feat: manage puppet/puppetca consul services

- add puppet service
- add puppetca service
- add ability to write to puppet/puppetca service in consul
- add puppet.(query,service).consul to dns_alt_names of all masters
- add puppetca.(query,service).consul to dns_alt_names of puppetca

hieradata/common.yaml

@@ -240,11 +240,3 @@ profiles::base::hosts::additional_hosts:
     aliases:
       - prodinf01n22
       - repos.main.unkin.net
-
-profiles::puppet::server::dns_alt_names:
-  - "%{facts.networking.fqdn}"
-  - "%{facts.networking.hostname}"
-  - puppetmaster.main.unkin.net
-  - puppet.main.unkin.net
-  - puppetmaster
-  - puppet

hieradata/nodes/prodinf01n01.main.unkin.net.yaml

@@ -1,6 +1,8 @@
 ---
 profiles::puppet::server::dns_alt_names:
   - puppetca.main.unkin.net
+  - puppetca.service.consul
+  - puppetca.query.consul
   - puppetca
 
 profiles::puppet::puppetca::is_puppetca: true

hieradata/roles/infra/puppet/master.yaml

@@ -36,3 +36,37 @@ profiles::helpers::certmanager::vault_config:
   role_name: 'servers_default'
   output_path: '/tmp/certmanager'
   role_id: "%{lookup('certmanager::role_id')}"
+
+profiles::puppet::server::dns_alt_names:
+  - "%{facts.networking.fqdn}"
+  - "%{facts.networking.hostname}"
+  - puppetmaster.main.unkin.net
+  - puppet.main.unkin.net
+  - puppet.service.consul
+  - puppet.query.consul
+  - puppetmaster
+  - puppet
+
+consul::services:
+  puppet:
+    service_name: 'puppet'
+    tags:
+      - 'puppet'
+      - 'master'
+    address: "%{facts.networking.ip}"
+    port: 8140
+    checks:
+      - id: 'puppet_https_check'
+        name: 'Puppet HTTPS Check'
+        http: "https://%{facts.networking.fqdn}:8140/status/v1/simple"
+        method: 'GET'
+        tls_skip_verify: true
+        interval: '10s'
+        timeout: '1s'
+profiles::consul::client::node_rules:
+  - resource: service
+    segment: puppet
+    disposition: write
+  - resource: service
+    segment: puppetca
+    disposition: write

site/profiles/manifests/puppet/puppetca.pp

@@ -32,4 +32,25 @@ class profiles::puppet::puppetca (
       require => Service['puppetserver'],
     }
   }
+
+  # register the PuppetCA service with consul
+  if $is_puppetca {
+    consul::service { 'puppetca':
+      service_name => 'puppetca',
+      tags         => ['ca', 'puppet', 'ssl'],
+      address      => $facts['networking']['ip'],
+      port         => 8140,
+      checks       => [
+        {
+          id              => 'puppetca_https_check',
+          name            => 'PuppetCA HTTPS Check',
+          http            => "https://${facts['networking']['fqdn']}:8140/status/v1/simple",
+          method          => 'GET',
+          tls_skip_verify => true,
+          interval        => '10s',
+          timeout         => '1s',
+        }
+      ],
+    }
+  }
 }