Yuvipanda has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/312301

Change subject: labs: Make labs puppetmaster use the standalone role
......................................................................

labs: Make labs puppetmaster use the standalone role

One of the biggest problems with the self hosted puppetmaster
role was the copypasta, requiring every change to be made twice and
letting the two copies drift apart. This makes the labs puppetmaster
use the same role as per-project puppetmasters, making sure
that if we break standalone puppetmasters we break the labs
puppetmaster as well.

Change-Id: Ie1c809f9eec99ba1e20aef73b75f219fc3975821
---
M modules/role/manifests/labs/puppetmaster.pp
M modules/role/manifests/puppetmaster/standalone.pp
2 files changed, 28 insertions(+), 59 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/01/312301/1

diff --git a/modules/role/manifests/labs/puppetmaster.pp 
b/modules/role/manifests/labs/puppetmaster.pp
index d85e09e..08ce769 100644
--- a/modules/role/manifests/labs/puppetmaster.pp
+++ b/modules/role/manifests/labs/puppetmaster.pp
@@ -15,71 +15,28 @@
     $labs_instance_range = $novaconfig['fixed_range']
     $horizon_host = hiera('labs_horizon_host')
     $horizon_host_ip = ipresolve(hiera('labs_horizon_host'), 4)
-
-
     # Only allow puppet access from the instances
     $allow_from = flatten([$labs_instance_range, '208.80.154.14', 
$horizon_host_ip, $labs_metal])
 
-    if $use_enc {
-        # Setup ENC
-        require_package('python3-yaml', 'python3-ldap3')
-
-        include ldap::yamlcreds
-
-        file { '/etc/puppet-enc.yaml':
-            content => ordered_yaml({
-                host => hiera('labs_puppet_master'),
-            }),
-            mode    => '0444',
-            owner   => 'root',
-            group   => 'root',
-        }
-
-        file { '/usr/local/bin/puppet-enc':
-            source => 'puppet:///modules/role/labs/puppet-enc.py',
-            mode   => '0555',
-            owner  => 'root',
-            group  => 'root',
-        }
-
-        $encconfig = {
-            'node_terminus'  => 'exec',
-            'external_nodes' => '/usr/local/bin/puppet-enc',
-        }
-    } else {
-        $encconfig = {
-            'ldapserver'    => $ldapconfig['servernames'][0],
-            'ldapbase'      => "ou=hosts,${basedn}",
-            'ldapstring'    => 
'(&(objectclass=puppetClient)(associatedDomain=%s))',
-            'ldapuser'      => $ldapconfig['proxyagent'],
-            'ldappassword'  => $ldapconfig['proxypass'],
-            'ldaptls'       => true,
-            'node_terminus' => 'ldap'
-        }
-    }
-    class { '::puppetmaster':
-        server_name      => hiera('labs_puppet_master'),
-        allow_from       => $allow_from,
-        secure_private   => false,
-        extra_auth_rules => 
template('role/labs/puppetmaster/extra_auth_rules.conf.erb'),
-        config           => merge($encconfig, {
-            'thin_storeconfigs' => false,
-            'autosign'          => true,
-        })
+    class { 'role::puppetmaster::standalone':
+        autosign            => true,
+        prevent_cherrypicks => true,
+        allow_from          => $allow_from,
+        git_sync_minutes    => '1',
+        use_enc             => $use_enc,
+        extra_auth_rules    => 
template('role/labs/puppetmaster/extra_auth_rules.conf.erb'),
     }
 
-
-    # Run a cron that pulls the ops/puppet repo & labs/private every minute.
-    # We do not have equivalent of puppet merge for the labs puppetmaster
+    # Kill these crons, since role::puppetmaster::standalone does this for us
     cron { 'update_public_puppet_repos':
-        ensure  => present,
+        ensure  => absent,
         command => '(cd /var/lib/git/operations/puppet && /usr/bin/git pull && 
/usr/bin/git submodule update --init) > /dev/null 2>&1',
         user    => 'gitpuppet',
         minute  => '*/1',
     }
 
     cron { 'update_private_puppet_repos':
-        ensure  => present,
+        ensure  => absent,
         command => '(cd /var/lib/git/operations/labs/private && /usr/bin/git 
pull) > /dev/null 2>&1',
         user    => 'gitpuppet',
         minute  => '*/1',
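Review bot: The labs puppetmaster's server name changes silently here: the removed `server_name => hiera('labs_puppet_master')` on the old `::puppetmaster` declaration has no counterpart in the new `role::puppetmaster::standalone` declaration, and the standalone role hands `$::fqdn` to `::puppetmaster` (visible in the second file's third hunk). If the hiera value and the host's fqdn differ, the master's certificate name no longer matches what agents are configured to contact, so either confirm they agree or add a `server_name` parameter to the standalone role and pass `hiera('labs_puppet_master')` from here. The old declaration also set `secure_private => false` explicitly; whether the standalone role uses the same value is not visible in this change and should be checked before merging. The enclosing class `role::labs::puppetmaster` starts before this hunk.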
diff --git a/modules/role/manifests/puppetmaster/standalone.pp 
b/modules/role/manifests/puppetmaster/standalone.pp
index ef094d0..6c65eb7 100644
--- a/modules/role/manifests/puppetmaster/standalone.pp
+++ b/modules/role/manifests/puppetmaster/standalone.pp
@@ -16,9 +16,23 @@
 # [*prevent_cherrypicks*]
 #  Set to true to prevent manual cherry-picking / modification of
 #  the puppet git repository. Is accomplished using git hooks.
+#
+# [*allow_from*]
+#  Array of CIDRs from which to allow access to this puppetmaster.
+#  Defaults to the entire 10.x range, so no real access control.
+#
+# [*git_sync_minutes*]
+#  How frequently should the git repositories be sync'd to upstream.
+#  Defaults to 10.
+#
+# [*extra_auth_rules*]
+#  A string that gets added to auth.conf as extra auth rules for
+#  the puppetmaster.
 class role::puppetmaster::standalone(
     $autosign = false,
     $prevent_cherrypicks = false,
+    $allow_from = ['10.0.0.0/8']
+    $git_sync_minutes = '10',
     $use_enc = true,
 ) {
     include ldap::role::config::labs
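Review bot: The new parameter line `$allow_from = ['10.0.0.0/8']` is missing the trailing comma that separates it from `$git_sync_minutes = '10',`, so the class header will not parse. Separately, `extra_auth_rules` is documented in the header and is passed by the labs role in the first file (`extra_auth_rules => template(...)`), but it is not declared in the parameter list, so declaring the class with it will fail with an invalid-parameter error; add `$extra_auth_rules = '',` and make sure it is forwarded to `::puppetmaster` (that declaration begins in the next hunk and its full parameter list is not visible here). The `allow_from` doc would also benefit from carrying over the rationale the next hunk deletes (`# Use certificates to control access`), e.g. `#  Defaults to the entire 10.x range; access is then controlled by client certificates, not by source address.`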
@@ -64,10 +78,6 @@
         }
     }
 
-    # Allow access from everywhere! Use certificates to
-    # control access
-    $allow_from = ['10.0.0.0/8']
-
     class { '::puppetmaster':
         server_name         => $::fqdn,
         allow_from          => $allow_from,
@@ -77,9 +87,11 @@
         config              => merge($encconfig, {
             'thin_storeconfigs' => false,
             'autosign'          => $autosign,
-        })
+        }),
     }
 
     # Update git checkout
-    include ::puppetmaster::gitsync
+    class { 'puppetmaster::gitsync':
+        run_every_minutes => $git_sync_minutes,
+    }
 }
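Review bot: Replacing `include ::puppetmaster::gitsync` with a resource-like declaration means any other `include` of that class that is evaluated first will now raise a duplicate-declaration error, so the other callers of `puppetmaster::gitsync` should be checked before this merges; the `run_every_minutes` parameter is also assumed to exist on that class, which is not shown in this change. For consistency with the `::puppetmaster` declaration above, the class name could be written fully qualified: `class { '::puppetmaster::gitsync':`.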

-- 
To view, visit https://gerrit.wikimedia.org/r/312301
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ie1c809f9eec99ba1e20aef73b75f219fc3975821
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Yuvipanda <yuvipa...@wikimedia.org>
