authorHugo Hörnquist <hugo@lysator.liu.se>2023-06-18 20:35:48 +0200
committerHugo Hörnquist <hugo@lysator.liu.se>2023-06-20 00:26:09 +0200
commit5e1032519189f3b6fa793cec81833a781a91d8f2 (patch)
tree51a5ba59974e61f7a56128afcb324d49c9f8b7c8 /manifests/worker.pp
parentInitial add. (diff)
Rewrote almost everything.
Diffstat (limited to 'manifests/worker.pp')
-rw-r--r--manifests/worker.pp87
1 files changed, 47 insertions, 40 deletions
diff --git a/manifests/worker.pp b/manifests/worker.pp
index 18703f2..2d25395 100644
--- a/manifests/worker.pp
+++ b/manifests/worker.pp
@@ -1,4 +1,4 @@
-# @summary A Concourse workre
+# @summary A Concourse worker
#
# Declared as a class, since the upstream documentation explicitly states
# that multiple workers on a single node is nonsensical. This may however
@@ -6,10 +6,10 @@
# a worker to a specific team or tag exists, and linux can limit the amount
# of resources given to a given process (this gets even easier through systemd,
# which the module currently uses extensively).
-
+#
# @param key_dir
# Directory in which keys should be stored.
-# @param worker_key_file
+# @param worker_public_key_file
# File in which the worker's public key should be stored
# @param worker_private_key_file
# File in which the worker ns private key should be stored.
@@ -26,6 +26,8 @@
# Network address to the master (web) node that this worker should connect to.
# @param tsa_public_key
# Public key of this workers master.
+#
+# MUST match the private key given to the corresponding web node as `tsa_private_key`.
# @param worker_public_key
# Public key of this worker. Only used if `$manage_private_key` is
# false, otherwise a key will be automatically generated.
@@ -40,11 +42,14 @@
# public portion exported as a fact.
# @param export_public_key
# Should an exported resource with this nodes public key be created.
-# This reads the fact from `$worker_public_key` and creates an exported
-# resource of type `concourse::worker_key`, which will allow the master
-# to realize it.
-# @param tag
-# List of arbitrary tags to connnect to this worker. Can be used by
+# The key is read from the local file configured in `$worker_public_key_file`.
+#
+# Each web node in the same cluster will collect these keys.
+#
+# This required a Puppet database to be configured
+# (not in this module, just generally).
+# @param concourse_tag
+# List of arbitrary tags to connect to this worker. Can be used by
# pipelines which requires specific environments.
# @param team
# Limit this worker to a specific team.
@@ -55,45 +60,45 @@
# @param healthcheck_timeout
# Timeout for health check.
# @param extra_env
-# A hash of extra environment variables which will be passed directly
+# A hash of extra environment variables which will be passed directly
# to the worker process.
class concourse::worker (
- Std::AbsolutePath $key_dir = '/usr/lib/concourse',
- Std::AbsolutePath $worker_key_file = "${key_dir}/worker_key",
- Std::AbsolutePath $worker_private_key_file = "${worker_key_file}.pub",
- String $cluster = $concourse::default_cluster,
- String $service = $concourse::worker_service,
- String $service_unit = "${service}.service",
- Enum['absent', 'present'] $ensure = 'present',
+ String $cluster = $concourse::default_cluster,
+ Stdlib::Absolutepath $key_dir = '/usr/lib/concourse',
+ Stdlib::Absolutepath $worker_private_key_file = "${key_dir}/worker_key",
+ Stdlib::Absolutepath $worker_public_key_file = "${worker_private_key_file}.pub",
+ String $service = $concourse::worker_service,
+ String $service_unit = "${service}.service",
+ Enum['absent', 'present'] $ensure = 'present',
- String $work_dir = $concourse::worker_work_dir,
- String $tsa_host = lookup("concourse::${cluster}::tsa_host"),
- String $tsa_public_key = lookup("concourse::${cluster}::tsa_public_key"),
- Optinal[String] $worker_public_key = undef,
- Optinal[String] $worker_private_key = undef,
- Boolean $manage_private_key = $worker_private_key == undef,
- Boolean $export_public_key = true,
- Optional[Array[String]] $tag = undef,
- Optinal[String] $team = undef,
+ String $work_dir = $concourse::worker_work_dir,
+ String $tsa_host = $concourse::configured_clusters[$cluster]['external_domain'],
+ String $tsa_public_key = $concourse::configured_clusters[$cluster]['tsa_public_key'],
+ Optional[String] $worker_public_key = undef,
+ Optional[String] $worker_private_key = undef,
+ Boolean $manage_private_key = $worker_private_key == undef,
+ Boolean $export_public_key = true,
+ Optional[Array[String]] $concourse_tag = undef,
+ Optional[String] $team = undef,
- String $healthcheck_bind_ip = '0.0.0.0',
- Stdlib::Port $healthcheck_bind_port = 8888,
- String $healthcheck_timeout = '5s',
+ String $healthcheck_bind_ip = '0.0.0.0',
+ Stdlib::Port $healthcheck_bind_port = 8888,
+ String $healthcheck_timeout = '5s',
- Hash[String, Any] $extra_env = {},
+ Hash[String, Any] $extra_env = {},
) {
ensure_packages([
- 'concourse',
+ 'concourse',
])
if $manage_private_key {
exec { 'Concourse generate worker key':
- command => ['concourse', 'generate-key', '-t', 'ssh', '-f', $worker_key_file],
- creates => $worker_private_key_file, # and worker_key_file
- path => ['/sbin', '/usr/sbin', '/bin', '/usr/bin',]
+ command => ['concourse', 'generate-key', '-t', 'ssh', '-f', $worker_private_key_file],
+ creates => $worker_private_key_file, # and worker_public_key_file
+ path => ['/sbin', '/usr/sbin', '/bin', '/usr/bin'],
}
} else {
- file { $worker_key_file:
+ file { $worker_public_key_file:
content => $worker_public_key,
}
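Review bot: Nothing in this hunk pins the owner or mode of the private key that the `exec` writes to `$worker_private_key_file`, so its permissions are whatever `concourse generate-key` and the agent's umask produce. The containing `$key_dir` (`/usr/lib/concourse` by default) is not managed in the visible lines either. Adding `file { $worker_private_key_file: mode => '0600', require => Exec['Concourse generate worker key'] }` to the `$manage_private_key` branch would make the restriction explicit, in line with the `0600` already used for `/etc/conf.d/concourse-worker`. The class body continues past the end of this hunk, so this may already be handled in lines not shown.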
@@ -104,15 +109,18 @@ class concourse::worker (
}
if $export_public_key {
- @@concourse::worker_key { "${facts['trusted']['certname']} worker key":
- content => $facts['concourse_worker_key'],
+ @@concourse::worker_key { "${trusted['certname']} worker key":
+ content => $worker_public_key_file,
cluster => $cluster,
+ # Requiring File[$worker_public_file] would be semantically better,
+ # but it appears like Exec resources don't autorequire their "created" file.
+ require => Exec['Concourse generate worker key'],
}
}
systemd::unit_file { $service_unit:
ensure => $ensure,
- soruce => "puppet:///modules/${module_name}/concourse-worker.service",
+ source => "puppet:///modules/${module_name}/concourse-worker.service",
} ~> service { $service:
ensure => if $ensure == 'present' { 'running' } else { 'stopped' },
enable => true,
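Review bot: The exported `concourse::worker_key` now carries `require => Exec['Concourse generate worker key']`, but that Exec is only declared when `$manage_private_key` is true, so `manage_private_key => false` with the default `export_public_key => true` references a resource that is not in the catalog. Metaparameters on an exported resource also travel with it, so the collecting web node would presumably need the same Exec, which it is unlikely to have. Separately, `content => $worker_public_key_file` exports the path string rather than key material unless `concourse::worker_key` (not visible here) reads the file itself, and that read would then happen on the collecting host; the removed line took the key from `$facts['concourse_worker_key']`, which is the usual way to get agent-local file contents into an exported resource. This also disagrees with the updated `export_public_key` documentation, which says the key is read from the local file. The added comment names `$worker_public_file`, which is not a parameter; `$worker_public_key_file` is presumably meant.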
@@ -123,18 +131,17 @@ class concourse::worker (
'CONCOURSE_TSA_HOST' => $tsa_host,
'CONCOURSE_TSA_PUBLIC_KEY' => $tsa_public_key,
'CONCOURSE_TSA_WORKER_PRIVATE_KEY' => $worker_private_key_file,
- 'CONCOURSE_TAG' => $tag,
+ 'CONCOURSE_TAG' => if $concourse_tag == undef { undef } else { $concourse_tag.join(',') },
'CONCOURSE_TEAM' => $team,
'HEALTHCHECK_BIND_IP' => $healthcheck_bind_ip,
'HEALTHCHECK_BIND_PORT' => $healthcheck_bind_port,
'HEALTHCHECK_TIMEOUT' => $healthcheck_timeout,
} + $extra_env
-
file { '/etc/conf.d/concourse-worker':
ensure => $ensure,
mode => '0600',
show_diff => false,
- content => epp("${module_name}/env.epp", $env),
+ content => epp("${module_name}/env.epp", { 'entries' => $env }),
}
}
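Review bot: Joining `$concourse_tag` with `,` on the `CONCOURSE_TAG` line means a tag that itself contains a comma will presumably be read back as two tags, and an empty array yields an empty string instead of omitting the variable. Tightening the parameter type, for example `Optional[Array[Pattern[/\A[^,\s]+\z/], 1]] $concourse_tag = undef`, would reject both cases at compile time. The `undef` branch still passes an undef value into `env.epp`, which is not visible here, so it is worth confirming that the template skips undef entries rather than rendering an empty assignment.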