Yuvipanda has submitted this change and it was merged. Change subject: labs: Make labs puppetmaster use the standalone role ......................................................................
labs: Make labs puppetmaster use the standalone role One of the biggest problems with the self-hosted puppetmaster role was the copypasta: every change had to be made twice, and the two copies drifted apart. This makes the labs puppetmaster use the same role as per-project puppetmasters, making sure that if we break standalone puppetmasters we break the labs puppetmaster as well. Change-Id: Ie1c809f9eec99ba1e20aef73b75f219fc3975821 --- M modules/role/manifests/labs/puppetmaster.pp M modules/role/manifests/puppetmaster/standalone.pp 2 files changed, 37 insertions(+), 60 deletions(-) Approvals: Yuvipanda: Verified; Looks good to me, approved diff --git a/modules/role/manifests/labs/puppetmaster.pp b/modules/role/manifests/labs/puppetmaster.pp index d85e09e..732cc94 100644 --- a/modules/role/manifests/labs/puppetmaster.pp +++ b/modules/role/manifests/labs/puppetmaster.pp 
@@ -15,71 +15,29 @@
 $labs_instance_range = $novaconfig['fixed_range']
 $horizon_host = hiera('labs_horizon_host')
 $horizon_host_ip = ipresolve(hiera('labs_horizon_host'), 4)
-
-
 # Only allow puppet access from the instances
 $allow_from = flatten([$labs_instance_range, '208.80.154.14', $horizon_host_ip, $labs_metal])
- if $use_enc {
- # Setup ENC
- require_package('python3-yaml', 'python3-ldap3')
-
- include ldap::yamlcreds
-
- file { '/etc/puppet-enc.yaml':
- content => ordered_yaml({
- host => hiera('labs_puppet_master'),
- }),
- mode => '0444',
- owner => 'root',
- group => 'root',
- }
-
- file { '/usr/local/bin/puppet-enc':
- source => 'puppet:///modules/role/labs/puppet-enc.py',
- mode => '0555',
- owner => 'root',
- group => 'root',
- }
-
- $encconfig = {
- 'node_terminus' => 'exec',
- 'external_nodes' => '/usr/local/bin/puppet-enc',
- }
- } else {
- $encconfig = {
- 'ldapserver' => $ldapconfig['servernames'][0],
- 'ldapbase' => "ou=hosts,${basedn}",
- 'ldapstring' => '(&(objectclass=puppetClient)(associatedDomain=%s))',
- 'ldapuser' => $ldapconfig['proxyagent'],
- 'ldappassword' => $ldapconfig['proxypass'],
- 'ldaptls' => true,
- 'node_terminus' => 'ldap'
- }
- }
- class { '::puppetmaster':
- server_name => hiera('labs_puppet_master'),
- allow_from => $allow_from,
- secure_private => false,
- extra_auth_rules => template('role/labs/puppetmaster/extra_auth_rules.conf.erb'),
- config => merge($encconfig, {
- 'thin_storeconfigs' => false,
- 'autosign' => true,
- })
+ class { 'role::puppetmaster::standalone':
+ autosign => true,
+ prevent_cherrypicks => true,
+ allow_from => $allow_from,
+ git_sync_minutes => '1',
+ use_enc => $use_enc,
+ extra_auth_rules => template('role/labs/puppetmaster/extra_auth_rules.conf.erb'),
+ server_name => hiera('labs_puppet_master'),
 }
-
- # Run a cron that pulls the ops/puppet repo & labs/private every minute.
- # We do not have equivalent of puppet merge for the labs puppetmaster
+ # Kill these crons, since role::puppetmaster::standalone does this for us
 cron { 'update_public_puppet_repos':
- ensure => present,
+ ensure => absent,
 command => '(cd /var/lib/git/operations/puppet && /usr/bin/git pull && /usr/bin/git submodule update --init) > /dev/null 2>&1',
 user => 'gitpuppet',
 minute => '*/1',
 }
 cron { 'update_private_puppet_repos':
- ensure => present,
+ ensure => absent,
 command => '(cd /var/lib/git/operations/labs/private && /usr/bin/git pull) > /dev/null 2>&1',
 user => 'gitpuppet',
 minute => '*/1',
diff --git a/modules/role/manifests/puppetmaster/standalone.pp b/modules/role/manifests/puppetmaster/standalone.pp
index ef094d0..6178177 100644
--- a/modules/role/manifests/puppetmaster/standalone.pp
+++ b/modules/role/manifests/puppetmaster/standalone.pp
@@ -16,9 +16,29 @@
 # [*prevent_cherrypicks*]
 # Set to true to prevent manual cherry-picking / modification of
 # the puppet git repository. Is accomplished using git hooks.
+#
+# [*allow_from*]
+# Array of CIDRs from which to allow access to this puppetmaster.
+# Defaults to the entire 10.x range, so no real access control.
+#
+# [*git_sync_minutes*]
+# How frequently should the git repositories be sync'd to upstream.
+# Defaults to 10.
+#
+# [*extra_auth_rules*]
+# A string that gets added to auth.conf as extra auth rules for
+# the puppetmaster.
+#
+# [*server_name*]
+# Hostname for the puppetmaster. Defaults to fqdn. Is used for SSL
+# certificates, virtualhost routing, etc
 class role::puppetmaster::standalone(
 $autosign = false,
 $prevent_cherrypicks = false,
+ $allow_from = ['10.0.0.0/8'],
+ $git_sync_minutes = '10',
+ $extra_auth_rules = '',
+ $server_name = $::fqdn,
 $use_enc = true,
 ) {
 include ldap::role::config::labs
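Review bot: `prevent_cherrypicks => true` in the new `class { 'role::puppetmaster::standalone': ... }` declaration is a behaviour change for the labs puppetmaster that neither the commit message nor the manifest explains — the removed `::puppetmaster` declaration never set it, so whatever default that class applies was in effect, and from now on manual modification of the git checkout on this host is refused by hooks (per the parameter doc added to standalone.pp in this same change). That is a sensible hardening for a shared master, but it deserves a line where it is enabled, e.g. `# The labs master tracks upstream only; local cherry-picks are blocked by the git hooks`. The two `cron` resources switched to `ensure => absent` can drop their `command`, `user` and `minute` attributes once the removal has converged everywhere, since only the resource title is needed to remove an entry. The enclosing `role::labs::puppetmaster` class begins before this hunk and its end is outside it.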
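Review bot: The new `[*allow_from*]` doc says "Array of CIDRs", but the labs caller updated in this same change passes `flatten([$labs_instance_range, '208.80.154.14', $horizon_host_ip, $labs_metal])`, i.e. single addresses mixed with ranges; say `Array of IPs or CIDRs` so callers know both forms are accepted. The comment removed from the old body ("Use certificates to control access") was the only statement of why the permissive `10.0.0.0/8` default is tolerable; carry that rationale into the parameter doc, e.g. `# Defaults to the entire 10.x range; access control then rests on client certificates (and on autosign, when enabled).` None of the four new parameters is checked before being handed to `::puppetmaster` and `puppetmaster::gitsync` further down the class; since stdlib functions are already in use here (`flatten`, `merge`), `validate_array($allow_from)` and `validate_re($git_sync_minutes, '^\d+$')` right after `include ldap::role::config::labs` would reject a bad value at compile time instead of downstream in `puppetmaster::gitsync`, whose handling of a non-numeric string is not visible here. The class body continues past the end of this hunk.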
@@ -64,22 +84,21 @@
 }
 }
- # Allow access from everywhere! Use certificates to
- # control access
- $allow_from = ['10.0.0.0/8']
-
 class { '::puppetmaster':
- server_name => $::fqdn,
+ server_name => $server_name,
 allow_from => $allow_from,
 secure_private => false,
 include_conftool => false,
 prevent_cherrypicks => $prevent_cherrypicks,
+ extra_auth_rules => $extra_auth_rules,
 config => merge($encconfig, {
 'thin_storeconfigs' => false,
 'autosign' => $autosign,
- })
+ }),
 }
 # Update git checkout
- include ::puppetmaster::gitsync
+ class { 'puppetmaster::gitsync':
+ run_every_minutes => $git_sync_minutes,
+ }
 }
--
To view, visit https://gerrit.wikimedia.org/r/312301
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: Ie1c809f9eec99ba1e20aef73b75f219fc3975821
Gerrit-PatchSet: 7
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Yuvipanda <yuvipa...@wikimedia.org>
Gerrit-Reviewer: Yuvipanda <yuvipa...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>
_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits