Alexandros Kosiaris has submitted this change and it was merged.

Change subject: keyholder: ops into trusted groups unconditionally
......................................................................


keyholder: ops into trusted groups unconditionally

ops should be able to deploy code for any repo at any point in time in
order to fix problems. Give the entire group that capability for every
keyholder key that scap currently provisions, by changing the define to
include ops implicitly and unconditionally.

Change-Id: I3b5253f3fcccb4b14623fb8dd5c09c21ebfaa164
---
M hieradata/common/scap/server.yaml
M hieradata/labs/deployment-prep/common.yaml
M modules/keyholder/manifests/agent.pp
M modules/role/manifests/deployment/mediawiki.pp
4 files changed, 28 insertions(+), 15 deletions(-)

Approvals:
  Alexandros Kosiaris: Verified; Looks good to me, approved



diff --git a/hieradata/common/scap/server.yaml 
b/hieradata/common/scap/server.yaml
index 4568ed2..260e18f 100644
--- a/hieradata/common/scap/server.yaml
+++ b/hieradata/common/scap/server.yaml
@@ -11,23 +11,26 @@
 keyholder_agents:
 
   phabricator:
-    trusted_group: deploy-phabricator
+    trusted_groups:
+      - deploy-phabricator
     key_fingerprint: 39:b3:2c:a7:b2:80:65:ff:0c:97:e1:22:88:6c:59:10
     key_secret: phabricator/phab_deploy_private_key
 
   eventlogging:
-    trusted_group: eventlogging-admins
+    trusted_groups:
+      - eventlogging-admins
     key_fingerprint: b6:4e:1a:1b:4b:70:ef:91:31:cd:a3:18:9a:ca:41:44
 
   deploy-service:
-    trusted_group:
+    trusted_groups:
       - deploy-service
       - aqs-admins
     key_fingerprint: 6d:54:92:8b:39:10:f5:9b:84:40:36:ef:3c:9a:6d:d8
     key_file: servicedeploy_rsa
 
+  # Note: dumpsdeploy normally would have ops as trusted group,
+  # but ops is added implicitly anyway
   dumpsdeploy:
-    trusted_group: ops
     key_fingerprint: 86:c9:17:ab:b7:00:79:b5:8a:c5:b5:ee:29:24:c9:2f
 
 
diff --git a/hieradata/labs/deployment-prep/common.yaml 
b/hieradata/labs/deployment-prep/common.yaml
index 6a1ae68..0210177 100644
--- a/hieradata/labs/deployment-prep/common.yaml
+++ b/hieradata/labs/deployment-prep/common.yaml
@@ -113,7 +113,8 @@
     - 10.68.23.25:11211:1  # deployment-memc04
     - 10.68.23.49:11211:1  # deployment-memc05
 "varnish::packages::version": latest
-"keyholder::trusted_group": wikidev
+"keyholder::trusted_groups":
+   - wikidev
 "base::environment::core_dump_pattern": 
'/data/project/cores/%{::instancename}-core.%h.%e.%p.%t'
 
 # T100509 Java7 on gallium does not support the hardned sshd MAC and KEX setup
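Review bot: The list item under `keyholder::trusted_groups` is indented three spaces, unlike the two-space list items used for every other `trusted_groups` key in this change; YAML accepts it, but it reads as a typo and invites a mis-indent on the next edit. Suggest `  - wikidev`. Whether the renamed `keyholder::trusted_groups` hiera key is actually consumed by a class parameter of that name is not visible here — the agent define reads `$trusted_groups` but is a defined type, so confirm a reader of this key exists before relying on it in deployment-prep.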
@@ -204,16 +205,19 @@
 scap::server::keyholder_agents:
 
   phabricator:
-    trusted_group: project-%{::labsproject}
+    trusted_groups:
+      - project-%{::labsproject}
     key_fingerprint: 39:b3:2c:a7:b2:80:65:ff:0c:97:e1:22:88:6c:59:10
     key_secret: phabricator/phab_deploy_private_key
 
   eventlogging:
-    trusted_group: project-%{::labsproject}
+    trusted_groups:
+      - project-%{::labsproject}
     key_fingerprint: 02:9b:99:e2:f0:16:70:a3:d2:5a:e6:02:a3:73:0e:b0
 
   deploy-service:
-    trusted_group: deploy-service
+    trusted_groups:
+      - deploy-service
     key_fingerprint: 6d:54:92:8b:39:10:f5:9b:84:40:36:ef:3c:9a:6d:d8
     key_file: servicedeploy_rsa
 
diff --git a/modules/keyholder/manifests/agent.pp 
b/modules/keyholder/manifests/agent.pp
index 8cdc9de..260545d 100644
--- a/modules/keyholder/manifests/agent.pp
+++ b/modules/keyholder/manifests/agent.pp
@@ -11,11 +11,10 @@
 #   The name of the key file stored in puppet private
 #   Should exist prior to running a defined resource
 #
-# [*trusted_group*]
-#   The name or GID of the trusted user group with which the agent
+# [*trusted_groups*]
+#   An array of group names or GIDs of the trusted user groups with which the 
agent
 #   should be shared. It is the caller's responsibility to ensure
-#   the group exists. An array of group identifiers can also be provided
-#   to allow access by multiple groups.
+#   the groups exist.
 #
 # [*key_fingerprint*]
 #   Fingerprint of the public half of the private keyfile specified
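Review bot: The parameter documentation no longer matches the define's behaviour: the body (further down in this file) always adds `ops` to whatever the caller passes, but the `trusted_groups` doc still reads as if the caller fully controls the list. Since this silently widens who may use every key — including in labs, where an `ops` group may not exist — the doc should say so. Suggest `#   should be shared. The 'ops' group is always added to this list and need`/`#   not be passed explicitly. It is the caller's responsibility to ensure`/`#   the groups exist.`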
@@ -31,8 +30,8 @@
 #  }
 #
 define keyholder::agent(
-    $trusted_group,
     $key_fingerprint,
+    $trusted_groups = ['ops'],
     $key_file = "${name}_rsa",
     $key_content = undef,
     $key_secret = undef,
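Review bot: Renaming the parameter from `trusted_group` to `trusted_groups` with no deprecated alias means any `keyholder::agent` caller outside this change that still passes `trusted_group` will fail catalog compilation with an unknown-parameter error; only `role::deployment::mediawiki` and the hieradata callers are updated here, so other roles using this define should be checked (I cannot see them from this hunk). Separately, the default `['ops']` is redundant with the unconditional `ops` injection in the body; `$trusted_groups = []` would state the intent ("no extra groups beyond ops") more plainly. The define's body continues outside this hunk.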
@@ -40,8 +39,15 @@
     require ::keyholder
     require ::keyholder::monitoring
 
+    # Always add ops in the mix
+    if !('ops' in $trusted_groups) {
+        $real_trusted_groups = concat($trusted_groups, 'ops')
+    } else {
+        $real_trusted_groups = $trusted_groups
+    }
+
     file { "/etc/keyholder-auth.d/${name}.yml":
-        content => inline_template("---\n<% [*@trusted_group].each do |g| 
%><%= g %>: ['<%= @key_fingerprint %>']\n<% end %>"),
+        content => inline_template("---\n<% [*@real_trusted_groups].each do 
|g| %><%= g %>: ['<%= @key_fingerprint %>']\n<% end %>"),
         owner   => 'root',
         group   => 'keyholder',
         mode    => '0440',
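Review bot: The `'ops' in $trusted_groups` check assumes `$trusted_groups` is an array, but the template's `[*@real_trusted_groups]` splat (and the old `[*@trusted_group]`) shows scalar values are expected to work; in Puppet, `in` against a String is a case-insensitive substring test, so a caller passing e.g. `'devops'` would be treated as already containing ops and ops would not be added, while any other string would reach `concat()` with a non-array first argument and fail. Normalise before the check: `$real_trusted_groups = union(flatten([$trusted_groups]), ['ops'])` replaces the whole if/else (assuming stdlib's `union` is available alongside the `concat` already used). The result feeds the `/etc/keyholder-auth.d/${name}.yml` ACL, so getting this list right is what decides who can use the key; the define's body continues outside the hunk.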
diff --git a/modules/role/manifests/deployment/mediawiki.pp 
b/modules/role/manifests/deployment/mediawiki.pp
index 18d34bd..852d951 100644
--- a/modules/role/manifests/deployment/mediawiki.pp
+++ b/modules/role/manifests/deployment/mediawiki.pp
@@ -17,7 +17,7 @@
     require ::keyholder::monitoring
 
     keyholder::agent { $keyholder_user:
-        trusted_group   => $keyholder_group,
+        trusted_groups  => $keyholder_group,
         key_fingerprint => $key_fingerprint,
     }
 
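Review bot: The `trusted_groups` parameter is now fed `$keyholder_group`, a singular-named variable whose origin and type are outside this hunk; if it is a plain string rather than an array, the define's `in`/`concat` handling of it is fragile (see agent.pp). Suggest renaming it `$keyholder_groups` where it is declared and passing an array explicitly, e.g. `trusted_groups  => any2array($keyholder_group),` (stdlib), so the role does not depend on the define tolerating scalars. The enclosing class starts before this hunk.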

-- 
To view, visit https://gerrit.wikimedia.org/r/288624

Gerrit-MessageType: merged
Gerrit-Change-Id: I3b5253f3fcccb4b14623fb8dd5c09c21ebfaa164
Gerrit-PatchSet: 11
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Alexandros Kosiaris <[email protected]>
Gerrit-Reviewer: Alexandros Kosiaris <[email protected]>
Gerrit-Reviewer: Faidon Liambotis <[email protected]>
Gerrit-Reviewer: Filippo Giunchedi <[email protected]>
Gerrit-Reviewer: Giuseppe Lavagetto <[email protected]>
Gerrit-Reviewer: Mobrovac <[email protected]>
Gerrit-Reviewer: jenkins-bot <>
