Ottomata has submitted this change and it was merged.

Change subject: Hieraize keyholder::agent configuration
......................................................................


Hieraize keyholder::agent configuration

Move keyholder::agent configuration to hiera to simplify keyholder
configuration. Proliferation of *::deploy::source classes is messy
and complicates the already too complex process of adding a new
service group/key to the deployment masters.

Bug: T130419
Change-Id: Id5002cc9449deb0223f27af67a30a86c6187bfd9
---
M hieradata/labs/deployment-prep/common.yaml
M hieradata/role/common/deployment/server.yaml
M modules/admin/data/data.yaml
D modules/eventlogging/manifests/deployment/source.pp
M modules/keyholder/manifests/agent.pp
D modules/phabricator/manifests/deployment/source.pp
M modules/role/manifests/deployment/server.pp
D modules/role/manifests/deployment/services.pp
A modules/scap/manifests/server.pp
9 files changed, 78 insertions(+), 93 deletions(-)

Approvals:
  Ottomata: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/hieradata/labs/deployment-prep/common.yaml 
b/hieradata/labs/deployment-prep/common.yaml
index 92d06e0..7ca3da6 100644
--- a/hieradata/labs/deployment-prep/common.yaml
+++ b/hieradata/labs/deployment-prep/common.yaml
@@ -212,3 +212,16 @@
             deployment-kafka02.deployment-prep.eqiad.wmflabs:
                 id: 1
 
+keyholder::agents:
+  phabricator:
+    trusted_group: project-%{::labsproject}
+    key_fingerprint: 39:b3:2c:a7:b2:80:65:ff:0c:97:e1:22:88:6c:59:10
+    key_secret: phabricator/phab_deploy_private_key
+  eventlogging:
+    trusted_group: project-%{::labsproject}
+    key_fingerprint: 02:9b:99:e2:f0:16:70:a3:d2:5a:e6:02:a3:73:0e:b0
+    key_file: eventlogging_rsa
+  deploy-service:
+    trusted_group: deploy-service
+    key_fingerprint: 6d:54:92:8b:39:10:f5:9b:84:40:36:ef:3c:9a:6d:d8
+    key_file: servicedeploy_rsa
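Review bot: The deployment-prep entries lose the operational note that the deleted eventlogging::deployment::source carried about where the labs private key lives, so a reader of this hash no longer knows which repository must contain `eventlogging_rsa` and `servicedeploy_rsa` when an entry relies on `key_file` alone. Add a comment above `keyholder::agents:`, e.g. `# Consumed by scap::server via hiera_hash(); entries that only set key_file expect the private key under files/ssh/tin of the labs private puppet repo.` Note also that `key_file: eventlogging_rsa` equals the define's default `${name}_rsa` and could be dropped, whereas `servicedeploy_rsa` differs from the default `deploy-service_rsa` and must stay.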
diff --git a/hieradata/role/common/deployment/server.yaml 
b/hieradata/role/common/deployment/server.yaml
index e7a047b..a4675f3 100644
--- a/hieradata/role/common/deployment/server.yaml
+++ b/hieradata/role/common/deployment/server.yaml
@@ -6,6 +6,7 @@
   - wdqs-admins
   - eventlogging-admins
   - aqs-admins
+  - deploy-phabricator
 debdeploy::grains:
   debdeploy-deployment:
     value: standard
@@ -23,9 +24,20 @@
       light_process_count: 0
       light_process_file_prefix:
 
-# Override keyholder_group for role::deployment::services
-# so that aqs-admins can deploy AQS via scap using the
-# deploy-service key.
-role::deployment::services::keyholder_group:
-    - deploy-service
-    - aqs-admins
+keyholder::agents:
+  phabricator:
+    trusted_group: deploy-phabricator
+    key_fingerprint: 39:b3:2c:a7:b2:80:65:ff:0c:97:e1:22:88:6c:59:10
+    key_secret: phabricator/phab_deploy_private_key
+  eventlogging:
+    trusted_group: eventlogging-admins
+    key_fingerprint: b6:4e:1a:1b:4b:70:ef:91:31:cd:a3:18:9a:ca:41:44
+  deploy-service:
+    trusted_group:
+      - deploy-service
+      - aqs-admins
+    key_fingerprint: 6d:54:92:8b:39:10:f5:9b:84:40:36:ef:3c:9a:6d:d8
+    key_file: servicedeploy_rsa
+  dumpsdeploy:
+    trusted_group: ops
+    key_fingerprint: 86:c9:17:ab:b7:00:79:b5:8a:c5:b5:ee:29:24:c9:2f'
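Review bot: The `dumpsdeploy` fingerprint on the last added line ends in a stray `'`, so the plain YAML scalar becomes `86:c9:…:2f'`; keyholder::agent then writes that into `/etc/keyholder-auth.d/dumpsdeploy.yml` inside its own single quotes, which will not match the real key fingerprint and quite possibly will not parse as YAML at all. It should read `key_fingerprint: 86:c9:17:ab:b7:00:79:b5:8a:c5:b5:ee:29:24:c9:2f`. The removed comment explaining why `aqs-admins` is in the deploy-service `trusted_group` is also lost; keep it as a YAML comment above that entry, e.g. `# aqs-admins deploy AQS via scap using the deploy-service key.`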
diff --git a/modules/admin/data/data.yaml b/modules/admin/data/data.yaml
index 9ed5d59..e40b53f 100644
--- a/modules/admin/data/data.yaml
+++ b/modules/admin/data/data.yaml
@@ -494,6 +494,12 @@
     members: [krenair]
     privileges: ['ALL = (ALL) NOPASSWD: ALL']
 
+  deploy-phabricator:
+    description: Group of phabricator deployers
+    gid: 777
+    members: [twentyafterfour,demon,rush]
+    privileges: []
+
 users:
   rush:
     ensure: present
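Review bot: Nothing in the new group entry says what membership grants, yet in this same change `deploy-phabricator` becomes the keyholder `trusted_group` for the phabricator deploy key, so adding a member here gives them use of that key on the deployment server. Make that explicit in the description, e.g. `description: Group of phabricator deployers (keyholder trusted_group for the phabricator deploy key)`. Whether `gid: 777` collides with another group cannot be checked from this hunk.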
diff --git a/modules/eventlogging/manifests/deployment/source.pp 
b/modules/eventlogging/manifests/deployment/source.pp
deleted file mode 100644
index 35420e9..0000000
--- a/modules/eventlogging/manifests/deployment/source.pp
+++ /dev/null
@@ -1,39 +0,0 @@
-# == Class eventlogging::deployment::source
-# Include this class on a scap3 deployment server,
-# e.g. tin, deployment-tin, etc.
-# It sets up private keys and adds them to keyholder,
-# allowing certain groups to deploy via ssh using
-# the configured ssh key for the deploy user.
-#
-class eventlogging::deployment::source {
-    require ::keyholder
-    require ::keyholder::monitoring
-
-    $key_fingerprint = $::realm ? {
-        'labs'       => $::labsproject ? {
-            'deployment-prep' => 
'02:9b:99:e2:f0:16:70:a3:d2:5a:e6:02:a3:73:0e:b0',
-            default           => undef,
-        },
-        'production' => 'b6:4e:1a:1b:4b:70:ef:91:31:cd:a3:18:9a:ca:41:44',
-        default      => undef,
-    }
-
-    if !$key_fingerprint {
-        fail('Could not determine keyholder key_fingerprint for scap when 
setting up eventlogging deployment source for eventlogging.')
-    }
-
-    # Use eventlogging-admins group for deployment in production,
-    # and just the current labs project group in labs.
-    $trusted_group = $::realm ? {
-        'labs'  => "project-${::labsproject}",
-        default => 'eventlogging-admins',
-    }
-
-    # For betalabs/deployment-prep, the eventlogging private key has been
-    # added to deployment-puppetmaster:/var/lib/git/private/labs/files/ssh/tin.
-    keyholder::agent { 'eventlogging':
-        trusted_group   => $trusted_group,
-        key_fingerprint => $key_fingerprint,
-        key_file        => 'eventlogging_rsa',
-    }
-}
diff --git a/modules/keyholder/manifests/agent.pp 
b/modules/keyholder/manifests/agent.pp
index 1665e20..8cdc9de 100644
--- a/modules/keyholder/manifests/agent.pp
+++ b/modules/keyholder/manifests/agent.pp
@@ -24,7 +24,7 @@
 # === Examples
 #
 #  keyholder::agent { 'mwdeploy':
-#      keyfile         => 'mwdeploy_key_rsa',
+#      key_file         => 'mwdeploy_key_rsa',
 #      trusted_group   => ['wikidev', 'mwdeploy'],
 #      key_fingerprint => '00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00'
 #      require         => Group['wikidev'],
@@ -35,7 +35,11 @@
     $key_fingerprint,
     $key_file = "${name}_rsa",
     $key_content = undef,
+    $key_secret = undef,
 ) {
+    require ::keyholder
+    require ::keyholder::monitoring
+
     file { "/etc/keyholder-auth.d/${name}.yml":
         content => inline_template("---\n<% [*@trusted_group].each do |g| 
%><%= g %>: ['<%= @key_fingerprint %>']\n<% end %>"),
         owner   => 'root',
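Review bot: The new `$key_secret` parameter arrives with no documentation hunk; the header's parameter list sits above this hunk and, judging by the diff, is left untouched, so it presumably lacks an entry for it. Add alongside the other parameter docs something like `# [*key_secret*] Name passed to secret() to fetch the private key contents, used instead of key_content; key_file still names the installed key.` The corrected example line `key_file         =>` also carries one more space than the neighbouring `=>` alignment. keyholder::agent's parameter list starts before this hunk.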
@@ -48,6 +52,10 @@
         keyholder::private_key { $key_file:
             content  => $key_content,
         }
+    } elsif $key_secret {
+        keyholder::private_key { $key_file:
+            content => secret($key_secret)
+        }
     } else {
         keyholder::private_key { $key_file:
             source  => "puppet:///private/ssh/tin/${key_file}",
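Review bot: When both `key_content` and `key_secret` are supplied the new `elsif` is never reached and `key_secret` is silently ignored, because the `if $key_content` test that starts above this hunk wins. Fail early instead: `if $key_content and $key_secret { fail("keyholder::agent[${name}]: key_content and key_secret are mutually exclusive") }`. The new `content => secret($key_secret)` line also lacks the trailing comma the sibling branches use. The enclosing if/else chain and the define body continue outside the hunk.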
diff --git a/modules/phabricator/manifests/deployment/source.pp 
b/modules/phabricator/manifests/deployment/source.pp
deleted file mode 100644
index ada4d84..0000000
--- a/modules/phabricator/manifests/deployment/source.pp
+++ /dev/null
@@ -1,25 +0,0 @@
-# == Class phabricator::deployment::source
-# Include this class on a scap3 deployment server (e.g. tin, 
deployment-bastion)
-# to configure the keyholder agent.
-#
-# This sets up private keys and adds them to keyholder, allowing members of the
-# trusted_group to deploy via ssh using the configured ssh key for the
-# deploy user.
-#
-# TODO: I'd like to move this information to hiera so that we can consolodate
-# the keyholder configuration in one place instead of scattering it around in
-# service::deployment::source classes.
-
-class phabricator::deployment::source(
-  $key_fingerprint      = '39:b3:2c:a7:b2:80:65:ff:0c:97:e1:22:88:6c:59:10',
-  $trusted_group        = 'phabricator-roots'
-) {
-    require ::keyholder
-    require ::keyholder::monitoring
-
-    keyholder::agent { 'phabricator':
-        trusted_group   => $trusted_group,
-        key_fingerprint => $key_fingerprint,
-        key_content     => secret('phabricator/phab_deploy_private_key'),
-    }
-}
diff --git a/modules/role/manifests/deployment/server.pp 
b/modules/role/manifests/deployment/server.pp
index c318aae..322bdb3 100644
--- a/modules/role/manifests/deployment/server.pp
+++ b/modules/role/manifests/deployment/server.pp
@@ -7,12 +7,12 @@
     # Can't include this while scap is present on the deployment server:
     # include misc::deployment::scripts
     include role::deployment::mediawiki
-    # NOTE: keyholder_group for role::deployment::services
-    #       is overridden in hieradata/common/deployment/server.yaml
-    include role::deployment::services
-    include eventlogging::deployment::source
-    include phabricator::deployment::source
-    include snapshot::deployment::source
+
+    # scap::server will ensure that all keyholder::agents
+    # declared in hiera will exist.  scap::server is
+    # for generic repository deployment and does not have
+    # anything to do with Mediawiki.
+    include scap::server
 
     class { 'deployment::deployment_server':
         deployment_group => $deployment_group,
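Review bot: `include snapshot::deployment::source` is dropped here, but unlike the eventlogging and phabricator classes no snapshot file is deleted in this change, so that class still exists; if anything else still includes it and it declares a `keyholder::agent` named `dumpsdeploy`, the hiera entry added in this change would produce a duplicate declaration. Worth confirming the class is now unused, or deleting it in the same change. The new comment could also say how the hiera data is read, e.g. `# scap::server creates one keyholder::agent per entry of the merged keyholder::agents hiera hash.` The enclosing class starts before this hunk.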
diff --git a/modules/role/manifests/deployment/services.pp 
b/modules/role/manifests/deployment/services.pp
deleted file mode 100644
index cecd9ca..0000000
--- a/modules/role/manifests/deployment/services.pp
+++ /dev/null
@@ -1,16 +0,0 @@
-# === Class role::deployment::services
-# Installs the keyholder agent for deploying services
-class role::deployment::services (
-    $keyholder_user  = 'deploy-service',
-    $keyholder_group = 'deploy-service',
-    $key_fingerprint  = '6d:54:92:8b:39:10:f5:9b:84:40:36:ef:3c:9a:6d:d8',
-) {
-    require ::keyholder
-    require ::keyholder::monitoring
-
-    keyholder::agent { $keyholder_user:
-        trusted_group   => $keyholder_group,
-        key_fingerprint => $key_fingerprint,
-        key_file        => 'servicedeploy_rsa',
-    }
-}
diff --git a/modules/scap/manifests/server.pp b/modules/scap/manifests/server.pp
new file mode 100644
index 0000000..543a182
--- /dev/null
+++ b/modules/scap/manifests/server.pp
@@ -0,0 +1,26 @@
+# == Class: scap::server
+#
+# Configures dependencies for a scap3 deployment server.  This includes
+# setting up ssh agent keys and repositories configured for deployment.
+#
+# This class creates keyholder::agent resources based on
+# the contents of the 'keyholder::agents' hiera variable.
+#
+# Legacy scap and mediawiki deployment dependencies are in
+# scap::master.
+#
+class scap::server {
+    require ::scap
+
+    # keyholder is an ssh agent proxy that allows members of select groups to
+    # connect using ssh keys shared with the group. This facilitates multiple
+    # deployers to deploy over ssh to corresponding scap::target instances.
+
+    # For a given deployment server, we list the details of each key in hiera
+    # under keyholder::agents, actual keys are stored in the `secret` module
+    # which is kept in a private location in the puppet modulepath.
+    $agent_keys = hiera_hash('keyholder::agents', {})
+
+    # Create an instance of keyholder::agent for each of the key specs in 
hiera:
+    create_resources('keyholder::agent', $agent_keys)
+}
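Review bot: `hiera_hash` performs a hierarchy-wide merge, and the comment above it does not say so: every level that defines `keyholder::agents` contributes entries, and with the default (non-deep) merge an agent name defined at a higher-priority level replaces the lower level's entry wholesale rather than overriding single keys. The two yaml files in this change rely on exactly that, so state it, e.g. `# hiera_hash merges keyholder::agents across all hierarchy levels; an agent defined at a higher-priority level replaces the lower one completely (no per-key override).` Since create_resources hands each entry's keys straight to keyholder::agent, an unknown key in hiera fails catalog compilation, which is a useful guard worth noting as well.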

-- 
To view, visit https://gerrit.wikimedia.org/r/279198
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Id5002cc9449deb0223f27af67a30a86c6187bfd9
Gerrit-PatchSet: 24
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: 20after4 <[email protected]>
Gerrit-Reviewer: 20after4 <[email protected]>
Gerrit-Reviewer: ArielGlenn <[email protected]>
Gerrit-Reviewer: Dzahn <[email protected]>
Gerrit-Reviewer: Mobrovac <[email protected]>
Gerrit-Reviewer: Ottomata <[email protected]>
Gerrit-Reviewer: Thcipriani <[email protected]>
Gerrit-Reviewer: Yuvipanda <[email protected]>
Gerrit-Reviewer: jenkins-bot <>
