From 5e1032519189f3b6fa793cec81833a781a91d8f2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?=
Date: Sun, 18 Jun 2023 20:35:48 +0200
Subject: Rewrote almost everything.
---
 manifests/worker.pp | 87 +++++++++++++++++++++++++++++------------------------
 1 file changed, 47 insertions(+), 40 deletions(-)
(limited to 'manifests/worker.pp')
diff --git a/manifests/worker.pp b/manifests/worker.pp
index 18703f2..2d25395 100644
--- a/manifests/worker.pp
+++ b/manifests/worker.pp
@@ -1,4 +1,4 @@
-# @summary A Concourse workre
+# @summary A Concourse worker
 #
 # Declared as a class, since the upstream documentation explicitly states
 # that multiple workers on a single node is nonsensical. This may however
@@ -6,10 +6,10 @@
 # a worker to a specific team or tag exists, and linux can limit the amount
 # of resources given to a given process (this gets even easier through systemd,
 # which the module currently uses extensively).
-
+#
 # @param key_dir
 # Directory in which keys should be stored.
-# @param worker_key_file
+# @param worker_public_key_file
 # File in which the worker's public key should be stored
 # @param worker_private_key_file
 # File in which the worker ns private key should be stored.
@@ -26,6 +26,8 @@
 # Network address to the master (web) node that this worker should connect to.
 # @param tsa_public_key
 # Public key of this workers master.
+#
+# MUST match the private key given to the corresponding web node as `tsa_private_key`.
 # @param worker_public_key
 # Public key of this worker. Only used if `$manage_private_key` is
 # false, otherwise a key will be automatically generated.
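Review bot: The sentence added under `tsa_public_key` says the public key "MUST match the private key", which reads as if the same value were handed to both nodes; it is the public half of the web node's TSA key pair, and the comment should say so, since this value is the only thing the worker uses to authenticate the host it ships its credentials to. I would write `# MUST be the public half of the key pair whose private half the corresponding web node receives as \`tsa_private_key\`; the worker uses it to verify the TSA host it connects to.` The surviving line `Public key of this workers master.` could then become `Public key of this worker's master (the TSA host key).` Whether a mismatch is rejected outright or only logged is not visible in this change, so do not claim either in the comment.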
@@ -40,11 +42,14 @@
 # public portion exported as a fact.
 # @param export_public_key
 # Should an exported resource with this nodes public key be created.
-# This reads the fact from `$worker_public_key` and creates an exported
-# resource of type `concourse::worker_key`, which will allow the master
-# to realize it.
-# @param tag
-# List of arbitrary tags to connnect to this worker. Can be used by
+# The key is read from the local file configured in `$worker_public_key_file`.
+#
+# Each web node in the same cluster will collect these keys.
+#
+# This required a Puppet database to be configured
+# (not in this module, just generally).
+# @param concourse_tag
+# List of arbitrary tags to connect to this worker. Can be used by
 # pipelines which requires specific environments.
 # @param team
 # Limit this worker to a specific team.
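Review bot: The new `export_public_key` text omits the trust consequence of the exported resource: if the web nodes collect every `concourse::worker_key` whose `cluster` matches, then any host whose Puppet agent can compile a catalog declaring this class for that cluster gets its key authorised on the TSA, so node classification, PuppetDB and the agent certificates become the worker-admission control rather than anything in Concourse. I would add `# Note: any node that can export a \`concourse::worker_key\` for this cluster is thereby authorised as a worker; restrict who may classify nodes with this class and who can write to PuppetDB.` The collection side is not visible in this hunk, so that caveat is conditional on the web node filtering on `cluster` alone. Also `This required a Puppet database to be configured` should read `This requires PuppetDB to be configured`, and the unchanged context line `public portion exported as a fact.` now contradicts the new "read from the local file" sentence and should be reconciled with whichever mechanism is actually used.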
@@ -55,45 +60,45 @@ # @param healthcheck_timeout # Timeout for health check. # @param extra_env -# A hash of extra environment variables which will be passed directly +# A hash of extra environment variables which will be passed directly # to the worker process. class concourse::worker ( - Std::AbsolutePath $key_dir = '/usr/lib/concourse', - Std::AbsolutePath $worker_key_file = "${key_dir}/worker_key", - Std::AbsolutePath $worker_private_key_file = "${worker_key_file}.pub", - String $cluster = $concourse::default_cluster, - String $service = $concourse::worker_service, - String $service_unit = "${service}.service", - Enum['absent', 'present'] $ensure = 'present', + String $cluster = $concourse::default_cluster, + Stdlib::Absolutepath $key_dir = '/usr/lib/concourse', + Stdlib::Absolutepath $worker_private_key_file = "${key_dir}/worker_key", + Stdlib::Absolutepath $worker_public_key_file = "${worker_private_key_file}.pub", + String $service = $concourse::worker_service, + String $service_unit = "${service}.service", + Enum['absent', 'present'] $ensure = 'present', - String $work_dir = $concourse::worker_work_dir, - String $tsa_host = lookup("concourse::${cluster}::tsa_host"), - String $tsa_public_key = lookup("concourse::${cluster}::tsa_public_key"), - Optinal[String] $worker_public_key = undef, - Optinal[String] $worker_private_key = undef, - Boolean $manage_private_key = $worker_private_key == undef, - Boolean $export_public_key = true, - Optional[Array[String]] $tag = undef, - Optinal[String] $team = undef, + String $work_dir = $concourse::worker_work_dir, + String $tsa_host = $concourse::configured_clusters[$cluster]['external_domain'], + String $tsa_public_key = $concourse::configured_clusters[$cluster]['tsa_public_key'], + Optional[String] $worker_public_key = undef, + Optional[String] $worker_private_key = undef, + Boolean $manage_private_key = $worker_private_key == undef, + Boolean $export_public_key = true, + Optional[Array[String]] $concourse_tag = undef, 
+ Optional[String] $team = undef, - String $healthcheck_bind_ip = '0.0.0.0', - Stdlib::Port $healthcheck_bind_port = 8888, - String $healthcheck_timeout = '5s', + String $healthcheck_bind_ip = '0.0.0.0', + Stdlib::Port $healthcheck_bind_port = 8888, + String $healthcheck_timeout = '5s', - Hash[String, Any] $extra_env = {}, + Hash[String, Any] $extra_env = {}, ) { ensure_packages([ - 'concourse', + 'concourse', ]) if $manage_private_key { exec { 'Concourse generate worker key': - command => ['concourse', 'generate-key', '-t', 'ssh', '-f', $worker_key_file], - creates => $worker_private_key_file, # and worker_key_file - path => ['/sbin', '/usr/sbin', '/bin', '/usr/bin',] + command => ['concourse', 'generate-key', '-t', 'ssh', '-f', $worker_private_key_file], + creates => $worker_private_key_file, # and worker_public_key_file + path => ['/sbin', '/usr/sbin', '/bin', '/usr/bin'], } } else { - file { $worker_key_file: + file { $worker_public_key_file: content => $worker_public_key, } @@ -104,15 +109,18 @@ class concourse::worker ( } if $export_public_key { - @@concourse::worker_key { "${facts['trusted']['certname']} worker key": - content => $facts['concourse_worker_key'], + @@concourse::worker_key { "${trusted['certname']} worker key": + content => $worker_public_key_file, cluster => $cluster, + # Requiring File[$worker_public_file] would be semantically better, + # but it appears like Exec resources don't autorequire their "created" file. + require => Exec['Concourse generate worker key'], } } systemd::unit_file { $service_unit: ensure => $ensure, - soruce => "puppet:///modules/${module_name}/concourse-worker.service", + source => "puppet:///modules/${module_name}/concourse-worker.service", } ~> service { $service: ensure => if $ensure == 'present' { 'running' } else { 'stopped' }, enable => true, 
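Review bot: Nothing in the visible code sets the mode of `$worker_private_key_file`: the `exec` leaves the generated key with whatever permissions `concourse generate-key` and the agent's umask produce, and nothing would repair a later loosening. Unless the lines between this hunk and the next already do so, add in the `manage_private_key` branch `file { $worker_private_key_file: ensure => file, mode => '0600', require => Exec['Concourse generate worker key'] }` (no `content`, so the generated key is left untouched) and put a `mode => '0600'` on whichever resource writes the operator-supplied private key in the `else` branch. Separately, because `$manage_private_key` defaults to `$worker_private_key == undef`, passing only `worker_public_key` silently generates a fresh key pair and ignores the supplied public key; a guard such as `if $manage_private_key and $worker_public_key { fail('worker_public_key given without worker_private_key') }` would surface that mistake. This hunk ends inside the `else` branch and the class body continues beyond it.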
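Review bot: The exported `concourse::worker_key` now carries `require => Exec['Concourse generate worker key']` unconditionally, but that `exec` is only declared when `$manage_private_key` is true, so `manage_private_key => false` with the default `export_public_key => true` fails catalog compilation on a missing resource; use `require => if $manage_private_key { Exec['Concourse generate worker key'] } else { File[$worker_public_key_file] },`. More seriously, `content => $worker_public_key_file` exports the path string rather than the key: exported-resource parameters are evaluated while the worker's catalog is compiled on the puppetserver, so neither the collecting web node nor a catalog-side `file()` call can read that file on the worker, which is why the removed line used the `concourse_worker_key` fact (and the context line `public portion exported as a fact.` in the earlier hunk still describes that design). Unless `concourse::worker_key` resolves `content` in some way not visible here, keep the fact and pass `content => $facts['concourse_worker_key']`, otherwise the web nodes will be handed a literal path where an authorised key is expected. The `if $export_public_key` block is fully inside the hunk, but the class continues on both sides of it.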
@@ -123,18 +131,17 @@ class concourse::worker (
     'CONCOURSE_TSA_HOST' => $tsa_host,
     'CONCOURSE_TSA_PUBLIC_KEY' => $tsa_public_key,
     'CONCOURSE_TSA_WORKER_PRIVATE_KEY' => $worker_private_key_file,
-    'CONCOURSE_TAG' => $tag,
+    'CONCOURSE_TAG' => if $concourse_tag == undef { undef } else { $concourse_tag.join(',') },
     'CONCOURSE_TEAM' => $team,
     'HEALTHCHECK_BIND_IP' => $healthcheck_bind_ip,
     'HEALTHCHECK_BIND_PORT' => $healthcheck_bind_port,
     'HEALTHCHECK_TIMEOUT' => $healthcheck_timeout,
   } + $extra_env
-
   file { '/etc/conf.d/concourse-worker':
     ensure => $ensure,
     mode => '0600',
     show_diff => false,
-    content => epp("${module_name}/env.epp", $env),
+    content => epp("${module_name}/env.epp", { 'entries' => $env }),
   }
 }
-- 
cgit v1.2.3
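Review bot: `$concourse_tag.join(',')` yields a different tag set than intended if any element itself contains a comma or whitespace, and the declared `Array[String]` lets that through; either tighten the type where the parameter is declared (e.g. `Optional[Array[Pattern[/\A[^,\s]+\z/]]]`) or add `if $concourse_tag and $concourse_tag.any |$t| { $t =~ /[,\s]/ } { fail('concourse_tag entries must not contain commas or whitespace') }` before the hash is built. The undef/else expression can also be written with the core `then` function, `'CONCOURSE_TAG' => $concourse_tag.then |$tags| { $tags.join(',') },`, which returns undef for an unset parameter. How `env.epp` treats undef entries is not visible here, so confirm that unset keys such as `CONCOURSE_TEAM` are omitted rather than rendered as empty assignments. The `$env` hash literal starts before this hunk.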