Alexandros Kosiaris has uploaded a new change for review.
https://gerrit.wikimedia.org/r/248850
Change subject: puppetmaster: Move the role into the role module
......................................................................
puppetmaster: Move the role into the role module
Move the puppetmaster role into the role module
Change-Id: I3571dab849cc8874367ec57dedbb3a1fb34aef92
---
D manifests/role/puppetmaster.pp
A modules/role/manifests/puppetmaster/backend.pp
A modules/role/manifests/puppetmaster/frontend.pp
A modules/role/manifests/puppetmaster/labs.pp
4 files changed, 119 insertions(+), 117 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/50/248850/1
diff --git a/manifests/role/puppetmaster.pp b/manifests/role/puppetmaster.pp
deleted file mode 100644
index 8edcbc2..0000000
--- a/manifests/role/puppetmaster.pp
+++ /dev/null
@@ -1,117 +0,0 @@
-# vim: set tabstop=4 shiftwidth=4 softtabstop=4 expandtab textwidth=80 smarttab
-
-class role::puppetmaster::frontend {
- include passwords::puppet::database
-
- include role::backup::host
- backup::set { 'var-lib-puppet-ssl': }
- backup::set { 'var-lib-puppet-volatile': }
-
- system::role { 'puppetmaster':
- description => 'Puppetmaster frontend'
- }
-
- class { '::puppetmaster':
- server_type => 'frontend',
- workers => [
- {
- 'worker' => 'palladium.eqiad.wmnet',
- 'loadfactor' => 10,
- },
- {
- 'worker' => 'strontium.eqiad.wmnet',
- 'loadfactor' => 20,
- },
- ],
- config => {
- 'storeconfigs' => true, # Required by thin_storeconfigs on
puppet 3.x
- 'thin_storeconfigs' => true,
- 'dbadapter' => 'mysql',
- 'dbuser' => 'puppet',
- 'dbpassword' =>
$passwords::puppet::database::puppet_production_db_pass,
- 'dbserver' => 'm1-master.eqiad.wmnet',
- }
- }
-}
-
-class role::puppetmaster::backend {
- include passwords::puppet::database
- include base::firewall
-
- system::role { 'puppetmaster':
- description => 'Puppetmaster backend'
- }
-
- class { '::puppetmaster':
- server_type => 'backend',
- config => {
- 'storeconfigs' => true, # Required by thin_storeconfigs on
puppet 3.x
- 'thin_storeconfigs' => true,
- # lint:ignore:quoted_booleans
- # Not a simple boolean, this must be quoted.
- 'ca' => 'false',
- # lint:endignore
- 'ca_server' => 'palladium.eqiad.wmnet',
- 'dbadapter' => 'mysql',
- 'dbuser' => 'puppet',
- 'dbpassword' =>
$passwords::puppet::database::puppet_production_db_pass,
- 'dbserver' => 'm1-master.eqiad.wmnet',
- 'dbconnections' => '256',
- }
- }
-
- ferm::service { 'puppetmaster-backend':
- proto => 'tcp',
- port => 8141,
- }
-
- $puppetmaster_hostname = hiera('puppetmaster')
- ferm::service { 'ssh_puppet_merge':
- proto => 'tcp',
- port => '22',
- srange => "@resolve(${puppetmaster_hostname})"
- }
-}
-
-class role::puppetmaster::labs {
- include network::constants
-
- $labs_ranges = [
-
$network::constants::all_network_subnets['production']['eqiad']['private']['labs-instances1-a-eqiad']['ipv4'],
-
$network::constants::all_network_subnets['production']['eqiad']['private']['labs-instances1-b-eqiad']['ipv4'],
-
$network::constants::all_network_subnets['production']['eqiad']['private']['labs-instances1-c-eqiad']['ipv4'],
-
$network::constants::all_network_subnets['production']['eqiad']['private']['labs-instances1-d-eqiad']['ipv4'],
- ]
-
- include ldap::role::config::labs
- $ldapconfig = $ldap::role::config::labs::ldapconfig
- $basedn = $ldapconfig['basedn']
-
- # Only allow puppet access from the instances
- $allow_from = $::realm ? {
- 'production' => flatten([$labs_ranges, '208.80.154.14']),
- 'labs' => [ '192.168.0.0/21' ],
- }
-
- class { '::puppetmaster':
- server_name => hiera('labs_puppet_master'),
- allow_from => $allow_from,
- config => {
- 'thin_storeconfigs' => false,
- 'node_terminus' => 'ldap',
- 'ldapserver' => $ldapconfig['servernames'][0],
- 'ldapbase' => "ou=hosts,${basedn}",
- 'ldapstring' =>
'(&(objectclass=puppetClient)(associatedDomain=%s))',
- 'ldapuser' => $ldapconfig['proxyagent'],
- 'ldappassword' => $ldapconfig['proxypass'],
- 'ldaptls' => true,
- 'autosign' => true,
- };
- }
-
- if ! defined(Class['puppetmaster::certmanager']) {
- class { 'puppetmaster::certmanager':
- remote_cert_cleaner => hiera('labs_certmanager_hostname'),
- }
- }
-}
diff --git a/modules/role/manifests/puppetmaster/backend.pp
b/modules/role/manifests/puppetmaster/backend.pp
new file mode 100644
index 0000000..652ed74
--- /dev/null
+++ b/modules/role/manifests/puppetmaster/backend.pp
@@ -0,0 +1,40 @@
+# vim: set tabstop=4 shiftwidth=4 softtabstop=4 expandtab textwidth=80 smarttab
+
+class role::puppetmaster::backend {
+ include passwords::puppet::database
+ include base::firewall
+
+ system::role { 'puppetmaster':
+ description => 'Puppetmaster backend'
+ }
+
+ class { '::puppetmaster':
+ server_type => 'backend',
+ config => {
+ 'storeconfigs' => true, # Required by thin_storeconfigs on
puppet 3.x
+ 'thin_storeconfigs' => true,
+ # lint:ignore:quoted_booleans
+ # Not a simple boolean, this must be quoted.
+ 'ca' => 'false',
+ # lint:endignore
+ 'ca_server' => 'palladium.eqiad.wmnet',
+ 'dbadapter' => 'mysql',
+ 'dbuser' => 'puppet',
+ 'dbpassword' =>
$passwords::puppet::database::puppet_production_db_pass,
+ 'dbserver' => 'm1-master.eqiad.wmnet',
+ 'dbconnections' => '256',
+ }
+ }
+
+ ferm::service { 'puppetmaster-backend':
+ proto => 'tcp',
+ port => 8141,
+ }
+
+ $puppetmaster_hostname = hiera('puppetmaster')
+ ferm::service { 'ssh_puppet_merge':
+ proto => 'tcp',
+ port => '22',
+ srange => "@resolve(${puppetmaster_hostname})"
+ }
+}
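Review bot: The `ferm::service { 'puppetmaster-backend': }` resource opens tcp/8141 without an `srange`, while `ssh_puppet_merge` directly below it is limited to `@resolve(${puppetmaster_hostname})`. Unless `ferm::service` applies a restrictive default source (its definition is not visible in this change), the backend port is reachable from every address the host firewall otherwise admits. If only the frontend needs to reach the backend, and assuming `hiera('puppetmaster')` names that frontend, the same restriction could be applied by adding `srange => "@resolve(${puppetmaster_hostname})"` to the 8141 rule, which means moving the `$puppetmaster_hostname` assignment above it. The code is carried over unchanged from the deleted manifest, so this could equally be a follow-up change.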
diff --git a/modules/role/manifests/puppetmaster/frontend.pp
b/modules/role/manifests/puppetmaster/frontend.pp
new file mode 100644
index 0000000..1a0aadb
--- /dev/null
+++ b/modules/role/manifests/puppetmaster/frontend.pp
@@ -0,0 +1,35 @@
+# vim: set tabstop=4 shiftwidth=4 softtabstop=4 expandtab textwidth=80 smarttab
+
+class role::puppetmaster::frontend {
+ include passwords::puppet::database
+
+ include role::backup::host
+ backup::set { 'var-lib-puppet-ssl': }
+ backup::set { 'var-lib-puppet-volatile': }
+
+ system::role { 'puppetmaster':
+ description => 'Puppetmaster frontend'
+ }
+
+ class { '::puppetmaster':
+ server_type => 'frontend',
+ workers => [
+ {
+ 'worker' => 'palladium.eqiad.wmnet',
+ 'loadfactor' => 10,
+ },
+ {
+ 'worker' => 'strontium.eqiad.wmnet',
+ 'loadfactor' => 20,
+ },
+ ],
+ config => {
+ 'storeconfigs' => true, # Required by thin_storeconfigs on
puppet 3.x
+ 'thin_storeconfigs' => true,
+ 'dbadapter' => 'mysql',
+ 'dbuser' => 'puppet',
+ 'dbpassword' =>
$passwords::puppet::database::puppet_production_db_pass,
+ 'dbserver' => 'm1-master.eqiad.wmnet',
+ }
+ }
+}
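Review bot: `role::puppetmaster::frontend` neither includes `base::firewall` nor declares a `ferm::service`, whereas `role::puppetmaster::backend` in this same change does both. If the frontend is firewalled elsewhere, for example in its node definition (not visible here), a one-line comment at the top of the class such as `# base::firewall is applied outside this role: <where>` would record that. If it is not, the include and a rule for the frontend's listening port are missing from the new file. The frontend also holds the CA material backed up by `var-lib-puppet-ssl`, so an explicit note on how the host is filtered is worth having.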
diff --git a/modules/role/manifests/puppetmaster/labs.pp
b/modules/role/manifests/puppetmaster/labs.pp
new file mode 100644
index 0000000..7aef552
--- /dev/null
+++ b/modules/role/manifests/puppetmaster/labs.pp
@@ -0,0 +1,44 @@
+# vim: set tabstop=4 shiftwidth=4 softtabstop=4 expandtab textwidth=80 smarttab
+
+class role::puppetmaster::labs {
+ include network::constants
+
+ $labs_ranges = [
+
$network::constants::all_network_subnets['production']['eqiad']['private']['labs-instances1-a-eqiad']['ipv4'],
+
$network::constants::all_network_subnets['production']['eqiad']['private']['labs-instances1-b-eqiad']['ipv4'],
+
$network::constants::all_network_subnets['production']['eqiad']['private']['labs-instances1-c-eqiad']['ipv4'],
+
$network::constants::all_network_subnets['production']['eqiad']['private']['labs-instances1-d-eqiad']['ipv4'],
+ ]
+
+ include ldap::role::config::labs
+ $ldapconfig = $ldap::role::config::labs::ldapconfig
+ $basedn = $ldapconfig['basedn']
+
+ # Only allow puppet access from the instances
+ $allow_from = $::realm ? {
+ 'production' => flatten([$labs_ranges, '208.80.154.14']),
+ 'labs' => [ '192.168.0.0/21' ],
+ }
+
+ class { '::puppetmaster':
+ server_name => hiera('labs_puppet_master'),
+ allow_from => $allow_from,
+ config => {
+ 'thin_storeconfigs' => false,
+ 'node_terminus' => 'ldap',
+ 'ldapserver' => $ldapconfig['servernames'][0],
+ 'ldapbase' => "ou=hosts,${basedn}",
+ 'ldapstring' =>
'(&(objectclass=puppetClient)(associatedDomain=%s))',
+ 'ldapuser' => $ldapconfig['proxyagent'],
+ 'ldappassword' => $ldapconfig['proxypass'],
+ 'ldaptls' => true,
+ 'autosign' => true,
+ };
+ }
+
+ if ! defined(Class['puppetmaster::certmanager']) {
+ class { 'puppetmaster::certmanager':
+ remote_cert_cleaner => hiera('labs_certmanager_hostname'),
+ }
+ }
+}
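Review bot: With `'autosign' => true` in the config hash, `$allow_from` looks like the only control in this class on which hosts get a signed certificate, and the new file does not say so. I would add a comment above the `autosign` key, e.g. `# autosign is on: any host matching $allow_from gets its cert signed unreviewed`. The existing comment "Only allow puppet access from the instances" also does not match the production branch of the selector, which appends the single address '208.80.154.14' with no explanation; a trailing comment naming that host would help. The selector has no `default` branch, which I would expect to fail compilation for an unknown `$::realm`; if that fail-closed behaviour is intended, a short comment would stop a later edit from adding a permissive default.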
--
To view, visit https://gerrit.wikimedia.org/r/248850
Gerrit-MessageType: newchange
Gerrit-Change-Id: I3571dab849cc8874367ec57dedbb3a1fb34aef92
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Alexandros Kosiaris <[email protected]>