path: root/manifests/worker.pp
blob: 18703f23d77d775390b991f1c1a87623b0bbef69 (plain)
# @summary A Concourse worker
#
# Declared as a class, since the upstream documentation explicitly states
# that multiple workers on a single node is nonsensical. This may however
# change in future versions of this module, since the option to limit
# a worker to a specific team or tag exists, and Linux can limit the amount
# of resources given to a given process (this gets even easier through systemd,
# which the module currently uses extensively).
#
# @param key_dir
#   Directory in which keys should be stored.
# @param worker_key_file
#   File in which the worker's public key should be stored
# @param worker_private_key_file
#   File in which the worker's private key should be stored.
# @param cluster
#   Which concourse cluster this worker should be part of.
# @param service
#   Name of the worker service
# @param service_unit
#   Name of the (systemd) service unit for the worker.
# @param ensure
# @param work_dir
#   Working directory for the worker.
# @param tsa_host
#   Network address to the master (web) node that this worker should connect to.
# @param tsa_public_key
#   Public key of this worker's master.
# @param worker_public_key
#   Public key of this worker. Only used if `$manage_private_key` is
#   false; otherwise a key will be automatically generated and its
#   public key exported as a fact.
# @param worker_private_key
#   Private key of this worker. Like `worker_public_key`, will only
#   be used if `$manage_private_key` is false. This value will however
#   *not* be exported.
# @param manage_private_key
#   Should this node manage and generate its own public key. If true
#   (the default) then a key will automatically be generated, and the
#   public portion exported as a fact.
# @param export_public_key
#   Should an exported resource with this node's public key be created.
#   This reads the fact from `$worker_public_key` and creates an exported
#   resource of type `concourse::worker_key`, which will allow the master
#   to realize it.
# @param tag
#   List of arbitrary tags to connect to this worker. Can be used by
#   pipelines which require specific environments.
# @param team
#   Limit this worker to a specific team.
# @param healthcheck_bind_ip
#   Address to bind the healthcheck endpoint to.
# @param healthcheck_bind_port
#   Port to bind the health endpoint to.
# @param healthcheck_timeout
#   Timeout for health check.
# @param extra_env
#   A hash of extra environment variables which will be passed directly 
#   to the worker process.
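class concourse::worker (
  # Stdlib::Absolutepath is the puppetlabs-stdlib path type; the class already
  # relies on stdlib for Stdlib::Port below.
  Stdlib::Absolutepath $key_dir                 = '/usr/lib/concourse',
  # `concourse generate-key -f PATH` writes the private key to PATH and the
  # public key to PATH.pub, so the public key file is the one carrying the
  # `.pub` suffix. The previous defaults had the two swapped, which made the
  # worker service load the public key as its private key.
  Stdlib::Absolutepath $worker_key_file         = "${key_dir}/worker_key.pub",
  Stdlib::Absolutepath $worker_private_key_file = "${key_dir}/worker_key",
  String $cluster                               = $concourse::default_cluster,
  String $service                               = $concourse::worker_service,
  String $service_unit                          = "${service}.service",
  Enum['absent', 'present'] $ensure             = 'present',

  String $work_dir                              = $concourse::worker_work_dir,
  String $tsa_host                              = lookup("concourse::${cluster}::tsa_host"),
  String $tsa_public_key                        = lookup("concourse::${cluster}::tsa_public_key"),
  Optional[String] $worker_public_key           = undef,
  Optional[String] $worker_private_key          = undef,
  # Key generation is on unless the caller supplies a private key.
  Boolean $manage_private_key                   = $worker_private_key == undef,
  Boolean $export_public_key                    = true,
  Optional[Array[String]] $tag                  = undef,
  Optional[String] $team                        = undef,

  # NOTE(review): '0.0.0.0' makes the health endpoint listen on every
  # interface. Set a loopback or management address where the endpoint
  # should not be reachable from the wider network.
  String $healthcheck_bind_ip                   = '0.0.0.0',
  Stdlib::Port $healthcheck_bind_port           = 8888,
  String $healthcheck_timeout                   = '5s',

  Hash[String, Any] $extra_env                  = {},
) {
  ensure_packages([
    'concourse',
  ])

  if $manage_private_key {
    # Array-form command: executed directly, without a shell.
    # The public key is written next to the private key as
    # "${worker_private_key_file}.pub"; that equals $worker_key_file only
    # when $worker_key_file keeps its default.
    exec { 'Concourse generate worker key':
      command => ['concourse', 'generate-key', '-t', 'ssh', '-f', $worker_private_key_file],
      creates => $worker_private_key_file,
      path    => ['/sbin', '/usr/sbin', '/bin', '/usr/bin',],
      # The binary comes from the package declared above.
      require => Package['concourse'],
    }
  } else {
    file { $worker_key_file:
      content => $worker_public_key,
    }

    # show_diff is disabled so that a content change never writes the
    # private key into agent logs or reports.
    file { $worker_private_key_file:
      mode      => '0600',
      show_diff => false,
      content   => $worker_private_key,
    }
  }

  if $export_public_key {
    # $trusted is filled in by the server from the agent's certificate, so
    # the resource title cannot be influenced by agent-supplied facts.
    # NOTE(review): the `concourse_worker_key` fact is presumably undefined
    # on the first run, before the key has been generated - confirm that
    # concourse::worker_key tolerates an undef `content`.
    @@concourse::worker_key { "${trusted['certname']} worker key":
      content => $facts['concourse_worker_key'],
      cluster => $cluster,
    }
  }

  # A removed worker must be neither running nor enabled at boot.
  $service_ensure = $ensure ? {
    'present' => 'running',
    default   => 'stopped',
  }

  systemd::unit_file { $service_unit:
    ensure => $ensure,
    source => "puppet:///modules/${module_name}/concourse-worker.service",
  } ~> service { $service:
    ensure => $service_ensure,
    enable => $ensure == 'present',
  }

  # Environment handed to the worker process. $extra_env is merged last, so
  # its entries override the values derived from the class parameters.
  $env = {
    'CONCOURSE_WORK_DIR'               => $work_dir,
    'CONCOURSE_TSA_HOST'               => $tsa_host,
    'CONCOURSE_TSA_PUBLIC_KEY'         => $tsa_public_key,
    'CONCOURSE_TSA_WORKER_PRIVATE_KEY' => $worker_private_key_file,
    'CONCOURSE_TAG'                    => $tag,
    'CONCOURSE_TEAM'                   => $team,
    'HEALTHCHECK_BIND_IP'              => $healthcheck_bind_ip,
    'HEALTHCHECK_BIND_PORT'            => $healthcheck_bind_port,
    'HEALTHCHECK_TIMEOUT'              => $healthcheck_timeout,
  } + $extra_env

  # The environment file may carry secrets through $extra_env, hence the
  # restrictive mode and the suppressed diff.
  file { '/etc/conf.d/concourse-worker':
    ensure    => $ensure,
    mode      => '0600',
    show_diff => false,
    content   => epp("${module_name}/env.epp", $env),
  }
}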