feat: update puppetdb_api for multi-zone

- wait for the enc_role fact to be updated and match
- move puppetdb db/api host values to common.yaml
- add vault cert altnames for consul query/service addresses
- add consul services/rules/checks

hieradata/common.yaml

@@ -188,6 +188,9 @@ profiles::puppet::client::runtimeout: 3600
 profiles::puppet::client::show_diff: true
 profiles::puppet::client::usecacheonfailure: false
 
+profiles::puppet::puppetdb::puppetdb_host: prodinf01n04.main.unkin.net
+profiles::puppet::puppetdb::postgres_host: prodinf01n05.main.unkin.net
+
 prometheus::node_exporter::export_scrape_job: true
 prometheus::systemd_exporter::export_scrape_job: true
 

hieradata/roles/infra.yaml

@@ -2,7 +2,5 @@
 profiles::packages::install:
   - policycoreutils
 
-profiles::puppet::puppetdb::puppetdb_host: prodinf01n04.main.unkin.net
-profiles::puppet::puppetdb::postgres_host: prodinf01n05.main.unkin.net
 puppetdb::master::config::create_puppet_service_resource: false
 #puppetdb::master::config::puppetdb_host: "%{lookup('profiles::puppet::puppetdb::puppetdb_host')}"

hieradata/roles/infra/puppetdb/api.yaml

@@ -3,3 +3,32 @@ profiles::puppet::puppetdb_api::java_bin: /usr/lib/jvm/jre-11/bin/java
 profiles::puppet::puppetdb_api::java_args:
   '-Xmx': '512m'
   '-Xms': '256m'
+
+# additional altnames
+profiles::pki::vault::alt_names:
+  - puppetdbapi.main.unkin.net
+  - puppetdbapi.service.consul
+  - puppetdbapi.query.consul
+  - puppetdbapi
+
+consul::services:
+  puppetdbapi:
+    service_name: 'puppetdbapi'
+    tags:
+      - 'puppet'
+      - 'puppetdb'
+      - 'puppetdbapi'
+    address: "%{facts.networking.ip}"
+    port: 8080
+    checks:
+      - id: 'puppetdbapi_http_check'
+        name: 'PuppetDB API HTTP Check'
+        http: "http://%{facts.networking.fqdn}:8080"
+        method: 'GET'
+        tls_skip_verify: true
+        interval: '10s'
+        timeout: '1s'
+profiles::consul::client::node_rules:
+  - resource: service
+    segment: puppetdbapi
+    disposition: write

site/profiles/manifests/puppet/puppetdb_api.pp

@@ -6,37 +6,40 @@ class profiles::puppet::puppetdb_api (
   Hash   $java_args = {},
 ) {
 
-  class { 'java':
-    package => 'java-11-openjdk-devel',
-    before  => Class['puppetdb::server'],
-  }
+  # wait for enc_role to match the required role
+  if $facts['enc_role'] == 'roles::infra::puppetdb::api' {
+    class { 'java':
+      package => 'java-11-openjdk-devel',
+      before  => Class['puppetdb::server'],
+    }
 
-  class { 'puppetdb::server':
-    database_host      => $postgres_host,
-    manage_firewall    => false,
-    ssl_listen_address => $listen_address,
-    listen_address     => $listen_address,
-    java_bin           => $java_bin,
-    java_args          => $java_args,
-  }
+    class { 'puppetdb::server':
+      database_host      => $postgres_host,
+      manage_firewall    => false,
+      ssl_listen_address => $listen_address,
+      listen_address     => $listen_address,
+      java_bin           => $java_bin,
+      java_args          => $java_args,
+    }
 
-  contain ::puppetdb::server
+    contain ::puppetdb::server
 
-  class { 'prometheus::puppetdb_exporter':
-    puppetdb_url      => "http://${listen_address}:8080/pdb/query",
-    export_scrape_job => true,
-  }
+    class { 'prometheus::puppetdb_exporter':
+      puppetdb_url      => "http://${listen_address}:8080/pdb/query",
+      export_scrape_job => true,
+    }
 
-  # export haproxy balancemember
-  profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_8080":
-    service => 'be_puppetdbapi',
-    ports   => [8080],
-    options => [
-      "cookie ${facts['networking']['hostname']}",
-      'check',
-      'inter 2s',
-      'rise 3',
-      'fall 2',
-    ]
+    # export haproxy balancemember
+    profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_8080":
+      service => 'be_puppetdbapi',
+      ports   => [8080],
+      options => [
+        "cookie ${facts['networking']['hostname']}",
+        'check',
+        'inter 2s',
+        'rise 3',
+        'fall 2',
+      ]
+    }
   }
 }