Diffstat (limited to 'manifests/web.pp')
-rw-r--r-- | manifests/web.pp | 100 |
1 files changed, 66 insertions, 34 deletions
diff --git a/manifests/web.pp b/manifests/web.pp index f89ac4e..db28e07 100644 --- a/manifests/web.pp +++ b/manifests/web.pp @@ -1,4 +1,5 @@ # @summary A concourse web node. +# # # @param service # The name of the system service. # This service WILL be managed by us. 
@@ -16,26 +17,62 @@ # removing that resource. # @param ensure # @param cluster -# If this web node is part of a cluster of web nodes, name that -# cluster. This will create an `nginx::resoruce::upstream::member` -# resource for this node, which should be realized by -# `concourse::proxy::nginx` -# -# Also requires `peer_address` to be set +# Which concourse this web node is part of. An +# `nginx::resource::upstream::member` resource will be exported, +# which can be realized by the `concourse::proxy::nginx` resource. # # @param peer_address -# Peer address used when used in a cluster +# Address to use when connecting this node to the cluster. +# Should preferably be a private address, since the cluster should +# only be exposed publicly through the load balancer. +# +# Despite that, defaults to `$facts['ipaddress']`, since that +# forces it to work. +# +# Note that concourse always binds on port 8080, this is currently +# not configurable. +# +# @param postgres_user +# @param postgres_password +# @param session_signing_key +# +# Maps to `CONCOURSE_SESSION_SIGNING_KEY`, and is the key private key generated by +# concourse generate-key -t rsa -f ./session_signing_key +# That command will also emit a public key, but that key should be discarded since it's unused. +# +# This key is used for signing and verifying user session tokens. +# +# @param tsa_private_key +# Private key used to validate SSH connections from workers. # -# Also requires `cluster` to be set. +# Generated by +# concourse generate-key -t ssh -f ./tsa_host_key # -# Remaining keys maps directly to concourse configurations. +# Maps to `CONCOURSE_TSA_HOST_KEY`, and the public part should be passed to each worker. 
+# +# @param worker_public_keys +# @param key_dir +# @param session_signing_key_file +# @param tsa_host_key_file +# @param tsa_authorized_keys_file +# @param postgres_host +# @param postgres_port +# @param postgres_socket +# @param postgres_database +# @param external_url +# Publicly facing url of this cluster. Mainly used by the web server to generate proper links. +# +# For example, 'https://concourse.example.com' +# @param api_max_conns +# @param backend_max_conns +# @param packages class concourse::web ( - String $postgres_user = lookup("concourse::${cluster}::postgres_user"), - Variant[String, Sensitive[String]] $postgres_password = lookup("concourse::${cluster}::postgres_password"), + String $cluster = $concourse::default_cluster, + String $postgres_user = $concourse::configured_clusters[$cluster]['postgres_user'], + Variant[String, Sensitive[String]] $postgres_password = $concourse::configured_clusters[$cluster]['postgres_password'], - Variant[String, Sensitive[String]] $session_signing_key = lookup("concourse::${cluster}::session_signing_key"), - Variant[String, Sensitive[String]] $tsa_private_key = lookup("concourse::${cluster}::tsa_private_key"), - Variant[String, Sensitive[String]] $tsa_public_key = lookup("concourse::${cluster}::tsa_public_key"), + Variant[String, Sensitive[String]] $session_signing_key = $concourse::configured_clusters[$cluster]['session_signing_key'], + Variant[String, Sensitive[String]] $tsa_private_key = $concourse::configured_clusters[$cluster]['tsa_private_key'], Array[String] $worker_public_keys = [], String $key_dir = '/usr/lib/concourse', @@ -43,7 +80,6 @@ class concourse::web ( String $tsa_host_key_file = "${key_dir}/tsa_host_key", String $tsa_authorized_keys_file = "${key_dir}/authorized_worker_keys", - String $cluster = 'default', Optional[String] $peer_address = undef, Optional[String] $postgres_host = undef, 
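Review bot: The new `@param peer_address` text says it "defaults to `$facts['ipaddress']`", but the declaration (a context line in the next hunk) still reads `Optional[String] $peer_address = undef,`, so the documented fallback does not exist and an unset value is passed straight through to the exported upstream member. Either give the parameter the default the doc promises, `Optional[String] $peer_address = $facts['networking']['ip'],` (the structured fact; the legacy `ipaddress` fact is not available on Puppet 8 unless legacy facts are enabled), or drop that sentence — and the doc's own warning that the primary interface address may not be private still applies to such a default. Separately, the `session_signing_key` paragraph reads "is the key private key generated by"; drop the stray "key". The class parameter list continues past the end of this hunk.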
@@ -52,27 +88,27 @@ class concourse::web ( Optional[String] $postgres_database = undef, - Optional[String] $external_url = undef, + String $external_url = "https://${concourse::configured_clusters[$cluster]['external_domain']}", Optional[Integer] $api_max_conns = undef, Optional[Integer] $backend_max_conns = undef, String $service = 'concourse', String $service_unit = "${service}.service", - Std::AbsolutePath $conf_file = '/etc/conf.d/concourse', - Std::AbsolutePath $conf_dir = '/etc/conf.d/concourse.d', + Stdlib::Absolutepath $conf_file = '/etc/conf.d/concourse', + Stdlib::Absolutepath $conf_dir = '/etc/conf.d/concourse.d', Boolean $purge_conf_dir = true, Enum['absent', 'present'] $ensure = 'present', Array[String] $packages = [ 'concourse', - 'councourse-resource-types', + 'concourse-resource-types', ], ) { include concourse ensure_packages($packages, { - ensure => $ensure, + ensure => $ensure, }) $env = { @@ -99,7 +135,7 @@ class concourse::web ( ensure => $ensure, mode => '0600', show_diff => false, - content => epp("${module_name}/env.epp", $env), + content => epp("${module_name}/env.epp", { 'entries' => $env }), } file { $conf_dir: @@ -125,16 +161,13 @@ class concourse::web ( content => $session_signing_key, ; $tsa_host_key_file: - conent => $tsa_private_key, - ; - "${tsa_host_key_file}.pub": - content => $tsa_public_key, + content => $tsa_private_key, ; } concat { "authorized_workers_key - ${cluster}": - target => $tsa_authorized_keys_file, - warning => '# File managed by puppet, local changes WILL be overwritten', + path => $tsa_authorized_keys_file, + warn => '# File managed by puppet, local changes WILL be overwritten', ensure_newline => true, } @@ -145,7 +178,7 @@ class concourse::web ( } } - Worker_key <<| cluster == $cluster |>> + Concourse::Worker_key <<| cluster == $cluster |>> systemd::unit_file { $service_unit: ensure => $ensure, 
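Review bot: `String $external_url = "https://${concourse::configured_clusters[$cluster]['external_domain']}"` accepts any string, and if the cluster entry has no `external_domain` the undef interpolates to an empty string so the default silently becomes `https://`. Since the new doc says this is the public URL the web node generates links from, tighten the type to `Stdlib::HTTPSUrl $external_url = ...` so a plain-http override is rejected at compile time, and fail fast on the missing key near the top of the body, e.g. `if $external_url == 'https://' { fail("concourse::configured_clusters['${cluster}'] has no external_domain") }` (the HTTPSUrl pattern still matches a bare `https://`, hence the explicit check). The enclosing parameter list starts before this hunk.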
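Review bot: The `$tsa_host_key_file` entry now writes `content => $tsa_private_key` and `$session_signing_key_file` writes the signing key, but this hunk shows only the `content` attributes; whatever mode and diff settings the enclosing `file { ... ; }` group applies are above the hunk and not visible here. Both values are declared `Variant[String, Sensitive[String]]`, so a caller passing a plain String will have the private key in the catalog and in the agent's change diff unless the group sets `mode => '0600'` and `show_diff => false` the way the env file does in the `@@ -99` hunk; please confirm it does, or add them per entry. Consider also wrapping a plain-String value in `Sensitive(...)` before it reaches `content` so reports and logs are redacted. The `file` group's opening and any defaults lie before the start of this hunk.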
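Review bot: `Concourse::Worker_key <<| cluster == $cluster |>>` realizes every exported `concourse::worker_key` whose `cluster` matches, and as far as this hunk shows nothing else limits who may export one, so any agent whose catalog exports a worker key with this cluster name gets its public key into `$tsa_authorized_keys_file` and can register as a worker. That is inherent to exported resources, but it makes PuppetDB and agent-certificate trust the effective authorization boundary for TSA workers, which is worth stating next to the collector: `# NOTE: every node that exports a concourse::worker_key for this cluster is authorized as a worker; PuppetDB/agent-cert trust is the boundary here.` If a stricter policy is wanted, the define could carry `$trusted['certname']` in its title or a tag and the collector could restrict on that. The enclosing class continues outside this hunk.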
@@ -155,11 +188,10 @@ class concourse::web ( enable => true, } - if $peer_address { - @@nginx::resource::upstream::member { $facts['trusted']['certname']: - ensure => $ensure, - upstream => "concourse - ${cluster}", - server => $peer_address, - } + # Exported resource + @@nginx::resource::upstream::member { $trusted['certname']: + ensure => $ensure, + upstream => "concourse - ${cluster}", + server => "${peer_address}:8080", } } |
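Review bot: Dropping the `if $peer_address` guard means the member is now always exported with `server => "${peer_address}:8080"`, and since `$peer_address` is declared `Optional[String] ... = undef` in an earlier hunk, an unset value exports `server => ':8080'` into the proxy's upstream instead of being omitted. Either keep the guard or supply the fallback the parameter doc promises, e.g. `server => "${pick($peer_address, $facts['networking']['ip'])}:8080",` (stdlib's `pick`, which this manifest already depends on). Whichever fallback is chosen should be an address reachable only from the load balancer, as the doc asks, since the node binds plain 8080 without TLS termination of its own. The enclosing class starts before this hunk.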