Rush has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/254426

Change subject: WIP: Further hiera-ize role/labs/openstack/
......................................................................

WIP: Further hiera-ize role/labs/openstack/

There is still some low-hanging consolidation fruit left here; this isn't the final form.

* moving values into yaml
* moving private values into hiera private
* using role keyword in site consistently (needed for lookup)
* refactor class relationships based on the reduced
  need for classes as param stores

Change-Id: Ib7080dce519c99c5368d01380c8708ec43c069ce
---
M hieradata/common.yaml
M hieradata/eqiad.yaml
M manifests/role/labs/openstack/designate.pp
M manifests/role/labs/openstack/glance.pp
M manifests/role/labs/openstack/keystone.pp
M manifests/role/labs/openstack/nova.pp
M manifests/site.pp
M modules/openstack/templates/kilo/keystone/keystone.conf.erb
8 files changed, 88 insertions(+), 210 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/26/254426/1

diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 554622b..3a1a403 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -299,3 +299,23 @@
   dhcp_start: '10.68.16.4'
   network_public_ip: '208.80.155.255'
   dmz_cidr: '208.80.155.0/22,10.0.0.0/8'
+
+keystoneconfig:
+  db_name: 'keystone'
+  db_user: 'keystone'
+  ldap_base_dn: 'dc=wikimedia,dc=org'
+  ldap_user_dn: 'uid=novaadmin,ou=people,dc=wikimedia,dc=org'
+  ldap_user_id_attribute: 'uid'
+  ldap_tenant_id_attribute: 'cn'
+  ldap_user_name_attribute: 'uid'
+  ldap_tenant_name_attribute: 'cn'
+  ldap_proxyagent : 'cn=proxyagent,ou=profile,dc=wikimedia,dc=org'
+  auth_protocol: 'http'
+  auth_port: '35357'
+  db_host: 'm5-master.eqiad.wmnet'
+  ldap_host: 'ldap-eqiad.wikimedia.org'
+  token_driver: 'normal'
+
+glanceconfig:
+  db_host: 'm5-master.eqiad.wmnet'
+  bind_ip: "%{::ipaddress_eth0}"
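Review bot: keystoneconfig and glanceconfig are added to common.yaml yet carry eqiad-only backends (`db_host: 'm5-master.eqiad.wmnet'`, `ldap_host: 'ldap-eqiad.wikimedia.org'`), while designateconfig goes into eqiad.yaml; any non-eqiad node that includes role::labs::openstack::keystone::server (keystone.pp lists labcontrol2001 as a redis replica) would inherit the eqiad database and LDAP hosts. Put the site-specific keys next to designateconfig in eqiad.yaml, or keep only the site-independent ones here. glanceconfig also drops `db_name: 'glance'` and `db_user: 'glance'`, which the removed commonglanceconfig supplied, whereas keystoneconfig keeps its equivalents; unless private hiera now provides them, the glance template gets undef for both. The secret keys (db_pass, admin_token, ldap_user_pass, ldap_proxyagent_pass) must sit under the same `keystoneconfig:` key in private hiera for hiera_hash to merge them, which deserves a comment such as `# secrets (db_pass, admin_token, ldap_*_pass) are merged in from private hiera`. Minor: `ldap_proxyagent :` has a stray space before the colon, harmless to the parser but inconsistent with the other keys.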
diff --git a/hieradata/eqiad.yaml b/hieradata/eqiad.yaml
index 9c861cd..ba14771 100644
--- a/hieradata/eqiad.yaml
+++ b/hieradata/eqiad.yaml
@@ -100,3 +100,13 @@
   auth_port: '35357'
   auth_protocol: 'http'
   auth_host: 208.80.154.92
+
+designateconfig:
+  db_host:  'm5-master.eqiad.wmnet'
+  db_name: 'designate'
+  pool_manager_db_name: 'designate_pool_manager'
+  pdns_db_host: 'm5-master.eqiad.wmnet'
+  dhcp_domain: 'eqiad'
+  pdns_db_name: 'pdns'
+  rabbit_host:  *labsnovacontroller
+  controller_hostname: *labsnovacontroller
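Review bot: `rabbit_host: *labsnovacontroller` and `controller_hostname: *labsnovacontroller` depend on an `&labsnovacontroller` anchor being defined earlier in this file, which is outside the hunk so I cannot confirm it; a missing anchor fails parsing of the whole eqiad.yaml level, not just these keys. The credentials the removed commondesignateconfig took from passwords::* (db_user, db_pass, rabbit_user, rabbit_pass, pdns_db_user/pass, pdns_db_admin_user/pass) do not appear here, so they are presumably expected from private hiera under the same `designateconfig:` key; a one-line comment would make that contract visible, e.g. `# credentials (db_*, rabbit_*, pdns_db_*) are merged in from private hiera`. Minor: `db_host:  'm5-master.eqiad.wmnet'` and `rabbit_host:  *labsnovacontroller` have a doubled space after the colon.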
diff --git a/manifests/role/labs/openstack/designate.pp 
b/manifests/role/labs/openstack/designate.pp
index 058d64b..9b11cd7 100644
--- a/manifests/role/labs/openstack/designate.pp
+++ b/manifests/role/labs/openstack/designate.pp
@@ -1,72 +1,29 @@
-class role::labs::openstack::designate::config {
-
-    include openstack
-    include passwords::designate
-    include passwords::pdns
-    include passwords::labs::rabbitmq
-
-    $commondesignateconfig = {
-        db_name              => 'designate',
-        pool_manager_db_name => 'designate_pool_manager',
-        db_user              => $passwords::designate::db_user,
-        db_pass              => $passwords::designate::db_pass,
-        rabbit_user          => $passwords::labs::rabbitmq::rabbit_userid,
-        rabbit_pass          => $passwords::labs::rabbitmq::rabbit_password,
-        pdns_db_name         => 'pdns',
-        pdns_db_user         => $passwords::pdns::db_user,
-        pdns_db_pass         => $passwords::pdns::db_pass,
-        pdns_db_admin_user   => $passwords::pdns::db_admin_user,
-        pdns_db_admin_pass   => $passwords::pdns::db_admin_pass,
-    }
-}
-
-class role::labs::openstack::designate::config::eqiad inherits 
role::labs::openstack::designate::config {
-
-    include role::labs::openstack::keystone::config::eqiad
-
-    $nova_controller = hiera('labs_nova_controller')
-    $keystoneconfig = 
$role::labs::openstack::keystone::config::eqiad::keystoneconfig
-
-    $controller_hostname = $nova_controller
-    $db_host             = 'm5-master.eqiad.wmnet'
-    $pdns_db_host        = 'm5-master.eqiad.wmnet'
-    $auth_uri            = "http://${nova_controller}:5000";
-
-    $eqiaddesignateconfig = {
-        db_host                => $db_host,
-        pdns_db_host           => $pdns_db_host,
-        auth_uri               => $auth_uri,
-        rabbit_host            => $controller_hostname,
-        controller_hostname    => $controller_hostname,
-        keystone_admin_token   => $keystoneconfig['admin_token'],
-        keystone_auth_host     => $keystoneconfig['bind_ip'],
-        keystone_auth_protocol => $keystoneconfig['auth_protocol'],
-        keystone_auth_port     => $keystoneconfig['auth_port'],
-        dhcp_domain            => 'eqiad',
-    }
-    $designateconfig = merge($eqiaddesignateconfig, $commondesignateconfig)
-}
-
 class role::labs::openstack::designate::server {
 
-    include role::labs::openstack::designate::config::eqiad
+    include openstack
 
-    # Firewall
-    $wikitech = ipresolve('wikitech.wikimedia.org',4)
-    $horizon = ipresolve('horizon.wikimedia.org',4)
-    $controller = ipresolve(hiera('labs_nova_controller'),4)
+    $keystone_host   = hiera('labs_keystone_host')
+    $nova_controller = hiera('labs_nova_controller')
+    $keystoneconfig  = hiera_hash('keystoneconfig', {})
+    $designateconfig = hiera_hash('designateconfig', {})
 
-    $designateconfig = $::site ? {
-        'eqiad' => 
$role::labs::openstack::designate::config::eqiad::designateconfig,
-    }
+    $wikitech_ip   = ipresolve('wikitech.wikimedia.org',4)
+    $horizon_ip    = ipresolve('horizon.wikimedia.org',4)
+    $controller_ip = ipresolve($nova_controller,4)
+
+    $designateconfig['auth_uri']               = 
"http://${nova_controller}:5000";
+    $designateconfig['keystone_auth_host']     = ipresolve($keystone_host,4)
+    $designateconfig['keystone_auth_port']     = $keystoneconfig['auth_port']
+    $designateconfig['keystone_admin_token']   = $keystoneconfig['admin_token']
+    $designateconfig['keystone_auth_protocol'] = 
$keystoneconfig['auth_protocol']
 
     class { 'openstack::designate::service':
-        designateconfig      => $designateconfig,
+        designateconfig => $designateconfig,
     }
 
     # Poke a firewall hole for the designate api
     ferm::rule { 'designate-api':
-        rule => "saddr (${wikitech} ${horizon} ${controller}) proto tcp dport 
(9001) ACCEPT;",
+        rule => "saddr (${wikitech_ip} ${horizon_ip} ${controller_ip}) proto 
tcp dport (9001) ACCEPT;",
     }
 
     file { '/var/lib/designate/.ssh/':
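Review bot: The five `$designateconfig['…'] = …` element assignments mutate the hash returned by hiera_hash; the classic Puppet 3 parser tolerates appending new keys this way, but it is rejected by the future parser and Puppet 4, and the class this commit removes built the same hash with `merge()`, so the new code is a step backwards in portability. Building the final hash with merge() over the hiera base and a small literal of the keystone-derived keys keeps the hash immutable and reads the same. `keystone_auth_host` also changes from the old `$keystoneconfig['bind_ip']` to `ipresolve($keystone_host,4)`; these appear to be equivalent (the removed eqiad config computed bind_ip the same way), but worth confirming against the template. The class body continues past the end of the hunk.
```puppet
    $keystone_host   = hiera('labs_keystone_host')
    $nova_controller = hiera('labs_nova_controller')
    $keystoneconfig  = hiera_hash('keystoneconfig', {})

    # … unchanged: ipresolve lookups for wikitech, horizon and the controller …

    # Static and private keys come from hiera; the keystone-derived ones are
    # computed here.  merge() keeps the hash immutable (classic and future parser).
    $designateconfig = merge(hiera_hash('designateconfig', {}), {
        'auth_uri'               => "http://${nova_controller}:5000",
        'keystone_auth_host'     => ipresolve($keystone_host, 4),
        'keystone_auth_port'     => $keystoneconfig['auth_port'],
        'keystone_admin_token'   => $keystoneconfig['admin_token'],
        'keystone_auth_protocol' => $keystoneconfig['auth_protocol'],
    })
```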
diff --git a/manifests/role/labs/openstack/glance.pp 
b/manifests/role/labs/openstack/glance.pp
index 90720f8..545da92 100644
--- a/manifests/role/labs/openstack/glance.pp
+++ b/manifests/role/labs/openstack/glance.pp
@@ -1,46 +1,14 @@
-class role::labs::openstack::glance::config {
-
-    include passwords::openstack::glance
-    include passwords::labs::rabbitmq
-
-    $commonglanceconfig = {
-        db_name     => 'glance',
-        db_user     => 'glance',
-        db_pass     => $passwords::openstack::glance::glance_db_pass,
-        rabbit_user => $passwords::labs::rabbitmq::rabbit_userid,
-        rabbit_pass => $passwords::labs::rabbitmq::rabbit_password,
-    }
-}
-
-class role::labs::openstack::glance::config::eqiad inherits 
role::labs::openstack::glance::config {
-
-    include role::labs::openstack::keystone::config::eqiad
-
-    $keystoneconfig = 
$role::labs::openstack::keystone::config::eqiad::keystoneconfig
-    $keystone_host  = hiera('labs_keystone_host')
-    $db_host        = 'm5-master.eqiad.wmnet'
-    $bind_ip        = $::ipaddress_eth0
-    $auth_uri       = "http://${keystone_host}:5000";
-
-    $eqiadglanceconfig = {
-        db_host                => $db_host,
-        bind_ip                => $bind_ip,
-        auth_uri               => $auth_uri,
-        keystone_admin_token   => $keystoneconfig['admin_token'],
-        keystone_auth_host     => $keystoneconfig['bind_ip'],
-        keystone_auth_protocol => $keystoneconfig['auth_protocol'],
-        keystone_auth_port     => $keystoneconfig['auth_port'],
-    }
-    $glanceconfig = merge($eqiadglanceconfig, $commonglanceconfig)
-}
-
 class role::labs::openstack::glance::server {
 
-    include role::labs::openstack::glance::config::eqiad
+    $keystone_host   = hiera('labs_keystone_host')
+    $keystoneconfig  = hiera_hash('keystoneconfig', {})
+    $glanceconfig    = hiera_hash('glanceconfig', {})
 
-    $glanceconfig = $::site ? {
-        'eqiad' => $role::labs::openstack::glance::config::eqiad::glanceconfig,
-    }
+    $glanceconfig['auth_uri']               = "http://${keystone_host}:5000";
+    $glanceconfig['keystone_auth_host']     = ipresolve($keystone_host,4)
+    $glanceconfig['keystone_auth_port']     = $keystoneconfig['auth_port']
+    $glanceconfig['keystone_admin_token']   = $keystoneconfig['admin_token']
+    $glanceconfig['keystone_auth_protocol'] = $keystoneconfig['auth_protocol']
 
     class { 'openstack::glance::service':
         glanceconfig      => $glanceconfig,
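Review bot: The `$glanceconfig['auth_uri'] = …` through `$glanceconfig['keystone_auth_protocol'] = …` lines mutate the hash returned by hiera_hash, which only the classic Puppet 3 parser accepts (and only for keys not already present); the removed config::eqiad class produced the same result with merge(), so replace the five assignments with a single `$glanceconfig = merge(hiera_hash('glanceconfig', {}), { … })` carrying the same five keys. `$keystoneconfig['admin_token']` is a lookup into a hash that is only populated with secrets if private hiera defines them under `keystoneconfig`; if it does not, the value is silently undef and the rendered glance config ends up with an empty admin token rather than a compile failure, so a `fail()` when the key is absent would be safer. The `class { 'openstack::glance::service':` declaration continues past the end of the hunk.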
diff --git a/manifests/role/labs/openstack/keystone.pp 
b/manifests/role/labs/openstack/keystone.pp
index e28ad25..7ed30b2 100644
--- a/manifests/role/labs/openstack/keystone.pp
+++ b/manifests/role/labs/openstack/keystone.pp
@@ -1,61 +1,11 @@
-class role::labs::openstack::keystone::config {
+class role::labs::openstack::keystone::server {
 
-    include passwords::openstack::keystone
-
-    $commonkeystoneconfig = {
-        db_name                    => 'keystone',
-        db_user                    => 'keystone',
-        db_pass                    => 
$passwords::openstack::keystone::keystone_db_pass,
-        ldap_base_dn               => 'dc=wikimedia,dc=org',
-        ldap_user_dn               => 
'uid=novaadmin,ou=people,dc=wikimedia,dc=org',
-        ldap_user_id_attribute     => 'uid',
-        ldap_tenant_id_attribute   => 'cn',
-        ldap_user_name_attribute   => 'uid',
-        ldap_tenant_name_attribute => 'cn',
-        ldap_user_pass             => 
$passwords::openstack::keystone::keystone_ldap_user_pass,
-        ldap_proxyagent            => 
'cn=proxyagent,ou=profile,dc=wikimedia,dc=org',
-        ldap_proxyagent_pass       => 
$passwords::openstack::keystone::keystone_ldap_proxyagent_pass,
-        auth_protocol              => 'http',
-        auth_port                  => '35357',
-        admin_token                => 
$passwords::openstack::keystone::keystone_admin_token,
-        token_driver_password      => 
$passwords::openstack::keystone::keystone_db_pass,
-    }
-}
-
-class role::labs::openstack::keystone::config::eqiad inherits 
role::labs::openstack::keystone::config {
-
-    $keystone_host = hiera('labs_keystone_host')
-
-    $eqiadkeystoneconfig = {
-        db_host      => 'm5-master.eqiad.wmnet',
-        ldap_host    => 'ldap-eqiad.wikimedia.org',
-        bind_ip      => ipresolve($keystone_host,4),
-        # Temporarily disable the redis keystone driver... it doesn't work in 
icehouse
-        token_driver => 'normal',
-    }
-    $keystoneconfig = merge($eqiadkeystoneconfig, $commonkeystoneconfig)
-}
-
-class role::labs::openstack::keystone::server ($glanceconfig) {
-
-    include role::labs::openstack::keystone::config::eqiad
-    include role::labs::openstack::keystone::redis
-
-    $keystoneconfig = $::site ? {
-        'eqiad' => 
$role::labs::openstack::keystone::config::eqiad::keystoneconfig,
-    }
+    $nova_controller   = hiera('labs_nova_controller')
+    $keystoneconfig    = hiera_hash('keystoneconfig', {})
 
     class { 'openstack::keystone::service':
         keystoneconfig => $keystoneconfig,
-        glanceconfig => $glanceconfig,
     }
-}
-
-class role::labs::openstack::keystone::redis {
-
-    include passwords::openstack::keystone
-
-    $nova_controller = hiera('labs_nova_controller')
 
     $replication = {
         'labcontrol2001' => $nova_controller
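Review bot: The hiera-sourced keystoneconfig no longer contains `bind_ip` (the removed eqiad hash set `bind_ip => ipresolve($keystone_host,4)`), and the only template line updated in this change is admin_port in keystone.conf.erb; if `openstack::keystone::service` or its templates still read `@keystoneconfig["bind_ip"]`, keystone will now bind to an empty address — I cannot see the module, so please grep for it. Likewise `openstack::keystone::service` is now declared without `glanceconfig`, which only works if the module class has dropped that parameter in a separate change. The `$replication = {` hash and the redis declaration continue past the end of the hunk.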
@@ -65,7 +15,7 @@
         maxmemory                 => '250mb',
         persist                   => 'aof',
         redis_replication         => $replication,
-        password                  => 
$passwords::openstack::keystone::keystone_db_pass,
+        password                  => $keystoneconfig['db_pass'],
         dir                       => '/var/lib/redis/',
         auto_aof_rewrite_min_size => '64mb',
     }
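Review bot: `password => $keystoneconfig['db_pass']` now depends on private hiera supplying db_pass under the `keystoneconfig` key; if the key is missing, the lookup yields undef and redis — which is replicated to labcontrol2001 per the `$replication` map — is configured without a password instead of the catalog failing. A guard before the redis declaration would turn that into a visible error: `if $keystoneconfig['db_pass'] == undef { fail('keystoneconfig[db_pass] must be set in private hiera') }`. Reusing the keystone database password as the redis password is pre-existing behaviour, not introduced here, but moving it to hiera would be a good moment to give redis its own secret.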
diff --git a/manifests/role/labs/openstack/nova.pp 
b/manifests/role/labs/openstack/nova.pp
index ed27ff3..5cd3e8f 100644
--- a/manifests/role/labs/openstack/nova.pp
+++ b/manifests/role/labs/openstack/nova.pp
@@ -37,6 +37,8 @@
 # This is the wikitech UI
 class role::labs::openstack::nova::manager {
 
+    requires_realm('production')
+
     include ::nutcracker::monitoring
     include ::mediawiki::packages::php5
     include ::mediawiki::cgroup
@@ -45,17 +47,7 @@
     include role::labs::openstack::nova::common
     $novaconfig = $role::labs::openstack::nova::common::novaconfig
 
-    case $::realm {
-        'production': {
-            $certificate = 'wikitech.wikimedia.org'
-        }
-        default: {
-            fail('unknown realm')
-        }
-    }
-
     sslcert::certificate { $certificate: }
-
     monitoring::service { 'https':
         description   => 'HTTPS',
         check_command => "check_ssl_http!${certificate}",
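Review bot: Removing the `case $::realm` block also removes the only assignment of `$certificate`, but `sslcert::certificate { $certificate: }` and `check_ssl_http!${certificate}` still use it, so the resource title becomes undef/empty and the catalog will fail (or declare a nameless certificate). The realm check is now done by requires_realm('production') in the earlier hunk, so keep the assignment itself: `$certificate = 'wikitech.wikimedia.org'` directly above `sslcert::certificate { $certificate: }`. The enclosing class role::labs::openstack::nova::manager starts before this hunk.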
@@ -110,37 +102,27 @@
 class role::labs::openstack::nova::controller {
 
     require openstack
+    include ::openstack::controller_firewall
+
     include role::labs::puppetmaster
-    include role::labs::openstack::glance::config::eqiad
     include role::labs::openstack::nova::wikiupdates
+    include role::labs::openstack::glance::server
+    include role::labs::openstack::keystone::server
 
     include role::labs::openstack::nova::common
     $novaconfig = $role::labs::openstack::nova::common::novaconfig
 
-    $glanceconfig = $::site ? {
-        'eqiad' => $role::labs::openstack::glance::config::eqiad::glanceconfig,
-    }
-    $keystoneconfig = $::site ? {
-        'eqiad' => 
$role::labs::openstack::keystone::config::eqiad::keystoneconfig,
-    }
-
     class { '::openstack::nova::conductor':
-        novaconfig        => $novaconfig,
-    }
-    class { '::openstack::nova::scheduler':
-        novaconfig        => $novaconfig,
-    }
-    class { '::openstack::glance::service':
-        glanceconfig      => $glanceconfig,
-    }
-    class { '::openstack::queue-server':
-        novaconfig        => $novaconfig,
-    }
-    class { 'role::labs::openstack::keystone::server':
-        glanceconfig => $glanceconfig,
+        novaconfig => $novaconfig,
     }
 
-    class { '::openstack::controller_firewall': }
+    class { '::openstack::nova::scheduler':
+        novaconfig => $novaconfig,
+    }
+
+    class { '::openstack::queue-server':
+        novaconfig => $novaconfig,
+    }
 
     class { '::openstack::adminscripts':
         novaconfig => $novaconfig
@@ -172,8 +154,8 @@
 class role::labs::openstack::nova::network {
 
     require openstack
-    include role::labs::openstack::nova::common
     include role::labs::openstack::nova::wikiupdates
+    include role::labs::openstack::nova::common
     $novaconfig = $role::labs::openstack::nova::common::novaconfig
 
     interface::ip { 'openstack::network_service_public_dynamic_snat':
@@ -241,7 +223,7 @@
     }
 
     class { '::openstack::nova::compute':
-        novaconfig        => $novaconfig,
+        novaconfig => $novaconfig,
     }
 
     mount { '/var/lib/nova/instances':
diff --git a/manifests/site.pp b/manifests/site.pp
index a5ab8d9..2944221 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -1032,25 +1032,17 @@
 
 # Holmium hosts openstack-designate, the labs DNS service.
 node 'holmium.wikimedia.org' {
-    role labsdns
+    role labsdns, labs::openstack::designate::server, labsdnsrecursor
     include standard
-
     include base::firewall
-    include role::labsdnsrecursor
-    include role::labs::openstack::designate::server
-
     include ldap::role::client::labs
 }
 
 # labservices1001 will be the new holmium
 node 'labservices1001.wikimedia.org' {
-    role labsdns
+    role labsdns, labsdnsrecursor, labs::openstack::designate::server
     include standard
-
     include base::firewall
-    include role::labsdnsrecursor
-    include role::labs::openstack::designate::server
-
     include ldap::role::client::labs
 }
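Review bot: holmium lists its roles as `labsdns, labs::openstack::designate::server, labsdnsrecursor` while labservices1001, described as its replacement, lists `labsdns, labsdnsrecursor, labs::openstack::designate::server`. The commit message says the role keyword is needed for lookup; if that lookup is keyed on the role order (e.g. the first role named), the two hosts would resolve different role-level hiera data despite being meant to be identical — I cannot see the role() function, so treat this as something to confirm. Either way, use the same order on both nodes, e.g. `role labsdns, labsdnsrecursor, labs::openstack::designate::server`.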
 
@@ -1159,13 +1151,14 @@
 node 'labcontrol1001.wikimedia.org' {
     $is_puppet_master      = true
     $is_labs_puppet_master = true
-    role labs::openstack::nova::controller
+
+    role labs::openstack::nova::controller,
+         salt::masters::labs,
+         deployment::salt_masters,
+         dns::ldap
 
     include standard
     include ldap::role::client::labs
-    include role::salt::masters::labs
-    include role::deployment::salt_masters
-    include role::dns::ldap
 
     # Monitoring checks for toollabs that page
     include toollabs::monitoring::icinga
@@ -1180,11 +1173,13 @@
     $is_puppet_master      = true
     $is_labs_puppet_master = true
 
-    role labs::openstack::nova::controller
+    role labs::openstack::nova::controller,
+         salt::masters::labs,
+         deployment::salt_masters
+
     include standard
     include ldap::role::client::labs
-    include role::salt::masters::labs
-    include role::deployment::salt_masters
+
     # The dns controller grabs an IP, so leave this disabled until/unless
     #  this server is the primary labs controller.
     #include role::dns::ldap
@@ -1213,15 +1208,13 @@
 }
 
 node 'labnet1001.eqiad.wmnet' {
-
     role labs::openstack::nova::api
     include standard
 }
 
 node 'labnet1002.eqiad.wmnet' {
-    role labs::openstack::nova::api
+    role labs::openstack::nova::api, labs::openstack::nova::network
     include standard
-    include role::labs::openstack::nova::network
 }
 
 node 'labnodepool1001.eqiad.wmnet' {
@@ -1279,7 +1272,6 @@
 
 node /labstore100[12]\.eqiad\.wmnet/ {
     role labs::nfs::fileserver
-
 }
 
 node 'labstore1003.eqiad.wmnet' {
@@ -1288,7 +1280,6 @@
 
 node /labstore200[12]\.codfw\.wmnet/ {
     $cluster = 'labsnfs'
-
     role labs::nfs::fileserver
 }
 
diff --git a/modules/openstack/templates/kilo/keystone/keystone.conf.erb 
b/modules/openstack/templates/kilo/keystone/keystone.conf.erb
index e732694..f53b21f 100644
--- a/modules/openstack/templates/kilo/keystone/keystone.conf.erb
+++ b/modules/openstack/templates/kilo/keystone/keystone.conf.erb
@@ -49,7 +49,7 @@
 # public_port = 5000
 
 # The port number which the public admin listens on
-admin_port = <%= @glanceconfig["keystone_auth_port"] %>
+admin_port = <%= @keystoneconfig["auth_port"] %>
 
 # The port number which the OpenStack Compute service listens on
 # compute_port = 8774
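Review bot: This is the only template line switched from `@glanceconfig` to `@keystoneconfig`, while keystone.pp in this change stops passing glanceconfig to `openstack::keystone::service` entirely; any other `@glanceconfig` reference in this template or in the sibling kilo templates will now render empty, so a grep across modules/openstack/templates is warranted. Not introduced here, but since the admin endpoint settings are being consolidated: `auth_protocol: 'http'` for the 35357 admin port and a long-lived static `admin_token` shared with glance and designate are the two values most worth revisiting once the hiera move settles.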


Gerrit-MessageType: newchange
Gerrit-Change-Id: Ib7080dce519c99c5368d01380c8708ec43c069ce
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Rush <[email protected]>
