Alex Monk has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/303757

Change subject: [WIP] puppetmaster: Attempt to kill is_labs_master
......................................................................

[WIP] puppetmaster: Attempt to kill is_labs_master

Change-Id: I0f2a7e9979b92c48cf0dbbf5b95b4188b87288ce
---
M hieradata/common.yaml
M modules/puppetmaster/manifests/gitclone.pp
M modules/puppetmaster/manifests/init.pp
M modules/puppetmaster/templates/auth-master.conf.erb
M modules/role/manifests/labs/puppetmaster.pp
5 files changed, 31 insertions(+), 26 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/57/303757/1

diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 0609bdd..a9ae782 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -5,6 +5,13 @@
   - esams
   - ulsfo
 
+puppetmaster::extra_auth_rules: |-
+  # Temporary allow rhodium to compile all the catalogs while testing
+  # allow nodes to retrieve their own catalog
+  path ~ ^/catalog/([^/]+)$
+  method find
+  allow rhodium.eqiad.wmnet
+
 # Main statsd instance
 statsd: statsd.eqiad.wmnet:8125
 
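Review bot: The rhodium catalog rule moves from inside the `^/catalog/` ACL, where the template hunk at L144–L158 drops it, to the `extra_auth_rules` block, which the template renders after all of the built-in ACLs. If auth.conf applies the first ACL whose path matches, as I believe Puppet's does, the earlier `path ~ ^/catalog/([^/]+)$` / `allow $1` ACL will match first and deny rhodium before this copy is reached, so the effect would be to remove rhodium's catalog access rather than preserve it; worth confirming on a test master. The copied comment `# allow nodes to retrieve their own catalog` describes `allow $1`, which is not part of this block — `# allow rhodium to fetch any node's catalog (temporary, while testing)` would state what the rule actually grants. Because this lives in common.yaml it becomes the default for every `puppetmaster` declaration that does not pass `extra_auth_rules` explicitly, which deserves a line in the same comment.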
diff --git a/modules/puppetmaster/manifests/gitclone.pp 
b/modules/puppetmaster/manifests/gitclone.pp
index 879e632..05b5cff 100644
--- a/modules/puppetmaster/manifests/gitclone.pp
+++ b/modules/puppetmaster/manifests/gitclone.pp
@@ -3,8 +3,9 @@
 # This class handles the repositories from which the puppetmasters pull
 #
 # === Parameters
-# [*is_labs_master*]
-# Differentiates production and labs masters
+# [*secure_private*]
+# If false, /etc/puppet/private will be labs/private.git.
+# Otherwise, some magic is done to have local repositories and sync between 
puppetmasters.
 #
 # [*is_git_master*]
 # If True, the git private repository here will be considered a master.
@@ -13,7 +14,7 @@
 # For servers that are a master for the private repo, a list of hosts to 
replicate to
 #
 class puppetmaster::gitclone(
-    $is_labs_master = false,
+    $secure_private = true,
     $is_git_master = false,
     $replicate_to = undef,
     ){
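Review bot: `$secure_private` now gates the private-repo handling (the `if $secure_private` at L74), but nothing checks that callers pass a boolean; a non-boolean value coming in through hiera would be judged by Puppet's truthiness rules instead of being rejected. If puppetlabs-stdlib is available to this module, `validate_bool($secure_private)` as the first statement of the class body would make a wrong type fail at compile time. The parameter list ends here but the class body continues outside the hunk.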
@@ -72,7 +73,7 @@
             mode    => '0640';
     }
 
-    if ! $is_labs_master {
+    if $secure_private {
         # Set up private repo.
         # Note that puppet does not actually clone the repo -- puppetizing that
         # turns out to be a big, insecure mess.
diff --git a/modules/puppetmaster/manifests/init.pp 
b/modules/puppetmaster/manifests/init.pp
index 70b2a2f..ae63753 100644
--- a/modules/puppetmaster/manifests/init.pp
+++ b/modules/puppetmaster/manifests/init.pp
@@ -24,6 +24,8 @@
 #        Specifies which file to use for hiera.yaml.  Defaults to $::realm
 #    - $is_git_master:
 #        If True, the git private repository here will be considered a master
+#    - $extra_auth_rules:
+#        Extra authentication rules to add before the default policy.
 
 class puppetmaster(
             $server_name='puppet',
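Review bot: The parameter header documents the new `$extra_auth_rules` but not the new `$secure_private` added in the next hunk (L99), so the class comment no longer lists every parameter. I would add, next to the `$is_git_master` entry, `#    - $secure_private:` followed by `#        If false, /etc/puppet/private is cloned from labs/private.git; passed through to puppetmaster::gitclone.`, which matches the wording in gitclone.pp. Mentioning that `$extra_auth_rules` is inserted verbatim into auth.conf would also help readers judge what may be placed there.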
@@ -40,9 +42,10 @@
                 '*.esams.wmnet',
                 '*.codfw.wmnet',
             ],
-            $is_labs_master=false,
             $is_git_master=false,
             $hiera_config=$::realm,
+            $secure_private=true,
+            $extra_auth_rules='',
     ){
 
     $gitdir = '/var/lib/git'
@@ -108,7 +111,7 @@
     }
 
     class { 'puppetmaster::gitclone':
-        is_labs_master => $is_labs_master,
+        secure_private => $secure_private,
         is_git_master  => $is_git_master,
         replicate_to   => $workers,
     }
@@ -118,14 +121,6 @@
     include puppetmaster::gitpuppet
     include puppetmaster::monitoring
 
-    if $is_labs_master {
-        # This is required for the mwyaml hiera backend
-        require_package('ruby-httpclient')
-
-        # This variable is used by the auth.conf template
-        $horizon_host = hiera('labs_horizon_host')
-    }
-
     file { '/etc/puppet/auth.conf':
         owner   => 'root',
         group   => 'root',
@@ -133,6 +128,10 @@
         content => template('puppetmaster/auth-master.conf.erb'),
     }
 
+    if $hiera_config == "labs" || $hiera_config == "labtest" {
+        # This is required for the mwyaml hiera backend
+        require_package('ruby-httpclient')
+    }
     class { '::puppetmaster::hiera':
         source => "puppet:///modules/puppetmaster/${hiera_config}.hiera.yaml",
     }
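Review bot: The new condition uses double-quoted strings with nothing to interpolate and repeats the comparison; `if $hiera_config in ['labs', 'labtest'] {` says the same thing more compactly and keeps puppet-lint quiet. The closing brace at L135 is also followed directly by `class { '::puppetmaster::hiera':` with no blank line, unlike the surrounding blocks. Note that the package is now keyed on the hiera config name rather than an explicit flag, so a labs master with a differently named hiera config would silently lose ruby-httpclient; a short comment recording that assumption would help.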
diff --git a/modules/puppetmaster/templates/auth-master.conf.erb 
b/modules/puppetmaster/templates/auth-master.conf.erb
index d00cca7..51b62a0 100644
--- a/modules/puppetmaster/templates/auth-master.conf.erb
+++ b/modules/puppetmaster/templates/auth-master.conf.erb
@@ -61,13 +61,9 @@
 
 ### Authenticated ACLs - these rules apply only when the client
 ### has a valid certificate and is thus authenticated
-<% if @is_labs_master != true %>
-# Temporary allow rhodium to compile all the catalogs while testing<% end %>
-# allow nodes to retrieve their own catalog
 path ~ ^/catalog/([^/]+)$
 method find
-allow $1<% if @is_labs_master != true %>
-allow rhodium.eqiad.wmnet<% end %>
+allow $1
 
 # allow nodes to retrieve their own node definition
 path ~ ^/node/([^/]+)$
@@ -113,12 +109,9 @@
 auth any
 method find, save
 allow *
-<% if @is_labs_master %>
-# Allow Horizon to ask the puppetmaster about available roles
-path /resource_type
-auth any
-allow <%= @horizon_host %>
-<% end %>
+
+<%- @extra_auth_rules -%>
+
 # deny everything else; this ACL is not strictly necessary, but
 # illustrates the default policy.
 path /
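Review bot: `<%- @extra_auth_rules -%>` is an ERB scriptlet tag, which evaluates the expression and discards its value, so nothing from `extra_auth_rules` is written to auth.conf; the Horizon `/resource_type` rule on labs and the rhodium rule on production would be silently absent and fall through to the deny-all `path /` below. It should be an output tag, `<%= @extra_auth_rules %>`. Since the default for the parameter is the empty string, a guard such as `<% unless @extra_auth_rules.empty? %>` around the block would avoid leaving stray blank lines in the rendered file.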
diff --git a/modules/role/manifests/labs/puppetmaster.pp 
b/modules/role/manifests/labs/puppetmaster.pp
index c394c2a..f110d03 100644
--- a/modules/role/manifests/labs/puppetmaster.pp
+++ b/modules/role/manifests/labs/puppetmaster.pp
@@ -10,6 +10,7 @@
     $basedn = $ldapconfig['basedn']
     $novaconfig = hiera_hash('novaconfig', {})
     $labs_instance_range = $novaconfig['fixed_range']
+    $horizon_host = hiera('labs_horizon_host')
     $horizon_host_ip = ipresolve(hiera('labs_horizon_host'), 4)
 
 
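Review bot: The new `$horizon_host` assignment duplicates the `hiera('labs_horizon_host')` lookup that the next line still performs inline; `$horizon_host_ip = ipresolve($horizon_host, 4)` would use the variable just introduced and keep the two values guaranteed to agree.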
@@ -19,7 +20,11 @@
     class { '::puppetmaster':
         server_name    => hiera('labs_puppet_master'),
         allow_from     => $allow_from,
-        is_labs_master => true,
+        secure_private => false,
+        extra_auth_rules => "# Allow Horizon to ask the puppetmaster about 
available roles
+path /resource_type
+auth any
+allow ${horizon_host}"
         config         => {
             'thin_storeconfigs' => false,
             'node_terminus'     => 'ldap',
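Review bot: The `extra_auth_rules` value closes with `allow ${horizon_host}"` and no trailing comma before the `config => {` attribute on the next line, which is a parse error in a resource-like class declaration; it should read `allow ${horizon_host}",`. Embedding a multi-line auth.conf fragment as a quoted string in the role also breaks the arrow alignment of the other attributes and is hard to read; moving it to the labs hieradata as `puppetmaster::extra_auth_rules`, mirroring what this change does for production in common.yaml, would keep both masters configured the same way. The class declaration continues past the end of the hunk.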


Gerrit-MessageType: newchange
Gerrit-Change-Id: I0f2a7e9979b92c48cf0dbbf5b95b4188b87288ce
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Alex Monk <a...@wikimedia.org>
