From e025928d77662e8f6c5d70c45e8c04c6564c4734 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 30 Mar 2025 01:53:25 +1100
Subject: [PATCH 1/8] chore: set secretid for puppetboard (#232)
- manage the secret_key for puppetboard
- required since module upgrade https://github.com/voxpupuli/puppetboard/issues/721
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/232
---
 hieradata/roles/infra/puppetboard/server.eyaml | 1 +
 site/profiles/manifests/puppet/puppetboard.pp | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)
 create mode 100644 hieradata/roles/infra/puppetboard/server.eyaml
diff --git a/hieradata/roles/infra/puppetboard/server.eyaml b/hieradata/roles/infra/puppetboard/server.eyaml
new file mode 100644
index 0000000..29c7cb3
--- /dev/null
+++ b/hieradata/roles/infra/puppetboard/server.eyaml
@@ -0,0 +1 @@
+profiles::puppet::puppetboard::secret_key: ENC[PKCS7,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]
diff --git a/site/profiles/manifests/puppet/puppetboard.pp b/site/profiles/manifests/puppet/puppetboard.pp
index 08b49aa..c141e73 100644
--- a/site/profiles/manifests/puppet/puppetboard.pp
+++ b/site/profiles/manifests/puppet/puppetboard.pp
@@ -21,7 +21,7 @@ class profiles::puppet::puppetboard (
 Stdlib::Port $nginx_port = 80,
 Stdlib::Host $nginx_vhost = 'puppetboard.main.unkin.net',
 Array[Stdlib::Host] $nginx_aliases = [],
- #String[1] $secret_key = "${fqdn_rand_string(32)}",
+ String[1] $secret_key = "${fqdn_rand_string(32)}",
 ) {
 # store puppet-agents ssl settings/certname
@@ -37,7 +37,7 @@ class profiles::puppet::puppetboard (
 basedir => $basedir,
 virtualenv_dir => $virtualenv_dir,
 settings_file => $settings_file,
- #secret_key => $secret_key,
+ secret_key => $secret_key,
 default_environment => $default_environment,
 puppetdb_host => $puppetdb_host,
 puppetdb_port => 8081,
From e3046563a20a3dc666e4ee2873b6ad2f13cf0f85 Mon Sep 17 00:00:00 2001
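Review bot: In the `@@ -21,7 +21,7 @@` hunk of site/profiles/manifests/puppet/puppetboard.pp, the re-enabled default `"${fqdn_rand_string(32)}"` is derived deterministically from the node's FQDN, so it is repeatable but not secret; if the eyaml lookup ever fails to resolve, puppetboard would silently run with a guessable application secret key. Dropping the default, `String[1] $secret_key,`, turns a missing Hiera value into a compile error instead of a weak fallback. The second hunk (`@@ -37,7 +37,7 @@`) passes the value on as a plain string; wrapping it in `Sensitive` would keep it out of reports and logs, provided the puppetboard module's parameter accepts that type, which is not visible here. The class body continues outside both hunks.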
From: Ben Vincent
Date: Sun, 30 Mar 2025 02:04:13 +1100
Subject: [PATCH 2/8] chore: install consul from package (#233)
- upgrade to puppet-consul changed default install method to archive
- ensure package method is used
- dont manage the repo, consul is packaged by rpmbuilder
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/233
---
 hieradata/common.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index ece85d6..d2871a5 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -165,6 +165,9 @@ profiles::ntp::client::peers:
 profiles::base::puppet_servers:
 - 'prodinf01n01.main.unkin.net'
+consul::install_method: 'package'
+consul::manage_repo: false
+
 profiles::dns::master::basedir: '/var/named/sources'
 profiles::dns::base::ns_role: 'roles::infra::dns::resolver'
 profiles::dns::base::use_ns: 'region'
From 06b458cb0e8a2f4dd9639bbb8534b477aeec5381 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 30 Mar 2025 12:31:09 +1100
Subject: [PATCH 3/8] feat: reposync for almalinux 9.4 (in vault) (#234)
- sync baseos, ha, appstream and crb repos
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/234
---
 hieradata/roles/infra/reposync/syncer.yaml | 35 ++++++++++++++++++++++
 1 file changed, 35 insertions(+)
diff --git a/hieradata/roles/infra/reposync/syncer.yaml b/hieradata/roles/infra/reposync/syncer.yaml
index 2c1b63d..5d5c1ab 100644
--- a/hieradata/roles/infra/reposync/syncer.yaml
+++ b/hieradata/roles/infra/reposync/syncer.yaml
@@ -38,6 +38,41 @@ profiles::consul::client::node_rules:
 profiles::reposync::webserver::nginx_listen_mode: both
 profiles::reposync::webserver::nginx_cert_type: vault
 profiles::reposync::repos_list:
+ almalinux_9_4_baseos:
+ repository: 'baseos'
+ description: 'AlmaLinux 9.4 BaseOS'
+ osname: 'almalinux'
+ release: '9.4'
+ baseurl: 'https://vault.almalinux.org/9.4/BaseOS/x86_64/os/'
+ gpgkey: 'https://vault.almalinux.org/9.4/BaseOS/x86_64/os/RPM-GPG-KEY-AlmaLinux-9'
+ almalinux_9_4_appstream:
+ repository: 'appstream'
+ description: 'AlmaLinux 9.4 AppStream'
+ osname: 'almalinux'
+ release: '9.4'
+ baseurl: 'https://vault.almalinux.org/9.4/AppStream/x86_64/os/'
+ gpgkey: 'https://vault.almalinux.org/9.4/AppStream/x86_64/os/RPM-GPG-KEY-AlmaLinux-9'
+ almalinux_9_4_crb:
+ repository: 'crb'
+ description: 'AlmaLinux 9.4 CRB'
+ osname: 'almalinux'
+ release: '9.4'
+ baseurl: 'https://vault.almalinux.org/9.4/CRB/x86_64/os/'
+ gpgkey: 'https://vault.almalinux.org/9.4/CRB/x86_64/os/RPM-GPG-KEY-AlmaLinux-9'
+ almalinux_9_4_ha:
+ repository: 'ha'
+ description: 'AlmaLinux 9.4 HighAvailability'
+ osname: 'almalinux'
+ release: '9.4'
+ baseurl: 'https://vault.almalinux.org/9.4/HighAvailability/x86_64/os/'
+ gpgkey: 'https://vault.almalinux.org/9.4/HighAvailability/x86_64/os/RPM-GPG-KEY-AlmaLinux-9'
+ almalinux_9_4_extras:
+ repository: 'extras'
+ description: 'AlmaLinux 9.4 extras'
+ osname: 'almalinux'
+ release: '9.4'
+ baseurl: 'https://vault.almalinux.org/9.4/extras/x86_64/os/'
+ gpgkey: 'https://vault.almalinux.org/9.4/extras/x86_64/os/RPM-GPG-KEY-AlmaLinux-9'
 docker_stable_el8:
 repository: 'stable'
 description: 'Docker CE Stable EL8'
From d39d25d3f16babc9aa27b260589079b879678bc9 Mon Sep 17 00:00:00 2001
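Review bot: Each new `gpgkey` in this hunk is fetched from the same `vault.almalinux.org` tree as the packages it is meant to verify, so the signature check adds no trust anchor independent of that host. Consider shipping `RPM-GPG-KEY-AlmaLinux-9` as a Puppet-managed file whose fingerprint was checked once out of band, and pointing `gpgkey` at that copy; how the reposync profile consumes `gpgkey` is not visible here, so confirm it accepts a `file://` URL. The same pattern appears in the AlmaLinux9.yaml hunk of PATCH 5/8, where key and packages both come from `packagerepo.service.consul`. Separately, the commit message lists baseos, ha, appstream and crb, but the hunk also adds an `almalinux_9_4_extras` entry.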
From: Ben Vincent
Date: Sun, 30 Mar 2025 16:24:55 +1100
Subject: [PATCH 4/8] feat: add almalinux 9.5 repos using mirrorlist (#235)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/235
---
 hieradata/roles/infra/reposync/syncer.yaml | 35 ++++++++++++++++++++++
 1 file changed, 35 insertions(+)
diff --git a/hieradata/roles/infra/reposync/syncer.yaml b/hieradata/roles/infra/reposync/syncer.yaml
index 5d5c1ab..2ccd0ae 100644
--- a/hieradata/roles/infra/reposync/syncer.yaml
+++ b/hieradata/roles/infra/reposync/syncer.yaml
@@ -38,6 +38,41 @@ profiles::consul::client::node_rules:
 profiles::reposync::webserver::nginx_listen_mode: both
 profiles::reposync::webserver::nginx_cert_type: vault
 profiles::reposync::repos_list:
+ almalinux_9_5_baseos:
+ repository: 'baseos'
+ description: 'AlmaLinux 9.5 BaseOS'
+ osname: 'almalinux'
+ release: '9.5'
+ mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/baseos'
+ gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
+ almalinux_9_5_appstream:
+ repository: 'appstream'
+ description: 'AlmaLinux 9.5 AppStream'
+ osname: 'almalinux'
+ release: '9.5'
+ mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/appstream'
+ gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
+ almalinux_9_5_crb:
+ repository: 'crb'
+ description: 'AlmaLinux 9.5 CRB'
+ osname: 'almalinux'
+ release: '9.5'
+ mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/crb'
+ gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
+ almalinux_9_5_ha:
+ repository: 'ha'
+ description: 'AlmaLinux 9.5 HighAvailability'
+ osname: 'almalinux'
+ release: '9.5'
+ mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/highavailability'
+ gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
+ almalinux_9_5_extras:
+ repository: 'extras'
+ description: 'AlmaLinux 9.5 extras'
+ osname: 'almalinux'
+ release: '9.5'
+ mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/extras'
+ gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
 almalinux_9_4_baseos:
 repository: 'baseos'
 description: 'AlmaLinux 9.4 BaseOS'
From 45b061a0536d44c978265918d698a58bd675de07 Mon Sep 17 00:00:00 2001
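Review bot: All five `gpgkey` values in this hunk use plain `http://mirror.aarnet.edu.au/...`, so the key that is supposed to authenticate the synced packages is itself fetched without transport authentication and could be substituted in transit. Because `mirrorlist` hands back third-party mirrors, that key is the only trust anchor for these repositories. Fetch it over HTTPS from the project's own host, e.g. `gpgkey: 'https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-9'`, or from a locally managed copy whose fingerprint has been verified. The 9.4 entries added in PATCH 3/8 already use `https://` for the key.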
From: Ben Vincent
Date: Sun, 30 Mar 2025 17:05:03 +1100
Subject: [PATCH 5/8] feat: change almalinux9 to use packagerepo (#236)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/236
---
 hieradata/os/AlmaLinux/AlmaLinux9.yaml | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/hieradata/os/AlmaLinux/AlmaLinux9.yaml b/hieradata/os/AlmaLinux/AlmaLinux9.yaml
index 7c98e9c..f3f218e 100644
--- a/hieradata/os/AlmaLinux/AlmaLinux9.yaml
+++ b/hieradata/os/AlmaLinux/AlmaLinux9.yaml
@@ -3,12 +3,28 @@ crypto_policies::policy: 'DEFAULT:SHA1'
 profiles::yum::global::repos:
+ baseos:
+ baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/baseos-daily/%{facts.os.architecture}/os/
+ gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/baseos-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
+ mirrorlist: absent
+ extras:
+ baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/extras-daily/%{facts.os.architecture}/os/
+ gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/extras-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
+ mirrorlist: absent
+ appstream:
+ baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/appstream-daily/%{facts.os.architecture}/os/
+ gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/appstream-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
+ mirrorlist: absent
+ highavailability:
+ baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/ha-daily/%{facts.os.architecture}/os/
+ gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/ha-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
+ mirrorlist: absent
 crb:
 name: crb
 descr: crb repository
 target: /etc/yum.repos.d/crb.repo
- baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/CRB/%{facts.os.architecture}/os
- gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
+ baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/crb-daily/%{facts.os.architecture}/os/
+ gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/crb-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
 mirrorlist: absent
 unkin:
 name: unkin
From 427fe352b48d73a32ec18070af1895e63a773050 Mon Sep 17 00:00:00 2001
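Review bot: The new `gpgkey` URLs contain a doubled slash (`.../os//RPM-GPG-KEY-AlmaLinux-9`) because the key name is appended to a path that already ends in `/`; many servers normalise this, but a strict proxy or cache may not, and a failed key fetch on first install is easy to misdiagnose. Use a single slash, e.g. `.../baseos-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-9`, in all five entries. The hunk also shows no `gpgcheck` for the four new entries (`baseos`, `extras`, `appstream`, `highavailability`), which unlike `crb` carry no `name`/`descr`/`target`; if the profile does not default `gpgcheck` to enabled, set it explicitly so the key is actually enforced. The `crb` and `unkin` entries continue outside the hunk.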
From: Ben Vincent
Date: Sun, 30 Mar 2025 17:13:54 +1100
Subject: [PATCH 6/8] feat: debian package for consul not managed (#237)
- change debian hosts to use the url method to download consul
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/237
---
 hieradata/os/Debian/all_releases.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/hieradata/os/Debian/all_releases.yaml b/hieradata/os/Debian/all_releases.yaml
index bd8f426..0caa1b1 100644
--- a/hieradata/os/Debian/all_releases.yaml
+++ b/hieradata/os/Debian/all_releases.yaml
@@ -13,3 +13,6 @@ profiles::packages::include:
 lm-sensors::package: lm-sensors
 networking::nwmgr_dns_none: false
+
+consul::install_method: 'url'
+consul::manage_repo: false
From 6cb249ffbceca7f1820124806f078d4b78562faa Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 30 Mar 2025 17:51:33 +1100
Subject: [PATCH 7/8] fix: backtrack to 9.2.0 for postgresql (#238)
- no parameter named 'instance'
- no parameter named 'port'
downgrading due to incompatibilities between the latest version of puppetdb and postgresql
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/238
---
 Puppetfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Puppetfile b/Puppetfile
index d38a073..b559a1b 100644
--- a/Puppetfile
+++ b/Puppetfile
@@ -9,8 +9,8 @@ mod 'puppetlabs-vcsrepo', '7.0.0'
 mod 'puppetlabs-yumrepo_core', '2.1.0'
 mod 'puppetlabs-apt', '10.0.1'
 mod 'puppetlabs-lvm', '3.0.1'
-mod 'puppetlabs-puppetdb', '8.1.0'
-mod 'puppetlabs-postgresql', '10.5.0'
+mod 'puppetlabs-puppetdb', '7.14.0'
+mod 'puppetlabs-postgresql', '9.2.0'
 mod 'puppetlabs-firewall', '8.1.4'
 mod 'puppetlabs-accounts', '8.2.2'
 mod 'puppetlabs-mysql', '16.2.0'
From 829b1b05fd67a9894817fb82975054aa7e9c2c3f Mon Sep 17 00:00:00 2001
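Review bot: In the all_releases.yaml hunk of PATCH 6/8, `consul::install_method: 'url'` makes Debian hosts fetch the consul archive directly rather than through apt, so the package manager's signature verification no longer covers this binary. Nothing in the hunk pins what is downloaded or from where; unless that is set elsewhere in Hiera, pin `consul::version` and serve the archive from an internal mirror, and check whether the installed puppet-consul release can verify a checksum for it. A short comment above the two keys, such as `# no consul .deb is built internally; binary comes from the release archive`, would record why Debian diverges from common.yaml.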
From: Ben Vincent
Date: Sun, 30 Mar 2025 18:40:09 +1100
Subject: [PATCH 8/8] feat: cleanup consul from url install (#239)
- set bind_dir to be /usr/bin for rhel, /usr/local/bin for debian
- remove url-installed consul from rhel
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/239
---
 hieradata/common.yaml | 1 +
 hieradata/os/Debian/all_releases.yaml | 1 +
 site/profiles/manifests/consul/client.pp | 6 ++++++
 3 files changed, 8 insertions(+)
diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index d2871a5..ecd78e5 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -167,6 +167,7 @@ profiles::base::puppet_servers:
 consul::install_method: 'package'
 consul::manage_repo: false
+consul::bin_dir: /usr/bin
 profiles::dns::master::basedir: '/var/named/sources'
 profiles::dns::base::ns_role: 'roles::infra::dns::resolver'
diff --git a/hieradata/os/Debian/all_releases.yaml b/hieradata/os/Debian/all_releases.yaml
index 0caa1b1..efd71f9 100644
--- a/hieradata/os/Debian/all_releases.yaml
+++ b/hieradata/os/Debian/all_releases.yaml
@@ -16,3 +16,4 @@ networking::nwmgr_dns_none: false
 consul::install_method: 'url'
 consul::manage_repo: false
+consul::bin_dir: /usr/local/bin
diff --git a/site/profiles/manifests/consul/client.pp b/site/profiles/manifests/consul/client.pp
index d1d82d8..fa229c8 100644
--- a/site/profiles/manifests/consul/client.pp
+++ b/site/profiles/manifests/consul/client.pp
@@ -85,4 +85,10 @@ class profiles::consul::client (
 require => File['/root/.config'],
 }
+ # cleanup /usr/local/bin/consul which was created by url install method
+ if $facts['os']['family'] == 'RedHat' {
+ file {'/usr/local/bin/consul':
+ ensure => absent,
+ }
+ }
 }
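Review bot: The new `file {'/usr/local/bin/consul': ensure => absent }` resource in the client.pp hunk has no ordering relative to the consul package or service, so on a RedHat node still running the url-installed binary it may be removed before the packaged `/usr/bin/consul` is in place. If the consul class is declared in the same catalog, adding `require => Class['consul'],` to the resource would make the cleanup run only after the package install has converged. Removing the stale copy is worthwhile in itself, since an unmanaged binary in `/usr/local/bin` would otherwise stay unpatched and may shadow the packaged one on PATH. The class body starts outside the hunk.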