| Author | SHA1 | Date | |
|---|---|---|---|
| b34ca82273 |
@@ -0,0 +1,24 @@
|
|||||||
|
name: Build
|
||||||
|
|
||||||
|
on:
|
||||||
|
pull_request:
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
precommit:
|
||||||
|
runs-on: almalinux-8
|
||||||
|
container:
|
||||||
|
image: git.unkin.net/unkin/almalinux9-actionsdind:latest
|
||||||
|
options: --privileged
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- name: Checkout code
|
||||||
|
uses: actions/checkout@v3
|
||||||
|
|
||||||
|
- name: Install requirements
|
||||||
|
run: |
|
||||||
|
dnf groupinstall -y "Development Tools" -y
|
||||||
|
dnf install rubygems ruby-devel gcc make redhat-rpm-config glibc-headers glibc-devel -y
|
||||||
|
|
||||||
|
- name: Pre-Commit All Files
|
||||||
|
run: |
|
||||||
|
uvx pre-commit run --all-files
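Review bot: The `precommit` job runs with `options: --privileged` on every `pull_request`, so code chosen by the PR author (pre-commit executes whatever the repo's hook config and the fetched hook repos ship) runs in a container with the runner host's devices and kernel capabilities exposed, and a lint job has no visible need for that; drop the `options: --privileged` line unless a hook genuinely requires Docker-in-Docker, and if one does, run that job on an isolated runner. The pinning also went backwards relative to the deleted pipelines, which used date-tagged images: `image: git.unkin.net/unkin/almalinux9-actionsdind:latest`, `uses: actions/checkout@v3` and bare `uvx pre-commit` are all mutable references resolved at run time, so pin the image by digest (`image: git.unkin.net/unkin/almalinux9-actionsdind@sha256:<digest>`), pin the action to a commit (`uses: actions/checkout@<sha> # v4`), and pin the tool (`uvx pre-commit@<version> run --all-files`). This invocation also drops the `--config ci/*.yaml` files removed in this commit, so the hook set now depends on a root `.pre-commit-config.yaml` that is not in the diff — presumably it carries the puppet-lint arguments, reek, rubocop and yamllint hooks, but that should be verified before merging. The duplicated `-y` in `dnf groupinstall -y "Development Tools" -y` is harmless but should go.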
|
||||||
@@ -1,18 +0,0 @@
|
|||||||
when:
|
|
||||||
- event: pull_request
|
|
||||||
|
|
||||||
steps:
|
|
||||||
- name: bolt-validate
|
|
||||||
image: git.unkin.net/unkin/almalinux9-puppet-pr-validator:20260317
|
|
||||||
commands:
|
|
||||||
- uvx pre-commit run --all-files --config ci/bolt-validate.yaml
|
|
||||||
backend_options:
|
|
||||||
kubernetes:
|
|
||||||
serviceAccountName: default
|
|
||||||
resources:
|
|
||||||
requests:
|
|
||||||
memory: 512Mi
|
|
||||||
cpu: 1
|
|
||||||
limits:
|
|
||||||
memory: 2Gi
|
|
||||||
cpu: 1
|
|
||||||
@@ -1,18 +0,0 @@
|
|||||||
when:
|
|
||||||
- event: pull_request
|
|
||||||
|
|
||||||
steps:
|
|
||||||
- name: epp-validate
|
|
||||||
image: git.unkin.net/unkin/almalinux9-puppet-pr-validator:20260317
|
|
||||||
commands:
|
|
||||||
- uvx pre-commit run --all-files --config ci/epp-validate.yaml
|
|
||||||
backend_options:
|
|
||||||
kubernetes:
|
|
||||||
serviceAccountName: default
|
|
||||||
resources:
|
|
||||||
requests:
|
|
||||||
memory: 512Mi
|
|
||||||
cpu: 1
|
|
||||||
limits:
|
|
||||||
memory: 2Gi
|
|
||||||
cpu: 1
|
|
||||||
@@ -1,18 +0,0 @@
|
|||||||
when:
|
|
||||||
- event: pull_request
|
|
||||||
|
|
||||||
steps:
|
|
||||||
- name: erb-validate
|
|
||||||
image: git.unkin.net/unkin/almalinux9-puppet-pr-validator:20260317
|
|
||||||
commands:
|
|
||||||
- uvx pre-commit run --all-files --config ci/erb-validate.yaml
|
|
||||||
backend_options:
|
|
||||||
kubernetes:
|
|
||||||
serviceAccountName: default
|
|
||||||
resources:
|
|
||||||
requests:
|
|
||||||
memory: 512Mi
|
|
||||||
cpu: 1
|
|
||||||
limits:
|
|
||||||
memory: 2Gi
|
|
||||||
cpu: 1
|
|
||||||
@@ -1,18 +0,0 @@
|
|||||||
when:
|
|
||||||
- event: pull_request
|
|
||||||
|
|
||||||
steps:
|
|
||||||
- name: puppet-lint
|
|
||||||
image: git.unkin.net/unkin/almalinux9-puppet-pr-validator:20260317
|
|
||||||
commands:
|
|
||||||
- uvx pre-commit run --all-files --config ci/puppet-lint.yaml
|
|
||||||
backend_options:
|
|
||||||
kubernetes:
|
|
||||||
serviceAccountName: default
|
|
||||||
resources:
|
|
||||||
requests:
|
|
||||||
memory: 512Mi
|
|
||||||
cpu: 1
|
|
||||||
limits:
|
|
||||||
memory: 2Gi
|
|
||||||
cpu: 1
|
|
||||||
@@ -1,18 +0,0 @@
|
|||||||
when:
|
|
||||||
- event: pull_request
|
|
||||||
|
|
||||||
steps:
|
|
||||||
- name: puppet-validate
|
|
||||||
image: git.unkin.net/unkin/almalinux9-puppet-pr-validator:20260317
|
|
||||||
commands:
|
|
||||||
- uvx pre-commit run --all-files --config ci/puppet-validate.yaml
|
|
||||||
backend_options:
|
|
||||||
kubernetes:
|
|
||||||
serviceAccountName: default
|
|
||||||
resources:
|
|
||||||
requests:
|
|
||||||
memory: 512Mi
|
|
||||||
cpu: 2
|
|
||||||
limits:
|
|
||||||
memory: 2Gi
|
|
||||||
cpu: 2
|
|
||||||
@@ -1,18 +0,0 @@
|
|||||||
when:
|
|
||||||
- event: pull_request
|
|
||||||
|
|
||||||
steps:
|
|
||||||
- name: ruby-check
|
|
||||||
image: git.unkin.net/unkin/almalinux9-puppet-pr-validator:20260317
|
|
||||||
commands:
|
|
||||||
- uvx pre-commit run --all-files --config ci/ruby-check.yaml
|
|
||||||
backend_options:
|
|
||||||
kubernetes:
|
|
||||||
serviceAccountName: default
|
|
||||||
resources:
|
|
||||||
requests:
|
|
||||||
memory: 512Mi
|
|
||||||
cpu: 1
|
|
||||||
limits:
|
|
||||||
memory: 2Gi
|
|
||||||
cpu: 1
|
|
||||||
@@ -1,18 +0,0 @@
|
|||||||
when:
|
|
||||||
- event: pull_request
|
|
||||||
|
|
||||||
steps:
|
|
||||||
- name: ruby-validate
|
|
||||||
image: git.unkin.net/unkin/almalinux9-puppet-pr-validator:20260317
|
|
||||||
commands:
|
|
||||||
- uvx pre-commit run --all-files --config ci/ruby-validate.yaml
|
|
||||||
backend_options:
|
|
||||||
kubernetes:
|
|
||||||
serviceAccountName: default
|
|
||||||
resources:
|
|
||||||
requests:
|
|
||||||
memory: 512Mi
|
|
||||||
cpu: 1
|
|
||||||
limits:
|
|
||||||
memory: 2Gi
|
|
||||||
cpu: 1
|
|
||||||
@@ -1,18 +0,0 @@
|
|||||||
when:
|
|
||||||
- event: pull_request
|
|
||||||
|
|
||||||
steps:
|
|
||||||
- name: yamllint
|
|
||||||
image: git.unkin.net/unkin/almalinux9-base:20260606
|
|
||||||
commands:
|
|
||||||
- uvx pre-commit run --all-files --config ci/yamllint.yaml
|
|
||||||
backend_options:
|
|
||||||
kubernetes:
|
|
||||||
serviceAccountName: default
|
|
||||||
resources:
|
|
||||||
requests:
|
|
||||||
memory: 512Mi
|
|
||||||
cpu: 1
|
|
||||||
limits:
|
|
||||||
memory: 2Gi
|
|
||||||
cpu: 1
|
|
||||||
+2
-1
@@ -53,6 +53,7 @@ mod 'saz-ssh', '13.1.0'
|
|||||||
mod 'saz-limits', '5.0.0'
|
mod 'saz-limits', '5.0.0'
|
||||||
mod 'ghoneycutt-timezone', '4.0.0'
|
mod 'ghoneycutt-timezone', '4.0.0'
|
||||||
mod 'ghoneycutt-puppet', '3.3.0'
|
mod 'ghoneycutt-puppet', '3.3.0'
|
||||||
|
mod 'dalen-puppetdbquery', '3.0.1'
|
||||||
mod 'markt-galera', '3.1.0'
|
mod 'markt-galera', '3.1.0'
|
||||||
mod 'kogitoapp-minio', '1.1.4'
|
mod 'kogitoapp-minio', '1.1.4'
|
||||||
mod 'broadinstitute-certs', '3.0.1'
|
mod 'broadinstitute-certs', '3.0.1'
|
||||||
@@ -65,5 +66,5 @@ mod 'thias-sysctl', '1.0.8'
|
|||||||
mod 'cirrax-dovecot', '1.3.3'
|
mod 'cirrax-dovecot', '1.3.3'
|
||||||
|
|
||||||
mod 'bind',
|
mod 'bind',
|
||||||
:git => 'https://git.unkin.net/unkinben/puppet-bind.git',
|
:git => 'https://git.service.au-syd1.consul/unkinben/puppet-bind.git',
|
||||||
:tag => '1.0'
|
:tag => '1.0'
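Review bot: `mod 'bind'` now comes from `https://git.service.au-syd1.consul/unkinben/puppet-bind.git` but is still pinned only by `:tag => '1.0'`; a tag is a mutable reference, so anyone who can push to that repository (or answer for the `.consul` name, if the r10k host does not validate the certificate chain) can change what the puppet masters deploy without any change to this Puppetfile. Pin the module to an immutable revision, e.g. `:commit => '<full 40-char sha>'`, and keep the tag in a trailing comment for readability. Separately, confirm that the r10k/puppetserver hosts trust the CA issuing certificates for `*.service.au-syd1.consul`; an untrusted certificate either fails the deploy or, if worked around with `http.sslVerify false`, silently removes the transport check. The added `mod 'dalen-puppetdbquery', '3.0.1'` is a pinned Forge release and is fine.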
|
||||||
|
|||||||
@@ -1,5 +0,0 @@
|
|||||||
repos:
|
|
||||||
- repo: 'https://github.com/chriskuehl/puppet-pre-commit-hooks.git'
|
|
||||||
rev: v2.2.0
|
|
||||||
hooks:
|
|
||||||
- id: bolt-validate
|
|
||||||
@@ -1,5 +0,0 @@
|
|||||||
repos:
|
|
||||||
- repo: 'https://github.com/chriskuehl/puppet-pre-commit-hooks.git'
|
|
||||||
rev: v2.2.0
|
|
||||||
hooks:
|
|
||||||
- id: epp-validate
|
|
||||||
@@ -1,5 +0,0 @@
|
|||||||
repos:
|
|
||||||
- repo: 'https://github.com/chriskuehl/puppet-pre-commit-hooks.git'
|
|
||||||
rev: v2.2.0
|
|
||||||
hooks:
|
|
||||||
- id: erb-validate
|
|
||||||
@@ -1,10 +0,0 @@
|
|||||||
repos:
|
|
||||||
- repo: 'https://github.com/chriskuehl/puppet-pre-commit-hooks.git'
|
|
||||||
rev: v2.2.0
|
|
||||||
hooks:
|
|
||||||
- id: puppet-lint
|
|
||||||
args:
|
|
||||||
- --no-80chars-check
|
|
||||||
- --no-documentation-check
|
|
||||||
- --no-puppet_url_without_modules-check
|
|
||||||
- --fail-on-warnings
|
|
||||||
@@ -1,5 +0,0 @@
|
|||||||
repos:
|
|
||||||
- repo: 'https://github.com/chriskuehl/puppet-pre-commit-hooks.git'
|
|
||||||
rev: v2.2.0
|
|
||||||
hooks:
|
|
||||||
- id: puppet-validate
|
|
||||||
@@ -1,10 +0,0 @@
|
|||||||
repos:
|
|
||||||
- repo: 'https://github.com/chriskuehl/puppet-pre-commit-hooks.git'
|
|
||||||
rev: v2.2.0
|
|
||||||
hooks:
|
|
||||||
- id: ruby-validate
|
|
||||||
- repo: 'https://github.com/jumanjihouse/pre-commit-hooks'
|
|
||||||
rev: 3.0.0
|
|
||||||
hooks:
|
|
||||||
- id: reek
|
|
||||||
- id: rubocop
|
|
||||||
@@ -1,5 +0,0 @@
|
|||||||
repos:
|
|
||||||
- repo: 'https://github.com/chriskuehl/puppet-pre-commit-hooks.git'
|
|
||||||
rev: v2.2.0
|
|
||||||
hooks:
|
|
||||||
- id: ruby-validate
|
|
||||||
@@ -1,10 +0,0 @@
|
|||||||
repos:
|
|
||||||
- repo: 'https://github.com/adrienverge/yamllint'
|
|
||||||
rev: v1.32.0
|
|
||||||
hooks:
|
|
||||||
- id: 'yamllint'
|
|
||||||
args:
|
|
||||||
[
|
|
||||||
"-d {extends: relaxed, rules: {line-length: disable}, ignore: chart}",
|
|
||||||
"-s",
|
|
||||||
]
|
|
||||||
@@ -28,98 +28,6 @@ Always refer back to the official documentation at https://docs.ceph.com/en/late
|
|||||||
sudo ceph fs set mediafs max_mds 2
|
sudo ceph fs set mediafs max_mds 2
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
## managing cephfs with subvolumes
|
|
||||||
|
|
||||||
Create erasure code profiles. The K and M values are equivalent to the number of data disks (K) and parity disks (M) in RAID5, RAID6, etc.
|
|
||||||
|
|
||||||
sudo ceph osd erasure-code-profile set ec_6_2 k=6 m=2
|
|
||||||
sudo ceph osd erasure-code-profile set ec_4_1 k=4 m=1
|
|
||||||
|
|
||||||
Create data pools using the erasure-code-profile, set some required options
|
|
||||||
|
|
||||||
sudo ceph osd pool create cephfs_data_ssd_ec_6_2 erasure ec_6_2
|
|
||||||
sudo ceph osd pool set cephfs_data_ssd_ec_6_2 allow_ec_overwrites true
|
|
||||||
sudo ceph osd pool set cephfs_data_ssd_ec_6_2 bulk true
|
|
||||||
|
|
||||||
sudo ceph osd pool create cephfs_data_ssd_ec_4_1 erasure ec_4_1
|
|
||||||
sudo ceph osd pool set cephfs_data_ssd_ec_4_1 allow_ec_overwrites true
|
|
||||||
sudo ceph osd pool set cephfs_data_ssd_ec_4_1 bulk true
|
|
||||||
|
|
||||||
Add the pool to the fs `cephfs`
|
|
||||||
|
|
||||||
sudo ceph fs add_data_pool cephfs cephfs_data_ssd_ec_6_2
|
|
||||||
sudo ceph fs add_data_pool cephfs cephfs_data_ssd_ec_4_1
|
|
||||||
|
|
||||||
Create a subvolumegroup using the new data pool
|
|
||||||
|
|
||||||
sudo ceph fs subvolumegroup create cephfs csi_ssd_ec_6_2 --pool_layout cephfs_data_ssd_ec_6_2
|
|
||||||
sudo ceph fs subvolumegroup create cephfs csi_ssd_ec_4_1 --pool_layout cephfs_data_ssd_ec_4_1
|
|
||||||
|
|
||||||
All together:
|
|
||||||
|
|
||||||
sudo ceph osd erasure-code-profile set ec_6_2 k=6 m=2
|
|
||||||
sudo ceph osd pool create cephfs_data_ssd_ec_6_2 erasure ec_6_2
|
|
||||||
sudo ceph osd pool set cephfs_data_ssd_ec_6_2 allow_ec_overwrites true
|
|
||||||
sudo ceph osd pool set cephfs_data_ssd_ec_6_2 bulk true
|
|
||||||
sudo ceph fs add_data_pool cephfs cephfs_data_ssd_ec_6_2
|
|
||||||
sudo ceph fs subvolumegroup create cephfs csi_ssd_ec_6_2 --pool_layout cephfs_data_ssd_ec_6_2
|
|
||||||
|
|
||||||
sudo ceph osd erasure-code-profile set ec_4_1 k=4 m=1
|
|
||||||
sudo ceph osd pool create cephfs_data_ssd_ec_4_1 erasure ec_4_1
|
|
||||||
sudo ceph osd pool set cephfs_data_ssd_ec_4_1 allow_ec_overwrites true
|
|
||||||
sudo ceph osd pool set cephfs_data_ssd_ec_4_1 bulk true
|
|
||||||
sudo ceph fs add_data_pool cephfs cephfs_data_ssd_ec_4_1
|
|
||||||
sudo ceph fs subvolumegroup create cephfs csi_ssd_ec_4_1 --pool_layout cephfs_data_ssd_ec_4_1
|
|
||||||
|
|
||||||
Create a key with access to the new subvolume groups. Check if the user already exists first:
|
|
||||||
|
|
||||||
sudo ceph auth get client.kubernetes-cephfs
|
|
||||||
|
|
||||||
If it doesnt:
|
|
||||||
|
|
||||||
sudo ceph auth get-or-create client.kubernetes-cephfs \
|
|
||||||
mgr 'allow rw' \
|
|
||||||
osd 'allow rw tag cephfs metadata=cephfs, allow rw tag cephfs data=cephfs' \
|
|
||||||
mds 'allow r fsname=cephfs path=/volumes, allow rws fsname=cephfs path=/volumes/csi_ssd_ec_6_2, allow rws fsname=cephfs path=/volumes/csi_ssd_ec_4_1' \
|
|
||||||
mon 'allow r fsname=cephfs'
|
|
||||||
|
|
||||||
If it does, use `sudo ceph auth caps client.kubernetes-cephfs ...` instead to update existing capabilities.
|
|
||||||
|
|
||||||
## removing a cephfs subvolumegroup from cephfs
|
|
||||||
|
|
||||||
This will cleanup the subvolumegroup, and subvolumes if they exist, then remove the pool.
|
|
||||||
|
|
||||||
Check for subvolumegroups first, then for subvolumes in it
|
|
||||||
|
|
||||||
sudo ceph fs subvolumegroup ls cephfs
|
|
||||||
sudo ceph fs subvolume ls cephfs --group_name csi_raid6
|
|
||||||
|
|
||||||
|
|
||||||
If subvolumes exist, remove each one-by-one:
|
|
||||||
|
|
||||||
sudo ceph fs subvolume rm cephfs <subvol_name> --group_name csi_raid6
|
|
||||||
|
|
||||||
If you have snapshots, remove snapshots first:
|
|
||||||
|
|
||||||
sudo ceph fs subvolume snapshot ls cephfs <subvol_name> --group_name csi_raid6
|
|
||||||
sudo ceph fs subvolume snapshot rm cephfs <subvol_name> <snap_name> --group_name csi_raid6
|
|
||||||
|
|
||||||
Once the group is empty, remove it:
|
|
||||||
|
|
||||||
sudo ceph fs subvolumegroup rm cephfs csi_raid6
|
|
||||||
|
|
||||||
If it complains it’s not empty, go back as there’s still a subvolume or snapshot.
|
|
||||||
|
|
||||||
If you added it with `ceph fs add_data_pool`. Undo with `rm_data_pool`:
|
|
||||||
|
|
||||||
sudo ceph fs rm_data_pool cephfs cephfs_data_csi_raid6
|
|
||||||
|
|
||||||
After it’s detached from CephFS, you can delete it.
|
|
||||||
|
|
||||||
sudo ceph osd pool rm cephfs_data_csi_raid6 cephfs_data_csi_raid6 --yes-i-really-really-mean-it
|
|
||||||
|
|
||||||
|
|
||||||
## creating authentication tokens
|
## creating authentication tokens
|
||||||
|
|
||||||
- this will create a client keyring named media
|
- this will create a client keyring named media
|
||||||
@@ -150,78 +58,3 @@ this will overwrite the current capabilities of a given client.user
|
|||||||
mon 'allow r' \
|
mon 'allow r' \
|
||||||
mds 'allow rw path=/' \
|
mds 'allow rw path=/' \
|
||||||
osd 'allow rw pool=media_data'
|
osd 'allow rw pool=media_data'
|
||||||
|
|
||||||
## adding a new osd on new node
|
|
||||||
|
|
||||||
create the ceph conf (automate this?)
|
|
||||||
|
|
||||||
cat <<EOF | sudo tee /etc/ceph/ceph.conf
|
|
||||||
[global]
|
|
||||||
auth_client_required = cephx
|
|
||||||
auth_cluster_required = cephx
|
|
||||||
auth_service_required = cephx
|
|
||||||
fsid = de96a98f-3d23-465a-a899-86d3d67edab8
|
|
||||||
mon_allow_pool_delete = true
|
|
||||||
mon_initial_members = prodnxsr0009,prodnxsr0010,prodnxsr0011,prodnxsr0012,prodnxsr0013
|
|
||||||
mon_host = 198.18.23.9,198.18.23.10,198.18.23.11,198.18.23.12,198.18.23.13
|
|
||||||
ms_bind_ipv4 = true
|
|
||||||
ms_bind_ipv6 = false
|
|
||||||
osd_crush_chooseleaf_type = 1
|
|
||||||
osd_pool_default_min_size = 2
|
|
||||||
osd_pool_default_size = 3
|
|
||||||
osd_pool_default_pg_num = 128
|
|
||||||
public_network = 198.18.23.1/32,198.18.23.2/32,198.18.23.3/32,198.18.23.4/32,198.18.23.5/32,198.18.23.6/32,198.18.23.7/32,198.18.23.8/32,198.18.23.9/32,198.18.23.10/32,198.18.23.11/32,198.18.23.12/32,198.18.23.13/32
|
|
||||||
EOF
|
|
||||||
|
|
||||||
ssh to one of the monitor hosts, then transfer the keys required
|
|
||||||
|
|
||||||
sudo cat /etc/ceph/ceph.client.admin.keyring | ssh prodnxsr0003 'sudo tee /etc/ceph/ceph.client.admin.keyring'
|
|
||||||
sudo cat /var/lib/ceph/bootstrap-osd/ceph.keyring | ssh prodnxsr0003 'sudo tee /var/lib/ceph/bootstrap-osd/ceph.keyring'
|
|
||||||
|
|
||||||
assuming we are adding /dev/sda to the cluster, first zap the disk to remove partitions/lvm/metadata
|
|
||||||
|
|
||||||
sudo ceph-volume lvm zap /dev/sda --destroy
|
|
||||||
|
|
||||||
then add it to the cluster
|
|
||||||
|
|
||||||
sudo ceph-volume lvm create --data /dev/sda
|
|
||||||
|
|
||||||
## removing an osd
|
|
||||||
|
|
||||||
check what OSD IDs were on this host (if you know it)
|
|
||||||
|
|
||||||
sudo ceph osd tree
|
|
||||||
|
|
||||||
or check for any DOWN osds
|
|
||||||
|
|
||||||
sudo ceph osd stat
|
|
||||||
sudo ceph health detail
|
|
||||||
|
|
||||||
once you identify the old OSD ID, remove it with these steps, replace X with the actual OSD ID:
|
|
||||||
|
|
||||||
sudo ceph osd out osd.X
|
|
||||||
sudo ceph osd down osd.X
|
|
||||||
sudo ceph osd crush remove osd.X
|
|
||||||
sudo ceph auth del osd.X
|
|
||||||
sudo ceph osd rm osd.X
|
|
||||||
|
|
||||||
|
|
||||||
## maintenance mode for the cluster
|
|
||||||
|
|
||||||
from one node in the cluster disable recovery
|
|
||||||
|
|
||||||
sudo ceph osd set noout
|
|
||||||
sudo ceph osd set nobackfill
|
|
||||||
sudo ceph osd set norecover
|
|
||||||
sudo ceph osd set norebalance
|
|
||||||
sudo ceph osd set nodown
|
|
||||||
sudo ceph osd set pause
|
|
||||||
|
|
||||||
to undo the change, use unset
|
|
||||||
|
|
||||||
sudo ceph osd unset noout
|
|
||||||
sudo ceph osd unset nobackfill
|
|
||||||
sudo ceph osd unset norecover
|
|
||||||
sudo ceph osd unset norebalance
|
|
||||||
sudo ceph osd unset nodown
|
|
||||||
sudo ceph osd unset pause
|
|
||||||
|
|||||||
@@ -30,7 +30,6 @@ hierarchy:
|
|||||||
- "roles/%{::enc_role_tier1}.eyaml"
|
- "roles/%{::enc_role_tier1}.eyaml"
|
||||||
- "roles/%{::enc_role_tier1}.yaml"
|
- "roles/%{::enc_role_tier1}.yaml"
|
||||||
- "virtual/%{facts.virtual}.yaml"
|
- "virtual/%{facts.virtual}.yaml"
|
||||||
- "os/%{facts.os.name}/%{facts.os.name}%{facts.os.release.major}.%{facts.os.release.minor}.yaml"
|
|
||||||
- "os/%{facts.os.name}/%{facts.os.name}%{facts.os.release.major}.yaml"
|
- "os/%{facts.os.name}/%{facts.os.name}%{facts.os.release.major}.yaml"
|
||||||
- "os/%{facts.os.name}/all_releases.yaml"
|
- "os/%{facts.os.name}/all_releases.yaml"
|
||||||
- "common.eyaml"
|
- "common.eyaml"
|
||||||
|
|||||||
@@ -208,20 +208,6 @@ vault::disable_mlock: false
|
|||||||
profiles::dns::base::nameservers:
|
profiles::dns::base::nameservers:
|
||||||
- 198.18.19.16
|
- 198.18.19.16
|
||||||
profiles::dns::master::basedir: '/var/named/sources'
|
profiles::dns::master::basedir: '/var/named/sources'
|
||||||
|
|
||||||
# dns record publishing. During the k8s cutover both methods run; set
|
|
||||||
# manage_export false once k8s is authoritative.
|
|
||||||
# - export: legacy exported-resources -> puppet DNS master
|
|
||||||
# - nsupdate: RFC2136 to the k8s bind-authoritative write endpoint (.9),
|
|
||||||
# inert until the TSIG key is set in eyaml:
|
|
||||||
# profiles::dns::updater::key_secret: ENC[...]
|
|
||||||
# (must match the key the bind-authoritative zones allow-update
|
|
||||||
# with; algorithm hmac-sha256)
|
|
||||||
profiles::dns::updater::manage_export: true
|
|
||||||
profiles::dns::updater::manage_nsupdate: true
|
|
||||||
profiles::dns::updater::server: '198.18.200.9'
|
|
||||||
profiles::dns::updater::key_name: 'client-update'
|
|
||||||
profiles::dns::updater::key_algorithm: 'hmac-sha256'
|
|
||||||
#profiles::dns::base::ns_role: 'roles::infra::dns::resolver'
|
#profiles::dns::base::ns_role: 'roles::infra::dns::resolver'
|
||||||
#profiles::dns::base::use_ns: 'region'
|
#profiles::dns::base::use_ns: 'region'
|
||||||
profiles::consul::server::members_role: roles::infra::storage::consul
|
profiles::consul::server::members_role: roles::infra::storage::consul
|
||||||
|
|||||||
@@ -1,7 +1,4 @@
|
|||||||
---
|
---
|
||||||
haproxy_server_k8s_syd1_traefik_internal: 'k8s-traefik-internal 198.18.200.4:443 ssl verify none check inter 2s rise 3 fall 2'
|
|
||||||
haproxy_server_k8s_syd1_traefik_external: 'k8s-traefik-external 198.18.199.0:443 ssl verify none check inter 2s rise 3 fall 2'
|
|
||||||
|
|
||||||
profiles::haproxy::dns::ipaddr: "%{hiera('anycast_ip')}"
|
profiles::haproxy::dns::ipaddr: "%{hiera('anycast_ip')}"
|
||||||
profiles::haproxy::dns::vrrp_cnames:
|
profiles::haproxy::dns::vrrp_cnames:
|
||||||
- sonarr.main.unkin.net
|
- sonarr.main.unkin.net
|
||||||
@@ -19,7 +16,6 @@ profiles::haproxy::dns::vrrp_cnames:
|
|||||||
- mail.main.unkin.net
|
- mail.main.unkin.net
|
||||||
- autoconfig.main.unkin.net
|
- autoconfig.main.unkin.net
|
||||||
- autodiscover.main.unkin.net
|
- autodiscover.main.unkin.net
|
||||||
- auth.unkin.net
|
|
||||||
|
|
||||||
profiles::haproxy::mappings:
|
profiles::haproxy::mappings:
|
||||||
fe_http:
|
fe_http:
|
||||||
@@ -41,7 +37,6 @@ profiles::haproxy::mappings:
|
|||||||
- 'mail-webadmin.main.unkin.net be_stalwart_webadmin'
|
- 'mail-webadmin.main.unkin.net be_stalwart_webadmin'
|
||||||
- 'autoconfig.main.unkin.net be_stalwart_webadmin'
|
- 'autoconfig.main.unkin.net be_stalwart_webadmin'
|
||||||
- 'autodiscovery.main.unkin.net be_stalwart_webadmin'
|
- 'autodiscovery.main.unkin.net be_stalwart_webadmin'
|
||||||
- 'auth.unkin.net be_k8s_kanidm'
|
|
||||||
fe_https:
|
fe_https:
|
||||||
ensure: present
|
ensure: present
|
||||||
mappings:
|
mappings:
|
||||||
@@ -61,7 +56,6 @@ profiles::haproxy::mappings:
|
|||||||
- 'mail-webadmin.main.unkin.net be_stalwart_webadmin'
|
- 'mail-webadmin.main.unkin.net be_stalwart_webadmin'
|
||||||
- 'autoconfig.main.unkin.net be_stalwart_webadmin'
|
- 'autoconfig.main.unkin.net be_stalwart_webadmin'
|
||||||
- 'autodiscovery.main.unkin.net be_stalwart_webadmin'
|
- 'autodiscovery.main.unkin.net be_stalwart_webadmin'
|
||||||
- 'auth.unkin.net be_k8s_kanidm'
|
|
||||||
|
|
||||||
profiles::haproxy::frontends:
|
profiles::haproxy::frontends:
|
||||||
fe_http:
|
fe_http:
|
||||||
@@ -86,7 +80,6 @@ profiles::haproxy::frontends:
|
|||||||
- 'acl_stalwart_webadmin req.hdr(host) -i mail-webadmin.main.unkin.net'
|
- 'acl_stalwart_webadmin req.hdr(host) -i mail-webadmin.main.unkin.net'
|
||||||
- 'acl_stalwart_webadmin req.hdr(host) -i autoconfig.main.unkin.net'
|
- 'acl_stalwart_webadmin req.hdr(host) -i autoconfig.main.unkin.net'
|
||||||
- 'acl_stalwart_webadmin req.hdr(host) -i autodiscovery.main.unkin.net'
|
- 'acl_stalwart_webadmin req.hdr(host) -i autodiscovery.main.unkin.net'
|
||||||
- 'acl_kanidm req.hdr(host) -i auth.unkin.net'
|
|
||||||
- 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
|
- 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
|
||||||
use_backend:
|
use_backend:
|
||||||
- "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
|
- "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
|
||||||
@@ -106,7 +99,6 @@ profiles::haproxy::frontends:
|
|||||||
- 'set-header X-Frame-Options DENY if acl_grafana'
|
- 'set-header X-Frame-Options DENY if acl_grafana'
|
||||||
- 'set-header X-Frame-Options DENY if acl_ceph_dashboard'
|
- 'set-header X-Frame-Options DENY if acl_ceph_dashboard'
|
||||||
- 'set-header X-Frame-Options DENY if acl_stalwart_webadmin'
|
- 'set-header X-Frame-Options DENY if acl_stalwart_webadmin'
|
||||||
- 'set-header X-Frame-Options DENY if acl_kanidm'
|
|
||||||
- 'set-header X-Content-Type-Options nosniff'
|
- 'set-header X-Content-Type-Options nosniff'
|
||||||
- 'set-header X-XSS-Protection 1;mode=block'
|
- 'set-header X-XSS-Protection 1;mode=block'
|
||||||
|
|
||||||
@@ -328,26 +320,6 @@ profiles::haproxy::backends:
|
|||||||
- add-header X-Forwarded-Proto https if { dst_port 9443 }
|
- add-header X-Forwarded-Proto https if { dst_port 9443 }
|
||||||
redirect: 'scheme https if !{ ssl_fc }'
|
redirect: 'scheme https if !{ ssl_fc }'
|
||||||
stick-table: 'type ip size 200k expire 30m'
|
stick-table: 'type ip size 200k expire 30m'
|
||||||
be_k8s_kanidm:
|
|
||||||
description: Backend for Kanidm (auth.unkin.net via Kubernetes internal Traefik)
|
|
||||||
collect_exported: false
|
|
||||||
options:
|
|
||||||
balance: roundrobin
|
|
||||||
option:
|
|
||||||
- httpchk
|
|
||||||
- forwardfor
|
|
||||||
- http-keep-alive
|
|
||||||
- prefer-last-server
|
|
||||||
http-check:
|
|
||||||
- 'connect ssl sni auth.unkin.net'
|
|
||||||
- 'send meth GET uri /status ver HTTP/1.1 hdr Host auth.unkin.net'
|
|
||||||
- 'expect status 200'
|
|
||||||
http-reuse: always
|
|
||||||
http-request:
|
|
||||||
- set-header X-Forwarded-Port %[dst_port]
|
|
||||||
- add-header X-Forwarded-Proto https if { dst_port 443 }
|
|
||||||
redirect: 'scheme https if !{ ssl_fc }'
|
|
||||||
server: "%{lookup('haproxy_server_k8s_syd1_traefik_internal')} sni str(auth.unkin.net)"
|
|
||||||
be_stalwart_imap:
|
be_stalwart_imap:
|
||||||
description: Backend for Stalwart IMAP (STARTTLS)
|
description: Backend for Stalwart IMAP (STARTTLS)
|
||||||
collect_exported: false
|
collect_exported: false
|
||||||
@@ -421,7 +393,6 @@ profiles::haproxy::certlist::certificates:
|
|||||||
- /etc/pki/tls/letsencrypt/git.unkin.net/fullchain_combined.pem
|
- /etc/pki/tls/letsencrypt/git.unkin.net/fullchain_combined.pem
|
||||||
- /etc/pki/tls/letsencrypt/grafana.unkin.net/fullchain_combined.pem
|
- /etc/pki/tls/letsencrypt/grafana.unkin.net/fullchain_combined.pem
|
||||||
- /etc/pki/tls/letsencrypt/dashboard.ceph.unkin.net/fullchain_combined.pem
|
- /etc/pki/tls/letsencrypt/dashboard.ceph.unkin.net/fullchain_combined.pem
|
||||||
- /etc/pki/tls/letsencrypt/auth.unkin.net/fullchain_combined.pem
|
|
||||||
- /etc/pki/tls/vault/certificate.pem
|
- /etc/pki/tls/vault/certificate.pem
|
||||||
|
|
||||||
# additional altnames
|
# additional altnames
|
||||||
@@ -451,4 +422,3 @@ certbot::client::domains:
|
|||||||
- git.unkin.net
|
- git.unkin.net
|
||||||
- grafana.unkin.net
|
- grafana.unkin.net
|
||||||
- dashboard.ceph.unkin.net
|
- dashboard.ceph.unkin.net
|
||||||
- auth.unkin.net
|
|
||||||
|
|||||||
@@ -1,7 +1,7 @@
|
|||||||
# hieradata/os/AlmaLinux/AlmaLinux8.yaml
|
# hieradata/os/AlmaLinux/AlmaLinux8.yaml
|
||||||
---
|
---
|
||||||
crypto_policies::policy: 'DEFAULT'
|
crypto_policies::policy: 'DEFAULT'
|
||||||
almalinux-base-repo: almalinux
|
|
||||||
profiles::packages::include:
|
profiles::packages::include:
|
||||||
network-scripts: {}
|
network-scripts: {}
|
||||||
|
|
||||||
|
|||||||
@@ -1,2 +0,0 @@
|
|||||||
---
|
|
||||||
almalinux-base-repo: almalinux-vault
|
|
||||||
@@ -1,7 +1,7 @@
|
|||||||
# hieradata/os/AlmaLinux/AlmaLinux9.yaml
|
# hieradata/os/AlmaLinux/AlmaLinux9.yaml
|
||||||
---
|
---
|
||||||
crypto_policies::policy: 'DEFAULT:SHA1'
|
crypto_policies::policy: 'DEFAULT:SHA1'
|
||||||
almalinux-base-repo: almalinux
|
|
||||||
profiles::yum::global::repos:
|
profiles::yum::global::repos:
|
||||||
crb:
|
crb:
|
||||||
ensure: present
|
ensure: present
|
||||||
|
|||||||
@@ -23,45 +23,45 @@ profiles::yum::global::repos:
|
|||||||
name: baseos
|
name: baseos
|
||||||
descr: baseos repository
|
descr: baseos repository
|
||||||
target: /etc/yum.repos.d/baseos.repo
|
target: /etc/yum.repos.d/baseos.repo
|
||||||
baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/%{lookup('almalinux-base-repo')}/%{facts.os.release.full}/BaseOS/%{facts.os.architecture}/os/
|
baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/BaseOS/%{facts.os.architecture}/os/
|
||||||
gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/%{lookup('almalinux-base-repo')}/%{facts.os.release.full}/BaseOS/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/BaseOS/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
||||||
mirrorlist: absent
|
mirrorlist: absent
|
||||||
extras:
|
extras:
|
||||||
name: extras
|
name: extras
|
||||||
descr: extras repository
|
descr: extras repository
|
||||||
target: /etc/yum.repos.d/extras.repo
|
target: /etc/yum.repos.d/extras.repo
|
||||||
baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/%{lookup('almalinux-base-repo')}/%{facts.os.release.full}/extras/%{facts.os.architecture}/os/
|
baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/extras/%{facts.os.architecture}/os/
|
||||||
gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/%{lookup('almalinux-base-repo')}/%{facts.os.release.full}/extras/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/extras/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
||||||
mirrorlist: absent
|
mirrorlist: absent
|
||||||
appstream:
|
appstream:
|
||||||
name: appstream
|
name: appstream
|
||||||
descr: appstream repository
|
descr: appstream repository
|
||||||
target: /etc/yum.repos.d/appstream.repo
|
target: /etc/yum.repos.d/appstream.repo
|
||||||
baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/%{lookup('almalinux-base-repo')}/%{facts.os.release.full}/AppStream/%{facts.os.architecture}/os/
|
baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/AppStream/%{facts.os.architecture}/os/
|
||||||
gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/%{lookup('almalinux-base-repo')}/%{facts.os.release.full}/AppStream/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/AppStream/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
||||||
mirrorlist: absent
|
mirrorlist: absent
|
||||||
highavailability:
|
highavailability:
|
||||||
name: highavailability
|
name: highavailability
|
||||||
descr: highavailability repository
|
descr: highavailability repository
|
||||||
target: /etc/yum.repos.d/highavailability.repo
|
target: /etc/yum.repos.d/highavailability.repo
|
||||||
baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/%{lookup('almalinux-base-repo')}/%{facts.os.release.full}/HighAvailability/%{facts.os.architecture}/os/
|
baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/HighAvailability/%{facts.os.architecture}/os/
|
||||||
gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/%{lookup('almalinux-base-repo')}/%{facts.os.release.full}/HighAvailability/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/HighAvailability/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
||||||
mirrorlist: absent
|
mirrorlist: absent
|
||||||
crb:
|
crb:
|
||||||
ensure: absent
|
ensure: absent
|
||||||
name: crb
|
name: crb
|
||||||
descr: crb repository
|
descr: crb repository
|
||||||
target: /etc/yum.repos.d/crb.repo
|
target: /etc/yum.repos.d/crb.repo
|
||||||
baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/%{lookup('almalinux-base-repo')}/%{facts.os.release.full}/CRB/%{facts.os.architecture}/os/
|
baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/CRB/%{facts.os.architecture}/os/
|
||||||
gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/%{lookup('almalinux-base-repo')}/%{facts.os.release.full}/CRB/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/CRB/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
||||||
mirrorlist: absent
|
mirrorlist: absent
|
||||||
powertools:
|
powertools:
|
||||||
ensure: absent
|
ensure: absent
|
||||||
name: powertools
|
name: powertools
|
||||||
descr: powertools repository
|
descr: powertools repository
|
||||||
target: /etc/yum.repos.d/powertools.repo
|
target: /etc/yum.repos.d/powertools.repo
|
||||||
baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/%{lookup('almalinux-base-repo')}/%{facts.os.release.full}/PowerTools/%{facts.os.architecture}/os/
|
baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/PowerTools/%{facts.os.architecture}/os/
|
||||||
gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/%{lookup('almalinux-base-repo')}/%{facts.os.release.full}/PowerTools/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/PowerTools/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
||||||
mirrorlist: absent
|
mirrorlist: absent
|
||||||
epel:
|
epel:
|
||||||
name: epel
|
name: epel
|
||||||
@@ -127,16 +127,18 @@ profiles::yum::global::repos:
|
|||||||
name: ceph
|
name: ceph
|
||||||
descr: ceph repository
|
descr: ceph repository
|
||||||
target: /etc/yum.repos.d/ceph.repo
|
target: /etc/yum.repos.d/ceph.repo
|
||||||
baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/ceph-reef/el%{facts.os.release.major}/%{facts.os.architecture}
|
baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/ceph-reef/el-%{facts.os.release.major}/%{facts.os.architecture}
|
||||||
gpgcheck: false
|
gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/ceph-reef/el-%{facts.os.release.major}/%{facts.os.architecture}/repodata/repomd.xml.asc
|
||||||
|
gpgcheck: 1
|
||||||
mirrorlist: absent
|
mirrorlist: absent
|
||||||
ceph-noarch:
|
ceph-noarch:
|
||||||
ensure: absent
|
ensure: absent
|
||||||
name: ceph-noarch
|
name: ceph-noarch
|
||||||
descr: ceph noarch repository
|
descr: ceph noarch repository
|
||||||
target: /etc/yum.repos.d/ceph.repo
|
target: /etc/yum.repos.d/ceph.repo
|
||||||
baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/ceph-reef/el%{facts.os.release.major}/noarch
|
baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/ceph-reef/el-%{facts.os.release.major}/noarch
|
||||||
gpgcheck: false
|
gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/ceph-reef/el-%{facts.os.release.major}/noarch/repodata/repomd.xml.asc
|
||||||
|
gpgcheck: 1
|
||||||
mirrorlist: absent
|
mirrorlist: absent
|
||||||
|
|
||||||
# Rancher RKE2 repositories
|
# Rancher RKE2 repositories
|
||||||
|
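Review bot: The new `gpgkey` for the ceph repo (and the same line in `ceph-noarch` below) points at `repodata/repomd.xml.asc`, which in a yum repository is normally the detached signature of the metadata rather than the signing public key, so with `gpgcheck: 1` dnf would most likely fail to import it and then refuse every package instead of verifying anything. Point `gpgkey` at the actual Ceph release public key (served through the same artifactapi remote) and keep `gpgcheck: 1`; if the intent was to verify metadata as well, that is `repo_gpgcheck`, and it still needs the public key in `gpgkey`. Since the value is duplicated for both repos and the boolean style changed from `false` to `1` in the same edit, a `dnf makecache` on one host before merging would settle it.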
|||||||
@@ -66,9 +66,6 @@ glauth::users:
|
|||||||
- 20025 # jupyterhub_admin
|
- 20025 # jupyterhub_admin
|
||||||
- 20026 # jupyterhub_user
|
- 20026 # jupyterhub_user
|
||||||
- 20027 # grafana_user
|
- 20027 # grafana_user
|
||||||
- 20028 # k8s/au/syd1 operator
|
|
||||||
- 20029 # k8s/au/syd1 admin
|
|
||||||
- 20030 # k8s/au/syd1 root
|
|
||||||
loginshell: '/bin/bash'
|
loginshell: '/bin/bash'
|
||||||
homedir: '/home/benvin'
|
homedir: '/home/benvin'
|
||||||
passsha256: 'd2434f6b4764ef75d5b7b96a876a32deedbd6aa726a109c3f32e823ca66f604a'
|
passsha256: 'd2434f6b4764ef75d5b7b96a876a32deedbd6aa726a109c3f32e823ca66f604a'
|
||||||
@@ -226,24 +223,6 @@ glauth::users:
|
|||||||
loginshell: '/bin/bash'
|
loginshell: '/bin/bash'
|
||||||
homedir: '/home/debvin'
|
homedir: '/home/debvin'
|
||||||
passsha256: 'cdac05ddb02e665d4ea65a974995f38a10236bc158731d92d78f6cde89b294a1'
|
passsha256: 'cdac05ddb02e665d4ea65a974995f38a10236bc158731d92d78f6cde89b294a1'
|
||||||
jassol:
|
|
||||||
user_name: 'jassol'
|
|
||||||
givenname: 'Jason'
|
|
||||||
sn: 'Solomon'
|
|
||||||
mail: 'jassol@users.main.unkin.net'
|
|
||||||
uidnumber: 20010
|
|
||||||
primarygroup: 20000
|
|
||||||
othergroups:
|
|
||||||
- 20010 # jelly
|
|
||||||
- 20011 # sonarr
|
|
||||||
- 20012 # radarr
|
|
||||||
- 20013 # lidarr
|
|
||||||
- 20014 # readarr
|
|
||||||
- 20016 # nzbget
|
|
||||||
- 20027 # grafana user
|
|
||||||
loginshell: '/bin/bash'
|
|
||||||
homedir: '/home/jassol'
|
|
||||||
passsha256: 'd8e215d3c94b954e1318c9c7243ce72713f2fb1d006037724fe857c1fb7e88e9'
|
|
||||||
|
|
||||||
glauth::services:
|
glauth::services:
|
||||||
svc_jellyfin:
|
svc_jellyfin:
|
||||||
@@ -388,12 +367,3 @@ glauth::groups:
|
|||||||
grafana_user:
|
grafana_user:
|
||||||
group_name: 'grafana_user'
|
group_name: 'grafana_user'
|
||||||
gidnumber: 20027
|
gidnumber: 20027
|
||||||
kubernetes_au_syd1_cluster_operator:
|
|
||||||
group_name: 'kubernetes_au_syd1_cluster_operator'
|
|
||||||
gidnumber: 20028
|
|
||||||
kubernetes_au_syd1_cluster_admin:
|
|
||||||
group_name: 'kubernetes_au_syd1_cluster_admin'
|
|
||||||
gidnumber: 20029
|
|
||||||
kubernetes_au_syd1_cluster_root:
|
|
||||||
group_name: 'kubernetes_au_syd1_cluster_root'
|
|
||||||
gidnumber: 20030
|
|
||||||
|
|||||||
@@ -6,10 +6,8 @@ hiera_include:
|
|||||||
profiles::dns::resolver::acls:
|
profiles::dns::resolver::acls:
|
||||||
acl-main.unkin.net:
|
acl-main.unkin.net:
|
||||||
addresses:
|
addresses:
|
||||||
- 198.18.1.10/32
|
- 10.10.8.1/32
|
||||||
- 198.18.2.160/27
|
|
||||||
- 198.18.21.160/27
|
- 198.18.21.160/27
|
||||||
- 198.18.2.192/27
|
|
||||||
- 198.18.21.192/27
|
- 198.18.21.192/27
|
||||||
- 198.18.13.0/24
|
- 198.18.13.0/24
|
||||||
- 198.18.14.0/24
|
- 198.18.14.0/24
|
||||||
|
|||||||
@@ -82,14 +82,8 @@ profiles::sql::postgresdb::dbname: gitea
|
|||||||
profiles::sql::postgresdb::dbuser: gitea
|
profiles::sql::postgresdb::dbuser: gitea
|
||||||
|
|
||||||
# deploy gitea
|
# deploy gitea
|
||||||
gitea::base_url: 'https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/gitea-dl/gitea'
|
gitea::ensure: '1.22.4'
|
||||||
gitea::install::checksums:
|
gitea::checksum: 'd549104f55067e6fb156e7ba060c9af488f36e12d5e747db7563fcc99eaf8532'
|
||||||
1.26.2:
|
|
||||||
linux:
|
|
||||||
amd64: 5b37937b625de69196748f7293eee1a7363f8637ae6e3da3c359bb380bd61a6a
|
|
||||||
|
|
||||||
gitea::ensure: '1.26.2'
|
|
||||||
gitea::checksum: '5b37937b625de69196748f7293eee1a7363f8637ae6e3da3c359bb380bd61a6a'
|
|
||||||
gitea::manage_user: false
|
gitea::manage_user: false
|
||||||
gitea::manage_group: false
|
gitea::manage_group: false
|
||||||
gitea::manage_home: false
|
gitea::manage_home: false
|
||||||
|
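Review bot: The new side pins `gitea::ensure: '1.22.4'` while the removed lines carried `1.26.2` with its checksum, and it also drops `gitea::base_url`, so as far as this hunk shows Gitea moves to an older release line and the binary is now fetched from the module's default location instead of the artifactapi mirror. If this is a deliberate rollback the commit message should say so, because a reverted version of a web-facing service otherwise reads as a mistake, and if the 1.26 database migrations have already run the older binary may refuse to start. Keeping `gitea::base_url` on the internal mirror preserves the single egress point the yum repositories in this same change rely on; the explicit `gitea::checksum` pin is good and should stay.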
|||||||
@@ -5,10 +5,6 @@ hiera_include:
|
|||||||
- incus
|
- incus
|
||||||
- zfs
|
- zfs
|
||||||
- profiles::ceph::node
|
- profiles::ceph::node
|
||||||
- profiles::ceph::mon
|
|
||||||
- profiles::ceph::mgr
|
|
||||||
- profiles::ceph::mds
|
|
||||||
- profiles::ceph::osd
|
|
||||||
- profiles::ceph::client
|
- profiles::ceph::client
|
||||||
- profiles::ceph::dashboard
|
- profiles::ceph::dashboard
|
||||||
- profiles::storage::cephfsvols
|
- profiles::storage::cephfsvols
|
||||||
@@ -103,7 +99,7 @@ profiles::yum::global::repos:
|
|||||||
profiles::dns::base::primary_interface: loopback0
|
profiles::dns::base::primary_interface: loopback0
|
||||||
|
|
||||||
# dashboard/haproxy
|
# dashboard/haproxy
|
||||||
profiles::ceph::dashboard::ipaddress: "%{hiera('networking_loopback2_ip')}"
|
profiles::ceph::dashboard::ipaddress: "%{hiera('networking_loopback0_ip')}"
|
||||||
|
|
||||||
# networking
|
# networking
|
||||||
systemd::manage_networkd: true
|
systemd::manage_networkd: true
|
||||||
|
|||||||
@@ -2,7 +2,6 @@
|
|||||||
hiera_include:
|
hiera_include:
|
||||||
- profiles::selinux::setenforce
|
- profiles::selinux::setenforce
|
||||||
- profiles::ceph::node
|
- profiles::ceph::node
|
||||||
- profiles::ceph::osd
|
|
||||||
- profiles::ceph::client
|
- profiles::ceph::client
|
||||||
- exporters::frr_exporter
|
- exporters::frr_exporter
|
||||||
- frrouting
|
- frrouting
|
||||||
@@ -11,62 +10,6 @@ hiera_include:
|
|||||||
# manage rke2
|
# manage rke2
|
||||||
rke2::bootstrap_node: prodnxsr0001.main.unkin.net
|
rke2::bootstrap_node: prodnxsr0001.main.unkin.net
|
||||||
rke2::join_url: https://join-k8s.service.consul:9345
|
rke2::join_url: https://join-k8s.service.consul:9345
|
||||||
rke2::manage_registries: true
|
|
||||||
rke2::registries:
|
|
||||||
docker.io:
|
|
||||||
endpoint:
|
|
||||||
- "https://artifactapi.k8s.syd1.au.unkin.net"
|
|
||||||
rewrite:
|
|
||||||
"^(.*)$": "dockerhub/$1"
|
|
||||||
disable-default-registry-endpoint: true
|
|
||||||
ghcr.io:
|
|
||||||
endpoint:
|
|
||||||
- "https://artifactapi.k8s.syd1.au.unkin.net"
|
|
||||||
rewrite:
|
|
||||||
"^(.*)$": "ghcr/$1"
|
|
||||||
disable-default-registry-endpoint: true
|
|
||||||
quay.io:
|
|
||||||
endpoint:
|
|
||||||
- "https://artifactapi.k8s.syd1.au.unkin.net"
|
|
||||||
rewrite:
|
|
||||||
"^(.*)$": "quay/$1"
|
|
||||||
disable-default-registry-endpoint: true
|
|
||||||
registry.k8s.io:
|
|
||||||
endpoint:
|
|
||||||
- "https://artifactapi.k8s.syd1.au.unkin.net"
|
|
||||||
rewrite:
|
|
||||||
"^(.*)$": "k8s-registry/$1"
|
|
||||||
disable-default-registry-endpoint: true
|
|
||||||
registry.gitlab.com:
|
|
||||||
endpoint:
|
|
||||||
- "https://artifactapi.k8s.syd1.au.unkin.net"
|
|
||||||
rewrite:
|
|
||||||
"^(.*)$": "gitlab/$1"
|
|
||||||
disable-default-registry-endpoint: true
|
|
||||||
docker.elastic.co:
|
|
||||||
endpoint:
|
|
||||||
- "https://artifactapi.k8s.syd1.au.unkin.net"
|
|
||||||
rewrite:
|
|
||||||
"^(.*)$": "elastic/$1"
|
|
||||||
disable-default-registry-endpoint: true
|
|
||||||
gcr.io:
|
|
||||||
endpoint:
|
|
||||||
- "https://artifactapi.k8s.syd1.au.unkin.net"
|
|
||||||
rewrite:
|
|
||||||
"^(.*)$": "gcr/$1"
|
|
||||||
disable-default-registry-endpoint: true
|
|
||||||
docker.litellm.ai:
|
|
||||||
endpoint:
|
|
||||||
- "https://artifactapi.k8s.syd1.au.unkin.net"
|
|
||||||
rewrite:
|
|
||||||
"^(.*)$": "litellm/$1"
|
|
||||||
disable-default-registry-endpoint: true
|
|
||||||
public.ecr.aws:
|
|
||||||
endpoint:
|
|
||||||
- "https://artifactapi.k8s.syd1.au.unkin.net"
|
|
||||||
rewrite:
|
|
||||||
"^(.*)$": "ecr-public/$1"
|
|
||||||
disable-default-registry-endpoint: true
|
|
||||||
rke2::config_hash:
|
rke2::config_hash:
|
||||||
bind-address: "%{hiera('networking_loopback0_ip')}"
|
bind-address: "%{hiera('networking_loopback0_ip')}"
|
||||||
node-ip: "%{hiera('networking_loopback0_ip')}"
|
node-ip: "%{hiera('networking_loopback0_ip')}"
|
||||||
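Review bot: Removing `rke2::manage_registries` together with the whole `rke2::registries` map means every node now pulls images directly from docker.io, ghcr.io, quay.io, registry.k8s.io and the others, because `disable-default-registry-endpoint: true` disappears with it; the artifactapi pull-through mirror was the one place where image provenance, caching and egress could be controlled, and it is silently gone on the new side. If the mirror is being retired on purpose the commit should say so, and the nodes' egress policy needs checking so the public registries are actually reachable, otherwise the first pod reschedule after the Puppet run fails with image pull errors. If only one rewrite entry was broken, dropping that entry rather than the entire map is the smaller change.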
@@ -182,17 +125,6 @@ frrouting::ospf_exclude_k8s_enable: true
|
|||||||
frrouting::k8s_cluster_cidr: '10.42.0.0/16' # RKE2 cluster-cidr (pods)
|
frrouting::k8s_cluster_cidr: '10.42.0.0/16' # RKE2 cluster-cidr (pods)
|
||||||
frrouting::k8s_service_cidr: '10.43.0.0/16' # RKE2 service-cidr
|
frrouting::k8s_service_cidr: '10.43.0.0/16' # RKE2 service-cidr
|
||||||
|
|
||||||
# sysctl recommendations
|
|
||||||
sysctl::base::values:
|
|
||||||
net.ipv4.conf.default.rp_filter:
|
|
||||||
value: '0'
|
|
||||||
net.ipv4.conf.all.rp_filter:
|
|
||||||
value: '0'
|
|
||||||
fs.inotify.max_user_watches:
|
|
||||||
value: '524288'
|
|
||||||
fs.inotify.max_user_instances:
|
|
||||||
value: '512'
|
|
||||||
|
|
||||||
# add loopback interfaces to ssh list
|
# add loopback interfaces to ssh list
|
||||||
ssh::server::options:
|
ssh::server::options:
|
||||||
ListenAddress:
|
ListenAddress:
|
||||||
|
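Review bot: Deleting the `sysctl::base::values` block from hiera does not by itself revert `rp_filter` or the inotify limits on nodes that already have them applied — unless the sysctl module purges entries it no longer manages, the existing drop-in stays and those hosts simply stop being managed, so freshly built and existing nodes drift apart. If the intent is to return to distribution defaults, set the values explicitly (e.g. `value: '1'` for the two `rp_filter` keys) or confirm the module's purge behaviour; if the intent is to keep them, they belong in a shared profile rather than being dropped here. Re-enabling reverse-path filtering on hosts that bind services to `loopback0` and run FRR may also drop asymmetric traffic, so this deserves a test on one node before the fleet. The `frrouting::*` keys above are unchanged context.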
|||||||
@@ -3,6 +3,9 @@
|
|||||||
rke2::node_type: server
|
rke2::node_type: server
|
||||||
rke2::helm_install: true
|
rke2::helm_install: true
|
||||||
rke2::helm_repos:
|
rke2::helm_repos:
|
||||||
|
rancher-stable: https://releases.rancher.com/server-charts/stable
|
||||||
|
purelb: https://gitlab.com/api/v4/projects/20400619/packages/helm/stable
|
||||||
|
jetstack: https://charts.jetstack.io
|
||||||
harbor: https://helm.goharbor.io
|
harbor: https://helm.goharbor.io
|
||||||
traefik: https://traefik.github.io/charts
|
traefik: https://traefik.github.io/charts
|
||||||
hashicorp: https://helm.releases.hashicorp.com
|
hashicorp: https://helm.releases.hashicorp.com
|
||||||
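Review bot: The three added Helm repositories (`rancher-stable`, `purelb`, `jetstack`) are fetched directly from upstream with no chart version pin visible in this hunk, whereas the package repositories elsewhere in this change go through the artifactapi remote. That is acceptable for a chart index, but if the cluster is expected to stay reproducible the charts installed from these repos should be version-pinned where they are deployed, and the repos could be proxied through the same remote for consistency. The `rke2::helm_repos` map continues unchanged below this hunk.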
@@ -55,12 +58,6 @@ consul::services:
|
|||||||
tcp: "%{hiera('networking_loopback0_ip')}:9345"
|
tcp: "%{hiera('networking_loopback0_ip')}:9345"
|
||||||
interval: '10s'
|
interval: '10s'
|
||||||
timeout: '1s'
|
timeout: '1s'
|
||||||
- id: 'rke2_server_ping_check'
|
|
||||||
name: 'rke2 Server Ping Check'
|
|
||||||
http: "https://%{hiera('networking_loopback0_ip')}:9345/ping"
|
|
||||||
interval: '10s'
|
|
||||||
timeout: '3s'
|
|
||||||
tls_skip_verify: true
|
|
||||||
profiles::consul::client::node_rules:
|
profiles::consul::client::node_rules:
|
||||||
- resource: service
|
- resource: service
|
||||||
segment: api-k8s
|
segment: api-k8s
|
||||||
|
|||||||
@@ -11,7 +11,6 @@ profiles::metrics::grafana::db_name: "%{hiera('profiles::sql::postgresdb::dbname
|
|||||||
profiles::metrics::grafana::db_user: "%{hiera('profiles::sql::postgresdb::dbuser')}"
|
profiles::metrics::grafana::db_user: "%{hiera('profiles::sql::postgresdb::dbuser')}"
|
||||||
profiles::metrics::grafana::db_pass: "%{hiera('profiles::sql::postgresdb::dbpass')}"
|
profiles::metrics::grafana::db_pass: "%{hiera('profiles::sql::postgresdb::dbpass')}"
|
||||||
profiles::metrics::grafana::pgsql_backend: true
|
profiles::metrics::grafana::pgsql_backend: true
|
||||||
profiles::metrics::grafana::version: '13.0.2'
|
|
||||||
profiles::metrics::grafana::plugins:
|
profiles::metrics::grafana::plugins:
|
||||||
victoriametrics-logs-datasource:
|
victoriametrics-logs-datasource:
|
||||||
ensure: present
|
ensure: present
|
||||||
|
|||||||
@@ -16,4 +16,3 @@ certbot::domains:
|
|||||||
- git.unkin.net
|
- git.unkin.net
|
||||||
- grafana.unkin.net
|
- grafana.unkin.net
|
||||||
- dashboard.ceph.unkin.net
|
- dashboard.ceph.unkin.net
|
||||||
- auth.unkin.net
|
|
||||||
|
|||||||
@@ -26,7 +26,7 @@ profiles::puppet::cobbler_enc::packages:
|
|||||||
- 'requests'
|
- 'requests'
|
||||||
- 'PyYAML'
|
- 'PyYAML'
|
||||||
profiles::puppet::enc::repo: https://git.service.au-syd1.consul/unkinben/puppet-enc.git
|
profiles::puppet::enc::repo: https://git.service.au-syd1.consul/unkinben/puppet-enc.git
|
||||||
profiles::puppet::r10k::r10k_repo: https://git.unkin.net/unkin/puppet-r10k.git
|
profiles::puppet::r10k::r10k_repo: https://git.service.au-syd1.consul/unkin/puppet-r10k.git
|
||||||
profiles::puppet::g10k::bin_path: '/usr/bin/g10k'
|
profiles::puppet::g10k::bin_path: '/usr/bin/g10k'
|
||||||
profiles::puppet::g10k::cfg_path: '/etc/puppetlabs/r10k/r10k.yaml'
|
profiles::puppet::g10k::cfg_path: '/etc/puppetlabs/r10k/r10k.yaml'
|
||||||
profiles::puppet::g10k::environments_path: '/etc/puppetlabs/code/environments'
|
profiles::puppet::g10k::environments_path: '/etc/puppetlabs/code/environments'
|
||||||
|
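Review bot: `profiles::puppet::r10k::r10k_repo` now resolves the control repo through the Consul name `git.service.au-syd1.consul`, matching the `enc::repo` line above it, so the certificate presented under that name must already be trusted by g10k/r10k on the Puppet server; otherwise the tempting fix is to disable TLS verification for the one repository that must never be fetched unverified. A comment here would prevent that, e.g. `# .consul names are issued by the internal PKI; never set insecure/skip-verify for the control repo`. Because the name is service-discovered, Consul ACLs on who may register the `git` service are now part of the trust chain for Puppet code.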
|||||||
@@ -3,6 +3,125 @@ profiles::packages::include:
|
|||||||
createrepo: {}
|
createrepo: {}
|
||||||
|
|
||||||
profiles::reposync::repos_list:
|
profiles::reposync::repos_list:
|
||||||
|
almalinux_9.7_baseos:
|
||||||
|
repository: 'baseos'
|
||||||
|
description: 'AlmaLinux 9.7 BaseOS'
|
||||||
|
osname: 'almalinux'
|
||||||
|
release: '9.7'
|
||||||
|
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.7/baseos'
|
||||||
|
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
|
||||||
|
almalinux_9.7_appstream:
|
||||||
|
repository: 'appstream'
|
||||||
|
description: 'AlmaLinux 9.7 AppStream'
|
||||||
|
osname: 'almalinux'
|
||||||
|
release: '9.7'
|
||||||
|
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.7/appstream'
|
||||||
|
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
|
||||||
|
almalinux_9.7_crb:
|
||||||
|
repository: 'crb'
|
||||||
|
description: 'AlmaLinux 9.7 CRB'
|
||||||
|
osname: 'almalinux'
|
||||||
|
release: '9.7'
|
||||||
|
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.7/crb'
|
||||||
|
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
|
||||||
|
almalinux_9.7_ha:
|
||||||
|
repository: 'ha'
|
||||||
|
description: 'AlmaLinux 9.7 HighAvailability'
|
||||||
|
osname: 'almalinux'
|
||||||
|
release: '9.7'
|
||||||
|
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.7/highavailability'
|
||||||
|
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
|
||||||
|
almalinux_9.7_extras:
|
||||||
|
repository: 'extras'
|
||||||
|
description: 'AlmaLinux 9.7 extras'
|
||||||
|
osname: 'almalinux'
|
||||||
|
release: '9.7'
|
||||||
|
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.7/extras'
|
||||||
|
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
|
||||||
|
almalinux_9.6_baseos:
|
||||||
|
repository: 'baseos'
|
||||||
|
description: 'AlmaLinux 9.6 BaseOS'
|
||||||
|
osname: 'almalinux'
|
||||||
|
release: '9.6'
|
||||||
|
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.6/baseos'
|
||||||
|
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
|
||||||
|
almalinux_9.6_appstream:
|
||||||
|
repository: 'appstream'
|
||||||
|
description: 'AlmaLinux 9.6 AppStream'
|
||||||
|
osname: 'almalinux'
|
||||||
|
release: '9.6'
|
||||||
|
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.6/appstream'
|
||||||
|
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
|
||||||
|
almalinux_9.6_crb:
|
||||||
|
repository: 'crb'
|
||||||
|
description: 'AlmaLinux 9.6 CRB'
|
||||||
|
osname: 'almalinux'
|
||||||
|
release: '9.6'
|
||||||
|
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.6/crb'
|
||||||
|
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
|
||||||
|
almalinux_9.6_ha:
|
||||||
|
repository: 'ha'
|
||||||
|
description: 'AlmaLinux 9.6 HighAvailability'
|
||||||
|
osname: 'almalinux'
|
||||||
|
release: '9.6'
|
||||||
|
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.6/highavailability'
|
||||||
|
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
|
||||||
|
almalinux_9.6_extras:
|
||||||
|
repository: 'extras'
|
||||||
|
description: 'AlmaLinux 9.6 extras'
|
||||||
|
osname: 'almalinux'
|
||||||
|
release: '9.6'
|
||||||
|
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.6/extras'
|
||||||
|
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
|
||||||
|
almalinux_9_5_baseos:
|
||||||
|
repository: 'baseos'
|
||||||
|
description: 'AlmaLinux 9.5 BaseOS'
|
||||||
|
osname: 'almalinux'
|
||||||
|
release: '9.5'
|
||||||
|
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/baseos'
|
||||||
|
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
|
||||||
|
almalinux_9_5_appstream:
|
||||||
|
repository: 'appstream'
|
||||||
|
description: 'AlmaLinux 9.5 AppStream'
|
||||||
|
osname: 'almalinux'
|
||||||
|
release: '9.5'
|
||||||
|
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/appstream'
|
||||||
|
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
|
||||||
|
almalinux_9_5_crb:
|
||||||
|
repository: 'crb'
|
||||||
|
description: 'AlmaLinux 9.5 CRB'
|
||||||
|
osname: 'almalinux'
|
||||||
|
release: '9.5'
|
||||||
|
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/crb'
|
||||||
|
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
|
||||||
|
almalinux_9_5_ha:
|
||||||
|
repository: 'ha'
|
||||||
|
description: 'AlmaLinux 9.5 HighAvailability'
|
||||||
|
osname: 'almalinux'
|
||||||
|
release: '9.5'
|
||||||
|
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/highavailability'
|
||||||
|
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
|
||||||
|
almalinux_9_5_extras:
|
||||||
|
repository: 'extras'
|
||||||
|
description: 'AlmaLinux 9.5 extras'
|
||||||
|
osname: 'almalinux'
|
||||||
|
release: '9.5'
|
||||||
|
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/extras'
|
||||||
|
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
|
||||||
|
epel_8:
|
||||||
|
repository: 'everything'
|
||||||
|
description: 'EPEL8'
|
||||||
|
osname: 'epel'
|
||||||
|
release: '8'
|
||||||
|
mirrorlist: 'https://mirrors.fedoraproject.org/mirrorlist?repo=epel-8&arch=x86_64'
|
||||||
|
gpgkey: 'https://epel.mirror.digitalpacific.com.au/RPM-GPG-KEY-EPEL-8'
|
||||||
|
epel_9:
|
||||||
|
repository: 'everything'
|
||||||
|
description: 'EPEL9'
|
||||||
|
osname: 'epel'
|
||||||
|
release: '9'
|
||||||
|
mirrorlist: 'https://mirrors.fedoraproject.org/mirrorlist?repo=epel-9&arch=x86_64'
|
||||||
|
gpgkey: 'https://epel.mirror.digitalpacific.com.au/RPM-GPG-KEY-EPEL-9'
|
||||||
docker_stable_el8:
|
docker_stable_el8:
|
||||||
repository: 'stable'
|
repository: 'stable'
|
||||||
description: 'Docker CE Stable EL8'
|
description: 'Docker CE Stable EL8'
|
||||||
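Review bot: Every added AlmaLinux entry fetches its signing key as `gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'` over plain HTTP, so the key that all later package verification rests on is itself delivered without integrity protection, while the `mirrorlist` on the line above each one is already HTTPS; change the scheme to `https://` for the same path, or fetch the key from the distribution's primary site. The key names also mix `almalinux_9.7_*` / `almalinux_9.6_*` with `almalinux_9_5_*`, and if these keys become directory names downstream the dotted form is the one likely to surprise — pick one convention. The `epel_8`/`epel_9` entries hard-code `arch=x86_64` in the mirrorlist, which is fine only as long as nothing else is synced; the `docker_stable_el8` block and the rest of `repos_list` continue outside this hunk.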
@@ -17,6 +136,34 @@ profiles::reposync::repos_list:
|
|||||||
release: 'el9'
|
release: 'el9'
|
||||||
baseurl: 'https://download.docker.com/linux/centos/9/x86_64/stable/'
|
baseurl: 'https://download.docker.com/linux/centos/9/x86_64/stable/'
|
||||||
gpgkey: 'https://download.docker.com/linux/centos/gpg'
|
gpgkey: 'https://download.docker.com/linux/centos/gpg'
|
||||||
|
frr_stable_el8:
|
||||||
|
repository: 'stable'
|
||||||
|
description: 'FRR Stable EL8'
|
||||||
|
osname: 'frr'
|
||||||
|
release: 'el8'
|
||||||
|
baseurl: 'https://rpm.frrouting.org/repo/el8/frr/'
|
||||||
|
gpgkey: 'https://packagerepo.service.consul/frr/gpg/RPM-GPG-KEY-FRR'
|
||||||
|
frr_extras_el8:
|
||||||
|
repository: 'extras'
|
||||||
|
description: 'FRR Extras EL8'
|
||||||
|
osname: 'frr'
|
||||||
|
release: 'el8'
|
||||||
|
baseurl: 'https://rpm.frrouting.org/repo/el8/extras/'
|
||||||
|
gpgkey: 'https://packagerepo.service.consul/frr/gpg/RPM-GPG-KEY-FRR'
|
||||||
|
frr_stable_el9:
|
||||||
|
repository: 'stable'
|
||||||
|
description: 'FRR Stable EL9'
|
||||||
|
osname: 'frr'
|
||||||
|
release: 'el9'
|
||||||
|
baseurl: 'https://rpm.frrouting.org/repo/el9/frr/'
|
||||||
|
gpgkey: 'https://packagerepo.service.consul/frr/gpg/RPM-GPG-KEY-FRR'
|
||||||
|
frr_extras_el9:
|
||||||
|
repository: 'extras'
|
||||||
|
description: 'FRR Extras el9'
|
||||||
|
osname: 'frr'
|
||||||
|
release: 'el9'
|
||||||
|
baseurl: 'https://rpm.frrouting.org/repo/el9/extras/'
|
||||||
|
gpgkey: 'https://packagerepo.service.consul/frr/gpg/RPM-GPG-KEY-FRR'
|
||||||
k8s_1.32:
|
k8s_1.32:
|
||||||
repository: '1.32'
|
repository: '1.32'
|
||||||
description: 'Kubernetes 1.32'
|
description: 'Kubernetes 1.32'
|
||||||
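Review bot: The four FRR entries take packages from `rpm.frrouting.org` but the signing key from `packagerepo.service.consul`, so the key is a locally held copy rather than the one published alongside the packages; that is a reasonable pinning choice, but it should be recorded with a comment such as `# GPG key is a vetted local copy; refresh deliberately when FRR rotates keys` so an upstream key rotation is not mistaken for a mirror outage. `description: 'FRR Extras el9'` also breaks the `EL8`/`EL9` capitalisation used by the other three entries.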
@@ -31,6 +178,62 @@ profiles::reposync::repos_list:
|
|||||||
release: '1.33'
|
release: '1.33'
|
||||||
baseurl: 'https://pkgs.k8s.io/core:/stable:/v1.33/rpm/'
|
baseurl: 'https://pkgs.k8s.io/core:/stable:/v1.33/rpm/'
|
||||||
gpgkey: 'https://pkgs.k8s.io/core:/stable:/v1.33/rpm/repodata/repomd.xml.key'
|
gpgkey: 'https://pkgs.k8s.io/core:/stable:/v1.33/rpm/repodata/repomd.xml.key'
|
||||||
|
mariadb_11_8_el8:
|
||||||
|
repository: 'el8'
|
||||||
|
description: 'MariaDB 11.8'
|
||||||
|
osname: 'mariadb'
|
||||||
|
release: '11.8'
|
||||||
|
baseurl: 'http://mariadb.mirror.digitalpacific.com.au/yum/11.8/rhel8-amd64/'
|
||||||
|
gpgkey: 'https://mariadb.mirror.digitalpacific.com.au/yum/RPM-GPG-KEY-MariaDB'
|
||||||
|
mariadb_11_8_el9:
|
||||||
|
repository: 'el9'
|
||||||
|
description: 'MariaDB 11.8'
|
||||||
|
osname: 'mariadb'
|
||||||
|
release: '11.8'
|
||||||
|
baseurl: 'http://mariadb.mirror.digitalpacific.com.au/yum/11.8/rhel9-amd64/'
|
||||||
|
gpgkey: 'https://mariadb.mirror.digitalpacific.com.au/yum/RPM-GPG-KEY-MariaDB'
|
||||||
|
openvox7_el8:
|
||||||
|
repository: '8'
|
||||||
|
description: 'openvox 7 EL8'
|
||||||
|
osname: 'openvox7'
|
||||||
|
release: 'el'
|
||||||
|
baseurl: 'https://yum.voxpupuli.org/openvox7/el/8/x86_64/'
|
||||||
|
gpgkey: 'https://yum.voxpupuli.org/GPG-KEY-openvox.pub'
|
||||||
|
openvox7_el9:
|
||||||
|
repository: '9'
|
||||||
|
description: 'openvox 7 EL9'
|
||||||
|
osname: 'openvox7'
|
||||||
|
release: 'el'
|
||||||
|
baseurl: 'https://yum.voxpupuli.org/openvox7/el/9/x86_64/'
|
||||||
|
gpgkey: 'https://yum.voxpupuli.org/GPG-KEY-openvox.pub'
|
||||||
|
openvox7_el10:
|
||||||
|
repository: '10'
|
||||||
|
description: 'openvox 7 EL10'
|
||||||
|
osname: 'openvox7'
|
||||||
|
release: 'el'
|
||||||
|
baseurl: 'https://yum.voxpupuli.org/openvox7/el/10/x86_64/'
|
||||||
|
gpgkey: 'https://yum.voxpupuli.org/GPG-KEY-openvox.pub'
|
||||||
|
openvox8_el8:
|
||||||
|
repository: '8'
|
||||||
|
description: 'openvox 8 EL8'
|
||||||
|
osname: 'openvox8'
|
||||||
|
release: 'el'
|
||||||
|
baseurl: 'https://yum.voxpupuli.org/openvox8/el/8/x86_64/'
|
||||||
|
gpgkey: 'https://yum.voxpupuli.org/GPG-KEY-openvox.pub'
|
||||||
|
openvox8_el9:
|
||||||
|
repository: '9'
|
||||||
|
description: 'openvox 8 EL9'
|
||||||
|
osname: 'openvox8'
|
||||||
|
release: 'el'
|
||||||
|
baseurl: 'https://yum.voxpupuli.org/openvox8/el/9/x86_64/'
|
||||||
|
gpgkey: 'https://yum.voxpupuli.org/GPG-KEY-openvox.pub'
|
||||||
|
openvox8_el10:
|
||||||
|
repository: '10'
|
||||||
|
description: 'openvox 8 EL10'
|
||||||
|
osname: 'openvox8'
|
||||||
|
release: 'el'
|
||||||
|
baseurl: 'https://yum.voxpupuli.org/openvox8/el/10/x86_64/'
|
||||||
|
gpgkey: 'https://yum.voxpupuli.org/GPG-KEY-openvox.pub'
|
||||||
puppet7_el8:
|
puppet7_el8:
|
||||||
repository: '8'
|
repository: '8'
|
||||||
description: 'Puppet 7 EL8'
|
description: 'Puppet 7 EL8'
|
||||||
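Review bot: `mariadb_11_8_el8` and `mariadb_11_8_el9` use `baseurl: 'http://mariadb.mirror.digitalpacific.com.au/...'` while their `gpgkey` is HTTPS from the same mirror; package signatures still protect the RPMs, but repository metadata fetched over cleartext HTTP can be replaced with stale metadata, which is how a client gets held on an old, vulnerable build without any signature check failing. Switch both `baseurl` values to `https://` as the key lines already do. The openvox entries are consistent with the `puppet7_el8` block below in how `repository`/`release` are used, so no change needed there.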
@@ -59,6 +262,76 @@ profiles::reposync::repos_list:
|
|||||||
release: 'el'
|
release: 'el'
|
||||||
baseurl: 'https://yum.puppet.com/puppet8/el/9/x86_64/'
|
baseurl: 'https://yum.puppet.com/puppet8/el/9/x86_64/'
|
||||||
gpgkey: 'https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406'
|
gpgkey: 'https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406'
|
||||||
|
postgresql_rhel8_common:
|
||||||
|
repository: 'common'
|
||||||
|
description: 'PostgreSQL Common RHEL 8'
|
||||||
|
osname: 'postgresql'
|
||||||
|
release: 'rhel8'
|
||||||
|
baseurl: 'https://download.postgresql.org/pub/repos/yum/common/redhat/rhel-8-x86_64/'
|
||||||
|
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
|
||||||
|
postgresql_rhel9_common:
|
||||||
|
repository: 'common'
|
||||||
|
description: 'PostgreSQL Common RHEL 9'
|
||||||
|
osname: 'postgresql'
|
||||||
|
release: 'rhel9'
|
||||||
|
baseurl: 'https://download.postgresql.org/pub/repos/yum/common/redhat/rhel-9-x86_64/'
|
||||||
|
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
|
||||||
|
postgresql_rhel8_15:
|
||||||
|
repository: '15'
|
||||||
|
description: 'PostgreSQL 15 RHEL 8'
|
||||||
|
osname: 'postgresql'
|
||||||
|
release: 'rhel8'
|
||||||
|
baseurl: 'https://download.postgresql.org/pub/repos/yum/15/redhat/rhel-8-x86_64/'
|
||||||
|
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
|
||||||
|
postgresql_rhel9_15:
|
||||||
|
repository: '15'
|
||||||
|
description: 'PostgreSQL 15 RHEL 9'
|
||||||
|
osname: 'postgresql'
|
||||||
|
release: 'rhel9'
|
||||||
|
baseurl: 'https://download.postgresql.org/pub/repos/yum/15/redhat/rhel-9-x86_64/'
|
||||||
|
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
|
||||||
|
postgresql_rhel8_16:
|
||||||
|
repository: '16'
|
||||||
|
description: 'PostgreSQL 16 RHEL 8'
|
||||||
|
osname: 'postgresql'
|
||||||
|
release: 'rhel8'
|
||||||
|
baseurl: 'https://download.postgresql.org/pub/repos/yum/16/redhat/rhel-8-x86_64/'
|
||||||
|
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
|
||||||
|
postgresql_rhel9_16:
|
||||||
|
repository: '16'
|
||||||
|
description: 'PostgreSQL 16 RHEL 9'
|
||||||
|
osname: 'postgresql'
|
||||||
|
release: 'rhel9'
|
||||||
|
baseurl: 'https://download.postgresql.org/pub/repos/yum/16/redhat/rhel-9-x86_64/'
|
||||||
|
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
|
||||||
|
postgresql_rhel8_17:
|
||||||
|
repository: '17'
|
||||||
|
description: 'PostgreSQL 17 RHEL 8'
|
||||||
|
osname: 'postgresql'
|
||||||
|
release: 'rhel8'
|
||||||
|
baseurl: 'https://download.postgresql.org/pub/repos/yum/17/redhat/rhel-8-x86_64/'
|
||||||
|
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
|
||||||
|
postgresql_rhel9_17:
|
||||||
|
repository: '17'
|
||||||
|
description: 'PostgreSQL 17 RHEL 9'
|
||||||
|
osname: 'postgresql'
|
||||||
|
release: 'rhel9'
|
||||||
|
baseurl: 'https://download.postgresql.org/pub/repos/yum/17/redhat/rhel-9-x86_64/'
|
||||||
|
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
|
||||||
|
rke2_common_el9:
|
||||||
|
repository: 'common'
|
||||||
|
description: 'RKE2 common RHEL 9'
|
||||||
|
osname: 'rke2'
|
||||||
|
release: "rhel9"
|
||||||
|
baseurl: "https://rpm.rancher.io/rke2/latest/common/centos/9/noarch"
|
||||||
|
gpgkey: "https://rpm.rancher.io/public.key"
|
||||||
|
rke2_1_33_el9:
|
||||||
|
repository: '1.33'
|
||||||
|
description: 'RKE2 1.33 RHEL 9'
|
||||||
|
osname: 'rke2'
|
||||||
|
release: "rhel9"
|
||||||
|
baseurl: "https://rpm.rancher.io/rke2/latest/1.33/centos/9/x86_64"
|
||||||
|
gpgkey: "https://rpm.rancher.io/public.key"
|
||||||
zfs_dkms_rhel8:
|
zfs_dkms_rhel8:
|
||||||
repository: 'dkms'
|
repository: 'dkms'
|
||||||
description: 'ZFS DKMS RHEL 8'
|
description: 'ZFS DKMS RHEL 8'
|
||||||
|
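Review bot: The two RKE2 entries sync from the `rke2/latest/...` channel paths (`https://rpm.rancher.io/rke2/latest/common/centos/9/noarch` and `.../rke2/latest/1.33/centos/9/x86_64`), so the internal mirror tracks whatever Rancher pushes to its latest channel rather than a stable one; if the mirror is meant to be the controlled source for cluster upgrades, the `stable` channel path — please confirm it exists for this layout — or an explicit pin is the safer default. These entries also use double quotes for `release`, `baseurl` and `gpgkey` where every other entry in the file uses single quotes; matching the surrounding style keeps the pre-commit hook quiet. The PostgreSQL entries look consistent and use HTTPS for both URL and key.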
|||||||
@@ -29,7 +29,6 @@ profiles::consul::server::acl:
|
|||||||
profiles::pki::vault::alt_names:
|
profiles::pki::vault::alt_names:
|
||||||
- consul.main.unkin.net
|
- consul.main.unkin.net
|
||||||
- consul.service.consul
|
- consul.service.consul
|
||||||
- "consul.service.%{facts.country}-%{facts.region}.consul"
|
|
||||||
- consul
|
- consul
|
||||||
|
|
||||||
# manage a simple nginx reverse proxy
|
# manage a simple nginx reverse proxy
|
||||||
@@ -39,7 +38,6 @@ profiles::nginx::simpleproxy::nginx_aliases:
|
|||||||
- consul.main.unkin.net
|
- consul.main.unkin.net
|
||||||
profiles::nginx::simpleproxy::proxy_port: 8500
|
profiles::nginx::simpleproxy::proxy_port: 8500
|
||||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
profiles::nginx::simpleproxy::proxy_path: '/'
|
||||||
nginx::client_max_body_size: 512M
|
|
||||||
|
|
||||||
# consul
|
# consul
|
||||||
profiles::consul::client::node_rules:
|
profiles::consul::client::node_rules:
|
||||||
|
|||||||
@@ -2,12 +2,10 @@
|
|||||||
profiles::vault::server::members_role: roles::infra::storage::vault
|
profiles::vault::server::members_role: roles::infra::storage::vault
|
||||||
profiles::vault::server::members_lookup: true
|
profiles::vault::server::members_lookup: true
|
||||||
profiles::vault::server::data_dir: /data/vault
|
profiles::vault::server::data_dir: /data/vault
|
||||||
profiles::vault::server::plugin_dir: /opt/openbao-plugins
|
|
||||||
profiles::vault::server::manage_storage_dir: true
|
profiles::vault::server::manage_storage_dir: true
|
||||||
profiles::vault::server::tls_disable: false
|
profiles::vault::server::tls_disable: false
|
||||||
profiles::vault::server::package_name: openbao
|
vault::package_name: openbao
|
||||||
profiles::vault::server::package_ensure: 2.4.4
|
vault::package_ensure: latest
|
||||||
profiles::vault::server::disable_openbao: false
|
|
||||||
|
|
||||||
# additional altnames
|
# additional altnames
|
||||||
profiles::pki::vault::alt_names:
|
profiles::pki::vault::alt_names:
|
||||||
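Review bot: `vault::package_ensure: latest` replaces a pinned `2.4.4`, so every Puppet run may upgrade OpenBao on the secrets server without review, and a package upgrade restarts the service and leaves it sealed until someone unseals it. The new side also moves from `profiles::vault::server::package_name`/`package_ensure` to `vault::package_name`/`vault::package_ensure`, which should be checked against the class that actually consumes them so the old keys are not silently ignored. Pin an explicit version, e.g. `vault::package_ensure: '2.4.4'` (or the intended newer release), and bump it deliberately; dropping `plugin_dir` and `disable_openbao` at the same time is fine if the class defaults cover them, but the commit message should say so.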
@@ -25,6 +23,3 @@ profiles::nginx::simpleproxy::proxy_scheme: 'http'
|
|||||||
profiles::nginx::simpleproxy::proxy_host: '127.0.0.1'
|
profiles::nginx::simpleproxy::proxy_host: '127.0.0.1'
|
||||||
profiles::nginx::simpleproxy::proxy_port: 8200
|
profiles::nginx::simpleproxy::proxy_port: 8200
|
||||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
profiles::nginx::simpleproxy::proxy_path: '/'
|
||||||
|
|
||||||
profiles::packages::include:
|
|
||||||
openbao-plugins: {}
|
|
||||||
|
|||||||
@@ -28,8 +28,8 @@ class externaldns::master inherits externaldns {
|
|||||||
dynamic => true,
|
dynamic => true,
|
||||||
allow_updates => ['key externaldns-key'],
|
allow_updates => ['key externaldns-key'],
|
||||||
allow_transfers => empty($slave_ips) ? {
|
allow_transfers => empty($slave_ips) ? {
|
||||||
true => ['key externaldns-key'],
|
true => [],
|
||||||
false => ['key externaldns-key','dns-slaves'],
|
false => ['dns-slaves'],
|
||||||
},
|
},
|
||||||
ns_notify => !empty($slave_ips),
|
ns_notify => !empty($slave_ips),
|
||||||
also_notify => $slave_ips,
|
also_notify => $slave_ips,
|
||||||
|
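Review bot: `true => []` for `allow_transfers` only disables zone transfers if the module's template renders an empty array as `allow-transfer { none; };`; if the template omits the directive when the list is empty, BIND falls back to its default, which on older releases has historically been to allow transfers from any host — the opposite of what this change intends. Check the rendered `named.conf` for a zone with no slaves, or pass `['none']` explicitly if the module accepts it. Removing `key externaldns-key` from the list also means update clients can no longer AXFR the zone, which reads as intended; the surrounding resource starts above this hunk.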
|||||||
@@ -22,12 +22,7 @@ class incus::cluster (
|
|||||||
}
|
}
|
||||||
|
|
||||||
# if it is, find hosts, sort them so they dont cause changes every run
|
# if it is, find hosts, sort them so they dont cause changes every run
|
||||||
$servers_array = sort(puppetdb_query(
|
$servers_array = sort(query_nodes("enc_role='${members_role}' and region='${facts['region']}'", 'networking.fqdn'))
|
||||||
"facts[certname] {
|
|
||||||
name = 'enc_role' and value = '${members_role}' and
|
|
||||||
certname in facts[certname] { name = 'region' and value = '${facts['region']}' }
|
|
||||||
}"
|
|
||||||
).map |$fact| { $fact['certname'] })
|
|
||||||
|
|
||||||
# else use provided array from params
|
# else use provided array from params
|
||||||
}else{
|
}else{
|
||||||
|
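Review bot: The replacement `query_nodes("enc_role='${members_role}' and region='${facts['region']}'", 'networking.fqdn')` still builds the PuppetDB query by string interpolation, so a `members_role` or `region` value containing a single quote breaks the query (the removed PQL had the same property), and it silently switches the result from certname to `networking.fqdn`, which are not guaranteed to match on hosts whose certname is not their FQDN — worth confirming that is what the cluster join logic expects. `query_nodes` appears to come from an external module, so that dependency should be declared in the module's metadata, and a one-line comment such as `# query_nodes from the puppetdbquery module; returns fqdn, not certname` above the call would save the next reader a lookup. The enclosing `if` begins above this hunk and the `else` branch continues below it.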
|||||||
@@ -1,56 +0,0 @@
|
|||||||
# frozen_string_literal: true
|
|
||||||
|
|
||||||
require 'facter'
|
|
||||||
|
|
||||||
# Detects active ceph service instances via systemctl and exposes facts
|
|
||||||
# for use in ceph service management profiles.
|
|
||||||
# rubocop:disable Style/ClassAndModuleChildren
|
|
||||||
module Unkin
|
|
||||||
module Ceph
|
|
||||||
# Detects active ceph service instances via systemctl and exposes Facter facts.
|
|
||||||
module Utils
|
|
||||||
TYPES = %w[mon mgr mds osd].freeze
|
|
||||||
|
|
||||||
def self.services
|
|
||||||
output = Facter::Core::Execution.execute(
|
|
||||||
'systemctl list-units "ceph*" --no-legend --plain --all 2>/dev/null',
|
|
||||||
on_fail: ''
|
|
||||||
)
|
|
||||||
parse_units(output)
|
|
||||||
end
|
|
||||||
|
|
||||||
def self.parse_units(output)
|
|
||||||
result = TYPES.each_with_object({}) { |type, hash| hash[type] = [] }
|
|
||||||
output.each_line do |line|
|
|
||||||
unit = line.split.first
|
|
||||||
next unless unit
|
|
||||||
|
|
||||||
match_unit(result, unit)
|
|
||||||
end
|
|
||||||
result
|
|
||||||
end
|
|
||||||
|
|
||||||
def self.match_unit(result, unit)
|
|
||||||
TYPES.each do |type|
|
|
||||||
match = unit.match(/\Aceph-#{type}@(.+)\.service\z/)
|
|
||||||
result[type] << "ceph-#{type}@#{match[1]}" if match
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
TYPES.each do |type|
|
|
||||||
define_singleton_method(:"#{type}?") { !services[type].empty? }
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
# rubocop:enable Style/ClassAndModuleChildren
|
|
||||||
|
|
||||||
Facter.add('ceph_services') do
|
|
||||||
setcode { Unkin::Ceph::Utils.services }
|
|
||||||
end
|
|
||||||
|
|
||||||
Unkin::Ceph::Utils::TYPES.each do |type|
|
|
||||||
Facter.add("is_ceph_#{type}") do
|
|
||||||
setcode { Unkin::Ceph::Utils.public_send(:"#{type}?") }
|
|
||||||
end
|
|
||||||
end
|
|
||||||
@@ -1,88 +0,0 @@
|
|||||||
# frozen_string_literal: true
|
|
||||||
|
|
||||||
# lib/facter/dns_records.rb
|
|
||||||
#
|
|
||||||
# Reports this host's expected DNS records (assembled by profiles::dns::updater
|
|
||||||
# into its records file) versus what is currently deployed on the authoritative
|
|
||||||
# server, so puppet can detect drift and re-apply.
|
|
||||||
#
|
|
||||||
# Structured value:
|
|
||||||
# { server, count, expected => [{zone,fqdn,type,ttl,value}], in_sync,
|
|
||||||
# drift => [{...,deployed => [...]}] }
|
|
||||||
|
|
||||||
# Helpers for the dns_records fact.
|
|
||||||
module DnsRecordsFact
|
|
||||||
RECORDS_FILE = '/var/lib/dns-updater/records'
|
|
||||||
SERVER_FILE = '/var/lib/dns-updater/server'
|
|
||||||
|
|
||||||
module_function
|
|
||||||
|
|
||||||
# normalise a value for comparison: strip, drop trailing dot, downcase
|
|
||||||
def norm(value)
|
|
||||||
value.to_s.strip.chomp('.').downcase
|
|
||||||
end
|
|
||||||
|
|
||||||
def server
|
|
||||||
File.exist?(SERVER_FILE) ? File.read(SERVER_FILE).strip : nil
|
|
||||||
end
|
|
||||||
|
|
||||||
# a name relative to a zone (or @) as a fully-qualified name
|
|
||||||
def to_fqdn(name, zone)
|
|
||||||
return "#{zone}." if name.to_s.empty? || name == '@'
|
|
||||||
|
|
||||||
"#{name}.#{zone}."
|
|
||||||
end
|
|
||||||
|
|
||||||
# parse one "zone|name|type|ttl|value" line into a record hash (nil to skip)
|
|
||||||
def parse_line(line)
|
|
||||||
line = line.strip
|
|
||||||
return nil if line.empty? || line.start_with?('#')
|
|
||||||
|
|
||||||
zone, name, type, ttl, value = line.split('|', 5)
|
|
||||||
return nil unless zone && type && value
|
|
||||||
|
|
||||||
{ 'zone' => zone, 'fqdn' => to_fqdn(name, zone), 'type' => type, 'ttl' => ttl, 'value' => value }
|
|
||||||
end
|
|
||||||
|
|
||||||
# parse the records file into record hashes
|
|
||||||
def expected
|
|
||||||
return [] unless File.exist?(RECORDS_FILE)
|
|
||||||
|
|
||||||
File.readlines(RECORDS_FILE).filter_map { |line| parse_line(line) }
|
|
||||||
end
|
|
||||||
|
|
||||||
# the values currently deployed for a record, per the authoritative server
|
|
||||||
def deployed(record, srv)
|
|
||||||
cmd = ['dig', '+short', '+time=2', '+tries=1']
|
|
||||||
cmd << "@#{srv}" if srv && !srv.empty?
|
|
||||||
cmd += [record['fqdn'], record['type']]
|
|
||||||
out = Facter::Core::Execution.execute(cmd.join(' '), on_fail: '')
|
|
||||||
out.to_s.split("\n").map { |line| norm(line) }.reject(&:empty?)
|
|
||||||
end
|
|
||||||
|
|
||||||
def report
|
|
||||||
srv = server
|
|
||||||
exp = expected
|
|
||||||
drift = exp.filter_map do |record|
|
|
||||||
dep = deployed(record, srv)
|
|
||||||
record.merge('deployed' => dep) unless dep.include?(norm(record['value']))
|
|
||||||
end
|
|
||||||
{ 'server' => srv, 'count' => exp.length, 'expected' => exp, 'in_sync' => drift.empty?, 'drift' => drift }
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
Facter.add(:dns_records) do
|
|
||||||
confine kernel: 'Linux'
|
|
||||||
setcode do
|
|
||||||
File.exist?(DnsRecordsFact::RECORDS_FILE) ? DnsRecordsFact.report : nil
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
# Convenience boolean for `if $facts['dns_records_insync']` guards.
|
|
||||||
Facter.add(:dns_records_insync) do
|
|
||||||
confine kernel: 'Linux'
|
|
||||||
setcode do
|
|
||||||
v = Facter.value(:dns_records)
|
|
||||||
v.nil? ? nil : v['in_sync']
|
|
||||||
end
|
|
||||||
end
|
|
||||||
@@ -20,12 +20,7 @@ class redisha::redis (
|
|||||||
}
|
}
|
||||||
|
|
||||||
# if it is, find hosts, sort them so they dont cause changes every run
|
# if it is, find hosts, sort them so they dont cause changes every run
|
||||||
$servers_array = sort(puppetdb_query(
|
$servers_array = sort(query_nodes("enc_role='${redisha_members_role}' and region='${facts['region']}'", 'networking.fqdn'))
|
||||||
"facts[certname] {
|
|
||||||
name = 'enc_role' and value = '${redisha_members_role}' and
|
|
||||||
certname in facts[certname] { name = 'region' and value = '${facts['region']}' }
|
|
||||||
}"
|
|
||||||
).map |$fact| { $fact['certname'] })
|
|
||||||
|
|
||||||
# else use provided array from params
|
# else use provided array from params
|
||||||
}else{
|
}else{
|
||||||
|
|||||||
@@ -23,12 +23,7 @@ class redisha::sentinel (
|
|||||||
}
|
}
|
||||||
|
|
||||||
# if it is, find hosts, sort them so they dont cause changes every run
|
# if it is, find hosts, sort them so they dont cause changes every run
|
||||||
$servers_array = sort(puppetdb_query(
|
$servers_array = sort(query_nodes("enc_role='${redisha_members_role}' and region='${facts['region']}'", 'networking.fqdn'))
|
||||||
"facts[certname] {
|
|
||||||
name = 'enc_role' and value = '${redisha_members_role}' and
|
|
||||||
certname in facts[certname] { name = 'region' and value = '${facts['region']}' }
|
|
||||||
}"
|
|
||||||
).map |$fact| { $fact['certname'] })
|
|
||||||
|
|
||||||
# else use provided array from params
|
# else use provided array from params
|
||||||
}else{
|
}else{
|
||||||
|
|||||||
@@ -0,0 +1,23 @@
|
|||||||
|
---
|
||||||
|
apiVersion: networking.k8s.io/v1
|
||||||
|
kind: Ingress
|
||||||
|
metadata:
|
||||||
|
name: rancher
|
||||||
|
namespace: cattle-system
|
||||||
|
annotations:
|
||||||
|
kubernetes.io/ingress.class: nginx
|
||||||
|
spec:
|
||||||
|
tls:
|
||||||
|
- hosts: [rancher.main.unkin.net]
|
||||||
|
secretName: tls-rancher
|
||||||
|
rules:
|
||||||
|
- host: rancher.main.unkin.net
|
||||||
|
http:
|
||||||
|
paths:
|
||||||
|
- path: /
|
||||||
|
pathType: Prefix
|
||||||
|
backend:
|
||||||
|
service:
|
||||||
|
name: rancher
|
||||||
|
port:
|
||||||
|
number: 80
|
||||||
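Review bot: `kubernetes.io/ingress.class: nginx` is the deprecated selection mechanism for `networking.k8s.io/v1` Ingress objects, and recent ingress-nginx releases may ignore it unless compatibility handling is enabled; add `ingressClassName: nginx` under `spec:` (the annotation can stay alongside during transition). The `tls-rancher` secret is referenced but nothing in this change creates it, so until it exists the controller falls back to its default certificate; a comment naming what provisions the secret (cert-manager, a manual import) would help whoever debugs a certificate warning on rancher.main.unkin.net.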
@@ -0,0 +1,45 @@
|
|||||||
|
apiVersion: purelb.io/v1
|
||||||
|
kind: LBNodeAgent
|
||||||
|
metadata:
|
||||||
|
name: common
|
||||||
|
namespace: purelb
|
||||||
|
spec:
|
||||||
|
local:
|
||||||
|
extlbint: kube-lb0
|
||||||
|
localint: default
|
||||||
|
sendgarp: false
|
||||||
|
---
|
||||||
|
apiVersion: purelb.io/v1
|
||||||
|
kind: LBNodeAgent
|
||||||
|
metadata:
|
||||||
|
name: dmz
|
||||||
|
namespace: purelb
|
||||||
|
spec:
|
||||||
|
local:
|
||||||
|
extlbint: kube-lb0
|
||||||
|
localint: default
|
||||||
|
sendgarp: false
|
||||||
|
---
|
||||||
|
apiVersion: purelb.io/v1
|
||||||
|
kind: ServiceGroup
|
||||||
|
metadata:
|
||||||
|
name: dmz
|
||||||
|
namespace: purelb
|
||||||
|
spec:
|
||||||
|
local:
|
||||||
|
v4pools:
|
||||||
|
- subnet: 198.18.199.0/24
|
||||||
|
pool: 198.18.199.0/24
|
||||||
|
aggregation: /32
|
||||||
|
---
|
||||||
|
apiVersion: purelb.io/v1
|
||||||
|
kind: ServiceGroup
|
||||||
|
metadata:
|
||||||
|
name: common
|
||||||
|
namespace: purelb
|
||||||
|
spec:
|
||||||
|
local:
|
||||||
|
v4pools:
|
||||||
|
- subnet: 198.18.200.0/24
|
||||||
|
pool: 198.18.200.0/24
|
||||||
|
aggregation: /32
|
||||||
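Review bot: The `common` and `dmz` LBNodeAgent objects carry identical specs (`extlbint: kube-lb0`, `localint: default`, `sendgarp: false`) and differ only in name, while the two ServiceGroups are what actually distinguish the pools; if the node-agent configuration is per-cluster rather than per-group, one of the two is redundant and a comment should say why both exist. Both ServiceGroups also set `pool` to the whole `subnet`, so the allocator may hand out the network and broadcast addresses of each /24; if that is not intended, narrow `pool` to a range (for example `198.18.199.10-198.18.199.250`) and keep `subnet` as is.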
@@ -7,8 +7,6 @@ class rke2::config (
|
|||||||
Stdlib::Fqdn $bootstrap_node = $rke2::bootstrap_node,
|
Stdlib::Fqdn $bootstrap_node = $rke2::bootstrap_node,
|
||||||
String $node_token = $rke2::node_token,
|
String $node_token = $rke2::node_token,
|
||||||
Array[String[1]] $extra_config_files = $rke2::extra_config_files,
|
Array[String[1]] $extra_config_files = $rke2::extra_config_files,
|
||||||
Boolean $manage_registries = $rke2::manage_registries,
|
|
||||||
Hash $registries = $rke2::registries,
|
|
||||||
){
|
){
|
||||||
|
|
||||||
# if its not the bootstrap node, add join path to config
|
# if its not the bootstrap node, add join path to config
|
||||||
@@ -30,24 +28,6 @@ class rke2::config (
|
|||||||
$config = $config_hash
|
$config = $config_hash
|
||||||
}
|
}
|
||||||
|
|
||||||
if $manage_registries {
|
|
||||||
file { '/etc/rancher/rke2/registries.yaml':
|
|
||||||
ensure => file,
|
|
||||||
owner => 'root',
|
|
||||||
group => 'root',
|
|
||||||
mode => '0644',
|
|
||||||
content => epp('rke2/registries.yaml.epp', { registries => $registries }),
|
|
||||||
require => Package["rke2-${node_type}"],
|
|
||||||
notify => Service["rke2-${node_type}"],
|
|
||||||
}
|
|
||||||
}else{
|
|
||||||
file { '/etc/rancher/rke2/registries.yaml':
|
|
||||||
ensure => absent,
|
|
||||||
require => Package["rke2-${node_type}"],
|
|
||||||
notify => Service["rke2-${node_type}"],
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
# create the config file
|
# create the config file
|
||||||
file { $config_file:
|
file { $config_file:
|
||||||
ensure => file,
|
ensure => file,
|
||||||
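Review bot: Dropping the `if $manage_registries` block leaves `/etc/rancher/rke2/registries.yaml` unmanaged: a node that previously had it rendered (mirrors, rewrites, `disable-default-registry-endpoint`) keeps that file and rke2 keeps honouring it, while freshly built nodes never get one, so the fleet silently diverges on where images are pulled from. Keep a one-shot cleanup until every node has converged, e.g. `file { '/etc/rancher/rke2/registries.yaml': ensure => absent, notify => Service["rke2-${node_type}"] }`, or document the manual removal. The parameter removals in the preceding hunk and in rke2 and rke2::params are consistent with this. The class body continues outside the hunk.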
@@ -88,6 +68,30 @@ class rke2::config (
|
|||||||
# on the controller nodes only
|
# on the controller nodes only
|
||||||
if $node_type == 'server' and $facts['k8s_masters'] and $facts['k8s_masters'] > 2 {
|
if $node_type == 'server' and $facts['k8s_masters'] and $facts['k8s_masters'] > 2 {
|
||||||
|
|
||||||
|
# wait for purelb helm to setup namespace
|
||||||
|
if 'purelb' in $facts['k8s_namespaces'] {
|
||||||
|
file {'/var/lib/rancher/rke2/server/manifests/purelb-config.yaml':
|
||||||
|
ensure => file,
|
||||||
|
owner => 'root',
|
||||||
|
group => 'root',
|
||||||
|
mode => '0644',
|
||||||
|
source => 'puppet:///modules/rke2/purelb-config.yaml',
|
||||||
|
require => Service['rke2-server'],
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# wait for rancher helm to setup namespace
|
||||||
|
if 'cattle-system' in $facts['k8s_namespaces'] {
|
||||||
|
file {'/var/lib/rancher/rke2/server/manifests/ingress-route-rancher.yaml':
|
||||||
|
ensure => file,
|
||||||
|
owner => 'root',
|
||||||
|
group => 'root',
|
||||||
|
mode => '0644',
|
||||||
|
source => 'puppet:///modules/rke2/ingress-route-rancher.yaml',
|
||||||
|
require => Service['rke2-server'],
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
# manage extra config config (these are not dependent on helm)
|
# manage extra config config (these are not dependent on helm)
|
||||||
$extra_config_files.each |$file| {
|
$extra_config_files.each |$file| {
|
||||||
|
|
||||||
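Review bot: `'purelb' in $facts['k8s_namespaces']` (and the `cattle-system` test below it) is evaluated without first checking that the fact is present, unlike the `$facts['k8s_masters'] and ...` guard two lines above; on a server where the fact has not been produced yet the right operand is undef and the `in` expression may raise an evaluation error rather than simply being false. Guard it the same way: `if $facts['k8s_namespaces'] and 'purelb' in $facts['k8s_namespaces'] {`. The `# wait for purelb helm to setup namespace` comment would also benefit from noting that rke2-server auto-applies this manifests directory, which is why the file only needs `require => Service['rke2-server']`. The enclosing `if $node_type == 'server' ...` block ends outside the hunk.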
|
|||||||
@@ -38,6 +38,44 @@ class rke2::helm (
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# install specific helm charts to bootstrap environment
|
||||||
|
$plb_cmd = 'helm install purelb purelb/purelb \
|
||||||
|
--create-namespace \
|
||||||
|
--namespace=purelb \
|
||||||
|
--repository-config /etc/helm/repositories.yaml'
|
||||||
|
exec { 'install_purelb':
|
||||||
|
command => $plb_cmd,
|
||||||
|
path => ['/usr/bin', '/bin'],
|
||||||
|
environment => ['KUBECONFIG=/etc/rancher/rke2/rke2.yaml'],
|
||||||
|
unless => 'helm list -n purelb | grep -q ^purelb',
|
||||||
|
}
|
||||||
|
|
||||||
|
$cm_cmd = 'helm install cert-manager jetstack/cert-manager \
|
||||||
|
--namespace cert-manager \
|
||||||
|
--create-namespace \
|
||||||
|
--set crds.enabled=true \
|
||||||
|
--repository-config /etc/helm/repositories.yaml'
|
||||||
|
exec { 'install_cert_manager':
|
||||||
|
command => $cm_cmd,
|
||||||
|
path => ['/usr/bin', '/bin'],
|
||||||
|
environment => ['KUBECONFIG=/etc/rancher/rke2/rke2.yaml'],
|
||||||
|
unless => 'helm list -n cert-manager | grep -q ^cert-manager',
|
||||||
|
}
|
||||||
|
|
||||||
|
$r_cmd = 'helm install rancher rancher-stable/rancher \
|
||||||
|
--namespace cattle-system \
|
||||||
|
--create-namespace \
|
||||||
|
--set hostname=rancher.main.unkin.net \
|
||||||
|
--set bootstrapPassword=admin \
|
||||||
|
--set ingress.tls.source=secret \
|
||||||
|
--repository-config /etc/helm/repositories.yaml'
|
||||||
|
exec { 'install_rancher':
|
||||||
|
command => $r_cmd,
|
||||||
|
path => ['/usr/bin', '/bin'],
|
||||||
|
environment => ['KUBECONFIG=/etc/rancher/rke2/rke2.yaml'],
|
||||||
|
unless => 'helm list -n cattle-system | grep -q ^rancher',
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
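Review bot: `--set bootstrapPassword=admin` hard-codes the initial Rancher admin credential into the catalog, the Puppet report and the process listing of the exec; Rancher generates a random bootstrap password when the value is omitted (retrievable from the `bootstrap-secret` in cattle-system), so drop the flag or source it from a `Sensitive` class parameter. The three execs are ordered only by manifest position: rancher needs cert-manager's CRDs, so add `require => Exec['install_cert_manager']` to `install_rancher` (and `require => Exec['install_purelb']` if its ingress relies on a PureLB address). The `environment` array also applies to the `unless` commands, which is what makes the `helm list` idempotency checks work; a comment saying so would stop someone removing it. The enclosing conditional starts and ends outside the hunk.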
|
|||||||
@@ -12,8 +12,6 @@ class rke2 (
|
|||||||
Hash $helm_repos = $rke2::params::helm_repos,
|
Hash $helm_repos = $rke2::params::helm_repos,
|
||||||
Array[String[1]] $extra_config_files = $rke2::params::extra_config_files,
|
Array[String[1]] $extra_config_files = $rke2::params::extra_config_files,
|
||||||
Stdlib::HTTPUrl $container_archive_source = $rke2::params::container_archive_source,
|
Stdlib::HTTPUrl $container_archive_source = $rke2::params::container_archive_source,
|
||||||
Boolean $manage_registries = $rke2::params::manage_registries,
|
|
||||||
Hash $registries = $rke2::params::registries,
|
|
||||||
) inherits rke2::params {
|
) inherits rke2::params {
|
||||||
|
|
||||||
include rke2::install
|
include rke2::install
|
||||||
|
|||||||
@@ -30,7 +30,7 @@ class rke2::install (
|
|||||||
# download required archive of containers
|
# download required archive of containers
|
||||||
archive { '/var/lib/rancher/rke2/agent/images/rke2-images.linux-amd64.tar.zst':
|
archive { '/var/lib/rancher/rke2/agent/images/rke2-images.linux-amd64.tar.zst':
|
||||||
ensure => present,
|
ensure => present,
|
||||||
source => "https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/github/rancher/rke2/releases/download/v${rke2_version}%2B${rke2_release}/rke2-images.linux-amd64.tar.zst",
|
source => "https://github.com/rancher/rke2/releases/download/v${rke2_version}%2B${rke2_release}/rke2-images.linux-amd64.tar.zst",
|
||||||
require => [
|
require => [
|
||||||
Package["rke2-${node_type}"],
|
Package["rke2-${node_type}"],
|
||||||
File['/var/lib/rancher/rke2/agent/images'],
|
File['/var/lib/rancher/rke2/agent/images'],
|
||||||
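Review bot: The new `source` hard-codes `https://github.com/rancher/rke2/releases/download` even though rke2::params declares `$container_archive_source` with exactly that default and the `rke2` class forwards it; use the parameter, `source => "${container_archive_source}/v${rke2_version}%2B${rke2_release}/rke2-images.linux-amd64.tar.zst",` so the internal mirror can be restored per environment through hiera instead of by editing this class. The download is also unverified: `archive` accepts `checksum_url` and `checksum_type`, and rke2 releases publish a `sha256sum-amd64.txt`, which would let the resource reject a tampered or truncated image bundle. Whether rke2::install already has `$container_archive_source` in scope cannot be confirmed from this hunk.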
|
|||||||
@@ -12,6 +12,4 @@ class rke2::params (
|
|||||||
Hash $helm_repos = {},
|
Hash $helm_repos = {},
|
||||||
Array[String[1]] $extra_config_files = [],
|
Array[String[1]] $extra_config_files = [],
|
||||||
Stdlib::HTTPUrl $container_archive_source = 'https://github.com/rancher/rke2/releases/download',
|
Stdlib::HTTPUrl $container_archive_source = 'https://github.com/rancher/rke2/releases/download',
|
||||||
Boolean $manage_registries = false,
|
|
||||||
Hash $registries = {},
|
|
||||||
) {}
|
) {}
|
||||||
|
|||||||
@@ -1,20 +0,0 @@
|
|||||||
<%- | Hash $registries | -%>
|
|
||||||
---
|
|
||||||
# DO NOT MODIFY - MANAGED BY PUPPET
|
|
||||||
mirrors:
|
|
||||||
<%- $registries.each |$registry, $config| { -%>
|
|
||||||
<%= $registry %>:
|
|
||||||
endpoint:
|
|
||||||
<%- $config['endpoint'].each |$ep| { -%>
|
|
||||||
- "<%= $ep %>"
|
|
||||||
<%- } -%>
|
|
||||||
<%- if $config['rewrite'] { -%>
|
|
||||||
rewrite:
|
|
||||||
<%- $config['rewrite'].each |$pattern, $replacement| { -%>
|
|
||||||
"<%= $pattern %>": "<%= $replacement %>"
|
|
||||||
<%- } -%>
|
|
||||||
<%- } -%>
|
|
||||||
<%- if $config['disable-default-registry-endpoint'] { -%>
|
|
||||||
disable-default-registry-endpoint: true
|
|
||||||
<%- } -%>
|
|
||||||
<%- } -%>
|
|
||||||
@@ -167,13 +167,7 @@ class stalwart (
|
|||||||
|
|
||||||
# Query cluster members for validation
|
# Query cluster members for validation
|
||||||
$cluster_query = "enc_role='${cluster_role}' and country='${facts['country']}' and region='${facts['region']}'"
|
$cluster_query = "enc_role='${cluster_role}' and country='${facts['country']}' and region='${facts['region']}'"
|
||||||
$cluster_members_raw = puppetdb_query(
|
$cluster_members_raw = query_nodes($cluster_query, 'networking.fqdn')
|
||||||
"facts[certname] {
|
|
||||||
name = 'enc_role' and value = '${cluster_role}' and
|
|
||||||
certname in facts[certname] { name = 'country' and value = '${facts['country']}' } and
|
|
||||||
certname in facts[certname] { name = 'region' and value = '${facts['region']}' }
|
|
||||||
}"
|
|
||||||
).map |$fact| { $fact['certname'] }
|
|
||||||
$cluster_members = $cluster_members_raw ? {
|
$cluster_members = $cluster_members_raw ? {
|
||||||
undef => [],
|
undef => [],
|
||||||
default => $cluster_members_raw,
|
default => $cluster_members_raw,
|
||||||
@@ -186,20 +180,7 @@ class stalwart (
|
|||||||
|
|
||||||
# Query HAProxy nodes for proxy trusted networks
|
# Query HAProxy nodes for proxy trusted networks
|
||||||
$haproxy_query = "enc_role='${haproxy_role}' and country='${facts['country']}' and region='${facts['region']}'"
|
$haproxy_query = "enc_role='${haproxy_role}' and country='${facts['country']}' and region='${facts['region']}'"
|
||||||
$haproxy_members_raw = puppetdb_query(
|
$haproxy_members_raw = query_nodes($haproxy_query, 'networking.ip')
|
||||||
"facts[certname,value] {
|
|
||||||
name = 'networking' and
|
|
||||||
certname in facts[certname] {
|
|
||||||
name = 'enc_role' and value = '${haproxy_role}'
|
|
||||||
} and
|
|
||||||
certname in facts[certname] {
|
|
||||||
name = 'country' and value = '${facts['country']}'
|
|
||||||
} and
|
|
||||||
certname in facts[certname] {
|
|
||||||
name = 'region' and value = '${facts['region']}'
|
|
||||||
}
|
|
||||||
}"
|
|
||||||
).map |$fact| { $fact['value']['ip'] }
|
|
||||||
$haproxy_ips = $haproxy_members_raw ? {
|
$haproxy_ips = $haproxy_members_raw ? {
|
||||||
undef => [],
|
undef => [],
|
||||||
default => sort($haproxy_members_raw),
|
default => sort($haproxy_members_raw),
|
||||||
|
|||||||
@@ -1,13 +0,0 @@
|
|||||||
class profiles::ceph::mds (
|
|
||||||
Boolean $ensure_running = true,
|
|
||||||
) {
|
|
||||||
|
|
||||||
if $ensure_running and $facts['is_ceph_mds'] {
|
|
||||||
$facts['ceph_services']['mds'].each |String $svc| {
|
|
||||||
service { $svc:
|
|
||||||
ensure => running,
|
|
||||||
enable => true,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -1,13 +0,0 @@
|
|||||||
class profiles::ceph::mgr (
|
|
||||||
Boolean $ensure_running = true,
|
|
||||||
) {
|
|
||||||
|
|
||||||
if $ensure_running and $facts['is_ceph_mgr'] {
|
|
||||||
$facts['ceph_services']['mgr'].each |String $svc| {
|
|
||||||
service { $svc:
|
|
||||||
ensure => running,
|
|
||||||
enable => true,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -1,13 +0,0 @@
|
|||||||
class profiles::ceph::mon (
|
|
||||||
Boolean $ensure_running = true,
|
|
||||||
) {
|
|
||||||
|
|
||||||
if $ensure_running and $facts['is_ceph_mon'] {
|
|
||||||
$facts['ceph_services']['mon'].each |String $svc| {
|
|
||||||
service { $svc:
|
|
||||||
ensure => running,
|
|
||||||
enable => true,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -1,13 +0,0 @@
|
|||||||
class profiles::ceph::osd (
|
|
||||||
Boolean $ensure_running = true,
|
|
||||||
) {
|
|
||||||
|
|
||||||
if $ensure_running and $facts['is_ceph_osd'] {
|
|
||||||
$facts['ceph_services']['osd'].each |String $svc| {
|
|
||||||
service { $svc:
|
|
||||||
ensure => running,
|
|
||||||
enable => true,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -28,12 +28,7 @@ class profiles::consul::client (
|
|||||||
}
|
}
|
||||||
|
|
||||||
# if it is, find hosts, sort them so they dont cause changes every run
|
# if it is, find hosts, sort them so they dont cause changes every run
|
||||||
$servers_array = sort(puppetdb_query(
|
$servers_array = sort(query_nodes("enc_role='${members_role}' and region='${::facts['region']}'", 'networking.fqdn'))
|
||||||
"facts[certname] {
|
|
||||||
name = 'enc_role' and value = '${members_role}' and
|
|
||||||
certname in facts[certname] { name = 'region' and value = '${::facts['region']}' }
|
|
||||||
}"
|
|
||||||
).map |$fact| { $fact['certname'] })
|
|
||||||
|
|
||||||
# else use provided array from params
|
# else use provided array from params
|
||||||
}else{
|
}else{
|
||||||
|
|||||||
@@ -65,22 +65,12 @@ class profiles::consul::server (
|
|||||||
}
|
}
|
||||||
|
|
||||||
# if it is, find hosts, sort them so they dont cause changes every run
|
# if it is, find hosts, sort them so they dont cause changes every run
|
||||||
$servers_array = sort(puppetdb_query(
|
$servers_array = sort(query_nodes("enc_role='${members_role}' and region='${::facts['region']}'", 'networking.fqdn'))
|
||||||
"facts[certname] {
|
|
||||||
name = 'enc_role' and value = '${members_role}' and
|
|
||||||
certname in facts[certname] { name = 'region' and value = '${::facts['region']}' }
|
|
||||||
}"
|
|
||||||
).map |$fact| { $fact['certname'] })
|
|
||||||
|
|
||||||
if $join_remote_regions {
|
if $join_remote_regions {
|
||||||
# get all nodes in the members_role for each other region
|
# get all nodes in the members_role for each other region
|
||||||
$region_to_servers = $remote_regions.reduce({}) |$memo, $region| {
|
$region_to_servers = $remote_regions.reduce({}) |$memo, $region| {
|
||||||
$servers = sort(puppetdb_query(
|
$servers = sort(query_nodes("enc_role='${members_role}' and region='${region}'", 'networking.fqdn'))
|
||||||
"facts[certname] {
|
|
||||||
name = 'enc_role' and value = '${members_role}' and
|
|
||||||
certname in facts[certname] { name = 'region' and value = '${region}' }
|
|
||||||
}"
|
|
||||||
).map |$fact| { $fact['certname'] })
|
|
||||||
$memo + { $region => $servers }
|
$memo + { $region => $servers }
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -11,38 +11,16 @@ class profiles::dns::base (
|
|||||||
Optional[String] $ns_role = undef,
|
Optional[String] $ns_role = undef,
|
||||||
){
|
){
|
||||||
|
|
||||||
# install bind_utils (provides nsupdate)
|
# install bind_utils
|
||||||
include bind::updater
|
include bind::updater
|
||||||
|
|
||||||
# assemble the host's DNS records and nsupdate them to the authoritative server
|
|
||||||
include profiles::dns::updater
|
|
||||||
|
|
||||||
# if ns_role is set, find all hosts matching that enc_role
|
# if ns_role is set, find all hosts matching that enc_role
|
||||||
$nameserver_array = $ns_role ? {
|
$nameserver_array = $ns_role ? {
|
||||||
undef => $nameservers,
|
undef => $nameservers,
|
||||||
default => $use_ns ? {
|
default => $use_ns ? {
|
||||||
'all' => puppetdb_query(
|
'all' => query_nodes("enc_role='${ns_role}'", 'networking.ip'),
|
||||||
"facts[certname,value] {
|
'region' => query_nodes("enc_role='${ns_role}' and region=${facts['region']}", 'networking.ip'),
|
||||||
name = 'networking' and
|
'country' => query_nodes("enc_role='${ns_role}' and country=${facts['country']}", 'networking.ip'),
|
||||||
certname in nodes[certname] { facts.enc_role = '${ns_role}' }
|
|
||||||
}"
|
|
||||||
).map |$fact| { $fact['value']['ip'] },
|
|
||||||
'region' => puppetdb_query(
|
|
||||||
"facts[certname,value] {
|
|
||||||
name = 'networking' and
|
|
||||||
certname in nodes[certname] {
|
|
||||||
facts.enc_role = '${ns_role}' and facts.region = '${facts['region']}'
|
|
||||||
}
|
|
||||||
}"
|
|
||||||
).map |$fact| { $fact['value']['ip'] },
|
|
||||||
'country' => puppetdb_query(
|
|
||||||
"facts[certname,value] {
|
|
||||||
name = 'networking' and
|
|
||||||
certname in nodes[certname] {
|
|
||||||
facts.enc_role = '${ns_role}' and facts.country = '${facts['country']}'
|
|
||||||
}
|
|
||||||
}"
|
|
||||||
).map |$fact| { $fact['value']['ip'] },
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
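Review bot: The `region` and `country` arms interpolate the fact value unquoted (`region=${facts['region']}`), while the `all` arm on the line above quotes `'${ns_role}'` and every other query in this change quotes the value (`region='${facts['region']}'`); a region or country containing a hyphen, dot or leading digit may not parse in the puppetdbquery grammar. Change both to `region='${facts['region']}'` and `country='${facts['country']}'`. The same unquoted form appears in the profiles::dns::master hunk (its `region` and `country` arms). The selector is closed inside the hunk but the class body continues outside it.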
|
|||||||
@@ -20,21 +20,9 @@ class profiles::dns::master (
|
|||||||
$nameservers_array = $ns_role ? {
|
$nameservers_array = $ns_role ? {
|
||||||
undef => [$facts['networking']['fqdn']],
|
undef => [$facts['networking']['fqdn']],
|
||||||
default => $use_ns ? {
|
default => $use_ns ? {
|
||||||
'all' => sort(puppetdb_query(
|
'all' => sort(query_nodes("enc_role='${ns_role}'", 'networking.fqdn')),
|
||||||
"facts[certname] { name = 'enc_role' and value = '${ns_role}' }"
|
'region' => sort(query_nodes("enc_role='${ns_role}' and region=${facts['region']}", 'networking.fqdn')),
|
||||||
).map |$fact| { $fact['certname'] }),
|
'country' => sort(query_nodes("enc_role='${ns_role}' and country=${facts['country']}", 'networking.fqdn')),
|
||||||
'region' => sort(puppetdb_query(
|
|
||||||
"facts[certname] {
|
|
||||||
name = 'enc_role' and value = '${ns_role}' and
|
|
||||||
certname in facts[certname] { name = 'region' and value = '${facts['region']}' }
|
|
||||||
}"
|
|
||||||
).map |$fact| { $fact['certname'] }),
|
|
||||||
'country' => sort(puppetdb_query(
|
|
||||||
"facts[certname] {
|
|
||||||
name = 'enc_role' and value = '${ns_role}' and
|
|
||||||
certname in facts[certname] { name = 'country' and value = '${facts['country']}' }
|
|
||||||
}"
|
|
||||||
).map |$fact| { $fact['certname'] }),
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -44,9 +32,7 @@ class profiles::dns::master (
|
|||||||
$facts['networking']['fqdn'] => $facts['networking']['ip']
|
$facts['networking']['fqdn'] => $facts['networking']['ip']
|
||||||
},
|
},
|
||||||
default => $nameservers_array.reduce({}) |$acc, $fqdn| {
|
default => $nameservers_array.reduce({}) |$acc, $fqdn| {
|
||||||
$result = puppetdb_query(
|
$result = query_nodes("networking.fqdn='${fqdn}'", 'networking.ip')
|
||||||
"facts[certname,value] { name = 'networking' and certname = '${fqdn}' }"
|
|
||||||
).map |$fact| { $fact['value']['ip'] }
|
|
||||||
$ip = $result[0]
|
$ip = $result[0]
|
||||||
$acc + { "${fqdn}." => $ip }
|
$acc + { "${fqdn}." => $ip }
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -1,10 +1,4 @@
|
|||||||
# profiles::dns::record
|
# defines the base record that will be exported
|
||||||
#
|
|
||||||
# Declares a DNS record for this host. Publishes it via either or both methods,
|
|
||||||
# controlled by profiles::dns::updater's toggles (both on during cutover):
|
|
||||||
# - nsupdate: a local concat fragment consumed by profiles::dns::updater,
|
|
||||||
# which nsupdates it to the authoritative server.
|
|
||||||
# - export: the legacy @@concat::fragment exported to the puppet DNS master.
|
|
||||||
define profiles::dns::record (
|
define profiles::dns::record (
|
||||||
String $record,
|
String $record,
|
||||||
Enum[
|
Enum[
|
||||||
@@ -19,26 +13,11 @@ define profiles::dns::record (
|
|||||||
String $value,
|
String $value,
|
||||||
String $zone,
|
String $zone,
|
||||||
Integer $order,
|
Integer $order,
|
||||||
Integer $ttl = 300,
|
Stdlib::AbsolutePath $basedir = lookup('profiles::dns::master::basedir'),
|
||||||
) {
|
) {
|
||||||
include profiles::dns::updater
|
|
||||||
|
|
||||||
# new: local records file consumed by the nsupdate service
|
|
||||||
if $profiles::dns::updater::manage_nsupdate {
|
|
||||||
# zone|name|type|ttl|value (parsed by the dns-update script)
|
|
||||||
concat::fragment { "dns-record-${name}":
|
|
||||||
target => $profiles::dns::updater::records_file,
|
|
||||||
content => "${zone}|${record}|${type}|${ttl}|${value}\n",
|
|
||||||
order => sprintf('%03d', $order),
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
# legacy: export the fragment to the puppet DNS master
|
|
||||||
if $profiles::dns::updater::manage_export {
|
|
||||||
@@concat::fragment { "${zone}_${name}":
|
@@concat::fragment { "${zone}_${name}":
|
||||||
target => "${profiles::dns::updater::master_basedir}/${zone}.conf",
|
target => "${basedir}/${zone}.conf",
|
||||||
content => "${record} IN ${type} ${value}\n",
|
content => "${record} IN ${type} ${value}\n",
|
||||||
order => $order,
|
order => $order,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|||||||
@@ -1,127 +0,0 @@
|
|||||||
# profiles::dns::updater
|
|
||||||
#
|
|
||||||
# Publishes this host's DNS records. Two methods, independently toggled so both
|
|
||||||
# can run during the k8s cutover (profiles::dns::record honours the same flags):
|
|
||||||
#
|
|
||||||
# - nsupdate ($manage_nsupdate): assemble the records into a local file and
|
|
||||||
# nsupdate them to the k8s authoritative write endpoint via a systemd .path
|
|
||||||
# unit that watches the file. Inert until $key_secret (TSIG) is set.
|
|
||||||
# - export ($manage_export): the legacy exported-resources flow to the puppet
|
|
||||||
# DNS master. Kept during cutover; disable once k8s is authoritative.
|
|
||||||
#
|
|
||||||
# nsupdate comes from bind-utils (installed via bind::updater in
|
|
||||||
# profiles::dns::base).
|
|
||||||
class profiles::dns::updater (
|
|
||||||
Boolean $manage_nsupdate = true,
|
|
||||||
Boolean $manage_export = true,
|
|
||||||
String $server = '198.18.200.9',
|
|
||||||
String $key_name = 'client-update',
|
|
||||||
String $key_algorithm = 'hmac-sha256',
|
|
||||||
Optional[Sensitive[String]] $key_secret = undef,
|
|
||||||
Integer $default_ttl = 300,
|
|
||||||
Stdlib::AbsolutePath $records_file = '/var/lib/dns-updater/records',
|
|
||||||
Stdlib::AbsolutePath $state_dir = '/var/lib/dns-updater',
|
|
||||||
Stdlib::AbsolutePath $config_dir = '/etc/dns-updater',
|
|
||||||
Stdlib::AbsolutePath $master_basedir = lookup('profiles::dns::master::basedir'),
|
|
||||||
) {
|
|
||||||
|
|
||||||
$state_file = "${state_dir}/applied"
|
|
||||||
$server_file = "${state_dir}/server"
|
|
||||||
$key_file = "${config_dir}/key"
|
|
||||||
|
|
||||||
if $manage_nsupdate {
|
|
||||||
|
|
||||||
file { $state_dir:
|
|
||||||
ensure => directory,
|
|
||||||
owner => 'root',
|
|
||||||
group => 'root',
|
|
||||||
mode => '0755',
|
|
||||||
}
|
|
||||||
|
|
||||||
# Server address, read by the dns_records fact for drift detection.
|
|
||||||
file { $server_file:
|
|
||||||
ensure => file,
|
|
||||||
owner => 'root',
|
|
||||||
group => 'root',
|
|
||||||
mode => '0644',
|
|
||||||
content => "${server}\n",
|
|
||||||
require => File[$state_dir],
|
|
||||||
}
|
|
||||||
|
|
||||||
# Records file, assembled from profiles::dns::record fragments.
|
|
||||||
concat { $records_file:
|
|
||||||
ensure => present,
|
|
||||||
owner => 'root',
|
|
||||||
group => 'root',
|
|
||||||
mode => '0644',
|
|
||||||
ensure_newline => true,
|
|
||||||
warn => false,
|
|
||||||
require => File[$state_dir],
|
|
||||||
}
|
|
||||||
|
|
||||||
concat::fragment { 'dns-update-header':
|
|
||||||
target => $records_file,
|
|
||||||
content => "# Managed by puppet (profiles::dns::record): zone|name|type|ttl|value\n",
|
|
||||||
order => '00',
|
|
||||||
}
|
|
||||||
|
|
||||||
if $key_secret =~ Undef {
|
|
||||||
notify { 'dns-updater-inert':
|
|
||||||
message => 'profiles::dns::updater: key_secret unset; records assembled but not applied.',
|
|
||||||
loglevel => 'info',
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
file { $config_dir:
|
|
||||||
ensure => directory,
|
|
||||||
owner => 'root',
|
|
||||||
group => 'root',
|
|
||||||
mode => '0700',
|
|
||||||
}
|
|
||||||
|
|
||||||
file { $key_file:
|
|
||||||
ensure => file,
|
|
||||||
owner => 'root',
|
|
||||||
group => 'root',
|
|
||||||
mode => '0600',
|
|
||||||
show_diff => false,
|
|
||||||
content => Sensitive(epp('profiles/dns/tsig-key.epp', {
|
|
||||||
'name' => $key_name,
|
|
||||||
'algorithm' => $key_algorithm,
|
|
||||||
'secret' => $key_secret.unwrap,
|
|
||||||
})),
|
|
||||||
}
|
|
||||||
|
|
||||||
file { '/usr/local/bin/dns-update':
|
|
||||||
ensure => file,
|
|
||||||
owner => 'root',
|
|
||||||
group => 'root',
|
|
||||||
mode => '0755',
|
|
||||||
content => epp('profiles/dns/dns-update.sh.epp', {
|
|
||||||
'server' => $server,
|
|
||||||
'key_file' => $key_file,
|
|
||||||
'records_file' => $records_file,
|
|
||||||
'state_file' => $state_file,
|
|
||||||
}),
|
|
||||||
}
|
|
||||||
|
|
||||||
systemd::unit_file { 'dns-update.service':
|
|
||||||
content => epp('profiles/dns/dns-update.service.epp', { 'script' => '/usr/local/bin/dns-update' }),
|
|
||||||
}
|
|
||||||
|
|
||||||
# The .path unit watches the records file and triggers the service.
|
|
||||||
systemd::unit_file { 'dns-update.path':
|
|
||||||
content => epp('profiles/dns/dns-update.path.epp', { 'records_file' => $records_file }),
|
|
||||||
active => true,
|
|
||||||
enable => true,
|
|
||||||
}
|
|
||||||
|
|
||||||
# Also apply within the puppet run whenever the records change.
|
|
||||||
exec { 'dns-update-apply':
|
|
||||||
command => '/usr/local/bin/dns-update',
|
|
||||||
refreshonly => true,
|
|
||||||
subscribe => Concat[$records_file],
|
|
||||||
require => [File['/usr/local/bin/dns-update'], File[$key_file]],
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -18,12 +18,7 @@ class profiles::etcd::node (
|
|||||||
}
|
}
|
||||||
|
|
||||||
# if it is, find hosts, sort them so they dont cause changes every run
|
# if it is, find hosts, sort them so they dont cause changes every run
|
||||||
$servers_array = sort(puppetdb_query(
|
$servers_array = sort(query_nodes("enc_role='${members_role}' and region='${facts['region']}'", 'networking.fqdn'))
|
||||||
"facts[certname] {
|
|
||||||
name = 'enc_role' and value = '${members_role}' and
|
|
||||||
certname in facts[certname] { name = 'region' and value = '${facts['region']}' }
|
|
||||||
}"
|
|
||||||
).map |$fact| { $fact['certname'] })
|
|
||||||
|
|
||||||
# else use provided array from params
|
# else use provided array from params
|
||||||
}else{
|
}else{
|
||||||
@@ -36,7 +31,7 @@ class profiles::etcd::node (
|
|||||||
$initial_cluster = $servers_array.map |$fqdn| {
|
$initial_cluster = $servers_array.map |$fqdn| {
|
||||||
|
|
||||||
# lookup the ip address for the current fqdn
|
# lookup the ip address for the current fqdn
|
||||||
$ip = puppetdb_query("facts[certname,value] { name = 'networking' and certname = '${fqdn}' }").map |$fact| { $fact['value']['ip'] }[0]
|
$ip = query_nodes("networking.fqdn='${fqdn}'", 'networking.ip')[0]
|
||||||
|
|
||||||
# construct the string for this server
|
# construct the string for this server
|
||||||
"${fqdn}=https://${ip}:${peer_port}"
|
"${fqdn}=https://${ip}:${peer_port}"
|
||||||
|
|||||||
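Review bot: `$ip = query_nodes("networking.fqdn='${fqdn}'", 'networking.ip')[0]` in the second hunk still indexes an unchecked result, so a node whose `networking.ip` fact is absent (or a query that matches nothing) yields undef and the peer entry silently becomes `https://:${peer_port}`. The old code had the same `[0]`, but the rewrite is the moment to fail loudly instead: `if $ip =~ Undef { fail("profiles::etcd::node: no networking.ip for ${fqdn}") }` before the string is built. Both the `if` around the first hunk and the `$initial_cluster` map around the second start and end outside the hunks.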
@@ -30,14 +30,13 @@ class profiles::haproxy::dns (
|
|||||||
}
|
}
|
||||||
|
|
||||||
# if it is, find hosts, sort them so they dont cause changes every run
|
# if it is, find hosts, sort them so they dont cause changes every run
|
||||||
$servers_array = sort(puppetdb_query(
|
$servers_array = sort(query_nodes(
|
||||||
"facts[certname] {
|
"enc_role='${facts['enc_role']}' and
|
||||||
name = 'enc_role' and value = '${facts['enc_role']}' and
|
country='${facts['country']}' and
|
||||||
certname in facts[certname] { name = 'country' and value = '${facts['country']}' } and
|
region='${facts['region']}' and
|
||||||
certname in facts[certname] { name = 'region' and value = '${facts['region']}' } and
|
environment='${facts['environment']}'",
|
||||||
certname in facts[certname] { name = 'environment' and value = '${facts['environment']}' }
|
'networking.fqdn'
|
||||||
}"
|
))
|
||||||
).map |$fact| { $fact['certname'] })
|
|
||||||
|
|
||||||
# give enough time for a few hosts to be provisioned
|
# give enough time for a few hosts to be provisioned
|
||||||
if length($servers_array) >= 3 {
|
if length($servers_array) >= 3 {
|
||||||
|
|||||||
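Review bot: The new `query_nodes` argument is a double-quoted string broken across four lines with literal newlines inside it, while the `profiles::proxmox::clusterjoin` hunk further down builds the same kind of query with `\` line continuations and the `clusterinit` hunk puts it on one line; pick one style across the page. Whether puppetdbquery's lexer treats an embedded newline as whitespace is not visible here, so if it does not, this query would be the one that breaks. Every value interpolated here (`enc_role`, `country`, `region`, `environment`) is a node-supplied fact, so an unset fact produces `country=''` and an empty result rather than an error; the `>= 3` check below masks that, which is worth a comment. The enclosing `if` starts outside the hunk.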
@@ -1,7 +1,6 @@
|
|||||||
# profiles::metrics::grafana
|
# profiles::metrics::grafana
|
||||||
class profiles::metrics::grafana (
|
class profiles::metrics::grafana (
|
||||||
String $ldap_bind_pass,
|
String $ldap_bind_pass,
|
||||||
String $version = 'installed',
|
|
||||||
Stdlib::Port $http_port = 8080,
|
Stdlib::Port $http_port = 8080,
|
||||||
String $app_mode = 'production',
|
String $app_mode = 'production',
|
||||||
Boolean $allow_sign_up = false,
|
Boolean $allow_sign_up = false,
|
||||||
@@ -108,7 +107,6 @@ class profiles::metrics::grafana (
|
|||||||
|
|
||||||
# deploy grafana
|
# deploy grafana
|
||||||
class { 'grafana':
|
class { 'grafana':
|
||||||
version => $version,
|
|
||||||
cfg => $cfg,
|
cfg => $cfg,
|
||||||
ldap_cfg => $ldap_cfg,
|
ldap_cfg => $ldap_cfg,
|
||||||
plugins => $plugins,
|
plugins => $plugins,
|
||||||
|
|||||||
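Review bot: Removing `String $version = 'installed',` and the `version => $version,` pass-through means this profile no longer decides which grafana package version is installed; it now falls to whatever default the `grafana` class ships, which is not visible here. If a pin is still wanted it has to be set on `grafana::version` directly, and a one-line comment above the `class { 'grafana':` declaration saying so, e.g. `# version is left to the grafana module default; pin via grafana::version in hiera`, would stop the next reader from re-adding the parameter. Any existing data keyed on `profiles::metrics::grafana::version` is now silently ignored.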
@@ -98,15 +98,8 @@ class profiles::minio::server (
|
|||||||
}
|
}
|
||||||
|
|
||||||
# if it is, find hosts, sort them so they dont cause changes every run
|
# if it is, find hosts, sort them so they dont cause changes every run
|
||||||
#$servers_array = sort(puppetdb_query(
|
#$servers_array = sort(query_nodes("enc_role='${minio_members_role}'", 'networking.fqdn'))
|
||||||
# "facts[certname] { name = 'enc_role' and value = '${minio_members_role}' }"
|
$servers_array = sort(query_nodes("enc_role='${minio_members_role}' and minio_region='${minio_region}'", 'networking.fqdn'))
|
||||||
#).map |$fact| { $fact['certname'] })
|
|
||||||
$servers_array = sort(puppetdb_query(
|
|
||||||
"facts[certname] {
|
|
||||||
name = 'enc_role' and value = '${minio_members_role}' and
|
|
||||||
certname in facts[certname] { name = 'minio_region' and value = '${minio_region}' }
|
|
||||||
}"
|
|
||||||
).map |$fact| { $fact['certname'] })
|
|
||||||
|
|
||||||
# else use provided array from params
|
# else use provided array from params
|
||||||
}else{
|
}else{
|
||||||
|
|||||||
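Review bot: `#$servers_array = sort(query_nodes("enc_role='${minio_members_role}'", 'networking.fqdn'))` is commented-out code that the commit rewrote to the new API instead of deleting, so it will keep drifting alongside the live query beneath it. Drop it and keep only the active `$servers_array = ...` line; if the role-only variant is a deliberate fallback, a comment stating when it applies is more useful than a disabled statement. The enclosing `if` starts outside the hunk.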
@@ -26,21 +26,9 @@ class profiles::ntp::client (
|
|||||||
$ntpserver_array = $ntp_role ? {
|
$ntpserver_array = $ntp_role ? {
|
||||||
undef => $peers,
|
undef => $peers,
|
||||||
default => $use_ntp ? {
|
default => $use_ntp ? {
|
||||||
'all' => puppetdb_query(
|
'all' => query_nodes("enc_role='${ntp_role}'", 'networking.fqdn'),
|
||||||
"facts[certname] { name = 'enc_role' and value = '${ntp_role}' }"
|
'region' => query_nodes("enc_role='${ntp_role}' and region=${facts['region']}", 'networking.fqdn'),
|
||||||
).map |$fact| { $fact['certname'] },
|
'country' => query_nodes("enc_role='${ntp_role}' and country=${facts['country']}", 'networking.fqdn'),
|
||||||
'region' => puppetdb_query(
|
|
||||||
"facts[certname] {
|
|
||||||
name = 'enc_role' and value = '${ntp_role}' and
|
|
||||||
certname in facts[certname] { name = 'region' and value = '${facts['region']}' }
|
|
||||||
}"
|
|
||||||
).map |$fact| { $fact['certname'] },
|
|
||||||
'country' => puppetdb_query(
|
|
||||||
"facts[certname] {
|
|
||||||
name = 'enc_role' and value = '${ntp_role}' and
|
|
||||||
certname in facts[certname] { name = 'country' and value = '${facts['country']}' }
|
|
||||||
}"
|
|
||||||
).map |$fact| { $fact['certname'] },
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
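Review bot: In the `'region'` and `'country'` arms the fact values are interpolated without quotes (`region=${facts['region']}`, `country=${facts['country']}`), whereas every other rewritten query on this page quotes them (`region='${facts['region']}'`). An unquoted value with characters the query grammar does not accept as a bare word (a hyphen or dot, say) would fail to parse or match nothing, and an unset fact leaves a dangling `region=`; quote them to match the other hunks: `'region' => query_nodes("enc_role='${ntp_role}' and region='${facts['region']}'", 'networking.fqdn'),` and the same for `country`. Since these values come from node-reported facts, a value containing a quote character would also change the query's meaning, so the facts used here should stay ones the fleet controls (a comment to that effect would help). The selector starts inside the hunk but the class body continues outside it.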
@@ -24,13 +24,10 @@ class profiles::proxmox::clusterinit {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
$servers_array = sort(puppetdb_query(
|
$servers_array = sort(query_nodes(
|
||||||
"facts[certname] {
|
"enc_role='${membersrole}' and country='${facts['country']}' and region='${facts['region']}'",
|
||||||
name = 'enc_role' and value = '${membersrole}' and
|
'networking.fqdn'
|
||||||
certname in facts[certname] { name = 'country' and value = '${facts['country']}' } and
|
))
|
||||||
certname in facts[certname] { name = 'region' and value = '${facts['region']}' }
|
|
||||||
}"
|
|
||||||
).map |$fact| { $fact['certname'] })
|
|
||||||
|
|
||||||
if ! $profiles::proxmox::params::pve_clusterinit_master {
|
if ! $profiles::proxmox::params::pve_clusterinit_master {
|
||||||
if !empty($servers_array) {
|
if !empty($servers_array) {
|
||||||
|
|||||||
@@ -11,14 +11,13 @@ class profiles::proxmox::clusterjoin {
|
|||||||
$root_password = $profiles::proxmox::params::root_password
|
$root_password = $profiles::proxmox::params::root_password
|
||||||
|
|
||||||
# query puppetdb for list of cluster members
|
# query puppetdb for list of cluster members
|
||||||
$members_array = sort(puppetdb_query(
|
$members_array = sort(query_nodes(
|
||||||
"facts[certname] {
|
"enc_role='${membersrole}' and \
|
||||||
name = 'enc_role' and value = '${membersrole}' and
|
country='${facts['country']}' and \
|
||||||
certname in facts[certname] { name = 'country' and value = '${facts['country']}' } and
|
region='${facts['region']}' and \
|
||||||
certname in facts[certname] { name = 'region' and value = '${facts['region']}' } and
|
pve_cluster.cluster_name='${clustername}'",
|
||||||
certname in facts[certname] { name = 'pve_cluster' and value.cluster_name = '${clustername}' }
|
'networking.fqdn'
|
||||||
}"
|
))
|
||||||
).map |$fact| { $fact['certname'] })
|
|
||||||
|
|
||||||
# check if the pve kernerl is running
|
# check if the pve kernerl is running
|
||||||
if $facts['kernelrelease'] == $profiles::proxmox::params::pve_kernel_release {
|
if $facts['kernelrelease'] == $profiles::proxmox::params::pve_kernel_release {
|
||||||
|
|||||||
@@ -13,8 +13,6 @@ class profiles::puppet::client (
|
|||||||
Boolean $show_diff = true,
|
Boolean $show_diff = true,
|
||||||
Boolean $usecacheonfailure = false,
|
Boolean $usecacheonfailure = false,
|
||||||
Integer $facts_soft_limit = 4096,
|
Integer $facts_soft_limit = 4096,
|
||||||
Boolean $splay = true,
|
|
||||||
Integer $splaylimit = 600,
|
|
||||||
) {
|
) {
|
||||||
|
|
||||||
# dont manage puppet.conf if this is a puppetmaster
|
# dont manage puppet.conf if this is a puppetmaster
|
||||||
|
|||||||
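Review bot: Dropping `Boolean $splay = true,` and `Integer $splaylimit = 600,` here, together with the `splay =` / `splaylimit =` lines removed from the puppet.conf template hunk near the end of the page, reverts agents to puppet's built-in default, which as far as I recall is splay disabled, so agents on the same schedule will check in simultaneously. If that is the intent, the commit description should say so; if splay is now managed elsewhere, a comment above the parameter list such as `# splay/splaylimit are managed by <PLACEHOLDER: location>` would save the next reader the search. The parameter list starts outside the hunk.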
@@ -3,7 +3,7 @@
|
|||||||
# This class manages the Puppetboard, a web interface to PuppetDB.
|
# This class manages the Puppetboard, a web interface to PuppetDB.
|
||||||
#
|
#
|
||||||
class profiles::puppet::puppetboard (
|
class profiles::puppet::puppetboard (
|
||||||
String $python_version = '3.12',
|
String $python_version = $facts['python3_release'],
|
||||||
Boolean $manage_virtualenv = false,
|
Boolean $manage_virtualenv = false,
|
||||||
Integer $reports_count = 40,
|
Integer $reports_count = 40,
|
||||||
Boolean $offline_mode = true,
|
Boolean $offline_mode = true,
|
||||||
|
|||||||
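Review bot: `String $python_version = $facts['python3_release'],` makes the parameter default depend on a fact that may be absent (no python3 yet, or the fact not shipped), in which case the default is undef and the `String` type check fails at compile time with an unhelpful "expects a String value, got Undef". Either keep a fallback, `String $python_version = pick($facts['python3_release'], '3.12'),`, or widen the type to `Optional[String]` and handle undef where it is used. The rest of the parameter list continues outside the hunk.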
@@ -48,12 +48,7 @@ class profiles::sql::galera_member (
|
|||||||
}
|
}
|
||||||
|
|
||||||
# if it is, find hosts, sort them so they dont cause changes every run
|
# if it is, find hosts, sort them so they dont cause changes every run
|
||||||
$servers_array = sort(puppetdb_query(
|
$servers_array = sort(query_nodes("enc_role='${galera_members_role}' and region='${facts['region']}'", 'networking.fqdn'))
|
||||||
"facts[certname] {
|
|
||||||
name = 'enc_role' and value = '${galera_members_role}' and
|
|
||||||
certname in facts[certname] { name = 'region' and value = '${facts['region']}' }
|
|
||||||
}"
|
|
||||||
).map |$fact| { $fact['certname'] })
|
|
||||||
|
|
||||||
# else use provided array from params
|
# else use provided array from params
|
||||||
}else{
|
}else{
|
||||||
|
|||||||
@@ -18,12 +18,7 @@ class profiles::sql::postgresdb (
|
|||||||
}
|
}
|
||||||
|
|
||||||
# if it is, find hosts, sort them so they dont cause changes every run
|
# if it is, find hosts, sort them so they dont cause changes every run
|
||||||
$servers_array = sort(puppetdb_query(
|
$servers_array = sort(query_nodes("enc_role='${members_role}' and region='${facts['region']}'", 'networking.fqdn'))
|
||||||
"facts[certname] {
|
|
||||||
name = 'enc_role' and value = '${members_role}' and
|
|
||||||
certname in facts[certname] { name = 'region' and value = '${facts['region']}' }
|
|
||||||
}"
|
|
||||||
).map |$fact| { $fact['certname'] })
|
|
||||||
|
|
||||||
# else use provided array from params
|
# else use provided array from params
|
||||||
}else{
|
}else{
|
||||||
|
|||||||
@@ -6,15 +6,11 @@ class profiles::vault::server (
|
|||||||
Undef
|
Undef
|
||||||
] $members_role = undef,
|
] $members_role = undef,
|
||||||
Array $vault_servers = [],
|
Array $vault_servers = [],
|
||||||
String $package_name = 'vault',
|
|
||||||
String $package_ensure = 'latest',
|
|
||||||
Boolean $disable_openbao = true,
|
|
||||||
Boolean $tls_disable = false,
|
Boolean $tls_disable = false,
|
||||||
Stdlib::Port $client_port = 8200,
|
Stdlib::Port $client_port = 8200,
|
||||||
Stdlib::Port $cluster_port = 8201,
|
Stdlib::Port $cluster_port = 8201,
|
||||||
Boolean $manage_storage_dir = false,
|
Boolean $manage_storage_dir = false,
|
||||||
Stdlib::Absolutepath $data_dir = '/opt/vault',
|
Stdlib::Absolutepath $data_dir = '/opt/vault',
|
||||||
Stdlib::Absolutepath $plugin_dir = '/opt/vault_plugins',
|
|
||||||
Stdlib::Absolutepath $bin_dir = '/usr/bin',
|
Stdlib::Absolutepath $bin_dir = '/usr/bin',
|
||||||
Stdlib::Absolutepath $ssl_crt = '/etc/pki/tls/vault/certificate.crt',
|
Stdlib::Absolutepath $ssl_crt = '/etc/pki/tls/vault/certificate.crt',
|
||||||
Stdlib::Absolutepath $ssl_key = '/etc/pki/tls/vault/private.key',
|
Stdlib::Absolutepath $ssl_key = '/etc/pki/tls/vault/private.key',
|
||||||
@@ -29,12 +25,7 @@ class profiles::vault::server (
|
|||||||
if $members_lookup and $members_role != undef {
|
if $members_lookup and $members_role != undef {
|
||||||
|
|
||||||
# if it is, find hosts, sort them so they dont cause changes every run
|
# if it is, find hosts, sort them so they dont cause changes every run
|
||||||
$servers_array = sort(puppetdb_query(
|
$servers_array = sort(query_nodes("enc_role='${members_role}' and region='${::facts['region']}'", 'networking.fqdn'))
|
||||||
"facts[certname] {
|
|
||||||
name = 'enc_role' and value = '${members_role}' and
|
|
||||||
certname in facts[certname] { name = 'region' and value = '${::facts['region']}' }
|
|
||||||
}"
|
|
||||||
).map |$fact| { $fact['certname'] })
|
|
||||||
|
|
||||||
# else use provided array from params
|
# else use provided array from params
|
||||||
}else{
|
}else{
|
||||||
@@ -60,33 +51,7 @@ class profiles::vault::server (
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
# cleanup openbao?
|
|
||||||
if $disable_openbao {
|
|
||||||
package {'openbao':
|
|
||||||
ensure => absent,
|
|
||||||
before => Class['vault']
|
|
||||||
}
|
|
||||||
package {'openbao-vault-compat':
|
|
||||||
ensure => absent,
|
|
||||||
before => [
|
|
||||||
Class['vault'],
|
|
||||||
Package['openbao']
|
|
||||||
]
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
# add versionlock for package_name?
|
|
||||||
if $package_ensure != 'latest' {
|
|
||||||
yum::versionlock{$package_name:
|
|
||||||
ensure => present,
|
|
||||||
version => $package_ensure,
|
|
||||||
before => Class['vault']
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
class { 'vault':
|
class { 'vault':
|
||||||
package_name => $package_name,
|
|
||||||
package_ensure => $package_ensure,
|
|
||||||
manage_service => false,
|
manage_service => false,
|
||||||
manage_storage_dir => $manage_storage_dir,
|
manage_storage_dir => $manage_storage_dir,
|
||||||
enable_ui => true,
|
enable_ui => true,
|
||||||
@@ -100,7 +65,6 @@ class profiles::vault::server (
|
|||||||
api_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${client_port}",
|
api_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${client_port}",
|
||||||
extra_config => {
|
extra_config => {
|
||||||
cluster_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${cluster_port}",
|
cluster_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${cluster_port}",
|
||||||
plugin_directory => $plugin_dir,
|
|
||||||
},
|
},
|
||||||
listener => [
|
listener => [
|
||||||
{
|
{
|
||||||
|
|||||||
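Review bot: Removing `$package_ensure` along with the `yum::versionlock` block means this profile no longer pins the vault package at all; the installed version now follows the `vault` class default for `package_ensure`, which is not visible here, so if pinning is still wanted it has to be set on `vault::package_ensure` and the pin enforced some other way. The deleted `openbao` / `openbao-vault-compat` removal block also means hosts that already have those packages keep them, so a one-off cleanup or a note in the commit description that the migration is complete would be appropriate. Dropping `plugin_directory` from `extra_config` changes the rendered config; if plugins were ever loaded from `/opt/vault_plugins` that path should be confirmed unused. The parameter list and the `class { 'vault':` declaration both extend outside the hunks.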
@@ -1,10 +0,0 @@
|
|||||||
<%- | String $records_file | -%>
|
|
||||||
[Unit]
|
|
||||||
Description=Watch the DNS records file and apply changes
|
|
||||||
|
|
||||||
[Path]
|
|
||||||
PathModified=<%= $records_file %>
|
|
||||||
Unit=dns-update.service
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=multi-user.target
|
|
||||||
@@ -1,9 +0,0 @@
|
|||||||
<%- | String $script | -%>
|
|
||||||
[Unit]
|
|
||||||
Description=Apply host DNS records via nsupdate
|
|
||||||
After=network-online.target
|
|
||||||
Wants=network-online.target
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
Type=oneshot
|
|
||||||
ExecStart=<%= $script %>
|
|
||||||
@@ -1,56 +0,0 @@
|
|||||||
<%- | String $server, String $key_file, String $records_file, String $state_file | -%>
|
|
||||||
#!/bin/bash
|
|
||||||
# Managed by puppet (profiles::dns::updater). Applies this host's records to the
|
|
||||||
# authoritative DNS server via TSIG nsupdate. Only the delta since the last
|
|
||||||
# successful run is sent; removed records are deleted.
|
|
||||||
set -euo pipefail
|
|
||||||
|
|
||||||
SERVER="<%= $server %>"
|
|
||||||
KEYFILE="<%= $key_file %>"
|
|
||||||
RECORDS="<%= $records_file %>"
|
|
||||||
STATE="<%= $state_file %>"
|
|
||||||
|
|
||||||
[ -f "$RECORDS" ] || exit 0
|
|
||||||
touch "$STATE"
|
|
||||||
|
|
||||||
# Format per line: zone|name|type|ttl|value (name is relative to zone, or @).
|
|
||||||
desired="$(grep -vE '^[[:space:]]*(#|$)' "$RECORDS" | sort -u || true)"
|
|
||||||
applied="$(grep -vE '^[[:space:]]*(#|$)' "$STATE" 2>/dev/null | sort -u || true)"
|
|
||||||
|
|
||||||
[ "$desired" = "$applied" ] && exit 0
|
|
||||||
|
|
||||||
fqdn() { # name zone
|
|
||||||
if [ -z "$1" ] || [ "$1" = "@" ]; then printf '%s.' "$2"; else printf '%s.%s.' "$1" "$2"; fi
|
|
||||||
}
|
|
||||||
|
|
||||||
msg="$(mktemp)"
|
|
||||||
trap 'rm -f "$msg"' EXIT
|
|
||||||
printf 'server %s\n' "$SERVER" >> "$msg"
|
|
||||||
|
|
||||||
# Process per zone so each UPDATE message targets a single zone.
|
|
||||||
zones="$(printf '%s\n%s\n' "$desired" "$applied" | cut -d'|' -f1 | sort -u | grep -v '^$' || true)"
|
|
||||||
for zone in $zones; do
|
|
||||||
printf 'zone %s.\n' "$zone" >> "$msg"
|
|
||||||
# Additions/updates: replace the RRset for every desired record in this zone.
|
|
||||||
printf '%s\n' "$desired" | awk -F'|' -v z="$zone" 'NF>=5 && $1==z' | \
|
|
||||||
while IFS='|' read -r z name type ttl value; do
|
|
||||||
f="$(fqdn "$name" "$z")"
|
|
||||||
printf 'update delete %s %s\n' "$f" "$type" >> "$msg"
|
|
||||||
printf 'update add %s %s %s %s\n' "$f" "$ttl" "$type" "$value" >> "$msg"
|
|
||||||
done
|
|
||||||
# Deletions: records present last run but gone now.
|
|
||||||
comm -23 <(printf '%s\n' "$applied") <(printf '%s\n' "$desired") | \
|
|
||||||
awk -F'|' -v z="$zone" 'NF>=5 && $1==z' | \
|
|
||||||
while IFS='|' read -r z name type ttl value; do
|
|
||||||
f="$(fqdn "$name" "$z")"
|
|
||||||
printf 'update delete %s %s %s\n' "$f" "$type" "$value" >> "$msg"
|
|
||||||
done
|
|
||||||
printf 'send\n' >> "$msg"
|
|
||||||
done
|
|
||||||
|
|
||||||
if nsupdate -k "$KEYFILE" "$msg"; then
|
|
||||||
printf '%s\n' "$desired" > "$STATE"
|
|
||||||
else
|
|
||||||
echo "dns-update: nsupdate to ${SERVER} failed" >&2
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
@@ -1,5 +0,0 @@
|
|||||||
<%- | String $name, String $algorithm, String $secret | -%>
|
|
||||||
key "<%= $name %>" {
|
|
||||||
algorithm <%= $algorithm %>;
|
|
||||||
secret "<%= $secret %>";
|
|
||||||
};
|
|
||||||
@@ -12,5 +12,3 @@ runtimeout = <%= @runtimeout %>
|
|||||||
show_diff = <%= @show_diff %>
|
show_diff = <%= @show_diff %>
|
||||||
usecacheonfailure = <%= @usecacheonfailure %>
|
usecacheonfailure = <%= @usecacheonfailure %>
|
||||||
number_of_facts_soft_limit = <%= @facts_soft_limit %>
|
number_of_facts_soft_limit = <%= @facts_soft_limit %>
|
||||||
splay = <%= @splay %>
|
|
||||||
splaylimit = <%= @splaylimit %>
|
|
||||||
|
|||||||