System configuration for OpenStack Infrastructure

site.pp 52KB

  #
  # Top-level variables
  #
  # There must not be any whitespace between this comment and the variables or
  # in between any two variables in order for them to be correctly parsed and
  # passed around in test.sh
  #
  # Note we do not do a hiera lookup here as we set $group on a per node basis
  # and that must be set before we can do hiera lookups. Doing a hiera lookup
  # here would fail to find any group specific info.
  #
  # $elasticsearch_nodes lists the Elasticsearch cluster hostnames; the
  # elasticsearch node definition passes it on as discover_nodes.
  $elasticsearch_nodes = [
    "elasticsearch02.openstack.org",
    "elasticsearch03.openstack.org",
    "elasticsearch04.openstack.org",
    "elasticsearch05.openstack.org",
    "elasticsearch06.openstack.org",
    "elasticsearch07.openstack.org",
  ]
  #
  # Default: should at least behave like an openstack server
  #
  node default {
    # Fallback for any certname that matches none of the node patterns in this
    # file: it gets the base server class only, with no service-specific
    # parameters and no hiera-provided secrets.
    class { 'openstack_project::server':
    }
  }
  #
  # Long lived servers:
  #
  # Node-OS: xenial
  node /^review\d*\.open.*\.org$/ {
    # Matches reviewNN under any domain of the form open*.org, which covers
    # both openstack.org and opendev.org.
    # $group is assigned first because the hiera lookups below depend on it.
    $group = 'review'
    class { 'openstack_project::server': }
    # No credential is written in this manifest: each one is fetched with
    # hiera(). A lookup with a second argument falls back to that placeholder
    # when the key is absent; a lookup without one makes catalog compilation
    # fail, so a missing secret is never silently replaced.
    class { 'openstack_project::review':
      project_config_repo                  => 'https://opendev.org/openstack/project-config',
      github_oauth_token                   => hiera('gerrit_github_token'),
      github_project_username              => hiera('github_project_username', 'username'),
      github_project_password              => hiera('github_project_password'),
      mysql_host                           => hiera('gerrit_mysql_host', 'localhost'),
      mysql_password                       => hiera('gerrit_mysql_password'),
      email_private_key                    => hiera('gerrit_email_private_key'),
      token_private_key                    => hiera('gerrit_rest_token_private_key'),
      gerritbot_password                   => hiera('gerrit_gerritbot_password'),
      gerritbot_ssh_rsa_key_contents       => hiera('gerritbot_ssh_rsa_key_contents'),
      gerritbot_ssh_rsa_pubkey_contents    => hiera('gerritbot_ssh_rsa_pubkey_contents'),
      # TLS material for the current domain (review_opendev_* keys).
      ssl_cert_file_contents               => hiera('review_opendev_cert_file_contents'),
      ssl_key_file_contents                => hiera('review_opendev_key_file_contents'),
      ssl_chain_file_contents              => hiera('review_opendev_chain_file_contents'),
      # NOTE(review): OpenSSH clients from 7.0 on reject ssh-dss keys by
      # default; confirm the DSA host key pair is still needed.
      ssh_dsa_key_contents                 => hiera('gerrit_ssh_dsa_key_contents'),
      ssh_dsa_pubkey_contents              => hiera('gerrit_ssh_dsa_pubkey_contents'),
      ssh_rsa_key_contents                 => hiera('gerrit_ssh_rsa_key_contents'),
      ssh_rsa_pubkey_contents              => hiera('gerrit_ssh_rsa_pubkey_contents'),
      ssh_project_rsa_key_contents         => hiera('gerrit_project_ssh_rsa_key_contents'),
      ssh_project_rsa_pubkey_contents      => hiera('gerrit_project_ssh_rsa_pubkey_contents'),
      ssh_welcome_rsa_key_contents         => hiera('welcome_message_gerrit_ssh_private_key'),
      ssh_welcome_rsa_pubkey_contents      => hiera('welcome_message_gerrit_ssh_public_key'),
      ssh_replication_rsa_key_contents     => hiera('gerrit_replication_ssh_rsa_key_contents'),
      ssh_replication_rsa_pubkey_contents  => hiera('gerrit_replication_ssh_rsa_pubkey_contents'),
      lp_access_token                      => hiera('gerrit_lp_access_token'),
      lp_access_secret                     => hiera('gerrit_lp_access_secret'),
      lp_consumer_key                      => hiera('gerrit_lp_consumer_key'),
      swift_username                       => hiera('swift_store_user', 'username'),
      swift_password                       => hiera('swift_store_key'),
      storyboard_password                  => hiera('gerrit_storyboard_token'),
      # Compatibility layer vars for the old domain name below here.
      # TODO rename the hiera keys to reduce confusion
      review_openstack_cert_file_contents  => hiera('gerrit_ssl_cert_file_contents'),
      review_openstack_key_file_contents   => hiera('gerrit_ssl_key_file_contents'),
      review_openstack_chain_file_contents => hiera('gerrit_ssl_chain_file_contents'),
    }
  }
  # Node-OS: xenial
  node /^review-dev\d*\.open.*\.org$/ {
    # Development counterpart of the review node. Every hiera key here carries
    # a gerrit_dev_/github_dev_ prefix, so the keys are distinct from the ones
    # the production review node reads.
    $group = 'review-dev'
    class { 'openstack_project::server':
      afs => true,
    }
    class { 'openstack_project::review_dev':
      project_config_repo                 => 'https://opendev.org/openstack/project-config',
      github_oauth_token                  => hiera('gerrit_dev_github_token'),
      github_project_username             => hiera('github_dev_project_username', 'username'),
      github_project_password             => hiera('github_dev_project_password'),
      mysql_host                          => hiera('gerrit_dev_mysql_host', 'localhost'),
      mysql_password                      => hiera('gerrit_dev_mysql_password'),
      email_private_key                   => hiera('gerrit_dev_email_private_key'),
      # NOTE(review): OpenSSH clients from 7.0 on reject ssh-dss keys by
      # default; confirm the DSA host key pair is still needed.
      ssh_dsa_key_contents                => hiera('gerrit_dev_ssh_dsa_key_contents'),
      ssh_dsa_pubkey_contents             => hiera('gerrit_dev_ssh_dsa_pubkey_contents'),
      ssh_rsa_key_contents                => hiera('gerrit_dev_ssh_rsa_key_contents'),
      ssh_rsa_pubkey_contents             => hiera('gerrit_dev_ssh_rsa_pubkey_contents'),
      ssh_project_rsa_key_contents        => hiera('gerrit_dev_project_ssh_rsa_key_contents'),
      ssh_project_rsa_pubkey_contents     => hiera('gerrit_dev_project_ssh_rsa_pubkey_contents'),
      ssh_replication_rsa_key_contents    => hiera('gerrit_dev_replication_ssh_rsa_key_contents'),
      ssh_replication_rsa_pubkey_contents => hiera('gerrit_dev_replication_ssh_rsa_pubkey_contents'),
      lp_access_token                     => hiera('gerrit_dev_lp_access_token'),
      lp_access_secret                    => hiera('gerrit_dev_lp_access_secret'),
      lp_consumer_key                     => hiera('gerrit_dev_lp_consumer_key'),
      storyboard_password                 => hiera('gerrit_dev_storyboard_token'),
      storyboard_ssl_cert                 => hiera('gerrit_dev_storyboard_ssl_crt'),
    }
  }
  # Node-OS: xenial
  # Puppet-Version: !3
  node /^grafana\d*\.open.*\.org$/ {
    # Grafana server. The admin password, database password and secret_key
    # have no fallback, so compilation fails if hiera lacks them; the user
    # names and database host fall back to placeholders.
    $group = 'grafana'
    class { 'openstack_project::server': }
    class { 'openstack_project::grafana':
      admin_password      => hiera('grafana_admin_password'),
      admin_user          => hiera('grafana_admin_user', 'username'),
      mysql_host          => hiera('grafana_mysql_host', 'localhost'),
      mysql_name          => hiera('grafana_mysql_name'),
      mysql_password      => hiera('grafana_mysql_password'),
      mysql_user          => hiera('grafana_mysql_user', 'username'),
      project_config_repo => 'https://opendev.org/openstack/project-config',
      secret_key          => hiera('grafana_secret_key'),
    }
  }
  # Node-OS: xenial
  node /^health\d*\.openstack\.org$/ {
    # Unlike most patterns in this file, this one is pinned to openstack.org.
    # Only a database host is passed; no credential appears in this node.
    $group = 'health'
    class { 'openstack_project::server': }
    class { 'openstack_project::openstack_health_api':
      subunit2sql_db_host => hiera('subunit2sql_db_host', 'localhost'),
      hostname            => 'health.openstack.org',
    }
  }
  # Node-OS: xenial
  node /^cacti\d+\.open.*\.org$/ {
    # Cacti monitoring host; also includes the ssl_cert_check class.
    # cacti_hosts is merged from every hiera level by hiera_array().
    $group = 'cacti'
    include openstack_project::ssl_cert_check
    class { 'openstack_project::cacti':
      cacti_hosts => hiera_array('cacti_hosts'),
      vhost_name  => 'cacti.openstack.org',
    }
  }
  # Node-OS: xenial
  node /^graphite\d*\.open.*\.org$/ {
    # NOTE(review): no $group is assigned here, although the file header says
    # group-specific hiera data depends on it; confirm the graphite_* keys
    # resolve without one.
    class { 'openstack_project::server': }
    class { '::graphite':
      graphite_admin_user     => hiera('graphite_admin_user', 'username'),
      graphite_admin_email    => hiera('graphite_admin_email', 'email@example.com'),
      graphite_admin_password => hiera('graphite_admin_password'),
      # NOTE(ianw): installed on the host via ansible
      # The paths name graphite01.opendev.org explicitly, while the node
      # pattern accepts any graphiteNN host.
      ssl_cert_file           => '/etc/letsencrypt-certs/graphite01.opendev.org/graphite01.opendev.org.cer',
      ssl_key_file            => '/etc/letsencrypt-certs/graphite01.opendev.org/graphite01.opendev.org.key',
      ssl_chain_file          => '/etc/letsencrypt-certs/graphite01.opendev.org/ca.cer',
    }
  }
  # Node-OS: trusty
  # Node-OS: xenial
  node /^lists\d*\.open.*\.org$/ {
    # Mailing-list server. The hiera key 'listpassword' is also read by the
    # katacontainers list node; which value each host receives is decided by
    # the hiera hierarchy, which is not visible in this file.
    class { 'openstack_project::server': }
    class { 'openstack_project::lists':
      listpassword => hiera('listpassword'),
    }
  }
  # Node-OS: xenial
  node /^lists\d*\.katacontainers\.io$/ {
    # Mailing-list server for katacontainers.io. It reads the same hiera key,
    # 'listpassword', as the open*.org list node; which value it receives is
    # decided by the hiera hierarchy, which is not visible in this file.
    class { 'openstack_project::server': }
    class { 'openstack_project::kata_lists':
      listpassword => hiera('listpassword'),
    }
  }
  # Node-OS: xenial
  node /^paste\d*\.open.*\.org$/ {
    # Paste service. Neither the database host nor its password has a
    # fallback, so both must be present in hiera for the catalog to compile.
    $group = 'paste'
    class { 'openstack_project::server': }
    class { 'openstack_project::paste':
      db_password => hiera('paste_db_password'),
      db_host     => hiera('paste_db_host'),
      vhost_name  => 'paste.openstack.org',
    }
  }
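  # Node-OS: xenial
  node /^planet\d*\.open.*\.org$/ {
    # The pattern is anchored with ^ like every other node regex in this
    # file. Without the anchor, any certname that merely ends in
    # planetNN.open*.org would also be classified as a planet server.
    class { 'openstack_project::planet':
    }
  }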
  # Node-OS: xenial
  node /^eavesdrop\d*\.open.*\.org$/ {
    # IRC bot host (meetbot, statusbot, accessbot, ptgbot). Bot passwords,
    # the wiki password and the Twitter API credentials come from hiera with
    # no fallback; nicks and user names fall back to placeholders.
    $group = 'eavesdrop'
    class { 'openstack_project::server': }
    class { 'openstack_project::eavesdrop':
      project_config_repo            => 'https://opendev.org/openstack/project-config',
      nickpass                       => hiera('openstack_meetbot_password'),
      statusbot_nick                 => hiera('statusbot_nick', 'username'),
      statusbot_password             => hiera('statusbot_nick_password'),
      statusbot_server               => 'chat.freenode.net',
      # NOTE(review): the fallback here is 'openstack_infra' (underscore)
      # while meetbot_channels below falls back to 'openstack-infra'
      # (hyphen); confirm which spelling is intended.
      statusbot_channels             => hiera_array('statusbot_channels', ['openstack_infra']),
      # Nicks listed here are the ones passed to statusbot as authorised;
      # the list is merged across hiera levels and has no fallback.
      statusbot_auth_nicks           => hiera_array('statusbot_auth_nicks'),
      statusbot_wiki_user            => hiera('statusbot_wiki_username', 'username'),
      statusbot_wiki_password        => hiera('statusbot_wiki_password'),
      statusbot_wiki_url             => 'https://wiki.openstack.org/w/api.php',
      # https://wiki.openstack.org/wiki/Infrastructure_Status
      statusbot_wiki_pageid          => '1781',
      statusbot_wiki_successpageid   => '7717',
      statusbot_wiki_successpageurl  => 'https://wiki.openstack.org/wiki/Successes',
      statusbot_wiki_thankspageid    => '37700',
      statusbot_wiki_thankspageurl   => 'https://wiki.openstack.org/wiki/Thanks',
      # This link template is plain http, unlike the wiki URLs above.
      statusbot_irclogs_url          => 'http://eavesdrop.openstack.org/irclogs/%(chan)s/%(chan)s.%(date)s.log.html',
      statusbot_twitter              => true,
      statusbot_twitter_key          => hiera('statusbot_twitter_key'),
      statusbot_twitter_secret       => hiera('statusbot_twitter_secret'),
      statusbot_twitter_token_key    => hiera('statusbot_twitter_token_key'),
      statusbot_twitter_token_secret => hiera('statusbot_twitter_token_secret'),
      accessbot_nick                 => hiera('accessbot_nick', 'username'),
      accessbot_password             => hiera('accessbot_nick_password'),
      # Uses hiera() with an array fallback, where statusbot_channels uses
      # hiera_array().
      meetbot_channels               => hiera('meetbot_channels', ['openstack-infra']),
      ptgbot_nick                    => hiera('ptgbot_nick', 'username'),
      ptgbot_password                => hiera('ptgbot_password'),
    }
  }
  # Node-OS: xenial
  node /^ethercalc\d+\.open.*\.org$/ {
    # The TLS keys are looked up under generic names (ssl_*_file_contents),
    # which other nodes in this file use as well; the file header indicates
    # that $group is what makes such lookups host-specific.
    $group = 'ethercalc'
    class { 'openstack_project::server': }
    class { 'openstack_project::ethercalc':
      vhost_name              => 'ethercalc.openstack.org',
      ssl_cert_file_contents  => hiera('ssl_cert_file_contents'),
      ssl_key_file_contents   => hiera('ssl_key_file_contents'),
      ssl_chain_file_contents => hiera('ssl_chain_file_contents'),
    }
  }
  # Node-OS: xenial
  node /^etherpad\d*\.open.*\.org$/ {
    # Etherpad server: TLS material and the database password come from
    # etherpad_* hiera keys with no fallback.
    $group = 'etherpad'
    class { 'openstack_project::server': }
    class { 'openstack_project::etherpad':
      vhost_name              => 'etherpad.openstack.org',
      ssl_cert_file_contents  => hiera('etherpad_ssl_cert_file_contents'),
      ssl_key_file_contents   => hiera('etherpad_ssl_key_file_contents'),
      ssl_chain_file_contents => hiera('etherpad_ssl_chain_file_contents'),
      mysql_host              => hiera('etherpad_db_host', 'localhost'),
      mysql_user              => hiera('etherpad_db_user', 'username'),
      mysql_password          => hiera('etherpad_db_password'),
    }
  }
  # Node-OS: xenial
  node /^etherpad-dev\d*\.open.*\.org$/ {
    # Development etherpad. Its database keys (etherpad-dev_*) are separate
    # from the production etherpad_* keys. No ssl_* parameters are passed
    # here, unlike the etherpad node.
    $group = 'etherpad-dev'
    class { 'openstack_project::server': }
    class { 'openstack_project::etherpad_dev':
      vhost_name     => 'etherpad-dev.openstack.org',
      mysql_host     => hiera('etherpad-dev_db_host', 'localhost'),
      mysql_user     => hiera('etherpad-dev_db_user', 'username'),
      mysql_password => hiera('etherpad-dev_db_password'),
    }
  }
  # Node-OS: trusty
  node /^wiki\d+\.openstack\.org$/ {
    # Production wiki. The database password, the wg_secretkey and
    # wg_upgradekey values and the reCAPTCHA keys are read from hiera with no
    # fallback.
    $group = 'wiki'
    class { 'openstack_project::wiki':
      bup_user                  => 'bup-wiki',
      serveradmin               => hiera('infra_apache_serveradmin'),
      site_hostname             => 'wiki.openstack.org',
      ssl_cert_file_contents    => hiera('ssl_cert_file_contents'),
      ssl_key_file_contents     => hiera('ssl_key_file_contents'),
      ssl_chain_file_contents   => hiera('ssl_chain_file_contents'),
      wg_dbserver               => hiera('wg_dbserver'),
      wg_dbname                 => 'openstack_wiki',
      wg_dbuser                 => 'wikiuser',
      wg_dbpassword             => hiera('wg_dbpassword'),
      wg_secretkey              => hiera('wg_secretkey'),
      wg_upgradekey             => hiera('wg_upgradekey'),
      wg_recaptchasitekey       => hiera('wg_recaptchasitekey'),
      wg_recaptchasecretkey     => hiera('wg_recaptchasecretkey'),
      wg_googleanalyticsaccount => hiera('wg_googleanalyticsaccount'),
    }
  }
  # Node-OS: trusty
  node /^wiki-dev\d+\.openstack\.org$/ {
    # Development wiki, built from the same class as production with the same
    # hiera key names, database name and database user; only $group differs.
    # NOTE(review): whether it ends up with credentials distinct from
    # production depends on the hiera data, which is not visible here.
    $group = 'wiki-dev'
    class { 'openstack_project::wiki':
      serveradmin           => hiera('infra_apache_serveradmin'),
      site_hostname         => 'wiki-dev.openstack.org',
      wg_dbserver           => hiera('wg_dbserver'),
      wg_dbname             => 'openstack_wiki',
      wg_dbuser             => 'wikiuser',
      wg_dbpassword         => hiera('wg_dbpassword'),
      wg_secretkey          => hiera('wg_secretkey'),
      wg_upgradekey         => hiera('wg_upgradekey'),
      wg_recaptchasitekey   => hiera('wg_recaptchasitekey'),
      wg_recaptchasecretkey => hiera('wg_recaptchasecretkey'),
      disallow_robots       => true,
    }
  }
  # Node-OS: xenial
  node /^logstash\d*\.open.*\.org$/ {
    class { 'openstack_project::server': }
    class { 'openstack_project::logstash':
      # The same six hosts as $elasticsearch_nodes, written out with port
      # 9200 and in a different order.
      discover_nodes      => [
        'elasticsearch03.openstack.org:9200',
        'elasticsearch04.openstack.org:9200',
        'elasticsearch05.openstack.org:9200',
        'elasticsearch06.openstack.org:9200',
        'elasticsearch07.openstack.org:9200',
        'elasticsearch02.openstack.org:9200',
      ],
      # NOTE(review): both lookups fall back to an empty string, so a missing
      # database password yields '' instead of a compilation failure; confirm
      # the class treats an empty value as "not configured".
      subunit2sql_db_host => hiera('subunit2sql_db_host', ''),
      subunit2sql_db_pass => hiera('subunit2sql_db_password', ''),
    }
  }
  # Node-OS: xenial
  node /^logstash-worker\d+\.open.*\.org$/ {
    $group = 'logstash-worker'
    class { 'openstack_project::server': }
    class { 'openstack_project::logstash_worker':
      discover_node         => 'elasticsearch03.openstack.org',
      # MQTT is switched off, yet the service password and CA certificate are
      # still looked up (with no fallback) and handed to the class.
      enable_mqtt           => false,
      mqtt_password         => hiera('mqtt_service_user_password'),
      mqtt_ca_cert_contents => hiera('mosquitto_tls_ca_file'),
    }
  }
  # Node-OS: xenial
  node /^subunit-worker\d+\.open.*\.org$/ {
    $group = 'subunit-worker'
    class { 'openstack_project::server': }
    class { 'openstack_project::subunit_worker':
      # NOTE(review): both database lookups fall back to an empty string, so a
      # missing password yields '' instead of a compilation failure.
      subunit2sql_db_host   => hiera('subunit2sql_db_host', ''),
      subunit2sql_db_pass   => hiera('subunit2sql_db_password', ''),
      # The MQTT password and CA certificate have no fallback.
      mqtt_pass             => hiera('mqtt_service_user_password'),
      mqtt_ca_cert_contents => hiera('mosquitto_tls_ca_file'),
    }
  }
  # Node-OS: xenial
  node /^elasticsearch\d+\.open.*\.org$/ {
    # Cluster member; the peer list is the top-level $elasticsearch_nodes
    # array defined at the head of this file. No credentials are passed.
    $group = 'elasticsearch'
    class { 'openstack_project::server': }
    class { 'openstack_project::elasticsearch_node':
      discover_nodes => $elasticsearch_nodes,
    }
  }
  # Node-OS: xenial
  node /^firehose\d+\.open.*\.org$/ {
    # Firehose host. It is handed a Gerrit SSH key pair, the MQTT service
    # password, the broker's TLS CA/certificate/key and IMAP credentials, all
    # from hiera with no fallback. No $group is assigned in this node.
    class { 'openstack_project::server': }
    class { 'openstack_project::firehose':
      # Same hiera key the status node reads for Gerrit's RSA host public key.
      gerrit_ssh_host_key => hiera('gerrit_ssh_rsa_pubkey_contents'),
      gerrit_public_key   => hiera('germqtt_gerrit_ssh_public_key'),
      gerrit_private_key  => hiera('germqtt_gerrit_ssh_private_key'),
      mqtt_password       => hiera('mqtt_service_user_password'),
      ca_file             => hiera('mosquitto_tls_ca_file'),
      cert_file           => hiera('mosquitto_tls_server_cert_file'),
      key_file            => hiera('mosquitto_tls_server_key_file'),
      imap_hostname       => hiera('lpmqtt_imap_server'),
      imap_username       => hiera('lpmqtt_imap_username'),
      imap_password       => hiera('lpmqtt_imap_password'),
      statsd_host         => 'graphite.opendev.org',
    }
  }
  # A machine to drive AFS mirror updates.
  # Node-OS: xenial
  node /^mirror-update\d*\.open.*\.org$/ {
    # Runs in the 'afsadmin' group and receives eight Kerberos keytabs from
    # hiera, including the AFS admin one. A keytab is a long-lived credential,
    # so this host holds the write identities for every mirror listed here.
    $group = 'afsadmin'
    class { 'openstack_project::mirror_update':
      admin_keytab          => hiera('afsadmin_keytab'),
      fedora_keytab         => hiera('fedora_keytab'),
      opensuse_keytab       => hiera('opensuse_keytab'),
      reprepro_keytab       => hiera('reprepro_keytab'),
      gem_keytab            => hiera('gem_keytab'),
      centos_keytab         => hiera('centos_keytab'),
      epel_keytab           => hiera('epel_keytab'),
      yum_puppetlabs_keytab => hiera('yum_puppetlabs_keytab'),
    }
  }
  # Machines in each region to serve AFS mirrors.
  # Node-OS: xenial
  node /^mirror\d*\..*\.open.*\.org$/ {
    # The extra \..* segment lets a region label sit between mirrorNN and the
    # domain. No secrets are passed; the vhost is named after the host's fqdn.
    $group = 'mirror'
    class { 'openstack_project::server':
      afs            => true,
      afs_cache_size => 50000000, # 50GB
    }
    # Applied only after the server class, which is the one enabling AFS.
    class { 'openstack_project::mirror':
      vhost_name => $::fqdn,
      require    => Class['Openstack_project::Server'],
    }
  }
  # Serve static AFS content for docs and other sites.
  # Node-OS: xenial
  node /^files\d*\.open.*\.org$/ {
    # One host terminates TLS for many sites: it receives the certificate,
    # private key and chain for each of them from hiera, so all of those
    # private keys live on this machine.
    $group = 'files'
    class { 'openstack_project::server':
      afs            => true,
      afs_cache_size => 10000000, # 10GB
    }
    class { 'openstack_project::files':
      vhost_name                        => 'files.openstack.org',
      developer_cert_file_contents      => hiera('developer_cert_file_contents'),
      developer_key_file_contents       => hiera('developer_key_file_contents'),
      developer_chain_file_contents     => hiera('developer_chain_file_contents'),
      docs_cert_file_contents           => hiera('docs_cert_file_contents'),
      docs_key_file_contents            => hiera('docs_key_file_contents'),
      docs_chain_file_contents          => hiera('docs_chain_file_contents'),
      git_airship_cert_file_contents    => hiera('git_airship_cert_file_contents'),
      git_airship_key_file_contents     => hiera('git_airship_key_file_contents'),
      git_airship_chain_file_contents   => hiera('git_airship_chain_file_contents'),
      git_openstack_cert_file_contents  => hiera('git_openstack_cert_file_contents'),
      git_openstack_key_file_contents   => hiera('git_openstack_key_file_contents'),
      git_openstack_chain_file_contents => hiera('git_openstack_chain_file_contents'),
      git_starlingx_cert_file_contents  => hiera('git_starlingx_cert_file_contents'),
      git_starlingx_key_file_contents   => hiera('git_starlingx_key_file_contents'),
      git_starlingx_chain_file_contents => hiera('git_starlingx_chain_file_contents'),
      git_zuul_cert_file_contents       => hiera('git_zuul_cert_file_contents'),
      git_zuul_key_file_contents        => hiera('git_zuul_key_file_contents'),
      git_zuul_chain_file_contents      => hiera('git_zuul_chain_file_contents'),
      require                           => Class['Openstack_project::Server'],
    }
    # Temporary for evaluating htaccess rules
    # NOTE(review): this vhost is declared on port 80 with no TLS parameters;
    # remove it once the evaluation is finished.
    ::httpd::vhost { 'git-test.openstack.org':
      port     => 80, # Is required despite not being used.
      docroot  => '/afs/openstack.org/project/git-test/www',
      priority => '50',
      template => 'openstack_project/git-test.vhost.erb',
    }
    openstack_project::website { 'docs.starlingx.io':
      volume_name      => 'starlingx.io',
      aliases          => [],
      ssl_cert         => hiera('docs_starlingx_io_ssl_cert'),
      ssl_key          => hiera('docs_starlingx_io_ssl_key'),
      ssl_intermediate => hiera('docs_starlingx_io_ssl_intermediate'),
      require          => Class['openstack_project::files'],
    }
    openstack_project::website { 'docs.opendev.org':
      aliases          => [],
      docroot          => '/afs/openstack.org/project/opendev.org/docs',
      ssl_cert         => hiera('docs_opendev_ssl_cert'),
      ssl_key          => hiera('docs_opendev_ssl_key'),
      ssl_intermediate => hiera('docs_opendev_ssl_intermediate'),
      require          => Class['openstack_project::files'],
    }
    # This site points at certificate files already on disk under
    # /etc/letsencrypt-certs instead of taking their contents from hiera.
    openstack_project::website { 'tarballs.opendev.org':
      aliases        => [],
      docroot        => '/afs/openstack.org/project/opendev.org/tarballs',
      ssl_cert_file  => '/etc/letsencrypt-certs/tarballs.opendev.org/tarballs.opendev.org.cer',
      ssl_key_file   => '/etc/letsencrypt-certs/tarballs.opendev.org/tarballs.opendev.org.key',
      ssl_chain_file => '/etc/letsencrypt-certs/tarballs.opendev.org/ca.cer',
      require        => Class['openstack_project::files'],
    }
    openstack_project::website { 'zuul-ci.org':
      aliases          => ['www.zuul-ci.org', 'zuulci.org', 'www.zuulci.org'],
      ssl_cert         => hiera('zuul-ci_org_ssl_cert'),
      ssl_key          => hiera('zuul-ci_org_ssl_key'),
      ssl_intermediate => hiera('zuul-ci_org_ssl_intermediate'),
      require          => Class['openstack_project::files'],
    }
  }
  # Node-OS: trusty
  # Node-OS: xenial
  node /^refstack\d*\.open.*\.org$/ {
    # RefStack server plus a remote MySQL backup that reuses the application's
    # own database user and password.
    class { 'openstack_project::server': }
    class { 'refstack':
      mysql_host          => hiera('refstack_mysql_host', 'localhost'),
      mysql_database      => hiera('refstack_mysql_db_name', 'refstack'),
      mysql_user          => hiera('refstack_mysql_user', 'refstack'),
      mysql_user_password => hiera('refstack_mysql_password'),
      ssl_cert_content    => hiera('refstack_ssl_cert_file_contents'),
      ssl_cert            => '/etc/ssl/certs/refstack.pem',
      ssl_key_content     => hiera('refstack_ssl_key_file_contents'),
      ssl_key             => '/etc/ssl/private/refstack.key',
      ssl_ca_content      => hiera('refstack_ssl_chain_file_contents'),
      ssl_ca              => '/etc/ssl/certs/refstack.ca.pem',
      protocol            => 'https',
    }
    mysql_backup::backup_remote { 'refstack':
      database_host     => hiera('refstack_mysql_host', 'localhost'),
      database_user     => hiera('refstack_mysql_user', 'refstack'),
      database_password => hiera('refstack_mysql_password'),
      require           => Class['::refstack'],
    }
  }
  # A machine to run Storyboard
  # Node-OS: xenial
  node /^storyboard\d+\.opendev\.org$/ {
    # The host lives under opendev.org while the service is still published
    # as storyboard.openstack.org.
    $group = 'storyboard'
    class { 'openstack_project::storyboard':
      project_config_repo     => 'https://opendev.org/openstack/project-config',
      mysql_host              => hiera('storyboard_db_host', 'localhost'),
      mysql_user              => hiera('storyboard_db_user', 'username'),
      mysql_password          => hiera('storyboard_db_password'),
      rabbitmq_user           => hiera('storyboard_rabbit_user', 'username'),
      rabbitmq_password       => hiera('storyboard_rabbit_password'),
      ssl_cert                => '/etc/ssl/certs/storyboard.openstack.org.pem',
      ssl_cert_file_contents  => hiera('storyboard_ssl_cert_file_contents'),
      ssl_key                 => '/etc/ssl/private/storyboard.openstack.org.key',
      ssl_key_file_contents   => hiera('storyboard_ssl_key_file_contents'),
      ssl_chain_file_contents => hiera('storyboard_ssl_chain_file_contents'),
      hostname                => 'storyboard.openstack.org',
      valid_oauth_clients     => [
        'storyboard.openstack.org',
        'logs.openstack.org',
      ],
      # NOTE(review): the logs origin is allowed over plain http. Content
      # fetched from that origin in cleartext can be altered in transit and
      # would still count as an allowed origin; confirm an https origin
      # cannot be used instead.
      cors_allowed_origins    => [
        'https://storyboard.openstack.org',
        'http://logs.openstack.org',
      ],
      sender_email_address    => 'storyboard@storyboard.openstack.org',
      default_url             => 'https://storyboard.openstack.org',
    }
  }
  # A machine to run Storyboard devel
  # Node-OS: xenial
  node /^storyboard-dev\d+\.opendev\.org$/ {
    # Reads the same hiera key names (storyboard_db_*, storyboard_rabbit_*) as
    # the production storyboard node; only $group differs.
    # NOTE(review): whether dev and production end up with different
    # credentials depends on the hiera data, which is not visible here.
    $group = 'storyboard-dev'
    class { 'openstack_project::storyboard::dev':
      project_config_repo  => 'https://opendev.org/openstack/project-config',
      mysql_host           => hiera('storyboard_db_host', 'localhost'),
      mysql_user           => hiera('storyboard_db_user', 'username'),
      mysql_password       => hiera('storyboard_db_password'),
      rabbitmq_user        => hiera('storyboard_rabbit_user', 'username'),
      rabbitmq_password    => hiera('storyboard_rabbit_password'),
      hostname             => 'storyboard-dev.openstack.org',
      valid_oauth_clients  => [
        'storyboard-dev.openstack.org',
        'logs.openstack.org',
      ],
      # NOTE(review): the logs origin is allowed over plain http; confirm an
      # https origin cannot be used instead.
      cors_allowed_origins => [
        'https://storyboard-dev.openstack.org',
        'http://logs.openstack.org',
      ],
      sender_email_address => 'storyboard-dev@storyboard-dev.openstack.org',
      default_url          => 'https://storyboard-dev.openstack.org',
    }
  }
  # A machine to serve static content.
  # Node-OS: trusty
  # Node-OS: xenial
  node /^static\d*\.open.*\.org$/ {
    # Static content host. The Swift account name is fixed in this manifest;
    # its key and the TLS material come from hiera with no fallback.
    class { 'openstack_project::server': }
    class { 'openstack_project::static':
      project_config_repo     => 'https://opendev.org/openstack/project-config',
      swift_authurl           => 'https://identity.api.rackspacecloud.com/v2.0/',
      # presumably a read-only account, going by its name; verify in the
      # cloud's access settings.
      swift_user              => 'infra-files-ro',
      swift_key               => hiera('infra_files_ro_password'),
      swift_tenant_name       => hiera('infra_files_tenant_name', 'tenantname'),
      swift_region_name       => 'DFW',
      swift_default_container => 'infra-files',
      ssl_cert_file_contents  => hiera('static_ssl_cert_file_contents'),
      ssl_key_file_contents   => hiera('static_ssl_key_file_contents'),
      ssl_chain_file_contents => hiera('static_ssl_chain_file_contents'),
    }
  }
  # Node-OS: xenial
  node /^zk\d+\.open.*\.org$/ {
    # We use IP addresses here so that zk listens on the public facing addresses
    # allowing cluster members to talk to each other. Without this they listen
    # on 127.0.1.1 because that is what we have in /etc/hosts for
    # zk0X.openstack.org.
    # NOTE(review): because the service is bound to public addresses, access
    # to its ports has to be restricted elsewhere; nothing in this node
    # definition does so.
    $zk_cluster_members = [
      '23.253.236.126', # zk01
      '172.99.117.32', # zk02
      '23.253.90.246', # zk03
    ]
    class { 'openstack_project::server': }
    class { '::zookeeper':
      # ID needs to be numeric, so we use a regex to extract the number from
      # the fqdn.
      id             => regsubst($::fqdn, '^zk(\d+)\.open.*\.org$', '\1'),
      # The frequency in hours to look for and purge old snapshots,
      # defaults to 0 (disabled). The number of retained snapshots can
      # be separately controlled through snap_retain_count and
      # defaults to the minimum value of 3. This will quickly fill the
      # disk in production if not enabled. Works on ZK >=3.4.
      purge_interval => 6,
      servers        => $zk_cluster_members,
    }
  }
  # A machine to serve various project status updates.
  # Node-OS: trusty
  # Node-OS: xenial
  node /^status\d*\.open.*\.org$/ {
    # Holds two SSH key pairs for talking to Gerrit (reviewday and
    # elastic-recheck) plus the recheck IRC bot password, all from hiera with
    # no fallback.
    $group = 'status'
    class { 'openstack_project::server': }
    class { 'openstack_project::status':
      gerrit_host               => 'review.opendev.org',
      # Gerrit's RSA host public key, the same hiera key the review node uses
      # for ssh_rsa_pubkey_contents.
      gerrit_ssh_host_key       => hiera('gerrit_ssh_rsa_pubkey_contents'),
      reviewday_ssh_public_key  => hiera('reviewday_rsa_pubkey_contents'),
      reviewday_ssh_private_key => hiera('reviewday_rsa_key_contents'),
      recheck_ssh_public_key    => hiera('elastic-recheck_gerrit_ssh_public_key'),
      recheck_ssh_private_key   => hiera('elastic-recheck_gerrit_ssh_private_key'),
      recheck_bot_nick          => 'openstackrecheck',
      recheck_bot_passwd        => hiera('elastic-recheck_ircbot_password'),
    }
  }
  # Node-OS: xenial
  node /^survey\d+\.open.*\.org$/ {
    # Every lookup here uses a generic key name (dbpassword, adminpass, ...)
    # and none has a fallback; the file header indicates that $group is what
    # makes such lookups host-specific.
    $group = 'survey'
    class { 'openstack_project::server': }
    class { 'openstack_project::survey':
      vhost_name              => 'survey.openstack.org',
      auth_openid             => true,
      ssl_cert_file_contents  => hiera('ssl_cert_file_contents'),
      ssl_key_file_contents   => hiera('ssl_key_file_contents'),
      ssl_chain_file_contents => hiera('ssl_chain_file_contents'),
      dbpassword              => hiera('dbpassword'),
      dbhost                  => hiera('dbhost'),
      adminuser               => hiera('adminuser'),
      adminpass               => hiera('adminpass'),
      adminmail               => hiera('adminmail'),
    }
  }
  # Node-OS: xenial
  node /^nl\d+\.open.*\.org$/ {
    $group = 'nodepool'

    # NOTE(ianw) From 09-2018 (https://review.opendev.org/#/c/598329/)
    # the cloud credentials are deployed with ansible via the
    # configure-openstacksdk role and are no longer configured here
    class { 'openstack_project::server': }
    include openstack_project

    # The launcher receives the private half of the zuul worker SSH key
    # from hiera. project-config is fetched over HTTPS and tracked at
    # 'master' rather than at a pinned commit.
    class { '::openstackci::nodepool_launcher':
      nodepool_ssh_private_key => hiera('zuul_worker_ssh_private_key_contents'),
      project_config_repo      => 'https://opendev.org/openstack/project-config',
      statsd_host              => 'graphite.opendev.org',
      revision                 => 'master',
      python_version           => 3,
      enable_webapp            => true,
    }
  }
  # Node-OS: xenial
  node /^nb\d+\.open.*\.org$/ {
    $group = 'nodepool'

    class { 'openstack_project::server': }
    include openstack_project

    # Only the public half of the zuul worker key is given to the builder.
    # The vhost serving build logs is pointed at the ssl-cert-snakeoil
    # pair, the name the Debian/Ubuntu ssl-cert package uses for its
    # locally generated self-signed certificate.
    # NOTE(review): if that is what is on disk, clients cannot validate
    # this vhost against a CA - confirm that is acceptable for build logs.
    class { '::openstackci::nodepool_builder':
      nodepool_ssh_public_key   => hiera('zuul_worker_ssh_public_key_contents'),
      vhost_name                => $::fqdn,
      enable_build_log_via_http => true,
      project_config_repo       => 'https://opendev.org/openstack/project-config',
      statsd_host               => 'graphite.opendev.org',
      upload_workers            => '16',
      revision                  => 'master',
      python_version            => 3,
      zuulv3                    => true,
      ssl_cert_file             => '/etc/ssl/certs/ssl-cert-snakeoil.pem',
      ssl_key_file              => '/etc/ssl/private/ssl-cert-snakeoil.key',
    }

    # Daily at 20:00, as the nodepool user, run "git gc" on every *.git
    # directory under the diskimage-builder source cache. PATH is set
    # explicitly so the job does not depend on the cron default.
    cron { 'mirror_gitgc':
      user        => 'nodepool',
      hour        => '20',
      minute      => '0',
      command     => 'find /opt/dib_cache/source-repositories/ -type d -name "*.git" -exec git --git-dir="{}" gc \; >/dev/null',
      environment => 'PATH=/usr/bin:/bin:/usr/sbin:/sbin',
      require     => Class['::openstackci::nodepool_builder'],
    }
  }
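  # Node-OS: xenial
  node /^ze\d+\.open.*\.org$/ {
    $group                   = 'zuul-executor'
    $gerrit_server           = 'review.opendev.org'
    $gerrit_user             = 'zuul'
    $gerrit_ssh_host_key     = hiera('gerrit_ssh_rsa_pubkey_contents')
    # Three distinct private keys are looked up here:
    #  - $gerrit_ssh_private_key is handed to ::zuul as zuul_ssh_private_key
    #  - $zuul_ssh_private_key is written to nodepool_id_rsa below
    #  - $zuul_static_private_key is written to static_id_rsa below
    $gerrit_ssh_private_key  = hiera('gerrit_ssh_private_key_contents')
    $zuul_ssh_private_key    = hiera('zuul_ssh_private_key_contents')
    $zuul_static_private_key = hiera('jenkins_ssh_private_key_contents')
    $git_email               = 'zuul@openstack.org'
    $git_name                = 'OpenStack Zuul'
    $revision                = 'master'

    class { 'openstack_project::server':
      afs => true,
    }

    class { '::project_config':
      url => 'https://opendev.org/openstack/project-config',
    }

    # We use later HWE kernels for better memory management, requiring an
    # updated AFS version which we install from our custom ppa.
    include ::apt
    apt::ppa { 'ppa:openstack-ci-core/openafs-amd64-hwe': }
    package { 'linux-generic-hwe-16.04':
      ensure  => present,
      require => [
        Apt::Ppa['ppa:openstack-ci-core/openafs-amd64-hwe'],
        Class['apt::update'],
      ],
    }

    # Skopeo is required for pushing/pulling from the intermediate
    # registry, and is available in the projectatomic ppa.
    # NOTE(review): this PPA is outside the openstack-ci-core namespace, so
    # packages from it are trusted on the executor as well - confirm that
    # is the intended trust boundary.
    apt::ppa { 'ppa:projectatomic/ppa': }
    package { 'skopeo':
      ensure  => present,
      require => [
        Apt::Ppa['ppa:projectatomic/ppa'],
        Class['apt::update'],
      ],
    }

    # Socat is also required for pushing/pulling images
    package { 'socat':
      ensure  => present,
      require => [
        Class['apt::update'],
      ],
    }

    # NOTE(pabelanger): We call ::zuul directly, so we can override all in one
    # settings.
    class { '::zuul':
      gearman_server           => 'zuul01.openstack.org',
      gerrit_server            => $gerrit_server,
      gerrit_user              => $gerrit_user,
      zuul_ssh_private_key     => $gerrit_ssh_private_key,
      git_email                => $git_email,
      git_name                 => $git_name,
      worker_private_key_file  => '/var/lib/zuul/ssh/nodepool_id_rsa',
      revision                 => $revision,
      python_version           => 3,
      zookeeper_hosts          => 'zk01.openstack.org:2181,zk02.openstack.org:2181,zk03.openstack.org:2181',
      zuulv3                   => true,
      connections              => hiera('zuul_connections', []),
      gearman_client_ssl_cert  => hiera('gearman_client_ssl_cert'),
      gearman_client_ssl_key   => hiera('gearman_client_ssl_key'),
      gearman_ssl_ca           => hiera('gearman_ssl_ca'),
      #TODO(pabelanger): Add openafs role for zuul-jobs to setup /etc/openafs
      # properly. We need to revisit this post Queens PTG.
      # The trusted read-only list includes /var/lib/zuul/ssh, the
      # directory that holds the two private keys written below; the
      # untrusted list is limited to the CA certificate directory.
      trusted_ro_paths         => ['/etc/openafs', '/etc/ssl/certs', '/var/lib/zuul/ssh'],
      trusted_rw_paths         => ['/afs'],
      untrusted_ro_paths       => ['/etc/ssl/certs'],
      disk_limit_per_job       => 5000,  # Megabytes
      site_variables_yaml_file => $::project_config::zuul_site_variables_yaml,
      require                  => $::project_config::config_dir,
      statsd_host              => 'graphite.opendev.org',
    }

    class { '::zuul::executor': }

    # This is used by the log job submission playbook which runs under
    # python2
    # NOTE(review): 'latest' from pip is unpinned, so any run may install a
    # newer release than the one last tested.
    package { 'gear':
      ensure   => latest,
      provider => openstack_pip,
      require  => Class['pip'],
    }

    # Private keys: readable by the zuul user only. show_diff is disabled
    # so the key material is never printed in a content diff in agent
    # output or reports when the file changes.
    file { '/var/lib/zuul/ssh/nodepool_id_rsa':
      owner     => 'zuul',
      group     => 'zuul',
      mode      => '0400',
      require   => File['/var/lib/zuul/ssh'],
      content   => $zuul_ssh_private_key,
      show_diff => false,
    }

    file { '/var/lib/zuul/ssh/static_id_rsa':
      owner     => 'zuul',
      group     => 'zuul',
      mode      => '0400',
      require   => File['/var/lib/zuul/ssh'],
      content   => $zuul_static_private_key,
      show_diff => false,
    }

    # Pinned SSH host keys for the Gerrit endpoints (by name and by literal
    # address). The first entry uses the key from hiera; the second is a
    # literal ssh-rsa key and has to be edited here if that host rotates it.
    class { '::zuul::known_hosts':
      known_hosts_content => "[review.opendev.org]:29418,[review.openstack.org]:29418,[104.130.246.32]:29418,[2001:4800:7819:103:be76:4eff:fe04:9229]:29418 ${gerrit_ssh_host_key}\n[git.opendaylight.org]:29418,[52.35.122.251]:29418,[2600:1f14:421:f500:7b21:2a58:ab0a:2d17]:29418 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyRXyHEw/P1iZr/fFFzbodT5orVV/ftnNRW59Zh9rnSY5Rmbc9aygsZHdtiWBERVVv8atrJSdZool75AglPDDYtPICUGWLR91YBSDcZwReh5S9es1dlQ6fyWTnv9QggSZ98KTQEuE3t/b5SfH0T6tXWmrNydv4J2/mejKRRLU2+oumbeVN1yB+8Uau/3w9/K5F5LgsDDzLkW35djLhPV8r0OfmxV/cAnLl7AaZlaqcJMA+2rGKqM3m3Yu+pQw4pxOfCSpejlAwL6c8tA9naOvBkuJk+hYpg5tDEq2QFGRX5y1F9xQpwpdzZROc5hdGYntM79VMMXTj+95dwVv/8yTsw==\n",
    }
  }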
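  # Node-OS: xenial
  node /^zuul\d+\.open.*\.org$/ {
    $group                = 'zuul-scheduler'
    $gerrit_server        = 'review.opendev.org'
    $gerrit_user          = 'zuul'
    # NOTE(review): this value is used as the Gerrit *host* key in the
    # known_hosts entry at the end of this node, but it is read from
    # 'gerrit_zuul_user_ssh_key_contents', whereas the executor and merger
    # nodes read 'gerrit_ssh_rsa_pubkey_contents' - confirm the hiera key
    # really holds the server host key.
    $gerrit_ssh_host_key  = hiera('gerrit_zuul_user_ssh_key_contents')
    $zuul_ssh_private_key = hiera('zuul_ssh_private_key_contents')
    # Not passed to any declaration visible in this node.
    $zuul_url             = "http://zuul.openstack.org/p"
    $git_email            = 'zuul@openstack.org'
    $git_name             = 'OpenStack Zuul'
    $revision             = 'master'

    class { 'openstack_project::server': }

    class { '::project_config':
      url => 'https://opendev.org/openstack/project-config',
    }

    # NOTE(pabelanger): We call ::zuul directly, so we can override all in one
    # settings.
    class { '::zuul':
      gerrit_server                 => $gerrit_server,
      gerrit_user                   => $gerrit_user,
      zuul_ssh_private_key          => $zuul_ssh_private_key,
      git_email                     => $git_email,
      git_name                      => $git_name,
      revision                      => $revision,
      python_version                => 3,
      zookeeper_hosts               => 'zk01.openstack.org:2181,zk02.openstack.org:2181,zk03.openstack.org:2181',
      zookeeper_session_timeout     => 40,
      zuulv3                        => true,
      connections                   => hiera('zuul_connections', []),
      connection_secrets            => hiera('zuul_connection_secrets', []),
      vhost_name                    => 'zuul.openstack.org',
      zuul_status_url               => 'http://127.0.0.1:8001/openstack',
      zuul_web_url                  => 'http://127.0.0.1:9000',
      zuul_tenant_name              => 'openstack',
      gearman_client_ssl_cert       => hiera('gearman_client_ssl_cert'),
      gearman_client_ssl_key        => hiera('gearman_client_ssl_key'),
      gearman_server_ssl_cert       => hiera('gearman_server_ssl_cert'),
      gearman_server_ssl_key        => hiera('gearman_server_ssl_key'),
      gearman_ssl_ca                => hiera('gearman_ssl_ca'),
      proxy_ssl_cert_file_contents  => hiera('zuul_ssl_cert_file_contents'),
      proxy_ssl_chain_file_contents => hiera('zuul_ssl_chain_file_contents'),
      proxy_ssl_key_file_contents   => hiera('zuul_ssl_key_file_contents'),
      statsd_host                   => 'graphite.opendev.org',
      status_url                    => 'https://zuul.openstack.org',
      relative_priority             => true,
      web_root                      => 'https://zuul.opendev.org',
    }

    # GitHub app private key: owner read/write only. show_diff is disabled
    # so the key material is never printed in a content diff in agent
    # output or reports when the file changes.
    file { '/etc/zuul/github.key':
      ensure    => present,
      owner     => 'zuul',
      group     => 'zuul',
      mode      => '0600',
      content   => hiera('zuul_github_app_key'),
      show_diff => false,
      require   => File['/etc/zuul'],
    }

    class { '::zuul::scheduler':
      layout_dir     => $::project_config::zuul_layout_dir,
      require        => $::project_config::config_dir,
      python_version => 3,
      use_mysql      => true,
    }

    # Four vhosts: each of the two site names is declared once on 443 with
    # ssl => true and once on 80 with ssl => false, all from the same
    # template and docroot.
    # NOTE(review): what the template does with the port-80 vhosts
    # (redirect to HTTPS or serve content in clear) is not visible here.
    class { '::zuul::web':
      # We manage backups below
      enable_status_backups => false,
      vhosts                => {
        'zuul.openstack.org'      => {
          port       => 443,
          docroot    => '/opt/zuul-web/content',
          priority   => '50',
          ssl        => true,
          template   => 'zuul/zuulv3.vhost.erb',
          vhost_name => 'zuul.openstack.org',
        },
        'zuul.opendev.org'        => {
          port       => 443,
          docroot    => '/opt/zuul-web/content',
          priority   => '40',
          ssl        => true,
          template   => 'zuul/zuulv3.vhost.erb',
          vhost_name => 'zuul.opendev.org',
        },
        'zuul.openstack.org-http' => {
          port       => 80,
          docroot    => '/opt/zuul-web/content',
          priority   => '50',
          ssl        => false,
          template   => 'zuul/zuulv3.vhost.erb',
          vhost_name => 'zuul.openstack.org',
        },
        'zuul.opendev.org-http'   => {
          port       => 80,
          docroot    => '/opt/zuul-web/content',
          priority   => '40',
          ssl        => false,
          template   => 'zuul/zuulv3.vhost.erb',
          vhost_name => 'zuul.opendev.org',
        },
      },
      vhosts_flags          => {
        'zuul.openstack.org'      => {
          tenant_name => 'openstack',
          ssl         => true,
        },
        'zuul.opendev.org'        => {
          tenant_name => '',
          ssl         => true,
        },
        'zuul.openstack.org-http' => {
          tenant_name => 'openstack',
          ssl         => false,
        },
        'zuul.opendev.org-http'   => {
          tenant_name => '',
          ssl         => false,
        },
      },
      # Certificate material is supplied only for the two TLS vhosts.
      vhosts_ssl            => {
        'zuul.openstack.org' => {
          ssl_cert_file_contents  => hiera('zuul_ssl_cert_file_contents'),
          ssl_chain_file_contents => hiera('zuul_ssl_chain_file_contents'),
          ssl_key_file_contents   => hiera('zuul_ssl_key_file_contents'),
        },
        'zuul.opendev.org'   => {
          ssl_cert_file_contents  => hiera('opendev_zuul_ssl_cert_file_contents'),
          ssl_chain_file_contents => hiera('opendev_zuul_ssl_chain_file_contents'),
          ssl_key_file_contents   => hiera('opendev_zuul_ssl_key_file_contents'),
        },
      },
    }

    zuul::status_backups { 'openstack-zuul-tenant':
      tenant_name => 'openstack',
      ssl         => true,
      status_uri  => 'https://zuul.opendev.org/api/tenant/openstack/status',
    }

    zuul::status_backups { 'kata-zuul-tenant':
      tenant_name => 'kata-containers',
      ssl         => true,
      status_uri  => 'https://zuul.opendev.org/api/tenant/kata-containers/status',
    }

    class { '::zuul::fingergw': }

    # Pinned SSH host keys for the Gerrit endpoints (by name and by literal
    # address). The first entry uses $gerrit_ssh_host_key; the second is a
    # literal ssh-rsa key and has to be edited here if that host rotates it.
    class { '::zuul::known_hosts':
      known_hosts_content => "[review.opendev.org]:29418,[review.openstack.org]:29418,[104.130.246.32]:29418,[2001:4800:7819:103:be76:4eff:fe04:9229]:29418 ${gerrit_ssh_host_key}\n[git.opendaylight.org]:29418,[52.35.122.251]:29418,[2600:1f14:421:f500:7b21:2a58:ab0a:2d17]:29418 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyRXyHEw/P1iZr/fFFzbodT5orVV/ftnNRW59Zh9rnSY5Rmbc9aygsZHdtiWBERVVv8atrJSdZool75AglPDDYtPICUGWLR91YBSDcZwReh5S9es1dlQ6fyWTnv9QggSZ98KTQEuE3t/b5SfH0T6tXWmrNydv4J2/mejKRRLU2+oumbeVN1yB+8Uau/3w9/K5F5LgsDDzLkW35djLhPV8r0OfmxV/cAnLl7AaZlaqcJMA+2rGKqM3m3Yu+pQw4pxOfCSpejlAwL6c8tA9naOvBkuJk+hYpg5tDEq2QFGRX5y1F9xQpwpdzZROc5hdGYntM79VMMXTj+95dwVv/8yTsw==\n",
    }

    include bup
    bup::site { 'rax.ord':
      backup_user   => 'bup-zuulv3',
      backup_server => 'backup01.ord.rax.ci.openstack.org',
    }
  }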
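  # Node-OS: xenial
  # The dot after the digits is escaped so that only a literal '.' can
  # separate the host label from the domain, as in the other node patterns
  # of this file. Unescaped, it matched any character, so this node (and
  # the private key it deploys) could be assigned to names that are not
  # zmNN hosts.
  node /^zm\d+\.open.*\.org$/ {
    $group                = 'zuul-merger'
    $gerrit_server        = 'review.opendev.org'
    $gerrit_user          = 'zuul'
    $gerrit_ssh_host_key  = hiera('gerrit_ssh_rsa_pubkey_contents')
    $zuul_ssh_private_key = hiera('zuulv3_ssh_private_key_contents')
    # Not passed to any declaration visible in this node.
    $zuul_url             = "http://${::fqdn}/p"
    $git_email            = 'zuul@openstack.org'
    $git_name             = 'OpenStack Zuul'
    $revision             = 'master'

    class { 'openstack_project::server': }

    # NOTE(pabelanger): We call ::zuul directly, so we can override all in one
    # settings.
    class { '::zuul':
      gearman_server          => 'zuul01.openstack.org',
      gerrit_server           => $gerrit_server,
      gerrit_user             => $gerrit_user,
      zuul_ssh_private_key    => $zuul_ssh_private_key,
      git_email               => $git_email,
      git_name                => $git_name,
      revision                => $revision,
      python_version          => 3,
      zookeeper_hosts         => 'zk01.openstack.org:2181,zk02.openstack.org:2181,zk03.openstack.org:2181',
      zuulv3                  => true,
      connections             => hiera('zuul_connections', []),
      gearman_client_ssl_cert => hiera('gearman_client_ssl_cert'),
      gearman_client_ssl_key  => hiera('gearman_client_ssl_key'),
      gearman_ssl_ca          => hiera('gearman_ssl_ca'),
      statsd_host             => 'graphite.opendev.org',
    }

    # manage_common_zuul is false because ::zuul is already declared
    # directly above with this node's settings.
    class { 'openstack_project::zuul_merger':
      gerrit_server        => $gerrit_server,
      gerrit_user          => $gerrit_user,
      gerrit_ssh_host_key  => $gerrit_ssh_host_key,
      zuul_ssh_private_key => $zuul_ssh_private_key,
      manage_common_zuul   => false,
    }
  }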
  # Node-OS: xenial
  node /^pbx\d*\.open.*\.org$/ {
    $group = 'pbx'

    class { 'openstack_project::server': }

    # One SIP provider, declared with outgoing => false. The password has
    # no fallback, while the username falls back to the literal 'username'
    # when the hiera key is missing.
    class { 'openstack_project::pbx':
      sip_providers => [
        {
          provider => 'voipms',
          hostname => 'dallas.voip.ms',
          username => hiera('voipms_username', 'username'),
          password => hiera('voipms_password'),
          outgoing => false,
        },
      ],
    }
  }
  # Node-OS: xenial
  # A backup machine. Don't run cron or puppet agent on it.
  node /^backup\d+\..*\.ci\.open.*\.org$/ {
    $group = 'ci-backup'

    # Base server class plus the backup-server role; no parameters are
    # overridden for either.
    class { 'openstack_project::server': }
    include openstack_project::backup_server
  }
  # Node-OS: xenial
  node /^openstackid\d*(\.openstack)?\.org$/ {
    $group = 'openstackid'

    # Production OpenStackID. Passwords, TLS material, API keys and the
    # MySQL client certificate are all hiera lookups; MySQL TLS is enabled.
    # Unlike most nodes in this file, openstack_project::server is not
    # declared here; whether openstackid_prod pulls it in is not visible.
    # NOTE(review): several lookups fall back to the literal 'username'
    # (including ss_db_name, which is a database name) when the hiera key
    # is missing - presumably placeholders for test runs; confirm the
    # production data always defines them.
    class { 'openstack_project::openstackid_prod':
      site_admin_password                 => hiera('openstackid_site_admin_password'),
      id_mysql_host                       => hiera('openstackid_id_mysql_host', 'localhost'),
      id_mysql_password                   => hiera('openstackid_id_mysql_password'),
      id_mysql_user                       => hiera('openstackid_id_mysql_user', 'username'),
      id_db_name                          => hiera('openstackid_id_db_name'),
      ss_mysql_host                       => hiera('openstackid_ss_mysql_host', 'localhost'),
      ss_mysql_password                   => hiera('openstackid_ss_mysql_password'),
      ss_mysql_user                       => hiera('openstackid_ss_mysql_user', 'username'),
      ss_db_name                          => hiera('openstackid_ss_db_name', 'username'),
      redis_password                      => hiera('openstackid_redis_password'),
      ssl_cert_file_contents              => hiera('openstackid_ssl_cert_file_contents'),
      ssl_key_file_contents               => hiera('openstackid_ssl_key_file_contents'),
      ssl_chain_file_contents             => hiera('openstackid_ssl_chain_file_contents'),
      id_recaptcha_public_key             => hiera('openstackid_recaptcha_public_key'),
      id_recaptcha_private_key            => hiera('openstackid_recaptcha_private_key'),
      vhost_name                          => 'openstackid.org',
      session_cookie_domain               => 'openstackid.org',
      serveradmin                         => 'webmaster@openstackid.org',
      canonicalweburl                     => 'https://openstackid.org/',
      app_url                             => 'https://openstackid.org',
      app_key                             => hiera('openstackid_app_key'),
      id_log_error_to_email               => 'openstack@tipit.net',
      id_log_error_from_email             => 'noreply@openstack.org',
      email_driver                        => 'sendgrid',
      email_send_grid_api_key             => hiera('openstackid_send_grid_api_key'),
      php_version                         => 7,
      mysql_ssl_enabled                   => true,
      mysql_ssl_ca_file_contents          => hiera('openstackid_mysql_ssl_ca_file_contents'),
      mysql_ssl_client_key_file_contents  => hiera('openstackid_mysql_ssl_client_key_file_contents'),
      mysql_ssl_client_cert_file_contents => hiera('openstackid_mysql_ssl_client_cert_file_contents'),
      lost_password_url                   => 'https://openstackid.org/lost-password',
      registration_url                    => 'https://openstackid.org/registration',
      registration_mobile_url             => 'https://openstackid.org/registration-mobile',
      resend_verification_url             => 'https://openstackid.org/resend-verification',
    }
  }
  # Node-OS: xenial
  node /^openstackid-dev\d*\.openstack\.org$/ {
    $group = 'openstackid-dev'

    # Development OpenStackID. Every secret is read from a hiera key with
    # the 'openstackid_dev_' prefix, so none is shared by name with the
    # production node. No id_db_name is passed here.
    # NOTE(review): ss_db_name and the two MySQL user names fall back to
    # the literal 'username' when the hiera key is missing - confirm the
    # deployed data defines them.
    class { 'openstack_project::openstackid_dev':
      site_admin_password                 => hiera('openstackid_dev_site_admin_password'),
      id_mysql_host                       => hiera('openstackid_dev_id_mysql_host', 'localhost'),
      id_mysql_password                   => hiera('openstackid_dev_id_mysql_password'),
      id_mysql_user                       => hiera('openstackid_dev_id_mysql_user', 'username'),
      ss_mysql_host                       => hiera('openstackid_dev_ss_mysql_host', 'localhost'),
      ss_mysql_password                   => hiera('openstackid_dev_ss_mysql_password'),
      ss_mysql_user                       => hiera('openstackid_dev_ss_mysql_user', 'username'),
      ss_db_name                          => hiera('openstackid_dev_ss_db_name', 'username'),
      redis_password                      => hiera('openstackid_dev_redis_password'),
      ssl_cert_file_contents              => hiera('openstackid_dev_ssl_cert_file_contents'),
      ssl_key_file_contents               => hiera('openstackid_dev_ssl_key_file_contents'),
      ssl_chain_file_contents             => hiera('openstackid_dev_ssl_chain_file_contents'),
      id_recaptcha_public_key             => hiera('openstackid_dev_recaptcha_public_key'),
      id_recaptcha_private_key            => hiera('openstackid_dev_recaptcha_private_key'),
      vhost_name                          => 'openstackid-dev.openstack.org',
      session_cookie_domain               => 'openstackid-dev.openstack.org',
      serveradmin                         => 'webmaster@openstackid-dev.openstack.org',
      canonicalweburl                     => 'https://openstackid-dev.openstack.org/',
      app_url                             => 'https://openstackid-dev.openstack.org',
      app_key                             => hiera('openstackid_dev_app_key'),
      id_log_error_to_email               => 'openstack@tipit.net',
      id_log_error_from_email             => 'noreply@openstack.org',
      email_driver                        => 'sendgrid',
      email_send_grid_api_key             => hiera('openstackid_dev_send_grid_api_key'),
      php_version                         => 7,
      mysql_ssl_enabled                   => true,
      mysql_ssl_ca_file_contents          => hiera('openstackid_dev_mysql_ssl_ca_file_contents'),
      mysql_ssl_client_key_file_contents  => hiera('openstackid_dev_mysql_ssl_client_key_file_contents'),
      mysql_ssl_client_cert_file_contents => hiera('openstackid_dev_mysql_ssl_client_cert_file_contents'),
      lost_password_url                   => 'https://openstackid-dev.openstack.org/lost-password',
      registration_url                    => 'https://openstackid-dev.openstack.org/registration',
      registration_mobile_url             => 'https://openstackid-dev.openstack.org/registration-mobile',
      resend_verification_url             => 'https://openstackid-dev.openstack.org/resend-verification',
    }
  }
  # Node-OS: trusty
  # Used for testing all-in-one deployments
  # Matched by exact name, not by a pattern.
  node 'single-node-ci.test.only' {
    include ::openstackci::single_node_ci
  }
  # Node-OS: xenial
  # kdc03 declares the kdc class with its defaults; kdc04 is the node that
  # passes slave => true.
  node /^kdc03\.open.*\.org$/ {
    class { 'openstack_project::server': }

    class { 'openstack_project::kdc': }
  }
  # Node-OS: xenial
  # Same classes as kdc03, with the kdc class switched to slave mode.
  node /^kdc04\.open.*\.org$/ {
    class { 'openstack_project::server': }

    class { 'openstack_project::kdc':
      slave => true,
    }
  }
  # Node-OS: xenial
  # afsdb01 gets the afsrelease class in addition to what the generic
  # afsdb pattern below declares.
  # NOTE(review): a name matching this pattern also matches the generic
  # /^afsdb.*\.open.*\.org$/ node; confirm which of two matching regex node
  # definitions Puppet selects, since only this one includes afsrelease.
  node /^afsdb01\.open.*\.org$/ {
    $group = 'afsdb'

    class { 'openstack_project::server':
      afs => true,
    }

    include openstack_project::afsdb
    include openstack_project::afsrelease
  }
  # Node-OS: xenial
  # Generic AFS database server: base server class with afs enabled plus
  # the afsdb role. This pattern is broad enough to match afsdb01 as well,
  # which has its own node definition above.
  node /^afsdb.*\.open.*\.org$/ {
    $group = 'afsdb'

    class { 'openstack_project::server':
      afs => true,
    }

    include openstack_project::afsdb
  }
  # Node-OS: xenial
  # AFS file servers. The pattern requires at least one extra dot-separated
  # label between the "afs..." host label and the "open..." domain.
  node /^afs.*\..*\.open.*\.org$/ {
    $group = 'afs'

    class { 'openstack_project::server':
      afs => true,
    }

    include openstack_project::afsfs
  }
  # Node-OS: trusty
  node /^ask\d*\.open.*\.org$/ {
    class { 'openstack_project::server': }

    # The database and redis passwords have no fallback. The three TLS
    # inputs fall back to undef when the hiera key is missing; what the
    # class does without them is not visible here.
    class { 'openstack_project::ask':
      db_user                      => hiera('ask_db_user', 'ask'),
      db_password                  => hiera('ask_db_password'),
      redis_password               => hiera('ask_redis_password'),
      site_ssl_cert_file_contents  => hiera('ask_site_ssl_cert_file_contents', undef),
      site_ssl_key_file_contents   => hiera('ask_site_ssl_key_file_contents', undef),
      site_ssl_chain_file_contents => hiera('ask_site_ssl_chain_file_contents', undef),
    }
  }
  # Node-OS: trusty
  node /^ask-staging\d*\.open.*\.org$/ {
    class { 'openstack_project::server': }

    # Staging reads its own 'ask_staging_' hiera keys, separate by name
    # from the production ask node's keys.
    class { 'openstack_project::ask_staging':
      db_password    => hiera('ask_staging_db_password'),
      redis_password => hiera('ask_staging_redis_password'),
    }
  }
  # Node-OS: xenial
  node /^translate\d+\.open.*\.org$/ {
    $group = 'translate'

    class { 'openstack_project::server': }

    # Zanata on WildFly, authenticating against openstackid.org.
    # Both downloads use HTTPS and name an exact version. zanata_checksum
    # is 40 hex characters (SHA-1 length); how the module checks it is not
    # visible here. No checksum is passed for the WildFly tarball.
    # NOTE(review): confirm the module verifies that download in some
    # other way.
    class { 'openstack_project::translate':
      admin_users                => 'aeng,cboylan,eumel8,ianw,ianychoi,infra,jaegerandi,mordred,stevenk',
      openid_url                 => 'https://openstackid.org',
      listeners                  => ['ajp'],
      from_address               => 'noreply@openstack.org',
      mysql_host                 => hiera('translate_mysql_host', 'localhost'),
      mysql_password             => hiera('translate_mysql_password'),
      zanata_server_user         => hiera('proposal_zanata_user'),
      zanata_server_api_key      => hiera('proposal_zanata_api_key'),
      zanata_wildfly_version     => '10.1.0',
      zanata_wildfly_install_url => 'https://repo1.maven.org/maven2/org/wildfly/wildfly-dist/10.1.0.Final/wildfly-dist-10.1.0.Final.tar.gz',
      zanata_main_version        => 4,
      zanata_url                 => 'https://github.com/zanata/zanata-platform/releases/download/platform-4.3.3/zanata-4.3.3-wildfly.zip',
      zanata_checksum            => 'eaf8bd07401dade758b677007d2358f173193d17',
      project_config_repo        => 'https://opendev.org/openstack/project-config',
      ssl_cert_file_contents     => hiera('translate_ssl_cert_file_contents'),
      ssl_key_file_contents      => hiera('translate_ssl_key_file_contents'),
      ssl_chain_file_contents    => hiera('translate_ssl_chain_file_contents'),
      vhost_name                 => 'translate.openstack.org',
    }
  }
  # Node-OS: xenial
  node /^translate-dev\d*\.open.*\.org$/ {
    $group = 'translate-dev'

    # Development Zanata, authenticating against the dev OpenStackID.
    # The MySQL settings use 'translate_dev_' hiera keys, but the Zanata
    # API user and key are the same 'proposal_zanata_*' lookups the
    # production translate node uses.
    # NOTE(review): confirm hiera resolves them to a dev-only credential
    # on this host.
    # No TLS inputs and no openstack_project::server declaration appear in
    # this node.
    class { 'openstack_project::translate_dev':
      admin_users           => 'aeng,cboylan,eumel,eumel8,ianw,ianychoi,infra,jaegerandi,mordred,stevenk',
      openid_url            => 'https://openstackid-dev.openstack.org',
      listeners             => ['ajp'],
      from_address          => 'noreply@openstack.org',
      mysql_host            => hiera('translate_dev_mysql_host', 'localhost'),
      mysql_password        => hiera('translate_dev_mysql_password'),
      zanata_server_user    => hiera('proposal_zanata_user'),
      zanata_server_api_key => hiera('proposal_zanata_api_key'),
      project_config_repo   => 'https://opendev.org/openstack/project-config',
      vhost_name            => 'translate-dev.openstack.org',
    }
  }
  # Node-OS: xenial
  node /^codesearch\d*\.open.*\.org$/ {
    $group = 'codesearch'

    class { 'openstack_project::server': }

    # The only input is the project-config repository, fetched over HTTPS;
    # no secrets are passed to this class.
    class { 'openstack_project::codesearch':
      project_config_repo => 'https://opendev.org/openstack/project-config',
    }
  }
  1143. # vim:sw=2:ts=2:expandtab:textwidth=79