From 01441653e7f9a9149c7aadbebd3f215d2e679fbf Mon Sep 17 00:00:00 2001
From: Arne Teuke
Date: Mon, 10 Mar 2025 13:21:44 +0100
Subject: [PATCH] add puppetdb section
---
 .vscode/settings.json | 11 ++
 manifests/main/config.pp | 4 +
 manifests/params.pp | 106 +++++++++++--------
 manifests/puppetdb/dirs.pp | 64 +++++++++++
 manifests/puppetdb/files.pp | 117 +++++++++++++++++++++
 manifests/puppetdb/service.pp | 19 ++++
 templates/puppetdb/bootstrap.cfg.erb | 32 ++++++
 templates/puppetdb/config.ini.erb | 11 ++
 templates/puppetdb/database.ini.erb | 10 ++
 templates/puppetdb/jetty.ini.erb | 31 ++++++
 templates/puppetdb/logback.xml.erb | 59 +++++++++++
 templates/puppetdb/puppetdb.conf.erb | 4 +-
 templates/puppetdb/repl.ini.erb | 13 +++
 templates/puppetdb/request_logging.xml.erb | 17 +++
 14 files changed, 454 insertions(+), 44 deletions(-)
 create mode 100644 .vscode/settings.json
 create mode 100644 manifests/puppetdb/dirs.pp
 create mode 100644 manifests/puppetdb/files.pp
 create mode 100644 manifests/puppetdb/service.pp
 create mode 100644 templates/puppetdb/bootstrap.cfg.erb
 create mode 100644 templates/puppetdb/config.ini.erb
 create mode 100644 templates/puppetdb/database.ini.erb
 create mode 100644 templates/puppetdb/jetty.ini.erb
 create mode 100755 templates/puppetdb/logback.xml.erb
 create mode 100644 templates/puppetdb/repl.ini.erb
 create mode 100644 templates/puppetdb/request_logging.xml.erb
diff --git a/.vscode/settings.json b/.vscode/settings.json
new file mode 100644
index 0000000..f821985
--- /dev/null
+++ b/.vscode/settings.json
@@ -0,0 +1,11 @@
+{
+ "cSpell.words": [
+ "appender",
+ "kahadb",
+ "logappender",
+ "requestlogging",
+ "springframework",
+ "Supress",
+ "trapperkeeper"
+ ]
+}
\ No newline at end of file
diff --git a/manifests/main/config.pp b/manifests/main/config.pp
index 3b9fa98..234343e 100644
--- a/manifests/main/config.pp
+++ b/manifests/main/config.pp
@@ -7,4 +7,8 @@ class puppet_cd::main::config ( ) inherits puppet_cd::params { include puppet_cd::server::service + + if $pt_use_puppetdb == true { + include puppet_cd::puppetdb::service + } } diff --git a/manifests/params.pp b/manifests/params.pp index f90578b..f701271 100644 --- a/manifests/params.pp +++ b/manifests/params.pp 
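Review bot: `if $pt_use_puppetdb == true {` compares a flag to `true`; if `$pt_use_puppetdb` is declared `Boolean` in params.pp (it is documented as `[boolean]` there, though the declaration itself is not in this diff) the comparison is redundant and `if $pt_use_puppetdb {` reads more directly. The same `($pt_use_puppetdb == true)` form is repeated in the guard of the new dirs.pp, files.pp and service.pp classes, so whichever form is chosen should be applied to all four. The class body of `puppet_cd::main::config` continues outside the hunk.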
@@ -54,7 +54,29 @@ # @param [string] pt_parser which parser version to use # @param [boolean] pt_cert_revocation whether to check for cert revocations # @param [string] pt_logging_max_file_size max file size for puppetdb logging -# +# @param [string] pt_logging_max_history max logging history +# @param [string] pt_logging_total_size total size of logging file +# @param [string] pt_com_proc_threads number of processing threads +# @param [string] pt_concurrent_writes max concurrent writes +# @param [string] pt_db_subname the db name +# @param [string] pt_db_username the db username +# @param [string] pt_db_password the db password +# @param [string] pt_gc_interval garbage collection interval (Java) +# @param [string] pt_log_slow_statements number of seconds before an SQL query +# is considered "slow." +# @param [string] pt_puppetdb_source_lan the source lan for puppetdb clients +# @param [boolean] pt_soft_write_failure allows the PuppetDB-termini to fail +# softly if PuppetDB is not accessible for command submission. +# @param [string] pt_no_ssl_host ip range for non-ssl hosts +# @param [string] pt_ssl_host ip range for SSL hosts +# @param [string] pt_ssl_key location of the private key +# @param [string] pt_ssl_cert location of the ssl cert +# @param [string] pt_ssl_ca_cert location of the ssl ca cert +# @param [boolean] pt_log_access whether to configure log access +# @param [string] pt_access_log_config the location of the access log config +# @param [boolean] pt_enable_repl whether to allow puppetdb replication +# @param [string] pt_repl_port the replication port +# @param [string] pt_repl_host the replication host ############################################################################### class puppet_cd::params ( 
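Review bot: The new `@param` lines for `pt_enable_repl`, `pt_repl_port` and `pt_repl_host` describe them as "replication", but the template they feed (repl.ini.erb, `[nrepl]` section) configures PuppetDB's network Clojure REPL — an interactive code-evaluation interface into the JVM, not any form of data replication — so an operator who enables it expecting replication is opening something the repl.ini template itself says is "disabled for security reasons". Suggest `# @param [boolean] pt_enable_repl whether to enable the nREPL debugging interface (keep disabled in production)`, `# @param [string] pt_repl_port the port the nREPL listens on` and `# @param [string] pt_repl_host the address the nREPL binds to`. The `pt_gc_interval` line says "(Java)", but the `gc-interval` key it ends up in (`[database]` of database.ini.erb) is, as far as I recall, PuppetDB's own database garbage-collection interval rather than JVM GC, so that qualifier is misleading and should be dropped. The `class puppet_cd::params (` parameter list this hunk ends on continues outside the hunk.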
@@ -130,7 +152,7 @@ class puppet_cd::params (
 String $pt_no_ssl_host = '0.0.0.0',
 String $pt_ssl_host = '0.0.0.0',
 String $pt_ssl_key = '/etc/puppetlabs/puppetdb/ssl/private.pem',
- String $pt_ssh_cert = '/etc/puppetlabs/puppetdb/ssl/public.pem',
+ String $pt_ssl_cert = '/etc/puppetlabs/puppetdb/ssl/public.pem',
 String $pt_ssl_ca_cert = '/etc/puppetlabs/puppetdb/ssl/ca.pem',
 Boolean $pt_log_access = false,
 String $pt_access_log_config = '/etc/puppetlabs/puppetdb/request-logging.xml',
@@ -139,56 +161,56 @@ class puppet_cd::params ( String $pt_repl_host = '127.0.0.1', ) { - $fqdn = $facts['networking']['fqdn'] + $fqdn = $facts['networking']['fqdn'] # directories ## puppet - $pt_main_dir = '/etc/puppetlabs' - $pt_puppetdir = "${pt_main_dir}/puppet" - $pt_code_dir = "${pt_main_dir}/code" - $pt_environmentspath = "${pt_code_dir}/environments" - $pt_ssldir = "${pt_puppetdir}/ssl" - $pt_privatekeydir = "${pt_ssldir}/private_keys" - $pt_rundir = '/var/run/puppetlabs' - $pt_rundir_master = '/var/run/puppetlabs/puppetserver' - $pt_vardir = '/opt/puppetlabs/puppet/cache' - $pt_vardir_master = '/opt/puppetlabs/server/data/puppetserver' + $pt_main_dir = '/etc/puppetlabs' + $pt_puppetdir = "${pt_main_dir}/puppet" + $pt_code_dir = "${pt_main_dir}/code" + $pt_environmentspath = "${pt_code_dir}/environments" + $pt_ssldir = "${pt_puppetdir}/ssl" + $pt_privatekeydir = "${pt_ssldir}/private_keys" + $pt_rundir = '/var/run/puppetlabs' + $pt_rundir_master = '/var/run/puppetlabs/puppetserver' + $pt_vardir = '/opt/puppetlabs/puppet/cache' + $pt_vardir_master = '/opt/puppetlabs/server/data/puppetserver' ## puppetdb - $pt_puppetdb_main = '/etc/puppetlabs/puppetdb' - $pt_puppetdb_conf_d = "${pt_puppetdb_main}/conf.d" - $pt_puppetdb_ssl = "${pt_puppetdb_main}/ssl" - $pt_puppetdb_log = '/var/log/puppetlabs/puppetdb' - $pt_puppetdb_var_dir = '/opt/puppetlabs/server/data/puppetdb' + $pt_puppetdb_main = '/etc/puppetlabs/puppetdb' + $pt_puppetdb_conf_d = "${pt_puppetdb_main}/conf.d" + $pt_puppetdb_ssl = "${pt_puppetdb_main}/ssl" + $pt_puppetdb_log = '/var/log/puppetlabs/puppetdb' + $pt_puppetdb_var_dir = '/opt/puppetlabs/server/data/puppetdb' # files ## puppet - $pt_puppet_conf_file = "${pt_puppetdir}/puppet.conf" - $pt_puppet_conf_erb = 'puppet_cd/puppet.conf.erb' - $pt_agent_conf_erb = 'puppet_cd/agent.conf.erb' - $pt_hiera_config = "${pt_puppetdir}/hiera.yaml" + $pt_puppet_conf_file = "${pt_puppetdir}/puppet.conf" + $pt_puppet_conf_erb = 'puppet_cd/puppet.conf.erb' + 
$pt_agent_conf_erb = 'puppet_cd/agent.conf.erb' + $pt_hiera_config = "${pt_puppetdir}/hiera.yaml" ## puppetdb - $pt_bootstrap_conf = "${pt_puppetdb_main}/bootstrap.cfg" - $pt_bootstrap_erb = 'cd_puppet/puppetdb/bootstrap.cfg.erb' - $pt_puppetdb_access_log = "${pt_puppetdb_log}/puppetdb-access" - $pt_request_logging_conf = "${pt_puppetdb_main}/request-logging.xml" - $pt_request_logging_erb = 'cd_puppet/puppetdb/request_logging.xml.erb' - $pt_logback_conf = "${pt_puppetdb_main}/logback.xml" - $pt_logback_erb = 'cd_puppet/puppetdb/logback.xml.erb' - $pt_puppetdb_config_ini = "${pt_puppetdb_conf_d}/config.ini" - $pt_puppetdb_config_erb = 'cd_puppet/puppetdb/config.ini.erb' - $pt_puppetdb_database_ini = "${pt_puppetdb_conf_d}/database.ini" - $pt_puppetdb_database_erb = 'cd_puppet/puppetdb/database.ini.erb' - $pt_puppetdb_jetty_ini = "${pt_puppetdb_conf_d}/jetty.ini" - $pt_puppetdb_jetty_erb = 'cd_puppet/puppetdb/jetty.ini.erb' - $pt_puppetdb_conf_file = "${pt_puppetdir}/puppetdb.conf" - $pt_puppetdb_conf_erb = 'cd_puppet/puppetdb/puppetdb.conf.erb' - $pt_puppetdb_repl_ini = "${pt_puppetdb_conf_d}/repl.ini" - $pt_puppetdb_repl_erb = 'cd_puppet/puppetdb/repl.ini.erb' + $pt_bootstrap_conf = "${pt_puppetdb_main}/bootstrap.cfg" + $pt_bootstrap_erb = 'cd_puppet/puppetdb/bootstrap.cfg.erb' + $pt_puppetdb_access_log = "${pt_puppetdb_log}/puppetdb-access" + $pt_request_logging_conf = "${pt_puppetdb_main}/request-logging.xml" + $pt_request_logging_erb = 'cd_puppet/puppetdb/request_logging.xml.erb' + $pt_logback_conf = "${pt_puppetdb_main}/logback.xml" + $pt_logback_erb = 'cd_puppet/puppetdb/logback.xml.erb' + $pt_puppetdb_config_ini = "${pt_puppetdb_conf_d}/config.ini" + $pt_puppetdb_config_erb = 'cd_puppet/puppetdb/config.ini.erb' + $pt_puppetdb_database_ini = "${pt_puppetdb_conf_d}/database.ini" + $pt_puppetdb_database_erb = 'cd_puppet/puppetdb/database.ini.erb' + $pt_puppetdb_jetty_ini = "${pt_puppetdb_conf_d}/jetty.ini" + $pt_puppetdb_jetty_erb = 
'cd_puppet/puppetdb/jetty.ini.erb' + $pt_puppetdb_conf_file = "${pt_puppetdir}/puppetdb.conf" + $pt_puppetdb_conf_erb = 'cd_puppet/puppetdb/puppetdb.conf.erb' + $pt_puppetdb_repl_ini = "${pt_puppetdb_conf_d}/repl.ini" + $pt_puppetdb_repl_erb = 'cd_puppet/puppetdb/repl.ini.erb' # service - $pt_server_service = 'puppetserver' - $pt_agent_service = 'puppet' - $pt_db_service = 'puppetdb' + $pt_server_service = 'puppetserver' + $pt_agent_service = 'puppet' + $pt_db_service = 'puppetdb' # # includes must be last diff --git a/manifests/puppetdb/dirs.pp b/manifests/puppetdb/dirs.pp new file mode 100644 index 0000000..a023923 --- /dev/null +++ b/manifests/puppetdb/dirs.pp 
@@ -0,0 +1,64 @@
+## puppet_cd::puppetdb::dirs.pp
+# Module name: puppet_cd
+# Author: Arne Teuke (arne_teuke@confdroid)
+# @summary Class manages puppetdb directories
+###############################################################################
+class puppet_cd::puppetdb::dirs (
+
+) inherits puppet_cd::params {
+ if ($fqdn == $pt_puppetdb_server) and ($pt_use_puppetdb == true) {
+ require puppet_cd::main::install
+
+ # main directory
+ file { $pt_puppetdb_main:
+ ensure => directory,
+ path => $pt_puppetdb_main,
+ owner => $pt_puppetdb_user,
+ group => $pt_puppetdb_user,
+ mode => '0750',
+ selrange => s0,
+ selrole => object_r,
+ seltype => etc_t,
+ seluser => system_u,
+ }
+
+ # conf.d directory
+ file { $pt_puppetdb_conf_d:
+ ensure => directory,
+ path => $pt_puppetdb_conf_d,
+ owner => $pt_puppetdb_user,
+ group => $pt_puppetdb_user,
+ mode => '0750',
+ selrange => s0,
+ selrole => object_r,
+ seltype => etc_t,
+ seluser => system_u,
+ }
+
+ # ssl directory
+ file { $pt_puppetdb_ssl:
+ ensure => directory,
+ path => $pt_puppetdb_ssl,
+ owner => $pt_puppetdb_user,
+ group => $pt_puppetdb_user,
+ mode => '0750',
+ selrange => s0,
+ selrole => object_r,
+ seltype => etc_t,
+ seluser => system_u,
+ }
+
+ # log dir
+ file { $pt_puppetdb_log:
+ ensure => directory,
+ path => $pt_puppetdb_log,
+ owner => $pt_puppetdb_user,
+ group => $pt_puppetdb_user,
+ mode => '0700',
+ selrange => s0,
+ selrole => object_r,
+ seltype => var_log_t,
+ seluser => system_u,
+ }
+ }
+}
diff --git a/manifests/puppetdb/files.pp b/manifests/puppetdb/files.pp
new file mode 100644
index 0000000..a0ae43d
--- /dev/null
+++ b/manifests/puppetdb/files.pp
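Review bot: The three `0750` directory resources (`$pt_puppetdb_main`, `$pt_puppetdb_conf_d`, `$pt_puppetdb_ssl`) repeat the same nine attributes and differ only in their title, and each additionally sets `path` to its own title, which is already the namevar; iterating over the three paths keeps one copy of the attribute set, so a later change to owner, mode or SELinux context cannot be applied to two of the three by mistake. The log directory keeps its own resource because its mode (`0700`) and `seltype` (`var_log_t`) differ. The file uses typed parameters and `$facts[...]`, so the Puppet 4+ `each` lambda below is available.
```puppet
    # main, conf.d and ssl directories share owner, mode and SELinux context
    [$pt_puppetdb_main, $pt_puppetdb_conf_d, $pt_puppetdb_ssl].each |String $dir| {
      file { $dir:
        ensure   => directory,
        owner    => $pt_puppetdb_user,
        group    => $pt_puppetdb_user,
        mode     => '0750',
        selrange => s0,
        selrole  => object_r,
        seltype  => etc_t,
        seluser  => system_u,
      }
    }
    # … unchanged: log dir resource …
```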
@@ -0,0 +1,117 @@ +## puppet_cd::puppetdb::files.pp +# Module name: puppet_cd +# Author: Arne Teuke (arne_teuke@confdroid) +# @summary Class manages puppetdb files +############################################################################### +class puppet_cd::puppetdb::files ( + +) inherits puppet_cd::params { + if ($fqdn == $pt_puppetdb_server) and ($pt_use_puppetdb == true) { + require puppet_cd::puppetdb::dirs + + # bootstrap.cfg + file { $pt_bootstrap_conf: + ensure => file, + path => $pt_bootstrap_conf, + owner => 'root', + group => 'root', + mode => '0644', + selrange => s0, + selrole => object_r, + seltype => puppet_etc_t, + seluser => system_u, + content => template($pt_bootstrap_erb), + notify => Service[$pt_puppetdb], + } + + # requestlogging.xml + file { $pt_request_logging_conf: + ensure => file, + path => $pt_request_logging_conf, + owner => 'root', + group => 'root', + mode => '0644', + selrange => s0, + selrole => object_r, + seltype => puppet_etc_t, + seluser => system_u, + content => template($pt_request_logging_erb), + notify => Service[$pt_puppetdb], + } + + # logback.xml + file { $pt_logback_conf: + ensure => file, + path => $pt_logback_conf, + owner => 'root', + group => 'root', + mode => '0644', + selrange => s0, + selrole => object_r, + seltype => puppet_etc_t, + seluser => system_u, + content => template($pt_logback_erb), + notify => Service[$pt_puppetdb], + } + + # config.ini + file { $pt_puppetdb_config_ini: + ensure => file, + path => $pt_puppetdb_config_ini, + owner => $pt_puppetdb_user, + group => $pt_puppetdb_user, + mode => '0640', + selrange => s0, + selrole => object_r, + seltype => puppet_etc_t, + seluser => system_u, + content => template($pt_puppetdb_config_erb), + notify => Service[$pt_puppetdb], + } + + # database.ini + file { $pt_puppetdb_database_ini: + ensure => file, + path => $pt_puppetdb_database_ini, + owner => $pt_puppetdb_user, + group => $pt_puppetdb_user, + mode => '0640', + selrange => s0, + selrole => object_r, 
+ seltype => puppet_etc_t, + seluser => system_u, + content => template($pt_puppetdb_database_erb), + notify => Service[$pt_puppetdb], + } + + # jetty.ini + file { $pt_puppetdb_jetty_ini : + ensure => file, + path => $pt_puppetdb_jetty_ini , + owner => $pt_puppetdb_user, + group => $pt_puppetdb_user, + mode => '0640', + selrange => s0, + selrole => object_r, + seltype => puppet_etc_t, + seluser => system_u, + content => template($pt_puppetdb_jetty_erb), + notify => Service[$pt_puppetdb], + } + + # repl.ini + file { $pt_puppetdb_repl_ini: + ensure => file, + path => $pt_puppetdb_repl_ini, + owner => $pt_puppetdb_user, + group => $pt_puppetdb_user, + mode => '0640', + selrange => s0, + selrole => object_r, + seltype => puppet_etc_t, + seluser => system_u, + content => template($pt_puppetdb_repl_erb), + notify => Service[$pt_puppetdb], + } + } +} diff --git a/manifests/puppetdb/service.pp b/manifests/puppetdb/service.pp new file mode 100644 index 0000000..dbdcea0 --- /dev/null +++ b/manifests/puppetdb/service.pp @@ -0,0 +1,19 @@ +## puppet_cd::puppetdb::service.pp +# Module name: puppet_cd +# Author: Arne Teuke (arne_teuke@confdroid) +# @summary Class manages puppetdb service +############################################################################### +class puppet_cd::puppetdb::service ( + +) inherits puppet_cd::params { + if ($fqdn == $pt_puppetdb_server) and ($pt_use_puppetdb == true) { + require puppet_cd::puppetdb::files + + service { $pt_puppetdb: + ensure => running, + hasstatus => true, + hasrestart => true, + enable => true, + } + } +} diff --git a/templates/puppetdb/bootstrap.cfg.erb b/templates/puppetdb/bootstrap.cfg.erb new file mode 100644 index 0000000..ed31588 --- /dev/null +++ b/templates/puppetdb/bootstrap.cfg.erb 
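Review bot: Every `content => template($pt_*_erb)` in this class resolves through the params.pp variables that this commit sets to `'cd_puppet/puppetdb/…'`, while the templates the commit adds live under this module's own `templates/puppetdb/` and the module is `puppet_cd` (the same params block uses `'puppet_cd/puppet.conf.erb'` for the puppet.conf template); unless a separate `cd_puppet` module is on the modulepath, the first `template()` call aborts catalog compilation with a template-not-found error. Change the prefix in params.pp, e.g. `$pt_bootstrap_erb = 'puppet_cd/puppetdb/bootstrap.cfg.erb'`, for all eight `*_erb` values. Separately, the `$pt_puppetdb_database_ini` resource renders `$pt_db_password` into the file, so add `show_diff => false,` to that resource; otherwise the credential is printed in agent output and stored in reports whenever the content changes. The `$pt_puppetdb_jetty_ini :` title and `path => $pt_puppetdb_jetty_ini ,` carry stray spaces before the colon and comma that the other resources do not.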
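Review bot: `service { $pt_puppetdb:` uses a variable that the visible part of params.pp never defines; the service name there is `$pt_db_service = 'puppetdb'`, and `$pt_puppetdb` appears nowhere in the params hunks, so unless it is a class parameter outside the lines shown this resolves to undef (a compile error under strict variables, an empty title otherwise). The same name is used in every `notify => Service[$pt_puppetdb]` in files.pp, so the two files need to be changed together: `service { $pt_db_service:` here and `notify => Service[$pt_db_service],` there. If `$pt_puppetdb` is intentional, `$pt_db_service` is then unused and one of the two should be removed from params.pp.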
@@ -0,0 +1,32 @@
+###############################################################################
+########## bootstrap.cfg managed by puppet agent ##########
+###############################################################################
+
+# This file is used by the application framework (trapperkeeper) to
+# determine what services should be loaded at boot time.
+# For more info, see:
+# https://github.com/puppetlabs/trapperkeeper/wiki/Bootstrapping
+
+# Web Server
+puppetlabs.trapperkeeper.services.webserver.jetty9-service/jetty9-service
+
+# Webrouting
+puppetlabs.trapperkeeper.services.webrouting.webrouting-service/webrouting-service
+
+# TK status
+puppetlabs.trapperkeeper.services.metrics.metrics-service/metrics-webservice
+puppetlabs.trapperkeeper.services.status.status-service/status-service
+puppetlabs.trapperkeeper.services.scheduler.scheduler-service/scheduler-service
+
+# PuppetDB Services
+puppetlabs.puppetdb.cli.services/puppetdb-service
+puppetlabs.puppetdb.command/command-service
+puppetlabs.puppetdb.pdb-routing/maint-mode-service
+puppetlabs.puppetdb.pdb-routing/pdb-routing-service
+puppetlabs.puppetdb.config/config-service
+
+# NREPL
+puppetlabs.trapperkeeper.services.nrepl.nrepl-service/nrepl-service
+
+# Dashboard redirect: remove to disable
+puppetlabs.puppetdb.dashboard/dashboard-redirect-service
diff --git a/templates/puppetdb/config.ini.erb b/templates/puppetdb/config.ini.erb
new file mode 100644
index 0000000..bc5f428
--- /dev/null
+++ b/templates/puppetdb/config.ini.erb
@@ -0,0 +1,11 @@
+###############################################################################
+########## config.ini managed by puppet agent ##########
+###############################################################################
+
+[global]
+vardir = <%= @pt_puppetdb_var_dir %>
+logging-config = <%= @pt_logback_conf %>
+
+[command-processing]
+threads = <%= @pt_com_proc_threads %>
+concurrent-writes = <%= @pt_concurrent_writes %>
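Review bot: `puppetlabs.trapperkeeper.services.nrepl.nrepl-service/nrepl-service` is loaded unconditionally even though repl.ini.erb in this commit only configures the REPL when `@pt_enable_repl` is true and otherwise leaves it as "disabled for security reasons"; wrapping the line in `<% if @pt_enable_repl == true %>` … `<% end %>` keeps the service out of the process entirely when it is not wanted, so that a later edit to repl.ini alone cannot turn it on. The "Dashboard redirect: remove to disable" comment is inherited from the stock file but gives an operator of a Puppet-managed file no way to act on it; either expose a parameter for it or reword the comment to say the line is fixed by the template.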
diff --git a/templates/puppetdb/database.ini.erb b/templates/puppetdb/database.ini.erb
new file mode 100644
index 0000000..5534376
--- /dev/null
+++ b/templates/puppetdb/database.ini.erb
@@ -0,0 +1,10 @@
+###############################################################################
+########## database.ini managed by puppet agent ##########
+###############################################################################
+
+[database]
+subname = <%= @pt_db_subname %>
+username = <%= @pt_db_username %>
+password = <%= @pt_db_password %>
+
+gc-interval = <%= @pt_gc_interval %>
diff --git a/templates/puppetdb/jetty.ini.erb b/templates/puppetdb/jetty.ini.erb
new file mode 100644
index 0000000..a12eef3
--- /dev/null
+++ b/templates/puppetdb/jetty.ini.erb
@@ -0,0 +1,31 @@
+###############################################################################
+########## jetty.ini managed by puppet agent ##########
+###############################################################################
+
+[jetty]
+<% if @pt_use_ssl_only != true %>
+host = <%= @pt_no_ssl_host %>
+port = <%= @pt_no_ssl_port %>
+
+# ssl
+ssl-host = <%= @pt_ssl_host %>
+ssl-port = <%= @pt_ssl_port %>
+ssl-key = <%= @pt_ssl_key %>
+ssl-cert = <%= @pt_ssl_cert %>
+ssl-ca-cert = <%= @pt_ssl_ca_cert %>
+
+<% if @pt_log_access == true %>
+access-log-config = <%= @pt_access_log_config %>
+<% end end %>
+
+
+<% if @pt_use_ssl_only == true %>
+ssl-host = <%= @pt_ssl_host %>
+ssl-port = <%= @pt_ssl_port %>
+ssl-key = <%= @pt_ssl_key %>
+ssl-cert = <%= @pt_ssl_cert %>
+ssl-ca-cert = <%= @pt_ssl_ca_cert %>
+
+<% if @pt_log_access == true %>
+access-log-config = <%= @pt_access_log_config %>
+<% end end %>
diff --git a/templates/puppetdb/logback.xml.erb b/templates/puppetdb/logback.xml.erb
new file mode 100755
index 0000000..2815728
--- /dev/null
+++ b/templates/puppetdb/logback.xml.erb
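Review bot: `pt_log_slow_statements` is documented in the params.pp hunk of this commit ("number of seconds before an SQL query is considered slow"), which describes PuppetDB's `log-slow-statements` setting in this `[database]` section, yet the template never renders it; unless it is emitted elsewhere, add `log-slow-statements = <%= @pt_log_slow_statements %>` next to `gc-interval`, or drop the parameter so the documentation does not promise a setting that has no effect. The password is necessarily written in cleartext here, which is why the corresponding file resource in files.pp should carry `show_diff => false` and the directory stays at `0750`/`0640`.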
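Review bot: In the `@pt_use_ssl_only != true` branch the template emits `host = <%= @pt_no_ssl_host %>`, and the params.pp default for that variable is `'0.0.0.0'` (context line of the earlier params hunk), so a deployment that does not set `pt_use_ssl_only` gets PuppetDB's unauthenticated cleartext HTTP endpoint bound on every interface rather than on loopback; either change the default to `'127.0.0.1'` or document that setting `pt_use_ssl_only` to false is an explicit opt-in to a network-reachable plain-HTTP listener. Structurally, the five `ssl-*` lines and the access-log block are copied verbatim into both branches and each branch is closed with `<% end end %>`, which is hard to read and lets the two copies drift apart; emitting the SSL settings once and keeping only `host`/`port` conditional produces the same output in half the template:
```erb
[jetty]
<% if @pt_use_ssl_only != true %>
host = <%= @pt_no_ssl_host %>
port = <%= @pt_no_ssl_port %>
<% end %>

# ssl
ssl-host = <%= @pt_ssl_host %>
ssl-port = <%= @pt_ssl_port %>
ssl-key = <%= @pt_ssl_key %>
ssl-cert = <%= @pt_ssl_cert %>
ssl-ca-cert = <%= @pt_ssl_ca_cert %>

<% if @pt_log_access == true %>
access-log-config = <%= @pt_access_log_config %>
<% end %>
```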
@@ -0,0 +1,59 @@ + + + + %d %-5p [%c{2}] %m%n + + + + + /var/log/puppetlabs/puppetdb/puppetdb.log + true + + /var/log/puppetlabs/puppetdb/puppetdb-%d{yyyy-MM-dd}.%i.log.gz + + 200MB + 90 + 1GB + + + %d %-5p [%c{2}] %m%n + + + + + + + + + + + + + + /var/log/puppetlabs/puppetdb/puppetdb-status.log + true + + + /var/log/puppetlabs/puppetdb/puppetdb-status-%d{yyyy-MM-dd}.%i.log.gz + + 200MB + 90 + 1GB + + + + %m%n + + + + + + + + + + + + + diff --git a/templates/puppetdb/puppetdb.conf.erb b/templates/puppetdb/puppetdb.conf.erb index 1362f44..e4f4e70 100644 --- a/templates/puppetdb/puppetdb.conf.erb +++ b/templates/puppetdb/puppetdb.conf.erb @@ -3,5 +3,5 @@ ############################################################################### [main] -server_urls = https://<%= @pt_db_fqdn %>:<%= @pt_ssl_port %> -soft_write_failure = <%= @pt_soft_write_failure %> \ No newline at end of file +server_urls = https://<%= @pt_puppetdb_server%>:<%= @pt_ssl_port %> +soft_write_failure = <%= @pt_soft_write_failure %> diff --git a/templates/puppetdb/repl.ini.erb b/templates/puppetdb/repl.ini.erb new file mode 100644 index 0000000..a851985 --- /dev/null +++ b/templates/puppetdb/repl.ini.erb @@ -0,0 +1,13 @@ +############################################################################### +########## repl.ini managed by puppet agent ########## +############################################################################### + +[nrepl] +<% if @pt_enable_repl == true %> +enabled = <%= @pt_enable_repl %> +port = <% @pt_repl_port %> +host = <%= @pt_repl_host %> +<% else %> +# REPL is disabled for security reasons and not normally not required. +# To enable it, set `$pt_enable_repl` to `true`. +<% end %> diff --git a/templates/puppetdb/request_logging.xml.erb b/templates/puppetdb/request_logging.xml.erb new file mode 100644 index 0000000..aff8cb7 --- /dev/null +++ b/templates/puppetdb/request_logging.xml.erb 
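Review bot: logback.xml.erb hard-codes the log paths (`/var/log/puppetlabs/puppetdb/puppetdb.log`, `…/puppetdb-status.log`) and the rotation limits (`200MB`, `90`, `1GB`) even though params.pp provides `$pt_puppetdb_log`, `$pt_logging_max_file_size`, `$pt_logging_max_history` and `$pt_logging_total_size`, which request_logging.xml.erb in the same commit does render; the file is an `.erb` with no ERB tag at all, so changing the log directory or limits in params silently leaves this file unchanged. Render them from the variables, e.g. `<%= @pt_puppetdb_log %>/puppetdb.log` and `<%= @pt_logging_max_file_size %>`, as the request-logging template does. The file is also added with mode `100755`, which a configuration template does not need. The XML element names of this hunk were lost in the rendering I see, so I cannot check the appender structure itself.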
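Review bot: `port = <% @pt_repl_port %>` uses `<% %>` rather than `<%= %>`, so the expression is evaluated but nothing is printed and the rendered line is `port = ` with no value; change it to `port = <%= @pt_repl_port %>`. In the `else` branch nothing is written under `[nrepl]`, so whether the REPL is off depends on the service's built-in default rather than on anything visible on disk; writing `enabled = false` there makes the intended state explicit and auditable. The comment in that branch also reads "not normally not required".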
@@ -0,0 +1,17 @@ + + + <%= @pt_puppetdb_access_log %>.log + true + + <%= @pt_puppetdb_access_log %>-%d{yyyy-MM-dd}.%i.log.gz + + <%= @pt_logging_max_file_size %> + <%= @pt_loging_max_history %> + <%= @pt_logging_total_size %> + + + %h %l %u [%t] "%r" %s %b "%i{Referer}" "%i{User-Agent}" %D + + + +
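Review bot: `<%= @pt_loging_max_history %>` misspells the parameter — params.pp in this commit documents it as `pt_logging_max_history` — so the template references an instance variable that is never set, Puppet's ERB renders it as empty, and the history limit element is written without a value. Change it to `<%= @pt_logging_max_history %>`. The XML element names of this hunk were lost in the rendering I see, so I cannot verify that the three limits land in the elements logback expects.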