System configuration for OpenStack Infrastructure


  1. #
  2. # Top-level variables
  3. #
  4. # There must not be any whitespace between this comment and the variables or
  5. # in between any two variables in order for them to be correctly parsed and
  6. # passed around in test.sh
  7. #
  8. # Note we do not do a hiera lookup here as we set $group on a per node basis
  9. # and that must be set before we can do hiera lookups. Doing a hiera lookup
  10. # here would fail to find any group specific info.
# Hostnames of the Elasticsearch cluster members. This list is passed as
# discover_nodes to openstack_project::elasticsearch_node in the elasticsearch
# node definition. The logstash node definition carries its own copy of these
# six hosts (with :9200 appended), so both lists have to be edited together.
$elasticsearch_nodes = [
  "elasticsearch02.openstack.org",
  "elasticsearch03.openstack.org",
  "elasticsearch04.openstack.org",
  "elasticsearch05.openstack.org",
  "elasticsearch06.openstack.org",
  "elasticsearch07.openstack.org",
]
  19. #
  20. # Default: should at least behave like an openstack server
  21. #
  22. node default {
  23. class { 'openstack_project::server':
  24. }
  25. }
  26. # Node-OS: xenial
  27. # Puppet-Version: !3
  28. node /^grafana\d*\.open.*\.org$/ {
  29. $group = "grafana"
  30. class { 'openstack_project::server': }
  31. class { 'openstack_project::grafana':
  32. admin_password => hiera('grafana_admin_password'),
  33. admin_user => hiera('grafana_admin_user', 'username'),
  34. mysql_host => hiera('grafana_mysql_host', 'localhost'),
  35. mysql_name => hiera('grafana_mysql_name'),
  36. mysql_password => hiera('grafana_mysql_password'),
  37. mysql_user => hiera('grafana_mysql_user', 'username'),
  38. project_config_repo => 'https://opendev.org/openstack/project-config',
  39. secret_key => hiera('grafana_secret_key'),
  40. }
  41. }
  42. # Node-OS: xenial
  43. node /^health\d*\.openstack\.org$/ {
  44. $group = "health"
  45. class { 'openstack_project::server': }
  46. class { 'openstack_project::openstack_health_api':
  47. subunit2sql_db_host => hiera('subunit2sql_db_host', 'localhost'),
  48. hostname => 'health.openstack.org',
  49. }
  50. }
  51. # Node-OS: xenial
  52. node /^cacti\d+\.open.*\.org$/ {
  53. $group = "cacti"
  54. include openstack_project::ssl_cert_check
  55. class { 'openstack_project::cacti':
  56. cacti_hosts => hiera_array('cacti_hosts'),
  57. vhost_name => 'cacti.openstack.org',
  58. }
  59. }
  60. # Node-OS: xenial
  61. node /^graphite\d*\.open.*\.org$/ {
  62. class { 'openstack_project::server': }
  63. class { '::graphite':
  64. graphite_admin_user => hiera('graphite_admin_user', 'username'),
  65. graphite_admin_email => hiera('graphite_admin_email', 'email@example.com'),
  66. graphite_admin_password => hiera('graphite_admin_password'),
  67. # NOTE(ianw): installed on the host via ansible
  68. ssl_cert_file => '/etc/letsencrypt-certs/graphite01.opendev.org/graphite01.opendev.org.cer',
  69. ssl_key_file => '/etc/letsencrypt-certs/graphite01.opendev.org/graphite01.opendev.org.key',
  70. ssl_chain_file => '/etc/letsencrypt-certs/graphite01.opendev.org/ca.cer',
  71. }
  72. }
  73. # Node-OS: xenial
  74. node /^lists\d*\.open.*\.org$/ {
  75. class { 'openstack_project::server': }
  76. class { 'openstack_project::lists':
  77. listpassword => hiera('listpassword'),
  78. }
  79. }
  80. # Node-OS: xenial
  81. node /^lists\d*\.katacontainers\.io$/ {
  82. class { 'openstack_project::server': }
  83. class { 'openstack_project::kata_lists':
  84. listpassword => hiera('listpassword'),
  85. }
  86. }
  87. # Node-OS: xenial
  88. node /^paste\d*\.open.*\.org$/ {
  89. $group = "paste"
  90. class { 'openstack_project::server': }
  91. class { 'openstack_project::paste':
  92. db_password => hiera('paste_db_password'),
  93. db_host => hiera('paste_db_host'),
  94. vhost_name => 'paste.openstack.org',
  95. }
  96. }
  97. # Node-OS: xenial
  98. node /planet\d*\.open.*\.org$/ {
  99. class { 'openstack_project::planet':
  100. }
  101. }
  102. # Node-OS: xenial
  103. node /^eavesdrop\d*\.open.*\.org$/ {
  104. $group = "eavesdrop"
  105. class { 'openstack_project::server': }
  106. class { 'openstack_project::eavesdrop':
  107. project_config_repo => 'https://opendev.org/openstack/project-config',
  108. nickpass => hiera('openstack_meetbot_password'),
  109. statusbot_nick => hiera('statusbot_nick', 'username'),
  110. statusbot_password => hiera('statusbot_nick_password'),
  111. statusbot_server => 'chat.freenode.net',
  112. statusbot_channels => hiera_array('statusbot_channels', ['openstack_infra']),
  113. statusbot_auth_nicks => hiera_array('statusbot_auth_nicks'),
  114. statusbot_wiki_user => hiera('statusbot_wiki_username', 'username'),
  115. statusbot_wiki_password => hiera('statusbot_wiki_password'),
  116. statusbot_wiki_url => 'https://wiki.openstack.org/w/api.php',
  117. # https://wiki.openstack.org/wiki/Infrastructure_Status
  118. statusbot_wiki_pageid => '1781',
  119. statusbot_wiki_successpageid => '7717',
  120. statusbot_wiki_successpageurl => 'https://wiki.openstack.org/wiki/Successes',
  121. statusbot_wiki_thankspageid => '37700',
  122. statusbot_wiki_thankspageurl => 'https://wiki.openstack.org/wiki/Thanks',
  123. statusbot_irclogs_url => 'http://eavesdrop.openstack.org/irclogs/%(chan)s/%(chan)s.%(date)s.log.html',
  124. statusbot_twitter => true,
  125. statusbot_twitter_key => hiera('statusbot_twitter_key'),
  126. statusbot_twitter_secret => hiera('statusbot_twitter_secret'),
  127. statusbot_twitter_token_key => hiera('statusbot_twitter_token_key'),
  128. statusbot_twitter_token_secret => hiera('statusbot_twitter_token_secret'),
  129. accessbot_nick => hiera('accessbot_nick', 'username'),
  130. accessbot_password => hiera('accessbot_nick_password'),
  131. meetbot_channels => hiera('meetbot_channels', ['openstack-infra']),
  132. ptgbot_nick => hiera('ptgbot_nick', 'username'),
  133. ptgbot_password => hiera('ptgbot_password'),
  134. }
  135. }
  136. # Node-OS: xenial
  137. node /^ethercalc\d+\.open.*\.org$/ {
  138. $group = "ethercalc"
  139. class { 'openstack_project::server': }
  140. class { 'openstack_project::ethercalc':
  141. vhost_name => 'ethercalc.openstack.org',
  142. ssl_cert_file_contents => hiera('ssl_cert_file_contents'),
  143. ssl_key_file_contents => hiera('ssl_key_file_contents'),
  144. ssl_chain_file_contents => hiera('ssl_chain_file_contents'),
  145. }
  146. }
  147. # Node-OS: xenial
  148. node /^etherpad\d*\.open.*\.org$/ {
  149. $group = "etherpad"
  150. class { 'openstack_project::server': }
  151. class { 'openstack_project::etherpad':
  152. vhost_name => 'etherpad.openstack.org',
  153. ssl_cert_file_contents => hiera('etherpad_ssl_cert_file_contents'),
  154. ssl_key_file_contents => hiera('etherpad_ssl_key_file_contents'),
  155. ssl_chain_file_contents => hiera('etherpad_ssl_chain_file_contents'),
  156. mysql_host => hiera('etherpad_db_host', 'localhost'),
  157. mysql_user => hiera('etherpad_db_user', 'username'),
  158. mysql_password => hiera('etherpad_db_password'),
  159. }
  160. }
  161. # Node-OS: xenial
  162. node /^etherpad-dev\d*\.open.*\.org$/ {
  163. $group = "etherpad-dev"
  164. class { 'openstack_project::server': }
  165. class { 'openstack_project::etherpad_dev':
  166. vhost_name => 'etherpad-dev.openstack.org',
  167. mysql_host => hiera('etherpad-dev_db_host', 'localhost'),
  168. mysql_user => hiera('etherpad-dev_db_user', 'username'),
  169. mysql_password => hiera('etherpad-dev_db_password'),
  170. }
  171. }
  172. # Node-OS: xenial
  173. node /^wiki\d+\.openstack\.org$/ {
  174. $group = "wiki"
  175. class { 'openstack_project::wiki':
  176. bup_user => 'bup-wiki',
  177. serveradmin => hiera('infra_apache_serveradmin'),
  178. site_hostname => 'wiki.openstack.org',
  179. ssl_cert_file_contents => hiera('ssl_cert_file_contents'),
  180. ssl_key_file_contents => hiera('ssl_key_file_contents'),
  181. ssl_chain_file_contents => hiera('ssl_chain_file_contents'),
  182. wg_dbserver => hiera('wg_dbserver'),
  183. wg_dbname => 'openstack_wiki',
  184. wg_dbuser => 'wikiuser',
  185. wg_dbpassword => hiera('wg_dbpassword'),
  186. wg_secretkey => hiera('wg_secretkey'),
  187. wg_upgradekey => hiera('wg_upgradekey'),
  188. wg_recaptchasitekey => hiera('wg_recaptchasitekey'),
  189. wg_recaptchasecretkey => hiera('wg_recaptchasecretkey'),
  190. wg_googleanalyticsaccount => hiera('wg_googleanalyticsaccount'),
  191. }
  192. }
  193. # Node-OS: xenial
  194. node /^wiki-dev\d+\.openstack\.org$/ {
  195. $group = "wiki-dev"
  196. class { 'openstack_project::wiki':
  197. serveradmin => hiera('infra_apache_serveradmin'),
  198. site_hostname => 'wiki-dev.openstack.org',
  199. wg_dbserver => hiera('wg_dbserver'),
  200. wg_dbname => 'openstack_wiki',
  201. wg_dbuser => 'wikiuser',
  202. wg_dbpassword => hiera('wg_dbpassword'),
  203. wg_secretkey => hiera('wg_secretkey'),
  204. wg_upgradekey => hiera('wg_upgradekey'),
  205. wg_recaptchasitekey => hiera('wg_recaptchasitekey'),
  206. wg_recaptchasecretkey => hiera('wg_recaptchasecretkey'),
  207. disallow_robots => true,
  208. }
  209. }
  210. # Node-OS: xenial
  211. node /^logstash\d*\.open.*\.org$/ {
  212. class { 'openstack_project::server': }
  213. class { 'openstack_project::logstash':
  214. discover_nodes => [
  215. 'elasticsearch03.openstack.org:9200',
  216. 'elasticsearch04.openstack.org:9200',
  217. 'elasticsearch05.openstack.org:9200',
  218. 'elasticsearch06.openstack.org:9200',
  219. 'elasticsearch07.openstack.org:9200',
  220. 'elasticsearch02.openstack.org:9200',
  221. ],
  222. subunit2sql_db_host => hiera('subunit2sql_db_host', ''),
  223. subunit2sql_db_pass => hiera('subunit2sql_db_password', ''),
  224. }
  225. }
  226. # Node-OS: xenial
  227. node /^logstash-worker\d+\.open.*\.org$/ {
  228. $group = 'logstash-worker'
  229. class { 'openstack_project::server': }
  230. class { 'openstack_project::logstash_worker':
  231. discover_node => 'elasticsearch03.openstack.org',
  232. enable_mqtt => false,
  233. mqtt_password => hiera('mqtt_service_user_password'),
  234. mqtt_ca_cert_contents => hiera('mosquitto_tls_ca_file'),
  235. }
  236. }
  237. # Node-OS: xenial
  238. node /^subunit-worker\d+\.open.*\.org$/ {
  239. $group = "subunit-worker"
  240. class { 'openstack_project::server': }
  241. class { 'openstack_project::subunit_worker':
  242. subunit2sql_db_host => hiera('subunit2sql_db_host', ''),
  243. subunit2sql_db_pass => hiera('subunit2sql_db_password', ''),
  244. mqtt_pass => hiera('mqtt_service_user_password'),
  245. mqtt_ca_cert_contents => hiera('mosquitto_tls_ca_file'),
  246. }
  247. }
  248. # Node-OS: xenial
  249. node /^elasticsearch\d+\.open.*\.org$/ {
  250. $group = "elasticsearch"
  251. class { 'openstack_project::server': }
  252. class { 'openstack_project::elasticsearch_node':
  253. discover_nodes => $elasticsearch_nodes,
  254. }
  255. }
  256. # Node-OS: xenial
  257. node /^firehose\d+\.open.*\.org$/ {
  258. class { 'openstack_project::server': }
  259. class { 'openstack_project::firehose':
  260. gerrit_ssh_host_key => hiera('gerrit_ssh_rsa_pubkey_contents'),
  261. gerrit_public_key => hiera('germqtt_gerrit_ssh_public_key'),
  262. gerrit_private_key => hiera('germqtt_gerrit_ssh_private_key'),
  263. mqtt_password => hiera('mqtt_service_user_password'),
  264. ca_file => hiera('mosquitto_tls_ca_file'),
  265. cert_file => hiera('mosquitto_tls_server_cert_file'),
  266. key_file => hiera('mosquitto_tls_server_key_file'),
  267. imap_hostname => hiera('lpmqtt_imap_server'),
  268. imap_username => hiera('lpmqtt_imap_username'),
  269. imap_password => hiera('lpmqtt_imap_password'),
  270. statsd_host => 'graphite.opendev.org',
  271. }
  272. }
  273. # A machine to drive AFS mirror updates.
  274. # Node-OS: xenial
  275. node /^mirror-update\d*\.open.*\.org$/ {
  276. $group = "afsadmin"
  277. class { 'openstack_project::mirror_update':
  278. admin_keytab => hiera('afsadmin_keytab'),
  279. fedora_keytab => hiera('fedora_keytab'),
  280. opensuse_keytab => hiera('opensuse_keytab'),
  281. reprepro_keytab => hiera('reprepro_keytab'),
  282. gem_keytab => hiera('gem_keytab'),
  283. centos_keytab => hiera('centos_keytab'),
  284. epel_keytab => hiera('epel_keytab'),
  285. yum_puppetlabs_keytab => hiera('yum_puppetlabs_keytab'),
  286. }
  287. }
  288. # Machines in each region to serve AFS mirrors.
  289. # Node-OS: xenial
  290. node /^mirror\d*\..*\.open.*\.org$/ {
  291. $group = "mirror"
  292. class { 'openstack_project::server':
  293. afs => true,
  294. afs_cache_size => 50000000, # 50GB
  295. }
  296. class { 'openstack_project::mirror':
  297. vhost_name => $::fqdn,
  298. require => Class['Openstack_project::Server'],
  299. }
  300. }
  301. # Node-OS: trusty
  302. # Node-OS: xenial
  303. node /^refstack\d*\.open.*\.org$/ {
  304. class { 'openstack_project::server': }
  305. class { 'refstack':
  306. mysql_host => hiera('refstack_mysql_host', 'localhost'),
  307. mysql_database => hiera('refstack_mysql_db_name', 'refstack'),
  308. mysql_user => hiera('refstack_mysql_user', 'refstack'),
  309. mysql_user_password => hiera('refstack_mysql_password'),
  310. ssl_cert_content => hiera('refstack_ssl_cert_file_contents'),
  311. ssl_cert => '/etc/ssl/certs/refstack.pem',
  312. ssl_key_content => hiera('refstack_ssl_key_file_contents'),
  313. ssl_key => '/etc/ssl/private/refstack.key',
  314. ssl_ca_content => hiera('refstack_ssl_chain_file_contents'),
  315. ssl_ca => '/etc/ssl/certs/refstack.ca.pem',
  316. protocol => 'https',
  317. }
  318. mysql_backup::backup_remote { 'refstack':
  319. database_host => hiera('refstack_mysql_host', 'localhost'),
  320. database_user => hiera('refstack_mysql_user', 'refstack'),
  321. database_password => hiera('refstack_mysql_password'),
  322. require => Class['::refstack'],
  323. }
  324. }
  325. # A machine to run Storyboard
  326. # Node-OS: xenial
  327. node /^storyboard\d+\.opendev\.org$/ {
  328. $group = "storyboard"
  329. class { 'openstack_project::storyboard':
  330. project_config_repo => 'https://opendev.org/openstack/project-config',
  331. mysql_host => hiera('storyboard_db_host', 'localhost'),
  332. mysql_user => hiera('storyboard_db_user', 'username'),
  333. mysql_password => hiera('storyboard_db_password'),
  334. rabbitmq_user => hiera('storyboard_rabbit_user', 'username'),
  335. rabbitmq_password => hiera('storyboard_rabbit_password'),
  336. ssl_cert => '/etc/ssl/certs/storyboard.openstack.org.pem',
  337. ssl_cert_file_contents => hiera('storyboard_ssl_cert_file_contents'),
  338. ssl_key => '/etc/ssl/private/storyboard.openstack.org.key',
  339. ssl_key_file_contents => hiera('storyboard_ssl_key_file_contents'),
  340. ssl_chain_file_contents => hiera('storyboard_ssl_chain_file_contents'),
  341. hostname => 'storyboard.openstack.org',
  342. valid_oauth_clients => ['storyboard.openstack.org',],
  343. cors_allowed_origins => ['https://storyboard.openstack.org',],
  344. sender_email_address => 'storyboard@storyboard.openstack.org',
  345. default_url => 'https://storyboard.openstack.org',
  346. }
  347. }
  348. # A machine to run Storyboard devel
  349. # Node-OS: xenial
  350. node /^storyboard-dev\d+\.opendev\.org$/ {
  351. $group = "storyboard-dev"
  352. class { 'openstack_project::storyboard::dev':
  353. project_config_repo => 'https://opendev.org/openstack/project-config',
  354. mysql_host => hiera('storyboard_db_host', 'localhost'),
  355. mysql_user => hiera('storyboard_db_user', 'username'),
  356. mysql_password => hiera('storyboard_db_password'),
  357. rabbitmq_user => hiera('storyboard_rabbit_user', 'username'),
  358. rabbitmq_password => hiera('storyboard_rabbit_password'),
  359. hostname => 'storyboard-dev.openstack.org',
  360. valid_oauth_clients => ['^.*',],
  361. cors_allowed_origins => ['^.*',],
  362. sender_email_address => 'storyboard-dev@storyboard-dev.openstack.org',
  363. default_url => 'https://storyboard-dev.openstack.org',
  364. }
  365. }
  366. # Node-OS: xenial
  367. node /^zk\d+\.open.*\.org$/ {
  368. # We use IP addresses here so that zk listens on the public facing addresses
  369. # allowing cluster members to talk to each other. Without this they listen
  370. # on 127.0.1.1 because that is what we have in /etc/hosts for
  371. # zk0X.openstack.org.
  372. $zk_cluster_members = [
  373. '23.253.236.126', # zk01
  374. '172.99.117.32', # zk02
  375. '23.253.90.246', # zk03
  376. ]
  377. class { 'openstack_project::server': }
  378. class { '::zookeeper':
  379. # ID needs to be numeric, so we use regex to extra numbers from fqdn.
  380. id => regsubst($::fqdn, '^zk(\d+)\.open.*\.org$', '\1'),
  381. # The frequency in hours to look for and purge old snapshots,
  382. # defaults to 0 (disabled). The number of retained snapshots can
  383. # be separately controlled through snap_retain_count and
  384. # defaults to the minimum value of 3. This will quickly fill the
  385. # disk in production if not enabled. Works on ZK >=3.4.
  386. purge_interval => 6,
  387. servers => $zk_cluster_members,
  388. }
  389. }
  390. # A machine to serve various project status updates.
  391. # Node-OS: xenial
  392. node /^status\d*\.open.*\.org$/ {
  393. $group = 'status'
  394. class { 'openstack_project::server': }
  395. class { 'openstack_project::status':
  396. gerrit_host => 'review.opendev.org',
  397. gerrit_ssh_host_key => hiera('gerrit_ssh_rsa_pubkey_contents'),
  398. reviewday_ssh_public_key => hiera('reviewday_rsa_pubkey_contents'),
  399. reviewday_ssh_private_key => hiera('reviewday_rsa_key_contents'),
  400. recheck_ssh_public_key => hiera('elastic-recheck_gerrit_ssh_public_key'),
  401. recheck_ssh_private_key => hiera('elastic-recheck_gerrit_ssh_private_key'),
  402. recheck_bot_nick => 'openstackrecheck',
  403. recheck_bot_passwd => hiera('elastic-recheck_ircbot_password'),
  404. }
  405. }
  406. # Node-OS: xenial
  407. node /^survey\d+\.open.*\.org$/ {
  408. $group = "survey"
  409. class { 'openstack_project::server': }
  410. class { 'openstack_project::survey':
  411. vhost_name => 'survey.openstack.org',
  412. auth_openid => true,
  413. ssl_cert_file_contents => hiera('ssl_cert_file_contents'),
  414. ssl_key_file_contents => hiera('ssl_key_file_contents'),
  415. ssl_chain_file_contents => hiera('ssl_chain_file_contents'),
  416. dbpassword => hiera('dbpassword'),
  417. dbhost => hiera('dbhost'),
  418. adminuser => hiera('adminuser'),
  419. adminpass => hiera('adminpass'),
  420. adminmail => hiera('adminmail'),
  421. }
  422. }
  423. # Node-OS: xenial
  424. node /^nl\d+\.open.*\.org$/ {
  425. $group = 'nodepool'
  426. # NOTE(ianw) From 09-2018 (https://review.opendev.org/#/c/598329/)
  427. # the cloud credentials are deployed with ansible via the
  428. # configure-openstacksdk role and are no longer configured here
  429. class { 'openstack_project::server': }
  430. include openstack_project
  431. class { '::openstackci::nodepool_launcher':
  432. nodepool_ssh_private_key => hiera('zuul_worker_ssh_private_key_contents'),
  433. project_config_repo => 'https://opendev.org/openstack/project-config',
  434. statsd_host => 'graphite.opendev.org',
  435. revision => 'master',
  436. python_version => 3,
  437. enable_webapp => true,
  438. }
  439. }
  440. # Node-OS: xenial
  441. node /^nb\d+\.open.*\.org$/ {
  442. $group = 'nodepool'
  443. class { 'openstack_project::server': }
  444. include openstack_project
  445. class { '::openstackci::nodepool_builder':
  446. nodepool_ssh_public_key => hiera('zuul_worker_ssh_public_key_contents'),
  447. vhost_name => $::fqdn,
  448. enable_build_log_via_http => true,
  449. project_config_repo => 'https://opendev.org/openstack/project-config',
  450. statsd_host => 'graphite.opendev.org',
  451. upload_workers => '16',
  452. revision => 'master',
  453. python_version => 3,
  454. zuulv3 => true,
  455. ssl_cert_file => '/etc/ssl/certs/ssl-cert-snakeoil.pem',
  456. ssl_key_file => '/etc/ssl/private/ssl-cert-snakeoil.key',
  457. }
  458. cron { 'mirror_gitgc':
  459. user => 'nodepool',
  460. hour => '20',
  461. minute => '0',
  462. command => 'find /opt/dib_cache/source-repositories/ -type d -name "*.git" -exec git --git-dir="{}" gc \; >/dev/null',
  463. environment => 'PATH=/usr/bin:/bin:/usr/sbin:/sbin',
  464. require => Class['::openstackci::nodepool_builder'],
  465. }
  466. }
  467. # Node-OS: xenial
  468. node /^ze\d+\.open.*\.org$/ {
  469. $group = "zuul-executor"
  470. $gerrit_server = 'review.opendev.org'
  471. $gerrit_user = 'zuul'
  472. $gerrit_ssh_host_key = hiera('gerrit_ssh_rsa_pubkey_contents')
  473. $gerrit_ssh_private_key = hiera('gerrit_ssh_private_key_contents')
  474. $zuul_ssh_private_key = hiera('zuul_ssh_private_key_contents')
  475. $zuul_static_private_key = hiera('jenkins_ssh_private_key_contents')
  476. $git_email = 'zuul@openstack.org'
  477. $git_name = 'OpenStack Zuul'
  478. $revision = 'master'
  479. class { 'openstack_project::server':
  480. afs => true,
  481. }
  482. class { '::project_config':
  483. url => 'https://opendev.org/openstack/project-config',
  484. }
  485. # We use later HWE kernels for better memory managment, requiring an
  486. # updated AFS version which we install from our custom ppa.
  487. include ::apt
  488. apt::ppa { 'ppa:openstack-ci-core/openafs-amd64-hwe': }
  489. package { 'linux-generic-hwe-16.04':
  490. ensure => present,
  491. require => [
  492. Apt::Ppa['ppa:openstack-ci-core/openafs-amd64-hwe'],
  493. Class['apt::update'],
  494. ],
  495. }
  496. # Skopeo is required for pushing/pulling from the intermediate
  497. # registry, and is available in the projectatomic ppa.
  498. apt::ppa { 'ppa:projectatomic/ppa': }
  499. package { 'skopeo':
  500. ensure => present,
  501. require => [
  502. Apt::Ppa['ppa:projectatomic/ppa'],
  503. Class['apt::update'],
  504. ],
  505. }
  506. # Socat is also required for pushing/pulling images
  507. package { 'socat':
  508. ensure => present,
  509. require => [
  510. Class['apt::update'],
  511. ],
  512. }
  513. # NOTE(pabelanger): We call ::zuul directly, so we can override all in one
  514. # settings.
  515. class { '::zuul':
  516. gearman_server => 'zuul01.openstack.org',
  517. gerrit_server => $gerrit_server,
  518. gerrit_user => $gerrit_user,
  519. zuul_ssh_private_key => $gerrit_ssh_private_key,
  520. git_email => $git_email,
  521. git_name => $git_name,
  522. worker_private_key_file => '/var/lib/zuul/ssh/nodepool_id_rsa',
  523. revision => $revision,
  524. python_version => 3,
  525. zookeeper_hosts => 'zk01.openstack.org:2181,zk02.openstack.org:2181,zk03.openstack.org:2181',
  526. zuulv3 => true,
  527. connections => hiera('zuul_connections', []),
  528. connection_secrets => hiera('zuul_connection_secrets', []),
  529. gearman_client_ssl_cert => hiera('gearman_client_ssl_cert'),
  530. gearman_client_ssl_key => hiera('gearman_client_ssl_key'),
  531. gearman_ssl_ca => hiera('gearman_ssl_ca'),
  532. #TODO(pabelanger): Add openafs role for zuul-jobs to setup /etc/openafs
  533. # properly. We need to revisting this post Queens PTG.
  534. trusted_ro_paths => ['/etc/openafs', '/etc/ssl/certs', '/var/lib/zuul/ssh'],
  535. trusted_rw_paths => ['/afs'],
  536. untrusted_ro_paths => ['/etc/ssl/certs'],
  537. disk_limit_per_job => 5000, # Megabytes
  538. site_variables_yaml_file => $::project_config::zuul_site_variables_yaml,
  539. require => $::project_config::config_dir,
  540. statsd_host => 'graphite.opendev.org',
  541. }
  542. class { '::zuul::executor': }
  543. # This is used by the log job submission playbook which runs under
  544. # python2
  545. package { 'gear':
  546. ensure => latest,
  547. provider => openstack_pip,
  548. require => Class['pip'],
  549. }
  550. file { '/var/lib/zuul/ssh/nodepool_id_rsa':
  551. owner => 'zuul',
  552. group => 'zuul',
  553. mode => '0400',
  554. require => File['/var/lib/zuul/ssh'],
  555. content => $zuul_ssh_private_key,
  556. }
  557. file { '/var/lib/zuul/ssh/static_id_rsa':
  558. owner => 'zuul',
  559. group => 'zuul',
  560. mode => '0400',
  561. require => File['/var/lib/zuul/ssh'],
  562. content => $zuul_static_private_key,
  563. }
  564. class { '::zuul::known_hosts':
  565. known_hosts_content => "[review.opendev.org]:29418,[review.openstack.org]:29418,[104.130.246.32]:29418,[2001:4800:7819:103:be76:4eff:fe04:9229]:29418 ${gerrit_ssh_host_key}\n[git.opendaylight.org]:29418,[52.35.122.251]:29418,[2600:1f14:421:f500:7b21:2a58:ab0a:2d17]:29418 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyRXyHEw/P1iZr/fFFzbodT5orVV/ftnNRW59Zh9rnSY5Rmbc9aygsZHdtiWBERVVv8atrJSdZool75AglPDDYtPICUGWLR91YBSDcZwReh5S9es1dlQ6fyWTnv9QggSZ98KTQEuE3t/b5SfH0T6tXWmrNydv4J2/mejKRRLU2+oumbeVN1yB+8Uau/3w9/K5F5LgsDDzLkW35djLhPV8r0OfmxV/cAnLl7AaZlaqcJMA+2rGKqM3m3Yu+pQw4pxOfCSpejlAwL6c8tA9naOvBkuJk+hYpg5tDEq2QFGRX5y1F9xQpwpdzZROc5hdGYntM79VMMXTj+95dwVv/8yTsw==\n",
  566. }
  567. }
  568. # Node-OS: xenial
  569. node /^zuul\d+\.open.*\.org$/ {
  570. $group = "zuul-scheduler"
  571. $gerrit_server = 'review.opendev.org'
  572. $gerrit_user = 'zuul'
  573. $gerrit_ssh_host_key = hiera('gerrit_zuul_user_ssh_key_contents')
  574. $zuul_ssh_private_key = hiera('zuul_ssh_private_key_contents')
  575. $zuul_url = "http://zuul.openstack.org/p"
  576. $git_email = 'zuul@openstack.org'
  577. $git_name = 'OpenStack Zuul'
  578. $revision = 'master'
  579. class { 'openstack_project::server': }
  580. class { '::project_config':
  581. url => 'https://opendev.org/openstack/project-config',
  582. }
  583. # NOTE(pabelanger): We call ::zuul directly, so we can override all in one
  584. # settings.
  585. class { '::zuul':
  586. gerrit_server => $gerrit_server,
  587. gerrit_user => $gerrit_user,
  588. zuul_ssh_private_key => $zuul_ssh_private_key,
  589. git_email => $git_email,
  590. git_name => $git_name,
  591. revision => $revision,
  592. python_version => 3,
  593. zookeeper_hosts => 'zk01.openstack.org:2181,zk02.openstack.org:2181,zk03.openstack.org:2181',
  594. zookeeper_session_timeout => 40,
  595. zuulv3 => true,
  596. connections => hiera('zuul_connections', []),
  597. connection_secrets => hiera('zuul_connection_secrets', []),
  598. vhost_name => 'zuul.openstack.org',
  599. zuul_status_url => 'http://127.0.0.1:8001/openstack',
  600. zuul_web_url => 'http://127.0.0.1:9000',
  601. zuul_tenant_name => 'openstack',
  602. gearman_client_ssl_cert => hiera('gearman_client_ssl_cert'),
  603. gearman_client_ssl_key => hiera('gearman_client_ssl_key'),
  604. gearman_server_ssl_cert => hiera('gearman_server_ssl_cert'),
  605. gearman_server_ssl_key => hiera('gearman_server_ssl_key'),
  606. gearman_ssl_ca => hiera('gearman_ssl_ca'),
  607. proxy_ssl_cert_file_contents => hiera('zuul_ssl_cert_file_contents'),
  608. proxy_ssl_chain_file_contents => hiera('zuul_ssl_chain_file_contents'),
  609. proxy_ssl_key_file_contents => hiera('zuul_ssl_key_file_contents'),
  610. statsd_host => 'graphite.opendev.org',
  611. status_url => 'https://zuul.openstack.org',
  612. relative_priority => true,
  613. web_root => 'https://zuul.opendev.org',
  614. }
  615. file { "/etc/zuul/github.key":
  616. ensure => present,
  617. owner => 'zuul',
  618. group => 'zuul',
  619. mode => '0600',
  620. content => hiera('zuul_github_app_key'),
  621. require => File['/etc/zuul'],
  622. }
  623. class { '::zuul::scheduler':
  624. layout_dir => $::project_config::zuul_layout_dir,
  625. require => $::project_config::config_dir,
  626. python_version => 3,
  627. use_mysql => true,
  628. }
  629. class { '::zuul::web':
  630. # We manage backups below
  631. enable_status_backups => false,
  632. vhosts => {
  633. 'zuul.openstack.org' => {
  634. port => 443,
  635. docroot => '/opt/zuul-web/content',
  636. priority => '50',
  637. ssl => true,
  638. template => 'zuul/zuulv3.vhost.erb',
  639. vhost_name => 'zuul.openstack.org',
  640. },
  641. 'zuul.opendev.org' => {
  642. port => 443,
  643. docroot => '/opt/zuul-web/content',
  644. priority => '40',
  645. ssl => true,
  646. template => 'zuul/zuulv3.vhost.erb',
  647. vhost_name => 'zuul.opendev.org',
  648. },
  649. 'zuul.openstack.org-http' => {
  650. port => 80,
  651. docroot => '/opt/zuul-web/content',
  652. priority => '50',
  653. ssl => false,
  654. template => 'zuul/zuulv3.vhost.erb',
  655. vhost_name => 'zuul.openstack.org',
  656. },
  657. 'zuul.opendev.org-http' => {
  658. port => 80,
  659. docroot => '/opt/zuul-web/content',
  660. priority => '40',
  661. ssl => false,
  662. template => 'zuul/zuulv3.vhost.erb',
  663. vhost_name => 'zuul.opendev.org',
  664. },
  665. },
  666. vhosts_flags => {
  667. 'zuul.openstack.org' => {
  668. tenant_name => 'openstack',
  669. ssl => true,
  670. use_le => false,
  671. },
  672. 'zuul.opendev.org' => {
  673. tenant_name => '',
  674. ssl => true,
  675. use_le => true,
  676. },
  677. 'zuul.openstack.org-http' => {
  678. tenant_name => 'openstack',
  679. ssl => false,
  680. use_le => false,
  681. },
  682. 'zuul.opendev.org-http' => {
  683. tenant_name => '',
  684. ssl => false,
  685. use_le => false,
  686. },
  687. },
  688. vhosts_ssl => {
  689. 'zuul.openstack.org' => {
  690. ssl_cert_file_contents => hiera('zuul_ssl_cert_file_contents'),
  691. ssl_chain_file_contents => hiera('zuul_ssl_chain_file_contents'),
  692. ssl_key_file_contents => hiera('zuul_ssl_key_file_contents'),
  693. },
  694. },
  695. }
  696. zuul::status_backups { 'openstack-zuul-tenant':
  697. tenant_name => 'openstack',
  698. ssl => true,
  699. status_uri => 'https://zuul.opendev.org/api/tenant/openstack/status',
  700. }
  701. zuul::status_backups { 'kata-zuul-tenant':
  702. tenant_name => 'kata-containers',
  703. ssl => true,
  704. status_uri => 'https://zuul.opendev.org/api/tenant/kata-containers/status',
  705. }
  706. class { '::zuul::fingergw': }
  707. class { '::zuul::known_hosts':
  708. known_hosts_content => "[review.opendev.org]:29418,[review.openstack.org]:29418,[104.130.246.32]:29418,[2001:4800:7819:103:be76:4eff:fe04:9229]:29418 ${gerrit_ssh_host_key}\n[git.opendaylight.org]:29418,[52.35.122.251]:29418,[2600:1f14:421:f500:7b21:2a58:ab0a:2d17]:29418 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyRXyHEw/P1iZr/fFFzbodT5orVV/ftnNRW59Zh9rnSY5Rmbc9aygsZHdtiWBERVVv8atrJSdZool75AglPDDYtPICUGWLR91YBSDcZwReh5S9es1dlQ6fyWTnv9QggSZ98KTQEuE3t/b5SfH0T6tXWmrNydv4J2/mejKRRLU2+oumbeVN1yB+8Uau/3w9/K5F5LgsDDzLkW35djLhPV8r0OfmxV/cAnLl7AaZlaqcJMA+2rGKqM3m3Yu+pQw4pxOfCSpejlAwL6c8tA9naOvBkuJk+hYpg5tDEq2QFGRX5y1F9xQpwpdzZROc5hdGYntM79VMMXTj+95dwVv/8yTsw==\n",
  709. }
  710. include bup
  711. bup::site { 'rax.ord':
  712. backup_user => 'bup-zuulv3',
  713. backup_server => 'backup01.ord.rax.ci.openstack.org',
  714. }
  715. }
  716. # Node-OS: xenial
  717. node /^zm\d+.open.*\.org$/ {
  718. $group = "zuul-merger"
  719. $gerrit_server = 'review.opendev.org'
  720. $gerrit_user = 'zuul'
  721. $gerrit_ssh_host_key = hiera('gerrit_ssh_rsa_pubkey_contents')
  722. $zuul_ssh_private_key = hiera('zuulv3_ssh_private_key_contents')
  723. $zuul_url = "http://${::fqdn}/p"
  724. $git_email = 'zuul@openstack.org'
  725. $git_name = 'OpenStack Zuul'
  726. $revision = 'master'
  727. class { 'openstack_project::server': }
  728. # NOTE(pabelanger): We call ::zuul directly, so we can override all in one
  729. # settings.
  730. class { '::zuul':
  731. gearman_server => 'zuul01.openstack.org',
  732. gerrit_server => $gerrit_server,
  733. gerrit_user => $gerrit_user,
  734. zuul_ssh_private_key => $zuul_ssh_private_key,
  735. git_email => $git_email,
  736. git_name => $git_name,
  737. revision => $revision,
  738. python_version => 3,
  739. zookeeper_hosts => 'zk01.openstack.org:2181,zk02.openstack.org:2181,zk03.openstack.org:2181',
  740. zuulv3 => true,
  741. connections => hiera('zuul_connections', []),
  742. connection_secrets => hiera('zuul_connection_secrets', []),
  743. gearman_client_ssl_cert => hiera('gearman_client_ssl_cert'),
  744. gearman_client_ssl_key => hiera('gearman_client_ssl_key'),
  745. gearman_ssl_ca => hiera('gearman_ssl_ca'),
  746. statsd_host => 'graphite.opendev.org',
  747. }
  748. class { 'openstack_project::zuul_merger':
  749. gerrit_server => $gerrit_server,
  750. gerrit_user => $gerrit_user,
  751. gerrit_ssh_host_key => $gerrit_ssh_host_key,
  752. zuul_ssh_private_key => $zuul_ssh_private_key,
  753. manage_common_zuul => false,
  754. }
  755. }
  756. # Node-OS: xenial
  757. node /^pbx\d*\.open.*\.org$/ {
  758. $group = "pbx"
  759. class { 'openstack_project::server': }
  760. class { 'openstack_project::pbx':
  761. sip_providers => [
  762. {
  763. provider => 'voipms',
  764. hostname => 'dallas.voip.ms',
  765. username => hiera('voipms_username', 'username'),
  766. password => hiera('voipms_password'),
  767. outgoing => false,
  768. },
  769. ],
  770. }
  771. }
  772. # Node-OS: xenial
  773. # A backup machine. Don't run cron or puppet agent on it.
  774. node /^backup\d+\..*\.ci\.open.*\.org$/ {
  775. $group = "ci-backup"
  776. class { 'openstack_project::server': }
  777. include openstack_project::backup_server
  778. }
  779. # Node-OS: xenial
  780. node /^openstackid\d*(\.openstack)?\.org$/ {
  781. $group = "openstackid"
  782. class { 'openstack_project::openstackid_prod':
  783. site_admin_password => hiera('openstackid_site_admin_password'),
  784. id_mysql_host => hiera('openstackid_id_mysql_host', 'localhost'),
  785. id_mysql_password => hiera('openstackid_id_mysql_password'),
  786. id_mysql_user => hiera('openstackid_id_mysql_user', 'username'),
  787. id_db_name => hiera('openstackid_id_db_name'),
  788. redis_password => hiera('openstackid_redis_password'),
  789. ssl_cert_file_contents => hiera('openstackid_ssl_cert_file_contents'),
  790. ssl_key_file_contents => hiera('openstackid_ssl_key_file_contents'),
  791. ssl_chain_file_contents => hiera('openstackid_ssl_chain_file_contents'),
  792. id_recaptcha_public_key => hiera('openstackid_recaptcha_public_key'),
  793. id_recaptcha_private_key => hiera('openstackid_recaptcha_private_key'),
  794. vhost_name => 'openstackid.org',
  795. session_cookie_domain => 'openstackid.org',
  796. serveradmin => 'webmaster@openstackid.org',
  797. canonicalweburl => 'https://openstackid.org/',
  798. app_url => 'https://openstackid.org',
  799. app_key => hiera('openstackid_app_key'),
  800. id_log_error_to_email => 'openstack@tipit.net',
  801. id_log_error_from_email => 'noreply@openstack.org',
  802. email_driver => 'sendgrid',
  803. email_send_grid_api_key => hiera('openstackid_send_grid_api_key'),
  804. php_version => 7,
  805. mysql_ssl_enabled => true,
  806. mysql_ssl_ca_file_contents => hiera('openstackid_mysql_ssl_ca_file_contents'),
  807. mysql_ssl_client_key_file_contents => hiera('openstackid_mysql_ssl_client_key_file_contents'),
  808. mysql_ssl_client_cert_file_contents => hiera('openstackid_mysql_ssl_client_cert_file_contents'),
  809. user_spam_processor_to => hiera('openstackid_user_spam_processor_to'),
  810. }
  811. }
  812. # Node-OS: xenial
  813. node /^openstackid-dev\d*\.openstack\.org$/ {
  814. $group = "openstackid-dev"
  815. class { 'openstack_project::openstackid_dev':
  816. site_admin_password => hiera('openstackid_dev_site_admin_password'),
  817. id_mysql_host => hiera('openstackid_dev_id_mysql_host', 'localhost'),
  818. id_mysql_password => hiera('openstackid_dev_id_mysql_password'),
  819. id_mysql_user => hiera('openstackid_dev_id_mysql_user', 'username'),
  820. redis_password => hiera('openstackid_dev_redis_password'),
  821. ssl_cert_file_contents => hiera('openstackid_dev_ssl_cert_file_contents'),
  822. ssl_key_file_contents => hiera('openstackid_dev_ssl_key_file_contents'),
  823. ssl_chain_file_contents => hiera('openstackid_dev_ssl_chain_file_contents'),
  824. id_recaptcha_public_key => hiera('openstackid_dev_recaptcha_public_key'),
  825. id_recaptcha_private_key => hiera('openstackid_dev_recaptcha_private_key'),
  826. vhost_name => 'openstackid-dev.openstack.org',
  827. session_cookie_domain => 'openstackid-dev.openstack.org',
  828. serveradmin => 'webmaster@openstackid-dev.openstack.org',
  829. canonicalweburl => 'https://openstackid-dev.openstack.org/',
  830. app_url => 'https://openstackid-dev.openstack.org',
  831. app_key => hiera('openstackid_dev_app_key'),
  832. id_log_error_to_email => 'openstack@tipit.net',
  833. id_log_error_from_email => 'noreply@openstack.org',
  834. email_driver => 'sendgrid',
  835. email_send_grid_api_key => hiera('openstackid_dev_send_grid_api_key'),
  836. php_version => 7,
  837. mysql_ssl_enabled => true,
  838. mysql_ssl_ca_file_contents => hiera('openstackid_dev_mysql_ssl_ca_file_contents'),
  839. mysql_ssl_client_key_file_contents => hiera('openstackid_dev_mysql_ssl_client_key_file_contents'),
  840. mysql_ssl_client_cert_file_contents => hiera('openstackid_dev_mysql_ssl_client_cert_file_contents'),
  841. user_spam_processor_to => hiera('openstackid_dev_user_spam_processor_to'),
  842. }
  843. }
  844. # Node-OS: xenial
  845. # Used for testing all-in-one deployments
  846. node 'single-node-ci.test.only' {
  847. include ::openstackci::single_node_ci
  848. }
  849. # Node-OS: xenial
  850. node /^kdc03\.open.*\.org$/ {
  851. class { 'openstack_project::server': }
  852. class { 'openstack_project::kdc': }
  853. }
  854. # Node-OS: xenial
  855. node /^kdc04\.open.*\.org$/ {
  856. class { 'openstack_project::server': }
  857. class { 'openstack_project::kdc':
  858. slave => true,
  859. }
  860. }
  861. # Node-OS: xenial
  862. node /^afsdb01\.open.*\.org$/ {
  863. $group = "afsdb"
  864. class { 'openstack_project::server':
  865. afs => true,
  866. }
  867. include openstack_project::afsdb
  868. include openstack_project::afsrelease
  869. }
  870. # Node-OS: xenial
  871. node /^afsdb.*\.open.*\.org$/ {
  872. $group = "afsdb"
  873. class { 'openstack_project::server':
  874. afs => true,
  875. }
  876. include openstack_project::afsdb
  877. }
  878. # Node-OS: xenial
  879. node /^afs.*\..*\.open.*\.org$/ {
  880. $group = "afs"
  881. class { 'openstack_project::server':
  882. afs => true,
  883. }
  884. include openstack_project::afsfs
  885. }
  886. # Node-OS: xenial
  887. node /^ask\d*\.open.*\.org$/ {
  888. class { 'openstack_project::server': }
  889. class { 'openstack_project::ask':
  890. db_user => hiera('ask_db_user', 'ask'),
  891. db_password => hiera('ask_db_password'),
  892. redis_password => hiera('ask_redis_password'),
  893. site_ssl_cert_file_contents => hiera('ask_site_ssl_cert_file_contents', undef),
  894. site_ssl_key_file_contents => hiera('ask_site_ssl_key_file_contents', undef),
  895. site_ssl_chain_file_contents => hiera('ask_site_ssl_chain_file_contents', undef),
  896. }
  897. }
  898. # Node-OS: xenial
  899. node /^ask-staging\d*\.open.*\.org$/ {
  900. class { 'openstack_project::server': }
  901. class { 'openstack_project::ask_staging':
  902. db_password => hiera('ask_staging_db_password'),
  903. redis_password => hiera('ask_staging_redis_password'),
  904. }
  905. }
  906. # Node-OS: xenial
  907. node /^translate\d+\.open.*\.org$/ {
  908. $group = "translate"
  909. class { 'openstack_project::server': }
  910. class { 'openstack_project::translate':
  911. admin_users => 'aeng,cboylan,eumel8,ianw,ianychoi,infra,jaegerandi,mordred,stevenk',
  912. openid_url => 'https://openstackid.org',
  913. listeners => ['ajp'],
  914. from_address => 'noreply@openstack.org',
  915. mysql_host => hiera('translate_mysql_host', 'localhost'),
  916. mysql_password => hiera('translate_mysql_password'),
  917. zanata_server_user => hiera('proposal_zanata_user'),
  918. zanata_server_api_key => hiera('proposal_zanata_api_key'),
  919. zanata_wildfly_version => '10.1.0',
  920. zanata_wildfly_install_url => 'https://repo1.maven.org/maven2/org/wildfly/wildfly-dist/10.1.0.Final/wildfly-dist-10.1.0.Final.tar.gz',
  921. zanata_main_version => 4,
  922. zanata_url => 'https://github.com/zanata/zanata-platform/releases/download/platform-4.3.3/zanata-4.3.3-wildfly.zip',
  923. zanata_checksum => 'eaf8bd07401dade758b677007d2358f173193d17',
  924. project_config_repo => 'https://opendev.org/openstack/project-config',
  925. ssl_cert_file_contents => hiera('translate_ssl_cert_file_contents'),
  926. ssl_key_file_contents => hiera('translate_ssl_key_file_contents'),
  927. ssl_chain_file_contents => hiera('translate_ssl_chain_file_contents'),
  928. vhost_name => 'translate.openstack.org',
  929. }
  930. }
  931. # Node-OS: xenial
  932. node /^translate-dev\d*\.open.*\.org$/ {
  933. $group = "translate-dev"
  934. class { 'openstack_project::translate_dev':
  935. admin_users => 'aeng,cboylan,eumel,eumel8,ianw,ianychoi,infra,jaegerandi,mordred,stevenk',
  936. openid_url => 'https://openstackid-dev.openstack.org',
  937. listeners => ['ajp'],
  938. from_address => 'noreply@openstack.org',
  939. mysql_host => hiera('translate_dev_mysql_host', 'localhost'),
  940. mysql_password => hiera('translate_dev_mysql_password'),
  941. zanata_server_user => hiera('proposal_zanata_user'),
  942. zanata_server_api_key => hiera('proposal_zanata_api_key'),
  943. project_config_repo => 'https://opendev.org/openstack/project-config',
  944. vhost_name => 'translate-dev.openstack.org',
  945. }
  946. }
  947. # Node-OS: xenial
  948. node /^codesearch\d*\.open.*\.org$/ {
  949. $group = "codesearch"
  950. class { 'openstack_project::server': }
  951. class { 'openstack_project::codesearch':
  952. project_config_repo => 'https://opendev.org/openstack/project-config',
  953. }
  954. }
  955. # vim:sw=2:ts=2:expandtab:textwidth=79