From b2fdc37515f1b659176f2c7b4769afa5183643ef Mon Sep 17 00:00:00 2001 
From: jweatherford Date: Mon, 19 Oct 2020 09:55:44 -0400 Subject: [PATCH] tree moved --- Dockerfile | 238 ++++++++ Jenkinsfile | 2 + LICENSE | 202 +++++++ README.md | 55 +- download.yaml | 106 ++++ helm/.helmignore | 26 + helm/CHANGELOG.md | 371 ++++++++++++ helm/Chart.yaml | 23 + helm/LICENSE | 201 +++++++ helm/OWNERS | 10 + helm/README.md | 331 ++++++++++ helm/init/README.md | 45 ++ helm/requirements.yaml | 6 + helm/templates/NOTES.txt | 25 + helm/templates/_helpers.tpl | 328 ++++++++++ helm/templates/hiera-configmap.yaml | 11 + helm/templates/postgresql-configmap.yaml | 12 + helm/templates/private_key.pkcs7.pem.yaml | 11 + helm/templates/public_key.pkcs7.pem.yaml | 11 + helm/templates/puppet-preInstall.job.yaml | 61 ++ helm/templates/puppetboard-ingress.yaml | 36 ++ helm/templates/puppetdb-deployment.yaml | 104 ++++ .../puppetdb-preInstall.configMap.yaml | 17 + helm/templates/puppetdb-pvc.yaml | 30 + helm/templates/puppetdb-secret.yaml | 12 + helm/templates/puppetdb-service.yaml | 18 + helm/templates/puppetserver-code-pvc.yaml | 23 + helm/templates/puppetserver-data-pvc.yaml | 23 + .../puppetserver-deployment-masters.yaml | 347 +++++++++++ .../templates/puppetserver-hpa-compilers.yaml | 34 ++ helm/templates/puppetserver-hpa-masters.yaml | 34 ++ .../puppetserver-ingress-compilers.yaml | 36 ++ .../puppetserver-ingress-masters.yaml | 34 ++ .../puppetserver-init-configmap.yaml | 25 + .../puppetserver-manifests-configmap.yaml | 10 + .../puppetserver-preInstall.configMap.yaml | 17 + helm/templates/puppetserver-pvc.yaml | 30 + ...uppetserver-service-agents-to-masters.yaml | 27 + ...ppetserver-service-compilers-headless.yaml | 24 + .../puppetserver-service-compilers.yaml | 27 + .../puppetserver-service-masters.yaml | 25 + .../puppetserver-statefulset-compilers.yaml | 357 +++++++++++ helm/templates/r10k-code-secret.yaml | 18 + helm/templates/r10k-code.configmap.yaml | 41 ++ helm/templates/r10k-hiera-secret.yaml | 18 + helm/templates/r10k-hiera.configmap.yaml | 41 ++ 
helm/values.yaml | 567 ++++++++++++++++++ scripts/10-analytics.sh | 30 + scripts/20-use-templates-initially.sh | 22 + scripts/30-set-permissions.sh | 4 + scripts/40-update-puppetdb-conf.sh | 5 + scripts/50-set-certname.sh | 6 + scripts/55-set-masterport.sh | 11 + scripts/60-setup-autosign.sh | 7 + scripts/70-set-dns-alt-names.sh | 17 + scripts/80-ca.sh | 70 +++ scripts/85-setup-storeconfigs.sh | 24 + scripts/90-log-config.sh | 24 + scripts/docker-entrypoint.sh | 21 + scripts/healthcheck.sh | 18 + scripts/logback.xml | 14 + scripts/puppetdb.conf | 3 + scripts/puppetserver | 17 + scripts/puppetserver.conf | 79 +++ scripts/request-logging.xml | 9 + 65 files changed, 4429 insertions(+), 2 deletions(-) create mode 100644 Dockerfile create mode 100644 Jenkinsfile create mode 100644 LICENSE create mode 100644 download.yaml create mode 100644 helm/.helmignore create mode 100644 helm/CHANGELOG.md create mode 100644 helm/Chart.yaml create mode 100644 helm/LICENSE create mode 100644 helm/OWNERS create mode 100644 helm/README.md create mode 100644 helm/init/README.md create mode 100644 helm/requirements.yaml create mode 100644 helm/templates/NOTES.txt create mode 100644 helm/templates/_helpers.tpl create mode 100644 helm/templates/hiera-configmap.yaml create mode 100644 helm/templates/postgresql-configmap.yaml create mode 100644 helm/templates/private_key.pkcs7.pem.yaml create mode 100644 helm/templates/public_key.pkcs7.pem.yaml create mode 100644 helm/templates/puppet-preInstall.job.yaml create mode 100644 helm/templates/puppetboard-ingress.yaml create mode 100644 helm/templates/puppetdb-deployment.yaml create mode 100644 helm/templates/puppetdb-preInstall.configMap.yaml create mode 100644 helm/templates/puppetdb-pvc.yaml create mode 100644 helm/templates/puppetdb-secret.yaml create mode 100644 helm/templates/puppetdb-service.yaml create mode 100644 helm/templates/puppetserver-code-pvc.yaml create mode 100644 helm/templates/puppetserver-data-pvc.yaml create mode 100644 
helm/templates/puppetserver-deployment-masters.yaml create mode 100644 helm/templates/puppetserver-hpa-compilers.yaml create mode 100644 helm/templates/puppetserver-hpa-masters.yaml create mode 100644 helm/templates/puppetserver-ingress-compilers.yaml create mode 100644 helm/templates/puppetserver-ingress-masters.yaml create mode 100644 helm/templates/puppetserver-init-configmap.yaml create mode 100644 helm/templates/puppetserver-manifests-configmap.yaml create mode 100644 helm/templates/puppetserver-preInstall.configMap.yaml create mode 100644 helm/templates/puppetserver-pvc.yaml create mode 100644 helm/templates/puppetserver-service-agents-to-masters.yaml create mode 100644 helm/templates/puppetserver-service-compilers-headless.yaml create mode 100644 helm/templates/puppetserver-service-compilers.yaml create mode 100644 helm/templates/puppetserver-service-masters.yaml create mode 100644 helm/templates/puppetserver-statefulset-compilers.yaml create mode 100644 helm/templates/r10k-code-secret.yaml create mode 100644 helm/templates/r10k-code.configmap.yaml create mode 100644 helm/templates/r10k-hiera-secret.yaml create mode 100644 helm/templates/r10k-hiera.configmap.yaml create mode 100644 helm/values.yaml create mode 100644 scripts/10-analytics.sh create mode 100644 scripts/20-use-templates-initially.sh create mode 100644 scripts/30-set-permissions.sh create mode 100644 scripts/40-update-puppetdb-conf.sh create mode 100644 scripts/50-set-certname.sh create mode 100644 scripts/55-set-masterport.sh create mode 100644 scripts/60-setup-autosign.sh create mode 100644 scripts/70-set-dns-alt-names.sh create mode 100644 scripts/80-ca.sh create mode 100644 scripts/85-setup-storeconfigs.sh create mode 100644 scripts/90-log-config.sh create mode 100644 scripts/docker-entrypoint.sh create mode 100644 scripts/healthcheck.sh create mode 100644 scripts/logback.xml create mode 100644 scripts/puppetdb.conf create mode 100644 scripts/puppetserver create mode 100644 
scripts/puppetserver.conf create mode 100644 scripts/request-logging.xml
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..08591c2
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,238 @@
+#
+# BASE IMAGE
+#
+#ARG BASE_REGISTRY=nexus-docker-secure.levelup-nexus.svc.cluster.local:18082
+ARG BASE_REGISTRY=registry1.dsop.io/ironbank
+ARG BASE_IMAGE=redhat/ubi/ubi8
+ARG BASE_TAG=8.2
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} as base
+
+#
+# LABEL
+#
+LABEL name="Puppet Server" \
+ maintainer="jweatherford@oteemo.com" \
+ vendor="Puppet Labs" \
+ version="6.13.0" \
+ release="1" \
+ summary="Puppet Server Image" \
+ description="Puppet Server Image"
+
+#
+# BUILD ARGUMENTS
+#
+ARG PUPPET_VERSION=6.13.0
+
+#
+# UPDATE BASE and install RPMs, COPY gems
+#
+
+COPY puppetserver-6.13.0-1.el8.noarch.rpm /opt/puppetserver-6.13.0-1.el8.noarch.rpm
+COPY puppetdb-6.12.0-1.el8.noarch.rpm /opt/puppetdb-6.12.0-1.el8.noarch.rpm
+COPY puppet-agent-6.18.0-1.el8.x86_64.rpm /opt/puppet-agent-6.18.0-1.el8.x86_64.rpm
+COPY puppetdb-termini-6.12.0-1.el8.noarch.rpm /opt/puppetdb-termini-6.12.0-1.el8.noarch.rpm
+COPY colored2-3.1.2.gem /opt/colored2-3.1.2.gem
+COPY cri-2.15.10.gem /opt/cri-2.15.10.gem
+COPY faraday-0.17.3.gem /opt/faraday-0.17.3.gem
+COPY faraday_middleware-0.14.0.gem /opt/faraday_middleware-0.14.0.gem
+COPY fast_gettext-1.1.2.gem /opt/fast_gettext-1.1.2.gem
+COPY gettext-3.2.9.gem /opt/gettext-3.2.9.gem
+COPY gettext-setup-0.34.gem /opt/gettext-setup-0.34.gem
+COPY locale-2.1.3.gem /opt/locale-2.1.3.gem
+COPY log4r-1.1.10.gem /opt/log4r-1.1.10.gem
+COPY minitar-0.9.gem /opt/minitar-0.9.gem
+COPY multi_json-1.15.0.gem /opt/multi_json-1.15.0.gem
+COPY multipart-post-2.1.1.gem /opt/multipart-post-2.1.1.gem
+COPY puppet_forge-2.3.4.gem /opt/puppet_forge-2.3.4.gem
+COPY r10k-3.6.0.gem /opt/r10k-3.6.0.gem
+COPY semantic_puppet-1.0.2.gem /opt/semantic_puppet-1.0.2.gem
+COPY text-1.3.1.gem /opt/text-1.3.1.gem
+
+
+RUN yum update -y && \
+ yum -y upgrade
+
+RUN yum -y install java-1.8.0-openjdk-headless net-tools procps
+
+RUN rpm -Uvh /opt/puppet-agent-6.18.0-1.el8.x86_64.rpm
+RUN rpm -Uvh /opt/puppetserver-6.13.0-1.el8.noarch.rpm
+RUN rpm -Uvh /opt/puppetdb-6.12.0-1.el8.noarch.rpm
+
+############################################
+# Original Dockerfile contents
+
+ARG build_type=release
+ARG UBUNTU_CODENAME=ironbank
+
+ARG PACKAGES=ca-certificates\ git
+ARG DUMB_INIT_VERSION="1.2.2"
+
+
+######################################################
+# base
+######################################################
+
+ARG PACKAGES=ca-certificates\ git
+ARG DUMB_INIT_VERSION="1.2.2"
+
+#LABEL org.label-schema.maintainer="Puppet Release Team " \
+# org.label-schema.vendor="Puppet" \
+# org.label-schema.url="https://github.com/puppetlabs/puppetserver" \
+# org.label-schema.license="Apache-2.0" \
+# org.label-schema.vcs-url="https://github.com/puppetlabs/puppetserver" \
+# org.label-schema.schema-version="1.0" \
+# org.label-schema.dockerfile="/Dockerfile"
+
+ENV PUPPERWARE_ANALYTICS_TRACKING_ID="UA-132486246-4" \
+ PUPPERWARE_ANALYTICS_APP_NAME="puppetserver" \
+ PUPPERWARE_ANALYTICS_ENABLED=false \
+ PUPPETSERVER_JAVA_ARGS="-Xms512m -Xmx512m" \
+ PATH=/opt/puppetlabs/server/bin:/opt/puppetlabs/puppet/bin:/opt/puppetlabs/bin:$PATH \
+ SSLDIR=/etc/puppetlabs/puppet/ssl \
+ LOGDIR=/var/log/puppetlabs/puppetserver \
+ PUPPETSERVER_HOSTNAME="" \
+ DNS_ALT_NAMES="" \
+ PUPPET_MASTERPORT=8140 \
+ AUTOSIGN="" \
+ PUPPETSERVER_MAX_ACTIVE_INSTANCES=1 \
+ PUPPETSERVER_MAX_REQUESTS_PER_INSTANCE=0 \
+ CA_ENABLED=true \
+ CA_HOSTNAME=puppet \
+ CA_MASTERPORT=8140 \
+ CA_ALLOW_SUBJECT_ALT_NAMES=false \
+ USE_PUPPETDB=true \
+ PUPPETDB_SERVER_URLS=https://puppetdb:8081 \
+ PUPPET_STORECONFIGS_BACKEND="puppetdb" \
+ PUPPET_STORECONFIGS=true \
+ PUPPET_REPORTS="puppetdb"
+
+
+#ADD https://github.com/Yelp/dumb-init/releases/download/v"$DUMB_INIT_VERSION"/dumb-init_"$DUMB_INIT_VERSION"_amd64.deb /
+COPY dumb-init-1.2.2-6.el8.x86_64.rpm /opt/dumb-init-1.2.2-6.el8.x86_64.rpm
+
+
+COPY scripts/docker-entrypoint.sh \
+ scripts/healthcheck.sh \
+ /
+
+#COPY docker/puppetserver/docker-entrypoint.d /docker-entrypoint.d
+
+# Because cloning the repo would be too easy, we have to do it the damned hard way for IRONBANK
+RUN mkdir /docker-entrypoint.d && \
+ chmod 0755 /docker-entrypoint.d
+COPY scripts/10-analytics.sh /docker-entrypoint.d/
+COPY scripts/20-use-templates-initially.sh /docker-entrypoint.d/
+COPY scripts/30-set-permissions.sh /docker-entrypoint.d/
+COPY scripts/40-update-puppetdb-conf.sh /docker-entrypoint.d/
+COPY scripts/50-set-certname.sh /docker-entrypoint.d/
+COPY scripts/55-set-masterport.sh /docker-entrypoint.d/
+COPY scripts/60-setup-autosign.sh /docker-entrypoint.d/
+COPY scripts/70-set-dns-alt-names.sh /docker-entrypoint.d/
+COPY scripts/80-ca.sh /docker-entrypoint.d/
+COPY scripts/85-setup-storeconfigs.sh /docker-entrypoint.d/
+COPY scripts/90-log-config.sh /docker-entrypoint.d/
+
+
+### Original apt base
+# no need to pin versions or clear apt cache as its still being used
+# hadolint ignore=DL3008,DL3009
+#RUN chmod +x /docker-entrypoint.sh /healthcheck.sh && \
+# apt-get update && \
+# apt-get install -y --no-install-recommends $PACKAGES && \
+# dpkg -i dumb-init_"$DUMB_INIT_VERSION"_amd64.deb && \
+# rm dumb-init_"$DUMB_INIT_VERSION"_amd64.deb
+
+# IRONBANK version
+RUN chmod +x /docker-entrypoint.sh /healthcheck.sh && \
+ yum -y update && \
+ yum -y upgrade && \
+ rpm -Uvh /opt/dumb-init-1.2.2-6.el8.x86_64.rpm && \
+ rm -f /opt/dumb-init-1.2.2-6.el8.x86_64.rpm
+
+
+######################################################
+# release (build from packages)
+######################################################
+
+FROM base as release
+
+ARG version
+ARG UBUNTU_CODENAME
+ARG install_path=puppetserver="$version"-1"$UBUNTU_CODENAME"
+#ARG deb_uri=https://apt.puppetlabs.com/puppet6-release-$UBUNTU_CODENAME.deb
+#ARG rpm_repo=puppet6-release-el-8.noarch.rpm
+
+######################################################
+# final image
+######################################################
+
+# dynamically selects "edge" or "release" alias based on ARG
+# hadolint ignore=DL3006
+FROM release as final
+
+ARG build_type
+ARG vcs_ref
+ARG version
+ARG build_date
+ARG install_path
+#ARG deb_uri
+ARG rpm_repo
+# used by entrypoint to submit metrics to Google Analytics;
+# published images should use "production" for this build_arg
+ARG pupperware_analytics_stream="production"
+
+# hadolint ignore=DL3020
+#ADD $deb_uri /puppet.deb
+
+## hadolint ignore=DL3008,DL3028
+#RUN dpkg -i /puppet.deb && \
+# rm /puppet.deb && \
+# apt-get update && \
+# apt-get install --no-install-recommends -y $install_path puppetdb-termini && \
+# apt-get clean && \
+# rm -rf /var/lib/apt/lists/* && \
+# gem install --no-rdoc --no-ri r10k && \
+# puppet config set autosign true --section master && \
+# cp -pr /etc/puppetlabs/puppet /var/tmp && \
+# cp -pr /opt/puppetlabs/server/data/puppetserver /var/tmp && \
+# rm -rf /var/tmp/puppet/ssl
+
+RUN rpm -Uvh /opt/puppetdb-termini-6.12.0-1.el8.noarch.rpm && \
+ yum clean all && \
+ rm -rf /var/yum/cache/* && \
+ gem install --local --no-rdoc --no-ri --ignore-dependencies /opt/*.gem && \
+ puppet config set autosign true --section master && \
+ cp -pr /etc/puppetlabs/puppet /var/tmp && \
+ cp -pr /opt/puppetlabs/server/data/puppetserver /var/tmp && \
+ rm -rf /var/tmp/puppet/ssl
+
+COPY scripts/puppetserver /etc/default/puppetserver
+COPY scripts/logback.xml \
+ scripts/request-logging.xml \
+ /etc/puppetlabs/puppetserver/
+COPY scripts/puppetserver.conf /etc/puppetlabs/puppetserver/conf.d/
+COPY scripts/puppetdb.conf /var/tmp/puppet/
+
+COPY Dockerfile /
+
+
+
+#############################################
+
+
+# CLEANUP
+
+RUN yum clean all
+RUN rm -rfv /var/cache/yum
+RUN rm -rvf /opt/*.rpm
+RUN rm -rvf /opt/*.gem
+
+EXPOSE 8140
+
+USER puppet
+
+ENTRYPOINT ["dumb-init", "/docker-entrypoint.sh"]
+CMD ["foreground"]
+
+# k8s uses livenessProbe, startupProbe, readinessProbe and ignores HEALTHCHECK
+HEALTHCHECK --interval=10s --timeout=15s --retries=12 --start-period=3m CMD ["/healthcheck.sh"]
\ No newline at end of file
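Review bot: `puppet config set autosign true --section master` in the final-stage RUN bakes autosign=true into puppet.conf before that directory is copied to /var/tmp, while the ENV block above defaults `AUTOSIGN=""`; unless scripts/60-setup-autosign.sh (outside this hunk) rewrites the setting whenever AUTOSIGN is empty, a container started without that variable signs every certificate request it receives. I would either drop the build-time `puppet config set` and let the entrypoint own the value, or put a comment above it such as `# autosign is forced on at build time; the entrypoint MUST rewrite it from $AUTOSIGN before the service starts`. In the same RUN, `rm -rf /var/yum/cache/*` is not the directory yum caches into (the file itself removes /var/cache/yum in the later `RUN rm -rfv /var/cache/yum`), so that line is a no-op and can go. Note also that `RUN rm -rvf /opt/*.rpm` and `RUN rm -rvf /opt/*.gem` only hide files that the earlier per-file COPY layers keep in the image history; deleting them in the same layer that installs them, or staging them with COPY --from, is what actually keeps them out of the shipped image.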
diff --git a/Jenkinsfile b/Jenkinsfile
new file mode 100644
index 0000000..c0759cf
--- /dev/null
+++ b/Jenkinsfile
@@ -0,0 +1,2 @@
+@Library('DCCSR@puppet-server') _
+dccsrPipeline(version: '6.13.0')
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..82714d7
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright {yyyy} {name of copyright owner} + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. \ No newline at end of file diff --git a/README.md b/README.md index f2a2b88..1084122 100644 --- a/README.md +++ b/README.md 
@@ -1,3 +1,54 @@ -# master-project-template +# Puppet Server v6.13.0 -Project template for all Iron Bank container repositories. \ No newline at end of file +You can run a copy of Puppet Server with the following Docker command: + + docker run --name puppet --hostname puppet puppet/puppetserver + +Although it is not strictly necessary to name the container puppet, this is useful when working with the other Puppet images, as they will look for a master on that hostname by default. + +If you would like to start the Puppet Server with your own Puppet code, you can mount your own directory at /etc/puppetlabs/code: + + docker run --name puppet --hostname puppet -v ./code:/etc/puppetlabs/code/ puppet/puppetserver + +You can find out more about Puppet Server in the official documentation. + +See the pupperware repository for running a full Puppet stack using Docker Compose. + +**Configuration** +The following environment variables are supported: + +| Name | Usage / Default | +| ------ | ------ | +| PUPPETSERVER_HOSTNAME | The DNS name used on the masters SSL certificate - sets the certname and server in puppet.conf

Defaults to unset. | +| DNS_ALT_NAMES | Additional DNS names to add to the masters SSL certificate

Note only effective on initial run when certificates are generated | +| PUPPET_MASTERPORT | The port of the puppet master

8140 | +| AUTOSIGN | Whether or not to enable autosigning on the puppetserver instance. Valid values match true | +| CA_ENABLED | Whether or not this puppetserver instance has a running CA (Certificate Authority)

true | +| CA_HOSTNAME | The DNS hostname for the puppetserver running the CA. Does nothing unless CA_ENABLED=false

puppet | +| CA_MASTERPORT | The listening port of the CA. Does nothing unless CA_ENABLED=false

8140 | +| CA_ALLOW_SUBJECT_ALT_NAMES | Whether or not SSL certificates containing Subject Alternative Names should be signed by the CA. Does nothing unless CA_ENABLED=true.

false | +| PUPPET_REPORTS | Sets reports in puppet.conf

puppetdb | +| PUPPET_STORECONFIGS | Sets storeconfigs in puppet.conf

true | +| PUPPET_STORECONFIGS_BACKEND | Sets storeconfigs_backend in puppet.conf

puppetdb | +| PUPPETDB_SERVER_URLS | The server_urls to set in /etc/puppetlabs/puppet/puppetdb.conf

https://puppetdb:8081 | +| USE_PUPPETDB | Whether to connect to puppetdb Sets PUPPET_REPORTS to log and PUPPET_STORECONFIGS to false if those unset

true | +| PUPPETSERVER_MAX_ACTIVE_INSTANCES | The maximum number of JRuby instances allowed

1 | +| PUPPETSERVER_MAX_REQUESTS_PER_INSTANCE | The maximum HTTP requests a JRuby instance will handle in its lifetime (disable instance flushing)

0 | +| PUPPETSERVER_JAVA_ARGS | Arguments passed directly to the JVM when starting the service

-Xms512m -Xmx512m | +| PUPPERWARE_ANALYTICS_ENABLED | Set to true to enable Google Analytics

false | + +#**Initialization Scripts**# +If you would like to do additional initialization, add a directory called /docker-custom-entrypoint.d/ and fill it with .sh scripts. These scripts will be executed at the end of the entrypoint script, before the service is ran. + +#**Analytics Data Collection**# +The puppetserver container collects usage data. This is disabled by default. You can enable it by passing --env PUPPERWARE_ANALYTICS_ENABLED=true to your docker run command. + +##**What data is collected?**## +Version of the puppetserver container. +Anonymized IP address is used by Google Analytics for Geolocation data, but the IP address is not collected. + +##**Why does the puppetserver container collect data?**## +We collect data to help us understand how the containers are used and make decisions about upcoming changes. + +##**How can I opt out of puppetserver container data collection?**## +This is disabled by default. diff --git a/download.yaml b/download.yaml new file mode 100644 index 0000000..5f5f562 --- /dev/null +++ b/download.yaml 
@@ -0,0 +1,106 @@
+resources:
+ - url: https://cbs.centos.org/kojifiles/packages/dumb-init/1.2.2/6.el8/x86_64/dumb-init-1.2.2-6.el8.x86_64.rpm
+ filename: "dumb-init-1.2.2-6.el8.x86_64.rpm"
+ validation:
+ type: sha512
+ value: bcfabdb039ce06a49d39d4bcc1d70fa38ee56ed50edc06019648a14ec898ad5afa1ec30dbff2da166c8f5557316b2b3659523787d34cb81223cf3a373242fa3f
+ - url: http://yum.puppetlabs.com/puppet6/el/8/x86_64/puppetserver-6.13.0-1.el8.noarch.rpm
+ filename: "puppetserver-6.13.0-1.el8.noarch.rpm"
+ validation:
+ type: sha512
+ value: c5b1b4f986c6134cbb138037aefeb0399c92a7ff897c729e4c43863894cdefb808449d7c23e6da6273ca305d9821d8d85577f8ea8fbdbfa237ab45f42cac01cb
+ - url: http://yum.puppetlabs.com/puppet6/el/8/x86_64/puppetdb-6.12.0-1.el8.noarch.rpm
+ filename: "puppetdb-6.12.0-1.el8.noarch.rpm"
+ validation:
+ type: sha512
+ value: 07e13e28c72af46b063ae2bf9de7fc39a6fb6d878d54e44b179e0038e08e07c813baca4d19869cc6420b3b458ff913f20ad58de900736e6a4e160fc1de6ecf04
+ - url: https://yum.puppet.com/puppet6/el/8/x86_64/puppet-agent-6.18.0-1.el8.x86_64.rpm
+ filename: "puppet-agent-6.18.0-1.el8.x86_64.rpm"
+ validation:
+ type: sha512
+ value: 6a9644ccd2937d8f6ef4319af8f11ecd270aa1770b55fe2be48b8666002fc58a24b2f8e6793600c21866dd3bdc7f1d8cb248f8860c11fd2fb7b0dc962f9ee88a
+ - url: https://yum.puppet.com/puppet6/el/8/x86_64/puppetdb-termini-6.12.0-1.el8.noarch.rpm
+ filename: "puppetdb-termini-6.12.0-1.el8.noarch.rpm"
+ validation:
+ type: sha512
+ value: 3e541326cf4c2de0205883313df8f3748b935c859faa9fa01e72db7d764b1dbfea558b9a0e347e1ef1fe09627b9b6d0131f61e5cdcc49db9cc0bccb38db5a0a7
+ - url: https://rubygems.org/downloads/colored2-3.1.2.gem
+ filename: colored2-3.1.2.gem
+ validation:
+ type: sha512
+ value: 20a3d610e7ff4097129eebf8d5f6cd5618cd5763dc14ad97c2570047c4f75ff371d3bea1b528f8c1b806b102e13834fd0092f9ae50590f11e70157e4584b915b
+ - url: https://rubygems.org/downloads/cri-2.15.10.gem
+ filename: cri-2.15.10.gem
+ validation:
+ type: sha512
+ value: 577ee6ba07f08d46e67420fb2e579647857207a2d88f1782545b28e6f26cd6b93d554c904e00af38d7f87eb0fd476c66552ec6b1469fa268faad1ff5d1ab8f15
+ - url: https://rubygems.org/downloads/faraday-0.17.3.gem
+ filename: faraday-0.17.3.gem
+ validation:
+ type: sha512
+ value: 5e950a01181692224767b598924fd3892696f7d56688e33281b031af7b047ca3e7ccdedbd486f82fd1fed6779b24517523d3177407435aa50cccb9cb95b43143
+ - url: https://rubygems.org/downloads/faraday_middleware-0.14.0.gem
+ filename: faraday_middleware-0.14.0.gem
+ validation:
+ type: sha512
+ value: 8b361b04a9adfee2cd2ce3cfa07fba3f5fb8f4e9b77778023e536e4fe0078e5d56627d2c86a4a4794c833544bbb2d1d67f32c2e016b306296a05b0e863eecfe6
+ - url: https://rubygems.org/downloads/fast_gettext-1.1.2.gem
+ filename: fast_gettext-1.1.2.gem
+ validation:
+ type: sha512
+ value: 7b83e9ecac0538b9ccc0134cda863f9c8a048e97809dedec24ee53b38fd6011b7aa06503d155594af954f4a009fa61f9cc9be156914c60791350b61d409fbbf2
+ - url: https://rubygems.org/downloads/gettext-3.2.9.gem
+ filename: gettext-3.2.9.gem
+ validation:
+ type: sha512
+ value: 21496c38cfc16a2b280f30bb94ff4560007eaa7f02c2341cb26aca2969a663c0863cdb650b4eadfd262d8585111dfb572e2ebc66a7a879045de50bf9da80a501
+ - url: https://rubygems.org/downloads/gettext-setup-0.34.gem
+ filename: gettext-setup-0.34.gem
+ validation:
+ type: sha512
+ value: 54b49f471f4d513f689680e6e5f418440727ac411b0b702249f2551e4a786bd01571cf1098cc2de55b5a5028c5fcc576ef5ced5359b87fa1affda400bf760de8
+ - url: https://rubygems.org/downloads/locale-2.1.3.gem
+ filename: locale-2.1.3.gem
+ validation:
+ type: sha512
+ value: 09e305e4aa3359eebe87ceef1c4cdd8ad87c57d08daafb3c0bcdc31c05a82784ae0e2b2e5113dea5fbd22b641e707961d880f4274f36454ec7b2927ba396f986
+ - url: https://rubygems.org/downloads/log4r-1.1.10.gem
+ filename: log4r-1.1.10.gem
+ validation:
+ type: sha512
+ value: a3a9e6c9ef5b388106afc4d402455ec480729cb58054794e6ff6c963b4d819776bf5b57ef5ab7499ddc9a6b3c10f299a133f3f5986d94ee0a438b64ede5bc143
+ - url: https://rubygems.org/downloads/minitar-0.9.gem
+ filename: minitar-0.9.gem
+ validation:
+ type: sha512
+ value: de9d75a2839d7c1bbcfe23eec3d77d2e9fd233b4469d70a9d037f3bca3565102e6978286428e0bcde9748ca635915b73ecaa11356e1d45ccc8521fc663e4925e
+ - url: https://rubygems.org/downloads/multi_json-1.15.0.gem
+ filename: multi_json-1.15.0.gem
+ validation:
+ type: sha512
+ value: 5021b66bd607bde8679899ff48fbf596cdf6a4f6c026472b20f25bd1933d105bef597c143ab529804d7b5a4a244476be24555f13a7fbe9fef30bbe1fb92978eb
+ - url: https://rubygems.org/downloads/multipart-post-2.1.1.gem
+ filename: multipart-post-2.1.1.gem
+ validation:
+ type: sha512
+ value: afa16717ee136f0bbbc20fe243252831604740bb61fa7288a2437a4a67638f660a4bd491b5326b034173e9e8352f2659f27dc8aaa761721f7111b7e9e704582f
+ - url: https://rubygems.org/downloads/puppet_forge-2.3.4.gem
+ filename: puppet_forge-2.3.4.gem
+ validation:
+ type: sha512
+ value: f903f3ecbfdfe80b4c9d769ba1f622bf64cd723fd9165d1e3ed27296eb0e2e67f827fbc5faf460391e462cfd1cc652e573093dae29622726b3e5a37e01cf61ec
+ - url: https://rubygems.org/downloads/r10k-3.6.0.gem
+ filename: r10k-3.6.0.gem
+ validation:
+ type: sha512
+ value: 3b495bf951fd5040378769e78a88c7b1fee33d8f2bb80691666425770707d3e23bc58a35c76a7bc2af1a86ed4ce63578e84d125f77d418fdf1e414ab79975bcb
+ - url: https://rubygems.org/downloads/semantic_puppet-1.0.2.gem
+ filename: semantic_puppet-1.0.2.gem
+ validation:
+ type: sha512
+ value: b059d8c7b13ae96dfe012318e7c6ee483cc09986d5d065c8422167a27a14d8e99433229c90388a7ff9ee425a0f5b6a6a6d5bc55f8b81901490afd8039ea86480
+ - url: https://rubygems.org/downloads/text-1.3.1.gem
+ filename: text-1.3.1.gem
+ validation:
+ type: sha512
+ value: 0380fc77e2f0d427afd9015ed904947311139e52adf3d49b748d0e6ee32c579073ec979f0cdbc117b53e3d841f25ce9f271637dd7edb5f6e124e369cca788eb8
diff --git a/helm/.helmignore b/helm/.helmignore
new file mode 100644
index 0000000..a2d1fea
--- /dev/null
+++ b/helm/.helmignore
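Review bot: The puppetserver and puppetdb RPM entries fetch over plain `http://yum.puppetlabs.com/...` while the puppet-agent and puppetdb-termini entries in the same file already use `https://yum.puppet.com/...`. The sha512 `validation` block still rejects a tampered download, but an in-transit modification then surfaces as a build failure rather than being prevented, and mixing schemes for artifacts from the same vendor reads like an oversight rather than a choice. I would move both to the same path under the HTTPS host the other entries use, `- url: https://yum.puppet.com/puppet6/el/8/x86_64/puppetserver-6.13.0-1.el8.noarch.rpm` and `- url: https://yum.puppet.com/puppet6/el/8/x86_64/puppetdb-6.12.0-1.el8.noarch.rpm`, and confirm the recorded hashes still match after the switch.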
@@ -0,0 +1,26 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+# helm/charts
+OWNERS
+hack/
+ci/
+puppetserver-*.tgz
diff --git a/helm/CHANGELOG.md b/helm/CHANGELOG.md
new file mode 100644
index 0000000..d073601
--- /dev/null
+++ b/helm/CHANGELOG.md
@@ -0,0 +1,371 @@ +# Change Log + +This file documents all notable changes to Puppet Server Helm Chart. The release +numbering uses [semantic versioning](http://semver.org). + +NOTE: The change log until version `v0.2.4` is auto-generated. + +## [v5.0.1](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v5.0.1) (2020-09-19) + +- Fix for resource names of Horizontal Pod Autoscalers. +- Several `README` updates. + +[Full Changelog](https://github.com/puppetlabs/puppetserver-helm-chart/compare/v5.0.0...v5.0.1) + +## [v5.0.0](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v5.0.0) (2020-09-12) + +- Externalize the creation of PostgreSQL backend using the Bitnami's PostgreSQL Helm chart. +- Add high-availability and performance read replicas support for PostgreSQL. +- Add storage persistence for PostgreSQL. +- Allow only manual storage deletion for PostgreSQL. +- Tweak r10k cronjob schedules and Puppet Server components storage size. +- Add Hiera v5 example with explanations. +- Improve info comments and exemplary values in Values file. +- Bump PuppetDB to `v6.12.0`, and PostgreSQL to `v11.9.*`. +- Add `CODEOWNERS`. +- Numerous other small tweaks. + +[Full Changelog](https://github.com/puppetlabs/puppetserver-helm-chart/compare/v4.4.0...v5.0.0) + +## [v4.4.0](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v4.4.0) (2020-08-24) + +- Allow for changing the default Puppet Server ports for Masters and Compilers. +- Switch to percentage `rollingUpdate` strategy for Puppet Masters. +- Set `updateStrategy` to `RollingUpdate` for Puppet Compilers. +- Bump `puppetserver` to `v6.12.1`, `puppetdb` to `v6.11.3`, `r10k` to `v3.5.2`, `puppetboard` to `v2.2.0`, `postgres` to `v9.6.19`. +- Code style fixes in "values.yaml". +- Improve `Testing the Deployed Chart Resources` in `README.md`. 
+ +[Full Changelog](https://github.com/puppetlabs/puppetserver-helm-chart/compare/v4.3.0...v4.4.0) + +## [v4.3.0](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v4.3.0) (2020-07-24) + +- Liveness and readiness probes for Puppet Server. +- Adjust further resource naming. +- Style improvements in `README`. +- Small fixes in `values`. + +[Full Changelog](https://github.com/puppetlabs/puppetserver-helm-chart/compare/v4.2.1...v4.3.0) + +## [v4.2.1](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v4.2.1) (2020-07-08) + +- Fix naming for Puppet Server Masters' Ingress. + +[Full Changelog](https://github.com/puppetlabs/puppetserver-helm-chart/compare/v4.2.0...v4.2.1) + +## [v4.2.0](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v4.2.0) (2020-06-23) + +- Add Helm v2 backward compatibility. +- Update README to reflect Helm v2 backward compatibility. +- Improve post-deployment NOTES to show recommended Puppet Server Masters K8s Service name. + +[Full Changelog](https://github.com/puppetlabs/puppetserver-helm-chart/compare/v4.1.1...v4.2.0) + +## [v4.1.1](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v4.1.1) (2020-06-22) + +- Small adjustments in `README` for new chart app name and new default Puppetboard image owner. + +[Full Changelog](https://github.com/puppetlabs/puppetserver-helm-chart/compare/v4.1.0...v4.1.1) + +## [v4.1.0](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v4.1.0) (2020-06-22) + +- Rework Puppetboard support. +- Add Puppetboard Service. +- Add optional Puppetboard Ingress. +- Change default chart app name to `puppetserver`. +- Bump Puppetboard to `v2.1.2`, r10k to `v3.5.1`, and PostgreSQL to `v9.6.18`. +- Other small improvements and fixes. +- Update `OWNERS`. 
+ +[Full Changelog](https://github.com/puppetlabs/puppetserver-helm-chart/compare/v4.0.0...v4.1.0) + +## [v4.0.0](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v4.0.0) (2020-06-08) + +- Support for multiple Puppetserver Compilers (optionally) on different K8s nodes (incl. across different cloud zones). +- Improved support for multiple Puppetserver Masters. +- Switch to sidecar containers for r10k. +- Support for separate load-balancing between Puppetserver Master/s and Compiler/s. +- Simplified topology requirements (especially in the cloud). +- Improved resource naming. +- Ability to set K8s resource limits per component. +- Readiness probes for r10k. +- Improved built-in Go helpers. +- Lowered resource usage of the Puppetserver `initContainers`. +- More syntax consistent and easier to navigate templates code. +- Bump Puppetserver to `v6.10.0`, PuppetDB to `v6.10.1`, and PostgreSQL to `v9.6.17`. +- Various small improvements and fixes. +- Simpler documentation. + +[Full Changelog](https://github.com/puppetlabs/puppetserver-helm-chart/compare/v3.0.2...v4.0.0) + +## [v3.0.2](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v3.0.2) (2020-05-01) + +- Add Puppet repo instruction to `README`. + +[Full Changelog](https://github.com/puppetlabs/puppetserver-helm-chart/compare/v3.0.1...v3.0.2) + +## [v3.0.1](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v3.0.1) (2020-05-01) + +- Documentation updates to reflect the new GitHub repo and contact details of the chart. +- Updated `install` and `test` instructions. + +[Full Changelog](https://github.com/puppetlabs/puppetserver-helm-chart/compare/v3.0.0...v3.0.1) + +## [v3.0.0](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v3.0.0) (2020-04-05) + +- Helm v3 support. +- Improved documentation. +- Log msg fixes. +- Bump versions of Puppet Server (to v6.9.2) and PuppetDB (to v6.9.1). +- Other small fixes. 
+ +[Full Changelog](https://github.com/puppetlabs/puppetserver-helm-chart/compare/v1.8.2...v3.0.0) + +## [v1.8.2](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v1.8.2) (2020-03-22) + +- Better default auto-scaling and resource limits values for Puppetserver. + +[Full Changelog](https://github.com/puppetlabs/puppetserver-helm-chart/compare/v1.8.1...v1.8.2) + +## [v1.8.1](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v1.8.1) (2020-03-21) + +- Fix auto-scaling of Puppetserver. + +[Full Changelog](https://github.com/puppetlabs/puppetserver-helm-chart/compare/v1.8.0...v1.8.1) + +## [v1.8.0](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v1.8.0) (2020-03-13) + +- Better distinction between storage selectors. +- Bump default versions: Puppetserver to `6.9.0` and PuppetDB to `6.9.0`. + +[Full Changelog](https://github.com/puppetlabs/puppetserver-helm-chart/compare/v1.7.2...v1.8.0) + +## [v1.7.2](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v1.7.2) (2020-02-11) + +- Improve further `Chart.yaml`. +- Clean outdated comments in Values file. + +[Full Changelog](https://github.com/puppetlabs/puppetserver-helm-chart/compare/v1.7.1...v1.7.2) + +## [v1.7.1](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v1.7.1) (2020-02-01) + +- Improve `Chart.yaml`. +- Bump default versions: Puppetserver to `6.8.0`, PostgreSQL to `9.6.16` and PuppetDB to `6.8.1`. + +[Full Changelog](https://github.com/puppetlabs/puppetserver-helm-chart/compare/v1.7.0...v1.7.1) + +## [v1.7.0](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v1.7.0) (2020-01-27) + +- Add support for multiple Puppet Compile Masters. +- Fix passing extra container environment variables. +- Indentation improvements. +- Bump default PuppetDB version to `6.8.0`. 
+ +[Full Changelog](https://github.com/puppetlabs/puppetserver-helm-chart/compare/v1.6.6...v1.7.0) + +## [v1.6.6](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v1.6.6) (2020-01-09) + +- Fix outdated r10k exemplary variable in README. + +[Full Changelog](https://github.com/puppetlabs/puppetserver-helm-chart/compare/v1.6.5...v1.6.6) + +## [v1.6.5](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v1.6.5) (2020-01-05) + +- Fixes for Helm packaging. + +[Full Changelog](https://github.com/puppetlabs/puppetserver-helm-chart/compare/v1.6.4...v1.6.5) + +## [v1.6.4](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v1.6.4) (2020-01-04) + +- Corrections and additional info for use of Ingress resource. + +[Full Changelog](https://github.com/puppetlabs/puppetserver-helm-chart/compare/v1.6.3...v1.6.4) + +## [v1.6.3](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v1.6.3) (2020-01-03) + +- Allow for using the chart as a chart package. + +[Full Changelog](https://github.com/puppetlabs/puppetserver-helm-chart/compare/v1.6.2...v1.6.3) + +## [v1.6.2](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v1.6.2) (2020-01-01) + +- Puppetserver Service: + +1. Allow for more general way of setting the network protocol. +2. Improve the way of setting the loadBalancerIP. + +[Full Changelog](https://github.com/puppetlabs/puppetserver-helm-chart/compare/v1.6.1...v1.6.2) + +## [v1.6.1](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v1.6.1) (2019-12-31) + +- Add comments in Values file for Puppetserver Service. + +[Full Changelog](https://github.com/puppetlabs/puppetserver-helm-chart/compare/v1.6.0...v1.6.1) + +## [v1.6.0](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v1.6.0) (2019-12-26) + +- Add optional affinity for "r10k" pod assignment. +- File permission fixes for "r10k" jobs' SSH keys. +- Security fixes for the "r10k" jobs. 
+ +[Full Changelog](https://github.com/puppetlabs/puppetserver-helm-chart/compare/v1.5.3...v1.6.0) + +## [v1.5.3](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v1.5.3) (2019-12-09) + +- Small README fixes. +- Add information about the chart in the main [README.md](https://github.com/puppetlabs/pupperware/blob/master/README.md) of Puppetlabs's Pupperware repo. + +[Full Changelog](https://github.com/puppetlabs/puppetserver-helm-chart/compare/v1.5.2...v1.5.3) + +## [v1.5.2](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v1.5.2) (2019-12-06) + +- Fix PuppetDB usage of pre-generated Puppet SSL certs. +- Increase deadline time for Puppet pre-install job. + +[Full Changelog](https://github.com/puppetlabs/puppetserver-helm-chart/compare/v1.5.1...v1.5.2) + +## [v1.5.1](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v1.5.1) (2019-12-03) + +- Small Indentation Fixes. +- Use Recommended Dir for PostreSQL's PGDATA. + +[Full Changelog](https://github.com/puppetlabs/puppetserver-helm-chart/compare/v1.5.0...v1.5.1) + +## [v1.5.0](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v1.5.0) (2019-12-02) + +- Fixes and additions to setting SSH credentials from existing K8s secret. +- Create separate r10k jobs/schedules for Control Repo and Hiera Data. +- Place r10k cache on PVC. +- Deprecate HTTPS authentication. +- Indentation corrections. +- General code clean-up. +- Updates to README. + +[Full Changelog](https://github.com/puppetlabs/puppetserver-helm-chart/compare/v1.4.0...v1.5.0) + +## [v1.4.0](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v1.4.0) (2019-11-28) + +- Add optional usage of pre-generated Puppet SSL certificates. +- Use default path for eYaml keys. +- Small Values file comment fixes. +- Code clean-up and lint fixes. 
+ +[Full Changelog](https://github.com/puppetlabs/puppetserver-helm-chart/compare/v1.3.1...v1.4.0) + +## [v1.3.1](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v1.3.1) (2019-11-25) + +- Small Values file fix. + +[Full Changelog](https://github.com/puppetlabs/puppetserver-helm-chart/compare/v1.3.0...v1.3.1) + +## [v1.3.0](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v1.3.0) (2019-11-25) + +- [Firewall Related] Add support for separate r10k network protocols to gather the code of Puppet and Hiera repos. +- Increase default r10k sync runtime interval to every 5 minutes. +- Syntax improvements. + +[Full Changelog](https://github.com/puppetlabs/puppetserver-helm-chart/compare/v1.2.2...v1.3.0) + +## [v1.2.2](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v1.2.2) (2019-11-24) + +- Fixes and +- `r10k` now runs with the `puppet` username and group id - meaning all the files in `/etc/puppetlabs` are now owned by Puppet Server. + +[Full Changelog](https://github.com/puppetlabs/puppetserver-helm-chart/compare/v1.2.1...v1.2.2) + +## [v1.2.1](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v1.2.1) (2019-11-22) + +- Fixes for "r10k" extra container args. +- Values file small fixes. + +[Full Changelog](https://github.com/puppetlabs/puppetserver-helm-chart/compare/v1.2.0...v1.2.1) + +## [v1.2.0](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v1.2.0) (2019-11-21) + +- Add optional extra container environment variables. +- Add optional "r10k" extra container arguments. +- Bump PupptDB to v6.7.3. +- Small code indentation improvements. +- README updates. + +[Full Changelog](https://github.com/puppetlabs/puppetserver-helm-chart/compare/v1.1.0...v1.2.0) + +## [v1.1.0](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v1.1.0) (2019-11-19) + +- Switch Pulling the Hiera Data Repo from Using "git_sync" to "r10k". 
+ +[Full Changelog](https://github.com/puppetlabs/puppetserver-helm-chart/compare/v1.0.1...v1.1.0) + +## [v1.0.1](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v1.0.1) (2019-11-11) + +- Fix Permissions for Hiera, Puppet Server and eYaml Configs. + +[Full Changelog](https://github.com/puppetlabs/puppetserver-helm-chart/compare/v1.0.0...v1.0.1) + +## [v1.0.0](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v1.0.0) (2019-11-08) + +- Differentiate "nodeSelector" for Pods with Common Storage. +- Fix for PostgreSQL on AWS. +- Small Syntax and Indentation Fixes. +- Improve README. +- Improve Values Comments. + +[Full Changelog](https://github.com/puppetlabs/puppetserver-helm-chart/compare/v0.3.5...v1.0.0) + +## [v0.3.5](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v0.3.5) (2019-10-31) + +- Add Optional `selector` for PVs/PVCs. +- Switch to Apache v2.0 License. + +[Full Changelog](https://github.com/puppetlabs/puppetserver-helm-chart/compare/v0.3.4...v0.3.5) + +## [v0.3.4](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v0.3.4) (2019-10-28) + +- Add Ingress. +- Improve Tmpl Helpers. +- Improve `NOTES`. + +[Full Changelog](https://github.com/puppetlabs/puppetserver-helm-chart/compare/v0.3.3...v0.3.4) + +## [v0.3.3](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v0.3.3) (2019-10-27) + +- Add Optional Static Data Volumes. +- Add Configurable PVC's Size. +- Add Optional PVC's Annotations. + +[Full Changelog](https://github.com/puppetlabs/puppetserver-helm-chart/compare/v0.3.2...v0.3.3) + +## [v0.3.2](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v0.3.2) (2019-10-26) + +- Add optional extra Pod Annotations. +- Add optional Pod Priority Scheduling. +- Add LICENSE. +- Add CHANGELOG. +- Update README. +- Fixes. 
+ +[Full Changelog](https://github.com/puppetlabs/puppetserver-helm-chart/compare/v0.3.1...v0.3.2) + +## [v0.3.1](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v0.3.1) (2019-10-24) + +- Add optional "nodeSelector", "affinity" and "tolerations" for Pod Deployments. +- Improve Values Comments. +- Bump Component Versions. + +[Full Changelog](https://github.com/puppetlabs/puppetserver-helm-chart/compare/v0.2.4...v0.3.1) + +## [v0.2.4](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v0.2.4) (2019-10-12) + +[Full Changelog](https://github.com/puppetlabs/puppetserver-helm-chart/compare/v0.2.3...v0.2.4) + +## [v0.2.3](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v0.2.3) (2019-10-11) + +[Full Changelog](https://github.com/puppetlabs/puppetserver-helm-chart/compare/v0.2.2...v0.2.3) + +## [v0.2.2](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v0.2.2) (2019-10-09) + +[Full Changelog](https://github.com/puppetlabs/puppetserver-helm-chart/compare/v0.2.0...v0.2.2) + +## [v0.2.0](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v0.2.0) (2019-09-20) + +\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)* diff --git a/helm/Chart.yaml b/helm/Chart.yaml new file mode 100644 index 0000000..3a0b914 --- /dev/null +++ b/helm/Chart.yaml 
@@ -0,0 +1,23 @@
+apiVersion: v1
+name: puppetserver
+version: 5.0.1
+appVersion: 6.12.1
+description: Puppet automates the delivery and operation of software.
+keywords: ["puppet", "puppetserver", "automation", "iac", "infrastructure", "cm", "ci", "cd"]
+home: https://puppet.com/
+icon: https://secure.gravatar.com/avatar/fdd009b7c1ec96e088b389f773e87aec.jpg?s=80&r=g&d=mm
+sources:
+ - https://github.com/puppetlabs/pupperware/
+ - https://github.com/postgres/postgres
+ - https://github.com/bitnami/charts/tree/master/bitnami/postgresql
+maintainers:
+ - name: Xtigyro
+ email: miroslav.hadzhiev@gmail.com
+ - name: underscorgan
+ email: morgan@puppet.com
+ - name: slconley
+ email: slconley@gmail.com
+ - name: Pupperware Team
+ email: pupperware@puppet.com
+engine: gotpl
+kubeVersion: ">=1.10.0-0"
diff --git a/helm/LICENSE b/helm/LICENSE
new file mode 100644
index 0000000..29f81d8
--- /dev/null
+++ b/helm/LICENSE
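Review bot: Chart.yaml is brought in with the upstream chart's `version: 5.0.1`, `sources` and maintainer list unchanged, but nothing in the file records which upstream tag this copy under `helm/` was taken from, which appears to be the intent of this "tree moved" commit. Without that marker, later local edits to the templates cannot be distinguished from upstream content, and picking up upstream fixes (including security-relevant bumps of the puppetserver and puppetdb images recorded in the CHANGELOG.md hunk just above) becomes guesswork. A one-line comment at the top of the file would be enough, e.g. `# Vendored from puppetlabs/puppetserver-helm-chart at chart version 5.0.1 (see CHANGELOG.md); local changes must be re-applied when re-syncing`.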
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/helm/OWNERS b/helm/OWNERS
new file mode 100644
index 0000000..4f259d2
--- /dev/null
+++ b/helm/OWNERS
@@ -0,0 +1,10 @@
+approvers:
+- Miroslav Hadzhiev (Xtigyro)
+- Morgan Rhodes (underscorgan)
+- Sean Conley (slconley)
+reviewers:
+- Miroslav Hadzhiev (Xtigyro)
+- Morgan Rhodes (underscorgan)
+- Sean Conley (slconley)
+- Scott Cressi (scottcressi)
+- Ethan J. Brown (Iristyle)
diff --git a/helm/README.md b/helm/README.md
new file mode 100644
index 0000000..f6a755c
--- /dev/null
+++ b/helm/README.md
@@ -0,0 +1,331 @@
+# HELM Chart for Puppet Server
+
+## Introduction
+
+This chart bootstraps Puppet Server and its components on a Kubernetes cluster using the Helm package manager.
+
+## Prerequisites
+
+### Code Repos
+
+* You must specify your Puppet Control Repo using `puppetserver.puppeturl` variable in the `values.yaml` file or include `--set puppetserver.puppeturl=` in the command line of `helm install`. You can specify your separate Hieradata Repo as well using the `hiera.hieradataurl` variable.
+
+* You can also use private repos. Just remember to specify your credentials using `r10k.code.viaSsh.credentials.ssh.value`. You can set similar credentials for your Hieradata Repo.
+
+### Load-Balancing Puppet Server
+
+In case a Load Balancer (LB) must sit in front of Puppet Server - please keep in mind that having a Network LB (operating at OSI Layer 4) is preferable.
+
+### NGINX Ingress Controller Configuration
+
+The Ingress resource is disabled by default, but if it is enabled then ssl-passthrough must be used so that puppet agents will get the expected server certificate when connecting to the service. This feature must be enabled on the Ingress resource itself, but also must be enabled via command line argument to the NGINX Ingress Controller. More information on that can be found [here]().
+
+> **NOTE**: Ingress URLs must be passed in the `Values.puppetserver.masters.fqdns.alternateServerNames`. Also - in the `Values.puppetserver.compilers.fqdns.alternateServerNames` (if Puppet Compilers and their Ingress resources are deployed).
+
+## Migrating from Bare-Metal Puppet Infrastructure
+
+### Auto-Signing Certificate Requests
+
+In general, the easiest way to switch the Puppet Agents from using one Puppet master to another is by enabling the auto-signing of CSRs. By default, that has been pre-enabled in the Puppet Server Docker container. It can be disabled in the Values file by passing an extra environment variable: `AUTOSIGN=false` (in `.Values.puppetserver.extraEnv`).
+
+You will also need to remove the existing certificates in `/etc/puppetlabs/puppet/ssl` on each Puppet agent.
+
+### Using Pre-Generated Puppet Master Certificates
+
+If you prefer not to auto-sign or manually sign the Puppet Agents' CSRs - you can use the same Puppet master and PuppetDB certificates which you used in your bare-metal setup. Please archive into two separate files and place your certificates in the `init/puppet-certs/puppetserver` and `init/puppet-certs/puppetdb` directories and enable their usage in the Values file (`.Values.puppetserver.preGeneratedCertsJob.enabled`).
+
+> **NOTE**: For more information please check - [README.md](init/README.md). For more general knowledge on the matter you can also read the article -
+
+## Horizontal Scaling
+
+To achieve better availability and higher throughput of Puppet Infrastructure, you'll need to scale out Puppet Masters and/or Puppet Compilers.
+
+### Multiple Puppet Masters
+
+To achieve better availability of Puppet Infrastructure, you can scale out Puppet Server Masters using `.Values.puppetserver.masters.multiMasters`. These Servers are known as masters, and are responsible for the creation and signing of your Puppet Agents' certificates. They are also responsible for receiving catalog requests from agents and synchronize the results with each other.
+
+### Multiple Puppet Compilers
+
+To achieve better throughput of Puppet Infrastructure, you can enable and scale out Puppet Server Compilers using `.Values.puppetserver.compilers`. These Servers are known as compile masters, and are simply additional load-balanced Puppet Servers that receive catalog requests from agents and synchronize the results with each other.
+
+### Multiple PostgreSQL Read Replicas
+
+To achieve better throughput of Puppet Infrastructure, you can enable and scale out PostgreSQL cluster using `.Values.postgresql.replication.enabled` and `.Values.postgresql.replication.slaveReplicas`.
+
+## Chart Components
+
+* Creates three deployments: Puppet Server Master/s, and PuppetDB.
+* Creates three statefulsets (optional): Puppet Server Compiler/s, PostgreSQL Master, and PostgreSQL Read Replicas.
+* Creates seven services that expose: Puppet Server Masters, Puppet Server Compilers (optional), PuppetDB, PostgreSQL, and Puppetboard (optional).
+* Creates secrets to hold credentials for PuppetDB, PosgreSQL, and r10k.
+
+## Installing the Chart
+
+### Add Puppet Server Helm Repository
+
+Before installing Puppet Server Helm chart, you need to add the [Puppet Server Helm repository](https://puppetlabs.github.io/puppetserver-helm-chart) to your Helm client as below.
+
+```bash
+helm repo add puppet https://puppetlabs.github.io/puppetserver-helm-chart
+```
+
+### Install the Chart
+
+To install the chart with the release name `puppetserver`.
+
+```bash
+helm install --namespace puppetserver --name puppetserver puppet/puppetserver --set puppetserver.puppeturl='https://github.com/$SOMEUSER/control-repo.git'
+```
+
+> Note - If you do not specify a name, helm will select a name for you.
+
+### Installed Components
+
+You can use `kubectl get` to view all of the installed components.
+
+```console
+$ kubectl get --namespace puppetserver all
+NAME READY STATUS RESTARTS AGE
+pod/puppetserver-postgresql-master-0 1/1 Running 0 9m25s
+pod/puppetserver-postgresql-slave-0 1/1 Running 0 9m25s
+pod/puppetserver-puppetdb-fc4978b6d-z9bsx 2/2 Running 0 9m25s
+pod/puppetserver-puppetserver-compiler-0 2/2 Running 0 9m25s
+pod/puppetserver-puppetserver-master-7b59cb946-9bwv6 2/2 Running 0 9m25s
+
+NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
+service/agents-to-puppet ClusterIP 10.96.236.202 8140/TCP 9m25s
+service/puppet ClusterIP 10.96.51.23 8140/TCP 9m25s
+service/puppet-compilers ClusterIP 10.96.185.43 8140/TCP 9m25s
+service/puppet-compilers-headless ClusterIP None 443/TCP 9m25s
+service/puppetdb ClusterIP 10.96.160.91 8080/TCP,8081/TCP,80/TCP 9m25s
+service/puppetserver-postgresql ClusterIP 10.96.48.166 5432/TCP 9m25s
+service/puppetserver-postgresql-headless ClusterIP None 5432/TCP 9m25s
+service/puppetserver-postgresql-read ClusterIP 10.96.219.155 5432/TCP 9m25s
+
+NAME READY UP-TO-DATE AVAILABLE AGE
+deployment.apps/puppetserver-puppetdb 1/1 1 1 9m25s
+deployment.apps/puppetserver-puppetserver-master 1/1 1 1 9m25s
+
+NAME DESIRED CURRENT READY AGE
+replicaset.apps/puppetserver-puppetdb-fc4978b6d 1 1 1 9m25s
+replicaset.apps/puppetserver-puppetserver-master-7b59cb946 1 1 1 9m25s
+
+NAME READY AGE
+statefulset.apps/puppetserver-postgresql-master 1/1 9m25s
+statefulset.apps/puppetserver-postgresql-slave 1/1 9m25s
+statefulset.apps/puppetserver-puppetserver-compiler 1/1 9m25s
+
+NAME REFERENCE TARGETS MINPODS MAXPODS REPLICAS AGE
+horizontalpodautoscaler.autoscaling/puppetserver-compilers-autoscaler StatefulSet/puppetserver-puppetserver-compilers 33%/75%, 47%/75% 1 3 0 9m25s
+```
+
+## Configuration
+
+The following table lists the configurable parameters of the Puppetserver chart and their default values.
+
+| Parameter | Description | Default|
+| --------- | ----------- | -------|
+| `puppetserver.name` | puppetserver component label | `puppetserver`|
+| `puppetserver.image` | puppetserver image | `puppet/puppetserver`|
+| `puppetserver.tag` | puppetserver img tag | `6.12.1`|
+| `puppetserver.pullPolicy` | puppetserver img pull policy | `IfNotPresent`|
+| `puppetserver.masters.resources` | puppetserver masters resource limits | ``|
+| `puppetserver.masters.extraEnv` | puppetserver masters additional container env vars |``|
+| `puppetserver.masters.readinessProbeInitialDelay` | the initial delay for the puppetserver masters readiness probe | `180`|
+| `puppetserver.masters.readinessProbePeriodSeconds` | how often (in seconds) to perform the puppetserver masters readiness probe | `60`|
+| `puppetserver.masters.readinessProbeTimeout` | the timeout for the puppetserver masters readiness probe | `20`|
+| `puppetserver.masters.readinessProbeFailureThreshold` | the failure threshold for the puppetserver masters readiness probe | `3`|
+| `puppetserver.masters.readinessProbeSuccessThreshold` | the success threshold for the puppetserver masters readiness probe | `1`|
+| `puppetserver.masters.livenessProbeInitialDelay` | the initial delay for the puppetserver masters liveness probe | `420`|
+| `puppetserver.masters.livenessProbePeriodSeconds` | how often (in seconds) to perform the puppetserver masters liveness probe | `30`|
+| `puppetserver.masters.livenessProbeTimeout` | the timeout for the puppetserver masters liveness probe | `10`|
+| `puppetserver.masters.livenessProbeFailureThreshold` | the failure threshold for the puppetserver masters liveness probe | `3`|
+| `puppetserver.masters.livenessProbeSuccessThreshold` | the success threshold for the puppetserver masters liveness probe | `1`|
+| `puppetserver.masters.fqdns.alternateServerNames` | puppetserver masters alternate fqdns |``|
+| `puppetserver.masters.service.type` | puppetserver masters svc type | `ClusterIP`|
+| `puppetserver.masters.service.ports` | puppetserver masters svc exposed ports | `puppetserver`|
+| `puppetserver.masters.service.annotations`| puppetserver masters svc annotations |``|
+| `puppetserver.masters.service.labels`| puppetserver additional masters svc labels |``|
+| `puppetserver.masters.service.loadBalancerIP`| puppetserver masters svc loadbalancer ip |``|
+| `puppetserver.masters.ingress.enabled`| puppetserver masters ingress creation enabled |`false`|
+| `puppetserver.masters.ingress.annotations`| puppetserver masters ingress annotations |``|
+| `puppetserver.masters.ingress.extraLabels`| puppetserver masters ingress extraLabels |``|
+| `puppetserver.masters.ingress.hosts`| puppetserver masters ingress hostnames |``|
+| `puppetserver.masters.ingress.tls`| puppetserver masters ingress tls configuration |``|
+| `puppetserver.masters.multiMasters.enabled` | If true, creates multiple Puppetserver masters | `false`|
+| `puppetserver.masters.multiMasters.manualScaling.masters` | If multiple masters are enabled, this field sets masters count | `1`|
+| `puppetserver.masters.multiMasters.autoScaling.enabled` | If true, creates masters Horizontal Pod Autoscaler | `false`|
+| `puppetserver.masters.multiMasters.autoScaling.minMasters` | If masters autoscaling enabled, this field sets minimum masters count | `1`|
+| `puppetserver.masters.multiMasters.autoScaling.maxMasters` | If masters autoscaling enabled, this field sets maximum masters count | `3`|
+| `puppetserver.masters.multiMasters.autoScaling.cpuUtilizationPercentage` | Target masters CPU utilization percentage to scale | `75`|
+| `puppetserver.masters.multiMasters.autoScaling.memoryUtilizationPercentage` | Target masters memory utilization percentage to scale | `75`|
+| `puppetserver.compilers.enabled` | If true, creates Puppetserver compilers | `false`|
+| `puppetserver.compilers.resources` | puppetserver compilers resource limits |``|
+| `puppetserver.compilers.podAntiAffinity` | puppetserver compilers pod affinity constraints |`false`|
+| `puppetserver.compilers.annotations`| puppetserver compilers statefulset annotations |``|
+| `puppetserver.compilers.extraEnv` | puppetserver compilers additional container env vars |``|
+| `puppetserver.compilers.readinessProbeInitialDelay` | the initial delay for the puppetserver masters readiness probe | `180`|
+| `puppetserver.compilers.readinessProbePeriodSeconds` | how often (in seconds) to perform the puppetserver masters readiness probe | `60`|
+| `puppetserver.compilers.readinessProbeTimeout` | the timeout for the puppetserver masters readiness probe | `20`|
+| `puppetserver.compilers.readinessProbeFailureThreshold` | the failure threshold for the puppetserver masters readiness probe | `3`|
+| `puppetserver.compilers.readinessProbeSuccessThreshold` | the success threshold for the puppetserver masters readiness probe | `1`|
+| `puppetserver.compilers.livenessProbeInitialDelay` | the initial delay for the puppetserver masters liveness probe | `420`|
+| `puppetserver.compilers.livenessProbePeriodSeconds` | how often (in seconds) to perform the puppetserver masters liveness probe | `30`|
+| `puppetserver.compilers.livenessProbeTimeout` | the timeout for the puppetserver masters liveness probe | `10`|
+| `puppetserver.compilers.livenessProbeFailureThreshold` | the failure threshold for the puppetserver masters liveness probe | `3`|
+| `puppetserver.compilers.livenessProbeSuccessThreshold` | the success threshold for the puppetserver masters liveness probe | `1`|
+| `puppetserver.compilers.manualScaling.compilers` | If multiple compilers are enabled, this field sets compiler count | `1`|
+| `puppetserver.compilers.autoScaling.enabled` | If true, creates compilers Horizontal Pod Autoscaler | `false`|
+| `puppetserver.compilers.autoScaling.minCompilers` | If autoscaling enabled, this field sets minimum compiler count | `1`|
+| `puppetserver.compilers.autoScaling.maxCompilers` | If compilers autoscaling enabled, this field sets maximum compiler count | `3`|
+| `puppetserver.compilers.autoScaling.cpuUtilizationPercentage` | Target compilers CPU utilization percentage to scale | `75`|
+| `puppetserver.compilers.autoScaling.memoryUtilizationPercentage` | Target compilers memory utilization percentage to scale | `75`|
+| `puppetserver.compilers.podManagementPolicy` | puppetserver compilers statefulset pod management policy | `OrderedReady`|
+| `puppetserver.compilers.fqdns.alternateServerNames` | puppetserver compilers alternate fqdns |``|
+| `puppetserver.compilers.service.type` | puppetserver compilers svc type | `ClusterIP`|
+| `puppetserver.compilers.service.ports` | puppetserver compilers svc exposed ports | `puppetserver`|
+| `puppetserver.compilers.service.annotations`| puppetserver compilers svc annotations |``|
+| `puppetserver.compilers.service.labels`| puppetserver compilers additional svc labels |``|
+| `puppetserver.compilers.service.loadBalancerIP`| puppetserver compilers svc loadbalancer ip |``|
+| `puppetserver.compilers.service.headless.ports`| puppetserver compilers headless svc loadbalancer ip |`https`|
+| `puppetserver.compilers.service.headless.annotations`| puppetserver compilers headless svc annotations |``|
+| `puppetserver.compilers.service.headless.labels`| puppetserver compilers additional headless svc labels |``|
+| `puppetserver.compilers.ingress.enabled`| puppetserver compilers ingress creation enabled |`false`|
+| `puppetserver.compilers.ingress.annotations`| puppetserver compilers ingress annotations |``|
+| `puppetserver.compilers.ingress.extraLabels`| puppetserver compilers ingress extraLabels |``|
+| `puppetserver.compilers.ingress.hosts`| puppetserver compilers ingress hostnames |``|
+| `puppetserver.compilers.ingress.tls`| puppetserver compilers ingress tls configuration |``|
+| `puppetserver.preGeneratedCertsJob.enabled` | puppetserver pre-generated certs |`false`|
+| `puppetserver.preGeneratedCertsJob.jobDeadline` | puppetserver pre-generated certs job deadline in seconds |`60`|
+| `puppetserver.puppeturl`| puppetserver control repo url |``|
+| `r10k.name` | r10k component label | `r10k`|
+| `r10k.image` | r10k img | `puppet/r10k`|
+| `r10k.tag` | r10k img tag | `3.5.1`|
+| `r10k.pullPolicy` | r10k img pull policy | `IfNotPresent`|
+| `r10k.code.resources` | r10k control repo resource limits |``|
+| `r10k.code.cronJob.schedule` | r10k control repo cron job schedule policy | `*/15 * * * *`|
+| `r10k.code.extraArgs` | r10k control repo additional container env args |``|
+| `r10k.code.extraEnv` | r10k control repo additional container env vars |``|
+| `r10k.code.viaSsh.credentials.ssh.value`| r10k control repo ssh key file |``|
+| `r10k.code.viaSsh.credentials.known_hosts.value`| r10k control repo ssh known hosts file |``|
+| `r10k.code.viaSsh.credentials.existingSecret`| r10k control repo ssh secret that holds ssh key and known hosts files |``|
+| `r10k.hiera.resources` | r10k hiera data resource limits |``|
+| `r10k.hiera.cronJob.schedule` | r10k hiera data cron job schedule policy | `*/2 * * * *`|
+| `r10k.hiera.extraArgs` | r10k hiera data additional container env args |``|
+| `r10k.hiera.extraEnv` | r10k hiera data additional container env vars |``|
+| `r10k.hiera.viaSsh.credentials.ssh.value`| r10k hiera data ssh key file |``|
+| `r10k.hiera.viaSsh.credentials.known_hosts.value`| r10k hiera data ssh known hosts file |``|
+| `r10k.hiera.viaSsh.credentials.existingSecret`| r10k hiera data ssh secret that holds ssh key and known hosts files |``|
+| `postgresql.enabled` | postgres deployment as puppetdb backend | `true`|
+| `postgresql.name` | postgres component label | `postgresql`|
+| `postgresql.resources` | postgres resource limits |``|
+| `postgresql.postgresqlDatabase` | postgres database name |`puppetdb`|
+| `postgresql.initdbUser` | postgres username to run initdb scripts at first boot |`postgres`|
+| `postgresql.initdbScriptsConfigMap` | postgres initdb scripts run at first boot |`postgresql-custom-extensions`|
+| `postgresql.persistence.enabled` | postgres database persistence |`true`|
+| `postgresql.persistence.existingClaim` | postgres manually managed pvc |``|
+| `postgresql.persistence.size` | postgres persistence pvc size |`10Gi`|
+| `postgresql.persistence.annotations` | postgres persistence resource policy via annotations |`keep`|
+| `postgresql.replication.enabled` | postgres replication availability |`false`|
+| `postgresql.replication.slaveReplicas` | postgres replication slave replicas |`1`|
+| `puppetdb.name` | puppetdb component label | `puppetdb`|
+| `puppetdb.image` | puppetdb img | `puppet/puppetdb`|
+| `puppetdb.tag` | puppetdb img tag | `6.12.0`|
+| `puppetdb.pullPolicy` | puppetdb img pull policy | `IfNotPresent`|
+| `puppetdb.resources` | puppetdb resource limits |``|
+| `puppetdb.extraEnv` | puppetdb additional container env vars |``|
+| `puppetboard.enabled` | puppetboard availability | `false`|
+| `puppetboard.name` | puppetboard component label | `puppetboard`|
+| `puppetboard.image` | puppetboard img | `xtigyro/puppetboard`|
+| `puppetboard.tag` | puppetboard img tag | `2.1.2`|
+| `puppetboard.pullPolicy` | puppetboard img pull policy | `IfNotPresent`|
+| `puppetboard.resources` | puppetboard resource limits |``|
+| `puppetboard.extraEnv` | puppetboard additional container env vars |``|
+| `puppetboard.ingress.enabled`| puppetboard ingress creation enabled |`false`|
+| `puppetboard.ingress.annotations`| puppetboard ingress annotations |``|
+| `puppetboard.ingress.extraLabels`| puppetboard ingress extraLabels |``|
+| `puppetboard.ingress.hosts`| puppetboard ingress hostnames |``|
+| `puppetboard.ingress.tls`| puppetboard ingress tls configuration |``|
+| `hiera.name` | hiera component label | `hiera`|
+| `hiera.hieradataurl`| hieradata repo url |``|
+| `hiera.config`| hieradata yaml config |``|
+| `hiera.eyaml.private_key`| hiera eyaml private key |``|
+| `hiera.eyaml.public_key`| hiera eyaml public key |``|
+| `global.credentials.username`| puppetdb and postgresql username |`puppetdb`|
+| `global.credentials.password`| puppetdb and postgresql password |`unbreakablePassword`|
+| `global.credentials.existingSecret`| existing k8s secret that holds puppetdb and postgresql username and password |``|
+| `nameOverride`| puppetserver components name for `component:` labels |``|
+| `nodeSelector`| Node labels for pod assignment |``|
+| `affinity`| Affinity for pod assignment |``|
+| `tolerations`| Tolerations for pod assignment |``|
+| `priorityClass`| Leverage a priorityClass to ensure your pods survive resource shortages |``|
+| `podAnnotations`| Extra Pod annotations |``|
+| `storage.storageClass`| Storage Class |``|
+| `storage.annotations`| Storage annotations |``|
+| `storage.size`| PVCs Storage Size |`400Mi`|
+
+Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
+
+```bash
+helm install --namespace puppetserver --name puppetserver puppet/puppetserver --set puppetserver.puppeturl='https://github.com/$SOMEUSER/puppet.git',hiera.hieradataurl='https://github.com/$SOMEUSER/hieradata.git'
+```
+
+Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,
+
+```bash
+helm install --namespace puppetserver --name puppetserver puppet/puppetserver -f values.yaml
+```
+
+> **Tip**: You can use the default [values.yaml](values.yaml)
+
+## Testing the Deployed Chart Resources
+
+```bash
+kubectl port-forward -n puppetserver svc/agents-to-puppet 8140:8140 &
+kubectl port-forward -n puppetserver svc/puppet-compilers 8141:8140 &
+
+TIME_NOW="$(date +"%Y%m%dT%H%M")"
+cp "/etc/hosts"{,.backup_"$TIME_NOW"}
+echo '127.0.0.1 puppet agents-to-puppet puppet-compilers' >> /etc/hosts
+# if Ingress is used, e.g.
+# INGRESS_IP="$(kubectl -n puppetserver get ingress | grep '\-masters' | tr -s " " | cut -d' ' -f4 | cut -d',' -f1)"
+# echo "$INGRESS_IP" puppet.local.masters puppet.local.compilers >> /etc/hosts
+
+docker run -dit --network host --name goofy_xtigyro --entrypoint /bin/bash puppet/puppet-agent
+docker exec -it goofy_xtigyro bash
+puppet agent -t --server puppet --masterport 8140 --waitforcert 15 --summarize --certname ubuntu-goofy_xtigyro
+puppet agent -t --server puppet-compilers --ca_server agents-to-puppet --masterport 8141 --ca_port 8140 --summarize --certname ubuntu-goofy_xtigyro
+# if Ingress is used, e.g.
+# puppet agent -t --server puppet.local.compilers --ca_server puppet.local.masters --masterport 443 --ca_port 443 --summarize --certname ubuntu-goofy_xtigyro
+puppet agent -t --server puppet-compilers --masterport 8141 --summarize --certname ubuntu-goofy_xtigyro
+exit
+docker rm -f goofy_xtigyro
+
+docker run -dit --network host --name buggy_xtigyro --entrypoint /bin/bash puppet/puppet-agent
+docker exec -it buggy_xtigyro bash
+puppet agent -t --server puppet-compilers --ca_server agents-to-puppet --masterport 8141 --ca_port 8140 --summarize --certname ubuntu-buggy_xtigyro
+puppet agent -t --server puppet-compilers --masterport 8141 --summarize --certname ubuntu-buggy_xtigyro
+# if Ingress is used, e.g.
+# puppet agent -t --server puppet.local.compilers --ca_server puppet.local.masters --masterport 443 --ca_port 443 --summarize --certname ubuntu-buggy_xtigyro
+puppet agent -t --server puppet --masterport 8140 --waitforcert 15 --summarize --certname ubuntu-buggy_xtigyro
+exit
+docker rm -f buggy_xtigyro
+
+yes | mv "/etc/hosts.backup_"$TIME_NOW"" "/etc/hosts"
+unset TIME_NOW
+
+jobs | grep 'port-forward' | grep 'puppetserver'
+# [1]+ Running kubectl port-forward -n puppetserver svc/puppet 8140:8140 &
+kill %[job_numbers_above]
+```
+
+## Credits
+
+* [Miroslav Hadzhiev](https://www.linkedin.com/in/mehadzhiev/), Lead Author and Owner
+* [Pupperware Team](mailto:pupperware@puppet.com), Co-Author and Owner
+* [Morgan Rhodes](mailto:morgan@puppet.com), Maintainer
+* [Sean Conley](https://www.linkedin.com/in/seanconley/), Maintainer
+* [Scott Cressi](https://www.linkedin.com/in/scottcressi/), Co-Author
+* [Kai Sisterhenn](https://www.sistason.de/), Contributor
+* [chwehrli](https://github.com/chwehrli), Contributor
+* [Niels Højen](https://github.com/nielshojen), Contributor
diff --git a/helm/init/README.md b/helm/init/README.md
new file mode 100644
index 0000000..ed486ef
--- /dev/null
+++ b/helm/init/README.md
@@ -0,0 +1,45 @@
+# How-To Instruction for Using Your Pre-Generated Puppet Certs
+
+Please archive the contents of your `/etc/puppetlabs/puppet/ssl/*` of your bare-metal Puppet Server master and `/opt/puppetlabs/server/data/puppetdb/certs/*` of your bare-metal PuppetDB instance into two separate `.gz` files and place them respectively into the `puppet-certs/puppetserver` and `puppet-certs/puppetdb` directories.
+
+> **NOTE**: Please keep only your archive files in each `puppet-certs/` subdir.
+
+The content of the two archives should be very similar to:
+
+```console
+root@puppet:/# ll /etc/puppetlabs/puppet/ssl/
+total 36
+drwxr-x--- 4 puppet puppet 4096 Nov 26 20:21 ca/
+drwxr-xr-x 2 puppet puppet 4096 Nov 26 20:21 certificate_requests/
+drwxr-xr-x 2 puppet puppet 4096 Nov 26 20:21 certs/
+-rw-r----- 1 puppet puppet 950 Nov 26 20:21 crl.pem
+drwxr-x--- 2 puppet puppet 4096 Nov 26 20:21 private/
+drwxr-x--- 2 puppet puppet 4096 Nov 26 20:21 private_keys/
+drwxr-xr-x 2 puppet puppet 4096 Nov 26 20:21 public_keys/
+
+root@puppetdb:/opt/puppetlabs/server/data/puppetdb/certs# ls -l
+total 20
+drwxr-xr-x 2 puppetdb puppetdb 4096 Dec 5 21:49 certificate_requests
+drwx------ 2 puppetdb puppetdb 4096 Dec 5 22:36 certs
+-rw-r--r-- 1 puppetdb puppetdb 950 Dec 5 21:49 crl.pem
+drwx------ 2 puppetdb puppetdb 4096 Dec 5 22:36 private_keys
+drwxr-xr-x 2 puppetdb puppetdb 4096 Dec 5 21:49 public_keys
+```
+
+The content of the `init/puppet-certs/puppetserver` and `init/puppet-certs/puppetdb` chart's dirs should be similar to:
+
+```console
+/repos/xtigyro/puppetserver-helm-chart # ll init/puppet-certs/puppetserver/
+total 24
+drwxrws--- 2 xtigyro-samba sambashare 4096 Dec 5 22:00 ./
+drwxrws--- 4 xtigyro-samba sambashare 4096 Dec 5 21:45 ../
+-rw-rw---- 1 xtigyro-samba sambashare 71 Dec 5 21:45 .gitignore
+-rw-r--r-- 1 xtigyro-samba sambashare 10013 Dec 5 22:00 puppetserver-certs.gz
+
+/repos/xtigyro/puppetserver-helm-chart # ll init/puppet-certs/puppetdb/
+total 24
+drwxrws--- 2 xtigyro-samba sambashare 4096 Dec 5 22:00 ./
+drwxrws--- 4 xtigyro-samba sambashare 4096 Dec 5 21:45 ../
+-rw-rw---- 1 xtigyro-samba sambashare 71 Dec 5 21:45 .gitignore
+-rw-r--r-- 1 xtigyro-samba sambashare 10158 Dec 5 22:00 puppetdb-certs.gz
+```
diff --git a/helm/requirements.yaml b/helm/requirements.yaml
new file mode 100644
index 0000000..00c75d1
--- /dev/null
+++ b/helm/requirements.yaml
@@ -0,0 +1,6 @@
+dependencies:
+
+ - name: postgresql
+ version: "9.4.*"
+ repository: https://charts.bitnami.com/bitnami
+ condition: postgresql.enabled
diff --git a/helm/templates/NOTES.txt b/helm/templates/NOTES.txt
new file mode 100644
index 0000000..dd202a1
--- /dev/null
+++ b/helm/templates/NOTES.txt
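Review bot: The postgresql subchart is declared with a floating constraint, `version: "9.4.*"`, so each `helm dependency update` may resolve a different 9.4.x release from the Bitnami repository and two installs of the same chart revision can ship different PostgreSQL packaging; the diffstat of this commit lists no `requirements.lock`, so nothing records which release was actually resolved and tested. Pinning the exact tested release, e.g. `version: "<exact-9.4.x-release>"` (placeholder), and committing the generated `requirements.lock` makes the dependency reproducible and auditable. The blank line between `dependencies:` and the list entry is valid YAML but reads as a leftover.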
@@ -0,0 +1,25 @@
+Puppet Server has been installed/upgraded.
+
+Release Name: "{{ template "puppetserver.fullname" . }}"
+{{- if .Values.puppetserver.compilers.enabled }}
+Masters Service Name: "{{ template "puppetserver.puppetserver.agents-to-masters.serviceName" . }}"
+{{- else }}
+Masters Service Name: "{{ template "puppetserver.puppetserver-masters.serviceName" . }}"
+{{- end }}
+Masters Service Type: "{{.Values.puppetserver.masters.service.type}}"
+Masters Service Port: "{{.Values.puppetserver.masters.service.ports.puppetserver.port}}"
+Masters Ingress Enabled: "{{.Values.puppetserver.masters.ingress.enabled}}"
+{{- if .Values.puppetserver.compilers.enabled }}
+Compilers Service Name: "{{ template "puppetserver.puppetserver-compilers.serviceName" . }}"
+Compilers Service Type: "{{.Values.puppetserver.compilers.service.type}}"
+Compilers Service Port: "{{.Values.puppetserver.compilers.service.ports.puppetserver.port}}"
+Compilers Headless Service Port: "{{.Values.puppetserver.compilers.service.headless.ports.https.port}}"
+Compilers Ingress Enabled: "{{.Values.puppetserver.compilers.ingress.enabled}}"
+{{- end }}
+Control Repo: "{{.Values.puppetserver.puppeturl}}"
+{{- if .Values.hiera.hieradataurl }}
+Hieradata Repo: "{{.Values.hiera.hieradataurl}}"
+{{- end }}
+
+If you need to get your password for PuppetDB and PostgreSQL:
+$ printf $(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "puppetdb.secret" . }} -o jsonpath="{.data.password}" | base64 --decode);echo
diff --git a/helm/templates/_helpers.tpl b/helm/templates/_helpers.tpl
new file mode 100644
index 0000000..c6e75b3
--- /dev/null
+++ b/helm/templates/_helpers.tpl
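Review bot: The password hint on the last line hands the decoded secret to `printf` as its format string, unquoted, so a password containing `%` or `\` is mangled and one containing whitespace or glob characters is word-split before it is printed; writing the decoded bytes straight to the terminal avoids both: `$ kubectl get secret --namespace {{ .Release.Namespace }} {{ template "puppetdb.secret" . }} -o jsonpath="{.data.password}" | base64 --decode; echo`. The README added in this commit documents the default `global.credentials.password` as `unbreakablePassword`; since NOTES.txt is shown on every install, it is the natural place to warn when that default is still in effect, e.g. wrapping a one-line advisory to set a password or `global.credentials.existingSecret` in `{{- if and (not .Values.global.credentials.existingSecret) (eq .Values.global.credentials.password "unbreakablePassword") }}`. The `puppetdb.secret` and `puppetserver.puppetserver.agents-to-masters.serviceName` helpers referenced here are presumably defined in `_helpers.tpl`, whose hunk in this commit runs beyond what is visible, so I could not confirm them.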
@@ -0,0 +1,328 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "puppetserver.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 29 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "puppetserver.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 52 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "puppetserver.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 29 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- printf .Release.Name | trunc 29 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 29 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create the args array for "r10k_code_cronjob.sh" +*/}} +{{- define "r10k.code.args" -}} +{{- join " " .Values.r10k.code.extraArgs }} +{{- end -}} + +{{/* +Create the args array for "r10k_hiera_cronjob.sh" +*/}} +{{- define "r10k.hiera.args" -}} +{{- join " " .Values.r10k.hiera.extraArgs }} +{{- end -}} + +{{/* +Create unified labels for Puppetserver components +*/}} +{{- define "puppetserver.common.matchLabels" -}} +app: {{ template "puppetserver.name" . }} +release: {{ .Release.Name }} +{{- end -}} + +{{- define "puppetserver.common.metaLabels" -}} +chart: {{ template "puppetserver.chart" . }} +heritage: {{ .Release.Service }} +{{- end -}} + +{{- define "puppetserver.puppet.labels" -}} +{{ include "puppetserver.common.matchLabels" . }} +{{ include "puppetserver.common.metaLabels" . 
}} +{{- end -}} + +{{- define "puppetserver.hiera.labels" -}} +{{ include "puppetserver.hiera.matchLabels" . }} +{{ include "puppetserver.common.metaLabels" . }} +{{- end -}} + +{{- define "puppetserver.hiera.matchLabels" -}} +component: {{ .Values.hiera.name | quote }} +{{ include "puppetserver.common.matchLabels" . }} +{{- end -}} + +{{- define "puppetserver.r10k.labels" -}} +{{ include "puppetserver.r10k.matchLabels" . }} +{{ include "puppetserver.common.metaLabels" . }} +{{- end -}} + +{{- define "puppetserver.r10k.matchLabels" -}} +component: {{ .Values.r10k.name | quote }} +{{ include "puppetserver.common.matchLabels" . }} +{{- end -}} + +{{- define "puppetserver.postgresql.labels" -}} +{{ include "puppetserver.postgresql.matchLabels" . }} +{{ include "puppetserver.common.metaLabels" . }} +{{- end -}} + +{{- define "puppetserver.postgresql.matchLabels" -}} +component: {{ .Values.postgresql.name | quote }} +{{ include "puppetserver.common.matchLabels" . }} +{{- end -}} + +{{- define "puppetserver.puppetdb.labels" -}} +{{ include "puppetserver.puppetdb.matchLabels" . }} +{{ include "puppetserver.common.metaLabels" . }} +{{- end -}} + +{{- define "puppetserver.puppetdb.matchLabels" -}} +component: {{ .Values.puppetdb.name | quote }} +{{ include "puppetserver.common.matchLabels" . }} +{{- end -}} + +{{- define "puppetserver.puppetboard.labels" -}} +{{ include "puppetserver.puppetboard.matchLabels" . }} +{{ include "puppetserver.common.metaLabels" . }} +{{- end -}} + +{{- define "puppetserver.puppetboard.matchLabels" -}} +component: {{ .Values.puppetboard.name | quote }} +{{ include "puppetserver.common.matchLabels" . }} +{{- end -}} + +{{- define "puppetserver.puppetserver.labels" -}} +{{ include "puppetserver.puppetserver.matchLabels" . }} +{{ include "puppetserver.common.metaLabels" . }} +{{- end -}} + +{{- define "puppetserver.puppetserver.matchLabels" -}} +component: {{ .Values.puppetserver.name | quote }} +{{ include "puppetserver.common.matchLabels" . 
}} +{{- end -}} + +{{- define "puppetserver.puppetserver-compilers.labels" -}} +{{ include "puppetserver.puppetserver-compilers.matchLabels" . }} +{{ include "puppetserver.common.metaLabels" . }} +{{- end -}} + +{{- define "puppetserver.puppetserver-compilers.matchLabels" -}} +component: "{{ .Values.puppetserver.name }}-compilers" +{{ include "puppetserver.common.matchLabels" . }} +{{- end -}} + +{{- define "puppetserver.puppetserver-data.labels" -}} +{{ include "puppetserver.puppetserver-data.matchLabels" . }} +{{ include "puppetserver.common.metaLabels" . }} +{{- end -}} + +{{- define "puppetserver.puppetserver-data.matchLabels" -}} +component: "{{ .Values.puppetserver.name }}-serverdata" +{{ include "puppetserver.common.matchLabels" . }} +{{- end -}} + +{{/* +Set mandatory Puppet Server Masters' Service name. +*/}} +{{- define "puppetserver.puppetserver-masters.serviceName" -}} +puppet +{{- end -}} + +{{/* +Set secondary Puppet Server Masters' Service name for Puppet Agents. +*/}} +{{- define "puppetserver.puppetserver.agents-to-masters.serviceName" -}} +agents-to-puppet +{{- end -}} + +{{/* +Set mandatory Puppet Server Compilers' Service name. +*/}} +{{- define "puppetserver.puppetserver-compilers.serviceName" -}} +puppet-compilers +{{- end -}} + +{{/* +Puppet Masters' port. +*/}} +{{- define "puppetserver.puppetserver-masters.port" -}} +{{- if .Values.puppetserver.masters.service.ports.puppetserver.port -}} +{{- .Values.puppetserver.masters.service.ports.puppetserver.port -}} +{{- else -}} +8140 +{{- end -}} +{{- end -}} + +{{/* +Puppet Compilers' port. +*/}} +{{- define "puppetserver.puppetserver-compilers.port" -}} +{{- if .Values.puppetserver.compilers.service.ports.puppetserver.port -}} +{{- .Values.puppetserver.compilers.service.ports.puppetserver.port -}} +{{- else -}} +8140 +{{- end -}} +{{- end -}} + +{{/* +Set's the affinity for pod placement +when running with multiple Puppet compilers. 
+*/}} +{{- define "puppetserver.compilers.affinity" -}} + {{- if (or (.Values.affinity) (and (.Values.puppetserver.compilers.enabled) (.Values.puppetserver.compilers.podAntiAffinity))) }} + affinity: + {{- if (.Values.affinity) }} + {{- toYaml .Values.affinity | nindent 8 }} + {{- end }} + {{- if (.Values.puppetserver.compilers.podAntiAffinity) }} + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + {{- include "puppetserver.puppetserver-compilers.matchLabels" . | nindent 18 }} + topologyKey: kubernetes.io/hostname + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Calculates the max. number of compilers +*/}} +{{- define "puppetserver.compilers.maxNo" -}} +{{- if not (.Values.puppetserver.compilers.autoScaling.enabled) -}} +{{- .Values.puppetserver.compilers.manualScaling.compilers -}} +{{- else -}} +{{- .Values.puppetserver.compilers.autoScaling.maxCompilers -}} +{{- end -}} +{{- end -}} + +{{- define "puppetserver.compilers.hostnames" -}} + {{- $dot := . 
-}} + {{- range $compilersLoopCount, $e := until ((include "puppetserver.compilers.maxNo" $dot) | int) -}} + {{- printf "%s-puppetserver-compiler-%d" (include "puppetserver.name" $dot) $compilersLoopCount -}} + {{- if lt $compilersLoopCount ( sub ((include "puppetserver.compilers.maxNo" $dot) | int) 1 ) -}} + {{- printf "," -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{/* +Return PostgreSQL username +*/}} +{{- define "postgresql.username" -}} +{{- if .Values.global.credentials.username }} + {{- .Values.global.credentials.username -}} +{{- else -}} + {{- .Values.postgresqlUsername -}} +{{- end -}} +{{- end -}} + +{{/* +Return PuppetDB and PostgreSQL password +*/}} +{{- define "postgresql.password" -}} +{{- if .Values.global.credentials.password }} + {{- .Values.global.credentials.password -}} +{{- else if .Values.postgresqlPassword -}} + {{- .Values.postgresqlPassword -}} +{{- else -}} + unbreakablePassword +{{- end -}} +{{- end -}} + +{{/* +Return PuppetDB and PostgreSQL password +*/}} +{{- define "postgresql.postgres.password" -}} +{{- if .Values.global.credentials.password }} + {{- .Values.global.credentials.password -}} +{{- else if .Values.postgresqlPostgresPassword -}} + {{- .Values.postgresqlPostgresPassword -}} +{{- else -}} + unbreakablePassword +{{- end -}} +{{- end -}} + +{{/* +Create the name for the PuppetDB password secret. +*/}} +{{- define "puppetdb.secret" -}} +{{- if .Values.global.credentials.existingSecret -}} + {{- .Values.global.credentials.existingSecret -}} +{{- else -}} + puppetdb-secret +{{- end -}} +{{- end -}} + +{{/* +Create the name for the r10k.code secret. +*/}} +{{- define "r10k.code.secret" -}} +{{- if .Values.r10k.code.viaSsh.credentials.existingSecret -}} + {{- .Values.r10k.code.viaSsh.credentials.existingSecret -}} +{{- else -}} + r10k-code-creds +{{- end -}} +{{- end -}} + +{{/* +Create the name for the r10k.hiera secret. 
+*/}} +{{- define "r10k.hiera.secret" -}} +{{- if .Values.r10k.hiera.viaSsh.credentials.existingSecret -}} + {{- .Values.r10k.hiera.viaSsh.credentials.existingSecret -}} +{{- else -}} + r10k-hiera-creds +{{- end -}} +{{- end -}} + +{{/* ************************************************************************************* +The following definitions were more complex and necessary during part of this development. +Now they are essentially just stubs but left here in case they might be needed again soon. +************************************************************************************* */}} + +{{/* +Create the name for the hiera eyaml key configMap (private/public keys combined). +*/}} +{{- define "puppetserver.hiera.existingMap" -}} +{{- if .Values.hiera.eyaml.existingMap -}} + {{- .Values.hiera.eyaml.existingMap -}} +{{- end -}} +{{- end -}} + +{{/* +Create the name for the hiera eyaml private key configMap. +*/}} +{{- define "puppetserver.hiera.privateMap" -}} + eyamlpriv-config +{{- end -}} + +{{/* +Create the name for the hiera eyaml public cert configMap. +*/}} +{{- define "puppetserver.hiera.publicMap" -}} + eyamlpub-config +{{- end -}} diff --git a/helm/templates/hiera-configmap.yaml b/helm/templates/hiera-configmap.yaml new file mode 100644 index 0000000..3f2c4fb --- /dev/null +++ b/helm/templates/hiera-configmap.yaml @@ -0,0 +1,11 @@ +{{- if .Values.hiera.config }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: hiera-config + labels: + {{- include "puppetserver.hiera.labels" . | nindent 4 }} +data: + hiera.yaml: |- + {{ .Values.hiera.config | nindent 4 }} +{{- end }} diff --git a/helm/templates/postgresql-configmap.yaml b/helm/templates/postgresql-configmap.yaml new file mode 100644 index 0000000..4aab0f3 --- /dev/null +++ b/helm/templates/postgresql-configmap.yaml 
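Review bot: `postgresql.password` and `postgresql.postgres.password` fall back to the literal `unbreakablePassword` when neither `global.credentials.password` nor `postgresqlPassword`/`postgresqlPostgresPassword` is set, and `puppetdb-secret.yaml` in this commit writes that value into the Secret, so an unconfigured install ships a known default database credential. Replace the final `else` branch in both helpers with a hard failure, `{{- fail "global.credentials.password or postgresqlPassword must be set" -}}`, so rendering stops instead of defaulting. Generating a value with `randAlphaNum` is not a good substitute here because it would produce a new password on every `helm upgrade` while PostgreSQL keeps the old one in its data volume. The `postgresql.username` helper just above has no such built-in default; the two password helpers should match it.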
@@ -0,0 +1,12 @@ +{{- if .Values.postgresql.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: postgresql-custom-extensions + labels: + {{- include "puppetserver.postgresql.labels" . | nindent 4 }} +data: + extensions.sql: | + CREATE EXTENSION IF NOT EXISTS pg_trgm; + CREATE EXTENSION IF NOT EXISTS pgcrypto; +{{- end }} diff --git a/helm/templates/private_key.pkcs7.pem.yaml b/helm/templates/private_key.pkcs7.pem.yaml new file mode 100644 index 0000000..be08be1 --- /dev/null +++ b/helm/templates/private_key.pkcs7.pem.yaml @@ -0,0 +1,11 @@ +{{- if and (.Values.hiera.eyaml.private_key) (not .Values.r10k.hiera.viaSsh.credentials.existingSecret) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: eyamlpriv-config + labels: + {{- include "puppetserver.hiera.labels" . | nindent 4 }} +data: + private_key.pkcs7.pem: |- + {{ .Values.hiera.eyaml.private_key | nindent 4 }} +{{- end }} diff --git a/helm/templates/public_key.pkcs7.pem.yaml b/helm/templates/public_key.pkcs7.pem.yaml new file mode 100644 index 0000000..810ec91 --- /dev/null +++ b/helm/templates/public_key.pkcs7.pem.yaml @@ -0,0 +1,11 @@ +{{- if and (.Values.hiera.eyaml.public_key) (not .Values.r10k.hiera.viaSsh.credentials.existingSecret) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: eyamlpub-config + labels: + {{- include "puppetserver.hiera.labels" . | nindent 4 }} +data: + public_key.pkcs7.pem: |- + {{ .Values.hiera.eyaml.public_key | nindent 4 }} +{{- end }} diff --git a/helm/templates/puppet-preInstall.job.yaml b/helm/templates/puppet-preInstall.job.yaml new file mode 100644 index 0000000..b1fa628 --- /dev/null +++ b/helm/templates/puppet-preInstall.job.yaml 
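Review bot: This stores the hiera-eyaml private key (`private_key.pkcs7.pem`) in a ConfigMap, which Kubernetes does not treat as sensitive: it is readable by anyone with `get configmaps` in the namespace, shows up in `kubectl describe`, and cluster encryption-at-rest is usually configured only for Secrets. Make it `kind: Secret` with `type: Opaque` and `stringData:` (or `data:` with `b64enc`), and mount that in the masters deployment in place of the `eyamlpriv-config` ConfigMap. Separately, the guard `(not .Values.r10k.hiera.viaSsh.credentials.existingSecret)` looks copied from the r10k templates: the masters deployment decides whether to mount `eyamlpriv-volume` on `(not .Values.hiera.eyaml.existingMap)`, so with an r10k SSH existing secret set and no eyaml `existingMap` the pod references a ConfigMap this template never creates. The `public_key.pkcs7.pem.yaml` hunk uses the same condition and should change with it.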
@@ -0,0 +1,61 @@ +{{- if .Values.puppetserver.preGeneratedCertsJob.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: "{{ template "puppetserver.name" . }}-puppet-preinstall" + labels: + {{- include "puppetserver.puppet.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-weight": "2" + "helm.sh/hook-delete-policy": "hook-succeeded,hook-failed" +spec: + activeDeadlineSeconds: {{.Values.puppetserver.preGeneratedCertsJob.jobDeadline}} + template: + metadata: + name: "{{ template "puppetserver.name" . }}-preinstall" + labels: + {{- include "puppetserver.puppet.labels" . | nindent 8 }} + spec: + restartPolicy: Never + containers: + - name: copy-ro-puppetserver-certs + image: "{{.Values.puppetserver.image}}:{{.Values.puppetserver.tag}}" + imagePullPolicy: "{{.Values.puppetserver.pullPolicy}}" + command: [ "sh", "-c" ] + args: + - mkdir -p /etc/puppetlabs/puppet/ssl; + CERTS_FILE=`ls /puppet-certs/puppetserver`; + tar xf /puppet-certs/puppetserver/"$CERTS_FILE" -C /etc/puppetlabs/puppet/ssl --strip-components 1; + volumeMounts: + - name: puppetserver-certs + mountPath: /puppet-certs/puppetserver + - name: puppet-puppet-storage + mountPath: /etc/puppetlabs/puppet/ + - name: copy-ro-puppetdb-certs + image: "{{.Values.puppetdb.image}}:{{.Values.puppetdb.tag}}" + imagePullPolicy: "{{.Values.puppetdb.pullPolicy}}" + command: [ "sh", "-c" ] + args: + - mkdir -p /opt/puppetlabs/server/data/puppetdb/certs; + CERTS_FILE=`ls /puppet-certs/puppetdb`; + tar xf /puppet-certs/puppetdb/"$CERTS_FILE" -C /opt/puppetlabs/server/data/puppetdb/certs --strip-components 1; + volumeMounts: + - name: puppetdb-certs + mountPath: /puppet-certs/puppetdb + - name: puppetdb-storage + mountPath: /opt/puppetlabs/server/data/puppetdb/certs + volumes: + - name: puppet-puppet-storage + persistentVolumeClaim: + claimName: puppet-puppet-claim + - name: puppetdb-storage + persistentVolumeClaim: + claimName: puppetdb-claim + - name: puppetserver-certs + 
configMap: + name: "{{ template "puppetserver.name" . }}-puppetserver-preinstall" + - name: puppetdb-certs + configMap: + name: "{{ template "puppetserver.name" . }}-puppetdb-preinstall" +{{- end }} diff --git a/helm/templates/puppetboard-ingress.yaml b/helm/templates/puppetboard-ingress.yaml new file mode 100644 index 0000000..65f239f --- /dev/null +++ b/helm/templates/puppetboard-ingress.yaml @@ -0,0 +1,36 @@ +{{- if .Values.puppetboard.enabled }} +{{- if .Values.puppetboard.ingress.enabled }} +{{- $releaseName := .Release.Name -}} +{{- $serviceName := "puppetdb" }} +{{- $servicePort := "80" -}} +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + {{- if .Values.puppetboard.ingress.annotations }} + annotations: + {{ toYaml .Values.puppetboard.ingress.annotations | nindent 4 }} + {{- end }} + labels: + {{- include "puppetserver.puppetdb.labels" . | nindent 4 }} + {{- range $key, $value := .Values.puppetboard.ingress.extraLabels }} + {{ $key }}: {{ $value }} + {{- end }} + name: puppetboard +spec: + rules: + {{- range .Values.puppetboard.ingress.hosts }} + {{- $url := splitList "/" . }} + - host: {{ first $url }} + http: + paths: + - path: /{{ rest $url | join "/" }} + backend: + serviceName: {{ $serviceName }} + servicePort: {{ $servicePort }} + {{- end -}} + {{- if .Values.puppetboard.ingress.tls }} + tls: + {{ toYaml .Values.puppetboard.ingress.tls | nindent 4 }} + {{- end -}} +{{- end -}} +{{- end -}} diff --git a/helm/templates/puppetdb-deployment.yaml b/helm/templates/puppetdb-deployment.yaml new file mode 100644 index 0000000..08fb4e0 --- /dev/null +++ b/helm/templates/puppetdb-deployment.yaml 
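Review bot: `CERTS_FILE=\`ls /puppet-certs/puppetserver\`` assumes exactly one file in the mounted ConfigMap, but the puppetdb preinstall ConfigMap in this commit is filled with `.Files.Glob "init/puppet-certs/puppetdb/*.gz"` (and the puppetserver one presumably the same way), so a second archive turns `$CERTS_FILE` into two names and `tar xf` fails late on a path that does not exist; without `set -e` an earlier `mkdir` failure is also swallowed. Iterate over the files instead: `set -e; for f in /puppet-certs/puppetserver/*.gz; do tar xf "$f" -C /etc/puppetlabs/puppet/ssl --strip-components 1; done;`, and the same for the puppetdb container. These archives carry the private keys that end up on the persistent volumes (the deployment later reads `private_keys/private.pem` from the puppetdb certs directory), so a failed or partial extraction should fail the hook loudly rather than leave a half-populated volume.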
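Review bot: `apiVersion: extensions/v1beta1` for Ingress is deprecated and removed in newer Kubernetes releases; since `puppetdb-deployment.yaml` in this same commit already gates `priorityClassName` on `.Capabilities.APIVersions.Has`, do the same here: `{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }}apiVersion: networking.k8s.io/v1beta1{{- else }}apiVersion: extensions/v1beta1{{- end }}`. The fixed `name: puppetboard`, like the `puppetdb` Service and the PVCs, also means two releases of the chart cannot coexist in one namespace; prefixing with `puppetserver.fullname` avoids that. Because puppetboard fronts PuppetDB data (it is wired to the PuppetDB client certificate and port 8081 in the deployment hunk), the README should state that `ingress.tls` and an authentication annotation are expected for any host that is not purely internal.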
@@ -0,0 +1,104 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "puppetserver.name" . }}-puppetdb + labels: + {{- include "puppetserver.puppetdb.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + {{- include "puppetserver.puppetdb.matchLabels" . | nindent 6 }} + strategy: + type: Recreate + template: + metadata: + labels: + {{- include "puppetserver.puppetdb.labels" . | nindent 8 }} + {{- if .Values.podAnnotations }} + annotations: + {{- toYaml .Values.podAnnotations | nindent 8 }} + {{- end }} + spec: + hostname: puppetdb + containers: + - name: puppetdb + image: "{{.Values.puppetdb.image}}:{{.Values.puppetdb.tag}}" + imagePullPolicy: "{{.Values.puppetdb.pullPolicy}}" + resources: + {{- toYaml .Values.puppetdb.resources | nindent 12 }} + env: + {{- range $key, $value := .Values.puppetdb.extraEnv }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + - name: PUPPETSERVER_HOSTNAME + value: "puppet" + - name: PUPPETSERVER_PORT + value: "{{ template "puppetserver.puppetserver-masters.port" . }}" + - name: PUPPETDB_POSTGRES_HOSTNAME + value: "{{ template "puppetserver.name" . }}-postgresql" + - name: PUPPETDB_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "puppetdb.secret" . }} + key: password + - name: PUPPETDB_USER + valueFrom: + secretKeyRef: + name: {{ template "puppetdb.secret" . 
}} + key: username + ports: + - name: pdb-http + containerPort: 8080 + - name: pdb-https + containerPort: 8081 + volumeMounts: + - name: puppetdb-storage + mountPath: /opt/puppetlabs/server/data/puppetdb/certs + {{- if .Values.puppetboard.enabled }} + - name: puppetboard + image: "{{.Values.puppetboard.image}}:{{.Values.puppetboard.tag}}" + imagePullPolicy: "{{.Values.puppetboard.pullPolicy}}" + resources: + {{- toYaml .Values.puppetboard.resources | nindent 12 }} + env: + {{- range $key, $value := .Values.puppetboard.extraEnv }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + - name: PUPPETDB_HOST + value: "puppetdb" + - name: PUPPETDB_PORT + value: "8081" + - name: PUPPETDB_SSL_VERIFY + value: "/opt/puppetlabs/server/data/puppetdb/certs/certs/ca.pem" + - name: PUPPETDB_CERT + value: "/opt/puppetlabs/server/data/puppetdb/certs/certs/public.pem" + - name: PUPPETDB_KEY + value: "/opt/puppetlabs/server/data/puppetdb/certs/private_keys/private.pem" + ports: + - name: puppetboard + containerPort: 80 + volumeMounts: + - name: puppetdb-storage + mountPath: /opt/puppetlabs/server/data/puppetdb/certs + {{- end }} + volumes: + - name: puppetdb-storage + persistentVolumeClaim: + claimName: puppetdb-claim + {{- if .Values.nodeSelector }} + nodeSelector: + {{ toYaml .Values.nodeSelector | nindent 10 }} + {{- end }} + {{- if .Values.affinity }} + affinity: + {{ toYaml .Values.affinity | nindent 10 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: + {{ toYaml .Values.tolerations| nindent 10 }} + {{- end }} + {{- if and (.Capabilities.APIVersions.Has "scheduling.k8s.io/v1beta1") (.Values.priorityClassName) }} + priorityClassName: {{ .Values.priorityClassName }} + {{- end }} diff --git a/helm/templates/puppetdb-preInstall.configMap.yaml b/helm/templates/puppetdb-preInstall.configMap.yaml new file mode 100644 index 0000000..98b02fa --- /dev/null +++ b/helm/templates/puppetdb-preInstall.configMap.yaml 
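Review bot: Neither the `puppetdb` nor the `puppetboard` container has a readiness or liveness probe, yet the `puppetdb` Service routes to this pod immediately and the masters deployment is pointed at `https://puppetdb:8081`, so during startup and after every `Recreate` rollout the masters talk to a pod that is not listening yet. Add at least `readinessProbe: {tcpSocket: {port: 8081}, initialDelaySeconds: 30, periodSeconds: 10}` to the puppetdb container and a similar `tcpSocket` probe on port 80 for puppetboard; the masters deployment in this commit shows the probe style already used for puppetserver. Both containers also run with the image defaults and no pod `securityContext`, unlike the r10k sidecars that pin `runAsUser: 999`; pulling `PUPPETDB_PASSWORD` from a `secretKeyRef` is the right pattern and should stay.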
@@ -0,0 +1,17 @@ +{{- if .Values.puppetserver.preGeneratedCertsJob.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "puppetserver.name" . }}-puppetdb-preinstall + labels: + {{- include "puppetserver.puppetdb.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": "hook-succeeded,hook-failed" +binaryData: + {{- $root := . }} + {{- range $path, $bytes := .Files.Glob "init/puppet-certs/puppetdb/*.gz" }} + {{ base $path }}: {{ $root.Files.Get $path | b64enc | quote }} + {{- end }} +{{- end }} diff --git a/helm/templates/puppetdb-pvc.yaml b/helm/templates/puppetdb-pvc.yaml new file mode 100644 index 0000000..85434d6 --- /dev/null +++ b/helm/templates/puppetdb-pvc.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: puppetdb-claim + labels: + {{- include "puppetserver.puppetdb.labels" . | nindent 4 }} + {{- if or (.Values.puppetserver.preGeneratedCertsJob.enabled) (.Values.storage.annotations) }} + annotations: + {{- end }} + {{- if .Values.puppetserver.preGeneratedCertsJob.enabled }} + "helm.sh/hook": "pre-install" + "helm.sh/hook-weight": "0" + "helm.sh/hook-delete-policy": "before-hook-creation" + {{- end }} + {{- if .Values.storage.annotations }} + {{ toYaml .Values.storage.annotations }} + {{- end }} +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .Values.storage.size | quote }} + {{- if .Values.storage.storageClass }} + {{- if (eq "-" .Values.storage.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.storage.storageClass }}" + {{- end }} + {{- end }} diff --git a/helm/templates/puppetdb-secret.yaml b/helm/templates/puppetdb-secret.yaml new file mode 100644 index 0000000..8f948b5 --- /dev/null +++ b/helm/templates/puppetdb-secret.yaml 
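Review bot: The `.gz` archives loaded here are the PuppetDB TLS bundle — the preinstall job unpacks them into the puppetdb certs directory, where the deployment later reads `private_keys/private.pem` — but they are placed in a ConfigMap's `binaryData`, so the private key is visible to anyone with read access to ConfigMaps and excluded from Secret-specific encryption at rest and audit rules. Switch the object to `kind: Secret`, `type: Opaque`, and emit the same base64 values under `data:`; the Job's volume then needs `secret:`/`secretName:` instead of `configMap:`/`name:` and the hook annotations stay as they are. The `hook-delete-policy` removes it after the hook, which helps, but it still lives in etcd for the duration. A `.Files.Glob` that matches nothing renders an empty `binaryData:` and the job then fails on an opaque `tar` error; a `fail` when no file matches would make that explicit.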
@@ -0,0 +1,12 @@ +{{- if not .Values.global.credentials.existingSecret -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "puppetdb.secret" . }} + labels: + {{- include "puppetserver.puppetdb.labels" . | nindent 4 }} +type: Opaque +data: + username: {{ .Values.global.credentials.username | b64enc | quote }} + password: {{ include "postgresql.password" . | b64enc | quote }} +{{- end -}} diff --git a/helm/templates/puppetdb-service.yaml b/helm/templates/puppetdb-service.yaml new file mode 100644 index 0000000..caddc86 --- /dev/null +++ b/helm/templates/puppetdb-service.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Service +metadata: + name: puppetdb + labels: + {{- include "puppetserver.puppetdb.labels" . | nindent 4 }} +spec: + ports: + - name: pdb-http + port: 8080 + - name: pdb-https + port: 8081 + {{- if .Values.puppetboard.enabled }} + - name: puppetboard + port: 80 + {{- end }} + selector: + {{- include "puppetserver.puppetdb.matchLabels" . | nindent 4 }} diff --git a/helm/templates/puppetserver-code-pvc.yaml b/helm/templates/puppetserver-code-pvc.yaml new file mode 100644 index 0000000..fedf26e --- /dev/null +++ b/helm/templates/puppetserver-code-pvc.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: puppet-code-claim + labels: + {{- include "puppetserver.puppetserver.labels" . | nindent 4 }} + {{- if .Values.storage.annotations }} + annotations: + {{ toYaml .Values.storage.annotations | nindent 4 }} + {{- end }} +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .Values.storage.size | quote }} + {{- if .Values.storage.storageClass }} + {{- if (eq "-" .Values.storage.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.storage.storageClass }}" + {{- end }} + {{- end }} diff --git a/helm/templates/puppetserver-data-pvc.yaml b/helm/templates/puppetserver-data-pvc.yaml new file mode 100644 index 0000000..b5a2df5 --- /dev/null 
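Review bot: `username:` is taken straight from `.Values.global.credentials.username`, while the rest of the chart resolves the user through the `postgresql.username` helper, which falls back to `.Values.postgresqlUsername`; when only the fallback is set, this Secret carries an empty username while PostgreSQL is provisioned with a different one and PuppetDB cannot authenticate. Use the helper for consistency: `username: {{ include "postgresql.username" . | b64enc | quote }}`. Note that `password:` inherits the `unbreakablePassword` default from `postgresql.password`, so this Secret is only as strong as the values the operator supplies.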
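Review bot: The Service publishes `pdb-http` on port 8080 to the whole cluster; PuppetDB's plain-HTTP listener performs no authentication, and nothing in this commit consumes it — the masters deployment uses `https://puppetdb:8081` and puppetboard is configured with `PUPPETDB_PORT` 8081 plus a client certificate. Remove the `pdb-http` port from the Service (the matching `containerPort` is then documentation only), or if an unauthenticated endpoint is genuinely needed, pair it with a NetworkPolicy that limits ingress on 8080 to the intended clients. The fixed `name: puppetdb` is also what `PUPPETDB_HOST` and `PUPPETDB_SERVER_URLS` hard-code, so those values must change together if the Service is ever renamed.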
+++ b/helm/templates/puppetserver-data-pvc.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: puppet-serverdata-claim + labels: + {{- include "puppetserver.puppetserver.labels" . | nindent 4 }} + {{- if .Values.storage.annotations }} + annotations: + {{ toYaml .Values.storage.annotations | nindent 4 }} + {{- end }} +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .Values.storage.size | quote }} + {{- if .Values.storage.storageClass }} + {{- if (eq "-" .Values.storage.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.storage.storageClass }}" + {{- end }} + {{- end }} diff --git a/helm/templates/puppetserver-deployment-masters.yaml b/helm/templates/puppetserver-deployment-masters.yaml new file mode 100644 index 0000000..f1c01c1 --- /dev/null +++ b/helm/templates/puppetserver-deployment-masters.yaml 
@@ -0,0 +1,347 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "puppetserver.name" . }}-puppetserver-master + labels: + {{- include "puppetserver.puppetserver.labels" . | nindent 4 }} +spec: + {{- if .Values.puppetserver.masters.multiMasters.enabled }} + {{- if not (.Values.puppetserver.masters.multiMasters.autoScaling.enabled) }} + replicas: {{ .Values.puppetserver.masters.multiMasters.manualScaling.masters }} + {{- end }} + {{- end }} + selector: + matchLabels: + {{- include "puppetserver.puppetserver.matchLabels" . | nindent 6 }} + strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 20% + maxUnavailable: 0% + template: + metadata: + labels: + {{- include "puppetserver.puppetserver.labels" . | nindent 8 }} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/hiera-configmap.yaml") . | sha256sum }} + {{- if .Values.podAnnotations }} + {{- toYaml .Values.podAnnotations | nindent 8 }} + {{- end }} + spec: + hostname: {{ template "puppetserver.puppetserver-masters.serviceName" . }} + initContainers: + - name: perms-and-dirs + image: "{{.Values.puppetserver.image}}:{{.Values.puppetserver.tag}}" + imagePullPolicy: "{{.Values.puppetserver.pullPolicy}}" + resources: + requests: + memory: 128Mi + cpu: 200m + limits: + memory: 256Mi + cpu: 300m + {{- if .Values.puppetserver.masters.multiMasters.enabled }} + env: + - name: PUPPET_DATA_DIR + value: "/etc/puppetlabs/code/environments" + - name: PUPPET_SSL_CERT_PEM + value: "/etc/puppetlabs/puppet/ssl/certs/{{ template "puppetserver.puppetserver-masters.serviceName" . 
}}.pem" + {{- end }} + command: [ "sh", "-c" ] + args: + - mkdir -p /etc/puppetlabs/puppet/eyaml/keys; + {{- if .Values.puppetserver.masters.multiMasters.enabled }} + cp /etc/puppetlabs/puppet/configmap/check_for_masters.sh /etc/puppetlabs/puppet/check_for_masters.sh; + chown puppet:puppet /etc/puppetlabs/puppet/check_for_masters.sh; + chmod +x /etc/puppetlabs/puppet/check_for_masters.sh; + bash /etc/puppetlabs/puppet/check_for_masters.sh; + {{- end }} + mkdir -p /etc/puppetlabs/code/environments; + mkdir -p /etc/puppetlabs/puppet/manifests; + mkdir -p /etc/puppetlabs/code/r10k_cache; + chown -R puppet:puppet /etc/puppetlabs; + {{- if .Values.puppetserver.puppeturl }} + cp /etc/puppetlabs/puppet/configmap/r10k_code_entrypoint.sh /etc/puppetlabs/puppet/r10k_code_entrypoint.sh; + cp /etc/puppetlabs/puppet/configmap/r10k_code_cronjob.sh /etc/puppetlabs/puppet/r10k_code_cronjob.sh; + cp /etc/puppetlabs/puppet/configmap/r10k_code.yaml /etc/puppetlabs/puppet/r10k_code.yaml; + chown puppet:puppet /etc/puppetlabs/puppet/r10k_code_entrypoint.sh /etc/puppetlabs/puppet/r10k_code_cronjob.sh /etc/puppetlabs/puppet/r10k_code.yaml; + chmod +x /etc/puppetlabs/puppet/r10k_code_entrypoint.sh /etc/puppetlabs/puppet/r10k_code_cronjob.sh; + {{- end }} + {{- if .Values.hiera.hieradataurl }} + cp /etc/puppetlabs/puppet/configmap/r10k_hiera_entrypoint.sh /etc/puppetlabs/puppet/r10k_hiera_entrypoint.sh; + cp /etc/puppetlabs/puppet/configmap/r10k_hiera_cronjob.sh /etc/puppetlabs/puppet/r10k_hiera_cronjob.sh; + cp /etc/puppetlabs/puppet/configmap/r10k_hiera.yaml /etc/puppetlabs/puppet/r10k_hiera.yaml; + chown puppet:puppet /etc/puppetlabs/puppet/r10k_hiera_entrypoint.sh /etc/puppetlabs/puppet/r10k_hiera_cronjob.sh /etc/puppetlabs/puppet/r10k_hiera.yaml; + chmod +x /etc/puppetlabs/puppet/r10k_hiera_entrypoint.sh /etc/puppetlabs/puppet/r10k_hiera_cronjob.sh; + {{- end }} + {{- if .Values.hiera.config }} + cp /etc/puppetlabs/puppet/configmap/hiera.yaml /etc/puppetlabs/puppet/hiera.yaml; + chown 
puppet:puppet /etc/puppetlabs/puppet/hiera.yaml; + {{- end }} + cp /etc/puppetlabs/puppet/configmap/site.pp /etc/puppetlabs/puppet/manifests/site.pp; + chown puppet:puppet /etc/puppetlabs/puppet/manifests/site.pp; + {{- if or (.Values.hiera.eyaml.private_key) (.Values.hiera.eyaml.existingMap) }} + cp /etc/puppetlabs/puppet/configmap/eyaml/private_key.pkcs7.pem /etc/puppetlabs/puppet/eyaml/keys/private_key.pkcs7.pem; + chown puppet:puppet /etc/puppetlabs/puppet/eyaml/keys/private_key.pkcs7.pem; + {{- end }} + {{- if or (.Values.hiera.eyaml.public_key) (.Values.hiera.eyaml.existingMap) }} + cp /etc/puppetlabs/puppet/configmap/eyaml/public_key.pkcs7.pem /etc/puppetlabs/puppet/eyaml/keys/public_key.pkcs7.pem; + chown puppet:puppet /etc/puppetlabs/puppet/eyaml/keys/public_key.pkcs7.pem; + {{- end }} + securityContext: + runAsUser: 0 + runAsNonRoot: false + privileged: true + volumeMounts: + - name: puppet-code-storage + mountPath: /etc/puppetlabs/code/ + - name: puppet-puppet-storage + mountPath: /etc/puppetlabs/puppet/ + {{- if .Values.puppetserver.puppeturl }} + - name: r10k-code-volume + mountPath: /etc/puppetlabs/puppet/configmap/r10k_code_entrypoint.sh + subPath: r10k_code_entrypoint.sh + - name: r10k-code-volume + mountPath: /etc/puppetlabs/puppet/configmap/r10k_code_cronjob.sh + subPath: r10k_code_cronjob.sh + - name: r10k-code-volume + mountPath: /etc/puppetlabs/puppet/configmap/r10k_code.yaml + subPath: r10k_code.yaml + {{- end }} + {{- if .Values.hiera.hieradataurl }} + - name: r10k-hiera-volume + mountPath: /etc/puppetlabs/puppet/configmap/r10k_hiera_entrypoint.sh + subPath: r10k_hiera_entrypoint.sh + - name: r10k-hiera-volume + mountPath: /etc/puppetlabs/puppet/configmap/r10k_hiera_cronjob.sh + subPath: r10k_hiera_cronjob.sh + - name: r10k-hiera-volume + mountPath: /etc/puppetlabs/puppet/configmap/r10k_hiera.yaml + subPath: r10k_hiera.yaml + {{- end }} + {{- if .Values.puppetserver.masters.multiMasters.enabled }} + - name: init-masters-volume + mountPath: 
/etc/puppetlabs/puppet/configmap/check_for_masters.sh + subPath: check_for_masters.sh + {{- end }} + {{- if .Values.hiera.config }} + - name: hiera-volume + mountPath: /etc/puppetlabs/puppet/configmap/hiera.yaml + subPath: hiera.yaml + {{- end }} + - name: manifests-volume + mountPath: /etc/puppetlabs/puppet/configmap/site.pp + subPath: site.pp + {{- if .Values.hiera.eyaml.existingMap }} + - name: eyaml-volume + mountPath: /etc/puppetlabs/puppet/configmap/eyaml + {{- end }} + {{- if and (.Values.hiera.eyaml.public_key) (not .Values.hiera.eyaml.existingMap)}} + - name: eyamlpub-volume + mountPath: /etc/puppetlabs/puppet/configmap/eyaml/public_key.pkcs7.pem + subPath: public_key.pkcs7.pem + {{- end }} + {{- if and (.Values.hiera.eyaml.private_key) (not .Values.hiera.eyaml.existingMap)}} + - name: eyamlpriv-volume + mountPath: /etc/puppetlabs/puppet/configmap/eyaml/private_key.pkcs7.pem + subPath: private_key.pkcs7.pem + {{- end }} + containers: + - name: {{ template "puppetserver.fullname" . }} + image: "{{.Values.puppetserver.image}}:{{.Values.puppetserver.tag}}" + imagePullPolicy: "{{.Values.puppetserver.pullPolicy}}" + resources: + {{- toYaml .Values.puppetserver.masters.resources | nindent 12 }} + env: + {{- range $key, $value := .Values.puppetserver.masters.extraEnv }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + # necessary to set certname and server in puppet.conf, required by + # puppetserver ca cli application + - name: PUPPETSERVER_HOSTNAME + value: "{{ template "puppetserver.puppetserver-masters.serviceName" . }}" + - name: PUPPET_MASTERPORT + value: "{{ template "puppetserver.puppetserver-masters.port" . }}" + - name: DNS_ALT_NAMES + value: "{{ template "puppetserver.compilers.hostnames" . }},{{ template "puppetserver.puppetserver-compilers.serviceName" . }},{{ template "puppetserver.puppetserver.agents-to-masters.serviceName" . 
}},{{.Values.puppetserver.compilers.fqdns.alternateServerNames}},{{.Values.puppetserver.masters.fqdns.alternateServerNames}}" + - name: PUPPETDB_SERVER_URLS + value: "https://puppetdb:8081" + - name: CA_ALLOW_SUBJECT_ALT_NAMES + value: "true" + readinessProbe: + httpGet: + path: /status/v1/simple + port: {{ template "puppetserver.puppetserver-masters.port" .}} + scheme: HTTPS + initialDelaySeconds: {{ .Values.puppetserver.masters.readinessProbeInitialDelay }} + periodSeconds: {{ .Values.puppetserver.masters.readinessProbePeriodSeconds }} + timeoutSeconds: {{ .Values.puppetserver.masters.readinessProbeTimeout }} + failureThreshold: {{ .Values.puppetserver.masters.readinessProbeFailureThreshold }} + successThreshold: {{ .Values.puppetserver.masters.readinessProbeSuccessThreshold }} + livenessProbe: + tcpSocket: + port: {{ template "puppetserver.puppetserver-masters.port" .}} + initialDelaySeconds: {{ .Values.puppetserver.masters.livenessProbeInitialDelay }} + periodSeconds: {{ .Values.puppetserver.masters.livenessProbePeriodSeconds }} + timeoutSeconds: {{ .Values.puppetserver.masters.livenessProbeTimeout }} + failureThreshold: {{ .Values.puppetserver.masters.livenessProbeFailureThreshold }} + successThreshold: {{ .Values.puppetserver.masters.livenessProbeSuccessThreshold }} + ports: + - containerPort: {{ template "puppetserver.puppetserver-masters.port" .}} + volumeMounts: + - name: puppet-code-storage + mountPath: /etc/puppetlabs/code/ + - name: puppet-puppet-storage + mountPath: /etc/puppetlabs/puppet/ + - name: puppet-serverdata-storage + mountPath: /opt/puppetlabs/server/data/puppetserver/ + {{- if .Values.puppetserver.puppeturl }} + # r10k Code Sidecar + - name: r10k-code + image: "{{.Values.r10k.image}}:{{.Values.r10k.tag}}" + imagePullPolicy: "{{.Values.r10k.pullPolicy}}" + resources: + {{- toYaml .Values.r10k.code.resources | nindent 12 }} + env: + {{- range $key, $value := .Values.r10k.code.extraEnv }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end 
}} + command: [ "sh", "-c", "/etc/puppetlabs/puppet/r10k_code_entrypoint.sh" ] + securityContext: + runAsUser: 999 # "puppet" UID + runAsGroup: 999 # "puppet" GID + volumeMounts: + {{- with .Values.r10k.code.viaSsh.credentials }} + {{- if or (.existingSecret) (and (.ssh.value) (.known_hosts.value)) }} + - name: r10k-code-secret + mountPath: /home/puppet/.ssh + {{- end }} + {{- end }} + - name: puppet-code-storage + mountPath: /etc/puppetlabs/code/ + - name: puppet-puppet-storage + mountPath: /etc/puppetlabs/puppet/ + readinessProbe: + exec: + command: ["/bin/sh", "-ec", "test -f ~/.r10k_code_cronjob.success"] + failureThreshold: 2 + initialDelaySeconds: 5 + periodSeconds: 20 + successThreshold: 1 + timeoutSeconds: 5 + {{- end }} + {{- if .Values.hiera.hieradataurl }} + # r10k Hiera Sidecar + - name: r10k-hiera + image: "{{.Values.r10k.image}}:{{.Values.r10k.tag}}" + imagePullPolicy: "{{.Values.r10k.pullPolicy}}" + resources: + {{- toYaml .Values.r10k.hiera.resources | nindent 12 }} + env: + {{- range $key, $value := .Values.r10k.hiera.extraEnv }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + command: [ "sh", "-c", "/etc/puppetlabs/puppet/r10k_hiera_entrypoint.sh" ] + securityContext: + runAsUser: 999 # "puppet" UID + runAsGroup: 999 # "puppet" GID + volumeMounts: + {{- with .Values.r10k.hiera.viaSsh.credentials }} + {{- if or (.existingSecret) (and (.ssh.value) (.known_hosts.value)) }} + - name: r10k-hiera-secret + mountPath: /home/puppet/.ssh + {{- end }} + {{- end }} + - name: puppet-code-storage + mountPath: /etc/puppetlabs/code/ + - name: puppet-puppet-storage + mountPath: /etc/puppetlabs/puppet/ + readinessProbe: + exec: + command: ["/bin/sh", "-ec", "test -f ~/.r10k_hiera_cronjob.success"] + failureThreshold: 2 + initialDelaySeconds: 5 + periodSeconds: 20 + successThreshold: 1 + timeoutSeconds: 5 + {{- end }} + securityContext: + fsGroup: 999 # "puppet" GID + volumes: + - name: puppet-code-storage + persistentVolumeClaim: + claimName: 
puppet-code-claim + - name: puppet-puppet-storage + persistentVolumeClaim: + claimName: puppet-puppet-claim + - name: puppet-serverdata-storage + persistentVolumeClaim: + claimName: puppet-serverdata-claim + {{- if .Values.puppetserver.masters.multiMasters.enabled }} + - name: init-masters-volume + configMap: + name: init-masters-config + {{- end }} + {{- if .Values.hiera.config }} + - name: hiera-volume + configMap: + name: hiera-config + {{- end }} + - name: manifests-volume + configMap: + name: manifests-config + {{- if .Values.hiera.eyaml.existingMap }} + - name: eyaml-volume + configMap: + name: {{ .Values.hiera.eyaml.existingMap }} + {{- end }} + {{- if and (.Values.hiera.eyaml.public_key) (not .Values.hiera.eyaml.existingMap)}} + - name: eyamlpub-volume + configMap: + name: {{ template "puppetserver.hiera.publicMap" . }} + {{- end }} + {{- if and (.Values.hiera.eyaml.private_key) (not .Values.hiera.eyaml.existingMap)}} + - name: eyamlpriv-volume + configMap: + name: {{ template "puppetserver.hiera.privateMap" . }} + {{- end }} + {{- if or (.Values.r10k.code.viaSsh.credentials.existingSecret) (and (.Values.r10k.code.viaSsh.credentials.ssh.value) (.Values.r10k.code.viaSsh.credentials.known_hosts.value)) }} + - name: r10k-code-secret + secret: + secretName: {{ template "r10k.code.secret" . }} + defaultMode: 288 # = mode 0440 + {{- end }} + {{- if .Values.puppetserver.puppeturl }} + - name: r10k-code-volume + configMap: + name: r10k-code-config + {{- end }} + {{- if .Values.hiera.hieradataurl }} + - name: r10k-hiera-volume + configMap: + name: r10k-hiera-config + {{- end }} + {{- if or (.Values.r10k.hiera.viaSsh.credentials.existingSecret) (and (.Values.r10k.hiera.viaSsh.credentials.ssh.value) (.Values.r10k.hiera.viaSsh.credentials.known_hosts.value)) }} + - name: r10k-hiera-secret + secret: + secretName: {{ template "r10k.hiera.secret" . 
}} + defaultMode: 288 # = mode 0440 + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: + {{ toYaml .Values.nodeSelector | nindent 10 }} + {{- end }} + {{- if .Values.affinity }} + affinity: + {{ toYaml .Values.affinity | nindent 10 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: + {{ toYaml .Values.tolerations| nindent 10 }} + {{- end }} + {{- if and (.Capabilities.APIVersions.Has "scheduling.k8s.io/v1beta1") (.Values.priorityClassName) }} + priorityClassName: {{ .Values.priorityClassName }} + {{- end }} diff --git a/helm/templates/puppetserver-hpa-compilers.yaml b/helm/templates/puppetserver-hpa-compilers.yaml new file mode 100644 index 0000000..8691da8 --- /dev/null +++ b/helm/templates/puppetserver-hpa-compilers.yaml @@ -0,0 +1,34 @@ +{{- if .Values.puppetserver.compilers.enabled }} +{{- if .Values.puppetserver.compilers.autoScaling.enabled }} +apiVersion: autoscaling/v2beta2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ template "puppetserver.name" . }}-compilers-autoscaler + labels: + {{- include "puppetserver.puppetserver-compilers.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: StatefulSet + name: {{ template "puppetserver.name" . }}-puppetserver-compiler + minReplicas: {{ .Values.puppetserver.compilers.autoScaling.minCompilers }} + maxReplicas: {{ .Values.puppetserver.compilers.autoScaling.maxCompilers }} + metrics: + {{- with .Values.puppetserver.compilers.autoScaling.cpuUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ . }} + {{- end }} + {{- with .Values.puppetserver.compilers.autoScaling.memoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ . }} + {{- end }} +{{- end }} +{{- end }} diff --git a/helm/templates/puppetserver-hpa-masters.yaml b/helm/templates/puppetserver-hpa-masters.yaml new file mode 100644 index 0000000..2b5804d --- /dev/null 
+++ b/helm/templates/puppetserver-hpa-masters.yaml @@ -0,0 +1,34 @@ +{{- if .Values.puppetserver.masters.multiMasters.enabled }} +{{- if .Values.puppetserver.masters.multiMasters.autoScaling.enabled }} +apiVersion: autoscaling/v2beta2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ template "puppetserver.name" . }}-masters-autoscaler + labels: + {{- include "puppetserver.puppetserver.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ template "puppetserver.name" . }}-puppetserver-master + minReplicas: {{ .Values.puppetserver.masters.multiMasters.autoScaling.minMasters }} + maxReplicas: {{ .Values.puppetserver.masters.multiMasters.autoScaling.maxMasters }} + metrics: + {{- with .Values.puppetserver.masters.multiMasters.autoScaling.cpuUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ . }} + {{- end }} + {{- with .Values.puppetserver.masters.multiMasters.autoScaling.memoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ . }} + {{- end }} +{{- end }} +{{- end }} diff --git a/helm/templates/puppetserver-ingress-compilers.yaml b/helm/templates/puppetserver-ingress-compilers.yaml new file mode 100644 index 0000000..98a7843 --- /dev/null +++ b/helm/templates/puppetserver-ingress-compilers.yaml 
@@ -0,0 +1,36 @@ +{{- if .Values.puppetserver.compilers.enabled }} +{{- if .Values.puppetserver.compilers.ingress.enabled -}} +{{- $releaseName := .Release.Name -}} +{{- $serviceName := include "puppetserver.puppetserver-compilers.serviceName" . }} +{{- $servicePort := .Values.puppetserver.compilers.service.ports.puppetserver.port -}} +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + {{- if .Values.puppetserver.compilers.ingress.annotations }} + annotations: + {{ toYaml .Values.puppetserver.compilers.ingress.annotations | nindent 4 }} + {{- end }} + labels: + {{- include "puppetserver.puppetserver.labels" . | nindent 4 }} + {{- range $key, $value := .Values.puppetserver.compilers.ingress.extraLabels }} + {{ $key }}: {{ $value }} + {{- end }} + name: {{ template "puppetserver.fullname" . }}-compilers +spec: + rules: + {{- range .Values.puppetserver.compilers.ingress.hosts }} + {{- $url := splitList "/" . }} + - host: {{ first $url }} + http: + paths: + - path: /{{ rest $url | join "/" }} + backend: + serviceName: {{ $serviceName }} + servicePort: {{ $servicePort }} + {{- end -}} + {{- if .Values.puppetserver.compilers.ingress.tls }} + tls: + {{ toYaml .Values.puppetserver.compilers.ingress.tls | nindent 4 }} + {{- end -}} +{{- end -}} +{{- end -}} diff --git a/helm/templates/puppetserver-ingress-masters.yaml b/helm/templates/puppetserver-ingress-masters.yaml new file mode 100644 index 0000000..7d4be9e --- /dev/null +++ b/helm/templates/puppetserver-ingress-masters.yaml 
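Review bot: This Ingress forwards to the compilers' HTTPS port, but the hunk sets no passthrough annotation, and a controller that terminates TLS at the edge will typically re-originate plain HTTP (or its own TLS) to the backend and drop the agent's client certificate, which is how puppetserver authenticates agents. The optional `tls:` block makes that worse, because the controller then presents its own certificate instead of one signed by the Puppet CA. Unless the chart expects an operator-supplied, controller-specific annotation (e.g. `nginx.ingress.kubernetes.io/ssl-passthrough: "true"`), I would document that next to `annotations:`: `# puppetserver needs end-to-end TLS (agent client-cert auth): configure your ingress controller for SSL passthrough and leave .tls empty`. `extensions/v1beta1` Ingress is also deprecated in favour of `networking.k8s.io/v1`.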
@@ -0,0 +1,34 @@ +{{- if .Values.puppetserver.masters.ingress.enabled -}} +{{- $releaseName := .Release.Name -}} +{{- $serviceName := include "puppetserver.puppetserver-masters.serviceName" . }} +{{- $servicePort := .Values.puppetserver.masters.service.ports.puppetserver.port -}} +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + {{- if .Values.puppetserver.masters.ingress.annotations }} + annotations: + {{ toYaml .Values.puppetserver.masters.ingress.annotations | nindent 4 }} + {{- end }} + labels: + {{- include "puppetserver.puppetserver.labels" . | nindent 4 }} + {{- range $key, $value := .Values.puppetserver.masters.ingress.extraLabels }} + {{ $key }}: {{ $value }} + {{- end }} + name: {{ template "puppetserver.fullname" . }}-masters +spec: + rules: + {{- range .Values.puppetserver.masters.ingress.hosts }} + {{- $url := splitList "/" . }} + - host: {{ first $url }} + http: + paths: + - path: /{{ rest $url | join "/" }} + backend: + serviceName: {{ $serviceName }} + servicePort: {{ $servicePort }} + {{- end -}} + {{- if .Values.puppetserver.masters.ingress.tls }} + tls: + {{ toYaml .Values.puppetserver.masters.ingress.tls | nindent 4 }} + {{- end -}} +{{- end -}} diff --git a/helm/templates/puppetserver-init-configmap.yaml b/helm/templates/puppetserver-init-configmap.yaml new file mode 100644 index 0000000..8243c2c --- /dev/null +++ b/helm/templates/puppetserver-init-configmap.yaml 
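Review bot: The masters Service that this Ingress exposes is also where the compilers are pointed for the CA (`CA_HOSTNAME` in the compilers StatefulSet), so anything that can reach the ingress can reach the CA endpoints, and the host/path rules here provide no way to keep `/puppet-ca/v1/` internal. The same caveat as for the compilers Ingress applies: without TLS passthrough the agent client certificates are lost at the edge. Consider at least a comment above `rules:` — `# exposes the CA as well; restrict /puppet-ca/v1/ to internal clients or keep this Ingress off the public edge` — and a values knob that limits the published paths.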
@@ -0,0 +1,25 @@ +{{- if .Values.puppetserver.masters.multiMasters.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: init-masters-config + labels: + {{- include "puppetserver.puppetserver.labels" . | nindent 4 }} +data: + check_for_masters.sh: | + #!/usr/bin/env bash + if [[ -d "$PUPPET_DATA_DIR" ]]; then + echo "A Puppetserver master has already started running." + echo "Waiting to finish the generation of the Puppet SSL certs..." + sleep 5 + while [[ ! -f "$PUPPET_SSL_CERT_PEM" ]]; + do + echo "Still waiting..." + sleep 5 + done + sleep 15 + echo "Puppet SSL certs have been generated. Continuing..." + else + echo "No other Puppetserver master is running. Continuing..." + fi +{{- end }} diff --git a/helm/templates/puppetserver-manifests-configmap.yaml b/helm/templates/puppetserver-manifests-configmap.yaml new file mode 100644 index 0000000..2c9295a --- /dev/null +++ b/helm/templates/puppetserver-manifests-configmap.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: manifests-config + labels: + {{- include "puppetserver.puppetserver.labels" . | nindent 4 }} +data: + site.pp: | + hiera_include('classes') diff --git a/helm/templates/puppetserver-preInstall.configMap.yaml b/helm/templates/puppetserver-preInstall.configMap.yaml new file mode 100644 index 0000000..2239bfb --- /dev/null +++ b/helm/templates/puppetserver-preInstall.configMap.yaml 
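Review bot: `check_for_masters.sh` waits for `$PUPPET_SSL_CERT_PEM` in an unbounded `while` loop and then relies on a fixed `sleep 15`, so a replica whose peer never finishes certificate generation hangs in the init container indefinitely, while a peer slower than 15 s still races the rest of the SSL tree being written (the cert appearing does not mean the CA files are complete). Bound the wait and fail loudly, e.g. `for i in $(seq 1 60); do [[ -f "$PUPPET_SSL_CERT_PEM" ]] && break; sleep 5; done` followed by `[[ -f "$PUPPET_SSL_CERT_PEM" ]] || { echo "timed out waiting for certs"; exit 1; }`. Both environment variables are set outside this hunk (presumably by the init container that mounts this ConfigMap); the script should also refuse to run with them empty, `: "${PUPPET_DATA_DIR:?}" "${PUPPET_SSL_CERT_PEM:?}"`, instead of silently taking the "no other master" branch.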
@@ -0,0 +1,17 @@ +{{- if .Values.puppetserver.preGeneratedCertsJob.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "puppetserver.name" . }}-puppetserver-preinstall + labels: + {{- include "puppetserver.puppetserver.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": "hook-succeeded,hook-failed" +binaryData: +{{- $root := . }} + {{- range $path, $bytes := .Files.Glob "init/puppet-certs/puppetserver/*.gz" }} + {{ base $path }}: {{ $root.Files.Get $path | b64enc | quote }} + {{- end }} +{{- end }} diff --git a/helm/templates/puppetserver-pvc.yaml b/helm/templates/puppetserver-pvc.yaml new file mode 100644 index 0000000..882f2f4 --- /dev/null +++ b/helm/templates/puppetserver-pvc.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: puppet-puppet-claim + labels: + {{- include "puppetserver.puppetserver.labels" . | nindent 4 }} + {{- if or (.Values.puppetserver.preGeneratedCertsJob.enabled) (.Values.storage.annotations) }} + annotations: + {{- end }} + {{- if .Values.puppetserver.preGeneratedCertsJob.enabled }} + "helm.sh/hook": "pre-install" + "helm.sh/hook-weight": "0" + "helm.sh/hook-delete-policy": "before-hook-creation" + {{- end }} + {{- if .Values.storage.annotations }} + {{ toYaml .Values.storage.annotations }} + {{- end }} +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .Values.storage.size | quote }} + {{- if .Values.storage.storageClass }} + {{- if (eq "-" .Values.storage.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.storage.storageClass }}" + {{- end }} + {{- end }} diff --git a/helm/templates/puppetserver-service-agents-to-masters.yaml b/helm/templates/puppetserver-service-agents-to-masters.yaml new file mode 100644 index 0000000..f962726 --- /dev/null +++ b/helm/templates/puppetserver-service-agents-to-masters.yaml 
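Review bot: The pre-generated certificate archives from `init/puppet-certs/puppetserver/*.gz` are shipped as `binaryData` in a ConfigMap; if those tarballs hold the CA or server private keys (the path suggests a full `ssl/` tree, which the hunk does not show), a ConfigMap is the wrong object, since ConfigMaps are outside Secret encryption-at-rest and the tighter RBAC usually applied to Secrets, and anyone with `get configmaps` in the namespace can read them. Change `kind: ConfigMap` to `kind: Secret` with `type: Opaque` and move the entries under `data:` (the values are already `b64enc`); the hook annotations can stay as they are. The `hook-succeeded,hook-failed` delete policy shortens the window but does not scrub the object from etcd history or backups.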
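Review bot: `{{ toYaml .Values.storage.annotations }}` is rendered without `nindent`, so only the first annotation picks up the indentation of the template line and any further key lands at column 0, yielding an invalid manifest; the compilers StatefulSet's `volumeClaimTemplates` uses `{{- toYaml .Values.storage.annotations | nindent 10 }}`, and this file should use the same form with `nindent 4`. Separately, with `preGeneratedCertsJob.enabled` this PVC becomes a pre-install hook with `before-hook-creation`, which means a later `helm install` into the same namespace deletes an existing `puppet-puppet-claim` (presumably holding `/etc/puppetlabs/puppet`, i.e. the CA and host keys) before recreating it; if that is intended, say so in a comment next to the annotation, otherwise drop the delete policy so the claim is retained.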
@@ -0,0 +1,27 @@ +{{- if .Values.puppetserver.compilers.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "puppetserver.puppetserver.agents-to-masters.serviceName" . }} + labels: + {{- include "puppetserver.puppetserver.labels" . | nindent 4 }} + {{- if .Values.puppetserver.masters.service.labels }} + {{- toYaml .Values.puppetserver.masters.service.labels | nindent 4 }} + {{- end }} + {{- if .Values.puppetserver.masters.service.annotations }} + annotations: + {{- toYaml .Values.puppetserver.masters.service.annotations | nindent 4 }} + {{- end }} +spec: + ports: + {{- range $key, $value := .Values.puppetserver.masters.service.ports }} + - name: {{ $key }} + {{- toYaml $value | nindent 6 }} + {{- end }} + selector: + {{- include "puppetserver.puppetserver.matchLabels" . | nindent 4 }} + type: {{ .Values.puppetserver.masters.service.type }} + {{- if (and (eq .Values.puppetserver.masters.service.type "LoadBalancer") (not (empty .Values.puppetserver.masters.service.loadBalancerIP))) }} + loadBalancerIP: {{ .Values.puppetserver.masters.service.loadBalancerIP }} + {{- end }} +{{- end }} diff --git a/helm/templates/puppetserver-service-compilers-headless.yaml b/helm/templates/puppetserver-service-compilers-headless.yaml new file mode 100644 index 0000000..6e84546 --- /dev/null +++ b/helm/templates/puppetserver-service-compilers-headless.yaml 
@@ -0,0 +1,24 @@ +{{- if .Values.puppetserver.compilers.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "puppetserver.puppetserver-compilers.serviceName" . }}-headless + labels: + {{- include "puppetserver.puppetserver-compilers.labels" . | nindent 4 }} + {{- if .Values.puppetserver.compilers.service.headless.labels }} + {{- toYaml .Values.puppetserver.compilers.service.headless.labels | nindent 4 }} + {{- end }} + {{- if .Values.puppetserver.compilers.service.headless.annotations }} + annotations: + {{- toYaml .Values.puppetserver.compilers.service.headless.annotations | nindent 4 }} + {{- end }} +spec: + clusterIP: None + ports: + {{- range $key, $value := .Values.puppetserver.compilers.service.headless.ports }} + - name: {{ $key }} + {{- toYaml $value | nindent 6 }} + {{- end }} + selector: + {{- include "puppetserver.puppetserver-compilers.matchLabels" . | nindent 4 }} +{{- end }} diff --git a/helm/templates/puppetserver-service-compilers.yaml b/helm/templates/puppetserver-service-compilers.yaml new file mode 100644 index 0000000..a93eeae --- /dev/null +++ b/helm/templates/puppetserver-service-compilers.yaml 
@@ -0,0 +1,27 @@ +{{- if .Values.puppetserver.compilers.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "puppetserver.puppetserver-compilers.serviceName" . }} + labels: + {{- include "puppetserver.puppetserver-compilers.labels" . | nindent 4 }} + {{- if .Values.puppetserver.compilers.service.labels }} + {{- toYaml .Values.puppetserver.compilers.service.labels | nindent 4 }} + {{- end }} + {{- if .Values.puppetserver.compilers.service.annotations }} + annotations: + {{- toYaml .Values.puppetserver.compilers.service.annotations | nindent 4 }} + {{- end }} +spec: + ports: + {{- range $key, $value := .Values.puppetserver.compilers.service.ports }} + - name: {{ $key }} + {{- toYaml $value | nindent 6 }} + {{- end }} + selector: + {{- include "puppetserver.puppetserver-compilers.matchLabels" . | nindent 4 }} + type: {{ .Values.puppetserver.compilers.service.type }} + {{- if (and (eq .Values.puppetserver.compilers.service.type "LoadBalancer") (not (empty .Values.puppetserver.compilers.service.loadBalancerIP))) }} + loadBalancerIP: {{ .Values.puppetserver.compilers.service.loadBalancerIP }} + {{- end }} +{{- end }} diff --git a/helm/templates/puppetserver-service-masters.yaml b/helm/templates/puppetserver-service-masters.yaml new file mode 100644 index 0000000..eefb404 --- /dev/null +++ b/helm/templates/puppetserver-service-masters.yaml 
@@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "puppetserver.puppetserver-masters.serviceName" . }} + labels: + {{- include "puppetserver.puppetserver.labels" . | nindent 4 }} + {{- if .Values.puppetserver.masters.service.labels }} + {{- toYaml .Values.puppetserver.masters.service.labels | nindent 4 }} + {{- end }} + {{- if .Values.puppetserver.masters.service.annotations }} + annotations: + {{- toYaml .Values.puppetserver.masters.service.annotations | nindent 4 }} + {{- end }} +spec: + ports: + {{- range $key, $value := .Values.puppetserver.masters.service.ports }} + - name: {{ $key }} + {{- toYaml $value | nindent 6 }} + {{- end }} + selector: + {{- include "puppetserver.puppetserver.matchLabels" . | nindent 4 }} + type: {{ .Values.puppetserver.masters.service.type }} + {{- if (and (eq .Values.puppetserver.masters.service.type "LoadBalancer") (not (empty .Values.puppetserver.masters.service.loadBalancerIP))) }} + loadBalancerIP: {{ .Values.puppetserver.masters.service.loadBalancerIP }} + {{- end }} diff --git a/helm/templates/puppetserver-statefulset-compilers.yaml b/helm/templates/puppetserver-statefulset-compilers.yaml new file mode 100644 index 0000000..c8b404e --- /dev/null +++ b/helm/templates/puppetserver-statefulset-compilers.yaml 
@@ -0,0 +1,357 @@ +{{- if .Values.puppetserver.compilers.enabled }} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "puppetserver.name" . }}-puppetserver-compiler + labels: + {{- include "puppetserver.puppetserver-compilers.labels" . | nindent 4 }} + {{- if .Values.puppetserver.compilers.annotations }} + annotations: + {{- toYaml .Values.puppetserver.compilers.annotations | nindent 4 }} + {{- end }} +spec: + serviceName: {{ template "puppetserver.puppetserver-compilers.serviceName" . }}-headless + selector: + matchLabels: + {{- include "puppetserver.puppetserver-compilers.matchLabels" . | nindent 6 }} + {{- if not (.Values.puppetserver.compilers.autoScaling.enabled) }} + replicas: {{ .Values.puppetserver.compilers.manualScaling.compilers }} + {{- end }} + podManagementPolicy: {{ .Values.puppetserver.compilers.podManagementPolicy }} + updateStrategy: + type: RollingUpdate + template: + metadata: + labels: + {{- include "puppetserver.puppetserver-compilers.labels" . | nindent 8 }} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/hiera-configmap.yaml") . 
| sha256sum }} + {{- if .Values.podAnnotations }} + {{- toYaml .Values.podAnnotations | nindent 8 }} + {{- end }} + spec: + initContainers: + - name: perms-and-dirs + image: "{{.Values.puppetserver.image}}:{{.Values.puppetserver.tag}}" + imagePullPolicy: "{{.Values.puppetserver.pullPolicy}}" + resources: + requests: + memory: 128Mi + cpu: 200m + limits: + memory: 256Mi + cpu: 300m + command: [ "sh", "-c" ] + args: + - mkdir -p /etc/puppetlabs/puppet/eyaml/keys; + mkdir -p /etc/puppetlabs/code/environments; + mkdir -p /etc/puppetlabs/puppet/manifests; + mkdir -p /etc/puppetlabs/code/r10k_cache; + chown -R puppet:puppet /etc/puppetlabs; + {{- if .Values.puppetserver.puppeturl }} + cp /etc/puppetlabs/puppet/configmap/r10k_code_entrypoint.sh /etc/puppetlabs/puppet/r10k_code_entrypoint.sh; + cp /etc/puppetlabs/puppet/configmap/r10k_code_cronjob.sh /etc/puppetlabs/puppet/r10k_code_cronjob.sh; + cp /etc/puppetlabs/puppet/configmap/r10k_code.yaml /etc/puppetlabs/puppet/r10k_code.yaml; + chown puppet:puppet /etc/puppetlabs/puppet/r10k_code_entrypoint.sh /etc/puppetlabs/puppet/r10k_code_cronjob.sh /etc/puppetlabs/puppet/r10k_code.yaml; + chmod +x /etc/puppetlabs/puppet/r10k_code_entrypoint.sh /etc/puppetlabs/puppet/r10k_code_cronjob.sh; + {{- end }} + {{- if .Values.hiera.hieradataurl }} + cp /etc/puppetlabs/puppet/configmap/r10k_hiera_entrypoint.sh /etc/puppetlabs/puppet/r10k_hiera_entrypoint.sh; + cp /etc/puppetlabs/puppet/configmap/r10k_hiera_cronjob.sh /etc/puppetlabs/puppet/r10k_hiera_cronjob.sh; + cp /etc/puppetlabs/puppet/configmap/r10k_hiera.yaml /etc/puppetlabs/puppet/r10k_hiera.yaml; + chown puppet:puppet /etc/puppetlabs/puppet/r10k_hiera_entrypoint.sh /etc/puppetlabs/puppet/r10k_hiera_cronjob.sh /etc/puppetlabs/puppet/r10k_hiera.yaml; + chmod +x /etc/puppetlabs/puppet/r10k_hiera_entrypoint.sh /etc/puppetlabs/puppet/r10k_hiera_cronjob.sh; + {{- end }} + {{- if .Values.hiera.config }} + cp /etc/puppetlabs/puppet/configmap/hiera.yaml 
/etc/puppetlabs/puppet/hiera.yaml; + chown puppet:puppet /etc/puppetlabs/puppet/hiera.yaml; + {{- end }} + cp /etc/puppetlabs/puppet/configmap/site.pp /etc/puppetlabs/puppet/manifests/site.pp; + chown puppet:puppet /etc/puppetlabs/puppet/manifests/site.pp; + {{- if or (.Values.hiera.eyaml.private_key) (.Values.hiera.eyaml.existingMap) }} + cp /etc/puppetlabs/puppet/configmap/eyaml/private_key.pkcs7.pem /etc/puppetlabs/puppet/eyaml/keys/private_key.pkcs7.pem; + chown puppet:puppet /etc/puppetlabs/puppet/eyaml/keys/private_key.pkcs7.pem; + {{- end }} + {{- if or (.Values.hiera.eyaml.public_key) (.Values.hiera.eyaml.existingMap) }} + cp /etc/puppetlabs/puppet/configmap/eyaml/public_key.pkcs7.pem /etc/puppetlabs/puppet/eyaml/keys/public_key.pkcs7.pem; + chown puppet:puppet /etc/puppetlabs/puppet/eyaml/keys/public_key.pkcs7.pem; + {{- end }} + securityContext: + runAsUser: 0 + runAsNonRoot: false + privileged: true + volumeMounts: + - name: puppet-code-volume + mountPath: /etc/puppetlabs/code/ + - name: puppet-puppet-volume + mountPath: /etc/puppetlabs/puppet/ + {{- if .Values.puppetserver.puppeturl }} + - name: r10k-code-volume + mountPath: /etc/puppetlabs/puppet/configmap/r10k_code_entrypoint.sh + subPath: r10k_code_entrypoint.sh + - name: r10k-code-volume + mountPath: /etc/puppetlabs/puppet/configmap/r10k_code_cronjob.sh + subPath: r10k_code_cronjob.sh + - name: r10k-code-volume + mountPath: /etc/puppetlabs/puppet/configmap/r10k_code.yaml + subPath: r10k_code.yaml + {{- end }} + {{- if .Values.hiera.hieradataurl }} + - name: r10k-hiera-volume + mountPath: /etc/puppetlabs/puppet/configmap/r10k_hiera_entrypoint.sh + subPath: r10k_hiera_entrypoint.sh + - name: r10k-hiera-volume + mountPath: /etc/puppetlabs/puppet/configmap/r10k_hiera_cronjob.sh + subPath: r10k_hiera_cronjob.sh + - name: r10k-hiera-volume + mountPath: /etc/puppetlabs/puppet/configmap/r10k_hiera.yaml + subPath: r10k_hiera.yaml + {{- end }} + {{- if .Values.hiera.config }} + - name: hiera-volume + 
mountPath: /etc/puppetlabs/puppet/configmap/hiera.yaml + subPath: hiera.yaml + {{- end }} + - name: manifests-volume + mountPath: /etc/puppetlabs/puppet/configmap/site.pp + subPath: site.pp + {{- if .Values.hiera.eyaml.existingMap }} + - name: eyaml-volume + mountPath: /etc/puppetlabs/puppet/configmap/eyaml + {{- end }} + {{- if and (.Values.hiera.eyaml.public_key) (not .Values.hiera.eyaml.existingMap)}} + - name: eyamlpub-volume + mountPath: /etc/puppetlabs/puppet/configmap/eyaml/public_key.pkcs7.pem + subPath: public_key.pkcs7.pem + {{- end }} + {{- if and (.Values.hiera.eyaml.private_key) (not .Values.hiera.eyaml.existingMap)}} + - name: eyamlpriv-volume + mountPath: /etc/puppetlabs/puppet/configmap/eyaml/private_key.pkcs7.pem + subPath: private_key.pkcs7.pem + {{- end }} + containers: + - name: {{ template "puppetserver.fullname" . }} + image: "{{.Values.puppetserver.image}}:{{.Values.puppetserver.tag}}" + imagePullPolicy: "{{.Values.puppetserver.pullPolicy}}" + resources: + {{- toYaml .Values.puppetserver.compilers.resources | nindent 12 }} + env: + {{- range $key, $value := .Values.puppetserver.compilers.extraEnv }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + # necessary to set certname and server in puppet.conf, required by + # puppetserver ca cli application + - name: PUPPETSERVER_HOSTNAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: PUPPET_MASTERPORT + value: "{{ template "puppetserver.puppetserver-compilers.port" . }}" + - name: DNS_ALT_NAMES + value: "{{ template "puppetserver.puppetserver-compilers.serviceName" . }},{{.Values.puppetserver.compilers.fqdns.alternateServerNames}}" + - name: PUPPETDB_SERVER_URLS + value: "https://puppetdb:8081" + - name: CA_ENABLED + value: "false" + - name: CA_HOSTNAME + value: "{{ template "puppetserver.puppetserver-masters.serviceName" . }}" + - name: CA_MASTERPORT + value: "{{ template "puppetserver.puppetserver-masters.port" . 
}}" + readinessProbe: + httpGet: + path: /status/v1/simple + port: {{ template "puppetserver.puppetserver-compilers.port" . }} + scheme: HTTPS + initialDelaySeconds: {{ .Values.puppetserver.compilers.readinessProbeInitialDelay }} + periodSeconds: {{ .Values.puppetserver.compilers.readinessProbePeriodSeconds }} + timeoutSeconds: {{ .Values.puppetserver.compilers.readinessProbeTimeout }} + failureThreshold: {{ .Values.puppetserver.compilers.readinessProbeFailureThreshold }} + successThreshold: {{ .Values.puppetserver.compilers.readinessProbeSuccessThreshold }} + livenessProbe: + tcpSocket: + port: {{ template "puppetserver.puppetserver-compilers.port" . }} + initialDelaySeconds: {{ .Values.puppetserver.compilers.livenessProbeInitialDelay }} + periodSeconds: {{ .Values.puppetserver.compilers.livenessProbePeriodSeconds }} + timeoutSeconds: {{ .Values.puppetserver.compilers.livenessProbeTimeout }} + failureThreshold: {{ .Values.puppetserver.compilers.livenessProbeFailureThreshold }} + successThreshold: {{ .Values.puppetserver.compilers.livenessProbeSuccessThreshold }} + ports: + - containerPort: {{ template "puppetserver.puppetserver-compilers.port" . 
}} + volumeMounts: + - name: puppet-code-volume + mountPath: /etc/puppetlabs/code/ + - name: puppet-puppet-volume + mountPath: /etc/puppetlabs/puppet/ + {{- if .Values.puppetserver.puppeturl }} + # r10k Code Sidecar + - name: r10k-code + image: "{{.Values.r10k.image}}:{{.Values.r10k.tag}}" + imagePullPolicy: "{{.Values.r10k.pullPolicy}}" + resources: + {{- toYaml .Values.r10k.code.resources | nindent 12 }} + env: + {{- range $key, $value := .Values.r10k.code.extraEnv }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + command: [ "sh", "-c", "/etc/puppetlabs/puppet/r10k_code_entrypoint.sh" ] + securityContext: + runAsUser: 999 # "puppet" UID + runAsGroup: 999 # "puppet" GID + volumeMounts: + {{- with .Values.r10k.code.viaSsh.credentials }} + {{- if or (.existingSecret) (and (.ssh.value) (.known_hosts.value)) }} + - name: r10k-code-secret + mountPath: /home/puppet/.ssh + {{- end }} + {{- end }} + - name: puppet-code-volume + mountPath: /etc/puppetlabs/code/ + - name: puppet-puppet-volume + mountPath: /etc/puppetlabs/puppet/ + readinessProbe: + exec: + command: ["/bin/sh", "-ec", "test -f ~/.r10k_code_cronjob.success"] + failureThreshold: 2 + initialDelaySeconds: 5 + periodSeconds: 20 + successThreshold: 1 + timeoutSeconds: 5 + {{- end }} + {{- if .Values.hiera.hieradataurl }} + # r10k Hiera Sidecar + - name: r10k-hiera + image: "{{.Values.r10k.image}}:{{.Values.r10k.tag}}" + imagePullPolicy: "{{.Values.r10k.pullPolicy}}" + resources: + {{- toYaml .Values.r10k.hiera.resources | nindent 12 }} + env: + {{- range $key, $value := .Values.r10k.hiera.extraEnv }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + command: [ "sh", "-c", "/etc/puppetlabs/puppet/r10k_hiera_entrypoint.sh" ] + securityContext: + runAsUser: 999 # "puppet" UID + runAsGroup: 999 # "puppet" GID + volumeMounts: + {{- with .Values.r10k.hiera.viaSsh.credentials }} + {{- if or (.existingSecret) (and (.ssh.value) (.known_hosts.value)) }} + - name: r10k-hiera-secret + mountPath: 
/home/puppet/.ssh + {{- end }} + {{- end }} + - name: puppet-code-volume + mountPath: /etc/puppetlabs/code/ + - name: puppet-puppet-volume + mountPath: /etc/puppetlabs/puppet/ + readinessProbe: + exec: + command: ["/bin/sh", "-ec", "test -f ~/.r10k_hiera_cronjob.success"] + failureThreshold: 2 + initialDelaySeconds: 5 + periodSeconds: 20 + successThreshold: 1 + timeoutSeconds: 5 + {{- end }} + securityContext: + fsGroup: 999 # "puppet" GID + volumes: + {{- if .Values.hiera.config }} + - name: hiera-volume + configMap: + name: hiera-config + {{- end }} + - name: manifests-volume + configMap: + name: manifests-config + {{- if .Values.hiera.eyaml.existingMap }} + - name: eyaml-volume + configMap: + name: {{ .Values.hiera.eyaml.existingMap }} + {{- end }} + {{- if and (.Values.hiera.eyaml.public_key) (not .Values.hiera.eyaml.existingMap)}} + - name: eyamlpub-volume + configMap: + name: {{ template "puppetserver.hiera.publicMap" . }} + {{- end }} + {{- if and (.Values.hiera.eyaml.private_key) (not .Values.hiera.eyaml.existingMap)}} + - name: eyamlpriv-volume + configMap: + name: {{ template "puppetserver.hiera.privateMap" . }} + {{- end }} + {{- if or (.Values.r10k.code.viaSsh.credentials.existingSecret) (and (.Values.r10k.code.viaSsh.credentials.ssh.value) (.Values.r10k.code.viaSsh.credentials.known_hosts.value)) }} + - name: r10k-code-secret + secret: + secretName: {{ template "r10k.code.secret" . }} + defaultMode: 288 # = mode 0440 + {{- end }} + {{- if .Values.puppetserver.puppeturl }} + - name: r10k-code-volume + configMap: + name: r10k-code-config + {{- end }} + {{- if .Values.hiera.hieradataurl }} + - name: r10k-hiera-volume + configMap: + name: r10k-hiera-config + {{- end }} + {{- if or (.Values.r10k.hiera.viaSsh.credentials.existingSecret) (and (.Values.r10k.hiera.viaSsh.credentials.ssh.value) (.Values.r10k.hiera.viaSsh.credentials.known_hosts.value)) }} + - name: r10k-hiera-secret + secret: + secretName: {{ template "r10k.hiera.secret" . 
}} + defaultMode: 288 # = mode 0440 + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: + {{ toYaml .Values.nodeSelector | nindent 10 }} + {{- end }} + {{ template "puppetserver.compilers.affinity" . }} + {{- if .Values.tolerations }} + tolerations: + {{ toYaml .Values.tolerations| nindent 10 }} + {{- end }} + {{- if and (.Capabilities.APIVersions.Has "scheduling.k8s.io/v1beta1") (.Values.priorityClassName) }} + priorityClassName: {{ .Values.priorityClassName }} + {{- end }} + volumeClaimTemplates: + - metadata: + name: puppet-code-volume + {{- if .Values.storage.annotations }} + annotations: + {{- toYaml .Values.storage.annotations | nindent 10 }} + {{- end }} + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: "{{ .Values.storage.size }}" + {{- if .Values.storage.storageClass }} + {{- if (eq "-" .Values.storage.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.storage.storageClass }}" + {{- end }} + {{- end }} + - metadata: + name: puppet-puppet-volume + {{- if .Values.storage.annotations }} + annotations: + {{- toYaml .Values.storage.annotations | nindent 10 }} + {{- end }} + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: "{{ .Values.storage.size }}" + {{- if .Values.storage.storageClass }} + {{- if (eq "-" .Values.storage.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.storage.storageClass }}" + {{- end }} + {{- end }} +{{- end }} diff --git a/helm/templates/r10k-code-secret.yaml b/helm/templates/r10k-code-secret.yaml new file mode 100644 index 0000000..87fc865 --- /dev/null +++ b/helm/templates/r10k-code-secret.yaml 
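Review bot: The `perms-and-dirs` init container runs with `privileged: true` although its `args` only `mkdir`, `cp`, `chown` and `chmod` files on the pod's own volumes; `runAsUser: 0` inside the container is sufficient for that, whereas `privileged` additionally grants every capability and access to host devices. Drop the `privileged: true` line (or set it to `false`) and add `allowPrivilegeEscalation: false`; given `fsGroup: 999` is already set on the pod, the blanket `chown -R puppet:puppet /etc/puppetlabs` on every start may be unnecessary as well. The eyaml private key is also delivered through a ConfigMap (`eyamlpriv-volume` → `puppetserver.hiera.privateMap`, and the `existingMap` variant), leaving the key that decrypts all hiera-eyaml data readable by anyone with ConfigMap access; the ConfigMap template is outside this hunk, but the volume here should reference a `secret:`. `PUPPETDB_SERVER_URLS` is hard-coded to `https://puppetdb:8081` while the other endpoints are templated.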
@@ -0,0 +1,18 @@
+{{- if and (.Values.puppetserver.puppeturl) (not .Values.r10k.code.viaSsh.credentials.existingSecret) }}
+{{- if and (.Values.r10k.code.viaSsh.credentials.ssh.value) (.Values.r10k.code.viaSsh.credentials.known_hosts.value) }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "r10k.code.secret" . }}
+ labels:
+ {{- include "puppetserver.r10k.labels" . | nindent 4 }}
+type: Opaque
+data:
+ {{- with .Values.r10k.code.viaSsh.credentials }}
+ {{- if and (.ssh.value) (.known_hosts.value) }}
+ id_rsa: {{ .ssh.value | b64enc | quote }}
+ known_hosts: {{ .known_hosts.value | b64enc | quote }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+{{- end }}
diff --git a/helm/templates/r10k-code.configmap.yaml b/helm/templates/r10k-code.configmap.yaml
new file mode 100644
index 0000000..273f13b
--- /dev/null
+++ b/helm/templates/r10k-code.configmap.yaml
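Review bot: A private key supplied through `.Values.r10k.code.viaSsh.credentials.ssh.value` does not only end up in this Secret; it is part of the rendered manifest, so it is also carried in the chart values and in whatever Helm keeps as the release record, and nothing in the template warns about that. Add a comment above the `data:` block, e.g. `# Prefer credentials.existingSecret: a key passed via values is persisted with the Helm release record, not just in this Secret`. The `id_rsa` key name is fine for any key type ssh can parse, but a comment saying the file is mounted as the default identity would save the next reader a trip to the statefulset template.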
@@ -0,0 +1,41 @@ +{{- if .Values.puppetserver.puppeturl }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: r10k-code-config + labels: + {{- include "puppetserver.r10k.labels" . | nindent 4 }} +data: + r10k_code.yaml: | + # The location to use for storing cached Git repos + :cachedir: '/etc/puppetlabs/code/r10k_cache' + # A list of git repositories to create + :sources: + # This will clone the git repository and instantiate an environment per + # branch in '/etc/puppetlabs/code/environments' + :puppet_repo: + remote: '{{.Values.puppetserver.puppeturl}}' + basedir: '/etc/puppetlabs/code/environments' + + r10k_code_cronjob.sh: | + #!/usr/bin/env sh + /docker-entrypoint.sh deploy environment --config /etc/puppetlabs/puppet/r10k_code.yaml \ + --puppetfile {{ template "r10k.code.args" . }} > ~/.r10k_code_cronjob.out 2>&1 + retVal=$? + if [ "$retVal" -eq "0" ]; then + touch ~/.r10k_code_cronjob.success > /dev/null 2>&1 + else + rm ~/.r10k_code_cronjob.success > /dev/null 2>&1 + fi + exit $retVal + + r10k_code_entrypoint.sh: | + #!/usr/bin/env sh + set -e + cat > ~/.r10k_code_crontab <<'EOF' + {{ .Values.r10k.code.cronJob.schedule }} /bin/sh -c /etc/puppetlabs/puppet/r10k_code_cronjob.sh + EOF + tail -Fq ~/.r10k_code_cronjob.out & + touch ~/.r10k_code_cronjob.success > /dev/null 2>&1 + exec supercronic ~/.r10k_code_crontab +{{- end }} diff --git a/helm/templates/r10k-hiera-secret.yaml b/helm/templates/r10k-hiera-secret.yaml new file mode 100644 index 0000000..fd604d1 --- /dev/null +++ b/helm/templates/r10k-hiera-secret.yaml 
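Review bot: `r10k_code_entrypoint.sh` touches `~/.r10k_code_cronjob.success` before supercronic has run a single deploy, so a container whose first deploy fails (bad key, unreachable remote, wrong Puppetfile) is reported as healthy until the next cron tick removes the marker. Run the job once synchronously instead of pre-creating the marker: replace the `touch ~/.r10k_code_cronjob.success > /dev/null 2>&1` line with `/bin/sh /etc/puppetlabs/puppet/r10k_code_cronjob.sh || true`. I am inferring from the probe in the statefulset template (partly visible above this hunk) that the marker's only consumer is the readiness probe; if something else reads it, the same fix still applies. The `remote:` value is also dropped into single-quoted YAML unescaped, so a URL containing `'` breaks the config file; `{{ .Values.puppetserver.puppeturl | quote }}` avoids that.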
@@ -0,0 +1,18 @@
+{{- if and (.Values.hiera.hieradataurl) (not .Values.r10k.hiera.viaSsh.credentials.existingSecret) }}
+{{- if and (.Values.r10k.hiera.viaSsh.credentials.ssh.value) (.Values.r10k.hiera.viaSsh.credentials.known_hosts.value) }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "r10k.hiera.secret" . }}
+ labels:
+ {{- include "puppetserver.r10k.labels" . | nindent 4 }}
+type: Opaque
+data:
+ {{- with .Values.r10k.hiera.viaSsh.credentials }}
+ {{- if and (.ssh.value) (.known_hosts.value) }}
+ id_rsa: {{ .ssh.value | b64enc | quote }}
+ known_hosts: {{ .known_hosts.value | b64enc | quote }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+{{- end }}
diff --git a/helm/templates/r10k-hiera.configmap.yaml b/helm/templates/r10k-hiera.configmap.yaml
new file mode 100644
index 0000000..cd9d8bc
--- /dev/null
+++ b/helm/templates/r10k-hiera.configmap.yaml
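Review bot: This template is identical to `r10k-code-secret.yaml` except for the values path and the secret-name helper, including the doubled `if and (.ssh.value) (.known_hosts.value)` check that the outer guard already performed. A single named template taking the credentials map and the secret name, invoked twice, would keep the two from drifting apart; as written, a fix to one (for example the key-material caveat that belongs above `data:`) has to be remembered for the other. The redundant inner `if` can simply go, since the outer condition on line two already requires both values.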
@@ -0,0 +1,41 @@ +{{- if .Values.hiera.hieradataurl }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: r10k-hiera-config + labels: + {{- include "puppetserver.r10k.labels" . | nindent 4 }} +data: + r10k_hiera.yaml: | + # The location to use for storing cached Git repos + :cachedir: '/etc/puppetlabs/code/r10k_cache' + # A list of git repositories to create + :sources: + # This will clone the git repository and instantiate an environment per + # branch in '/etc/puppetlabs/code/hiera-data' + :hiera_repo: + remote: '{{.Values.hiera.hieradataurl}}' + basedir: '/etc/puppetlabs/code/hiera-data' + + r10k_hiera_cronjob.sh: | + #!/usr/bin/env sh + /docker-entrypoint.sh deploy environment --config /etc/puppetlabs/puppet/r10k_hiera.yaml \ + --puppetfile {{ template "r10k.hiera.args" . }} > ~/.r10k_hiera_cronjob.out 2>&1 + retVal=$? + if [ "$retVal" -eq "0" ]; then + touch ~/.r10k_hiera_cronjob.success > /dev/null 2>&1 + else + rm ~/.r10k_hiera_cronjob.success > /dev/null 2>&1 + fi + exit $retVal + + r10k_hiera_entrypoint.sh: | + #!/usr/bin/env sh + set -e + cat > ~/.r10k_hiera_crontab <<'EOF' + {{ .Values.r10k.hiera.cronJob.schedule }} /bin/sh -c /etc/puppetlabs/puppet/r10k_hiera_cronjob.sh + EOF + tail -Fq ~/.r10k_hiera_cronjob.out & + touch ~/.r10k_hiera_cronjob.success > /dev/null 2>&1 + exec supercronic ~/.r10k_hiera_crontab +{{- end }} diff --git a/helm/values.yaml b/helm/values.yaml new file mode 100644 index 0000000..677c812 --- /dev/null +++ b/helm/values.yaml 
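Review bot: `r10k_hiera.yaml` points `:cachedir:` at the same `/etc/puppetlabs/code/r10k_cache` used by `r10k_code.yaml`, and the default schedules (`*/4` and `*/5`) coincide every twenty minutes, so two r10k processes will work on the same cache directory concurrently; whether that is safe depends on r10k keying cache entries by remote and tolerating a sibling process, which this diff cannot confirm. Give the hiera job its own cache, `:cachedir: '/etc/puppetlabs/code/r10k_hiera_cache'`, and the question goes away. The same first-run gap as the code variant applies here: `r10k_hiera_entrypoint.sh` touches `~/.r10k_hiera_cronjob.success` before any deploy has run, so the readiness probe that tests that file passes before hieradata exists.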
@@ -0,0 +1,567 @@ +# Default values for puppetserver. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +## Puppet Server Configuration +## +puppetserver: + name: puppetserver + image: puppet/puppetserver + tag: 6.12.1 + pullPolicy: IfNotPresent + ## Mandatory Deployment of Puppet Server Master/s + ## + masters: + ## Puppet Server Master resource requests and limits + ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: {} + # requests: + # memory: 1024Mi + # cpu: 750m + # limits: + # memory: 2048Mi + # cpu: 1500m + + ## Additional Masters' container environment variables + ## + extraEnv: {} + + ## Puppet Server Master readiness and liveness probe initial delays and timeouts + ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ + ## + readinessProbeInitialDelay: 180 + readinessProbePeriodSeconds: 60 + readinessProbeTimeout: 20 + readinessProbeFailureThreshold: 3 + readinessProbeSuccessThreshold: 1 + livenessProbeInitialDelay: 420 + livenessProbePeriodSeconds: 30 + livenessProbeTimeout: 10 + livenessProbeFailureThreshold: 3 + livenessProbeSuccessThreshold: 1 + + ## Fully qualified domain names (FQDN's) to register + ## the Puppet Server Masters to be internally reachable via DNS. + ## That is necessary to configure "certname" and "server" in `puppet.conf`. + ## Required by Puppet server CA CLI application. + ## "serverName" is pre-set to "puppet". + ## "alternateServerNames" is optional and must differ from + ## Puppet Server Compilers' "alternateServerNames". + ## + fqdns: + alternateServerNames: "" # Comma-separated + + ## Service for Puppet Server Masters + ## The usage of a TCP/Network LB type is strongly preferable + ## Please check the `README.md` for more information + ## + service: + type: ClusterIP + ## The LB type (network protocol) for some cloud providers must be set here. 
+ ports: + puppetserver: + port: 8140 + # protocol: TCP + ## Exemplary annotations for few cloud providers + annotations: {} + # service.beta.kubernetes.io/aws-load-balancer-internal: "true" + # service.beta.kubernetes.io/aws-load-balancer-type: "nlb" + # service.beta.kubernetes.io/azure-load-balancer-internal: "true" + # cloud.google.com/load-balancer-type: "Internal" + # service.kubernetes.io/ibm-load-balancer-cloud-provider-ip-type: "private" + labels: {} + loadBalancerIP: "" + + ingress: + ## If true, Puppet Server Masters Ingress will be created + ## + enabled: false + ## Puppet Server Masters Ingress annotations + ## + annotations: {} + # kubernetes.io/ingress.class: nginx + # nginx.ingress.kubernetes.io/ssl-passthrough: "true" + ## Puppet Server Masters Ingress additional labels + ## + extraLabels: {} + ## Puppet Server Masters Ingress hostnames with optional path + ## Must be provided if Ingress is enabled + ## + hosts: [] + # - puppet.domain.com + # - domain.com/puppet + ## Puppet Server Masters Ingress TLS configuration + ## Secrets must be manually created in the namespace + ## + tls: [] + # - secretName: puppet-server-tls + # hosts: + # - puppet.domain.com + + ## Horizontal Scaling + ## + multiMasters: + ## Optional deployment of multiple Puppet Server Masters + ## NOTE: Must share the same storage volumes + enabled: false + ## Horizontal Pod Manual Scaling for Puppet Server Masters + ## Set the desired number of Puppet Server Masters + manualScaling: + masters: 1 + ## Horizontal Pod Autoscaling for Puppet Server Masters + ## Automatically scales the number of pods (masters) + ## based on observed CPU/memory utilization + ## Note that the metrics must be provided by + ## additionally deployed metrics server of your choice + autoScaling: + enabled: false + minMasters: 1 + maxMasters: 3 + cpuUtilizationPercentage: 75 + memoryUtilizationPercentage: 75 + + ## Optional StatefulSet of Puppet Server Compiler/s + ## + compilers: + enabled: false + ## Puppet 
Server Compiler resource requests and limits + ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: {} + # requests: + # memory: 1024Mi + # cpu: 750m + # limits: + # memory: 2048Mi + # cpu: 1500m + + ## Affinity for puppetserver pod assignment + ## Schedule compilers on different K8s nodes + ## + podAntiAffinity: false + + ## Puppetserver Compilers' StatefulSet annotations + ## + annotations: {} + + ## Additional Compilers' container environment variables + ## + extraEnv: {} + + ## Puppet Server Compiler readiness and liveness probe initial delays and timeouts + ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ + ## + readinessProbeInitialDelay: 180 + readinessProbePeriodSeconds: 60 + readinessProbeTimeout: 20 + readinessProbeFailureThreshold: 3 + readinessProbeSuccessThreshold: 1 + livenessProbeInitialDelay: 420 + livenessProbePeriodSeconds: 30 + livenessProbeTimeout: 10 + livenessProbeFailureThreshold: 3 + livenessProbeSuccessThreshold: 1 + + ## Horizontal Pod Manual Scaling for Puppet Server Compilers + ## Set the desired number of Puppet Server Compilers + ## + manualScaling: + compilers: 1 + ## Horizontal Pod Autoscaling for Puppet Server Compilers + ## Automatically scales the number of pods (compilers) + ## based on observed CPU/memory utilization + ## Note that the metrics must be provided by + ## additionally deployed metrics server of your choice + autoScaling: + enabled: false + minCompilers: 1 + maxCompilers: 3 + cpuUtilizationPercentage: 75 + memoryUtilizationPercentage: 75 + podManagementPolicy: OrderedReady + + ## Fully qualified domain names (FQDN's) to register + ## the Puppet Server Compilers to be internally reachable via DNS. + ## That is necessary to configure "certname" and "server" in `puppet.conf`. + ## Required by Puppet server CA CLI application. + ## "serverName" is pre-set to Compilers' pod names. 
+ ## "alternateServerNames" is optional and must differ from + ## Puppet Server Masters' "alternateServerNames". + ## + fqdns: + alternateServerNames: "" # Comma-separated + + ## Service for Puppet Server Compilers + ## The usage of a TCP/Network LB type is strongly preferable + ## Please check the `README.md` for more information + ## + service: + type: ClusterIP + ## The LB type (network protocol) for some cloud providers must be set here. + ports: + puppetserver: + port: 8140 + # protocol: TCP + ## Exemplary annotations for few cloud providers + annotations: {} + # service.beta.kubernetes.io/aws-load-balancer-internal: "true" + # service.beta.kubernetes.io/aws-load-balancer-type: "nlb" + # service.beta.kubernetes.io/azure-load-balancer-internal: "true" + # cloud.google.com/load-balancer-type: "Internal" + # service.kubernetes.io/ibm-load-balancer-cloud-provider-ip-type: "private" + labels: {} + loadBalancerIP: "" + ## Headless service for Puppet Server Compilers + headless: + ports: + https: + port: 443 + targetPort: 8140 + protocol: TCP + annotations: {} + labels: {} + + ingress: + ## If true, Puppet Server Compilers Ingress will be created + ## + enabled: false + ## Puppet Server Compilers Ingress annotations + ## + annotations: {} + # kubernetes.io/ingress.class: nginx + # nginx.ingress.kubernetes.io/ssl-passthrough: "true" + ## Puppet Server Compilers Ingress additional labels + ## + extraLabels: {} + ## Puppet Server Compilers Ingress hostnames with optional path + ## Must be provided if Ingress is enabled + ## + hosts: [] + # - puppet-compilers.domain.com + # - domain.com/puppet-compilers + ## Puppet Server Compilers Ingress TLS configuration + ## Secrets must be manually created in the namespace + ## + tls: [] + # - secretName: puppet-compilers-server-tls + # hosts: + # - puppet-compilers.domain.com + + ## Use pre-generated Puppet Master certs in `./init/puppet-certs` + ## Check README for related use cases + ## + preGeneratedCertsJob: + enabled: false + 
jobDeadline: 300 + + ## The pattern of managing Hieradata in a separate repository is + ## both common and acceptable. Doing so provides the ability to decouple + ## the management of configuration data from that of the Puppet code base. + ## A separate Hieradata Repo can be included in the "hiera" section in this file. + ## + puppeturl: "" # git@github.com:$SOMEUSER/puppet.git + +## r10k Repo Configuration +## +r10k: + name: r10k + image: puppet/r10k + tag: 3.5.2 + pullPolicy: IfNotPresent + code: + resources: {} + # requests: + # memory: 256Mi + # cpu: 200m + # limits: + # memory: 512Mi + # cpu: 300m + cronJob: + schedule: "*/5 * * * *" + ## Additional r10k code container arguments + extraArgs: {} + # - --verbose=debug2 # error, warn, notice, info, debug, debug1, debug2 + # - --trace + # - --color + ## Additional r10k code container environment variables + extraEnv: {} + viaSsh: + credentials: + ssh: + ## A multi-line string + value: # | + # PRIV_KEY CONTENTS + known_hosts: + ## A multi-line string + value: # | + # KNOWN_HOSTS CONTENTS + ## or set the r10k known hosts file and SSH Private Key + ## from a pre-existing K8s secret + ## NOTE: Using this secret supercedes all other credentials settings. + existingSecret: "" + hiera: + resources: {} + # requests: + # memory: 256Mi + # cpu: 200m + # limits: + # memory: 512Mi + # cpu: 300m + cronJob: + schedule: "*/4 * * * *" + ## Additional r10k hiera container environment variables + extraArgs: {} + # - --verbose=debug2 # error, warn, notice, info, debug, debug1, debug2 + # - --trace + # - --color + ## Additional puppetserver hiera container environment variables + extraEnv: {} + viaSsh: + credentials: + ssh: + ## A multi-line string + value: # | + # PRIV_KEY CONTENTS + known_hosts: + ## A multi-line string + value: # | + # KNOWN_HOSTS CONTENTS + ## or set the r10k known hosts file and SSH Private Key + ## from a pre-existing K8s secret + ## NOTE: Using this secret supercedes all other credentials settings. 
+ existingSecret: "" + +## PuppetDB Configuration +## +puppetdb: + name: puppetdb + image: puppet/puppetdb + tag: 6.12.0 + pullPolicy: IfNotPresent + resources: {} + # requests: + # memory: 512Mi + # cpu: 500m + # limits: + # memory: 1024Mi + # cpu: 1000m + ## Additional puppetdb container environment variables + extraEnv: {} + +## PostgreSQL Sub-Chart Configuration +## Please check: https://github.com/bitnami/charts/tree/master/bitnami/postgresql +## +postgresql: + enabled: true + name: postgresql + ## Configure resource requests and limits + ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + # resources: + # requests: + # memory: 512Mi + # cpu: 500m + # limits: + # memory: 1024Mi + # cpu: 1000m + ## Create a database + ## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-on-first-run + ## + postgresqlDatabase: puppetdb + ## Specify the PostgreSQL username and password to execute the initdb scripts + ## + initdbUser: postgres + ## ConfigMap with scripts to be run at first boot + ## NOTE: This will override initdbScripts + ## + initdbScriptsConfigMap: postgresql-custom-extensions + ## PostgreSQL data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. 
(gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + persistence: + enabled: true + ## A manually managed Persistent Volume and Claim + ## If defined, PVC must be created manually before volume will be bound + ## The value is evaluated as a template, so, for example, the name can depend on .Release or .Chart + ## + # existingClaim: + size: 10Gi + annotations: + ## The annotation instructs Helm to skip deleting this resource + ## when a helm operation (such as helm uninstall, helm upgrade or helm rollback) + ## would result in its deletion. + ## + helm.sh/resource-policy: keep + ## Replication settings + ## Please check: https://github.com/bitnami/charts/blob/master/bitnami/postgresql/values.yaml + ## + replication: + enabled: false + slaveReplicas: 1 + +## Puppetboard Configuration +## +puppetboard: + enabled: false + name: puppetboard + image: xtigyro/puppetboard + tag: 2.2.0 + pullPolicy: IfNotPresent + resources: {} + # requests: + # memory: 368Mi + # cpu: 300m + # limits: + # memory: 640Mi + # cpu: 500m + ## Additional puppetboard container environment variables + ## + extraEnv: {} + # ENABLE_CATALOG: True + # ENABLE_QUERY: True + # INVENTORY_FACTS: Hostname,fqdn,IP Address,ipaddress + # GRAPH_FACTS: architecture,puppetversion,osfamily + ingress: + ## If true, Puppetboard Ingress will be created + ## + enabled: false + ## Puppetboard Ingress annotations + ## + annotations: {} + # kubernetes.io/ingress.class: nginx + ## Puppetboard Ingress additional labels + ## + extraLabels: {} + ## Puppetboard Ingress hostnames with optional path + ## Must be provided if Ingress is enabled + ## + hosts: [] + # - puppetboard.domain.com + # - domain.com/puppetboard + ## Puppetboard Ingress TLS configuration + ## Secrets must be manually created in the namespace + ## + tls: [] + # - secretName: puppetboard-server-tls + # hosts: + # - puppetboard.domain.com + +## Hiera Configuration for Puppet Server +## +hiera: + name: hiera + hieradataurl: "" # 
git@github.com:$SOMEUSER/hieradata.git + ## A multi-line string + ## + config: # |- + ## Hiera version 5 Example + ## + # --- + # version: 5 + # defaults: + # datadir: data # Datadir has moved into `defaults`. Relative to hiera.yaml's directory. + # data_hash: yaml_data # Default backend: New feature in v5. + # hierarchy: + # - name: "Per-node data" # Human-readable name. Can omit `backend` if using the default. + # path: + # - "nodes/%{trusted.certname}.yaml" # File path, relative to datadir. Add file extension! + # - name: "Per-datacenter secret data (encrypted)" + # lookup_key: eyaml_lookup_key + # path: "secrets/%{facts.whereami}.eyaml" # Can use custom facts. + # options: + # pkcs7_private_key: /etc/puppetlabs/puppet/eyaml/keys/private_key.pkcs7.pem # keep unchanged + # pkcs7_public_key: /etc/puppetlabs/puppet/eyaml/keys/public_key.pkcs7.pem # keep unchanged + # - name: "Virtualization platform" + # path: "virtual/%{facts.virtual}.yaml" # Name and path are now separated. + # - name: "Common" + # path: "common.yaml" + ## Hiera version 3 Example + ## + # --- + # :backends: + # - eyaml + # :hierarchy: + # - "nodes/%{trusted.certname}" + # - "secrets/%{facts.whereami}" + # - "virtual/%{facts.virtual}" + # - "common" + # :eyaml: + # # Set branch name - e.g. "master", "%{::environment}", etc. + # :datadir: /etc/puppetlabs/code/hiera-data/[branch] # keep base path unchanged. + # :extension: 'yaml' + # :pkcs7_private_key: /etc/puppetlabs/puppet/eyaml/keys/private_key.pkcs7.pem # keep unchanged + # :pkcs7_public_key: /etc/puppetlabs/puppet/eyaml/keys/public_key.pkcs7.pem # keep unchanged + eyaml: + ## Choose using either a pre-existing configMap containing keys, or the private_key/public_key set. 
+ ## + existingMap: "" + ## A multi-line string + ## + private_key: # | + # PRIV_KEY CONTENTS + ## A multi-line string + ## + public_key: # | + # PUB_KEY CONTENTS + +## Global Values +## +global: + ## Credentials for PuppetDB and PostgreSQL + ## + credentials: + username: puppetdb + password: "" + ## If used, the following existing secret must contain "username" and "password" keys. + ## NOTE: Using this secret supercedes all other credentials settings. + ## + existingSecret: "" + +## Provide a name in place of Puppet Server components for `app:` labels +## +nameOverride: "" + +## Pod Configuration +## +## Node labels for pod assignment +## +nodeSelector: {} + +## Affinity for pod assignment +## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +affinity: {} + +## Tolerations for pod assignment +## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +tolerations: [] + +## Leverage a priorityClass to ensure your pods survive resource shortages +## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ +# priorityClass: system-cluster-critical + +## Extra Pod annotations +## +podAnnotations: {} + +## Storage Configuration +## +storage: + ## Puppet Server data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + ## Please check the `README.md` for more information + ## regarding useful scenarios about "storageClass". + storageClass: "" + ## Puppetserver data Persistent Volume annotations + ## + annotations: {} + size: 400Mi diff --git a/scripts/10-analytics.sh b/scripts/10-analytics.sh new file mode 100644 index 0000000..3dd1d59 --- /dev/null +++ b/scripts/10-analytics.sh 
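Review bot: `hiera.eyaml.private_key` and `existingMap` are documented as "a configMap containing keys", and the statefulset template above mounts `eyamlpriv-volume` from a configMap, yet nothing here says that an eyaml private key in a ConfigMap is readable by anyone with `get configmaps` in the namespace and falls outside Secret-specific encryption at rest. Add above `existingMap`: `## NOTE: eyaml keys are stored in a ConfigMap, not a Secret; restrict ConfigMap RBAC in this namespace or create the map yourself`. The same applies to `r10k.*.viaSsh.credentials.ssh.value`: the `value: # |` placeholder should state that a key supplied here is persisted with the rendered release and that `existingSecret` is the preferred route. `global.credentials.password: ""` should likewise say what an empty default means (generated, or must be set), since I cannot tell from the hunk which it is.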
@@ -0,0 +1,30 @@
+#!/bin/sh
+
+if [ "${PUPPERWARE_ANALYTICS_ENABLED}" = "false" ]; then
+ echo "($0) Pupperware analytics disabled; skipping metric submission"
+ exit 0
+fi
+
+# See: https://developers.google.com/analytics/devguides/collection/protocol/v1/parameters
+# Tracking ID
+tid=$PUPPERWARE_ANALYTICS_TRACKING_ID
+# Application Name
+an=$PUPPERWARE_ANALYTICS_APP_NAME
+# Application Version
+av=$PUPPET_SERVER_VERSION
+# Anonymous Client ID
+_file=/var/tmp/pwclientid
+cid=$(cat $_file 2>/dev/null || (cat /proc/sys/kernel/random/uuid | tee $_file))
+# Event Category
+ec=${PUPPERWARE_ANALYTICS_STREAM:-dev}
+# Event Action
+ea=start
+# Anonymize ip
+aip=1
+
+_params="v=1&t=event&tid=${tid}&an=${an}&av=${av}&cid=${cid}&ec=${ec}&ea=${ea}&aip=${aip}"
+_url="http://www.google-analytics.com/collect?${_params}"
+
+echo "($0) Sending metrics ${_url}"
+curl --fail --silent --show-error --output /dev/null \
+ -X POST -H "Content-Length: 0" $_url
diff --git a/scripts/20-use-templates-initially.sh b/scripts/20-use-templates-initially.sh
new file mode 100644
index 0000000..b37a77a
--- /dev/null
+++ b/scripts/20-use-templates-initially.sh
@@ -0,0 +1,22 @@
+#! /bin/bash
+
+# During build, pristine config files get copied to this directory. If
+# they are not in the current container, use these templates as the
+# default
+TEMPLATES=/var/tmp/puppet
+
+cd /etc/puppetlabs/puppet
+for f in auth.conf hiera.yaml puppet.conf puppetdb.conf
+do
+ test -f "$TEMPLATES/$f" && cp -np "$TEMPLATES/$f" .
+done
+cd /
+
+if [ -d /var/tmp/puppetserver/vendored-jruby-gems ]; then
+ echo "Upgrading /opt/puppetlabs/server/data/puppetserver/vendored-jruby-gems"
+ # clean up existing vendored gems
+ rm -rf /opt/puppetlabs/server/data/puppetserver/vendored-jruby-gems
+ cp -R /var/tmp/puppetserver/vendored-jruby-gems /opt/puppetlabs/server/data/puppetserver/
+ # remove the tmp dir so we only run this on first runs of new containers
+ rm -rf /var/tmp/puppetserver/vendored-jruby-gems
+fi
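Review bot: `_url` posts the telemetry to `http://www.google-analytics.com/collect` in clear text, and `$_url` on the final `curl` line is unquoted, so any interpolated variable containing whitespace or glob characters splits the argument. Change the scheme and quote the argument: `_url="https://www.google-analytics.com/collect?${_params}"` and `-X POST -H "Content-Length: 0" "$_url"`. The opt-out only triggers when `PUPPERWARE_ANALYTICS_ENABLED` is exactly the string `false`; an unset variable means the request is sent, which the header comment should state explicitly since a reader of the variable name would assume the opposite. `$_file` on the `cid=` line is unquoted for the same reason, though the path is a constant here.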
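Review bot: `cd /etc/puppetlabs/puppet` is unchecked and the script runs without `set -e`, so if that directory is absent the `for` loop copies the pristine templates into whatever the current directory happens to be and the script still exits 0. Use `cd /etc/puppetlabs/puppet || exit 1` (and likewise guard the `cp -R` of the vendored gems, since a failed copy is followed unconditionally by `rm -rf /var/tmp/puppetserver/vendored-jruby-gems`, which destroys the only remaining copy). A one-line header comment naming the sequence (templates first, then gem refresh) would also help, as the file name only hints at the first half.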
diff --git a/scripts/30-set-permissions.sh b/scripts/30-set-permissions.sh
new file mode 100644
index 0000000..38468f4
--- /dev/null
+++ b/scripts/30-set-permissions.sh
@@ -0,0 +1,4 @@
+#! /bin/bash
+
+chown -R puppet:puppet /etc/puppetlabs/puppet/
+chown -R puppet:puppet /opt/puppetlabs/server/data/puppetserver/
diff --git a/scripts/40-update-puppetdb-conf.sh b/scripts/40-update-puppetdb-conf.sh
new file mode 100644
index 0000000..3cd7b35
--- /dev/null
+++ b/scripts/40-update-puppetdb-conf.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+if test -n "${PUPPETDB_SERVER_URLS}" ; then
+ sed -i "s@^server_urls.*@server_urls = ${PUPPETDB_SERVER_URLS}@" /etc/puppetlabs/puppet/puppetdb.conf
+fi
diff --git a/scripts/50-set-certname.sh b/scripts/50-set-certname.sh
new file mode 100644
index 0000000..9d7d107
--- /dev/null
+++ b/scripts/50-set-certname.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+if test -n "${PUPPETSERVER_HOSTNAME}"; then
+ /opt/puppetlabs/bin/puppet config set certname "$PUPPETSERVER_HOSTNAME"
+ /opt/puppetlabs/bin/puppet config set server "$PUPPETSERVER_HOSTNAME"
+fi
diff --git a/scripts/55-set-masterport.sh b/scripts/55-set-masterport.sh
new file mode 100644
index 0000000..7af0f6c
--- /dev/null
+++ b/scripts/55-set-masterport.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+hocon() {
+ /opt/puppetlabs/puppet/lib/ruby/vendor_gems/bin/hocon "$@"
+}
+
+if test -n "$PUPPET_MASTERPORT"; then
+ cd /etc/puppetlabs/puppetserver/conf.d/
+ hocon -f webserver.conf set webserver.ssl-port $PUPPET_MASTERPORT
+ cd /
+fi
diff --git a/scripts/60-setup-autosign.sh b/scripts/60-setup-autosign.sh
new file mode 100644
index 0000000..3f7c6bf
--- /dev/null
+++ b/scripts/60-setup-autosign.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# Configure puppet to use a certificate autosign script (if it exists)
+# AUTOSIGN=true|false|path_to_autosign.conf
+if test -n "${AUTOSIGN}" ; then
+ puppet config set autosign "$AUTOSIGN" --section master
+fi
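Review bot: `${PUPPETDB_SERVER_URLS}` is spliced into the sed replacement unescaped, so a value containing `@` (the chosen delimiter), `&` (sed's whole-match reference) or `\` either aborts sed with a syntax error or writes a silently wrong `server_urls` line; a URL carrying credentials contains `@`. Escape before substituting: `esc=$(printf '%s' "$PUPPETDB_SERVER_URLS" | sed 's/[@&\\]/\\&/g')` and use `${esc}` in the expression. Because there is no `set -e`, a sed failure here does not stop container start either, so the misconfiguration would only surface as PuppetDB write failures later.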
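Review bot: The header comment lists `AUTOSIGN=true|false|path_to_autosign.conf` without saying that `true` makes the CA sign every CSR it receives, which for a puppetserver exposed on a cluster Service or Ingress means any client that can reach port 8140 gets a certificate. Extend the comment: `# AUTOSIGN=true signs every CSR unconditionally (lab use only); prefer a policy script or an autosign.conf whitelist`. When a path is given the script could also `test -e "$AUTOSIGN" || echo "Warning: AUTOSIGN file $AUTOSIGN does not exist"`, since a typo currently passes through silently and puppetserver treats a missing file as no autosigning at best.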
diff --git a/scripts/70-set-dns-alt-names.sh b/scripts/70-set-dns-alt-names.sh new file mode 100644 index 0000000..4fae908 --- /dev/null +++ b/scripts/70-set-dns-alt-names.sh @@ -0,0 +1,17 @@ +#!/bin/bash + +# Allow setting dns_alt_names for the compilers certificate. This +# setting will only have an effect when the container is started without +# an existing certificate on the /etc/puppetlabs/puppet volume +if [ -n "${DNS_ALT_NAMES}" ] && [ "${CA_ENABLED}" != "true" ]; then + certname=$(puppet config print certname) + if test ! -f "${SSLDIR}/certs/$certname.pem" ; then + puppet config set dns_alt_names "${DNS_ALT_NAMES}" --section agent + else + actual=$(puppet config print dns_alt_names --section "${config_section}") + if test "${DNS_ALT_NAMES}" != "${actual}" ; then + echo "Warning: DNS_ALT_NAMES has been changed from the value in puppet.conf" + echo " Remove/revoke the old certificate for this to become effective" + fi + fi +fi diff --git a/scripts/80-ca.sh b/scripts/80-ca.sh new file mode 100644 index 0000000..b1309f3 --- /dev/null +++ b/scripts/80-ca.sh @@ -0,0 +1,70 @@ +#!/bin/bash + +ca_running() { + status=$(curl --silent --fail --insecure "https://${CA_HOSTNAME}:${CA_MASTERPORT}/status/v1/simple") + test "$status" = "running" +} + +hocon() { + /opt/puppetlabs/puppet/lib/ruby/vendor_gems/bin/hocon "$@" +} + +if [[ "$CA_ENABLED" != "true" ]]; then + # we are just an ordinary compiler + echo "turning off CA" + cat > /etc/puppetlabs/puppetserver/services.d/ca.cfg < + + + %d %-5p [%c{2}] %m%n + + + + + + + + + + diff --git a/scripts/puppetdb.conf b/scripts/puppetdb.conf new file mode 100644 index 0000000..06a8f53 --- /dev/null +++ b/scripts/puppetdb.conf @@ -0,0 +1,3 @@ +[main] +server_urls = https://puppetdb:8081 +soft_write_failure = true diff --git a/scripts/puppetserver b/scripts/puppetserver new file mode 100644 index 0000000..65458d3 --- /dev/null +++ b/scripts/puppetserver 
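Review bot: `${config_section}` on the `puppet config print dns_alt_names --section` line is never assigned anywhere in this script, so the comparison runs with `--section ""` while the value was written a few lines earlier with `--section agent`; the mismatch warning therefore compares against the wrong section and can fire or stay silent incorrectly. Use `--section agent` on the print line, or set `config_section=agent` at the top of the script. `${SSLDIR}` is likewise taken from the environment with no default; if the entrypoint does not export it, `test -f "${SSLDIR}/certs/$certname.pem"` checks `/certs/...` and the alt-names branch is always taken. The `80-ca.sh` hunk that follows appears truncated in this view (the `ca.cfg` heredoc runs straight into logback XML), so its `curl --insecure` status check is worth a separate look once the full file is visible.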
@@ -0,0 +1,17 @@ +########################################### +# Init settings for puppetserver +########################################### + +# Location of your Java binary (version 7 or higher) +JAVA_BIN="/usr/bin/java" + +# Modify this if you'd like to change the memory allocation, enable JMX, etc +JAVA_ARGS=$PUPPETSERVER_JAVA_ARGS + +# These normally shouldn't need to be edited if using OS packages +USER="puppet" +GROUP="puppet" +INSTALL_DIR="/opt/puppetlabs/server/apps/puppetserver" +CONFIG="/etc/puppetlabs/puppetserver/conf.d" +BOOTSTRAP_CONFIG="/etc/puppetlabs/puppetserver/services.d/,/opt/puppetlabs/server/apps/puppetserver/config/services.d/" +SERVICE_STOP_RETRIES=60 diff --git a/scripts/puppetserver.conf b/scripts/puppetserver.conf new file mode 100644 index 0000000..f2201b4 --- /dev/null +++ b/scripts/puppetserver.conf 
@@ -0,0 +1,79 @@
+# configuration for the JRuby interpreters
+jruby-puppet: {
+ # Where the puppet-agent dependency places puppet, facter, etc...
+ # Puppet server expects to load Puppet from this location
+ ruby-load-path: [/opt/puppetlabs/puppet/lib/ruby/vendor_ruby]
+
+ # This setting determines where JRuby will install gems. It is used for loading gems,
+ # and also by the `puppetserver gem` command line tool.
+ gem-home: /opt/puppetlabs/server/data/puppetserver/jruby-gems
+
+ # This setting defines the complete "GEM_PATH" for jruby. If set, it should include
+ # the gem-home directory as well as any other directories that gems can be loaded
+ # from (including the vendored gems directory for gems that ship with puppetserver)
+ gem-path: [${jruby-puppet.gem-home}, "/opt/puppetlabs/server/data/puppetserver/vendored-jruby-gems", "/opt/puppetlabs/puppet/lib/ruby/vendor_gems"]
+
+ # PLEASE NOTE: Use caution when modifying the below settings. Modifying
+ # these settings will change the value of the corresponding Puppet settings
+ # for Puppet Server, but not for the Puppet CLI tools. This likely will not
+ # be a problem with master-var-dir, master-run-dir, or master-log-dir unless
+ # some critical setting in puppet.conf is interpolating the value of one
+ # of the corresponding settings, but it is important that any changes made to
+ # master-conf-dir and master-code-dir are also made to the corresponding Puppet
+ # settings when running the Puppet CLI tools. See
+ # https://docs.puppetlabs.com/puppetserver/latest/puppet_conf_setting_diffs.html#overriding-puppet-settings-in-puppet-server
+ # for more information.
+
+ # (optional) path to puppet conf dir; if not specified, will use
+ # /etc/puppetlabs/puppet
+ master-conf-dir: /etc/puppetlabs/puppet
+
+ # (optional) path to puppet code dir; if not specified, will use
+ # /etc/puppetlabs/code
+ master-code-dir: /etc/puppetlabs/code
+
+ # (optional) path to puppet var dir; if not specified, will use
+ # /opt/puppetlabs/server/data/puppetserver
+ master-var-dir: /opt/puppetlabs/server/data/puppetserver
+
+ # (optional) path to puppet run dir; if not specified, will use
+ # /var/run/puppetlabs/puppetserver
+ master-run-dir: /var/run/puppetlabs/puppetserver
+
+ # (optional) path to puppet log dir; if not specified, will use
+ # /var/log/puppetlabs/puppetserver
+ master-log-dir: ${LOGDIR}
+
+ # (optional) maximum number of JRuby instances to allow
+ max-active-instances: ${PUPPETSERVER_MAX_ACTIVE_INSTANCES}
+
+ # (optional) number of HTTP requests a given JRuby instance will handle in its lifetime
+ max-requests-per-instance: ${PUPPETSERVER_MAX_REQUESTS_PER_INSTANCE}
+
+ # (optional) Authorize access to Puppet master endpoints via rules
+ # specified in the legacy Puppet auth.conf file (if true) or via rules
+ # specified in the Puppet Server HOCON-formatted auth.conf (if false or not
+ # specified).
+ #use-legacy-auth-conf: true
+}
+
+# settings related to HTTPS client requests made by Puppet Server
+http-client: {
+ # A list of acceptable protocols for making HTTPS requests
+ #ssl-protocols: [TLSv1, TLSv1.1, TLSv1.2]
+
+ # A list of acceptable cipher suites for making HTTPS requests
+ #cipher-suites: [TLS_RSA_WITH_AES_256_CBC_SHA256,
+ # TLS_RSA_WITH_AES_256_CBC_SHA,
+ # TLS_RSA_WITH_AES_128_CBC_SHA256,
+ # TLS_RSA_WITH_AES_128_CBC_SHA]
+
+ # Whether to enable http-client metrics; defaults to 'true'.
+ #metrics-enabled: true
+}
+
+# settings related to profiling the puppet Ruby code
+profiler: {
+ # enable or disable profiling for the Ruby code; defaults to 'true'.
+ #enabled: true
+}
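Review bot: `master-log-dir: ${LOGDIR}`, `max-active-instances: ${PUPPETSERVER_MAX_ACTIVE_INSTANCES}` and `max-requests-per-instance: ${PUPPETSERVER_MAX_REQUESTS_PER_INSTANCE}` use the mandatory HOCON substitution form, which fails config resolution (and so the service start) when the environment variable is not defined, yet nothing in the file records that these three must be exported. If the intent is to fall back to Puppet Server's built-in defaults when a variable is absent, the optional form does exactly that: `max-active-instances: ${?PUPPETSERVER_MAX_ACTIVE_INSTANCES}` (and likewise for the other two); otherwise a comment such as `# LOGDIR, PUPPETSERVER_MAX_ACTIVE_INSTANCES and PUPPETSERVER_MAX_REQUESTS_PER_INSTANCE must be set in the container environment` documents the requirement. The commented-out `#ssl-protocols: [TLSv1, TLSv1.1, TLSv1.2]` under `http-client` is the upstream sample; if it is ever enabled, TLSv1 and TLSv1.1 should be dropped from the list.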
diff --git a/scripts/request-logging.xml b/scripts/request-logging.xml new file mode 100644 index 0000000..c4b6bbf --- /dev/null +++ b/scripts/request-logging.xml @@ -0,0 +1,9 @@ + + + + %h %l %u %user %date "%r" %s %b %h %a %localPort %D + + + + + -- GitLab