BBlack has submitted this change and it was merged. Change subject: move majority of privates/files usage to secret() ......................................................................
move majority of privates/files usage to secret() This is all of the trivial cases, where a fixed path was hardcoded as the source attribute of a 'file', 'ssh::userkey', or 'exim4::dkim' definition, all of which are known to handle the source/content switch ok. Change-Id: I0db6fdb1c75355b58095e0ec29d6028bbc614649 --- M manifests/mail.pp M manifests/role/access_new_install.pp M manifests/role/ci.pp M manifests/role/designate.pp M manifests/role/ganeti.pp M manifests/role/mha.pp M modules/authdns/manifests/account.pp M modules/gerrit/manifests/jetty.pp M modules/icinga/manifests/init.pp M modules/icinga/manifests/nsca/client.pp M modules/icinga/manifests/nsca/daemon.pp M modules/keyholder/manifests/private_key.pp M modules/labstore/manifests/init.pp M modules/lvs/manifests/balancer/runcommand.pp M modules/mailman/manifests/webui.pp M modules/mw-rc-irc/manifests/ircserver.pp M modules/openstack/manifests/glance/service.pp M modules/openstack/manifests/nova/compute.pp M modules/puppet/manifests/self/gitclone.pp M modules/puppetmaster/manifests/gitpuppet.pp M modules/scap/manifests/l10nupdate.pp M modules/statistics/manifests/sites/stats.pp 22 files changed, 34 insertions(+), 34 deletions(-) Approvals: BBlack: Looks good to me, approved jenkins-bot: Verified diff --git a/manifests/mail.pp b/manifests/mail.pp index 22957e4..1bc238e 100644 --- a/manifests/mail.pp +++ b/manifests/mail.pp @@ -97,7 +97,7 @@ exim4::dkim { 'wikimedia.org': domain => 'wikimedia.org', selector => 'wikimedia', - source => 'puppet:///private/dkim/wikimedia.org-wikimedia.key', + content => secret('dkim/wikimedia.org-wikimedia.key'), } } @@ -113,7 +113,7 @@ exim4::dkim { 'lists.wikimedia.org': domain => 'lists.wikimedia.org', selector => 'wikimedia', - source => 'puppet:///private/dkim/lists.wikimedia.org-wikimedia.key', + content => secret('dkim/lists.wikimedia.org-wikimedia.key'), } } 
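Review bot: With `content => secret(...)` in the three `exim4::dkim` declarations of manifests/mail.pp, the DKIM private key text becomes a parameter value in the compiled catalog, where the old `source` URL left only a fileserver reference. The same holds for every private-key `file` resource converted in the later hunks of this commit. Anything that stores or caches catalogs (PuppetDB, the agent's cached catalog, catalog dumps kept for debugging) would then hold key material; whether such stores exist here is not visible from the diff and is worth confirming. I would add a comment above each declaration such as `# secret() is evaluated at compile time; the key is embedded in the catalog, so catalog storage must stay access-restricted`.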
@@ -121,7 +121,7 @@ exim4::dkim { 'wiki-mail': domain => 'wikimedia.org', selector => 'wiki-mail', - source => 'puppet:///private/dkim/wikimedia.org-wiki-mail.key', + content => secret('dkim/wikimedia.org-wiki-mail.key'), } } diff --git a/manifests/role/access_new_install.pp b/manifests/role/access_new_install.pp index ab761dd..d6385de 100644 --- a/manifests/role/access_new_install.pp +++ b/manifests/role/access_new_install.pp @@ -6,12 +6,12 @@ owner => 'root', group => 'root', mode => '0400', - source => 'puppet:///private/ssh/new_install/new_install', + content => secret('ssh/new_install/new_install'), } file { '/root/.ssh/new_install.pub': owner => 'root', group => 'root', mode => '0444', - source => 'puppet:///private/ssh/new_install/new_install.pub', + content => secret('ssh/new_install/new_install.pub'), } } diff --git a/manifests/role/ci.pp b/manifests/role/ci.pp index 15f5e0b..f476ef4 100644 --- a/manifests/role/ci.pp +++ b/manifests/role/ci.pp @@ -104,7 +104,7 @@ owner => 'jenkins', group => 'jenkins', mode => '0400', - source => 'puppet:///private/ssh/ci/jenkins-mwext-sync_id_rsa', + content => secret('ssh/ci/jenkins-mwext-sync_id_rsa'), require => User['jenkins'], } @@ -208,7 +208,7 @@ ensure => present, owner => 'npmtravis', mode => '0400', - source => 'puppet:///private/ssh/ci/npmtravis_id_rsa', + content => secret('ssh/ci/npmtravis_id_rsa'), require => File['/home/npmtravis/.ssh'], } diff --git a/manifests/role/designate.pp b/manifests/role/designate.pp index e5ddbef..75de288 100644 --- a/manifests/role/designate.pp +++ b/manifests/role/designate.pp @@ -101,6 +101,6 @@ owner => 'designate', group => 'designate', mode => '0400', - source => 'puppet:///private/ssh/puppet_cert_manager/cert_manager' + content => secret('ssh/puppet_cert_manager/cert_manager') } } diff --git a/manifests/role/ganeti.pp b/manifests/role/ganeti.pp index 05bb1c0..afd3221 100644 --- a/manifests/role/ganeti.pp +++ b/manifests/role/ganeti.pp 
@@ -17,7 +17,7 @@ owner => 'root', group => 'root', mode => '0400', - source => 'puppet:///private/ganeti/id_dsa', + content => secret('ganeti/id_dsa'), } # This is here for completeness file { '/root/.ssh/id_dsa.pub': diff --git a/manifests/role/mha.pp b/manifests/role/mha.pp index 5d7d118..e0ba1e5 100644 --- a/manifests/role/mha.pp +++ b/manifests/role/mha.pp @@ -15,7 +15,7 @@ owner => 'mysql', group => 'mysql', mode => '0400', - source => 'puppet:///private/ssh/mysql/mysql.key', + content => secret('ssh/mysql/mysql.key'), } ssh::userkey { 'mysql': diff --git a/modules/authdns/manifests/account.pp b/modules/authdns/manifests/account.pp index a5e184a..31ddbe4 100644 --- a/modules/authdns/manifests/account.pp +++ b/modules/authdns/manifests/account.pp @@ -35,17 +35,17 @@ owner => $user, group => $group, mode => '0400', - source => 'puppet:///private/authdns/id_ed25519', + content => secret('authdns/id_ed25519'), } file { "${home}/.ssh/id_ed25519.pub": ensure => 'present', owner => $user, group => $group, mode => '0400', - source => 'puppet:///private/authdns/id_ed25519.pub', + content => secret('authdns/id_ed25519.pub'), } ssh::userkey { $user: - source => 'puppet:///private/authdns/id_ed25519.pub', + content => secret('authdns/id_ed25519.pub'), } file { "${home}/git-shell-commands": diff --git a/modules/gerrit/manifests/jetty.pp b/modules/gerrit/manifests/jetty.pp index db990f2..6ccdbf9 100644 --- a/modules/gerrit/manifests/jetty.pp +++ b/modules/gerrit/manifests/jetty.pp @@ -60,7 +60,7 @@ group => 'gerrit2', mode => '0600', require => File['/var/lib/gerrit2/.ssh'], - source => 'puppet:///private/gerrit/id_rsa', + content => secret('gerrit/id_rsa'), } file { '/var/lib/gerrit2/review_site': diff --git a/modules/icinga/manifests/init.pp b/modules/icinga/manifests/init.pp index a227db1..9c41169 100644 --- a/modules/icinga/manifests/init.pp +++ b/modules/icinga/manifests/init.pp 
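Review bot: The key installed by the manifests/role/ganeti.pp hunk is a DSA key, judging by the `ganeti/id_dsa` secret name and the `/root/.ssh/id_dsa.pub` resource that follows it. DSA SSH keys are limited to 1024 bits and OpenSSH 7.0 stopped accepting them by default, so touching this resource is a good moment to record the follow-up. I would add `# TODO: rotate to an ed25519 or RSA key; DSA is disabled by default in OpenSSH >= 7.0` above the resource. The resource title is outside the hunk, so the exact target path is not visible.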
@@ -60,7 +60,7 @@ } file { '/etc/icinga/nsca_frack.cfg': - source => 'puppet:///private/nagios/nsca_frack.cfg', + content => secret('nagios/nsca_frack.cfg'), owner => 'icinga', group => 'icinga', mode => '0644', diff --git a/modules/icinga/manifests/nsca/client.pp b/modules/icinga/manifests/nsca/client.pp index 9754fac..b55343a 100644 --- a/modules/icinga/manifests/nsca/client.pp +++ b/modules/icinga/manifests/nsca/client.pp @@ -8,7 +8,7 @@ } file { '/etc/send_nsca.cfg': - source => 'puppet:///private/icinga/send_nsca.cfg', + content => secret('icinga/send_nsca.cfg'), owner => 'root', mode => '0400', require => Package['nsca-client'], diff --git a/modules/icinga/manifests/nsca/daemon.pp b/modules/icinga/manifests/nsca/daemon.pp index 96a180b..b8f41a9 100644 --- a/modules/icinga/manifests/nsca/daemon.pp +++ b/modules/icinga/manifests/nsca/daemon.pp @@ -11,7 +11,7 @@ } file { '/etc/nsca.cfg': - source => 'puppet:///private/icinga/nsca.cfg', + content => secret('icinga/nsca.cfg'), owner => 'root', mode => '0400', require => Package['nsca'], diff --git a/modules/keyholder/manifests/private_key.pp b/modules/keyholder/manifests/private_key.pp index fec9d50..5c06ebf 100644 --- a/modules/keyholder/manifests/private_key.pp +++ b/modules/keyholder/manifests/private_key.pp @@ -20,7 +20,7 @@ # # keyholder::private_key { 'mwdeploy_rsa': # ensure => present, -# source => 'puppet:///private/ssh/tin/mwdeploy_rsa', +# content => secret('ssh/tin/mwdeploy_rsa'), # } # define keyholder::private_key( diff --git a/modules/labstore/manifests/init.pp b/modules/labstore/manifests/init.pp index ebd33996..243fda6 100644 --- a/modules/labstore/manifests/init.pp +++ b/modules/labstore/manifests/init.pp @@ -45,7 +45,7 @@ owner => 'root', group => 'root', mode => '0400', - source => 'puppet:///private/labstore/id_labstore', + content => secret('labstore/id_labstore'), } file { '/etc/default/nfs-common': 
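Review bot: `/etc/icinga/nsca_frack.cfg` in modules/icinga/manifests/init.pp is filled from the private repository yet keeps `mode => '0644'`, so every local account on the host can read it. The two other NSCA configs converted in this commit (`/etc/send_nsca.cfg` and `/etc/nsca.cfg`) use `mode => '0400'`. If this file carries an NSCA password as those presumably do, tighten it to `mode => '0640',` with the existing `icinga` owner and group. The resource body continues past the end of the hunk.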
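Review bot: The usage example in the header comment of modules/keyholder/manifests/private_key.pp now shows `content => secret('ssh/tin/mwdeploy_rsa')`, but the commit message lists only `file`, `ssh::userkey` and `exim4::dkim` as known to handle the source/content switch. The parameter list of `define keyholder::private_key(` begins on the last line of the hunk and is not visible, so whether the define accepts `content` cannot be confirmed from this diff. If it only takes `source`, anyone copying the example gets a compile error; either keep the example on `source` or state in the comment that `content` is supported.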
diff --git a/modules/lvs/manifests/balancer/runcommand.pp b/modules/lvs/manifests/balancer/runcommand.pp index cd9b97d..353cd95 100644 --- a/modules/lvs/manifests/balancer/runcommand.pp +++ b/modules/lvs/manifests/balancer/runcommand.pp @@ -19,6 +19,6 @@ owner => root, group => root, mode => '0600', - source => "puppet:///private/pybal/pybal-check"; + content => secret('pybal/pybal-check'); } } diff --git a/modules/mailman/manifests/webui.pp b/modules/mailman/manifests/webui.pp index 2a1f1fd..a653f69 100644 --- a/modules/mailman/manifests/webui.pp +++ b/modules/mailman/manifests/webui.pp @@ -17,7 +17,7 @@ # htdigest file for private list archives file { '/etc/apache2/arbcom-l.htdigest': - source => 'puppet:///private/mailman/arbcom-l.htdigest', + content => secret('mailman/arbcom-l.htdigest'), owner => 'root', group => 'www-data', mode => '0440', diff --git a/modules/mw-rc-irc/manifests/ircserver.pp b/modules/mw-rc-irc/manifests/ircserver.pp index 4196952..6bf8225 100644 --- a/modules/mw-rc-irc/manifests/ircserver.pp +++ b/modules/mw-rc-irc/manifests/ircserver.pp @@ -10,7 +10,7 @@ mode => '0444', owner => 'irc', group => 'irc', - source => 'puppet:///private/misc/ircd.conf'; + content => secret('misc/ircd.conf'); '/usr/etc/ircd.motd': mode => '0444', owner => 'irc', diff --git a/modules/openstack/manifests/glance/service.pp b/modules/openstack/manifests/glance/service.pp index 53fb7cc..d3ab79a 100644 --- a/modules/openstack/manifests/glance/service.pp +++ b/modules/openstack/manifests/glance/service.pp @@ -83,7 +83,7 @@ ssh::userkey { 'glancesync': require => user['glancesync'], ensure => present, - source => 'puppet:///private/ssh/glancesync/glancesync.pub', + content => secret('ssh/glancesync/glancesync.pub'), } file { '/home/glancesync/.ssh': ensure => directory, 
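Review bot: The ircd.conf entry in modules/mw-rc-irc/manifests/ircserver.pp takes its content from the private repository but is installed with `mode => '0444'`, readable by every local user. ircd configuration files usually hold operator and link passwords, which is presumably why this one lives in the private repo. Since owner and group are already `irc`, `mode => '0400',` would be enough for the daemon to read it. The enclosing `file { ... }` block starts above the hunk and continues with `/usr/etc/ircd.motd` below it.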
@@ -93,7 +93,7 @@ require => user['glancesync'], } file { '/home/glancesync/.ssh/id_rsa': - source => 'puppet:///private/ssh/glancesync/glancesync.key', + content => secret('ssh/glancesync/glancesync.key'), owner => 'glancesync', group => 'glance', mode => '0600', diff --git a/modules/openstack/manifests/nova/compute.pp b/modules/openstack/manifests/nova/compute.pp index 073c259..6b0789d 100644 --- a/modules/openstack/manifests/nova/compute.pp +++ b/modules/openstack/manifests/nova/compute.pp @@ -43,14 +43,14 @@ require => Package['nova-common'], } file { '/var/lib/nova/.ssh/id_rsa': - source => 'puppet:///private/ssh/nova/nova.key', + content => secret('ssh/nova/nova.key'), owner => 'nova', group => 'nova', mode => '0600', require => File['/var/lib/nova/.ssh'], } file { '/var/lib/nova/.ssh/id_rsa.pub': - source => 'puppet:///private/ssh/nova/nova.pub', + content => secret('ssh/nova/nova.pub'), owner => 'nova', group => 'nova', mode => '0600', @@ -83,7 +83,7 @@ } ssh::userkey { 'nova': - source => 'puppet:///private/ssh/nova/nova.pub', + content => secret('ssh/nova/nova.pub'), } service { 'libvirt-bin': diff --git a/modules/puppet/manifests/self/gitclone.pp b/modules/puppet/manifests/self/gitclone.pp index b78ed1d..aa64807 100644 --- a/modules/puppet/manifests/self/gitclone.pp +++ b/modules/puppet/manifests/self/gitclone.pp @@ -37,7 +37,7 @@ owner => 'root', group => 'root', mode => '0600', - source => 'puppet:///private/ssh/labs-puppet-key', + content => secret('ssh/labs-puppet-key'), } file { $volatiledir: ensure => directory, diff --git a/modules/puppetmaster/manifests/gitpuppet.pp b/modules/puppetmaster/manifests/gitpuppet.pp index 1f30292..e6ed816 100644 --- a/modules/puppetmaster/manifests/gitpuppet.pp +++ b/modules/puppetmaster/manifests/gitpuppet.pp 
@@ -19,7 +19,7 @@ owner => 'gitpuppet', group => 'gitpuppet', mode => '0400', - source => 'puppet:///private/ssh/gitpuppet/gitpuppet.key', + content => secret('ssh/gitpuppet/gitpuppet.key'), require => File['/home/gitpuppet/.ssh'], } file { '/home/gitpuppet/.ssh/gitpuppet-private-repo': @@ -27,7 +27,7 @@ owner => 'gitpuppet', group => 'gitpuppet', mode => '0400', - source => 'puppet:///private/ssh/gitpuppet/gitpuppet-private.key', + content => secret('ssh/gitpuppet/gitpuppet-private.key'), require => File['/home/gitpuppet/.ssh'], } ssh::userkey { 'gitpuppet': diff --git a/modules/scap/manifests/l10nupdate.pp b/modules/scap/manifests/l10nupdate.pp index 57a70bb..d164880 100644 --- a/modules/scap/manifests/l10nupdate.pp +++ b/modules/scap/manifests/l10nupdate.pp @@ -36,13 +36,13 @@ owner => 'l10nupdate', group => 'l10nupdate', mode => '0400', - source => 'puppet:///private/ssh/tin/l10nupdate/id_rsa', + content => secret('ssh/tin/l10nupdate/id_rsa'), } file { '/home/l10nupdate/.ssh/id_rsa.pub': owner => 'l10nupdate', group => 'l10nupdate', mode => '0444', - source => 'puppet:///private/ssh/tin/l10nupdate/id_rsa.pub', + content => secret('ssh/tin/l10nupdate/id_rsa.pub'), } # Make sure the log directory exists and has adequate permissions. diff --git a/modules/statistics/manifests/sites/stats.pp b/modules/statistics/manifests/sites/stats.pp index 647b9cc..d31a0a2 100644 --- a/modules/statistics/manifests/sites/stats.pp +++ b/modules/statistics/manifests/sites/stats.pp @@ -14,7 +14,7 @@ owner => 'root', group => 'root', mode => '0644', - source => 'puppet:///private/apache/htpasswd.stats', + content => secret('apache/htpasswd.stats'), } # add htpasswd file for private geowiki data 
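Review bot: The htpasswd resource in the first hunk of modules/statistics/manifests/sites/stats.pp ships `secret('apache/htpasswd.stats')` as `root:root` with `mode => '0644'`, so the password hashes are readable by every local account. The geowiki htpasswd in the following hunk uses `group => 'www-data'` with `mode => '0640'`; the same pair here, `group => 'www-data',` and `mode => '0640',`, keeps Apache able to read the file while closing it to other users. The resource title is above the hunk, so the target path is not visible.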
@@ -22,7 +22,7 @@ owner => 'root', group => 'www-data', mode => '0640', - source => 'puppet:///private/apache/htpasswd.stats-geowiki', + content => secret('apache/htpasswd.stats-geowiki'), } # link geowiki checkout from docroot -- To view, visit https://gerrit.wikimedia.org/r/224213 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I0db6fdb1c75355b58095e0ec29d6028bbc614649 Gerrit-PatchSet: 4 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: BBlack <bbl...@wikimedia.org> Gerrit-Reviewer: BBlack <bbl...@wikimedia.org> Gerrit-Reviewer: Faidon Liambotis <fai...@wikimedia.org> Gerrit-Reviewer: Hashar <has...@free.fr> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits