Andrew Bogott has uploaded a new change for review. https://gerrit.wikimedia.org/r/284103
Change subject: Allow horizon to query the labs puppetmaster for a list of classes ...................................................................... Allow horizon to query the labs puppetmaster for a list of classes Change-Id: I3d071d7396942b0846abad61ef5ee6fd754807a5 --- M modules/puppetmaster/manifests/labs.pp A modules/puppetmaster/templates/auth-labs-master.conf.erb M modules/role/manifests/labs/puppetmaster.pp 3 files changed, 49 insertions(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/03/284103/1
diff --git a/modules/puppetmaster/manifests/labs.pp b/modules/puppetmaster/manifests/labs.pp
index 820b03d..ca6c466 100644
--- a/modules/puppetmaster/manifests/labs.pp
+++ b/modules/puppetmaster/manifests/labs.pp
@@ -21,4 +21,11 @@
 user => 'gitpuppet',
 minute => '*/1',
 }
+
+ file { '/etc/puppet/auth.conf':
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ content => template('puppetmaster/auth-labs-master.conf.erb'),
+ }
 }
diff --git a/modules/puppetmaster/templates/auth-labs-master.conf.erb b/modules/puppetmaster/templates/auth-labs-master.conf.erb
new file mode 100644
index 0000000..2e41d29
--- /dev/null
+++ b/modules/puppetmaster/templates/auth-labs-master.conf.erb
@@ -0,0 +1,40 @@
+path ~ ^/catalog/([^/]+)$
+method find
+allow $1
+
+path ~ ^/node/([^/]+)$
+method find
+allow $1
+
+path /certificate_revocation_list/ca
+method find
+allow *
+
+path ~ ^/report/([^/]+)$
+method save
+allow $1
+
+path /file
+allow *
+
+path /certificate/ca
+auth any
+method find
+allow *
+
+path /certificate/
+auth any
+method find
+allow *
+
+path /certificate_request
+auth any
+allow *
+method find, save
+
+path /resource_type
+auth any
+allow <% scope.function_ipresolve([scope.function_hiera(['labs_horizon_host']), 4]) %>
+
+path /
+auth any
diff --git a/modules/role/manifests/labs/puppetmaster.pp b/modules/role/manifests/labs/puppetmaster.pp
index 17c5cb7..612dd43 100644
--- a/modules/role/manifests/labs/puppetmaster.pp
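Review bot: The new `file { '/etc/puppet/auth.conf': }` resource carries no comment saying that it replaces the whole auth.conf on the labs master rather than adding a single rule, so a later reader cannot tell that every ACL for this master now lives in the template. I would add above it `# Replaces the whole auth.conf on the labs master so Horizon can read /resource_type; all ACLs live in the template.` It is also worth confirming that no other class applied to this host already declares the same path, since a duplicate declaration fails catalog compilation. The enclosing class begins outside the hunk.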
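Review bot: The `allow` line of the `/resource_type` rule uses a non-printing ERB tag (`<% … %>`), so the address is resolved but never written and the rendered rule is a bare `allow`; it should read `allow <%= scope.function_ipresolve([scope.function_hiera(['labs_horizon_host']), 4]) %>`. Because the rule is `auth any`, the source address is the only thing gating unauthenticated access to the class list, so an empty or wrong value here decides who can read it. Depending on the Puppet version on the master, an IP address may need the `allow_ip` directive rather than `allow`, which matches certificate or host names. The rule also has no `method` line, unlike the other specific rules in this file; `method find, search` would keep it read-only.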
+++ b/modules/role/manifests/labs/puppetmaster.pp @@ -14,10 +14,11 @@ $labs_metal = hiera('labs_baremetal_servers', []) $ldapconfig = $ldap::role::config::labs::ldapconfig $basedn = $ldapconfig['basedn'] + $horizon_host_ip = ipresolve(hiera('labs_horizon_host'), 4) # Only allow puppet access from the instances - $allow_from = flatten([$labs_ranges, '208.80.154.14', $labs_metal]) + $allow_from = flatten([$labs_ranges, '208.80.154.14', $horizon_host_ip, $labs_metal]) class { '::puppetmaster': server_name => hiera('labs_puppet_master'), -- To view, visit https://gerrit.wikimedia.org/r/284103 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I3d071d7396942b0846abad61ef5ee6fd754807a5 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Andrew Bogott <abog...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
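Review bot: The context comment `# Only allow puppet access from the instances` above `$allow_from` is no longer accurate once `$horizon_host_ip` is in the list; suggest `# Only allow puppet access from the instances and from the Horizon host (class listing)`. The same address is resolved a second time inside auth-labs-master.conf.erb, so the two ACLs can disagree if the lookups ever diverge; resolving it once and handing the value to the template would keep them aligned. Presumably `$allow_from` opens the whole master to that host at the connection level, which leaves auth.conf as the only control limiting Horizon to `/resource_type`. The class body continues outside the hunk.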