Filippo Giunchedi has submitted this change and it was merged.
Change subject: keyholder key cleanup
......................................................................
keyholder key cleanup
* Clean up the mess that is scap::target and keyholder::agent
* Make ssh_agent_proxy look up keys by name instead of fingerprint
** This avoids needing to store fingerprints in puppet manifests
* password-protected key test is now optional and skipped on beta
Bug: T132747
Change-Id: Id298a3e0f12e31afd7ea83970e192330ffbd4243
---
M hieradata/common/scap/server.yaml
M hieradata/labs/deployment-prep/common.yaml
M hieradata/labs/phabricator/common.yaml
M modules/eventlogging/manifests/deployment/target.pp
M modules/keyholder/files/keyholder
M modules/keyholder/files/ssh-agent-proxy
M modules/keyholder/manifests/agent.pp
M modules/keyholder/manifests/init.pp
D modules/keyholder/manifests/private_key.pp
M modules/mediawiki/manifests/users.pp
D modules/phabricator/manifests/deployment/target.pp
M modules/phabricator/manifests/init.pp
M modules/role/manifests/deployment/mediawiki.pp
M modules/role/manifests/snapshot/deployment.pp
M modules/scap/manifests/server.pp
M modules/scap/manifests/target.pp
M modules/service/manifests/deploy/scap.pp
M modules/service/manifests/node.pp
M modules/service/manifests/uwsgi.pp
M modules/zotero/manifests/init.pp
20 files changed, 155 insertions(+), 206 deletions(-)
Approvals:
Filippo Giunchedi: Verified; Looks good to me, approved
diff --git a/hieradata/common/scap/server.yaml
b/hieradata/common/scap/server.yaml
index 260e18f..03826ad 100644
--- a/hieradata/common/scap/server.yaml
+++ b/hieradata/common/scap/server.yaml
@@ -13,26 +13,19 @@
phabricator:
trusted_groups:
- deploy-phabricator
- key_fingerprint: 39:b3:2c:a7:b2:80:65:ff:0c:97:e1:22:88:6c:59:10
- key_secret: phabricator/phab_deploy_private_key
eventlogging:
trusted_groups:
- eventlogging-admins
- key_fingerprint: b6:4e:1a:1b:4b:70:ef:91:31:cd:a3:18:9a:ca:41:44
deploy-service:
trusted_groups:
- deploy-service
- aqs-admins
- key_fingerprint: 6d:54:92:8b:39:10:f5:9b:84:40:36:ef:3c:9a:6d:d8
- key_file: servicedeploy_rsa
- # Note: dumpsdeploy normally would have ops as trusted group,
- # but ops is added implicitly anyway
dumpsdeploy:
- key_fingerprint: 86:c9:17:ab:b7:00:79:b5:8a:c5:b5:ee:29:24:c9:2f
-
+ trusted_groups:
+ - ops
# scap::source declarations. These are created
# by the scap::server class. Each source listed here
@@ -64,4 +57,3 @@
# cxserver is the ContentTranslation server.
cxserver/deploy:
repository: cxserver/deploy
-
diff --git a/hieradata/labs/deployment-prep/common.yaml
b/hieradata/labs/deployment-prep/common.yaml
index d7edbe9..ba85571 100644
--- a/hieradata/labs/deployment-prep/common.yaml
+++ b/hieradata/labs/deployment-prep/common.yaml
@@ -216,20 +216,14 @@
phabricator:
trusted_groups:
- project-%{::labsproject}
- key_fingerprint: 39:b3:2c:a7:b2:80:65:ff:0c:97:e1:22:88:6c:59:10
- key_secret: phabricator/phab_deploy_private_key
eventlogging:
trusted_groups:
- project-%{::labsproject}
- key_fingerprint: 02:9b:99:e2:f0:16:70:a3:d2:5a:e6:02:a3:73:0e:b0
deploy-service:
trusted_groups:
- deploy-service
- key_fingerprint: 6d:54:92:8b:39:10:f5:9b:84:40:36:ef:3c:9a:6d:d8
- key_file: servicedeploy_rsa
-
# deployment-prep scap::source declarations. These are created
# by the scap::server class. Each source listed here
diff --git a/hieradata/labs/phabricator/common.yaml
b/hieradata/labs/phabricator/common.yaml
index aa2496f..70043f3 100644
--- a/hieradata/labs/phabricator/common.yaml
+++ b/hieradata/labs/phabricator/common.yaml
@@ -2,4 +2,4 @@
deployment:
source:
key_fingerprint: '36:75:c2:fa:34:02:c8:8c:ff:30:09:aa:f7:77:96:41'
- trusted_group: 'project-phabricator'
+ trusted_groups: 'project-phabricator'
diff --git a/modules/eventlogging/manifests/deployment/target.pp
b/modules/eventlogging/manifests/deployment/target.pp
index 07a46ea..6ecd1ae 100644
--- a/modules/eventlogging/manifests/deployment/target.pp
+++ b/modules/eventlogging/manifests/deployment/target.pp
@@ -41,11 +41,10 @@
include eventlogging::dependencies
scap::target { "eventlogging/${title}":
- package_name => $package_name,
- deploy_user => 'eventlogging',
- public_key_source =>
"puppet:///modules/eventlogging/deployment/eventlogging_rsa.pub.${::realm}",
- service_name => $service_name,
- sudo_rules => $sudo_rules,
- manage_user => false,
+ package_name => $package_name,
+ deploy_user => 'eventlogging',
+ service_name => $service_name,
+ sudo_rules => $sudo_rules,
+ manage_user => false,
}
}
diff --git a/modules/keyholder/files/keyholder
b/modules/keyholder/files/keyholder
index 942bbc1..7ad7fb3 100755
--- a/modules/keyholder/files/keyholder
+++ b/modules/keyholder/files/keyholder
@@ -25,8 +25,15 @@
exit 1
}
+KEYHOLDERCONF="/etc/keyholder-auth.d/keyholder.conf"
+REQUIRE_ENCRYPTED_KEYS="yes"
+
+[ -f "$KEYHOLDERCONF" ] && source "$KEYHOLDERCONF"
+
is_valid_private_key() {
- # Check that $1 is a passphrase-protected private key file.
+ [ $REQUIRE_ENCRYPTED_KEYS == "yes" ] || return 0;
+
+ # check that $1 is a password-protected rsa private key file.
[ -f "$1" ] && /usr/bin/openssl rsa -in "$1" -check -pubout -passin pass:
2>&1 | \
/bin/grep -q "bad password"
}
@@ -45,16 +52,23 @@
SSH_AUTH_SOCK="/run/keyholder/${service}.sock" /usr/bin/ssh-add -l | sed
's/^/- /'
done
;;
+ list-keys)
+ prefers_root
+ SSH_AUTH_SOCK="/run/keyholder/agent.sock" /usr/bin/ssh-add -l | sed
's/^[0-9]* //'
+ ;;
add)
requires_root
SSH_AUTH_SOCK=/run/keyholder/agent.sock /usr/bin/sudo -u keyholder -E
/usr/bin/ssh-add "$@"
;;
arm)
requires_root
+ KEYS=""
for key in /etc/keyholder.d/*; do
+ [[ $key = *.pub ]] && continue
is_valid_private_key "$key" || ( echo "$key is not an acceptable key.
Does it have a passphrase?"; continue )
- $0 add "$key"
+ KEYS="$KEYS $key"
done
+ $0 add $KEYS
;;
disarm)
requires_root
diff --git a/modules/keyholder/files/ssh-agent-proxy
b/modules/keyholder/files/ssh-agent-proxy
index 134a8eb..2bbf4ff 100644
--- a/modules/keyholder/files/ssh-agent-proxy
+++ b/modules/keyholder/files/ssh-agent-proxy
@@ -49,6 +49,7 @@
import socket
import socketserver
import struct
+import subprocess
import sys
import syslog
@@ -88,15 +89,30 @@
return string, offset + struct.calcsize(fmt)
+def get_key_fingerprints():
+ """Look up the key fingerprints for all keys held by keyholder"""
+ keymap = {}
+ for fname in glob.glob('/etc/keyholder.d/*.pub'):
+ line = subprocess.check_output(['/usr/bin/ssh-keygen', '-lf', fname],
+ universal_newlines=True)
+ bits, fingerprint, note = line.split(' ', 2)
+ keyfile = os.path.splitext(os.path.basename(fname))[0]
+ keymap[keyfile] = fingerprint.replace(':', '')
+ return keymap
+
def get_key_perms(path):
"""Recursively walk `path`, loading YAML configuration files."""
key_perms = {}
+ fingerprints = get_key_fingerprints()
for fname in glob.glob(os.path.join(path, '*.y*ml')):
with open(fname) as yml:
for group, keys in yaml.safe_load(yml).items():
for key in keys:
- key = key.replace(':', '')
- key_perms.setdefault(key, set()).add(group)
+ if key not in fingerprints:
+ print('fingerprint not found for key %s' % key)
+ continue
+ fingerprint = fingerprints[key]
+ key_perms.setdefault(fingerprint, set()).add(group)
return key_perms
diff --git a/modules/keyholder/manifests/agent.pp
b/modules/keyholder/manifests/agent.pp
index 260545d..34ad7f5 100644
--- a/modules/keyholder/manifests/agent.pp
+++ b/modules/keyholder/manifests/agent.pp
@@ -2,40 +2,38 @@
#
# Resource for creating keyholder agents on a node
#
+# Most instances of this resource are created from hiera, see scap::server
+# and scap/server.yaml
+#
# === Parameters
#
# [*name*]
-# Used for service names, socket names, and default key name
+# This is the name of the ssh key managed by this agent. The key comes from
+# a call to secret which translates to:
+# puppet/private/modules/secret/secrets/keyholder/${name}[.pub]
#
-# [*key_file*]
-# The name of the key file stored in puppet private
-# Should exist prior to running a defined resource
+# [*ensure*]
+# Defaults to 'present', this is passed directly to the file resources
+# that this resource manages.
#
# [*trusted_groups*]
-# An array of group names or GIDs of the trusted user groups with which the
agent
-# should be shared. It is the caller's responsibility to ensure
+# An array of group names or GIDs of the trusted user groups with which the
+# agent should be shared. It is the caller's responsibility to ensure
# the groups exist.
-#
-# [*key_fingerprint*]
-# Fingerprint of the public half of the private keyfile specified
-# by $key_file
#
# === Examples
#
# keyholder::agent { 'mwdeploy':
-# key_file => 'mwdeploy_key_rsa',
-# trusted_group => ['wikidev', 'mwdeploy'],
-# key_fingerprint => '00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00'
-# require => Group['wikidev'],
+# trusted_groups => ['wikidev', 'mwdeploy'],
# }
#
define keyholder::agent(
- $key_fingerprint,
$trusted_groups = ['ops'],
- $key_file = "${name}_rsa",
- $key_content = undef,
- $key_secret = undef,
+ $ensure = 'present',
+ $key_name = $name,
) {
+ validate_ensure($ensure)
+
require ::keyholder
require ::keyholder::monitoring
@@ -46,26 +44,30 @@
$real_trusted_groups = $trusted_groups
}
- file { "/etc/keyholder-auth.d/${name}.yml":
- content => inline_template("---\n<% [*@real_trusted_groups].each do
|g| %><%= g %>: ['<%= @key_fingerprint %>']\n<% end %>"),
+ $key_name_safe = regsubst($key_name, '\W', '_', 'G')
+
+ file { "/etc/keyholder.d/${key_name_safe}":
+ ensure => $ensure,
+ content => secret("keyholder/${key_name_safe}"),
owner => 'root',
group => 'keyholder',
mode => '0440',
}
- # lint:ignore:puppet_url_without_modules
- if $key_content {
- keyholder::private_key { $key_file:
- content => $key_content,
- }
- } elsif $key_secret {
- keyholder::private_key { $key_file:
- content => secret($key_secret)
- }
- } else {
- keyholder::private_key { $key_file:
- source => "puppet:///private/ssh/tin/${key_file}",
- }
+ file { "/etc/keyholder.d/${key_name_safe}.pub":
+ ensure => $ensure,
+ content => secret("keyholder/${key_name_safe}.pub"),
+ owner => 'root',
+ group => 'keyholder',
+ mode => '0440',
}
- # lint:endignore
+
+ # generate the mapping between groups and keys. Used by ssh-agent-proxy
+ file { "/etc/keyholder-auth.d/${key_name_safe}.yml":
+ ensure => $ensure,
+ content => inline_template("---\n<%= [*@real_trusted_groups].map { |g|
\"#{g}: [#{@key_name_safe}]\" }.join(\"\\n\") %>\n"),
+ owner => 'root',
+ group => 'keyholder',
+ mode => '0440',
+ }
}
diff --git a/modules/keyholder/manifests/init.pp
b/modules/keyholder/manifests/init.pp
index 9c1f9b0..891568d 100644
--- a/modules/keyholder/manifests/init.pp
+++ b/modules/keyholder/manifests/init.pp
@@ -25,7 +25,7 @@
#
# $ SSH_AUTH_SOCK=/run/keyholder/proxy.sock ssh remote-host ...
#
-class keyholder {
+class keyholder($require_encrypted_keys='yes') {
require_package('python3', 'python3-yaml')
@@ -113,6 +113,13 @@
require => Service['keyholder-agent'],
}
+ file { '/etc/keyholder-auth.d/keyholder.conf':
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ content => "REQUIRE_ENCRYPTED_KEYS='${require_encrypted_keys}'",
+ }
+
# The `keyholder` script provides a simplified command-line
# interface for managing the agent. See `keyholder --help`.
diff --git a/modules/keyholder/manifests/private_key.pp
b/modules/keyholder/manifests/private_key.pp
deleted file mode 100644
index 5c06ebf..0000000
--- a/modules/keyholder/manifests/private_key.pp
+++ /dev/null
@@ -1,50 +0,0 @@
-# == Define: keyholder::private_key
-#
-# Provisions a private key file in /etc/keyholder.d.
-#
-# === Parameters
-#
-# [*ensure*]
-# If 'present', config will be enabled; if 'absent', disabled.
-# The default is 'present'.
-#
-# [*content*]
-# If defined, will be used as the content of the key file.
-# Undefined by default. Mutually exclusive with 'source'.
-#
-# [*source*]
-# Path to key file. Undefined by default.
-# Mutually exclusive with 'content'.
-#
-# === Examples
-#
-# keyholder::private_key { 'mwdeploy_rsa':
-# ensure => present,
-# content => secret('ssh/tin/mwdeploy_rsa'),
-# }
-#
-define keyholder::private_key(
- $ensure = present,
- $content = undef,
- $source = undef,
-) {
- validate_ensure($ensure)
-
- if $source == undef and $content == undef {
- fail('you must provide either "source" or "content"')
- }
- if $source != undef and $content != undef {
- fail('"source" and "content" are mutually exclusive')
- }
-
- $title_safe = regsubst($title, '\W', '_', 'G')
-
- file { "/etc/keyholder.d/${title_safe}":
- ensure => $ensure,
- content => $content,
- source => $source,
- owner => 'root',
- group => 'keyholder',
- mode => '0440',
- }
-}
diff --git a/modules/mediawiki/manifests/users.pp
b/modules/mediawiki/manifests/users.pp
index e92e4ce..46537ef 100644
--- a/modules/mediawiki/manifests/users.pp
+++ b/modules/mediawiki/manifests/users.pp
@@ -5,7 +5,6 @@
#
class mediawiki::users(
$web = 'www-data',
- $mwdeploy_pub_key = 'ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAACAQC/81k2eXC0lM00+kg+5+p3kAHoOwAcbBjktlM7DENrrWdvkSlJasPDtHsU0+7woyGz2hHpI0SA8eBAEngl1X7uX4w1HU/VcG6np/kVMVrXPtn+sy4JtYTEVLuGzUstoc8PNxEDKvEQS7WGNLZtrgY0xWYsd7grt5tI/8qvhHd7coT6EWOcisRVnGY20r+/IWgsREZarbiW+0CSdQS0UzBbKQX/Hv+1asfZ24Qmq+yvXc2GuP+ewAm5gh0+5dUBHt69Ocq3PwCvqEypOrwpaqTGJbjvGLyaRN+YBNwoVwwl3EICYOJVDnNr/UxmzBT9RAJMHcpj6XrYiCTL1P9MUXyP54nZGOeqodSVn/L62lCwlh92D+E9qa6QFk8ikjKUr34vSI5jmQnscfaVz0k96YZP9B3J6+FDZOC8E/3SGRONrf4Fd4EAZGLQnoSdmwDHGGiHs8cjKnj4SinMabFzE3ReMV5k+Kdp999ne/vC2aryDSgc+EIXz731FmjPFmG5mdb/obGWHtU58kAbTSxPGV38uh1xvOSaSshfhYqK14G57x0ieUxV3zSZmJ5BuN5JbthgVNkAlMEATT2S6Cw+bBY7xgsE/0Wv139y0ChmatFyNv3uVbnMMTtJTBQGz+9Qb4xWTw1mxCxR5PmNmEaNI9+o/uk8M7fNd1muQfOUQPQkBQ==
Mediawiki deployment key',
) {
# The mwdeploy account is used by various scripts in the MediaWiki
@@ -25,7 +24,7 @@
}
ssh::userkey { 'mwdeploy':
- content => $mwdeploy_pub_key,
+ content => secret('keyholder/mwdeploy.pub'),
}
# Grant mwdeploy sudo rights to run anything as itself, apache and the
diff --git a/modules/phabricator/manifests/deployment/target.pp
b/modules/phabricator/manifests/deployment/target.pp
deleted file mode 100644
index 0cf7ce4..0000000
--- a/modules/phabricator/manifests/deployment/target.pp
+++ /dev/null
@@ -1,18 +0,0 @@
-# == Class phabricator::deployment::target
-# This sets up sudo rules and the deploy_user for phabricator deployments with
-# scap3.
-
-class phabricator::deployment::target(
- $deploy_user,
- $deploy_key,
- $deploy_target= 'phabricator/deployment',
-) {
- scap::target { $deploy_target:
- deploy_user => $deploy_user,
- public_key_source => $deploy_key,
- sudo_rules => [
- 'ALL=(root) NOPASSWD: /usr/sbin/service phd *',
- 'ALL=(root) NOPASSWD: /usr/sbin/service apache2 *',
- ]
- }
-}
diff --git a/modules/phabricator/manifests/init.pp
b/modules/phabricator/manifests/init.pp
index 0d537fd..ae712f6 100644
--- a/modules/phabricator/manifests/init.pp
+++ b/modules/phabricator/manifests/init.pp
@@ -38,8 +38,6 @@
# [*deploy_target*]
# The name of the scap3 deployment repo, e.g. phabricator/deployment
#
-# [*deploy_key*]
-# The url of the public key for the deploy_user to deploy with scap
# === Examples
#
@@ -65,7 +63,6 @@
$serveralias = '',
$deploy_user = 'phab-deploy',
$deploy_target = 'phabricator/deployment',
- $deploy_key =
"puppet:///modules/phabricator/phab-deploy-key.${::realm}",
) {
$deploy_root = "/srv/deployment/${deploy_target}"
@@ -134,10 +131,13 @@
}
}
- class { '::phabricator::deployment::target':
- deploy_user => $deploy_user,
- deploy_key => $deploy_key,
- deploy_target => $deploy_target,
+ scap::target { $deploy_target:
+ deploy_user => $deploy_user,
+ key_name => 'phabricator',
+ sudo_rules => [
+ 'ALL=(root) NOPASSWD: /usr/sbin/service phd *',
+ 'ALL=(root) NOPASSWD: /usr/sbin/service apache2 *',
+ ]
}
file { $phabdir:
diff --git a/modules/role/manifests/deployment/mediawiki.pp
b/modules/role/manifests/deployment/mediawiki.pp
index 852d951..3719161 100644
--- a/modules/role/manifests/deployment/mediawiki.pp
+++ b/modules/role/manifests/deployment/mediawiki.pp
@@ -3,7 +3,6 @@
class role::deployment::mediawiki(
$keyholder_user = 'mwdeploy',
$keyholder_group = ['wikidev', 'mwdeploy'],
- $key_fingerprint = 'f5:18:a3:44:77:a2:31:23:cb:7b:44:e1:4b:45:27:11',
) {
# All needed classes for deploying mediawiki
@@ -18,7 +17,6 @@
keyholder::agent { $keyholder_user:
trusted_groups => $keyholder_group,
- key_fingerprint => $key_fingerprint,
}
# Wikitech credentials file
diff --git a/modules/role/manifests/snapshot/deployment.pp
b/modules/role/manifests/snapshot/deployment.pp
index c504ae0..c3fe5b0 100644
--- a/modules/role/manifests/snapshot/deployment.pp
+++ b/modules/role/manifests/snapshot/deployment.pp
@@ -1,7 +1,8 @@
+# Defines snapshot data dump deployment target(s)
class role::snapshot::deployment {
scap::target { 'dumps/dumps':
- deploy_user => 'datasets',
- public_key_source =>
'puppet:///modules/snapshots/deployment/dumpsdeploy_rsa.pub',
- manage_user => false,
+ deploy_user => 'datasets',
+ manage_user => false,
+ key_name => 'dumpsdeploy',
}
}
diff --git a/modules/scap/manifests/server.pp b/modules/scap/manifests/server.pp
index 5210cc1..e163efc 100644
--- a/modules/scap/manifests/server.pp
+++ b/modules/scap/manifests/server.pp
@@ -43,9 +43,7 @@
# class { 'scap::server':
# keyholder_agents => {
# 'deploy-service' => {
-# 'trusted_group' => 'deploy-service',
-# 'key_fingerprint' =>
'xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx',
-# 'key_file' => 'servicedeploy_rsa',
+# 'trusted_groups' => 'deploy-service',
# },
# },
# sources => {
diff --git a/modules/scap/manifests/target.pp b/modules/scap/manifests/target.pp
index ff3f67c..8479ca4 100644
--- a/modules/scap/manifests/target.pp
+++ b/modules/scap/manifests/target.pp
@@ -10,9 +10,13 @@
# [*deploy_user*]
# user that will be used for deployments
#
-# [*public_key_source*]
-# puppet source argument to pass to ssh::userkey for installing
-# $deploy_user's public ssh key.
+# [*key_name*]
+# The name of a keyholder ssh key used to access this deployment target.
+# This should correspond to a key which is defined in keyholder::agent
+# (which are defined by hiera data in common::scap::server)
+# Warning: If key_name is left undefined, then you must define the correct
+# ssh::userkey for your deploy_user so that scap can connect to the target
+# from the deployment server with a corresponding key in keyholder.
#
# [*service_name*]
# service name that should be allowed to be restarted via sudo by
@@ -32,20 +36,20 @@
#
# Usage:
#
-# scap::target { 'mockbase':
-# deploy_user => 'deploy-mockbase',
-# public_key_source => 'puppet://modules/mockbase/deploy-test_rsa.pub'
-# }
-#
# scap::target { 'eventlogging/eventlogging':
# deploy_user => 'eventlogging',
-# public_key_source =>
"puppet:///modules/eventlogging/deployment/eventlogging_rsa.pub.${::realm}",
+# }
+#
+#
+# scap::target { 'dumps/dumps':
+# deploy_user => 'datasets',
# manage_user => false,
+# key_name => 'dumps',
# }
#
define scap::target(
$deploy_user,
- $public_key_source,
+ $key_name = $deploy_user,
$service_name = undef,
$package_name = $title,
$manage_user = true,
@@ -55,27 +59,33 @@
include scap
include scap::ferm
- if $manage_user and !defined(Group[$deploy_user]) {
- group { $deploy_user:
- ensure => present,
- system => true,
- before => User[$deploy_user],
+ if $manage_user
+ {
+ if !defined(Group[$deploy_user]) {
+ group { $deploy_user:
+ ensure => present,
+ system => true,
+ before => User[$deploy_user],
+ }
}
- } else {
- Group[$deploy_user] -> Scap::Target[$title]
+ if !defined(User[$deploy_user]) {
+ user { $deploy_user:
+ ensure => present,
+ shell => '/bin/bash',
+ home => '/var/lib/scap',
+ system => true,
+ managehome => true,
+ }
+ }
+ if !defined(Ssh::Userkey[$deploy_user]) {
+ ssh::userkey { $deploy_user:
+ ensure => 'present',
+ content => secret("keyholder/${key_name}.pub"),
+ }
+ }
}
- if $manage_user and !defined(User[$deploy_user]) {
- user { $deploy_user:
- ensure => present,
- shell => '/bin/bash',
- home => '/var/lib/scap',
- system => true,
- managehome => true,
- }
- } else {
- User[$deploy_user] -> Scap::Target[$title]
- }
+
if $::realm == 'labs' {
if !defined(Security::Access::Config["scap-allow-${deploy_user}"]) {
@@ -96,12 +106,6 @@
owner => $deploy_user}],
provider => 'scap3',
require => [Package['scap'], User[$deploy_user]],
- }
-
- if !defined(Ssh::Userkey[$deploy_user]) {
- ssh::userkey { $deploy_user:
- source => $public_key_source,
- }
}
# XXX: Temporary work-around for switching services from Trebuchet to Scap3
diff --git a/modules/service/manifests/deploy/scap.pp
b/modules/service/manifests/deploy/scap.pp
index 4778d7a..85c8017 100644
--- a/modules/service/manifests/deploy/scap.pp
+++ b/modules/service/manifests/deploy/scap.pp
@@ -3,14 +3,9 @@
# Creates user and permissions for deploy user
# on service hosts
#
-# === Parameters
+# Deprecated: you should use scap::target directly instead of this wrapper.
#
-# [*public_key_file*]
-# This is the public_key for the deploy-service user. The private part of
this
-# key should reside in the private puppet repo for the environment. By
default
-# this public key is set to the deploy-service user's public key for
production
-# private puppet. It should be overwritten using hiera in non-production
-# environements.
+# === Parameters
#
# [*user*]
# the user to create for deployment
@@ -20,15 +15,14 @@
# user. Default: undef.
#
define service::deploy::scap(
- $public_key_file = 'puppet:///modules/service/servicedeploy_rsa.pub',
$user = 'deploy-service',
$service_name = undef,
$manage_user = false,
) {
+ warning('service::deploy::scap is deprecated. Use scap::target instead')
scap::target { $title:
- public_key_source => $public_key_file,
- deploy_user => $user,
- service_name => $service_name,
- manage_user => $manage_user,
+ deploy_user => $user,
+ service_name => $service_name,
+ manage_user => $manage_user,
}
}
diff --git a/modules/service/manifests/node.pp
b/modules/service/manifests/node.pp
index f39337a..8308e87 100644
--- a/modules/service/manifests/node.pp
+++ b/modules/service/manifests/node.pp
@@ -72,7 +72,8 @@
# crashes. Default: true
#
# [*deployment*]
-# If this value is set to 'scap3' then deploy via scap3, otherwise, use
trebuchet
+# If this value is set to 'scap3' then deploy via scap3, otherwise,
+# use trebuchet
# Default: undef
#
# [*deployment_user*]
@@ -126,9 +127,9 @@
case $deployment {
'scap3': {
if ! defined(Service::Deploy::Trebuchet[$repo]) {
- service::deploy::scap{ $repo:
+ scap::target { $repo:
service_name => $title,
- user => $deployment_user,
+ deploy_user => $deployment_user,
before => Base::Service_unit[$title],
manage_user => true,
}
diff --git a/modules/service/manifests/uwsgi.pp
b/modules/service/manifests/uwsgi.pp
index 3f97ae9..0857f4e 100644
--- a/modules/service/manifests/uwsgi.pp
+++ b/modules/service/manifests/uwsgi.pp
@@ -70,9 +70,9 @@
$deployment_user = 'deploy-service',
$deployment_manage_user = true,
) {
- service::deploy::scap { $repo:
+ scap::target { $repo:
service_name => $title,
- user => $deployment_user,
+ deploy_user => $deployment_user,
before => Uwsgi::App[$title],
manage_user => $deployment_manage_user,
}
diff --git a/modules/zotero/manifests/init.pp b/modules/zotero/manifests/init.pp
index 85537c5..d7541b9 100644
--- a/modules/zotero/manifests/init.pp
+++ b/modules/zotero/manifests/init.pp
@@ -34,17 +34,15 @@
}
scap::target { 'zotero/translators':
- deploy_user => 'deploy-service',
- public_key_source => 'puppet:///modules/service/servicedeploy_rsa.pub',
- service_name => 'zotero',
- before => Service['zotero'],
+ deploy_user => 'deploy-service',
+ service_name => 'zotero',
+ before => Service['zotero'],
}
scap::target { 'zotero/translation-server':
- deploy_user => 'deploy-service',
- public_key_source => 'puppet:///modules/service/servicedeploy_rsa.pub',
- service_name => 'zotero',
- before => Service['zotero'],
+ deploy_user => 'deploy-service',
+ service_name => 'zotero',
+ before => Service['zotero'],
}
#
/srv/deployment/zotero/translation-server/defaults/preferences/defaults.js
--
To view, visit https://gerrit.wikimedia.org/r/289236
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: Id298a3e0f12e31afd7ea83970e192330ffbd4243
Gerrit-PatchSet: 30
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: 20after4 <mmod...@wikimedia.org>
Gerrit-Reviewer: 20after4 <mmod...@wikimedia.org>
Gerrit-Reviewer: Alexandros Kosiaris <akosia...@wikimedia.org>
Gerrit-Reviewer: Dzahn <dz...@wikimedia.org>
Gerrit-Reviewer: Faidon Liambotis <fai...@wikimedia.org>
Gerrit-Reviewer: Filippo Giunchedi <fgiunch...@wikimedia.org>
Gerrit-Reviewer: Mobrovac <mobro...@wikimedia.org>
Gerrit-Reviewer: Ori.livneh <o...@wikimedia.org>
Gerrit-Reviewer: Thcipriani <tcipri...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>
_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
