Giuseppe Lavagetto has submitted this change and it was merged. (
https://gerrit.wikimedia.org/r/339416 )
Change subject: role::puppetmaster: use profile::conftool
......................................................................
role::puppetmaster: use profile::conftool
This replaces the inclusion of role::conftool::master from site.pp on the
frontends, and the inclusion of the conftool class everywhere.
Change-Id: I2d52d44b33d6d0090e69b30c2c5936d7f6e2432c
---
M hieradata/common.yaml
A hieradata/common/profile/conftool/client.yaml
M hieradata/role/common/puppetmaster/frontend.yaml
M manifests/site.pp
M modules/profile/manifests/conftool/client.pp
A modules/profile/manifests/conftool/master.pp
M modules/puppetmaster/manifests/init.pp
M modules/role/manifests/puppetmaster/backend.pp
M modules/role/manifests/puppetmaster/frontend.pp
M modules/role/manifests/puppetmaster/standalone.pp
10 files changed, 69 insertions(+), 18 deletions(-)
Approvals:
Giuseppe Lavagetto: Verified; Looks good to me, approved
diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 8c879f3..8f2f595 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -459,3 +459,8 @@
cumin_masters:
- neodymium.eqiad.wmnet
- sarin.codfw.wmnet
+
+# Etcd client global configuration
+etcd_client_srv_domain: "%{::site}.wmnet"
+etcd_host: ''
+etcd_port: ''
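Review bot: The added `etcd_host: ''` and `etcd_port: ''` are set to empty strings with no statement of what an empty value means to consumers. Presumably it makes clients fall back to SRV discovery under `etcd_client_srv_domain`, but that is not visible in this file. A comment such as `# host/port left empty: clients discover etcd via SRV records in etcd_client_srv_domain` (if that is the intent) would keep someone from "fixing" the blanks later. These keys are also un-namespaced globals, unlike the `etcd::host` / `etcd::port` lookups they replace in profile::conftool::client, so it is worth confirming no other lookup still expects the old names.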
diff --git a/hieradata/common/profile/conftool/client.yaml
b/hieradata/common/profile/conftool/client.yaml
new file mode 100644
index 0000000..bbe0df1
--- /dev/null
+++ b/hieradata/common/profile/conftool/client.yaml
@@ -0,0 +1,2 @@
+# Conftool
+profile::conftool::client::namespace: "/conftool"
diff --git a/hieradata/role/common/puppetmaster/frontend.yaml
b/hieradata/role/common/puppetmaster/frontend.yaml
index 7328447..01573ad 100644
--- a/hieradata/role/common/puppetmaster/frontend.yaml
+++ b/hieradata/role/common/puppetmaster/frontend.yaml
@@ -14,3 +14,5 @@
apache::logrotate::period: "daily"
apache::logrotate::rotate: 7
cluster: puppet
+# Conftool
+profile::conftool::master::sync_dir: "/etc/conftool/data"
diff --git a/manifests/site.pp b/manifests/site.pp
index d1ab29d..d5f4020 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -2412,7 +2412,7 @@
node /^puppetmaster[12]001\.(codfw|eqiad)\.wmnet$/ {
role(
ipmi::mgmt, access_new_install,
- puppetmaster::frontend, conftool::master,
+ puppetmaster::frontend,
pybal_config
)
include ::standard
diff --git a/modules/profile/manifests/conftool/client.pp
b/modules/profile/manifests/conftool/client.pp
index c69d2d8..ad45ce8 100644
--- a/modules/profile/manifests/conftool/client.pp
+++ b/modules/profile/manifests/conftool/client.pp
@@ -8,21 +8,21 @@
# - The etcd credentials for the root user in /root/.etcdrc
#
class profile::conftool::client(
- $srv_dns = hiera('etcd::srv_dns'),
- $host = hiera('etcd::host'),
- $port = hiera('etcd::port'),
+ $srv_domain = hiera('etcd_client_srv_domain'),
+ $host = hiera('etcd_host'),
+ $port = hiera('etcd_port'),
$root_password = hiera('etcd::auth::common::root_password'),
- $tcpircbot_host = hiera('profile::conftool::client::tcpircbot_host'),
- $tcpircbot_port = hiera('profile::conftool::client::tcpircbot_port'),
- $namespace = hiera('profile::conftool::client::namespace'),
+ $namespace = hiera('profile::conftool::client::namespace',
'/conftool'),
+ $tcpircbot_host = hiera('profile::conftool::client::tcpircbot_host',
'icinga.wikimedia.org'),
+ $tcpircbot_port = hiera('profile::conftool::client::tcpircbot_port', 9200),
) {
require_package('python-conftool')
class { '::etcd::client::globalconfig':
- srv_dns => $srv_dns,
- host => $host,
- port => $port,
- protocol => 'https',
+ srv_domain => $srv_domain,
+ host => $host,
+ port => $port,
+ protocol => 'https',
}
::etcd::client::config { '/root/.etcdrc':
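Review bot: The `$namespace` fallback `'/conftool'` in the `hiera()` call duplicates the value this same change adds in hieradata/common/profile/conftool/client.yaml, so there are now two sources of truth that can drift; keep either the hiera file or the in-manifest default. The same applies in spirit to the new `'icinga.wikimedia.org'` and `9200` fallbacks, which hard-code site data in the profile instead of in hiera. `$root_password` correctly stays without a default, so a missing secret still fails the catalog rather than silently compiling. The rename of `$srv_dns` to `$srv_domain` should also be reflected in the class header comment, which starts above this hunk and is only partly visible; the class body likewise continues past the hunk.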
diff --git a/modules/profile/manifests/conftool/master.pp
b/modules/profile/manifests/conftool/master.pp
new file mode 100644
index 0000000..66988d6
--- /dev/null
+++ b/modules/profile/manifests/conftool/master.pp
@@ -0,0 +1,42 @@
+# == Class profile::conftool::master
+#
+# Class to configure a conftool master, that will be able to
+# sync data from yaml files in $sync_dir
+#
+# [*parameters*]
+# sync_dir The directory to sync from in conftool-merge
+#
+class profile::conftool::master(
+ $sync_dir = hiera('profile::conftool::master::sync_dir'),
+) {
+
+ system::role { 'conftool-master':
+ description => 'Conftool master',
+ }
+
+ # All the configuration we have for the client is needed by the master
+ require ::profile::conftool::client
+
+ # We also need to know where the puppet repo is. We cannot require a
profile
+ # here because the puppet classes are not well structured. TODO: fix this
+ # and transform the git dir into a parameter
+ require ::puppetmaster::gitclone
+
+ file { '/etc/conftool/data':
+ ensure => link,
+ target =>
"${::puppetmaster::base_repo::gitdir}/operations/puppet/conftool-data",
+ force => true,
+ before => File['/usr/local/bin/conftool-merge'],
+ }
+
+ file { '/usr/local/bin/conftool-merge':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0500',
+ content => template('conftool/conftool-merge.erb'),
+ }
+
+ # Note: we do not include etcd's own auth defines as we are discouraging
using it
+ # in favour of proxying via nginx. This might change when/if we switch to
etcd 3
+}
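Review bot: `$sync_dir` is the class's only parameter, but the symlink is created at the hard-coded title `file { '/etc/conftool/data':`. Overriding `profile::conftool::master::sync_dir` in hiera would therefore leave the link in the old place while whatever reads `$sync_dir` (presumably the conftool-merge.erb template, not shown) looks elsewhere. Title the resource with the parameter instead: `file { $sync_dir:`. Separately, `force => true` on an `ensure => link` resource lets Puppet replace an existing directory at that path, so a host that already holds real data there loses it on the first run; a comment saying this is intended would help. The target also reads `$::puppetmaster::base_repo::gitdir` while only `::puppetmaster::gitclone` is required, so the link depends on gitclone pulling in base_repo, which is worth stating next to the existing TODO.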
diff --git a/modules/puppetmaster/manifests/init.pp
b/modules/puppetmaster/manifests/init.pp
index 15d14b1..374b6ea 100644
--- a/modules/puppetmaster/manifests/init.pp
+++ b/modules/puppetmaster/manifests/init.pp
@@ -55,7 +55,6 @@
$hiera_config=$::realm,
$secure_private=true,
$extra_auth_rules='',
- $include_conftool=true,
$prevent_cherrypicks=true,
$git_user='gitpuppet',
$git_group='gitpuppet',
@@ -177,10 +176,6 @@
source => "puppet:///modules/puppetmaster/${hiera_config}.hiera.yaml",
}
- if $include_conftool {
- # This is required for the conftool perser function
- include ::conftool
- }
# Small utility to generate ECDSA certs and submit the CSR to the puppet
master
file { '/usr/local/bin/puppet-ecdsacert':
ensure => present,
diff --git a/modules/role/manifests/puppetmaster/backend.pp
b/modules/role/manifests/puppetmaster/backend.pp
index d5717f3..c19a1c8 100644
--- a/modules/role/manifests/puppetmaster/backend.pp
+++ b/modules/role/manifests/puppetmaster/backend.pp
@@ -32,5 +32,5 @@
port => 8141,
srange => "(@resolve((${puppetmaster_frontend_ferm}))
@resolve((${puppetmaster_frontend_ferm}), AAAA))"
}
-
+ require ::profile::conftool::client
}
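Review bot: `require ::profile::conftool::client` puts the whole client profile on every puppetmaster backend. Per that class's header comment and its `$root_password = hiera('etcd::auth::common::root_password')` parameter, this includes the etcd root credentials in /root/.etcdrc. The code this change removes from puppetmaster/init.pp only did `include ::conftool` for the parser function. Unless backends already received those credentials by another path (not visible here), this widens the set of hosts storing the etcd root password. If backends only need the conftool library for catalog compilation, a narrower class would keep the credential on the frontends; otherwise add a comment stating why backends need it, e.g. `# backends need etcd client credentials because <reason>`.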
diff --git a/modules/role/manifests/puppetmaster/frontend.pp
b/modules/role/manifests/puppetmaster/frontend.pp
index 3ff4775..df272b0 100644
--- a/modules/role/manifests/puppetmaster/frontend.pp
+++ b/modules/role/manifests/puppetmaster/frontend.pp
@@ -4,6 +4,8 @@
include ::base::firewall
include role::backup::host
+
+ # Everything below this point belongs in a profile
backup::set { 'var-lib-puppet-ssl': }
backup::set { 'var-lib-puppet-volatile': }
@@ -90,4 +92,8 @@
port => 8141,
srange => "(@resolve((${puppetmaster_frontend_ferm}))
@resolve((${puppetmaster_frontend_ferm}), AAAA))"
}
+
+ # This is the role again
+ include ::profile::conftool::client
+ include ::profile::conftool::master
}
diff --git a/modules/role/manifests/puppetmaster/standalone.pp
b/modules/role/manifests/puppetmaster/standalone.pp
index 7cab601..8fd8516 100644
--- a/modules/role/manifests/puppetmaster/standalone.pp
+++ b/modules/role/manifests/puppetmaster/standalone.pp
@@ -79,7 +79,6 @@
server_name => $server_name,
allow_from => $allow_from,
secure_private => false,
- include_conftool => false,
prevent_cherrypicks => $prevent_cherrypicks,
extra_auth_rules => $extra_auth_rules,
config => $config,
--
To view, visit https://gerrit.wikimedia.org/r/339416
Gerrit-MessageType: merged
Gerrit-Change-Id: I2d52d44b33d6d0090e69b30c2c5936d7f6e2432c
Gerrit-PatchSet: 8
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Giuseppe Lavagetto <[email protected]>
Gerrit-Reviewer: Giuseppe Lavagetto <[email protected]>
Gerrit-Reviewer: jenkins-bot <>