Alexandros Kosiaris has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/311969

Change subject: postgres: Allow to not set password for users if not on master
......................................................................

postgres: Allow to not set password for users if not on master

That way we can use postgresql::user on a slave. Use that in puppetdb.

Change-Id: I87a3d13eaacbbb7f1ce6c9c65fb7b4a6d8bda300
---
M hieradata/common/puppetmaster/puppetdb.yaml
M modules/postgresql/manifests/user.pp
M modules/puppetmaster/manifests/puppetdb/database.pp
3 files changed, 17 insertions(+), 7 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/69/311969/1

diff --git a/hieradata/common/puppetmaster/puppetdb.yaml 
b/hieradata/common/puppetmaster/puppetdb.yaml
index 2c64fd1..973588f 100644
--- a/hieradata/common/puppetmaster/puppetdb.yaml
+++ b/hieradata/common/puppetmaster/puppetdb.yaml
@@ -4,13 +4,11 @@
     database: all
     password: "%{::puppetmaster::puppetdb::database::replication_pass}"
     cidr: 10.192.16.184/32
-    pgversion: 9.4
     attrs: REPLICATION
   puppetdb@nihal-v4:
     user: puppetdb
     database: puppetdb
     password: "%{::puppetmaster::puppetdb::database::puppetdb_pass}"
     cidr: 10.192.16.184/32
-    pgversion: 9.4
 master: nitrogen.eqiad.wmnet
 slaves: [nihal.codfw.wmnet]
diff --git a/modules/postgresql/manifests/user.pp 
b/modules/postgresql/manifests/user.pp
index 1877235..b72948f 100644
--- a/modules/postgresql/manifests/user.pp
+++ b/modules/postgresql/manifests/user.pp
@@ -37,6 +37,7 @@
         trusty  => '9.3',
     },
     $attrs = '',
+    $master = true,
     $ensure = 'present'
     ) {
 
@@ -64,10 +65,13 @@
         # NOTE: This has the potential of the password leaking by process
         # listing tools like ps. Need to investigate better ways of setting the
         # password .e.g. hashed with md5 in the manifest
-        exec { "pass_set-${name}":
-            command => $pass_set,
-            user    => 'postgres',
-            onlyif  => $userexists,
+        # This will not be run on a slave as it is read-only
+        if $master {
+            exec { "pass_set-${name}":
+                command => $pass_set,
+                user    => 'postgres',
+                onlyif  => $userexists,
+            }
         }
 
         $changes = [
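Review bot: The new `$master` flag gates the `pass_set` exec on plain truthiness, and resource parameters here are fed through `create_resources` from hiera, so a quoted `master: 'false'` would be a non-empty string and still evaluate as true. A `validate_bool($master)` at the top of the define (assuming stdlib is available in this tree) would catch that at compile time. With `master => false` the `password` argument is silently unused, so the replica depends on the role and its password having been replicated from the master; the comment could say so, e.g. `# On a slave the role and password arrive via replication; $password is not applied here`. The parameter added in the first hunk of this file also merits a line in the define's header documentation, which lies outside the visible hunks along with the rest of the define's body.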
diff --git a/modules/puppetmaster/manifests/puppetdb/database.pp 
b/modules/puppetmaster/manifests/puppetdb/database.pp
index 2f6264b..139d5b4 100644
--- a/modules/puppetmaster/manifests/puppetdb/database.pp
+++ b/modules/puppetmaster/manifests/puppetdb/database.pp
@@ -13,6 +13,7 @@
             root_dir => '/srv/postgres',
             use_ssl  => true,
         }
+        $on_master = true
     } else {
         $require_class = 'postgresql::slave'
         class { 'postgresql::slave':
@@ -22,11 +23,17 @@
             replication_pass => $replication_pass,
             use_ssl          => true,
         }
+        $on_master = false
     }
     # Postgres replication and users
     $postgres_users = hiera('puppetmaster::puppetdb::postgres_users', undef)
     if $postgres_users {
-        create_resources(postgresql::user, $postgres_users)
+        $postgres_users_defaults = {
+            pgversion => 9.4,
+            master    => $on_master
+        }
+        create_resources(postgresql::user, $postgres_users,
+            $postgres_users_defaults)
     }
     # Create the puppetdb user for localhost
     # This works on every server and is used for read-only db lookups
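Review bot: `pgversion => 9.4` in `$postgres_users_defaults` is a bare numeric literal, while the `postgresql::user` declaration in the last hunk of this file passes `pgversion => '9.4'` and the define's own version defaults are quoted strings. Quoting it here, `pgversion => '9.4',`, keeps the type consistent and avoids number-formatting surprises if the value is interpolated into a path or command. Per-entry hiera keys also take precedence over the defaults hash in `create_resources`, so an entry can still override `master`; a short comment above the hash, e.g. `# master is derived from the node role; do not set it in hiera`, would make the intent clear. The enclosing class starts and ends outside the hunk.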
@@ -37,6 +44,7 @@
         password  => $puppetdb_pass,
         cidr      => "${::main_ipaddress}/32",
         pgversion => '9.4',
+        master    => $on_master,
     }
 
     # Create the database

-- 
To view, visit https://gerrit.wikimedia.org/r/311969

Gerrit-MessageType: newchange
Gerrit-Change-Id: I87a3d13eaacbbb7f1ce6c9c65fb7b4a6d8bda300
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Alexandros Kosiaris <akosia...@wikimedia.org>
