Andrew Bogott has submitted this change and it was merged.
Change subject: Set up ssh keys so that designate can clear salt and puppet
certs.
......................................................................
Set up ssh keys so that designate can clear salt and puppet certs.
Change-Id: I1ecca050b2ce2eb3020f36d2e09bc5cc32f259e0
---
M manifests/role/designate.pp
M manifests/role/nova.pp
M manifests/role/puppet.pp
M manifests/role/salt.pp
A modules/puppetmaster/manifests/certmanager.pp
A modules/puppetmaster/templates/puppet_cert_manager.pub.erb
6 files changed, 43 insertions(+), 1 deletion(-)
Approvals:
Andrew Bogott: Looks good to me, approved
jenkins-bot: Verified
diff --git a/manifests/role/designate.pp b/manifests/role/designate.pp
index aee8c37..44446b6 100644
--- a/manifests/role/designate.pp
+++ b/manifests/role/designate.pp
@@ -88,5 +88,7 @@
rule => "saddr (${wikitech} ${horizon} ${controller}) proto tcp dport
(9001) ACCEPT;",
}
-
+ ssh::userkey { 'puppet_cert_manager_private':
+ source => 'puppet:///private/ssh/puppet_cert_manager/cert_manager'
+ }
}
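Review bot: The resource name and the `cert_manager` source (no `.pub`) suggest this is the designate-side private key, yet it is declared through `ssh::userkey`, the same define that certmanager.pp uses with `user =>` and a public key to grant login. If `ssh::userkey` writes into an authorized_keys file, this hunk would deposit the private key there (typically a readable file) and not install it as a client identity at all; the missing `user` parameter is a further hint something is off. The private key should be installed as a `file` resource with `mode => '0600'`, owned by the account designate runs the ssh client as, at the path that client is configured to read. The enclosing `role::designate` class starts outside the hunk, so I cannot see whether such a resource already exists.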
diff --git a/manifests/role/nova.pp b/manifests/role/nova.pp
index a674ebb..8fdd31f 100644
--- a/manifests/role/nova.pp
+++ b/manifests/role/nova.pp
@@ -59,6 +59,13 @@
default => $nova_controller_hostname,
}
}
+ $designate_hostname = $::realm ? {
+ 'production' => 'holmium.wikimedia.org',
+ 'labs' => $nova_controller_hostname ? {
+ undef => $::ipaddress_eth0,
+ default => $nova_controller_hostname,
+ }
+ }
$controller_address = $::realm ? {
'production' => '208.80.154.18',
'labs' => $nova_controller_ip ? {
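Review bot: The labs fallback `undef => $::ipaddress_eth0` is the fact of the node applying the catalog, not designate's address. Since the other hunks feed `$designate_hostname` into an ssh `from=` restriction on the puppetmaster and salt master, a labs catalog with no `nova_controller_hostname` pins the certmanager key to the master's own eth0 address, which only works if designate is co-located there and otherwise fails silently (the ssh login is refused with no Puppet-side error). A comment stating that assumption, e.g. `# labs: designate is assumed to run on the controller / this host`, would make the fallback intelligible to the next reader.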
diff --git a/manifests/role/puppet.pp b/manifests/role/puppet.pp
index 2a950e3..52a5d30 100644
--- a/manifests/role/puppet.pp
+++ b/manifests/role/puppet.pp
@@ -34,6 +34,10 @@
'ldaptls' => true
};
}
+
+ class { 'puppetmaster::certmanager':
+ remote_cert_cleaner => $novaconfig['designate_hostname'],
+ }
}
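Review bot: `$novaconfig` is not assigned anywhere in this hunk, whereas the parallel change in salt.pp explicitly does `include role::nova::config` and `$novaconfig = $role::nova::config::novaconfig` before the same class declaration. If `$novaconfig` is not already in scope earlier in `role::puppet` (the class starts outside the hunk), `$novaconfig['designate_hostname']` is either a compile error or evaluates to nothing, and `puppetmaster::certmanager` silently falls back to its `""` default for `remote_cert_cleaner`. Mirroring the two salt.pp lines here would make the dependency explicit and keep the two roles consistent.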
diff --git a/manifests/role/salt.pp b/manifests/role/salt.pp
index 655f218..afbba4c 100644
--- a/manifests/role/salt.pp
+++ b/manifests/role/salt.pp
@@ -44,6 +44,12 @@
salt_reactor_options => { 'puppet_server' => 'virt1000.wikimedia.org'
},
}
+ include role::nova::config
+ $novaconfig = $role::nova::config::novaconfig
+
+ class { 'puppetmaster::certmanager':
+ remote_cert_cleaner => $novaconfig['designate_hostname'],
+ }
}
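Review bot: `class { 'puppetmaster::certmanager': ... }` is a resource-like declaration, and the same declaration is added to role::puppet in this commit; if both roles are applied to one node (L67 suggests the salt master and the puppet server are the same host, virt1000), the second evaluation fails with a duplicate class declaration error. Safer is to declare it once from a shared place, or to use `include puppetmaster::certmanager` here and in role::puppet with `remote_cert_cleaner` supplied via a class-level default or hiera. The enclosing class starts outside the hunk, so I cannot tell whether `role::nova::config` was already included above.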
# A salt master manages minions within a project
diff --git a/modules/puppetmaster/manifests/certmanager.pp
b/modules/puppetmaster/manifests/certmanager.pp
new file mode 100644
index 0000000..be10198
--- /dev/null
+++ b/modules/puppetmaster/manifests/certmanager.pp
@@ -0,0 +1,22 @@
+class puppetmaster::certmanager(
+ $remote_cert_cleaner=""
+){
+ user { 'certmanager':
+ home => '/var/lib/puppet',
+ managehome => false,
+ system => true,
+ }
+
+ # Allow remote execution for cert cleanup
+ ssh::userkey { 'certmanager.pub':
+ content => template('puppetmaster/puppet_cert_manager.pub.erb'),
+ user => 'certmanager',
+ }
+
+ sudo::user { 'certmanager':
+ privileges => [
+ 'ALL = (root) NOPASSWD: /usr/bin/puppet cert clean *',
+ 'ALL = (root) NOPASSWD: /usr/bin/salt-key -d *'
+ ]
+ }
+}
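Review bot: The sudoers glob `*` matches any trailing argument string including spaces, so the certmanager account can run `salt-key -d <name> -D` (delete every minion key) or append further flags to `puppet cert clean`, and nothing in the chain validates the certificate name designate hands over. Rather than widening the trust to "anything after the verb", point both sudo rules at a small root-owned wrapper that accepts exactly one argument, rejects a leading `-`, checks it against `^[A-Za-z0-9.-]+$` and then execs the two commands with that literal name. Separately, the default `$remote_cert_cleaner=""` is resolved unconditionally by the template, so an omitted or empty value yields a key with a bogus `from=` or a compile error depending on `ipresolve`; failing fast is clearer: `if $remote_cert_cleaner == '' { fail('puppetmaster::certmanager needs remote_cert_cleaner') }`. A comment on the `user` resource noting why `home => '/var/lib/puppet'` is shared with the puppet user (and where `ssh::userkey` will therefore write the key) would also help.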
diff --git a/modules/puppetmaster/templates/puppet_cert_manager.pub.erb
b/modules/puppetmaster/templates/puppet_cert_manager.pub.erb
new file mode 100644
index 0000000..fcab503
--- /dev/null
+++ b/modules/puppetmaster/templates/puppet_cert_manager.pub.erb
@@ -0,0 +1 @@
+from="<%= scope.function_ipresolve([remote_cert_cleaner, 4]) %>" ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABAQC58c3tShWchHSCEGp4LeJ3hcKhfgNMSF3FFmblVbp5ZUQ7EyL23q2hBr6Wdo2WoWAiiZN7BvQRjoykMvCEJoUVr2Kot8T84pyzR+U1l7ASuuGMQF5z4ftyWT34icEzbTCPdsPx+yPOHfPn9N5i7B55+5D2/R2xgeZ6J0/ab+ZS6vZ+oNnMEvD29RmfwCYdOcVZH6O66Pi4e44kd78rhhLlws0G2XVRvng1Urte75KuBq57G6axFHq7oQyjOQ+yLLlYvr35nDruXZ5ggW2+i9x/6KbybSURWQpXOy8I4e0Uv7K+4fqC1XPwVGexsnmWcMeqbIPpijL+jKe8kq2Q89C9
labs_certs
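Review bot: The key carries only a `from=` restriction, so anyone holding the designate private key (or root on the designate host) gets an interactive shell as certmanager on the puppetmaster and the salt master, with the sudo rules from certmanager.pp available; the intended use is a single non-interactive command. Prefix the line with a forced command and the usual lockdown options so a compromised key can only trigger the cleanup, e.g. `command="/usr/local/sbin/certmanager-clean",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,from="..."`, with the forced command reading the requested name from `SSH_ORIGINAL_COMMAND` and validating it. Note also that `ipresolve([remote_cert_cleaner, 4])` pins the restriction to one IPv4 address at catalog compile time; if designate connects over IPv6 or its address changes, logins are refused silently until the catalog is recompiled, which is fail-closed but worth a comment in the template.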
--
To view, visit https://gerrit.wikimedia.org/r/204067
Gerrit-MessageType: merged
Gerrit-Change-Id: I1ecca050b2ce2eb3020f36d2e09bc5cc32f259e0
Gerrit-PatchSet: 11
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Andrew Bogott <[email protected]>
Gerrit-Reviewer: Andrew Bogott <[email protected]>
Gerrit-Reviewer: Chasemp <[email protected]>
Gerrit-Reviewer: Dzahn <[email protected]>
Gerrit-Reviewer: Rush <[email protected]>
Gerrit-Reviewer: jenkins-bot <>