Diffstat (limited to 'manifests/web.pp')
-rw-r--r--manifests/web.pp100
1 files changed, 66 insertions, 34 deletions
diff --git a/manifests/web.pp b/manifests/web.pp
index f89ac4e..db28e07 100644
--- a/manifests/web.pp
+++ b/manifests/web.pp
@@ -1,4 +1,5 @@
# @summary A concourse web node.
+# #
# @param service
# The name of the system service.
# This service WILL be managed by us.
@@ -16,26 +17,62 @@
# removing that resource.
# @param ensure
# @param cluster
-# If this web node is part of a cluster of web nodes, name that
-# cluster. This will create an `nginx::resoruce::upstream::member`
-# resource for this node, which should be realized by
-# `concourse::proxy::nginx`
-#
-# Also requires `peer_address` to be set
+# Which concourse this web node is part of. An
+# `nginx::resource::upstream::member` resource will be exported,
+# which can be realized by the `concourse::proxy::nginx` resource.
#
# @param peer_address
-# Peer address used when used in a cluster
+# Address to use when connecting this node to the cluster.
+# Should preferably be a private address, since the cluster should
+# only be exposed publicly through the load balancer.
+#
+# Despite that, defaults to `$facts['ipaddress']`, since that
+# forces it to work.
+#
+# Note that concourse always binds on port 8080, this is currently
+# not configurable.
+#
+# @param postgres_user
+# @param postgres_password
+# @param session_signing_key
+#
+# Maps to `CONCOURSE_SESSION_SIGNING_KEY`, and is the key private key generated by
+# concourse generate-key -t rsa -f ./session_signing_key
+# That command will also emit a public key, but that key should be discarded since it's unused.
+#
+# This key is used for signing and verifying user session tokens.
+#
+# @param tsa_private_key
+# Private key used to validate SSH connections from workers.
#
-# Also requires `cluster` to be set.
+# Generated by
+# concourse generate-key -t ssh -f ./tsa_host_key
#
-# Remaining keys maps directly to concourse configurations.
+# Maps to `CONCOURSE_TSA_HOST_KEY`, and the public part should be passed to each worker.
+#
+# @param worker_public_keys
+# @param key_dir
+# @param session_signing_key_file
+# @param tsa_host_key_file
+# @param tsa_authorized_keys_file
+# @param postgres_host
+# @param postgres_port
+# @param postgres_socket
+# @param postgres_database
+# @param external_url
+# Publicly facing url of this cluster. Mainly used by the web server to generate proper links.
+#
+# For example, 'https://concourse.example.com'
+# @param api_max_conns
+# @param backend_max_conns
+# @param packages
class concourse::web (
- String $postgres_user = lookup("concourse::${cluster}::postgres_user"),
- Variant[String, Sensitive[String]] $postgres_password = lookup("concourse::${cluster}::postgres_password"),
+ String $cluster = $concourse::default_cluster,
+ String $postgres_user = $concourse::configured_clusters[$cluster]['postgres_user'],
+ Variant[String, Sensitive[String]] $postgres_password = $concourse::configured_clusters[$cluster]['postgres_password'],
- Variant[String, Sensitive[String]] $session_signing_key = lookup("concourse::${cluster}::session_signing_key"),
- Variant[String, Sensitive[String]] $tsa_private_key = lookup("concourse::${cluster}::tsa_private_key"),
- Variant[String, Sensitive[String]] $tsa_public_key = lookup("concourse::${cluster}::tsa_public_key"),
+ Variant[String, Sensitive[String]] $session_signing_key = $concourse::configured_clusters[$cluster]['session_signing_key'],
+ Variant[String, Sensitive[String]] $tsa_private_key = $concourse::configured_clusters[$cluster]['tsa_private_key'],
Array[String] $worker_public_keys = [],
String $key_dir = '/usr/lib/concourse',
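Review bot: The new `peer_address` documentation says the parameter defaults to `$facts['ipaddress']`, but the parameter itself (visible as unchanged context further down, `Optional[String] $peer_address = undef`) still has no default, so unless the fallback is applied in the class body outside this hunk the comment describes behaviour that does not exist; either add the default or reword it to `Defaults to undef; set it to the private address the proxy should reach this node on.` The three secrets are now read straight out of `$concourse::configured_clusters[$cluster]`, and `Variant[String, Sensitive[String]]` still accepts plaintext, so whether `postgres_password`, `session_signing_key` and `tsa_private_key` are redacted in the catalog, reports and agent debug output depends entirely on how that hash was built. If the hash values are plain strings, consider tightening the type and wrapping the default, e.g. `Sensitive[String] $tsa_private_key = Sensitive($concourse::configured_clusters[$cluster]['tsa_private_key']),`. Minor wording: `is the key private key generated by` should read `is the private key generated by`.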
@@ -43,7 +80,6 @@ class concourse::web (
String $tsa_host_key_file = "${key_dir}/tsa_host_key",
String $tsa_authorized_keys_file = "${key_dir}/authorized_worker_keys",
- String $cluster = 'default',
Optional[String] $peer_address = undef,
Optional[String] $postgres_host = undef,
@@ -52,27 +88,27 @@ class concourse::web (
Optional[String] $postgres_database = undef,
- Optional[String] $external_url = undef,
+ String $external_url = "https://${concourse::configured_clusters[$cluster]['external_domain']}",
Optional[Integer] $api_max_conns = undef,
Optional[Integer] $backend_max_conns = undef,
String $service = 'concourse',
String $service_unit = "${service}.service",
- Std::AbsolutePath $conf_file = '/etc/conf.d/concourse',
- Std::AbsolutePath $conf_dir = '/etc/conf.d/concourse.d',
+ Stdlib::Absolutepath $conf_file = '/etc/conf.d/concourse',
+ Stdlib::Absolutepath $conf_dir = '/etc/conf.d/concourse.d',
Boolean $purge_conf_dir = true,
Enum['absent', 'present'] $ensure = 'present',
Array[String] $packages = [
'concourse',
- 'councourse-resource-types',
+ 'concourse-resource-types',
],
) {
include concourse
ensure_packages($packages, {
- ensure => $ensure,
+ ensure => $ensure,
})
$env = {
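Review bot: The new `$external_url` default silently becomes the bare string `https://` when `external_domain` is missing from `$concourse::configured_clusters[$cluster]`, because interpolating an undefined hash value yields an empty string and the `String` type accepts that; since the header says this URL is what the web node uses to generate links, a bad value only surfaces later as broken links. A stricter type would fail at catalog compile instead, e.g. `Pattern[/\Ahttps:\/\/[^\/\s]+/] $external_url = "https://${concourse::configured_clusters[$cluster]['external_domain']}",` (`Stdlib::HTTPSUrl` is not enough here, as its pattern also matches a bare `https://`). The class parameter list starts and ends outside this hunk.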
@@ -99,7 +135,7 @@ class concourse::web (
ensure => $ensure,
mode => '0600',
show_diff => false,
- content => epp("${module_name}/env.epp", $env),
+ content => epp("${module_name}/env.epp", { 'entries' => $env }),
}
file { $conf_dir:
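Review bot: The env file is rendered with plain `epp()`, so unless the template unwraps them, any `Sensitive` value in `$env` (the password and keys accepted as `Sensitive[String]` above) is written out as the literal `Sensitive [value redacted]` rather than the secret, and if they are plain strings the rendered content sits unredacted in the catalog and in agent debug output; `show_diff => false` only hides the report diff. Wrapping the result keeps it out of the catalog: `content => Sensitive(epp("${module_name}/env.epp", { 'entries' => $env })),`, with the template calling `unwrap` on each Sensitive entry it prints. The `$env` hash and the `file` resource both start outside this hunk, so I cannot see how the entries are built.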
@@ -125,16 +161,13 @@ class concourse::web (
content => $session_signing_key,
;
$tsa_host_key_file:
- conent => $tsa_private_key,
- ;
- "${tsa_host_key_file}.pub":
- content => $tsa_public_key,
+ content => $tsa_private_key,
;
}
concat { "authorized_workers_key - ${cluster}":
- target => $tsa_authorized_keys_file,
- warning => '# File managed by puppet, local changes WILL be overwritten',
+ path => $tsa_authorized_keys_file,
+ warn => '# File managed by puppet, local changes WILL be overwritten',
ensure_newline => true,
}
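Review bot: Dropping the `"${tsa_host_key_file}.pub"` file together with the `$tsa_public_key` parameter leaves no managed copy of the TSA host public key, yet the header still tells the operator that `the public part should be passed to each worker`; if workers are meant to receive it from the same `configured_clusters` hash, say so there, otherwise the public half needs to be written somewhere. The private key is now written with `content => $tsa_private_key`, whose `mode`, `owner` and `show_diff` come from the `file` defaults that start outside this hunk; worth confirming they match the `0600` / `show_diff => false` used for the env file, since this is the host key the workers trust. Suggested header wording: `Only the private key is written here; derive the public half with ssh-keygen -y -f tsa_host_key and give it to the workers.`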
@@ -145,7 +178,7 @@ class concourse::web (
}
}
- Worker_key <<| cluster == $cluster |>>
+ Concourse::Worker_key <<| cluster == $cluster |>>
systemd::unit_file { $service_unit:
ensure => $ensure,
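Review bot: `Concourse::Worker_key <<| cluster == $cluster |>>` collects from PuppetDB with no condition other than the cluster name, so any agent with a valid Puppet certificate that exports a `concourse::worker_key` carrying this cluster name gets its SSH key appended to `authorized_worker_keys` on every web node of the cluster; exported resources carry no authorisation beyond the exporter's agent cert, and tags would not help since the exporter sets those too. That is probably acceptable in a trusted Puppet estate, but it is a trust boundary worth stating next to the collector, e.g. `# Trust boundary: any node that can export a concourse::worker_key for this cluster becomes an authorised worker.` The class body continues on both sides of this hunk.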
@@ -155,11 +188,10 @@ class concourse::web (
enable => true,
}
- if $peer_address {
- @@nginx::resource::upstream::member { $facts['trusted']['certname']:
- ensure => $ensure,
- upstream => "concourse - ${cluster}",
- server => $peer_address,
- }
+ # Exported resource
+ @@nginx::resource::upstream::member { $trusted['certname']:
+ ensure => $ensure,
+ upstream => "concourse - ${cluster}",
+ server => "${peer_address}:8080",
}
}
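Review bot: Removing the `if $peer_address` guard means a node with the parameter left at its `undef` default (it is still declared `Optional[String] $peer_address = undef` earlier in the class) now exports `server => ":8080"`, which the proxy will try to realise as an upstream member; the header promises a fallback to `$facts['ipaddress']` but nothing visible here applies it. Either restore the guard or make the documented default real, e.g. `server => "${pick($peer_address, $facts['networking']['ip'])}:8080",` (the header's `$facts['ipaddress']` is the legacy name for the same value). Bear in mind that the fallback is the node's primary interface address, so port 8080 has to be reachable only from the proxy (firewall or bind address) for the header's `only exposed publicly through the load balancer` statement to hold. The enclosing class body starts before this hunk.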