Volans has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/380947 )

Change subject: cumin (WMCS): allow to setup cumin in a project
......................................................................

cumin (WMCS): allow to setup cumin in a project

* Refactor Cumin's resources for WMCS Cloud VPS to allow to set up a
  Cumin master also inside an OpenStack project, without access to
  per-project secrets, and without requiring a standalone puppetmaster
  inside the project. Everything can be set in hiera in Horizon.
* Keyholder: accept a new optional parameter with an absolute path to a
  local SSH private key, to be used when it cannot be stored in secret()

Bug: T176314
Change-Id: I045984c1b87ae4f5a111d0de9f92b498da700275
---
A hieradata/codfw/profile/openstack/main/cumin.yaml
A hieradata/eqiad/profile/openstack/main/cumin.yaml
M modules/keyholder/manifests/agent.pp
M modules/profile/manifests/openstack/main/cumin/master.pp
M modules/profile/manifests/openstack/main/cumin/target.pp
M modules/profile/templates/openstack/main/cumin/aliases.yaml.erb
M modules/profile/templates/openstack/main/cumin/config.yaml.erb
R modules/profile/templates/openstack/main/cumin/ssh_config.erb
M modules/profile/templates/openstack/main/cumin/userkey.erb
9 files changed, 99 insertions(+), 12 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/47/380947/1

diff --git a/hieradata/codfw/profile/openstack/main/cumin.yaml 
b/hieradata/codfw/profile/openstack/main/cumin.yaml
new file mode 100644
index 0000000..99d60ca
--- /dev/null
+++ b/hieradata/codfw/profile/openstack/main/cumin.yaml
@@ -0,0 +1,5 @@
+profile::openstack::main::cumin::project_masters: []
+profile::openstack::main::cumin::project_pub_key: null
+profile::openstack::main::cumin::project_ssh_key_path: null
+profile::openstack::main::cumin::aliases:
+    all: O{*} and not O{project:contintcloud} and not 
O{project:admin-monitoring}
diff --git a/hieradata/eqiad/profile/openstack/main/cumin.yaml 
b/hieradata/eqiad/profile/openstack/main/cumin.yaml
new file mode 100644
index 0000000..99d60ca
--- /dev/null
+++ b/hieradata/eqiad/profile/openstack/main/cumin.yaml
@@ -0,0 +1,5 @@
+profile::openstack::main::cumin::project_masters: []
+profile::openstack::main::cumin::project_pub_key: null
+profile::openstack::main::cumin::project_ssh_key_path: null
+profile::openstack::main::cumin::aliases:
+    all: O{*} and not O{project:contintcloud} and not 
O{project:admin-monitoring}
diff --git a/modules/keyholder/manifests/agent.pp 
b/modules/keyholder/manifests/agent.pp
index f7d5eb2..8b7c6be 100644
--- a/modules/keyholder/manifests/agent.pp
+++ b/modules/keyholder/manifests/agent.pp
@@ -21,6 +21,12 @@
 #   agent should be shared. It is the caller's responsibility to ensure
 #   the groups exist.
 #
+# [*priv_key_path*]
+#   An optional path to a local SSH private key to use instead of calling
+#   secret() to handle WMCS installations, where there isn't secret support on
+#   a per-project basis. The name parameter must still be specified.
+#   [optional, default: undef]
+#
 # === Examples
 #
 #  keyholder::agent { 'mwdeploy':
@@ -31,6 +37,7 @@
     $trusted_groups = ['ops'],
     $ensure = 'present',
     $key_name = $name,
+    $priv_key_path = undef,
 ) {
     validate_ensure($ensure)
 
@@ -46,9 +53,25 @@
 
     $key_name_safe = regsubst($key_name, '\W', '_', 'G')
 
+    # Get the keys from secret() unless $priv_key_path is set
+    $content_priv_key = $priv_key_path ? {
+        undef => secret("keyholder/${key_name_safe}");
+        default => undef;
+    }
+    $content_pub_key = $priv_key_path ? {
+        undef => secret("keyholder/${key_name_safe}.pub");
+        default => undef;
+    }
+    # Set the public key path if $priv_key_path is set
+    $source_pub_key = $priv_key_path ? {
+        undef => undef;
+        default => "${priv_key_path}.pub";
+    }
+
     file { "/etc/keyholder.d/${key_name_safe}":
         ensure    => $ensure,
-        content   => secret("keyholder/${key_name_safe}"),
+        content   => $content_priv_key,  # undef if $priv_key_path is set
+        source    => $priv_key_path,  # undef if $content_priv_key is set
         show_diff => false,
         owner     => 'root',
         group     => 'keyholder',
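Review bot: `$priv_key_path` is passed straight to `source` without any check, so a relative path or an empty string only surfaces as an obscure file-resource failure at apply time; since the class already calls `validate_ensure`, add `if $priv_key_path { validate_absolute_path($priv_key_path) }` next to it. The same value also fixes where the public key is read from, via `"${priv_key_path}.pub"` (the hunk at `@@ -57,7 +80,8 @@` depends on it), which the `priv_key_path` doc in the first hunk should state, e.g. `#   The matching public key must exist at the same path with a .pub suffix.` Keeping `show_diff => false` on both resources is what keeps the key material out of the agent log, so that line should survive any later refactor. The file resource continues past the end of this hunk.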
@@ -57,7 +80,8 @@
 
     file { "/etc/keyholder.d/${key_name_safe}.pub":
         ensure    => $ensure,
-        content   => secret("keyholder/${key_name_safe}.pub"),
+        content   => $content_pub_key,  # undef if $source_pub_key is set
+        source    => $source_pub_key,  # undef if $content_pub_key is set
         show_diff => false,
         owner     => 'root',
         group     => 'keyholder',
diff --git a/modules/profile/manifests/openstack/main/cumin/master.pp 
b/modules/profile/manifests/openstack/main/cumin/master.pp
index 8bc8db0..0b364bf 100644
--- a/modules/profile/manifests/openstack/main/cumin/master.pp
+++ b/modules/profile/manifests/openstack/main/cumin/master.pp
@@ -1,3 +1,18 @@
+# == profile::openstack::main::cumin::master
+#
+# Profile for setting up a Cumin master for WMCS.
+# It allows to install Cumin master also inside a WMCS Cloud VPS project.
+#
+# === Hiera Parameters required for a project-specific Cumin master
+#
+# [*profile::openstack::main::cumin::project_ssh_priv_key_path*]
+#   The absolute path of an SSH passphrase-protected private key available on
+#   the host local filesystem.
+#
+# [*profile::openstack::main::cumin::aliases*]
+#   Optional hash of Cumin aliases in the form:
+#     key: alias query
+#
 class profile::openstack::main::cumin::master(
     $keystone_protocol = 
hiera('profile::openstack::base::keystone::auth_protocol'),
     $keystone_host = hiera('profile::openstack::main::nova_controller'),
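Review bot: The new header documents `project_ssh_priv_key_path` only for the project-specific case and does not say what happens when it is unset, although that decides which keyholder agent is declared; add under that entry `#   When unset or empty, the fleet-wide 'cumin_openstack_master' key fetched via secret() is used instead.` The parameter list of the class continues past this hunk.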
@@ -5,9 +20,18 @@
     $observer_username = hiera('profile::openstack::base::observer_user'),
     $observer_password = hiera('profile::openstack::main::observer_password'),
     $nova_dhcp_domain = hiera('profile::openstack::main::nova::dhcp_domain'),
+    $aliases = hiera('profile::openstack::main::cumin::aliases'),
+    $project_ssh_priv_key_path = 
hiera('profile::openstack::main::cumin::project_ssh_priv_key_path'),
     ) {
-        ::keyholder::agent { 'cumin_openstack_master':
-            trusted_groups => ['wmcs-roots', 'root'],
+        if $::labsproject and $project_ssh_priv_key_path and 
$project_ssh_priv_key_path != '' {
+            ::keyholder::agent { "cumin_openstack_${::labsproject}_master":
+                trusted_groups => ['root'],
+                priv_key_path  => $project_ssh_priv_key_path,
+            }
+        } else {
+            ::keyholder::agent { 'cumin_openstack_master':
+                trusted_groups => ['wmcs-roots', 'root'],
+            }
         }
 
         require_package('cumin')
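Review bot: The lookup `hiera('profile::openstack::main::cumin::project_ssh_priv_key_path')` has no default, while the two new cumin.yaml hieradata files define `profile::openstack::main::cumin::project_ssh_key_path` (null), so unless the `priv` spelling exists in hieradata outside this diff every WMCS master fails catalog compilation on this line. Either rename the key in both hieradata files to `project_ssh_priv_key_path` (the header comment added in the previous hunk already uses that spelling) or make the lookup tolerant: `$project_ssh_priv_key_path = hiera('profile::openstack::main::cumin::project_ssh_priv_key_path', undef),`. The `if` guard itself is fine; a one-line comment above it such as `# A project-local master uses a key from the instance filesystem instead of secret()` would explain why two differently named agents exist. The class body continues beyond this hunk.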
@@ -53,7 +77,7 @@
             owner   => 'root',
             group   => 'root',
             mode    => '0640',
-            source  => 
'puppet:///modules/profile/openstack/main/cumin/ssh_config',
+            content => template('profile/openstack/main/cumin/ssh_config.erb'),
             require => File['/etc/cumin'],
         }
 }
diff --git a/modules/profile/manifests/openstack/main/cumin/target.pp 
b/modules/profile/manifests/openstack/main/cumin/target.pp
index ec642ff..1e204e2 100644
--- a/modules/profile/manifests/openstack/main/cumin/target.pp
+++ b/modules/profile/manifests/openstack/main/cumin/target.pp
@@ -1,19 +1,35 @@
+# == profile::openstack::main::cumin::master
+#
+# Profile to allow a Cumin master for WMCS or a specific Cloud VPS project to
+# connect to this Cloud VPS instance.
+#
+# === Hiera Parameters required for a project-specific Cumin target
+#
+# [*profile::openstack::main::cumin::project_masters*]
+#   An array with the list of IPs of the Cumin master(s)
+#
+# [*profile::openstack::main::cumin::project_pub_key*]
+#   The SSH public key used by Cumin master
+#
 class profile::openstack::main::cumin::target(
-    $cumin_auth_group = hiera('profile::openstack::main::cumin_auth_group'),
+    $auth_group = hiera('profile::openstack::main::cumin::auth_group'),
+    $project_masters = 
hiera('profile::openstack::main::cumin::project_masters'),
+    $project_pub_key = 
hiera('profile::openstack::main::cumin::project_pub_key'),
 ) {
     require ::network::constants
 
-    if $cumin_auth_group == 'cumin_masters' {
-        $ssh_authorized_sources_list = 
$::network::constants::special_hosts[$::realm][$cumin_auth_group]
+    if $auth_group == 'cumin_masters' {
+        $ssh_authorized_sources_list = 
$::network::constants::special_hosts[$::realm][$auth_group]
     } else {
         # Authorize both the default cumin masters and the custom config, 
required for proxies.
         $ssh_authorized_sources_list = concat(
             $::network::constants::special_hosts[$::realm]['cumin_masters'],
-            $::network::constants::special_hosts[$::realm][$cumin_auth_group])
+            $::network::constants::special_hosts[$::realm][$auth_group])
     }
 
     $ssh_authorized_sources = join($ssh_authorized_sources_list, ',')
-    $cumin_master_pub_key = secret('keyholder/cumin_openstack_master.pub')
+    $ssh_project_authorized_sources = join($project_masters, ',')
+    $pub_key = secret('keyholder/cumin_openstack_master.pub')
 
     ssh::userkey { 'root-cumin':
         ensure  => present,
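Review bot: The new header names this class `profile::openstack::main::cumin::master`, but the file is the target profile; change it to `# == profile::openstack::main::cumin::target`. `join($project_masters, ',')` also assumes the lookup returns an array: the shipped hieradata gives `[]`, but a project that sets the key to null in Horizon would presumably fail the catalog on that line rather than just disable the project master, so consider `$project_masters = hiera('profile::openstack::main::cumin::project_masters', []),` followed by `validate_array($project_masters)`. The hiera key for `$auth_group` changes from `cumin_auth_group` to `cumin::auth_group` and the matching hieradata update is not part of this diff, so confirm it exists. The ssh::userkey resource continues past the end of this hunk.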
diff --git a/modules/profile/templates/openstack/main/cumin/aliases.yaml.erb 
b/modules/profile/templates/openstack/main/cumin/aliases.yaml.erb
index c7a4b93..3831840 100644
--- a/modules/profile/templates/openstack/main/cumin/aliases.yaml.erb
+++ b/modules/profile/templates/openstack/main/cumin/aliases.yaml.erb
@@ -1,3 +1,5 @@
 # Cumin aliases, in the form:
 # key: query_using_the_global_grammar
-all: O{*} and not O{project:contintcloud} and not O{project:admin-monitoring}
+<% @aliases.each do |key, value| -%>
+<%= key %>: <%= value %>
+<% end -%>
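Review bot: `<%= value %>` writes each alias query into the YAML file as an unquoted plain scalar, which works for the shipped `all` alias but breaks parsing as soon as a Horizon-supplied query starts with a YAML indicator such as `*`, `{` or `[`, or contains `: ` or ` #`. Quoting the value removes the problem without changing the meaning of the existing alias: `<%= key %>: <%= value.to_json %>` (a JSON string is a valid YAML double-quoted scalar; if `to_json` is not loaded in this template context, `value.inspect` gives a comparable form). A short ERB comment noting that the hash comes from `profile::openstack::main::cumin::aliases` would make the source of the data visible.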
diff --git a/modules/profile/templates/openstack/main/cumin/config.yaml.erb 
b/modules/profile/templates/openstack/main/cumin/config.yaml.erb
index e9d4f60..d474baf 100644
--- a/modules/profile/templates/openstack/main/cumin/config.yaml.erb
+++ b/modules/profile/templates/openstack/main/cumin/config.yaml.erb
@@ -17,3 +17,7 @@
     domain_suffix: <%= @nova_dhcp_domain %>
     nova_api_version: 2.12
     timeout: 2
+    <%- if @labsproject -%>
+    query_params:
+        project: <%= @labsproject %>
+    <%- end -%>
diff --git a/modules/profile/files/openstack/main/cumin/ssh_config 
b/modules/profile/templates/openstack/main/cumin/ssh_config.erb
similarity index 74%
rename from modules/profile/files/openstack/main/cumin/ssh_config
rename to modules/profile/templates/openstack/main/cumin/ssh_config.erb
index 27267b2..e6ccd91 100644
--- a/modules/profile/files/openstack/main/cumin/ssh_config
+++ b/modules/profile/templates/openstack/main/cumin/ssh_config.erb
@@ -1,7 +1,9 @@
+<% if ! @project_ssh_key or @project_ssh_key == '' -%>
 # WMCS Bastions
 Host bastion-restricted.wmflabs.org
     ProxyCommand none
 
+<% end -%>
 # WMCS Instances
 Host *
     BatchMode yes
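Review bot: The template tests `@project_ssh_key`, but the class that renders it, `profile::openstack::main::cumin::master`, only defines `$project_ssh_priv_key_path`, so `@project_ssh_key` is nil, the condition is always true, and both the bastion `Host` block here and the `ProxyCommand` in the second hunk (`@@ -10,4 +12,6 @@`) are still emitted for a project-local master, which defeats the purpose of the change. Use the variable the class actually sets in both places: `<% if ! @project_ssh_priv_key_path or @project_ssh_priv_key_path == '' -%>`. An ERB comment at the top such as `<%# Rendered by profile::openstack::main::cumin::master; the bastion hop is skipped when a project-local key path is set %>` would make the coupling visible.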
@@ -10,4 +12,6 @@
     UserKnownHostsFile /dev/null
     GlobalKnownHostsFile /dev/null
     LogLevel ERROR
+    <%- if ! @project_ssh_key or @project_ssh_key == '' -%>
     ProxyCommand ssh -o StrictHostKeyChecking=no -o 
UserKnownHostsFile=/dev/null -o GlobalKnownHostsFile=/dev/null -o 
LogLevel=ERROR -a -W %h:%p bastion-restricted.wmflabs.org
+    <%- end -%>
diff --git a/modules/profile/templates/openstack/main/cumin/userkey.erb 
b/modules/profile/templates/openstack/main/cumin/userkey.erb
index 160a802..163cd3e 100644
--- a/modules/profile/templates/openstack/main/cumin/userkey.erb
+++ b/modules/profile/templates/openstack/main/cumin/userkey.erb
@@ -1,2 +1,5 @@
 # Cumin Masters. TODO: use 'restrict' once available across the fleet (> 
jessie)
-from="<%= @ssh_authorized_sources %>",no-agent-forwarding,<% if 
@cumin_auth_group == 'cumin_masters' %>no-port-forwarding,<% end 
%>no-x11-forwarding,no-user-rc <%= @cumin_master_pub_key %>
+from="<%= @ssh_authorized_sources %>",no-agent-forwarding,<% if @auth_group == 
'cumin_masters' %>no-port-forwarding,<% end %>no-x11-forwarding,no-user-rc <%= 
@pub_key %>
+<% if @project_pub_key and @project_pub_key != '' and 
@ssh_project_authorized_sources.length > 0 -%>
+from="<%= @ssh_project_authorized_sources 
%>",no-agent-forwarding,no-port-forwarding,no-x11-forwarding,no-user-rc <%= 
@cumin_project_pub_key %>
+<% end -%>
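Review bot: The project line renders `@cumin_project_pub_key`, but `profile::openstack::main::cumin::target` defines the variable as `$project_pub_key` (the guard two lines above already uses that name), so the interpolation expands to an empty string and the generated authorized_keys line consists of options with no key, which sshd rejects as malformed. Change it to `<%= @project_pub_key %>`. Since the `from=` list is the only thing limiting which hosts may use that key as root on every instance in the project, an ERB comment stating that `project_masters` and `project_pub_key` both come from project hiera would help whoever reviews a Horizon change later.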


Gerrit-MessageType: newchange
Gerrit-Change-Id: I045984c1b87ae4f5a111d0de9f92b498da700275
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Volans <[email protected]>
