system-config/modules/openstack_project/manifests/puppetmaster.pp

# == Class: openstack_project::puppetmaster
#
class openstack_project::puppetmaster (
  $root_rsa_key = 'xxx',
) {
  include logrotate

  cron { 'updatecloudlauncher':
    ensure => absent,
  }

  logrotate::file { 'updatecloudlauncher':
    ensure  => present,
    log     => '/var/log/puppet_run_cloud_launcher.log',
    options => ['compress',
      'copytruncate',
      'delaycompress',
      'missingok',
      'rotate 7',
      'daily',
      'notifempty',
    ],
  }

# Cloud credentials are stored in this directory for launch-node.py.
  file { '/root/ci-launch':
    ensure => directory,
    owner  => 'root',
    group  => 'admin',
    mode   => '0750',
  }

  # For signing key management
  package { 'gnupg':
    ensure => present,
  }
  package { 'gnupg-curl':
    ensure => present,
  }
  file { '/root/signing.gnupg':
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0700',
  }
  file { '/root/signing.gnupg/gpg.conf':
    ensure  => present,
    owner   => 'root',
    group   => 'root',
    mode    => '0400',
    source  => 'puppet:///modules/openstack_project/puppetmaster/signing.conf',
    require => File['/root/signing.gnupg'],
  }
  file { '/root/signing.gnupg/sks-keyservers.netCA.pem':
    ensure  => present,
    owner   => 'root',
    group   => 'root',
    mode    => '0400',
    source  => 'puppet:///modules/openstack_project/puppetmaster/sks-ca.pem',
    require => File['/root/signing.gnupg'],
  }

  # Certificate Authority for zuul services.
  file { '/etc/zuul-ca':
    ensure  => directory,
    owner   => 'root',
    group   => 'puppet',
    mode    => '0640',
  }

  file { '/etc/zuul-ca/openssl.cnf':
    ensure  => present,
    owner   => 'root',
    group   => 'puppet',
    mode    => '0640',
    source  => 'puppet:///modules/openstack_project/puppetmaster/zuul_ca.cnf',
    require => File['/etc/zuul-ca'],
  }

  file { '/etc/zuul-ca/certs':
    ensure  => directory,
    owner   => 'root',
    group   => 'puppet',
    mode    => '0640',
    require => File['/etc/zuul-ca'],
  }

  file { '/etc/zuul-ca/crl':
    ensure  => directory,
    owner   => 'root',
    group   => 'puppet',
    mode    => '0640',
    require => File['/etc/zuul-ca'],
  }

  file { '/etc/zuul-ca/newcerts':
    ensure  => directory,
    owner   => 'root',
    group   => 'puppet',
    mode    => '0640',
    require => File['/etc/zuul-ca'],
  }

  file { '/etc/zuul-ca/private':
    ensure  => directory,
    owner   => 'root',
    group   => 'puppet',
    mode    => '0640',
    require => File['/etc/zuul-ca'],
  }
}
Cleanup openstack_project manifest lint errors. Now with extra unwrap! Change-Id: I7c622ffa77821f33f911793fc6b6cdaaba37904a Reviewed-on: https://review.openstack.org/15052 Reviewed-by: Clark Boylan <clark.boylan@gmail.com> Approved: Jeremy Stanley <fungi@yuggoth.org> Reviewed-by: Jeremy Stanley <fungi@yuggoth.org> Tested-by: Jenkins 2012-11-15 14:25:13 -08:00			`# == Class: openstack_project::puppetmaster`
			`#`
Pass sysadmins list into node defs. Pass the sysadmins list into each node definition. This allows us to retrieve the data from hiera rather than hard coding it in the puppet manifests. Also, update test script to use bogus sysadmin data when testing. Change-Id: Ide3560f16bce4d66fb95cc5021fc879476e6a712 Reviewed-on: https://review.openstack.org/12512 Reviewed-by: James E. Blair <corvus@inaugust.com> Approved: Monty Taylor <mordred@inaugust.com> Reviewed-by: Monty Taylor <mordred@inaugust.com> Tested-by: Jenkins 2012-09-06 10:32:48 -07:00			`class openstack_project::puppetmaster (`
Default to a bogus rsa key on puppetmaster This allows rapid testing with 'include o_p:puppetmaster' and lines up with the instructions in doc/source/puppet.rst Change-Id: I9bd30bedefef24e2691d851e038a02864eca45ab 2015-03-10 19:35:23 -07:00			`$root_rsa_key = 'xxx',`
Pass sysadmins list into node defs. Pass the sysadmins list into each node definition. This allows us to retrieve the data from hiera rather than hard coding it in the puppet manifests. Also, update test script to use bogus sysadmin data when testing. Change-Id: Ide3560f16bce4d66fb95cc5021fc879476e6a712 Reviewed-on: https://review.openstack.org/12512 Reviewed-by: James E. Blair <corvus@inaugust.com> Approved: Monty Taylor <mordred@inaugust.com> Reviewed-by: Monty Taylor <mordred@inaugust.com> Tested-by: Jenkins 2012-09-06 10:32:48 -07:00			`) {`
Add some system logging to run_all When we want to watch run_all happen, it's hard, because there is no logging. To fix that - make there be some logging. Then, rotate the logs. Change-Id: I0eed7aeeec0ff21e58d57d6385cc59b74bbf31fb 2014-04-18 13:53:36 -07:00			`include logrotate`
Add keys and script for puppet over ssh In anticipation of driving puppet over ssh, we need keys on the hosts and the scripts on the master. Don't turn them on yet, because we want to be able to do some by-hand testing of the mechanism. Change-Id: I2c353777e2f8fb5a2e733ce405ba40427ce901e5 2014-03-17 04:01:33 -04:00
Run cloud-launcher every hour on puppetmaster.o.o Create a wrapper script and crontab entry on puppetmaster. Change-Id: Ida2a86d13731c40141163d43236b9856d227e5af Signed-off-by: Paul Belanger <pabelanger@redhat.com> 2017-04-17 17:27:06 -04:00			`cron { 'updatecloudlauncher':`
Stop running puppet from puppetmaster Bridge can run puppet on the remote hosts. Stop running on puppetmaster so that we can run from bridge. Put it in the disabled group so that we don't try to run puppet on it from bridge. Change-Id: Ibcfa7e902c07c55e3a84f8232a11792c5f7d80e9 2018-08-11 07:23:27 -05:00			`ensure => absent,`
Run cloud-launcher every hour on puppetmaster.o.o Create a wrapper script and crontab entry on puppetmaster. Change-Id: Ida2a86d13731c40141163d43236b9856d227e5af Signed-off-by: Paul Belanger <pabelanger@redhat.com> 2017-04-17 17:27:06 -04:00			`}`

Rotate cloud launcher log files Change-Id: I6aa9b6fee2dfffb0f1e2909a346065b8a60aec60 2018-01-25 11:00:00 +11:00			`logrotate::file { 'updatecloudlauncher':`
			`ensure => present,`
			`log => '/var/log/puppet_run_cloud_launcher.log',`
			`options => ['compress',`
			`'copytruncate',`
			`'delaycompress',`
			`'missingok',`
			`'rotate 7',`
			`'daily',`
			`'notifempty',`
			`],`
			`}`

Create ci-launch directory on the puppetmaster. While credentials for clouds are uploaded by hand, the place they are put is constant and has one correct setting for mode and owner, so lets automate it. Change-Id: I98ce4493c260f97c3ac1028d7065536178760d72 2013-08-30 15:41:46 +12:00			`# Cloud credentials are stored in this directory for launch-node.py.`
			`file { '/root/ci-launch':`
			`ensure => directory,`
			`owner => 'root',`
Make ci-launch directory readable by admin users Commit 5ae5e6cc added puppetry for /root/ci-launch on the Puppet master server, but set permissions on it too restrictive for users launching new servers to be able to read the files within it. * launch/README: Note that the user following these directions should also be in the admin group. * modules/openstack_project/manifests/puppetmaster.pp: Set group ownership of /root/ci-launch to admin so members of that group will be able to read the files within it. Change-Id: I6c657eb4311b27ce329f249df3e60c2b902677ae 2013-09-13 18:52:59 +00:00			`group => 'admin',`
Create ci-launch directory on the puppetmaster. While credentials for clouds are uploaded by hand, the place they are put is constant and has one correct setting for mode and owner, so lets automate it. Change-Id: I98ce4493c260f97c3ac1028d7065536178760d72 2013-08-30 15:41:46 +12:00			`mode => '0750',`
Manage clouds.yaml on puppetmaster with puppet For launch_node and for ansible-inventory we need a functioning clouds.yaml file. The file should really just contain the entries we actually need, becuase we don't want to be listing all the hosts in nodepool. However, we do want ALL of the entries available, so the all-clouds template has them all there. Not sure where we want that file to go though. Change-Id: Ibee80f9a4d8f159a626e2b4c2e9639134a559ae4 2015-11-25 12:13:47 -05:00			`}`

Add a node for artifact signing jobs Create the signing01.ci.openstack.org job node and puppet the signing subkey onto it via pubring.gpg and secring.gpg files stored in private hiera. Also set up some basic configuration and packages on the management bastion to aid in key management/rotation, and add the beginnings of administrative documentation for this. Change-Id: Iecddb778994a38f7898e0c20e7f3f8e93f0a7f60 Depends-On: I70c3b82185681ee64791cda653360c26a93bd466 Story: #2000336 Signed-off-by: Jeremy Stanley <fungi@yuggoth.org> 2016-06-22 23:29:17 +00:00			`# For signing key management`
			`package { 'gnupg':`
			`ensure => present,`
			`}`
			`package { 'gnupg-curl':`
			`ensure => present,`
			`}`
			`file { '/root/signing.gnupg':`
			`ensure => directory,`
			`owner => 'root',`
			`group => 'root',`
			`mode => '0700',`
			`}`
			`file { '/root/signing.gnupg/gpg.conf':`
			`ensure => present,`
			`owner => 'root',`
			`group => 'root',`
			`mode => '0400',`
			`source => 'puppet:///modules/openstack_project/puppetmaster/signing.conf',`
			`require => File['/root/signing.gnupg'],`
			`}`
			`file { '/root/signing.gnupg/sks-keyservers.netCA.pem':`
			`ensure => present,`
			`owner => 'root',`
			`group => 'root',`
			`mode => '0400',`
			`source => 'puppet:///modules/openstack_project/puppetmaster/sks-ca.pem',`
			`require => File['/root/signing.gnupg'],`
			`}`

Add CA service to puppetmaster.o.o for zuul We want to start encrypting our gearman traffic for zuulv3, as such we'll need to bring online a CA service. The idea here, is we create a new CA for each interconnecting service we want SSL certs for. As an example /etc/zuul-ca will be used to generate SSL certs for our gearman service. Change-Id: I8c341559292c78d5428fe16837f28494a76e65db Signed-off-by: Paul Belanger <pabelanger@redhat.com> Co-Authored-By: Jeremy Stanley <fungi@yuggoth.org> 2017-06-14 11:51:56 -04:00			`# Certificate Authority for zuul services.`
			`file { '/etc/zuul-ca':`
			`ensure => directory,`
			`owner => 'root',`
			`group => 'puppet',`
			`mode => '0640',`
			`}`

			`file { '/etc/zuul-ca/openssl.cnf':`
			`ensure => present,`
			`owner => 'root',`
			`group => 'puppet',`
			`mode => '0640',`
			`source => 'puppet:///modules/openstack_project/puppetmaster/zuul_ca.cnf',`
			`require => File['/etc/zuul-ca'],`
			`}`

			`file { '/etc/zuul-ca/certs':`
			`ensure => directory,`
			`owner => 'root',`
			`group => 'puppet',`
			`mode => '0640',`
			`require => File['/etc/zuul-ca'],`
			`}`

			`file { '/etc/zuul-ca/crl':`
			`ensure => directory,`
			`owner => 'root',`
			`group => 'puppet',`
			`mode => '0640',`
			`require => File['/etc/zuul-ca'],`
			`}`

			`file { '/etc/zuul-ca/newcerts':`
			`ensure => directory,`
			`owner => 'root',`
			`group => 'puppet',`
			`mode => '0640',`
			`require => File['/etc/zuul-ca'],`
			`}`

			`file { '/etc/zuul-ca/private':`
			`ensure => directory,`
			`owner => 'root',`
			`group => 'puppet',`
			`mode => '0640',`
			`require => File['/etc/zuul-ca'],`
			`}`
Make a class for each type of server. Change-Id: I520b77a4d83958a6a1c2472e87b28f6b8822d890 2012-07-20 19:38:57 -07:00			`}`