Faidon Liambotis has uploaded a new change for review.
https://gerrit.wikimedia.org/r/260926
Change subject: network: add $production_networks
......................................................................
network: add $production_networks
This includes all the networks under the "production" realm (public +
private).
It's a little hacky right now; we probably need a better way to make
arbitrary lookups on our network data structure (per realm, per
public/private, per afi, etc.) and to be able to use it in a consistent
way from both ferm and the rest of our puppet code (e.g. various
application-specific ACLs).
Bug: T122396
Change-Id: I4369dfed0f0645ae37432cbfbe172e38330fa57e
---
M manifests/network.pp
M modules/base/templates/firewall/defs.erb
2 files changed, 16 insertions(+), 4 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/26/260926/1
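The commit message asks for a better way to run arbitrary lookups (per realm, per public/private sphere, per address family) over the network data structure and to consume the result consistently from both ferm and the rest of the Puppet code. The Ruby below is an added example written for this review, not code from the change or from operations/puppet. It assumes the nested shape that the hunk in manifests/network.pp walks (realm -> site -> sphere -> subnet name -> {'ipv4' => prefix, 'ipv6' => prefix}); NETWORK_SUBNETS is constructed sample data using documentation and RFC 1918 prefixes, and the names network_lookup and ferm_def are the example's own.

```ruby
# Added example, not code from the change under review or from the
# operations/puppet repository. It models the nested structure the patch walks
# (realm -> site -> sphere -> subnet name -> {'ipv4' => prefix, 'ipv6' => prefix})
# and provides one lookup that returns a real Array for any combination of
# realm / site / sphere / address family, plus a ferm @def renderer.
# NETWORK_SUBNETS is constructed sample data (documentation and RFC 1918
# prefixes); it is not Wikimedia's real network data.

NETWORK_SUBNETS = {
  'production' => {
    'eqiad' => {
      'public' => {
        'public1-a-eqiad' => { 'ipv4' => '198.51.100.0/24', 'ipv6' => '2001:db8:1::/64' },
      },
      'private' => {
        'private1-a-eqiad' => { 'ipv4' => '10.64.0.0/22', 'ipv6' => '2001:db8:2::/64' },
        'mgmt-eqiad'       => { 'ipv4' => '10.65.0.0/16' }, # no 'ipv6' key at all
      },
    },
    'codfw' => {
      'private' => {
        'private1-a-codfw' => { 'ipv4' => '10.192.0.0/22', 'ipv6' => '2001:db8:3::/64' },
      },
    },
  },
  'labs' => {
    'eqiad' => {
      'private' => {
        'labs-instances1-a' => { 'ipv4' => '10.68.0.0/24', 'ipv6' => nil }, # explicit nil
      },
    },
  },
}.freeze

AFIS = %w[ipv4 ipv6].freeze

# Collect prefixes matching the given criteria. Each of realm, site, sphere
# and afi may be nil, meaning "any". Missing keys and nil prefixes are skipped
# (the nested collect/compact in the patch does the same), duplicates are
# dropped, and an unknown realm yields [] instead of a NoMethodError on nil.
def network_lookup(data, realm: nil, site: nil, sphere: nil, afi: nil)
  afis = afi.nil? ? AFIS : [afi.to_s]
  unknown = afis - AFIS
  raise ArgumentError, "unknown address family: #{unknown.join(', ')}" unless unknown.empty?

  prefixes = []
  data.each do |r, sites|
    next if realm && r != realm
    sites.each do |s, spheres|
      next if site && s != site
      spheres.each do |sp, subnets|
        next if sphere && sp != sphere
        subnets.each_value do |addrs|
          afis.each { |a| prefixes << addrs[a] if addrs[a] }
        end
      end
    end
  end
  prefixes.uniq
end

# Render a ferm variable definition in the same shape defs.erb emits
# ("@def $NAME = (net1 net2 ...);"). An empty list is refused rather than
# rendered as "()" so that a typo in a realm or sphere name cannot silently
# produce a definition that matches nothing.
def ferm_def(name, prefixes)
  raise ArgumentError, "refusing to emit an empty definition for $#{name}" if prefixes.empty?
  "@def $#{name} = (#{prefixes.join(' ')});"
end

if __FILE__ == $PROGRAM_NAME
  v4 = network_lookup(NETWORK_SUBNETS, realm: 'production', afi: 'ipv4')
  v6 = network_lookup(NETWORK_SUBNETS, realm: 'production', afi: 'ipv6')
  puts ferm_def('PRODUCTION_NETWORKS_IPV4', v4)
  puts ferm_def('PRODUCTION_NETWORKS_IPV6', v6)
  puts ferm_def('PRODUCTION_NETWORKS', v4 + v6)
end
```

Because the lookup returns a real Array rather than a template's string rendering of one, callers such as Puppet's flatten() or the `.each` loops in defs.erb see individual prefixes, and the same function can back both the ferm definitions and application-specific ACLs.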
diff --git a/manifests/network.pp b/manifests/network.pp
index 564b22d..36b0095 100644
--- a/manifests/network.pp
+++ b/manifests/network.pp
@@ -14,6 +14,8 @@
'2a02:ec80::/32',
]
+ # are you really sure you want to use this? maybe what you really need is
+ # the trusted/production networks. See $production_networks for this.
$all_networks = flatten([$external_networks, '10.0.0.0/8'])
$all_networks_lo = flatten([$all_networks, '127.0.0.0/8', '::1/128'])
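Review bot: the comment added above $all_networks steers readers to $production_networks but never says what $all_networks itself covers or when it remains the right choice; the definition just below shows it is $external_networks plus the whole of 10.0.0.0/8, i.e. every realm, not only production. Suggest saying that outright, e.g. `# $all_networks spans every realm (external networks + 10.0.0.0/8).` followed by `# For rules that should admit only production hosts, use $production_networks instead.`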
@@ -319,6 +321,9 @@
},
}
+ $production_networks_ipv4 = inline_template("<%=
@all_network_subnets['production'].collect { |site, a| a.collect { |sphere, b|
b.collect { |subnet, c| c['ipv4'] } } }.flatten.compact %>")
+ $production_networks_ipv6 = inline_template("<%=
@all_network_subnets['production'].collect { |site, a| a.collect { |sphere, b|
b.collect { |subnet, c| c['ipv6'] } } }.flatten.compact %>")
+ $production_networks = flatten([$production_networks_ipv4,
$production_networks_ipv6])
# Networks hosting MediaWiki application servers
if $::realm == 'production' {
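Review bot: inline_template returns a String, so $production_networks_ipv4 and $production_networks_ipv6 hold the Ruby to_s rendering of the collected array rather than an array; flatten([...]) on the following line then yields a two-element array of those two strings, and the `.each` loops that defs.erb runs over these variables iterate over the strings instead of over individual prefixes. Either hand back a real array (a small parser function doing this walk), or render the list with a separator in the template, e.g. `.flatten.compact.join(' ')`, and split it back in Puppet with split($production_networks_ipv4, ' '). Two smaller points on the same lines: `@all_network_subnets['production']` raises NoMethodError on nil if the hash has no 'production' key, which is worth guarding with `(@all_network_subnets['production'] || {})` given that the code immediately below is realm-conditional; and the block parameters site, sphere and subnet are unused, so `values.map` / `flat_map` would read more clearly than the three nested collects.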
diff --git a/modules/base/templates/firewall/defs.erb
b/modules/base/templates/firewall/defs.erb
index 0aab1ec..6b46451 100644
--- a/modules/base/templates/firewall/defs.erb
+++ b/modules/base/templates/firewall/defs.erb
@@ -3,12 +3,23 @@
all_networks = scope.lookupvar('network::constants::all_networks')
all_network_subnets =
scope.lookupvar('network::constants::all_network_subnets')
special_hosts = scope.lookupvar('network::constants::special_hosts')
+production_networks =
scope.lookupvar('network::constants::production_networks')
+production_networks_ipv4 =
scope.lookupvar('network::constants::production_networks_ipv4')
+production_networks_ipv6 =
scope.lookupvar('network::constants::production_networks_ipv6')
analytics_networks = scope.lookupvar('network::constants::analytics_networks')
mw_appserver_networks =
scope.lookupvar('network::constants::mw_appserver_networks')
-%>
+@def $INTERNAL_V4 = (10.0.0.0/8);
+@def $INTERNAL_V6 = (2620:0:100::/56);
+@def $INTERNAL = ($INTERNAL_V4 $INTERNAL_V6);
@def $EXTERNAL_NETWORKS = (<%- external_networks.each do |external_net| -%><%=
external_net %> <% end -%>);
@def $ALL_NETWORKS = (<%- all_networks.each do |net| -%><%= net %> <% end -%>);
+
+@def $PRODUCTION_NETWORKS = (<%- production_networks.each do |net| -%><%= net
%> <% end -%>);
+@def $PRODUCTION_NETWORKS_IPV4 = (<%- production_networks_ipv4.each do |net|
-%><%= net %> <% end -%>);
+@def $PRODUCTION_NETWORKS_IPV6 = (<%- production_networks_ipv6.each do |net|
-%><%= net %> <% end -%>);
+
@def $ANALYTICS_NETWORKS = (<%- analytics_networks.each do |net| -%><%= net %>
<% end -%>);
@def $MW_APPSERVER_NETWORKS = (<%- mw_appserver_networks.each do |net| -%><%=
net %> <% end -%>);
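Review bot: $INTERNAL_V4 (10.0.0.0/8) and $INTERNAL_V6 (2620:0:100::/56) now sit directly next to the new $PRODUCTION_NETWORKS* definitions but remain hardcoded, while the production lists are derived from network::constants, and 10.0.0.0/8 is also hardcoded separately in manifests/network.pp for $all_networks. With $INTERNAL and $PRODUCTION_NETWORKS both describing "our hosts" with different membership (a flat /8 and a /56 versus the per-site subnets), the file should say when each is the intended choice, or $INTERNAL should be derived from the same constants so the two cannot drift apart. A one-line comment above `@def $INTERNAL_V4 = (10.0.0.0/8);` stating the distinction would be enough for now.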
@@ -37,7 +48,3 @@
<%- end -%>
<%- end -%>
<%- end -%>
-
-@def $INTERNAL_V4 = (10.0.0.0/8);
-@def $INTERNAL_V6 = (2620:0:100::/56);
-@def $INTERNAL = ($INTERNAL_V4 $INTERNAL_V6);
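Review bot: this hunk is a pure relocation of the three $INTERNAL definitions from the bottom of defs.erb to its top (the identical lines appear as additions in the previous hunk), which is unrelated to adding $production_networks and is not mentioned in the commit message. Either split the move into its own change or add a sentence to the commit message explaining why the definitions need to come first, so a later reader does not have to guess whether ordering matters for something referencing $INTERNAL earlier in the file.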
--
To view, visit https://gerrit.wikimedia.org/r/260926
Gerrit-MessageType: newchange
Gerrit-Change-Id: I4369dfed0f0645ae37432cbfbe172e38330fa57e
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Faidon Liambotis <[email protected]>
_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits