feat: manage puppet/puppetca consul services

- add puppet service - add puppetca service - add ability to write to puppet/puppetca service in consul - add puppet.(query,service).consul to dns_alt_names of all masters - add puppetca.(query,service).consul to dns_alt_names of puppetca
2024-05-03 22:16:20 +10:00 · 2024-05-03 22:16:20 +10:00 · fe296d52d9
commit fe296d52d9
parent df8a55c3dd
4 changed files with 57 additions and 8 deletions
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@ -240,11 +240,3 @@ profiles::base::hosts::additional_hosts:
    aliases:
      - prodinf01n22
      - repos.main.unkin.net
-
-profiles::puppet::server::dns_alt_names:
-  - "%{facts.networking.fqdn}"
-  - "%{facts.networking.hostname}"
-  - puppetmaster.main.unkin.net
-  - puppet.main.unkin.net
-  - puppetmaster
-  - puppet
--- a/hieradata/nodes/prodinf01n01.main.unkin.net.yaml
+++ b/hieradata/nodes/prodinf01n01.main.unkin.net.yaml
@ -1,6 +1,8 @@
 ---
 profiles::puppet::server::dns_alt_names:
  - puppetca.main.unkin.net
+  - puppetca.service.consul
+  - puppetca.query.consul
  - puppetca

 profiles::puppet::puppetca::is_puppetca: true
--- a/hieradata/roles/infra/puppet/master.yaml
+++ b/hieradata/roles/infra/puppet/master.yaml
@ -36,3 +36,37 @@ profiles::helpers::certmanager::vault_config:
  role_name: 'servers_default'
  output_path: '/tmp/certmanager'
  role_id: "%{lookup('certmanager::role_id')}"
+
+profiles::puppet::server::dns_alt_names:
+  - "%{facts.networking.fqdn}"
+  - "%{facts.networking.hostname}"
+  - puppetmaster.main.unkin.net
+  - puppet.main.unkin.net
+  - puppet.service.consul
+  - puppet.query.consul
+  - puppetmaster
+  - puppet
+
+consul::services:
+  puppet:
+    service_name: 'puppet'
+    tags:
+      - 'puppet'
+      - 'master'
+    address: "%{facts.networking.ip}"
+    port: 8140
+    checks:
+      - id: 'puppet_https_check'
+        name: 'Puppet HTTPS Check'
+        http: "https://%{facts.networking.fqdn}:8140/status/v1/simple"
+        method: 'GET'
+        tls_skip_verify: true
+        interval: '10s'
+        timeout: '1s'
+profiles::consul::client::node_rules:
+  - resource: service
+    segment: puppet
+    disposition: write
+  - resource: service
+    segment: puppetca
+    disposition: write
--- a/site/profiles/manifests/puppet/puppetca.pp
+++ b/site/profiles/manifests/puppet/puppetca.pp
@ -32,4 +32,25 @@ class profiles::puppet::puppetca (
      require => Service['puppetserver'],
    }
  }
+
+  # register the PuppetCA service with consul
+  if $is_puppetca {
+    consul::service { 'puppetca':
+      service_name => 'puppetca',
+      tags         => ['ca', 'puppet', 'ssl'],
+      address      => $facts['networking']['ip'],
+      port         => 8140,
+      checks       => [
+        {
+          id              => 'puppetca_https_check',
+          name            => 'PuppetCA HTTPS Check',
+          http            => "https://${facts['networking']['fqdn']}:8140/status/v1/simple",
+          method          => 'GET',
+          tls_skip_verify => true,
+          interval        => '10s',
+          timeout         => '1s',
+        }
+      ],
+    }
+  }
 }