From e9c7fbc2b5cb9160cad67c1b239dbdcae5b90314 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 5 May 2024 18:58:52 +1000 Subject: [PATCH] feat: update puppetdb_api for multi-zone - wait for the enc_role fact to be updated and match - move puppetdb db/api host values to common.yaml - add vault cert altnames for consul query/service addresses - add consul services/rules/checks --- hieradata/common.yaml | 3 + hieradata/roles/infra.yaml | 2 - hieradata/roles/infra/puppetdb/api.yaml | 29 +++++++++ .../profiles/manifests/puppet/puppetdb_api.pp | 59 ++++++++++--------- 4 files changed, 63 insertions(+), 30 deletions(-) diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 555a2b3..6baf98e 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -188,6 +188,9 @@ profiles::puppet::client::runtimeout: 3600 profiles::puppet::client::show_diff: true profiles::puppet::client::usecacheonfailure: false +profiles::puppet::puppetdb::puppetdb_host: prodinf01n04.main.unkin.net +profiles::puppet::puppetdb::postgres_host: prodinf01n05.main.unkin.net + prometheus::node_exporter::export_scrape_job: true prometheus::systemd_exporter::export_scrape_job: true diff --git a/hieradata/roles/infra.yaml b/hieradata/roles/infra.yaml index 3192355..8c2ae06 100644 --- a/hieradata/roles/infra.yaml +++ b/hieradata/roles/infra.yaml @@ -2,7 +2,5 @@ profiles::packages::install: - policycoreutils -profiles::puppet::puppetdb::puppetdb_host: prodinf01n04.main.unkin.net -profiles::puppet::puppetdb::postgres_host: prodinf01n05.main.unkin.net puppetdb::master::config::create_puppet_service_resource: false #puppetdb::master::config::puppetdb_host: "%{lookup('profiles::puppet::puppetdb::puppetdb_host')}" diff --git a/hieradata/roles/infra/puppetdb/api.yaml b/hieradata/roles/infra/puppetdb/api.yaml index 551007e..b6f77cc 100644 --- a/hieradata/roles/infra/puppetdb/api.yaml +++ b/hieradata/roles/infra/puppetdb/api.yaml 
@@ -3,3 +3,32 @@ profiles::puppet::puppetdb_api::java_bin: /usr/lib/jvm/jre-11/bin/java profiles::puppet::puppetdb_api::java_args: '-Xmx': '512m' '-Xms': '256m' + +# additional altnames +profiles::pki::vault::alt_names: + - puppetdbapi.main.unkin.net + - puppetdbapi.service.consul + - puppetdbapi.query.consul + - puppetdbapi + +consul::services: + puppetdbapi: + service_name: 'puppetdbapi' + tags: + - 'puppet' + - 'puppetdb' + - 'puppetdbapi' + address: "%{facts.networking.ip}" + port: 8080 + checks: + - id: 'puppetdbapi_http_check' + name: 'PuppetDB API HTTP Check' + http: "http://%{facts.networking.fqdn}:8080" + method: 'GET' + tls_skip_verify: true + interval: '10s' + timeout: '1s' +profiles::consul::client::node_rules: + - resource: service + segment: puppetdbapi + disposition: write diff --git a/site/profiles/manifests/puppet/puppetdb_api.pp b/site/profiles/manifests/puppet/puppetdb_api.pp index 214f163..e02db38 100644 --- a/site/profiles/manifests/puppet/puppetdb_api.pp +++ b/site/profiles/manifests/puppet/puppetdb_api.pp 
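Review bot: The new `consul::services` entry advertises PuppetDB's plain-HTTP listener on port 8080 at the node's `networking.ip` under `puppetdbapi.service.consul`; that listener carries no authentication, so every client that can reach the port gets the full query API (facts, catalogs, reports), and the profile in this same patch sets `manage_firewall => false`, so nothing visible here restricts it — confirm a host firewall or Consul intention covers it, or advertise the TLS listener (8081, client-cert authenticated) instead. The check sets `tls_skip_verify: true` on an `http://` URL, where it is inert today but will silently disable certificate validation the day the URL is switched to `https://`; drop the line rather than leave it. A `GET /` is also a weak liveness probe for PuppetDB, which exposes a status endpoint that reports real service state: `http: "http://%{facts.networking.fqdn}:8080/status/v1/services/puppetdb-status"`. The service-rule ACL scoped to `puppetdbapi` with `disposition: write` looks appropriately narrow, assuming the module maps `segment` to that exact service name and not a prefix.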
@@ -6,37 +6,40 @@ class profiles::puppet::puppetdb_api ( Hash $java_args = {}, ) { - class { 'java': - package => 'java-11-openjdk-devel', - before => Class['puppetdb::server'], - } + # wait for enc_role to match the required role + if $facts['enc_role'] == 'roles::infra::puppetdb::api' { + class { 'java': + package => 'java-11-openjdk-devel', + before => Class['puppetdb::server'], + } - class { 'puppetdb::server': - database_host => $postgres_host, - manage_firewall => false, - ssl_listen_address => $listen_address, - listen_address => $listen_address, - java_bin => $java_bin, - java_args => $java_args, - } + class { 'puppetdb::server': + database_host => $postgres_host, + manage_firewall => false, + ssl_listen_address => $listen_address, + listen_address => $listen_address, + java_bin => $java_bin, + java_args => $java_args, + } - contain ::puppetdb::server + contain ::puppetdb::server - class { 'prometheus::puppetdb_exporter': - puppetdb_url => "http://${listen_address}:8080/pdb/query", - export_scrape_job => true, - } + class { 'prometheus::puppetdb_exporter': + puppetdb_url => "http://${listen_address}:8080/pdb/query", + export_scrape_job => true, + } - # export haproxy balancemember - profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_8080": - service => 'be_puppetdbapi', - ports => [8080], - options => [ - "cookie ${facts['networking']['hostname']}", - 'check', - 'inter 2s', - 'rise 3', - 'fall 2', - ] + # export haproxy balancemember + profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_8080": + service => 'be_puppetdbapi', + ports => [8080], + options => [ + "cookie ${facts['networking']['hostname']}", + 'check', + 'inter 2s', + 'rise 3', + 'fall 2', + ] + } } }
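Review bot: When `$facts['enc_role']` is anything other than `'roles::infra::puppetdb::api'` the entire class body is skipped with no output, so a stale, missing or mistyped fact leaves Java, `puppetdb::server`, the exporter and the haproxy balancemember silently unmanaged, and because the balancemember (which the comment says is exported) is no longer in the catalog, hosts collecting it will presumably drop this backend member on their next run. Make the wait visible in reports with an `else` branch, e.g. `else { warning("puppetdb_api: enc_role is '${facts['enc_role']}', waiting for roles::infra::puppetdb::api") }`, and consider lifting the hard-coded role string into a class parameter so it is not duplicated from the role name. Since `enc_role` is a node-supplied fact, this guard is a convergence delay and not an authorization boundary — the class is still applied wherever the ENC/hiera assigns it — which is fine but should be stated: `# Convergence gate only: enc_role is a client fact, not trusted input; role assignment itself comes from the ENC`. The class's parameter list and opening `class` line begin before this hunk.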