Alexandros Kosiaris has submitted this change and it was merged.
Change subject: postgres: Allow to not set password for users if not on master
......................................................................
postgres: Allow to not set password for users if not on master
That way we can use postgres::user on a slave. Use that in puppetdb
Change-Id: I87a3d13eaacbbb7f1ce6c9c65fb7b4a6d8bda300
---
M hieradata/common/puppetmaster/puppetdb.yaml
M modules/postgresql/manifests/user.pp
M modules/puppetmaster/manifests/puppetdb/database.pp
3 files changed, 17 insertions(+), 7 deletions(-)
Approvals:
Alexandros Kosiaris: Verified; Looks good to me, approved
diff --git a/hieradata/common/puppetmaster/puppetdb.yaml
b/hieradata/common/puppetmaster/puppetdb.yaml
index 2c64fd1..973588f 100644
--- a/hieradata/common/puppetmaster/puppetdb.yaml
+++ b/hieradata/common/puppetmaster/puppetdb.yaml
@@ -4,13 +4,11 @@
database: all
password: "%{::puppetmaster::puppetdb::database::replication_pass}"
cidr: 10.192.16.184/32
- pgversion: 9.4
attrs: REPLICATION
puppetdb@nihal-v4:
user: puppetdb
database: puppetdb
password: "%{::puppetmaster::puppetdb::database::puppetdb_pass}"
cidr: 10.192.16.184/32
- pgversion: 9.4
master: nitrogen.eqiad.wmnet
slaves: [nihal.codfw.wmnet]
diff --git a/modules/postgresql/manifests/user.pp
b/modules/postgresql/manifests/user.pp
index 1877235..b72948f 100644
--- a/modules/postgresql/manifests/user.pp
+++ b/modules/postgresql/manifests/user.pp
@@ -37,6 +37,7 @@
trusty => '9.3',
},
$attrs = '',
+ $master = true,
$ensure = 'present'
) {
@@ -64,10 +65,13 @@
# NOTE: This has the potential of the password leaking by process
# listing tools like ps. Need to investigate better ways of setting the
# password .e.g. hashed with md5 in the manifest
- exec { "pass_set-${name}":
- command => $pass_set,
- user => 'postgres',
- onlyif => $userexists,
+ # This will not be run on a slave as it is read-only
+ if $master {
+ exec { "pass_set-${name}":
+ command => $pass_set,
+ user => 'postgres',
+ onlyif => $userexists,
+ }
}
$changes = [
diff --git a/modules/puppetmaster/manifests/puppetdb/database.pp
b/modules/puppetmaster/manifests/puppetdb/database.pp
index 2f6264b..139d5b4 100644
--- a/modules/puppetmaster/manifests/puppetdb/database.pp
+++ b/modules/puppetmaster/manifests/puppetdb/database.pp
@@ -13,6 +13,7 @@
root_dir => '/srv/postgres',
use_ssl => true,
}
+ $on_master = true
} else {
$require_class = 'postgresql::slave'
class { 'postgresql::slave':
@@ -22,11 +23,17 @@
replication_pass => $replication_pass,
use_ssl => true,
}
+ $on_master = false
}
# Postgres replication and users
$postgres_users = hiera('puppetmaster::puppetdb::postgres_users', undef)
if $postgres_users {
- create_resources(postgresql::user, $postgres_users)
+ $postgres_users_defaults = {
+ pgversion => 9.4,
+ master => $on_master
+ }
+ create_resources(postgresql::user, $postgres_users,
+ $postgres_users_defaults)
}
# Create the puppetdb user for localhost
# This works on every server and is used for read-only db lookups
@@ -37,6 +44,7 @@
password => $puppetdb_pass,
cidr => "${::main_ipaddress}/32",
pgversion => '9.4',
+ master => $on_master,
}
# Create the database
--
To view, visit https://gerrit.wikimedia.org/r/311969
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: I87a3d13eaacbbb7f1ce6c9c65fb7b4a6d8bda300
Gerrit-PatchSet: 2
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Alexandros Kosiaris <akosia...@wikimedia.org>
Gerrit-Reviewer: Alexandros Kosiaris <akosia...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>
_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
