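# Sets up target nodes with the necessary services and access for RSAN.
#
# When applied to the Infrastructure Agent node group, this class dynamically
# configures all matching nodes to allow the RSAN node access to key elements
# of Puppet Enterprise: read-only NFS exports of the log, install and config
# trees, the metrics dashboard install profile, and - on the pe_postgresql
# host only - a 'rsan' database role with CONNECT/SELECT on every PE database,
# authenticated by the RSAN node's client certificate.
#
# @param [Array] rsan_importer_ips
#   An array of RSAN IP addresses that may mount the NFS exports.
#   Defaults to the output of a PuppetDB query (rsan::get_rsan_importer_ips).
# @param [Optional[String]] rsan_host
#   The certname of the RSAN node. When undef, PuppetDB is queried for the
#   first active node that has applied Rsan::Importer.
# @example
#   include rsan::exporter
class rsan::exporter (
  Array            $rsan_importer_ips = rsan::get_rsan_importer_ips(),
  Optional[String] $rsan_host         = undef,
) {
  ######################## 1. Export logging function ########################
  # Export the log, install and config trees read-only over NFS to the
  # RSAN importer node(s). Applies to all infrastructure nodes.
  ############################################################################
  class { '::nfs':
    server_enabled => true,
  }

  # Build the NFS client list: every RSAN IP gets the export options and the
  # local host is always allowed read-only. For ['1.2.3.4', '5.6.7.8'] the
  # result is
  # "1.2.3.4(ro,insecure,async,no_root_squash) 5.6.7.8(ro,insecure,async,no_root_squash) localhost(ro)".
  #
  # Option notes for the operator: the exports are read-only, but
  # 'no_root_squash' lets root on an importer read root-owned files,
  # 'insecure' accepts requests from unprivileged source ports, and
  # /etc/puppetlabs includes the node's SSL private keys - keep
  # $rsan_importer_ips limited to the RSAN node(s).
  $_rsan_clients = $rsan_importer_ips.map |$ip| {
    "${ip}(ro,insecure,async,no_root_squash)"
  }
  $clients = ($_rsan_clients + ['localhost(ro)']).join(' ')

  # Export path => suffix under the per-node mount point on the importer.
  # NOTE(review): 'fqdn' is a legacy fact; $facts['networking']['fqdn'] is the
  # structured equivalent if legacy facts are ever disabled.
  $_exports = {
    '/var/log/'        => 'log',
    '/opt/puppetlabs/' => 'opt',
    '/etc/puppetlabs/' => 'etc',
  }
  $_exports.each |$path, $suffix| {
    nfs::server::export { $path:
      ensure  => 'mounted',
      clients => $clients,
      mount   => "/var/pesupport/${facts['fqdn']}/${suffix}",
      nfstag  => 'rsan',
    }
  }

  ###################### 2. Metrics dashboard deployment ######################
  # Assumes the puppet metrics dashboard is used for telemetry; every node
  # needs the master install profile.
  ############################################################################
  include puppet_metrics_dashboard::profile::master::install

  ##################### 3. RSAN postgres command access ######################
  # Only on the pe_postgresql host: conditionally apply the dashboard
  # postgres_access profile and grant the RSAN node's certificate SELECT
  # access to all PE databases.
  ############################################################################
  $_pg_info = $facts['pe_postgresql_info']
  if $_pg_info != undef and $_pg_info['installed_server_version'] != '' {
    include puppet_metrics_dashboard::profile::master::postgres_access

    if $rsan_host {
      $_rsan_host = $rsan_host
    } else {
      # Fall back to PuppetDB: the first active (not deactivated or expired)
      # node, by certname, that has applied Rsan::Importer.
      $_query = puppetdb_query('resources[certname] {
        type = "Class" and
        title = "Rsan::Importer" and
        nodes {
          deactivated is null and
          expired is null
        }
        order by certname asc
        limit 1
      }')
      # Always assign, so the undef check below is never a reference to an
      # unassigned variable (a compile error under strict_variables).
      $_rsan_host = if $_query.empty { undef } else { $_query[0]['certname'] }
    }

    # Neither an explicit $rsan_host nor the query produced a certname:
    # warn on every run rather than configure access for nobody.
    if $_rsan_host == undef {
      notify { 'You must specify rsan_host (or apply the rsan class to an agent) to enable access.': }
    } else {
      pe_postgresql::server::role { 'rsan': }

      # The version selects the data directory holding pg_ident.conf; fall
      # back to 9.4 only when the fact does not report one.
      $postgres_version = if $_pg_info['installed_server_version'] {
        $_pg_info['installed_server_version']
      } else {
        '9.4'
      }

      $dbs = ['pe-activity', 'pe-classifier', 'pe-inventory', 'pe-puppetdb', 'pe-rbac', 'pe-orchestrator']
      # Loop-invariant; the same statement is run against each database.
      $grant_cmd = 'GRANT SELECT ON ALL TABLES IN SCHEMA "public" TO rsan'

      $dbs.each |$db| {
        pe_postgresql::server::database_grant { "CONNECT to rsan for ${db}":
          privilege => 'CONNECT',
          db        => $db,
          role      => 'rsan',
          require   => Pe_postgresql::Server::Role['rsan'],
        }

        # The 'unless' query only checks that rsan already holds a SELECT
        # grant on some table in this database, so tables created after the
        # first run are not covered by it. NOTE(review): an ALTER DEFAULT
        # PRIVILEGES statement would cover future tables - confirm against
        # the PE schema owners before adding one.
        pe_postgresql_psql { "${grant_cmd} on ${db}":
          command    => $grant_cmd,
          db         => $db,
          port       => $pe_postgresql::server::port,
          psql_user  => $pe_postgresql::server::user,
          psql_group => $pe_postgresql::server::group,
          psql_path  => $pe_postgresql::server::psql_path,
          unless     => "SELECT grantee, privilege_type FROM information_schema.role_table_grants WHERE privilege_type = 'SELECT' AND grantee = 'rsan'",
          require    => [
            Class['pe_postgresql::server'],
            Pe_postgresql::Server::Role['rsan'],
          ],
        }

        # The address masks admit any source; the effective restriction is
        # presumably the pg_ident mapping of $_rsan_host to the 'rsan' role,
        # i.e. the connection must present that client certificate over SSL.
        puppet_enterprise::pg::cert_allowlist_entry { "allow-rsan-access for ${db}":
          user                          => 'rsan',
          database                      => $db,
          allowed_client_certname       => $_rsan_host,
          pg_ident_conf_path            => "/opt/puppetlabs/server/data/postgresql/${postgres_version}/data/pg_ident.conf",
          ip_mask_allow_all_users_ssl   => '0.0.0.0/0',
          ipv6_mask_allow_all_users_ssl => '::/0',
        }
      }
    }
  }
}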