From fe296d52d9b8596c77ca60109d166791e9853aa7 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Fri, 3 May 2024 22:16:20 +1000
Subject: [PATCH] feat: manage puppet/puppetca consul services

- add puppet service
- add puppetca service
- add ability to write to puppet/puppetca service in consul
- add puppet.(query,service).consul to dns_alt_names of all masters
- add puppetca.(query,service).consul to dns_alt_names of puppetca
---
 hieradata/common.yaml                        |  8 -----
 .../nodes/prodinf01n01.main.unkin.net.yaml   |  2 ++
 hieradata/roles/infra/puppet/master.yaml     | 34 +++++++++++++++++++
 site/profiles/manifests/puppet/puppetca.pp   | 21 ++++++++++++
 4 files changed, 57 insertions(+), 8 deletions(-)

diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 71eefa0..42b8e47 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -240,11 +240,3 @@ profiles::base::hosts::additional_hosts:
     aliases:
       - prodinf01n22
       - repos.main.unkin.net
-
-profiles::puppet::server::dns_alt_names:
-  - "%{facts.networking.fqdn}"
-  - "%{facts.networking.hostname}"
-  - puppetmaster.main.unkin.net
-  - puppet.main.unkin.net
-  - puppetmaster
-  - puppet
diff --git a/hieradata/nodes/prodinf01n01.main.unkin.net.yaml b/hieradata/nodes/prodinf01n01.main.unkin.net.yaml
index d998612..a909eb0 100644
--- a/hieradata/nodes/prodinf01n01.main.unkin.net.yaml
+++ b/hieradata/nodes/prodinf01n01.main.unkin.net.yaml
@@ -1,6 +1,8 @@
 ---
 profiles::puppet::server::dns_alt_names:
   - puppetca.main.unkin.net
+  - puppetca.service.consul
+  - puppetca.query.consul
   - puppetca
 
 profiles::puppet::puppetca::is_puppetca: true
diff --git a/hieradata/roles/infra/puppet/master.yaml b/hieradata/roles/infra/puppet/master.yaml
index 9d5468b..4f3b6d8 100644
--- a/hieradata/roles/infra/puppet/master.yaml
+++ b/hieradata/roles/infra/puppet/master.yaml
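Review bot: The node-level `profiles::puppet::server::dns_alt_names` list here replaces, rather than extends, the role-level list this commit adds under the same key in hieradata/roles/infra/puppet/master.yaml, unless the key is given a merge strategy through lookup_options; if prodinf01n01 also carries the master role it would then lack `%{facts.networking.fqdn}` and the `puppet.service.consul` / `puppet.query.consul` names the commit message says every master gets. Worth confirming against hiera.yaml, or listing the shared names in this file explicitly. A dns_alt_names change is only applied when a certificate is generated, so the existing puppetserver certificate on this host presumably has to be reissued before the new consul names are present in it.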
@@ -36,3 +36,37 @@ profiles::helpers::certmanager::vault_config:
   role_name: 'servers_default'
   output_path: '/tmp/certmanager'
   role_id: "%{lookup('certmanager::role_id')}"
+
+profiles::puppet::server::dns_alt_names:
+  - "%{facts.networking.fqdn}"
+  - "%{facts.networking.hostname}"
+  - puppetmaster.main.unkin.net
+  - puppet.main.unkin.net
+  - puppet.service.consul
+  - puppet.query.consul
+  - puppetmaster
+  - puppet
+
+consul::services:
+  puppet:
+    service_name: 'puppet'
+    tags:
+      - 'puppet'
+      - 'master'
+    address: "%{facts.networking.ip}"
+    port: 8140
+    checks:
+      - id: 'puppet_https_check'
+        name: 'Puppet HTTPS Check'
+        http: "https://%{facts.networking.fqdn}:8140/status/v1/simple"
+        method: 'GET'
+        tls_skip_verify: true
+        interval: '10s'
+        timeout: '1s'
+profiles::consul::client::node_rules:
+  - resource: service
+    segment: puppet
+    disposition: write
+  - resource: service
+    segment: puppetca
+    disposition: write
diff --git a/site/profiles/manifests/puppet/puppetca.pp b/site/profiles/manifests/puppet/puppetca.pp
index 1e75240..e94ecad 100644
--- a/site/profiles/manifests/puppet/puppetca.pp
+++ b/site/profiles/manifests/puppet/puppetca.pp
@@ -32,4 +32,25 @@ class profiles::puppet::puppetca (
       require => Service['puppetserver'],
     }
   }
+
+  # register the PuppetCA service with consul
+  if $is_puppetca {
+    consul::service { 'puppetca':
+      service_name => 'puppetca',
+      tags         => ['ca', 'puppet', 'ssl'],
+      address      => $facts['networking']['ip'],
+      port         => 8140,
+      checks       => [
+        {
+          id              => 'puppetca_https_check',
+          name            => 'PuppetCA HTTPS Check',
+          http            => "https://${facts['networking']['fqdn']}:8140/status/v1/simple",
+          method          => 'GET',
+          tls_skip_verify => true,
+          interval        => '10s',
+          timeout         => '1s',
+        }
+      ],
+    }
+  }
 }
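Review bot: `profiles::consul::client::node_rules` grants every node with this role write access to the `puppetca` consul service, while only the host with `profiles::puppet::puppetca::is_puppetca: true` (prodinf01n01, per the node file in this commit) registers it; the puppetca rule belongs on that node so the other masters keep only the `puppet` service write they need. If the key is a plain hiera lookup, a node-level value would replace this list rather than add to it, so that move needs a merge strategy or the node file has to carry both rules. The check under `consul::services` sets `tls_skip_verify: true` without saying why; a comment such as `# the consul agent does not trust the Puppet CA, so this check only proves the port answers and does not verify server identity` records the trade-off. A blank line before `profiles::consul::client::node_rules:` would match the spacing of the other stanzas in the hunk.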
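Review bot: The `puppetca` check is the same probe as the `puppet` check defined in hieradata/roles/infra/puppet/master.yaml (`/status/v1/simple` on port 8140 with `tls_skip_verify`), so it reports the CA healthy whenever puppetserver answers and says nothing about the CA itself; a comment on the `checks` entry such as `# liveness of puppetserver only; this endpoint does not exercise the CA` keeps operators from reading the `ca` tag as a CA health signal. Defining the puppet service in hiera `consul::services` and the puppetca service in Puppet code also splits one concern across two mechanisms; keeping both in hiera, or both in the profile classes, would make them easier to compare and keep in sync. The class `profiles::puppet::puppetca` starts outside the hunk.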