-
-
Save timogoebel/e4d26249d2b993fd4f084d65cacbed52 to your computer and use it in GitHub Desktop.
Katello Split Classes Puppet Modules WIP
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # == Class: service_foreman::ca | |
| # | |
| # Sets up a ca and generate certificates for katello | |
| # Attention: We need all of them, but uncommenting all leads to duplicate declarations | |
| # | |
| class service_foreman::ca { | |
| include ::service_foreman::repos | |
| group { 'foreman': | |
| ensure => 'present', | |
| system => true, | |
| } | |
| class { '::certs': | |
| group => 'foreman', | |
| generate => true, | |
| deploy => true, | |
| } | |
| # Candlepin | |
| class { '::certs::candlepin': | |
| hostname => 'infra-candlepin-01.lxstage.example.com', | |
| cname => ['foreman-candlepin-stage.example.com'], | |
| deploy => false, | |
| } | |
| # Qpid | |
| #class { '::certs::qpid': | |
| # hostname => 'infra-qpid-01.lxstage.example.com', | |
| # cname => ['foreman-qpid-lxstage.example.com'], | |
| # deploy => false, | |
| #} | |
| # Pulp | |
| #class { '::certs::qpid_client': | |
| # hostname => 'infra-pulp-01.lxstage.example.com', | |
| # cname => ['foreman-pulp-lxstage.example.com'], # TODO: No cname | |
| # deploy => false, | |
| #} | |
| #class { '::certs::apache': | |
| # hostname => 'infra-pulp-01.lxstage.example.com', | |
| # cname => ['foreman-pulp-lxstage.example.com'], | |
| # deploy => false, | |
| #} | |
| class { '::certs::foreman_proxy': | |
| hostname => 'infra-pulp-01.lxstage.example.com', | |
| cname => ['foreman-pulp-lxstage.example.com'], | |
| deploy => false, | |
| } | |
| class { '::certs::qpid_router': | |
| hostname => 'infra-pulp-01.lxstage.example.com', | |
| cname => ['foreman-pulp-lxstage.example.com'], | |
| deploy => false, | |
| } | |
| # Foreman | |
| class { '::certs::foreman': | |
| hostname => 'infra-foreman-01.lxstage.example.com', | |
| cname => ['foreman-ui-lxstage.example.com'], | |
| deploy => false, | |
| } | |
| class { '::certs::pulp_client': | |
| hostname => 'infra-foreman-01.lxstage.example.com', | |
| cname => ['foreman-ui-lxstage.example.com'], # TODO: No CNAME | |
| deploy => false, | |
| } | |
| class { '::certs::apache': | |
| hostname => 'infra-foreman-01.lxstage.example.com', | |
| cname => ['foreman-ui-lxstage.example.com'], | |
| deploy => false, | |
| } | |
| # TODO: required? | |
| #class { '::certs::qpid_client': | |
| # hostname => 'infra-foreman-01.lxstage.example.com', | |
| # cname => [], | |
| # deploy => false, | |
| #} | |
| class { '::certs::qpid': | |
| hostname => 'infra-candlepin-01.lxstage.example.com', | |
| cname => [], | |
| deploy => false, | |
| } | |
| #class { '::certs::qpid': | |
| # hostname => 'infra-foreman-01.lxstage.example.com', | |
| # cname => [], | |
| # deploy => false, | |
| #} | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # == Class: service_foreman::candlepin | |
| # | |
| # Sets up a candlepin for katello | |
| # | |
| class service_foreman::candlepin inherits service_foreman { | |
| include ::service_foreman::repos | |
| include ::service_foreman::certs | |
| # The candlepin module creates a qpid exchange and therefor needs the qpid client with ssl certs installed. | |
| # certs::qpid_client are not the certificates for the qpid-client tool. | |
| # Reasoning: https://github.com/Katello/puppet-katello/pull/170#issuecomment-288478211 | |
| class { '::certs::qpid': | |
| generate => false, | |
| deploy => true, | |
| require => Class['certs::ca'], | |
| } | |
| class { '::certs::candlepin': | |
| generate => false, | |
| deploy => true, | |
| require => Class['certs::ca'], | |
| } | |
| class { 'katello': | |
| enable_candlepin => true, | |
| enable_qpid => false, | |
| enable_qpid_client => false, | |
| enable_pulp => false, | |
| enable_application => false, | |
| qpid_hostname => "${::project}-qpid-01.${::app_tier}.example.com", | |
| candlepin_manage_db => false, | |
| candlepin_db_host => "${::project}-pgsql-01.${::app_tier}.example.com", | |
| candlepin_db_name => 'candlepin', | |
| candlepin_db_user => 'candlepin', | |
| candlepin_db_password => 'candlepin', | |
| } | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # == Class: service_foreman::certs | |
| # | |
| # Sets up a certificates for katello | |
| # | |
| class service_foreman::certs { | |
| group { 'foreman': | |
| ensure => 'present', | |
| system => true, | |
| } | |
| class { '::certs': | |
| group => 'foreman', | |
| generate => false, | |
| } | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # == Class: service_foreman:gui | |
| # | |
| # Setting up a foreman gui system. | |
| # | |
| class service_foreman::gui inherits service_foreman { | |
| include ::service_foreman::repos | |
| $db_user_prefix = regsubst($::project, '^(\S{0,10})', '\1') | |
| $passenger_instances = ceiling($::processorcount*1.5) | |
| certmanager::cert { $::service_foreman::foreman_host: | |
| aliases => [$::fqdn], | |
| } | |
| $foreman_ssl_puppet_ca = '/etc/foreman/puppet-ca.pem' | |
| $foreman_ssl_puppet_key = '/etc/foreman/puppet-key.pem' | |
| $foreman_ssl_puppet_cert = '/etc/foreman/puppet-cert.pem' | |
| $foreman_ssl_ui_key = '/etc/foreman/ui-key.pem' | |
| $foreman_ssl_ui_cert = '/etc/foreman/ui-cert.pem' | |
| class { '::foreman': | |
| custom_repo => true, | |
| configure_epel_repo => false, | |
| configure_scl_repo => false, | |
| db_manage => false, | |
| db_type => 'postgresql', | |
| db_host => "${::project}-pgsql-01.${::app_tier}.ka.de.dm-drogeriemarkt.com", | |
| db_port => '5432', | |
| db_username => 'foreman', | |
| db_database => 'foreman', | |
| db_password => 'foreman', | |
| db_pool => '25', | |
| ssl => true, | |
| server_ssl_chain => "/etc/pki/tls/certs/${::service_foreman::foreman_host}_chain.crt", | |
| server_ssl_cert => "/etc/pki/tls/certs/${::service_foreman::foreman_host}.crt", | |
| server_ssl_key => "/etc/pki/tls/private/${::service_foreman::foreman_host}.key", | |
| server_ssl_crl => "${::puppet_ssldir}/crl.pem", | |
| oauth_consumer_key => trocla("foreman-oauth-key-${::project}-${::app_tier}", 'plain', {'charset' => 'alphanumeric', 'length' => '32'}), | |
| oauth_consumer_secret => trocla("foreman-oauth-secret-${::project}-${::app_tier}", 'plain', {'charset' => 'alphanumeric', 'length' => '32'}), | |
| organizations_enabled => true, | |
| locations_enabled => true, | |
| initial_organization => 'FD-PS-LX', | |
| initial_location => 'DE', | |
| puppetrun => true, | |
| passenger_min_instances => $passenger_instances, | |
| email_delivery_method => 'sendmail', | |
| websockets_ssl_cert => $foreman_ssl_ui_cert, | |
| websockets_ssl_key => $foreman_ssl_ui_key, | |
| client_ssl_ca => $foreman_ssl_puppet_ca, | |
| client_ssl_cert => $foreman_ssl_puppet_cert, | |
| client_ssl_key => $foreman_ssl_puppet_key, | |
| } | |
| # Foreman Plugins | |
| include ::foreman::compute::ec2 | |
| include ::foreman::compute::vmware | |
| include ::foreman::plugin::tasks | |
| include ::foreman::plugin::bootdisk | |
| include ::foreman::plugin::dhcp_browser | |
| include ::foreman::plugin::remote_execution | |
| include ::foreman::plugin::expire_hosts | |
| include ::foreman::plugin::host_extra_validator | |
| # Encryption key | |
| $foreman_encryption_key = trocla('foreman_encryption', 'plain', {'charset' => 'alphanumeric', 'length' => '32'}) | |
| file { '/etc/foreman/encryption_key.rb': | |
| ensure => file, | |
| owner => 'root', | |
| group => 'foreman', | |
| mode => '0640', | |
| content => template("${module_name}/encryption_key.rb.erb"), | |
| notify => Service['httpd'], | |
| require => Class['::foreman'], | |
| } | |
| # PuppetDB | |
| class { '::foreman::plugin::puppetdb': | |
| address => 'https://puppetdbng.ka.de.dm-drogeriemarkt.com:8081/v3/commands', | |
| ssl_ca_file => $foreman_ssl_puppet_ca, | |
| ssl_certificate => $foreman_ssl_puppet_cert, | |
| ssl_private_key => $foreman_ssl_puppet_key, | |
| } | |
| # Discovery | |
| class { '::foreman::plugin::discovery': | |
| install_images => false, | |
| } | |
| # Register ourself at the loadbalancer | |
| if $::service_foreman::standby_node { | |
| $haproxy_role = "backup" | |
| } else { | |
| $haproxy_role = undef | |
| } | |
| service_haproxy::balancermember { "${::fqdn}_foremangui_http": | |
| service => 'foremangui_http', | |
| ports => [80], | |
| options => $haproxy_role, | |
| } | |
| service_haproxy::balancermember { "${::fqdn}_foremangui_https": | |
| service => 'foremangui_https', | |
| ports => [443], | |
| options => $haproxy_role, | |
| } | |
| # Monitoring | |
| #include ::service_foreman::monitoring | |
| # Ensure cron files are only present on the first cluster node | |
| if $::serverinstance > 1 { | |
| $cron_files = [ | |
| '/etc/cron.d/foreman', | |
| '/etc/cron.d/foreman_expire_hosts', | |
| ] | |
| file { $cron_files: | |
| ensure => absent, | |
| } | |
| } | |
| # Allow Foreman user to execute cron jobs | |
| pam::access::entry { 'foreman': | |
| permission => '+', | |
| origins => ['cron','crond'], | |
| } | |
| # Copy puppet ssl cert and key so they are in the same place on | |
| # every host and do not have filename containing the fqdn | |
| file { $foreman_ssl_puppet_ca: | |
| ensure => file, | |
| source => "${settings::ssldir}/certs/ca.pem", | |
| owner => 'foreman', | |
| group => 'foreman', | |
| mode => '0644', | |
| require => Class['::foreman'], | |
| } | |
| file { $foreman_ssl_puppet_key: | |
| ensure => file, | |
| source => "${settings::ssldir}/private_keys/${::fqdn}.pem", | |
| owner => 'foreman', | |
| group => 'foreman', | |
| mode => '0640', | |
| require => Class['::foreman'], | |
| } | |
| file { $foreman_ssl_puppet_cert: | |
| ensure => file, | |
| source => "${settings::ssldir}/certs/${::fqdn}.pem", | |
| owner => 'foreman', | |
| group => 'foreman', | |
| mode => '0600', | |
| require => Class['::foreman'], | |
| } | |
| # Copy ui ssl cert and key for websockets | |
| file { $foreman_ssl_ui_key: | |
| ensure => file, | |
| source => "/etc/pki/tls/private/${::service_foreman::foreman_host}.key", | |
| owner => 'foreman', | |
| group => 'foreman', | |
| mode => '0640', | |
| require => Class['::foreman'], | |
| } | |
| file { $foreman_ssl_ui_cert: | |
| ensure => file, | |
| source => "/etc/pki/tls/certs/${::service_foreman::foreman_host}.crt", | |
| owner => 'foreman', | |
| group => 'foreman', | |
| mode => '0600', | |
| require => Class['::foreman'], | |
| } | |
| # Setup memcache | |
| $memcached_instances = service_memcache_memcached_instances("memcached-${::service_foreman::memcached_cluster_name}") | |
| class { '::foreman::plugin::memcache': | |
| hosts => $memcached_instances, | |
| } | |
| # Passenger tuning | |
| foreman::config::passenger::fragment { 'dmtuning': | |
| ssl_content => "### This file contains passenger tuning settings for EXAMPLE GmbH\n\nPassengerMaxPoolSize ${passenger_instances}\nPassengerMaxRequestQueueSize 200\n", | |
| } | |
| # Katello | |
| include ::service_foreman::certs | |
| include ::katello::params | |
| class { '::certs::qpid': } ~> | |
| class { '::qpid::client': | |
| ssl => true, | |
| ssl_cert_name => 'broker', | |
| ssl_cert_db => $::certs::nss_db_dir, | |
| ssl_cert_password_file => $::certs::qpid::nss_db_password_file, | |
| } ~> | |
| class {'::certs::katello': } | |
| class { 'katello': | |
| enable_candlepin => false, | |
| enable_qpid => false, | |
| enable_qpid_client => false, | |
| enable_pulp => false, | |
| enable_application => true, | |
| candlepin_url => "https://${::project}-candlepin-01.${::app_tier}.example.com:8443/candlepin", | |
| pulp_url => "https://${::project}-pulp-01.${::app_tier}.example.com/pulp/api/v2/", | |
| qpid_url => "amqp:ssl:${::project}-qpid-01.${::app_tier}.example.com:5671", | |
| package_names => [$::katello::params::rubygem_katello], # do not install the katello meta package as it contains everything | |
| # Added for proxy support | |
| proxy_url => 'http://proxy.example.com', | |
| proxy_port => 8000, | |
| } | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # == Class: service_foreman::pulp | |
| # | |
| # Sets up a pulp for katello | |
| # | |
| class service_foreman::pulp inherits service_foreman { | |
| include ::service_foreman::repos | |
| include ::service_foreman::certs | |
| include ::katello::params | |
| #class { '::pulp': | |
| # oauth_enabled => true, | |
| # oauth_key => $::katello::params::oauth_key, | |
| # oauth_secret => $::katello::params::oauth_secret, | |
| # messaging_url => "ssl://${::project}-qpid-01.${::app_tier}.example.com:5671", # Edited | |
| # messaging_ca_cert => $::certs::ca_cert, | |
| # messaging_client_cert => $::certs::qpid_client::messaging_client_cert, | |
| # messaging_transport => 'qpid', | |
| # messaging_auth_enabled => false, | |
| # broker_url => "qpid://${::project}-qpid-01.${::app_tier}.example.com:5671", # Edited | |
| # broker_use_ssl => true, | |
| # #consumers_crl => $candlepin::crl_file, | |
| # proxy_url => $::katello::params::proxy_url, | |
| # proxy_port => $::katello::params::proxy_port, | |
| # proxy_username => $::katello::params::proxy_username, | |
| # proxy_password => $::katello::params::proxy_password, | |
| # yum_max_speed => $::katello::params::pulp_max_speed, | |
| # manage_broker => false, | |
| # manage_httpd => true, # Changed | |
| # manage_plugins_httpd => true, | |
| # manage_squid => true, | |
| # enable_rpm => true, | |
| # enable_puppet => true, | |
| # enable_docker => true, | |
| # enable_ostree => $::katello::params::enable_ostree, | |
| # num_workers => $::katello::params::num_pulp_workers, | |
| # #max_tasks_per_child => $::katello::params::max_tasks_per_pulp_worker, | |
| # enable_parent_node => false, | |
| # repo_auth => true, | |
| # puppet_wsgi_processes => 1, | |
| # crane_data_dir => '/var/lib/pulp/published/docker/v2/app', | |
| # # Added params | |
| # https_cert => $::certs::apache::apache_cert, | |
| # https_key => $::certs::apache::apache_key, | |
| # ca_cert => $::certs::katello_server_ca_cert, | |
| # enable_katello => true, | |
| #} | |
| class { 'foreman_proxy': | |
| custom_repo => true, | |
| http => false, | |
| ssl_port => '9090', | |
| templates => false, | |
| # TODO: remove hardcoded paths | |
| # TODO: defaults to puppetCA, that's what we want for the proxy | |
| #ssl_ca => '/etc/foreman-proxy/ssl_ca.pem', | |
| #ssl_cert => '/etc/foreman-proxy/ssl_cert.pem', | |
| #ssl_key => '/etc/foreman-proxy/ssl_key.pem', | |
| foreman_ssl_ca => '/etc/pki/tls/certs/example.crt', # Foreman GUI has exampleCA certs, so we have to verify against her | |
| # TODO: defaults to puppetCA, which is good | |
| #foreman_ssl_ca => '/etc/foreman-proxy/foreman_ssl_ca.pem', | |
| #foreman_ssl_cert => '/etc/foreman-proxy/foreman_ssl_cert.pem', | |
| #foreman_ssl_key => '/etc/foreman-proxy/foreman_ssl_key.pem', | |
| # Custom params | |
| manage_sudoersd => false, # is managed by service_aaa | |
| register_in_foreman => false, | |
| puppetca => false, | |
| tftp => false, | |
| dhcp => false, | |
| dns => false, | |
| puppet => false, | |
| trusted_hosts => ["${::project}-foreman-01.${::app_tier}.example.com"], | |
| } | |
| class { 'foreman_proxy::plugin::pulp': | |
| enabled => true, | |
| pulpnode_enabled => false, | |
| } | |
| class { 'foreman_proxy_content': | |
| pulp_master => true, | |
| qpid_router_broker_addr => "${::project}-qpid-01.${::app_tier}.example.com", | |
| #parent_fqdn => "${::project}-foreman-01.${::app_tier}.example.com", | |
| reverse_proxy => true, | |
| puppet => false, # Changed | |
| pulp_oauth_key => $::katello::params::oauth_key, | |
| pulp_oauth_secret => $::katello::params::oauth_secret, | |
| # for PR | |
| pulp_master_standalone => true, | |
| install_local_qpid => false, | |
| parent_fqdn => "${::project}-qpid-01.${::app_tier}.example.com", | |
| foreman_fqdn => "${::project}-foreman-01.${::app_tier}.example.com", | |
| #pulp_proxy_url => $::katello::proxy_url, | |
| #pulp_proxy_port => $::katello::proxy_port, | |
| #pulp_proxy_username => $::katello::proxy_username, | |
| #pulp_proxy_password => $::katello::proxy_password, | |
| # | |
| # pulp_max_tasks_per_child | |
| # pulp_puppet_wsgi_processes | |
| # pulp_num_workers | |
| } | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # == Class: service_foreman::qpid | |
| # | |
| # Sets up a qpid for katello | |
| # | |
| class service_foreman::qpid inherits service_foreman { | |
| include ::service_foreman::repos | |
| include ::service_foreman::certs | |
| class { '::certs::qpid': | |
| generate => false, | |
| deploy => true, | |
| } | |
| class { 'katello': | |
| enable_candlepin => false, | |
| enable_qpid => true, | |
| enable_qpid_client => false, | |
| enable_pulp => false, | |
| enable_application => false, | |
| qpid_interface => $::default_interface, | |
| } | |
| # https://github.com/Katello/puppet-qpid/issues/46 | |
| Package['qpid-cpp-client'] -> Package['qpid-tools'] | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment