Ben Vincent
40c57ede59
- a ci workflow for build tests - run pre-commit against all files Reviewed-on: #342
97 lines
3.5 KiB
Puppet
97 lines
3.5 KiB
Puppet
# profiles::consul::client
|
|
class profiles::consul::client (
|
|
String $secret_id_salt = '',
|
|
Stdlib::Fqdn $consul_hostname = 'consul.service.consul',
|
|
Enum['http','https'] $consul_protocol = 'http',
|
|
Stdlib::Port $consul_port = 8500,
|
|
String $consul_api_token = lookup('profiles::consul::server::acl_tokens_initial_management'),
|
|
Boolean $members_lookup = false,
|
|
String $members_role = undef,
|
|
Array $consul_servers = [],
|
|
Stdlib::Absolutepath $data_dir = '/opt/consul',
|
|
Array[Hash] $node_rules = [],
|
|
Hash $ports = {},
|
|
) {
|
|
|
|
if $facts['enc_role'] != $members_role {
|
|
|
|
# set a datacentre/cluster name
|
|
$consul_cluster = "${::facts['country']}-${::facts['region']}"
|
|
|
|
# if lookup is enabled, find all the hosts in the specified role and create the servers_array
|
|
if $members_lookup {
|
|
|
|
# check that the role is also set
|
|
unless !($members_role == undef) {
|
|
fail("members_role must be provided for ${title} when members_lookup is True")
|
|
}
|
|
|
|
# if it is, find hosts, sort them so they dont cause changes every run
|
|
$servers_array = sort(query_nodes("enc_role='${members_role}' and region='${::facts['region']}'", 'networking.fqdn'))
|
|
|
|
# else use provided array from params
|
|
}else{
|
|
$servers_array = $consul_servers
|
|
}
|
|
|
|
# deploy the consul agent
|
|
class { 'consul':
|
|
config_hash => {
|
|
'data_dir' => $data_dir,
|
|
'datacenter' => $consul_cluster,
|
|
'log_level' => 'INFO',
|
|
'node_name' => $facts['networking']['fqdn'],
|
|
'retry_join' => $servers_array,
|
|
'bind_addr' => $::facts['networking']['ip'],
|
|
'advertise_addr' => $::facts['networking']['ip'],
|
|
'enable_script_checks' => true,
|
|
'ports' => $ports,
|
|
'acl' => {
|
|
tokens => {
|
|
default => fqdn_uuid("${facts['networking']['fqdn']}-${secret_id_salt}")
|
|
}
|
|
}
|
|
},
|
|
}
|
|
}
|
|
|
|
# Create ACL policy that allows nodes to update themselves and read others
|
|
consul_policy { $facts['networking']['hostname']:
|
|
description => "${facts['networking']['fqdn']} puppet-generated-policy",
|
|
rules => $node_rules,
|
|
acl_api_token => $consul_api_token,
|
|
hostname => $consul_hostname,
|
|
protocol => $consul_protocol,
|
|
port => $consul_port,
|
|
}
|
|
|
|
consul_token { $facts['networking']['hostname']:
|
|
accessor_id => fqdn_uuid($facts['networking']['fqdn']),
|
|
description => "${facts['networking']['fqdn']} puppet-generated-token",
|
|
policies_by_name => [$facts['networking']['hostname']],
|
|
acl_api_token => $consul_api_token,
|
|
secret_id => fqdn_uuid("${facts['networking']['fqdn']}-${secret_id_salt}"),
|
|
hostname => $consul_hostname,
|
|
protocol => $consul_protocol,
|
|
port => $consul_port,
|
|
|
|
}
|
|
|
|
# ensure the consul token is saved for the root user
|
|
file {'/root/.config/consul_node_token':
|
|
ensure => file,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0600',
|
|
content => Sensitive(fqdn_uuid("${facts['networking']['fqdn']}-${secret_id_salt}")),
|
|
require => File['/root/.config'],
|
|
}
|
|
|
|
# cleanup /usr/local/bin/consul which was created by url install method
|
|
if $facts['os']['family'] == 'RedHat' {
|
|
file {'/usr/local/bin/consul':
|
|
ensure => absent,
|
|
}
|
|
}
|
|
}
|