api.pp b/site/profiles/manifests/puppet/puppetdb_api.pp index 03567b3..60cc180 100644 --- a/site/profiles/manifests/puppet/puppetdb_api.pp +++ b/site/profiles/manifests/puppet/puppetdb_api.pp @@ -2,10 +2,21 @@ class profiles::puppet::puppetdb_api ( String $private_cert, String $public_cert, - String $postgres_host = lookup('puppetdbsql'), - String $listen_address = $facts['networking']['ip'], - Stdlib::Absolutepath $java_bin = '/usr/bin/java', - Hash $java_args = {}, + Stdlib::Host $read_database_host, + Stdlib::Port $read_database_port, + String[1] $read_database_username, + String[1] $read_database_name, + String[1] $read_database_password, + Boolean $read_database_validate, + Stdlib::Host $database_host, + Stdlib::Port $database_port, + String[1] $database_username, + String[1] $database_name, + String[1] $database_password, + Boolean $database_validate, + String $listen_address = $facts['networking']['ip'], + Stdlib::Absolutepath $java_bin = '/usr/bin/java', + Hash $java_args = {}, ) { # wait for enc_role to match the required role 
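Review bot: The added `session_prefix` rule with `segment: ""` lets this node's token create and destroy sessions on every Consul node, which is wider than Patroni's leader lock needs. Consul matches session rules against the node name, so the segment can be narrowed to the node itself, e.g. `segment: "%{facts.networking.hostname}"`, assuming the agent registers under the short hostname. The `key_prefix` segment has no trailing slash, so it also matches any sibling cluster whose name begins with the same string. `segment: "service/%{hiera('profiles::sql::patroni::cluster_name')}/"` closes that gap, and the `service_prefix` rule has the same overlap.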
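Review bot: `$database_password` and `$read_database_password` are declared as `String[1]`, so the decrypted values are ordinary class parameters of `profiles::puppet::puppetdb_api` and are typically stored in the compiled catalog. The `Sensitive()` wrap in the `puppetdb::server` declaration further down only protects that one resource. Declaring them as `Sensitive[String[1]] $database_password,` and `Sensitive[String[1]] $read_database_password,`, with a `lookup_options` entry using `convert_to: 'Sensitive'` for both keys, keeps them redacted from the Hiera lookup onward. The class body continues outside this hunk.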
@@ -16,12 +27,23 @@ class profiles::puppet::puppetdb_api ( } class { 'puppetdb::server': - database_host => $postgres_host, - manage_firewall => false, - ssl_listen_address => $listen_address, - listen_address => $listen_address, - java_bin => $java_bin, - java_args => $java_args, + manage_firewall => false, + ssl_listen_address => $listen_address, + listen_address => $listen_address, + java_bin => $java_bin, + java_args => $java_args, + read_database_host => $read_database_host, + read_database_port => $read_database_port, + read_database_username => $read_database_username, + read_database_name => $read_database_name, + read_database_password => Sensitive($read_database_password), + read_database_validate => $read_database_validate, + database_host => $database_host, + database_port => $database_port, + database_username => $database_username, + database_name => $database_name, + database_password => Sensitive($database_password), + database_validate => $database_validate, } contain ::puppetdb::server diff --git a/site/profiles/manifests/puppet/puppetdb_sql.pp b/site/profiles/manifests/puppet/puppetdb_sql.pp index c13a778..b628d78 100644 --- a/site/profiles/manifests/puppet/puppetdb_sql.pp +++ b/site/profiles/manifests/puppet/puppetdb_sql.pp @@ -12,21 +12,9 @@ class profiles::puppet::puppetdb_sql ( ensure => 'disabled', name => 'postgresql', provider => 'dnfmodule', - before => Class['puppetdb::database::postgresql'], } } - # Install and configure PostgreSQL for PuppetDB - class { 'puppetdb::database::postgresql': - listen_addresses => $listen_address, - postgres_version => '15', - puppetdb_server => $puppetdb_host, - manage_package_repo => false, - require => [ Yumrepo['postgresql-15'],Yumrepo['postgresql-common'] ], - } - - contain ::puppetdb::database::postgresql - # create the postgresql::server::config_entry resources $pg_config_entries = lookup('postgresql_config_entries', Hash[String, Data], 'hash', {}) $pg_config_entries.each |String $key, Data $value| { 
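Review bot: Nothing in the new `puppetdb::server` declaration asks for TLS on the JDBC connections, although both database hosts are now remote Consul names and authentication is by password. Unless the module defaults or the Patroni `pg_hba` rules (neither visible here) already enforce it, the authentication exchange and all PuppetDB data cross the network unencrypted. Consider exposing the module's `jdbc_ssl_properties` and its read-database counterpart as class parameters and passing them through, e.g. `jdbc_ssl_properties => $jdbc_ssl_properties,`. The class body continues outside this hunk.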
diff --git a/site/profiles/manifests/sql/patroni.pp b/site/profiles/manifests/sql/patroni.pp index 45b91c4..ea29403 100644 --- a/site/profiles/manifests/sql/patroni.pp +++ b/site/profiles/manifests/sql/patroni.pp @@ -84,14 +84,10 @@ class profiles::sql::patroni ( ], } - $connect_settings = { - - } - # only apply changes to DBs/Users/Grants on master if ! $facts['psql_is_slave'] { # collect exported resources - $tag = "${facts['country']}-${facts['region']}-${facts['environment']}" + $tag = "${cluster_name}-${facts['country']}-${facts['region']}-${facts['environment']}" Profiles::Sql::Postgres::Db <<| tag == $tag |>> {} Profiles::Sql::Postgres::User <<| tag == $tag |>> {} Profiles::Sql::Postgres::Grant <<| tag == $tag |>> {} diff --git a/site/profiles/manifests/sql/postgresdb.pp b/site/profiles/manifests/sql/postgresdb.pp index 66b5268..2497e8c 100644 --- a/site/profiles/manifests/sql/postgresdb.pp +++ b/site/profiles/manifests/sql/postgresdb.pp @@ -2,6 +2,7 @@ class profiles::sql::postgresdb ( String $dbname, String $dbuser, String $dbpass, + String $cluster_name, Boolean $create_host_users = false, Boolean $members_lookup = false, String $members_role = undef, @@ -24,7 +25,7 @@ class profiles::sql::postgresdb ( $servers_array = $servers } - $tag = "${facts['country']}-${facts['region']}-${facts['environment']}" + $tag = "${cluster_name}-${facts['country']}-${facts['region']}-${facts['environment']}" # only export from the first server in a cluster if $servers_array[0] == $facts['networking']['fqdn'] { diff --git a/site/roles/manifests/infra/puppetdb/sql.pp b/site/roles/manifests/infra/puppetdb/sql.pp index 872e9b4..6248f4b 100644 --- a/site/roles/manifests/infra/puppetdb/sql.pp +++ b/site/roles/manifests/infra/puppetdb/sql.pp @@ -6,8 +6,5 @@ class roles::infra::puppetdb::sql { }else{ include profiles::defaults include profiles::base - if $facts['enc_role'] == 'roles::infra::puppetdb::sql' { - include profiles::puppet::puppetdb_sql - } } }
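Review bot: The new `$tag` string in patroni.pp is the only thing that decides which exported `Db`, `User` and `Grant` resources the cluster master realises, and the same format is rebuilt by hand in the second postgresdb.pp hunk of this patch. A small drift between the two would silently stop databases and grants from being collected. In addition, any node whose catalog exports one of these types with a matching tag obtains a role on the cluster. I would add a comment above the assignment such as `# must match the tag built in profiles::sql::postgresdb; every exporter of this tag is trusted to create roles and grants`, and ideally build the tag in one shared function. The `if` block closes outside the hunk.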
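Review bot: In postgresdb.pp, `String $cluster_name` accepts an empty string, which would produce a tag starting with `-` that no cluster collects, so the database, user and grants would silently never be created. `String[1] $cluster_name,` rejects that at compile time. The parameter is also mandatory with no default, so every existing consumer of `profiles::sql::postgresdb` must now supply it; none of that data is visible in this patch.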