Yuvipanda has submitted this change and it was merged.

Change subject: labs: Add a standalone puppetmaster role
......................................................................


labs: Add a standalone puppetmaster role

- Uses the puppetmaster module rather than the puppet module.
- Based off the labs puppetmaster code, but much simplified
- Uses apache + mod_passenger like prod rather than the default
  WEBrick server
- Probably does not support precise! Should work on trusty &
  jessie.
- Is standalone puppetmaster, does not support replication /
  HA like the prod puppetmasters

DEATH TO THE PUPPET MODULE

Bug: T120159
Change-Id: I5f11761bdd2a1f292d3d061363fa53346d1eb768
---
M modules/puppetmaster/manifests/gitclone.pp
M modules/puppetmaster/manifests/gitsync.pp
M modules/puppetmaster/manifests/init.pp
A modules/role/manifests/puppetmaster/standalone.pp
4 files changed, 69 insertions(+), 4 deletions(-)

Approvals:
  Yuvipanda: Verified; Looks good to me, approved



diff --git a/modules/puppetmaster/manifests/gitclone.pp 
b/modules/puppetmaster/manifests/gitclone.pp
index f7a240d..2929ba1 100644
--- a/modules/puppetmaster/manifests/gitclone.pp
+++ b/modules/puppetmaster/manifests/gitclone.pp
@@ -187,9 +187,22 @@
                 force  => true;
         }
     } else {
+        file { '/var/lib/git/labs':
+            ensure => directory,
+            owner  => 'gitpuppet',
+            group  => 'gitpuppet',
+            mode   => '0755',
+        }
+
+        git::clone { 'labs/private':
+            require   => File["${puppetmaster::gitdir}/labs"],
+            owner     => 'gitpuppet',
+            directory => "${puppetmaster::gitdir}/labs/private",
+        }
+
         file { '/etc/puppet/private':
             ensure => link,
-            target => "${puppetmaster::gitdir}/operations/labs/private",
+            target => "${puppetmaster::gitdir}/labs/private",
             force  => true,
         }
     }
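Review bot: The new `file` resource is titled with the literal '/var/lib/git/labs', while the `require` on `git::clone { 'labs/private': }` refers to `File["${puppetmaster::gitdir}/labs"]`; the two name the same resource only as long as `$gitdir` stays '/var/lib/git'. Title it `file { "${puppetmaster::gitdir}/labs":` so the dependency keeps resolving if the path ever changes. The clone of labs/private sets an owner but no group or mode, and its parent directory is 0755, so it is worth confirming that the defaults of `git::clone` (not visible here) do not leave the private checkout readable by other local users on the master. The enclosing if/else starts outside the hunk.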
diff --git a/modules/puppetmaster/manifests/gitsync.pp 
b/modules/puppetmaster/manifests/gitsync.pp
index e19da77..2cc2265 100644
--- a/modules/puppetmaster/manifests/gitsync.pp
+++ b/modules/puppetmaster/manifests/gitsync.pp
@@ -1,7 +1,6 @@
 # == Class: puppetmaster::gitsync
 #
 # Sync local operations/puppet.git checkout with upstream.
-# Meant for use with local puppetmasters.
 class puppetmaster::gitsync(
     $run_every_minutes = '10',
 ) {
diff --git a/modules/puppetmaster/manifests/init.pp 
b/modules/puppetmaster/manifests/init.pp
index dc2a8ca..6525d9a 100644
--- a/modules/puppetmaster/manifests/init.pp
+++ b/modules/puppetmaster/manifests/init.pp
@@ -49,6 +49,7 @@
     $hiera_config=$::realm,
     $secure_private=true,
     $extra_auth_rules='',
+    $include_conftool=true,
 ){
 
     $gitdir = '/var/lib/git'
@@ -164,6 +165,8 @@
         source => "puppet:///modules/puppetmaster/${hiera_config}.hiera.yaml",
     }
 
-    # This is required for the conftool perser function
-    include ::conftool
+    if $include_conftool {
+        # This is required for the conftool perser function
+        include ::conftool
+    }
 }
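Review bot: The comment moved inside the new `if $include_conftool` block still reads "perser", and nothing in the visible hunks documents the new parameter. I would reword it to `# Required for the conftool parser function; disable only where no compiled manifest calls it` and add an `include_conftool` entry to the class parameter documentation, which lies above the first hunk. With the flag off, a catalog that calls the conftool function would presumably fail to compile on that master, so the parameter doc should say so.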
diff --git a/modules/role/manifests/puppetmaster/standalone.pp 
b/modules/role/manifests/puppetmaster/standalone.pp
new file mode 100644
index 0000000..00ee13b
--- /dev/null
+++ b/modules/role/manifests/puppetmaster/standalone.pp
@@ -0,0 +1,50 @@
+# = Class: role::puppetmaster::standalone
+#
+# Sets up a standalone puppetmaster, without frontend/backend
+# separation.
+#
+# Useful only in labs.
+#
+# == Parameters
+#
+# [*autosign*]
+#  Set to true to have puppetmaster automatically accept all
+#  certificate signing requests. Note that if you want to
+#  keep any secrets secure in your puppetmaster, you *can not*
+#  use this, and will have to sign manually.
+class role::puppetmaster::standalone(
+    $autosign = false,
+) {
+    include ldap::role::config::labs
+
+    $ldapconfig = $ldap::role::config::labs::ldapconfig
+    $basedn = $ldapconfig['basedn']
+
+    $encconfig = {
+        'ldapserver'    => $ldapconfig['servernames'][0],
+        'ldapbase'      => "ou=hosts,${basedn}",
+        'ldapstring'    => 
'(&(objectclass=puppetClient)(associatedDomain=%s))',
+        'ldapuser'      => $ldapconfig['proxyagent'],
+        'ldappassword'  => $ldapconfig['proxypass'],
+        'ldaptls'       => true,
+        'node_terminus' => 'ldap'
+    }
+
+    # Allow access from everywhere! Use certificates to
+    # control access
+    $allow_from = ['10.0.0.0/8']
+
+    class { '::puppetmaster':
+        server_name      => $::fqdn,
+        allow_from       => $allow_from,
+        secure_private   => false,
+        include_conftool => false,
+        config           => merge($encconfig, {
+            'thin_storeconfigs' => false,
+            'autosign'          => $autosign,
+        })
+    }
+
+    # Update git checkout
+    include ::puppetmaster::gitsync
+}
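Review bot: The comment above `$allow_from` says "Allow access from everywhere", but the value is `['10.0.0.0/8']`, and the class hard-codes `secure_private => false`, so client certificates are the only access control on a master that is configured with the LDAP proxy password. The comment should state the real scope and the consequence, e.g. `# Accept agents from all of 10.0.0.0/8; certificates are the only access control, so keep autosign off if this master serves secrets`. Because `$autosign` is merged straight into the puppet config, a `validate_bool($autosign)` at the top of the class would catch a stray string being passed in, assuming only true/false is meant to be supported as the parameter doc suggests. The hash literal also lacks a trailing comma after `'node_terminus' => 'ldap'`, unlike the other resources in this change.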

-- 
To view, visit https://gerrit.wikimedia.org/r/311163

Gerrit-MessageType: merged
Gerrit-Change-Id: I5f11761bdd2a1f292d3d061363fa53346d1eb768
Gerrit-PatchSet: 11
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Yuvipanda <yuvipa...@wikimedia.org>
Gerrit-Reviewer: Yuvipanda <yuvipa...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>
