Merge pull request #249 from ComputeCanada/includes

Replace site.pp definition of node includes by site.yaml
ComputeCanada · Jul 28, 2023 · 5021123 · 5021123
2 parents c4216b7 + b179ad0
commit 5021123
Show file tree

Hide file tree

Showing 25 changed files with 461 additions and 471 deletions.
diff --git a/Puppetfile b/Puppetfile
@@ -12,11 +12,10 @@ mod 'herculesteam-augeasproviders_pam', '2.2.1'
 mod 'herculesteam-augeasproviders_shellvar', '4.0.0'
 mod 'herculesteam-augeasproviders_ssh', '4.0.0'
 mod 'herculesteam-augeasproviders_sysctl', '2.5.1'
-mod 'iu-duo_unix', '2.0.0'
 mod 'petems-swap_file', '4.0.2'
 mod 'puppet-archive', '4.6.0'
 mod 'puppet-epel', '3.0.1'
-mod 'puppet-fail2ban', '3.3.0'
+mod 'puppet-fail2ban', '4.2.0'
 mod 'puppet-healthcheck', '1.0.1'
 mod 'puppet-logrotate', '5.0.0'
 mod 'puppet-nodejs', '8.1.0'

diff --git a/README.md b/README.md
@@ -45,7 +45,7 @@ profile::accounts:::skel_archives:
 
 | Variable                       | Type   | Description                                                             | Default  |
 | ------------------------------ | :----- | :---------------------------------------------------------------------- | -------- |
-| `profile::consul::client::server_ip`   | String | IP address of the consul server                                         |          |
+| `profile::consul::servers`   | Array[String] | IP addresses of the consul servers                                         |          |
 
 ## profile::cvmfs
 
@@ -86,23 +86,12 @@ profile::accounts:::skel_archives:
 | `profile::freeipa::server::ds_password`| String  | Password of the directory server | |
 | `profile::freeipa::server::hbac_services`| Array[String]  | Name of services to control with HBAC rules | `['sshd', 'jupyterhub-login']` |
 
+## profile::jupyterhub
 
-## profile::mfa
-
-| Variable                 | Type                | Description                        | Default |
-| ------------------------ | :------------------ | :--------------------------------- | ------- |
-| `profile::mfa::provider` | Enum['none', 'duo'] | MFA provider for node tagged 'mfa' | 'none'  |
-
-### duo_unix
-
-| Variable             | Type   | Description                  | Default                  |
-| -------------------- | :----- | :--------------------------- | ------------------------ |
-| `duo_unix::usage`    | String | Either login or pam          | `login`                  |
-| `duo_unix::ikey`     | String | Duo integration              | `''`                     |
-| `duo_unix::skey`     | String | Duo secret key               | `''`                     |
-| `duo_unix::host`     | String | Duo api host                 | `''`                     |
-| `duo_unix::motd`     | String | Enable motd                  | `no`                     |
-| `duo_unix::failmode` | String | Failure mode, secure or safe | `safe`                   |
+| Variable | Type | Description | Default |
+| -------- | :--  | :---------- | ------- |
+| `profile::jupyterhub::hub::register_url` | String | URL to web page for user to register. Empty string removes the link on the hub login page. | "https://mokey.${domain_name}/auth/signup" |
+| `profile::jupyterhub::hub::reset_pw_url` | String | URL to web page for users to reset password. Empty string removes the link on the hub login page. | "https://mokey.${domain_name}/auth/forgotpw" |
 
 ## profile::nfs
 
@@ -116,9 +105,8 @@ profile::accounts:::skel_archives:
 | Variable                                       | Type   | Description                                                             | Default   |
 | ---------------------------------------------- | :----- | :---------------------------------------------------------------------- | --------- |
 | `profile::reverse_proxy::domain_name`          | String | Domain name corresponding to the main DNS record A registered           |           |
-| `profile::reverse_proxy::jupyterhub_subdomain` | String | Subdomain name used to create the vhost for JupyterHub                  | `jupyter` |
-| `profile::reverse_proxy::ipa_subdomain`        | String | Subdomain name used to create the vhost for FreeIPA                     | `ipa`     |
-| `profile::reverse_proxy::mokey_subdomain`      | String | Subdomain name used to create the vhost for Mokey                       | `mokey`   |
+| `profile::reverse_proxy::main2sub_redir` | String | Subdomain to which user should be redirected when hitting domain name directly. Empty string means no redirection | `'jupyter'` |
+| `profile::reverse_proxy::subdomains` | Hash[String, String] | Subdomain names used to create vhosts to arbitrary http endpoints in the cluster| `{"ipa": "ipa.int.${domain_name}", "mokey": "${mokey_ip}:${mokey_port}", "jupyter":"https://127.0.0.1:8000"}` |
 
 ## profile::slurm
 

diff --git a/bootstrap.sh b/bootstrap.sh
@@ -14,8 +14,5 @@ ENC_CMD="eyaml encrypt -o block --pkcs7-public-key=${PKCS7_KEY}"
     $ENC_CMD -l 'profile::freeipa::server::admin_password' -s $(openssl rand -base64 9)
 ) > /etc/puppetlabs/code/environments/production/data/bootstrap.yaml
 
-# Check if the puppet module for consul is present
-# If it is, initialize the consul server
-if [ -d /etc/puppetlabs/code/environments/production/modules/consul ]; then
-    /opt/puppetlabs/bin/puppet apply -e 'include profile::consul::server'
-fi
+# Apply bootstrap classes if any
+puppet apply /etc/puppetlabs/code/environments/production/manifests/site.pp  --tags mc_bootstrap
diff --git a/data/common.yaml b/data/common.yaml
@@ -16,8 +16,12 @@ consul_template::config_hash:
     token: "%{hiera('profile::consul::acl_api_token')}"
 
 epel::epel_exclude: 'slurm*'
+epel::epel_source_managed: false
+epel::epel_debuginfo_managed: false
+epel::epel_testing_managed: false
+epel::epel_testing_source_managed: false
+epel::epel_testing_debuginfo_managed: false
 
-fail2ban::config_file_template: "fail2ban/CentOS/%{facts.os.release.major}/etc/fail2ban/jail.conf.epp"
 fail2ban::package_name: fail2ban-server
 fail2ban::jails: ['ssh-route', 'ssh-ban-root']
 fail2ban::custom_jails:
@@ -77,6 +81,20 @@ squid::extra_config_sections:
     config_entries:
       maximum_object_size: "131072 KB"
 
+swap_file::files:
+  default:
+    ensure: "present"
+    swapfile: "/mnt/swap"
+    swapfilesize: "1 GB"
+
+
+mysql::server::remove_default_accounts: true
+mysql::server::override_options:
+    mysqld:
+      innodb_buffer_pool_size: 1024M
+      innodb_log_file_size: 64M
+      innodb_lock_wait_timeout: 900
+
 prometheus::alerts:
   groups:
     - name: 'recorder.rules'
@@ -199,10 +217,6 @@ profile::freeipa::mokey::enable_user_signup: true
 profile::freeipa::mokey::require_verify_admin: true
 profile::freeipa::mokey::access_tags: "%{alias('profile::users::ldap::access_tags')}"
 
-profile::reverse_proxy::jupyterhub_subdomain: jupyter
-profile::reverse_proxy::ipa_subdomain: ipa
-profile::reverse_proxy::mokey_subdomain: mokey
-
 profile::slurm::base::slurm_version: '21.08'
 profile::slurm::base::os_reserved_memory: 512
 profile::slurm::controller::autoscale_version: '0.2.3'
@@ -228,7 +242,7 @@ profile::freeipa::base::domain_name: "%{alias('terraform.data.domain_name')}"
 profile::slurm::base::cluster_name: "%{alias('terraform.data.cluster_name')}"
 
 profile::freeipa::client::server_ip: "%{alias('terraform.tag_ip.mgmt.0')}"
-profile::consul::client::servers: "%{alias('terraform.tag_ip.puppet')}"
+profile::consul::servers: "%{alias('terraform.tag_ip.puppet')}"
 
 profile::nfs::server::domain_name: "%{hiera('profile::freeipa::base::domain_name')}"
 profile::nfs::client::domain_name: "%{hiera('profile::freeipa::base::domain_name')}"
@@ -237,3 +251,10 @@ profile::nfs::client::server_ip: "%{alias('terraform.tag_ip.nfs.0')}"
 profile::nfs::server::devices: "%{alias('terraform.volumes.nfs')}"
 
 profile::reverse_proxy::domain_name: "%{alias('terraform.data.domain_name')}"
+profile::reverse_proxy::subdomains:
+  ipa: "ipa.int.%{lookup('terraform.data.domain_name')}"
+  mokey: "%{lookup('terraform.tag_ip.mgmt.0')}:%{lookup('profile::freeipa::mokey::port')}"
+  jupyter: "https://127.0.0.1:8000"
+
+profile::jupyterhub::hub::register_url: "https://mokey.%{lookup('terraform.data.domain_name')}/auth/signup"
+profile::jupyterhub::hub::reset_pw_url: "https://mokey.%{lookup('terraform.data.domain_name')}/auth/forgotpw"
diff --git a/data/site.yaml b/data/site.yaml
@@ -0,0 +1,60 @@
+---
+lookup_options:
+  magic_castle::site::all:
+    merge: 'first'
+  magic_castle::site::tags:
+    merge: 'hash'
+  magic_castle::site::not_tags:
+    merge: 'hash'
+
+magic_castle::site::all:
+  - profile::base
+  - profile::consul
+  - profile::users::local
+  - profile::sssd::client
+  - profile::metrics::node_exporter
+  - swap_file
+
+magic_castle::site::tags:
+  dtn:
+    - profile::globus
+  login:
+    - profile::fail2ban
+    - profile::cvmfs::client
+    - profile::slurm::submitter
+    - profile::ssh::hostbased_auth::client
+  mfa:
+    - profile::mfa
+  mgmt:
+    - mysql::server
+    - profile::freeipa::server
+    - profile::metrics::server
+    - profile::metrics::slurm_exporter
+    - profile::rsyslog::server
+    - profile::squid::server
+    - profile::slurm::controller
+    - profile::freeipa::mokey
+    - profile::slurm::accounting
+    - profile::accounts
+    - profile::users::ldap
+  node:
+    - profile::cvmfs::client
+    - profile::gpu
+    - profile::jupyterhub::node
+    - profile::slurm::node
+    - profile::ssh::hostbased_auth::client
+    - profile::ssh::hostbased_auth::server
+    - profile::metrics::slurm_job_exporter
+  nfs:
+    - profile::nfs::server
+    - profile::cvmfs::alien_cache
+  proxy:
+    - profile::jupyterhub::hub
+    - profile::reverse_proxy
+
+magic_castle::site::not_tags:
+  nfs:
+    - profile::nfs::client
+  mgmt:
+    - profile::freeipa::client
+    - profile::rsyslog::client
diff --git a/hiera.yaml b/hiera.yaml
@@ -32,3 +32,5 @@ hierarchy:
     options:
       pkcs7_private_key: /etc/puppetlabs/puppet/eyaml/boot_private_key.pkcs7.pem
       pkcs7_public_key:  /etc/puppetlabs/puppet/eyaml/boot_public_key.pkcs7.pem
+  - name: "site.pp definition"
+    path: "site.yaml"
diff --git a/manifests/site.pp b/manifests/site.pp
@@ -1,78 +1,31 @@
-stage { ['first', 'second']: }
-Stage['first'] -> Stage['second'] -> Stage['main']
-
 node default {
   $instance_tags = lookup("terraform.instances.${facts['networking']['hostname']}.tags")
 
-  if 'puppet' in $instance_tags {
-    include profile::consul::server
-  } else {
-    include profile::consul::client
-  }
-
-  include profile::base
-  include profile::users::local
-  include profile::sssd::client
-  include profile::metrics::node_exporter
-
-  if 'login' in $instance_tags {
-    include profile::fail2ban
-    include profile::cvmfs::client
-    include profile::slurm::submitter
-    include profile::ssh::hostbased_auth::client
-  }
-
-  if 'mgmt' in $instance_tags {
-    include profile::freeipa::server
-
-    include profile::metrics::server
-    include profile::metrics::slurm_exporter
-    include profile::rsyslog::server
-    include profile::squid::server
-    include profile::slurm::controller
-
-    include profile::freeipa::mokey
-    include profile::slurm::accounting
-
-    include profile::accounts
-    include profile::users::ldap
-  } else {
-    include profile::freeipa::client
-    include profile::rsyslog::client
-  }
-
-  if 'node' in $instance_tags {
-    include profile::cvmfs::client
-    include profile::gpu
-    include profile::jupyterhub::node
-
-    include profile::slurm::node
-    include profile::ssh::hostbased_auth::client
-    include profile::ssh::hostbased_auth::server
-
-    include profile::metrics::slurm_job_exporter
-
-    Class['profile::nfs::client'] -> Service['slurmd']
-    Class['profile::gpu'] -> Service['slurmd']
-  }
-
-  if 'nfs' in $instance_tags {
-    include profile::nfs::server
-    include profile::cvmfs::alien_cache
+  $include_all = lookup('magic_castle::site::all', undef, undef, [])
+
+  $include_tags = flatten(
+    $instance_tags.map | $tag | {
+      lookup("magic_castle::site::tags.${tag}", undef, undef, [])
+    }
+  )
+
+  $include_not_tags = flatten(
+    lookup('magic_castle::site::not_tags', undef, undef, {}).map | $tag, $classes | {
+      if ! ($tag in $instance_tags) {
+        $classes
+      } else {
+        []
+      }
+    }
+  )
+
+  if lookup('magic_castle::site::enable_chaos', undef, undef, false) {
+    $classes = shuffle($include_all + $include_tags + $include_not_tags)
+    notify { 'Chaos order':
+      message => String($classes),
+    }
   } else {
-    include profile::nfs::client
-  }
-
-  if 'proxy' in $instance_tags {
-    include profile::jupyterhub::hub
-    include profile::reverse_proxy
-  }
-
-  if 'dtn' in $instance_tags {
-    include profile::globus
-  }
-
-  if 'mfa' in $instance_tags {
-    include profile::mfa
+    $classes = $include_all + $include_tags + $include_not_tags
   }
+  include($classes)
 }
diff --git a/site/profile/files/nfs/clean-nfs-rbind.service b/site/profile/files/nfs/clean-nfs-rbind.service
diff --git a/site/profile/manifests/accounts.pp b/site/profile/manifests/accounts.pp
@@ -2,10 +2,12 @@
   String $project_regex,
   Array[Struct[{ filename => String[1], source => String[1] }]] $skel_archives = [],
 ) {
-  require profile::freeipa::server
-  require profile::freeipa::mokey
-  require profile::nfs::server
-  require profile::slurm::accounting
+  Service <| tag == profile::slurm |> -> Service['mkhome']
+  Service <| tag == profile::slurm |> -> Service['mkproject']
+  Service <| tag == profile::freeipa |> -> Service['mkhome']
+  Service <| tag == profile::freeipa |> -> Service['mkproject']
+  Mount <| |> -> Service['mkhome']
+  Mount <| |> -> Service['mkproject']
 
   $nfs_devices = lookup('profile::nfs::server::devices', undef, undef, {})
   $with_home = 'home' in $nfs_devices