From 73b98210f69455b33116f8c2ca3aab6daf473bab Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?=
Date: Thu, 15 Jun 2023 19:03:23 +0200
Subject: Initial add.
---
manifests/worker.pp | 140 ++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 140 insertions(+)
create mode 100644 manifests/worker.pp
(limited to 'manifests/worker.pp')
diff --git a/manifests/worker.pp b/manifests/worker.pp
new file mode 100644
index 0000000..18703f2
--- /dev/null
+++ b/manifests/worker.pp
@@ -0,0 +1,140 @@
+# @summary A Concourse workre
+#
+# Declared as a class, since the upstream documentation explicitly states
+# that multiple workers on a single node is nonsensical. This may however
+# change in future versions of this module, since you the option to limit
+# a worker to a specific team or tag exists, and linux can limit the amount
+# of resources given to a given process (this gets even easier through systemd,
+# which the module currently uses extensively).
+
+# @param key_dir
+# Directory in which keys should be stored.
+# @param worker_key_file
+# File in which the worker's public key should be stored
+# @param worker_private_key_file
+# File in which the worker ns private key should be stored.
+# @param cluster
+# Which concourse cluster this worker should be part of.
+# @param service
+# Name of the worker service
+# @param service_unit
+# Name of the (systemd) service unit for the worker.
+# @param ensure
+# @param work_dir
+# Working directory for the worker.
+# @param tsa_host
+# Network address to the master (web) node that this worker should connect to.
+# @param tsa_public_key
+# Public key of this workers master.
+# @param worker_public_key
+# Public key of this worker. Only used if `$manage_private_key` is
+# false, otherwise a key will be automatically generated.
+# public key exported as a fact.
+# @param worker_private_key
+# Private key of this worker. Like `worker_public_key`, will only
+# be used if `$manage_private_key` is false. This value will however
+# *not* be exported.
+# @param manage_private_key
+# Should this node manage and generate its own public key. If true
+# (the default) then a key will automatically be generated, and the
+# public portion exported as a fact.
+# @param export_public_key
+# Should an exported resource with this nodes public key be created.
+# This reads the fact from `$worker_public_key` and creates an exported
+# resource of type `concourse::worker_key`, which will allow the master
+# to realize it.
+# @param tag
+# List of arbitrary tags to connnect to this worker. Can be used by
+# pipelines which requires specific environments.
+# @param team
+# Limit this worker to a specific team.
+# @param healthcheck_bind_ip
+# Address to bind the healthcheck endpoint to.
+# @param healthcheck_bind_port
+# Port to bind the health endpoint to.
+# @param healthcheck_timeout
+# Timeout for health check.
+# @param extra_env
+# A hash of extra environment variables which will be passed directly
+# to the worker process.
+class concourse::worker (
+ Std::AbsolutePath $key_dir = '/usr/lib/concourse',
+ Std::AbsolutePath $worker_key_file = "${key_dir}/worker_key",
+ Std::AbsolutePath $worker_private_key_file = "${worker_key_file}.pub",
+ String $cluster = $concourse::default_cluster,
+ String $service = $concourse::worker_service,
+ String $service_unit = "${service}.service",
+ Enum['absent', 'present'] $ensure = 'present',
+
+ String $work_dir = $concourse::worker_work_dir,
+ String $tsa_host = lookup("concourse::${cluster}::tsa_host"),
+ String $tsa_public_key = lookup("concourse::${cluster}::tsa_public_key"),
+ Optinal[String] $worker_public_key = undef,
+ Optinal[String] $worker_private_key = undef,
+ Boolean $manage_private_key = $worker_private_key == undef,
+ Boolean $export_public_key = true,
+ Optional[Array[String]] $tag = undef,
+ Optinal[String] $team = undef,
+
+ String $healthcheck_bind_ip = '0.0.0.0',
+ Stdlib::Port $healthcheck_bind_port = 8888,
+ String $healthcheck_timeout = '5s',
+
+ Hash[String, Any] $extra_env = {},
+) {
+ ensure_packages([
+ 'concourse',
+ ])
+
+ if $manage_private_key {
+ exec { 'Concourse generate worker key':
+ command => ['concourse', 'generate-key', '-t', 'ssh', '-f', $worker_key_file],
+ creates => $worker_private_key_file, # and worker_key_file
+ path => ['/sbin', '/usr/sbin', '/bin', '/usr/bin',]
+ }
+ } else {
+ file { $worker_key_file:
+ content => $worker_public_key,
+ }
+
+ file { $worker_private_key_file:
+ mode => '0600',
+ content => $worker_private_key,
+ }
+ }
+
+ if $export_public_key {
+ @@concourse::worker_key { "${facts['trusted']['certname']} worker key":
+ content => $facts['concourse_worker_key'],
+ cluster => $cluster,
+ }
+ }
+
+ systemd::unit_file { $service_unit:
+ ensure => $ensure,
+ soruce => "puppet:///modules/${module_name}/concourse-worker.service",
+ } ~> service { $service:
+ ensure => if $ensure == 'present' { 'running' } else { 'stopped' },
+ enable => true,
+ }
+
+ $env = {
+ 'CONCOURSE_WORK_DIR' => $work_dir,
+ 'CONCOURSE_TSA_HOST' => $tsa_host,
+ 'CONCOURSE_TSA_PUBLIC_KEY' => $tsa_public_key,
+ 'CONCOURSE_TSA_WORKER_PRIVATE_KEY' => $worker_private_key_file,
+ 'CONCOURSE_TAG' => $tag,
+ 'CONCOURSE_TEAM' => $team,
+ 'HEALTHCHECK_BIND_IP' => $healthcheck_bind_ip,
+ 'HEALTHCHECK_BIND_PORT' => $healthcheck_bind_port,
+ 'HEALTHCHECK_TIMEOUT' => $healthcheck_timeout,
+ } + $extra_env
+
+
+ file { '/etc/conf.d/concourse-worker':
+ ensure => $ensure,
+ mode => '0600',
+ show_diff => false,
+ content => epp("${module_name}/env.epp", $env),
+ }
+}
--
cgit v1.2.3
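Review bot: The key-path defaults in the parameter list look inverted: `$worker_private_key_file` defaults to `"${worker_key_file}.pub"`, while the exec runs `concourse generate-key -t ssh -f $worker_key_file`, which (assuming it follows the ssh-keygen convention) writes the private key to the `-f` path and the public key to `<path>.pub`. In the `$manage_private_key` branch `CONCOURSE_TSA_WORKER_PRIVATE_KEY` would then point at the public key, while the real private key sits at the path the manifest treats as public. Declaring `Std::AbsolutePath $worker_private_key_file = "${key_dir}/worker_key",` first and then `Std::AbsolutePath $worker_key_file = "${worker_private_key_file}.pub",` would line both branches up with the generator. In the else branch, `file { $worker_private_key_file: }` sets `mode => '0600'` but not `show_diff => false`, so a changed key can be printed in agent output and reports; add it, as the `/etc/conf.d/concourse-worker` resource already does. `Optinal[String]` (three parameters) and `soruce =>` are also misspelled and should read `Optional[String]` and `source =>`.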