Andrew Bogott has uploaded a new change for review. (
https://gerrit.wikimedia.org/r/399901 )
Change subject: puppet enc getter: only allow access to VMs and puppetmasters
......................................................................
puppet enc getter: only allow access to VMs and puppetmasters
Bug: T169086
Change-Id: I3f248d7daae25a0574ded87cab237a98359d3c61
---
D modules/openstack/files/puppet/master/encapi/labspuppetbackendgetter.conf
M modules/openstack/manifests/puppet/master/encapi.pp
A
modules/openstack/templates/puppet/master/encapi/labspuppetbackendgetter.conf.erb
M modules/profile/manifests/openstack/base/puppetmaster/common.pp
4 files changed, 31 insertions(+), 20 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/01/399901/1
diff --git
a/modules/openstack/files/puppet/master/encapi/labspuppetbackendgetter.conf
b/modules/openstack/files/puppet/master/encapi/labspuppetbackendgetter.conf
deleted file mode 100644
index f77a7dc..0000000
--- a/modules/openstack/files/puppet/master/encapi/labspuppetbackendgetter.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-server {
- listen 8100;
-
- # Wrap the normal API but only allow GETs.
- location / {
- proxy_pass http://127.0.0.1:8101;
-
- limit_except GET {
- deny all;
- }
- }
-}
diff --git a/modules/openstack/manifests/puppet/master/encapi.pp
b/modules/openstack/manifests/puppet/master/encapi.pp
index 5ddf7d2..3148603 100644
--- a/modules/openstack/manifests/puppet/master/encapi.pp
+++ b/modules/openstack/manifests/puppet/master/encapi.pp
@@ -6,6 +6,8 @@
$statsd_host,
$statsd_prefix,
$mysql_password,
+ $labs_instance_range,
+ $all_puppetmasters,
) {
$horizon_host_ip = ipresolve($horizon_host, 4)
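Review bot: The two new parameters are untyped, yet the template does `@all_puppetmasters.each` and interpolates `@labs_instance_range` straight into an nginx `allow` directive, so a scalar or undef value would surface only as an ERB error or a broken nginx config at reload time rather than at catalog compile. If this module already uses Puppet 4 data types elsewhere (the existing parameters here are untyped, so this is a judgement call), declaring `Array[String] $all_puppetmasters,` and `String $labs_instance_range,` would catch that earlier. The class signature begins above the hunk.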
@@ -64,6 +66,6 @@
# open this up to the public even though the actual API has no
# auth protections.
nginx::site { 'labspuppetbackendgetter':
- source =>
'puppet:///modules/openstack/puppet/master/encapi/labspuppetbackendgetter.conf',
+ content =>
template("openstack/master/encapi/labspuppetbackendgetter.conf.erb"),
}
}
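Review bot: The template path on the new `content =>` line does not match where the template is added: `template("openstack/master/encapi/labspuppetbackendgetter.conf.erb")` resolves to `modules/openstack/templates/master/encapi/…`, but this change creates the file under `modules/openstack/templates/puppet/master/encapi/` (compare the `puppet:///modules/openstack/puppet/master/encapi/…` source path it replaces). Catalog compilation will fail with a missing-template error until the call reads `content => template('openstack/puppet/master/encapi/labspuppetbackendgetter.conf.erb'),`. The surrounding comment saying this site is opened "to the public" is now stale given the template's allow list; consider rewording it to say the port is restricted to the instance range and the puppetmasters. The enclosing class body starts outside the hunk.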
diff --git
a/modules/openstack/templates/puppet/master/encapi/labspuppetbackendgetter.conf.erb
b/modules/openstack/templates/puppet/master/encapi/labspuppetbackendgetter.conf.erb
new file mode 100644
index 0000000..77a2ea5
--- /dev/null
+++
b/modules/openstack/templates/puppet/master/encapi/labspuppetbackendgetter.conf.erb
@@ -0,0 +1,19 @@
+server {
+ listen 8100;
+
+ # Wrap the normal API but only allow GETs.
+ location / {
+ proxy_pass http://127.0.0.1:8101;
+
+ limit_except GET {
+ deny all;
+ }
+
+ allow 127.0.0.7;
+<% @all_puppetmasters.each do |node| -%>
+ allow <%= scope.function_ipresolve([node]) %>;
+<% end -%>
+ allow <%= @labs_instance_range %>;
+ deny all;
+ }
+}
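Review bot: `allow 127.0.0.7;` is an unusual loopback address; a client on the puppetmaster itself connecting to `127.0.0.1:8100` will have source 127.0.0.1 and be refused by the trailing `deny all`, so unless 127.0.0.7 is a deliberate alias this likely wants to be `allow 127.0.0.1;` (or `allow 127.0.0.0/8;` if any loopback source is acceptable). The ACL is source-address based, which means every host in `<%= @labs_instance_range %>` can fetch ENC data for any other instance, not just its own; since the commit notes the backend itself has no auth, that is worth stating in a comment above the allow list, e.g. `# Access is by source IP only: any instance in the range can read any instance's ENC data.` Also, `scope.function_ipresolve([node])` is called without the address-family argument the manifest uses elsewhere (`ipresolve($horizon_host, 4)`); if a puppetmaster has both A and AAAA records, confirm which address is rendered, since nginx matches only the family actually listed.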
diff --git a/modules/profile/manifests/openstack/base/puppetmaster/common.pp
b/modules/profile/manifests/openstack/base/puppetmaster/common.pp
index 746a35e..f3d1f9b 100644
--- a/modules/profile/manifests/openstack/base/puppetmaster/common.pp
+++ b/modules/profile/manifests/openstack/base/puppetmaster/common.pp
@@ -25,13 +25,15 @@
}
class { '::openstack::puppet::master::encapi':
- horizon_host => $horizon_host,
- mysql_host => $encapi_db_host,
- mysql_db => $encapi_db_name,
- mysql_username => $encapi_db_user,
- mysql_password => $encapi_db_pass,
- statsd_host => $statsd_host,
- statsd_prefix => $encapi_statsd_prefix,
+ horizon_host => $horizon_host,
+ mysql_host => $encapi_db_host,
+ mysql_db => $encapi_db_name,
+ mysql_username => $encapi_db_user,
+ mysql_password => $encapi_db_pass,
+ statsd_host => $statsd_host,
+ statsd_prefix => $encapi_statsd_prefix,
+ labs_instance_range => $labs_instance_range,
+ all_puppetmasters => $all_puppetmasters,
}
# Update git checkout. This is done via a cron
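Review bot: `$labs_instance_range` and `$all_puppetmasters` are passed through here but nothing in the hunk declares them; the profile class header is outside the hunk, so confirm both are class parameters or lookups there. If either is missing, depending on `strict_variables` the failure is either a compile error or an undef that renders as an empty `allow ;` in the nginx template and breaks the template's `.each`, both of which surface on the puppetmaster rather than in review. A short comment on the two new lines, e.g. `# Source-IP ACL for the read-only ENC port (rendered in labspuppetbackendgetter.conf.erb)`, would tell a reader where these values end up.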
--
Gerrit-MessageType: newchange
Gerrit-Change-Id: I3f248d7daae25a0574ded87cab237a98359d3c61
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Andrew Bogott <[email protected]>