Andrew Bogott has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/284103

Change subject: Allow horizon to query the labs puppetmaster for a list of 
classes
......................................................................

Allow horizon to query the labs puppetmaster for a list of classes

Change-Id: I3d071d7396942b0846abad61ef5ee6fd754807a5
---
M modules/puppetmaster/manifests/labs.pp
A modules/puppetmaster/templates/auth-labs-master.conf.erb
M modules/role/manifests/labs/puppetmaster.pp
3 files changed, 49 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/03/284103/1

diff --git a/modules/puppetmaster/manifests/labs.pp 
b/modules/puppetmaster/manifests/labs.pp
index 820b03d..ca6c466 100644
--- a/modules/puppetmaster/manifests/labs.pp
+++ b/modules/puppetmaster/manifests/labs.pp
@@ -21,4 +21,11 @@
         user    => 'gitpuppet',
         minute  => '*/1',
     }
+
+    file { '/etc/puppet/auth.conf':
+        owner   => 'root',
+        group   => 'root',
+        mode    => '0444',
+        content => template('puppetmaster/auth-labs-master.conf.erb'),
+    }
 }
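Review bot: The new `file { '/etc/puppet/auth.conf': }` resource replaces the master's whole ACL file but carries no comment saying why, and no `notify` or `require` tying it to the puppetmaster service. A short comment above it such as `# Custom auth.conf: adds a /resource_type ACL so horizon can list classes` would record the intent. Whether the running master picks up the new rules without a reload depends on the Puppet version and on how the master is served, so that should be confirmed. The enclosing class body starts outside this hunk, so any other resource that already manages this path is not visible here.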
diff --git a/modules/puppetmaster/templates/auth-labs-master.conf.erb 
b/modules/puppetmaster/templates/auth-labs-master.conf.erb
new file mode 100644
index 0000000..2e41d29
--- /dev/null
+++ b/modules/puppetmaster/templates/auth-labs-master.conf.erb
@@ -0,0 +1,40 @@
+path ~ ^/catalog/([^/]+)$
+method find
+allow $1
+
+path ~ ^/node/([^/]+)$
+method find
+allow $1
+
+path /certificate_revocation_list/ca
+method find
+allow *
+
+path ~ ^/report/([^/]+)$
+method save
+allow $1
+
+path /file
+allow *
+
+path /certificate/ca
+auth any
+method find
+allow *
+
+path /certificate/
+auth any
+method find
+allow *
+
+path /certificate_request
+auth any
+allow *
+method find, save
+
+path /resource_type
+auth any
+allow <% 
scope.function_ipresolve([scope.function_hiera(['labs_horizon_host']), 4]) %>
+
+path /
+auth any
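Review bot: The `/resource_type` stanza will render with an empty `allow`, because the template tag is `<% … %>`, which evaluates the expression without emitting it; it needs `<%= … %>`. The value is an IPv4 address rather than a certname, and Puppet 3 and later expect `allow_ip` for addresses, so the line would read `allow_ip <%= scope.function_ipresolve([scope.function_hiera(['labs_horizon_host']), 4]) %>` (confirm against the master's Puppet version). The stanza is `auth any` with no `method` line, so the source address is the only gate and every method on that path is permitted; adding `method find, search` limits it to the read access the change subject describes. A header comment stating that the file is Puppet-managed and why `/resource_type` is opened to an unauthenticated client would help the next reader.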
diff --git a/modules/role/manifests/labs/puppetmaster.pp 
b/modules/role/manifests/labs/puppetmaster.pp
index 17c5cb7..612dd43 100644
--- a/modules/role/manifests/labs/puppetmaster.pp
+++ b/modules/role/manifests/labs/puppetmaster.pp
@@ -14,10 +14,11 @@
     $labs_metal = hiera('labs_baremetal_servers', [])
     $ldapconfig = $ldap::role::config::labs::ldapconfig
     $basedn = $ldapconfig['basedn']
+    $horizon_host_ip = ipresolve(hiera('labs_horizon_host'), 4)
 
 
     # Only allow puppet access from the instances
-    $allow_from = flatten([$labs_ranges, '208.80.154.14', $labs_metal])
+    $allow_from = flatten([$labs_ranges, '208.80.154.14', $horizon_host_ip, 
$labs_metal])
 
     class { '::puppetmaster':
         server_name    => hiera('labs_puppet_master'),
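Review bot: Adding `$horizon_host_ip` to `$allow_from` opens the whole puppetmaster vhost to the horizon host at the network-ACL level, so auth.conf becomes the only control that confines it to `/resource_type`. The comment `# Only allow puppet access from the instances` is no longer accurate and could become `# Allow puppet access from the instances, plus the horizon host (class listing only, enforced in auth.conf)`. `hiera('labs_horizon_host')` has no default, unlike `hiera('labs_baremetal_servers', [])` a few lines up, so a missing key presumably fails compilation of the master's catalog. The address is also resolved at compile time, so a DNS change for the horizon host only takes effect on the next puppet run. The class body continues outside the hunk.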

-- 
To view, visit https://gerrit.wikimedia.org/r/284103

Gerrit-MessageType: newchange
Gerrit-Change-Id: I3d071d7396942b0846abad61ef5ee6fd754807a5
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Andrew Bogott <abog...@wikimedia.org>
