Alex Monk has uploaded a new change for review. https://gerrit.wikimedia.org/r/303757
Change subject: [WIP] puppetmaster: Attempt to kill is_labs_master ...................................................................... [WIP] puppetmaster: Attempt to kill is_labs_master Change-Id: I0f2a7e9979b92c48cf0dbbf5b95b4188b87288ce --- M hieradata/common.yaml M modules/puppetmaster/manifests/gitclone.pp M modules/puppetmaster/manifests/init.pp M modules/puppetmaster/templates/auth-master.conf.erb M modules/role/manifests/labs/puppetmaster.pp 5 files changed, 31 insertions(+), 26 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/57/303757/1
diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 0609bdd..a9ae782 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -5,6 +5,13 @@ - esams - ulsfo +puppetmaster::extra_auth_rules: |- + # Temporary allow rhodium to compile all the catalogs while testing + # allow nodes to retrieve their own catalog + path ~ ^/catalog/([^/]+)$ + method find + allow rhodium.eqiad.wmnet + # Main statsd instance statsd: statsd.eqiad.wmnet:8125
diff --git a/modules/puppetmaster/manifests/gitclone.pp b/modules/puppetmaster/manifests/gitclone.pp
index 879e632..05b5cff 100644
--- a/modules/puppetmaster/manifests/gitclone.pp
+++ b/modules/puppetmaster/manifests/gitclone.pp
@@ -3,8 +3,9 @@
 # This class handles the repositories from which the puppetmasters pull
 #
 # === Parameters
-# [*is_labs_master*]
-# Differentiates production and labs masters
+# [*secure_private*]
+# If false, /etc/puppet/private will be labs/private.git.
+# Otherwise, some magic is done to have local repositories and sync between puppetmasters.
 #
 # [*is_git_master*]
 # If True, the git private repository here will be considered a master.
@@ -13,7 +14,7 @@
 # For servers that are a master for the private repo, a list of hosts to replicate to
 #
 class puppetmaster::gitclone(
- $is_labs_master = false,
+ $secure_private = true,
 $is_git_master = false,
 $replicate_to = undef,
 ){
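Review bot: The rhodium grant placed in `puppetmaster::extra_auth_rules` is unlikely to take effect, because the template inserts the extra rules after the existing `path ~ ^/catalog/([^/]+)$` / `method find` / `allow $1` rule, and as far as I can tell the puppetmaster's auth.conf applies the first rule whose path and method match, so a request from rhodium for another node's catalog is denied by that earlier rule before this block is ever consulted. The removed template code avoided this by adding `allow rhodium.eqiad.wmnet` to the same rule, which a later duplicate rule cannot reproduce; if the temporary grant is still needed it has to stay on the existing catalog rule, or the extra rules have to be rendered before it. The `# allow nodes to retrieve their own catalog` comment copied into this block describes the per-node rule in the template, not this grant, and should be dropped here. Since this value is pasted verbatim into the authorization policy of every puppetmaster that does not override it, a comment noting that it must be valid auth.conf ACL text would help the next editor.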
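Review bot: The new `secure_private` documentation in the first gitclone.pp hunk says "some magic is done" for the true case, which leaves the default behaviour undescribed; the body guarded by `if $secure_private` later in this change sets up the private repo locally rather than cloning it, so the doc should say that. Suggested wording: `#   If true (the default), /etc/puppet/private is set up as a locally managed private repo that is synced between puppetmasters; if false it is a clone of labs/private.git.` Note that the rename also inverts the sense of the old flag (`is_labs_master = false` becomes `secure_private = true`), so any other declaration of this class still passing `is_labs_master` would now fail with an unknown parameter; worth grepping for before merging.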
@@ -72,7 +73,7 @@ mode => '0640'; } - if ! $is_labs_master { + if $secure_private { # Set up private repo. # Note that puppet does not actually clone the repo -- puppetizing that # turns out to be a big, insecure mess. diff --git a/modules/puppetmaster/manifests/init.pp b/modules/puppetmaster/manifests/init.pp index 70b2a2f..ae63753 100644 --- a/modules/puppetmaster/manifests/init.pp +++ b/modules/puppetmaster/manifests/init.pp @@ -24,6 +24,8 @@ # Specifies which file to use for hiera.yaml. Defaults to $::realm # - $is_git_master: # If True, the git private repository here will be considered a master +# - $extra_auth_rules: +# Extra authentication rules to add before the default policy. class puppetmaster( $server_name='puppet', @@ -40,9 +42,10 @@ '*.esams.wmnet', '*.codfw.wmnet', ], - $is_labs_master=false, $is_git_master=false, $hiera_config=$::realm, + $secure_private=true, + $extra_auth_rules='', ){ $gitdir = '/var/lib/git' @@ -108,7 +111,7 @@ } class { 'puppetmaster::gitclone': - is_labs_master => $is_labs_master, + secure_private => $secure_private, is_git_master => $is_git_master, replicate_to => $workers, } @@ -118,14 +121,6 @@ include puppetmaster::gitpuppet include puppetmaster::monitoring - if $is_labs_master { - # This is required for the mwyaml hiera backend - require_package('ruby-httpclient') - - # This variable is used by the auth.conf template - $horizon_host = hiera('labs_horizon_host') - } - file { '/etc/puppet/auth.conf': owner => 'root', group => 'root', @@ -133,6 +128,10 @@ content => template('puppetmaster/auth-master.conf.erb'), } + if $hiera_config == "labs" || $hiera_config == "labtest" { + # This is required for the mwyaml hiera backend + require_package('ruby-httpclient') + } class { '::puppetmaster::hiera': source => "puppet:///modules/puppetmaster/${hiera_config}.hiera.yaml", } diff --git a/modules/puppetmaster/templates/auth-master.conf.erb b/modules/puppetmaster/templates/auth-master.conf.erb index d00cca7..51b62a0 100644 
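Review bot: The new parameter doc in the first init.pp hunk describes `$extra_auth_rules` as "authentication rules", but the value ends up in auth.conf as ACLs, i.e. authorization, and it is inserted verbatim, so callers need to know it must be syntactically valid auth.conf text. Suggested comment: `# - $extra_auth_rules:` followed by `#   Raw auth.conf ACL text (authorization, not authentication), inserted verbatim before the final deny-all rule; must be valid auth.conf syntax.` The `class puppetmaster(` header this documents is partly outside the hunk.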
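Review bot: The `if $hiera_config == "labs" || $hiera_config == "labtest"` check in the last init.pp hunk uses double-quoted strings with no interpolation, which puppet-lint flags; `if $hiera_config == 'labs' or $hiera_config == 'labtest' {` is the conventional form. More importantly, installing `ruby-httpclient` was previously tied to the master being a labs master and is now tied to the hiera config name, which is a different condition; a labs master whose `hiera_config` is set to anything else would silently lose the package the mwyaml backend needs, so it is worth confirming this coupling is intended and saying so in the comment. The enclosing `file { '/etc/puppet/auth.conf': ... }` and class body extend outside the hunk.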
--- a/modules/puppetmaster/templates/auth-master.conf.erb +++ b/modules/puppetmaster/templates/auth-master.conf.erb @@ -61,13 +61,9 @@ ### Authenticated ACLs - these rules apply only when the client ### has a valid certificate and is thus authenticated -<% if @is_labs_master != true %> -# Temporary allow rhodium to compile all the catalogs while testing<% end %> -# allow nodes to retrieve their own catalog path ~ ^/catalog/([^/]+)$ method find -allow $1<% if @is_labs_master != true %> -allow rhodium.eqiad.wmnet<% end %> +allow $1 # allow nodes to retrieve their own node definition path ~ ^/node/([^/]+)$ @@ -113,12 +109,9 @@ auth any method find, save allow * -<% if @is_labs_master %> -# Allow Horizon to ask the puppetmaster about available roles -path /resource_type -auth any -allow <%= @horizon_host %> -<% end %> + +<%- @extra_auth_rules -%> + # deny everything else; this ACL is not strictly necessary, but # illustrates the default policy. path / diff --git a/modules/role/manifests/labs/puppetmaster.pp b/modules/role/manifests/labs/puppetmaster.pp index c394c2a..f110d03 100644 --- a/modules/role/manifests/labs/puppetmaster.pp +++ b/modules/role/manifests/labs/puppetmaster.pp @@ -10,6 +10,7 @@ $basedn = $ldapconfig['basedn'] $novaconfig = hiera_hash('novaconfig', {}) $labs_instance_range = $novaconfig['fixed_range'] + $horizon_host = hiera('labs_horizon_host') $horizon_host_ip = ipresolve(hiera('labs_horizon_host'), 4) 
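Review bot: The first auth-master.conf.erb hunk removes the `# allow nodes to retrieve their own catalog` comment together with the rhodium lines, leaving the surviving `path ~ ^/catalog/([^/]+)$` rule undocumented, while the same comment now sits in hieradata above a rule it does not describe. Keep `# allow nodes to retrieve their own catalog` as the line immediately above the `path ~ ^/catalog/([^/]+)$` rule here; only the `<% if @is_labs_master ... %>` lines and the rhodium `allow` need to go.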
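Review bot: `<%- @extra_auth_rules -%>` in the second auth-master.conf.erb hunk is an ERB code tag, not an output tag, so it evaluates the variable and prints nothing; none of the extra rules introduced by this change (the rhodium grant from common.yaml, the Horizon `/resource_type` rule from the labs role) would actually reach auth.conf, and Horizon's `/resource_type` requests would fall through to the final `path /` deny. The line should be `<%= @extra_auth_rules %>`. Because the value is inserted verbatim into the authorization policy, a comment above it such as `# Extra ACLs supplied verbatim via the extra_auth_rules class parameter; must be valid auth.conf syntax` would also help whoever edits the hiera value next.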
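Review bot: With `$horizon_host = hiera('labs_horizon_host')` now declared in the labs puppetmaster role, the very next line still calls `hiera('labs_horizon_host')` a second time; `$horizon_host_ip = ipresolve($horizon_host, 4)` avoids the duplicate lookup and keeps the hostname in the ACL and the resolved IP guaranteed to come from the same value. The enclosing class starts outside the hunk.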
@@ -19,7 +20,11 @@
 class { '::puppetmaster':
 server_name => hiera('labs_puppet_master'),
 allow_from => $allow_from,
- is_labs_master => true,
+ secure_private => false,
+ extra_auth_rules => "# Allow Horizon to ask the puppetmaster about available roles
+path /resource_type
+auth any
+allow ${horizon_host}"
 config => {
 'thin_storeconfigs' => false,
 'node_terminus' => 'ldap',
--
To view, visit https://gerrit.wikimedia.org/r/303757 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I0f2a7e9979b92c48cf0dbbf5b95b4188b87288ce Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Alex Monk <a...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
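Review bot: The `extra_auth_rules => "..."` value in this hunk has no trailing comma after the closing `"` before `config => {`, so the manifest will fail to parse. Change the last line of the string to `allow ${horizon_host}",`. Embedding a four-line auth.conf fragment as a multi-line double-quoted string inside the resource declaration is also hard to read and easy to break; since the rule is static apart from `${horizon_host}`, rendering it from a small template or a hiera value would keep ACL text out of the manifest. The `class { '::puppetmaster': ... }` declaration continues outside the hunk.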