Refactor __consul_agent type to support distribution packages

This commit is contained in:
fnux 2020-01-21 10:06:09 +01:00
parent c09165d122
commit 70200cd28f
3 changed files with 225 additions and 152 deletions

View file

@ -116,6 +116,9 @@ verify-incoming
verify-outgoing verify-outgoing
enforce the use of TLS and verify the peers authenticity on outgoing connections enforce the use of TLS and verify the peers authenticity on outgoing connections
use-distribution-package
uses distribution package instead of upstream binary
EXAMPLES EXAMPLES
-------- --------

View file

@ -2,6 +2,7 @@
# #
# 2015 Steven Armstrong (steven-cdist at armstrong.cc) # 2015 Steven Armstrong (steven-cdist at armstrong.cc)
# 2015-2019 Nico Schottelius (nico-cdist at schottelius.org) # 2015-2019 Nico Schottelius (nico-cdist at schottelius.org)
# 2019 Timothée Floure (timothee.floure at ungleich.ch)
# #
# This file is part of cdist. # This file is part of cdist.
# #
@ -19,133 +20,64 @@
# along with cdist. If not, see <http://www.gnu.org/licenses/>. # along with cdist. If not, see <http://www.gnu.org/licenses/>.
# #
os=$(cat "$__global/explorer/os") os=$(cat "$__global/explorer/os")
case "$os" in ###
alpine|scientific|centos|debian|devuan|redhat|ubuntu) # Type parameters.
# whitelist safeguard
:
;;
*)
echo "Your operating system ($os) is currently not supported by this type (${__type##*/})." >&2
echo "Please contribute an implementation for it if you can." >&2
exit 1
;;
esac
state="$(cat "$__object/parameter/state")" state="$(cat "$__object/parameter/state")"
user="$(cat "$__object/parameter/user")" user="$(cat "$__object/parameter/user")"
group="$(cat "$__object/parameter/group")" group="$(cat "$__object/parameter/group")"
release=$(cat "$__global/explorer/lsb_release")
if [ -f "$__object/parameter/use-distribution-package" ]; then
use_distribution_package=1
fi
###
# Those are default that might be overriden by os-specific logic.
data_dir="/var/lib/consul" data_dir="/var/lib/consul"
conf_dir="/etc/consul/conf.d" conf_dir="/etc/consul/conf.d"
conf_file="config.json" conf_file="config.json"
tls_dir="$conf_dir/tls"
# FIXME: there has got to be a better way to handle the dependencies in this case ###
case "$state" in # Sane deployment, based on distribution package when available.
present)
__group "$group" --system --state "$state" distribution_setup () {
require="__group/$group" \ case "$os" in
__user "$user" --system --gid "$group" \ debian)
--home "$data_dir" --state "$state" # consul is only available starting Debian 10 (buster).
export require="__user/consul" # See https://packages.debian.org/buster/consul
;; if [ $release -lt 10 ]; then
absent) echo "Consul is not available for your debian release." >&2
echo "Sorry, state=absent currently not supported :-(" >&2 echo "Please use the 'manual' (i.e. non-package) installation or \
upgrade the target system." >&2
exit 1 exit 1
require="$__object_name" \ fi
__user "$user" --system --gid "$group" --state "$state"
require="__user/$user" \
__group "$group" --system --state "$state"
;;
esac
__directory /etc/consul \ # Override previously defined environment to match debian packaging.
--owner root --group "$group" --mode 750 --state "$state" conf_dir='/etc/consul.d'
require="__directory/etc/consul" \ user='consul'
__directory "$conf_dir" \ grou='consul'
--owner root --group "$group" --mode 750 --state "$state"
if [ -f "$__object/parameter/ca-file-source" ] || [ -f "$__object/parameter/cert-file-source" ] || [ -f "$__object/parameter/key-file-source" ]; then
# create directory for ssl certs
require="__directory/etc/consul" \
__directory /etc/consul/ssl \
--owner root --group "$group" --mode 750 --state "$state"
fi
__directory "$data_dir" \
--owner "$user" --group "$group" --mode 770 --state "$state"
# Generate json config file
(
echo "{"
# parameters we define ourself
printf ' "data_dir": "%s"\n' "$data_dir"
cd "$__object/parameter/"
for param in *; do
case "$param" in
state|user|group|json-config) continue ;;
ca-file-source|cert-file-source|key-file-source)
source="$(cat "$__object/parameter/$param")"
destination="/etc/consul/ssl/${source##*/}"
require="__directory/etc/consul/ssl" \
__file "$destination" \
--owner root --group consul --mode 640 \
--source "$source" \
--state "$state"
key="$(echo "${param%-*}" | tr '-' '_')"
printf ' ,"%s": "%s"\n' "$key" "$destination"
;;
disable-remote-exec|disable-update-check|leave-on-terminate|rejoin-after-leave|server|enable-syslog|verify-incoming|verify-outgoing)
# handle boolean parameters
key="$(echo "$param" | tr '-' '_')"
printf ' ,"%s": true\n' "$key"
;;
retry-join)
# join multiple parameters into json array
retry_join="$(awk '{printf "\""$1"\","}' "$__object/parameter/retry-join")"
# remove trailing ,
printf ' ,"retry_join": [%s]\n' "${retry_join%*,}"
;;
retry-join-wan)
# join multiple parameters into json array over wan
retry_join_wan="$(awk '{printf "\""$1"\","}' "$__object/parameter/retry-join-wan")"
# remove trailing ,
printf ' ,"retry_join_wan": [%s]\n' "${retry_join_wan%*,}"
;;
bootstrap-expect)
# integer key=value parameters
key="$(echo "$param" | tr '-' '_')"
printf ' ,"%s": %s\n' "$key" "$(cat "$__object/parameter/$param")"
;; ;;
*) *)
# string key=value parameters echo "Your operating system ($os) is currently not supported with the \
key="$(echo "$param" | tr '-' '_')" --use-distribution-package flag (${__type##*/})." >&2
printf ' ,"%s": "%s"\n' "$key" "$(cat "$__object/parameter/$param")" echo "Please use non-package installation or contribute an \
implementation for if you can." >&2
exit 1
;; ;;
esac esac
done
if [ -f "$__object/parameter/json-config" ]; then # Install consul package.
json_config="$(cat "$__object/parameter/json-config")" __package consul --state $state
if [ "$json_config" = "-" ]; then
json_config="$__object/stdin" export config_deployment_requires="__package/consul"
fi }
# remove leading and trailing whitespace and commas from first and last line
# indent each line with 3 spaces for consistency ###
json=$(sed -e 's/^[ \t]*/ /' -e '1s/^[ \t,]*//' -e '$s/[ \t,]*$//' "$json_config") # LEGACY manual deployment, kept for compatibility reasons.
printf ' ,%s\n' "$json"
fi
echo "}"
) | \
require="__directory${conf_dir}" \
__config_file "${conf_dir}/${conf_file}" \
--owner root --group "$group" --mode 640 \
--state "$state" \
--onchange 'service consul status >/dev/null && service consul reload || true' \
--source -
init_sysvinit() init_sysvinit()
{ {
@ -179,8 +111,43 @@ init_upstart()
require="__file/etc/init/consul.conf" __start_on_boot consul require="__file/etc/init/consul.conf" __start_on_boot consul
} }
# Install init script to start on boot manual_setup () {
case "$os" in case "$os" in
alpine|scientific|centos|debian|devuan|redhat|ubuntu)
# whitelist safeguard
:
;;
*)
echo "Your operating system ($os) is currently not supported by this \
type (${__type##*/})." >&2
echo "Please contribute an implementation for it if you can." >&2
exit 1
;;
esac
# FIXME: there has got to be a better way to handle the dependencies in this case
case "$state" in
present)
__group "$group" --system --state "$state"
require="__group/$group" __user "$user" \
--system --gid "$group" --home "$data_dir" --state "$state"
;;
*)
echo "The $state state is not (yet?) supported by this type." >&2
exit 1
;;
esac
# Create data directory.
require="__user/consul"__directory "$data_dir" \
--owner "$user" --group "$group" --mode 770 --state "$state"
# Create config directory.
require="__user/consul" __directory "$conf_dir" \
--parents --owner root --group "$group" --mode 750 --state "$state"
# Install init script to start on boot
case "$os" in
devuan) devuan)
init_sysvinit debian init_sysvinit debian
;; ;;
@ -222,4 +189,106 @@ case "$os" in
ubuntu) ubuntu)
init_upstart init_upstart
;; ;;
esac esac
config_deployment_requires="__user/consul __directory/$conf_dir"
}
###
# Trigger requested installation method.
if [ $use_distribution_package ]; then
distribution_setup
else
manual_setup
fi
###
# Generate and deploy configuration.
json_configuration=$(
echo "{"
# parameters we define ourself
printf ' "data_dir": "%s"\n' "$data_dir"
cd "$__object/parameter/"
for param in *; do
case "$param" in
state|user|group|json-config|use-distribution-package) continue ;;
ca-file-source|cert-file-source|key-file-source)
source="$(cat "$__object/parameter/$param")"
destination="/etc/consul/ssl/${source##*/}"
require="__directory/etc/consul/ssl" \
__file "$destination" \
--owner root --group consul --mode 640 \
--source "$source" \
--state "$state"
key="$(echo "${param%-*}" | tr '-' '_')"
printf ' ,"%s": "%s"\n' "$key" "$destination"
;;
disable-remote-exec|disable-update-check|leave-on-terminate\
|rejoin-after-leave|server|enable-syslog|verify-incoming|verify-outgoing)
# handle boolean parameters
key="$(echo "$param" | tr '-' '_')"
printf ' ,"%s": true\n' "$key"
;;
retry-join)
# join multiple parameters into json array
retry_join="$(awk '{printf "\""$1"\","}' "$__object/parameter/retry-join")"
# remove trailing ,
printf ' ,"retry_join": [%s]\n' "${retry_join%*,}"
;;
retry-join-wan)
# join multiple parameters into json array over wan
retry_join_wan="$(awk '{printf "\""$1"\","}' "$__object/parameter/retry-join-wan")"
# remove trailing ,
printf ' ,"retry_join_wan": [%s]\n' "${retry_join_wan%*,}"
;;
bootstrap-expect)
# integer key=value parameters
key="$(echo "$param" | tr '-' '_')"
printf ' ,"%s": %s\n' "$key" "$(cat "$__object/parameter/$param")"
;;
*)
# string key=value parameters
key="$(echo "$param" | tr '-' '_')"
printf ' ,"%s": "%s"\n' "$key" "$(cat "$__object/parameter/$param")"
;;
esac
done
if [ -f "$__object/parameter/json-config" ]; then
json_config="$(cat "$__object/parameter/json-config")"
if [ "$json_config" = "-" ]; then
json_config="$__object/stdin"
fi
# remove leading and trailing whitespace and commas from first and last line
# indent each line with 3 spaces for consistency
json=$(sed -e 's/^[ \t]*/ /' -e '1s/^[ \t,]*//' -e '$s/[ \t,]*$//' "$json_config")
printf ' ,%s\n' "$json"
fi
echo "}"
)
echo "$json_configuration" | require="$config_deployment_requires" \
__file "$conf_dir/$conf_file" \
--owner root --group "$group" --mode 640 \
--state "$state" \
--source -
# Set configuration deployment as requirement for service restart.
restart_requires="__file/$conf_dir/$conf_file"
###
# Install TLS certificates.
if [ -f "$__object/parameter/ca-file-source" ] || \
[ -f "$__object/parameter/cert-file-source" ] || \
[ -f "$__object/parameter/key-file-source" ]; then
requires="__file/$conf_dir/$conf_file" __directory $conf_dir/tls \
--owner root --group "$group" --mode 750 --state "$state"
# Append to service restart requirements.
restart_requires="$restart_requires __directory/$conf_dir/tls"
fi
###
# Restart consul agent after everything else.
require="$restart_requires" __service consul --action restart

View file

@ -6,3 +6,4 @@ server
enable-syslog enable-syslog
verify-incoming verify-incoming
verify-outgoing verify-outgoing
use-distribution-package