[WIP] Fixes #20852 - Refactor module #136

Closed
wants to merge 6 commits into from
120 changes: 30 additions & 90 deletions manifests/dispatch_router.pp
@@ -3,120 +3,60 @@
# Install and configure Qpid Dispatch Router
#
class foreman_proxy_content::dispatch_router (
$listener_host = $::foreman_proxy_content::qpid_router_agent_addr,
$listener_port = $::foreman_proxy_content::qpid_router_agent_port,
$logging = $::foreman_proxy_content::qpid_router_logging,
$logging_path = $::foreman_proxy_content::qpid_router_logging_path,
$logging_level = $::foreman_proxy_content::qpid_router_logging_level,
$ssl_ciphers = $::foreman_proxy_content::qpid_router_ssl_ciphers,
$ssl_protocols = $::foreman_proxy_content::qpid_router_ssl_protocols,
) {

class { '::qpid::router': }
include ::qpid::router

# SSL Certificate Configuration
class { '::certs::qpid_router':
require => Class['qpid::router::install'],
}
~> qpid::router::ssl_profile { 'client':
ca => $certs::ca_cert,
cert => $certs::qpid_router::client_cert,
key => $certs::qpid_router::client_key,
include ::certs
include ::certs::qpid_router

Class['qpid::router::install'] -> Class['certs::qpid_router']

qpid::router::ssl_profile { 'client':
ca => $certs::ca_cert,
cert => $certs::qpid_router::client_cert,
key => $certs::qpid_router::client_key,
subscribe => Class['certs', 'certs::qpid_router'],
}
~> qpid::router::ssl_profile { 'server':

qpid::router::ssl_profile { 'server':
ca => $certs::ca_cert,
cert => $certs::qpid_router::server_cert,
key => $certs::qpid_router::server_key,
ciphers => $foreman_proxy_content::qpid_router_ssl_ciphers,
protocols => $foreman_proxy_content::qpid_router_ssl_protocols,
ciphers => $ssl_ciphers,
protocols => $ssl_protocols,
subscribe => Class['certs', 'certs::qpid_router'],
}

# Listen for katello-agent clients
qpid::router::listener { 'clients':
host => $foreman_proxy_content::qpid_router_agent_addr,
port => $foreman_proxy_content::qpid_router_agent_port,
host => $listener_host,
port => $listener_port,
ssl_profile => 'server',
}

# Enable logging to syslog or file
if $foreman_proxy_content::qpid_router_logging == 'file' {
file { $foreman_proxy_content::qpid_router_logging_path:
if $logging == 'file' {
file { $logging_path:
ensure => directory,
owner => 'qdrouterd',
}
}

$output_real = $foreman_proxy_content::qpid_router_logging ? {
'file' => "${foreman_proxy_content::qpid_router_logging_path}/qdrouterd.log",
$output_real = $logging ? {
'file' => "${logging_path}/qdrouterd.log",
'syslog' => 'syslog',
}

qpid::router::log { 'logging':
level => $foreman_proxy_content::qpid_router_logging_level,
level => $logging_level,
output => $output_real,
}

# Act as hub if pulp master, otherwise connect to hub
if $foreman_proxy_content::pulp_master {
qpid::router::listener {'hub':
host => $foreman_proxy_content::qpid_router_hub_addr,
port => $foreman_proxy_content::qpid_router_hub_port,
role => 'inter-router',
ssl_profile => 'server',
}

# Connect dispatch router to the local qpid
qpid::router::connector { 'broker':
host => $foreman_proxy_content::qpid_router_broker_addr,
port => $foreman_proxy_content::qpid_router_broker_port,
ssl_profile => 'client',
role => 'route-container',
idle_timeout => 0,
}

qpid::router::link_route { 'broker-pulp-route-out':
prefix => 'pulp.',
direction => 'out',
connection => 'broker',
}

qpid::router::link_route { 'broker-pulp-task-route-in':
prefix => 'pulp.task',
direction => 'in',
connection => 'broker',
}

qpid::router::link_route { 'broker-qmf-route-in':
prefix => 'qmf.',
connection => 'broker',
direction => 'in',
}

qpid::router::link_route { 'broker-qmf-route-out':
prefix => 'qmf.',
connection => 'broker',
direction => 'out',
}
} else {
qpid::router::connector { 'hub':
host => $foreman_proxy_content::parent_fqdn,
port => $foreman_proxy_content::qpid_router_hub_port,
ssl_profile => 'client',
role => 'inter-router',
idle_timeout => 0,
}

qpid::router::link_route { 'hub-pulp-route-in':
prefix => 'pulp.',
direction => 'in',
}

qpid::router::link_route { 'hub-pulp-route-out':
prefix => 'pulp.',
direction => 'out',
}

qpid::router::link_route { 'hub-qmf-route-in':
prefix => 'qmf.',
direction => 'in',
}

qpid::router::link_route { 'hub-qmf-route-out':
prefix => 'qmf.',
direction => 'out',
}
}
}
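Review bot: the new class parameters (`$listener_host` through `$ssl_protocols`) are untyped, so an unsupported `$logging` value is only caught later by the `$output_real` selector, which has no default branch and fails with a generic "no matching value" error; `foreman_proxy_content::pulp::master` in this same PR already types its parameters, so consider `Enum['file', 'syslog'] $logging` and `Integer[1, 65535] $listener_port` here to reject bad input at the parameter boundary. Separately, only the `'server'` ssl_profile receives `ciphers => $ssl_ciphers` and `protocols => $ssl_protocols`; the `'client'` profile, which the `broker` connector in `pulp/master.pp` uses for the outbound TLS connection, falls back to qdrouterd's defaults, so either pass the same restrictions to both profiles or add a comment stating why the outbound side is intentionally left unrestricted.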
124 changes: 16 additions & 108 deletions manifests/init.pp
@@ -133,139 +133,47 @@
Boolean $manage_broker = $foreman_proxy_content::params::manage_broker,
) inherits foreman_proxy_content::params {
include ::certs
include ::certs::foreman_proxy
include ::foreman_proxy
include ::foreman_proxy::plugin::pulp
Class['certs::foreman_proxy'] ~> Class['foreman_proxy::service']

$pulp = $::foreman_proxy::plugin::pulp::pulpnode_enabled
$pulp_node = $::foreman_proxy::plugin::pulp::pulpnode_enabled
Member:

We really should replace the node nomenclature.

Member Author:

Indeed, but what should be the correct name?

Member:

I reached out to the pulp-dev list to look for commonly accepted nomenclature. The best I could arrive at is 'parent' and 'child' from the responses I got.

Member Author:

Given in how many places this naming is currently used, I'm leaning toward keeping that outside of this refactor.


if $pulp_node and $pulp_master {
fail("Can't enable both pulp node and master support")
}

$foreman_proxy_fqdn = $::fqdn
$foreman_url = $::foreman_proxy::foreman_base_url
$reverse_proxy_real = $pulp or $reverse_proxy
$setup_reverse_proxy = $pulp_node or $reverse_proxy

$rhsm_port = $reverse_proxy_real ? {
$rhsm_port = $setup_reverse_proxy ? {
true => $reverse_proxy_port,
false => '443'
}

ensure_packages('katello-debug')

class { '::certs::foreman_proxy':
hostname => $foreman_proxy_fqdn,
require => Class['certs'],
notify => Service['foreman-proxy'],
}

class { '::certs::katello':
hostname => $rhsm_hostname,
deployment_url => $rhsm_url,
rhsm_port => $rhsm_port,
require => Class['certs'],
}

if $pulp or $reverse_proxy_real {
class { '::certs::apache':
hostname => $foreman_proxy_fqdn,
require => Class['certs'],
}
~> class { '::foreman_proxy_content::reverse_proxy':
path => '/',
url => "${foreman_url}/",
port => $reverse_proxy_port,
subscribe => Class['certs::foreman_proxy'],
ssl_protocol => $ssl_protocol,
}
if $setup_reverse_proxy {
include ::foreman_proxy_content::reverse_proxy
}

if $pulp_master or $pulp {
if $qpid_router {
class { '::foreman_proxy_content::dispatch_router':
require => Class['pulp'],
}
}

class { '::pulp::crane':
cert => $certs::apache::apache_cert,
key => $certs::apache::apache_key,
ca_cert => $certs::ca_cert,
data_dir => '/var/lib/pulp/published/docker/v2/app',
ssl_protocol => $ssl_protocol,
require => Class['certs::apache'],
}

include ::foreman_proxy_content::pub_dir
if $pulp_master {
include ::foreman_proxy_content::pulp::master
}

if $pulp {
include ::apache

file {'/etc/httpd/conf.d/pulp_nodes.conf':
ensure => file,
content => template('foreman_proxy_content/pulp_nodes.conf.erb'),
owner => 'root',
group => 'root',
mode => '0644',
}

if $manage_broker {
include ::foreman_proxy_content::broker
}

class { '::certs::qpid_client':
require => Class['certs'],
}
~> class { '::pulp':
enable_ostree => $enable_ostree,
enable_rpm => $enable_yum,
enable_iso => $enable_file,
enable_deb => $enable_deb,
enable_puppet => $enable_puppet,
enable_docker => $enable_docker,
default_password => $pulp_admin_password,
messaging_transport => 'qpid',
messaging_auth_enabled => false,
messaging_ca_cert => pick($pulp_ca_cert, $::certs::ca_cert),
messaging_client_cert => $certs::messaging_client_cert,
messaging_url => "ssl://${qpid_router_broker_addr}:${qpid_router_broker_port}",
broker_url => "qpid://${qpid_router_broker_addr}:${qpid_router_broker_port}",
broker_use_ssl => true,
manage_broker => false,
manage_httpd => true,
manage_plugins_httpd => true,
manage_squid => true,
puppet_wsgi_processes => $pulp_puppet_wsgi_processes,
max_tasks_per_child => $pulp_max_tasks_per_child,
num_workers => $pulp_num_workers,
repo_auth => true,
node_server_ca_cert => $certs::pulp_server_ca_cert,
https_cert => $certs::apache::apache_cert,
https_key => $certs::apache::apache_key,
ssl_protocol => $ssl_protocol,
ca_cert => $certs::ca_cert,
yum_max_speed => $pulp_max_speed,
proxy_port => $pulp_proxy_port,
proxy_url => $pulp_proxy_url,
proxy_username => $pulp_proxy_username,
proxy_password => $pulp_proxy_password,
worker_timeout => $pulp_worker_timeout,
}

pulp::apache::fragment{'gpg_key_proxy':
ssl_content => template('foreman_proxy_content/_pulp_gpg_proxy.erb', 'foreman_proxy_content/httpd_pub.erb'),
}
if $pulp_node {
include ::foreman_proxy_content::pulp::node
}

if $puppet {
# We can't pull the certs out to the top level, because of how it gets the default
# parameter values from the main ::certs class. Kafo can't handle that case, so
# it remains here for now.
include ::puppet
if $::puppet::server and $::puppet::server::foreman {
class { '::certs::puppet':
hostname => $foreman_proxy_fqdn,
require => Class['certs'],
before => Class['puppet'],
}
}
include ::foreman_proxy_content::puppet
}

if $certs_tar {
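Review bot: switching `::certs::foreman_proxy` from a resource-like declaration to `include ::certs::foreman_proxy` drops the explicit `hostname => $foreman_proxy_fqdn` and `require => Class['certs']`, while `$foreman_proxy_fqdn = $::fqdn` is still computed and still passed to `::certs::puppet` further down in this hunk; if the hostname default inside `certs::foreman_proxy` is anything other than `$::fqdn`, the proxy and puppet certificates will now be issued for different names, so either keep passing the hostname or add a comment stating that the defaults are known to agree (the `~> Class['foreman_proxy::service']` chain does preserve the old `notify`). Also, `include ::foreman_proxy_content::pub_dir` is removed from the `$pulp_master or $pulp` block but does not reappear in the new `pulp/master.pp` in this PR; if it only moved into `pulp/node.pp`, the pulp master side loses its pub dir.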
65 changes: 65 additions & 0 deletions manifests/pulp/master.pp
@@ -0,0 +1,65 @@
# The pulp master configuration
#
# This scenario assumes the pulp master is already configured otherwise,
# usually via puppet-katello. Here we only configure the qpid router (if
# desired) and crane.
class foreman_proxy_content::pulp::master (
Boolean $qpid_router = $::foreman_proxy_content::qpid_router,
String $hub_host = $::foreman_proxy_content::qpid_router_hub_addr,
Integer[0, 65535] $hub_port = $::foreman_proxy_content::qpid_router_hub_port,
String $broker_host = $::foreman_proxy_content::qpid_router_broker_addr,
Integer[0, 65535] $broker_port = $::foreman_proxy_content::qpid_router_broker_port,
) {
if $qpid_router {
Member:

Maybe this should be its own manifest? Pulp does not actually talk to the router and you may choose to deploy the router separately from your Pulp host or even your qpid host. That is, you could have Pulp server, Qpid server and Qdrouter running all separately or router and qpid paired.

Member Author:

I think you're right.

include ::foreman_proxy_content::dispatch_router

qpid::router::listener {'hub':
host => $hub_host,
port => $hub_port,
role => 'inter-router',
ssl_profile => 'server',
}

# Connect dispatch router to the local qpid
qpid::router::connector { 'broker':
host => $broker_host,
port => $broker_port,
ssl_profile => 'client',
role => 'route-container',
idle_timeout => 0,
}

qpid::router::link_route { 'broker-pulp-route-out':
prefix => 'pulp.',
direction => 'out',
connection => 'broker',
}

qpid::router::link_route { 'broker-pulp-task-route-in':
prefix => 'pulp.task',
direction => 'in',
connection => 'broker',
}

qpid::router::link_route { 'broker-qmf-route-in':
prefix => 'qmf.',
direction => 'in',
connection => 'broker',
}

qpid::router::link_route { 'broker-qmf-route-out':
prefix => 'qmf.',
direction => 'out',
connection => 'broker',
}
}

include ::certs::apache
class { '::pulp::crane':
cert => $::certs::apache::apache_cert,
key => $::certs::apache::apache_key,
ca_cert => $::certs::ca_cert,
data_dir => '/var/lib/pulp/published/docker/v2/app',
subscribe => Class['certs::apache'],
}
Member:

This can run on a Smart proxy as well serving up docker content off the Pulp server there.

Member Author:

That's why I added enable_crane there.

}
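Review bot: the `::pulp::crane` declaration here drops `ssl_protocol => $ssl_protocol`, which the removed block in `init.pp` passed alongside `require => Class['certs::apache']` (now `subscribe`), so crane reverts to the `pulp::crane` default TLS protocol configuration and the operator's `ssl_protocol` setting silently stops applying to that vhost; add an `$ssl_protocol` parameter to this class, sourced from `$::foreman_proxy_content::ssl_protocol` like the other parameters, and pass it through. Minor: `Integer[0, 65535]` admits port 0, which is not a usable listener or connector port; `Integer[1, 65535]` is the tighter bound for `$hub_port` and `$broker_port`. The thread above already agrees the router block belongs in its own manifest, which would leave this class responsible for crane alone.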