opendev/system-config
Code Issues Proposed changes

Add replication key for gerrit from hiera

Browse Source 
The ssh key in ~gerrit2/.ssh/id_rsa which is what is used for outbound
ssh-based replication is currently just kinda there by hand. Add management
of the files there.

Change-Id: I5bfea4543d6eb46ba2e9f3c791f4e6b6c5534522
Closes-Bug: 1209464
This commit is contained in:
Monty Taylor 2014-02-04 10:03:33 +01:00
parent 084f24b3fc
commit 51949062fb
4 changed files with 156 additions and 114 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
manifests/site.pp
View File

@ -13,32 +13,34 @@ node default {
#
node 'review.openstack.org' {
class { 'openstack_project::review':
github_oauth_token => hiera('gerrit_github_token'),
github_project_username => hiera('github_project_username'),
github_project_password => hiera('github_project_password'),
mysql_password => hiera('gerrit_mysql_password'),
mysql_root_password => hiera('gerrit_mysql_root_password'),
email_private_key => hiera('gerrit_email_private_key'),
gerritbot_password => hiera('gerrit_gerritbot_password'),
ssl_cert_file_contents => hiera('gerrit_ssl_cert_file_contents'),
ssl_key_file_contents => hiera('gerrit_ssl_key_file_contents'),
ssl_chain_file_contents => hiera('gerrit_ssl_chain_file_contents'),
ssh_dsa_key_contents => hiera('gerrit_ssh_dsa_key_contents'),
ssh_dsa_pubkey_contents => hiera('gerrit_ssh_dsa_pubkey_contents'),
ssh_rsa_key_contents => hiera('gerrit_ssh_rsa_key_contents'),
ssh_rsa_pubkey_contents => hiera('gerrit_ssh_rsa_pubkey_contents'),
ssh_project_rsa_key_contents => hiera('gerrit_project_ssh_rsa_key_contents'),
ssh_project_rsa_pubkey_contents => hiera('gerrit_project_ssh_rsa_pubkey_contents'),
ssh_welcome_rsa_key_contents => hiera('welcome_message_gerrit_ssh_private_key'),
ssh_welcome_rsa_pubkey_contents => hiera('welcome_message_gerrit_ssh_public_key'),
lp_sync_consumer_key => hiera('gerrit_lp_consumer_key'),
lp_sync_token => hiera('gerrit_lp_access_token'),
lp_sync_secret => hiera('gerrit_lp_access_secret'),
contactstore_appsec => hiera('gerrit_contactstore_appsec'),
contactstore_pubkey => hiera('gerrit_contactstore_pubkey'),
sysadmins => hiera('sysadmins'),
swift_username => hiera('swift_store_user'),
swift_password => hiera('swift_store_key'),
github_oauth_token => hiera('gerrit_github_token'),
github_project_username => hiera('github_project_username'),
github_project_password => hiera('github_project_password'),
mysql_password => hiera('gerrit_mysql_password'),
mysql_root_password => hiera('gerrit_mysql_root_password'),
email_private_key => hiera('gerrit_email_private_key'),
gerritbot_password => hiera('gerrit_gerritbot_password'),
ssl_cert_file_contents => hiera('gerrit_ssl_cert_file_contents'),
ssl_key_file_contents => hiera('gerrit_ssl_key_file_contents'),
ssl_chain_file_contents => hiera('gerrit_ssl_chain_file_contents'),
ssh_dsa_key_contents => hiera('gerrit_ssh_dsa_key_contents'),
ssh_dsa_pubkey_contents => hiera('gerrit_ssh_dsa_pubkey_contents'),
ssh_rsa_key_contents => hiera('gerrit_ssh_rsa_key_contents'),
ssh_rsa_pubkey_contents => hiera('gerrit_ssh_rsa_pubkey_contents'),
ssh_project_rsa_key_contents => hiera('gerrit_project_ssh_rsa_key_contents'),
ssh_project_rsa_pubkey_contents => hiera('gerrit_project_ssh_rsa_pubkey_contents'),
ssh_welcome_rsa_key_contents => hiera('welcome_message_gerrit_ssh_private_key'),
ssh_welcome_rsa_pubkey_contents => hiera('welcome_message_gerrit_ssh_public_key'),
ssh_replication_rsa_key_contents => hiera('gerrit_replication_ssh_rsa_key_contents'),
ssh_replication_rsa_pubkey_contents => hiera('gerrit_replication_ssh_rsa_pubkey_contents'),
lp_sync_consumer_key => hiera('gerrit_lp_consumer_key'),
lp_sync_token => hiera('gerrit_lp_access_token'),
lp_sync_secret => hiera('gerrit_lp_access_secret'),
contactstore_appsec => hiera('gerrit_contactstore_appsec'),
contactstore_pubkey => hiera('gerrit_contactstore_pubkey'),
sysadmins => hiera('sysadmins'),
swift_username => hiera('swift_store_user'),
swift_password => hiera('swift_store_key'),
}
}

31
modules/gerrit/manifests/init.pp
View File

@ -95,6 +95,8 @@ class gerrit(
$ssh_rsa_pubkey_contents = '', # If left empty puppet will not create file.
$ssh_project_rsa_key_contents = '', # If left empty will not create file.
$ssh_project_rsa_pubkey_contents = '', # If left empty will not create file.
$ssh_replication_rsa_key_contents = '', # If left emptry will not create files.
$ssh_replication_rsa_pubkey_contents = '', # If left emptry will not create files.
$gerrit_auth_type = 'OPENID_SSO',
$gerrit_contributor_agreement = true,
$openidssourl = 'https://login.launchpad.net/+openid',
@ -188,6 +190,13 @@ class gerrit(
require => User['gerrit2'],
}
file { '/home/gerrit2/.ssh':
ensure => directory,
owner => 'gerrit2',
mode => '0700',
require => User['gerrit2'],
}
file { '/home/gerrit2/review_site/etc':
ensure => directory,
owner => 'gerrit2',
@ -425,6 +434,28 @@ class gerrit(
}
}
if $ssh_replication_rsa_key_contents != '' {
file { '/home/gerrit2/.ssh/id_rsa':
owner => 'gerrit2',
group => 'gerrit2',
mode => '0600',
content => $ssh_replication_rsa_key_contents,
replace => true,
require => File['/home/gerrit2/.ssh']
}
}
if $ssh_replication_rsa_pubkey_contents != '' {
file { '/home/gerrit2/id_rsa.pub':
owner => 'gerrit2',
group => 'gerrit2',
mode => '0644',
content => $ssh_replication_rsa_pubkey_contents,
replace => true,
require => File['/home/gerrit2/.ssh']
}
}
# Install Gerrit itself.
# The Gerrit WAR is specified as a url like

92
modules/openstack_project/manifests/gerrit.pp
View File

@ -24,6 +24,8 @@ class openstack_project::gerrit (
$ssh_project_rsa_pubkey_contents = '', # If left empty will not create file.
$ssh_welcome_rsa_key_contents='', # If left empty will not create file.
$ssh_welcome_rsa_pubkey_contents='', # If left empty will not create file.
$ssh_replication_rsa_key_contents='', # If left empty will not create file.
$ssh_replication_rsa_pubkey_contents='', # If left empty will not create file.
$email = '',
$database_poollimit = '',
$container_heaplimit = '',
@ -97,38 +99,40 @@ class openstack_project::gerrit (
}
class { '::gerrit':
vhost_name => $vhost_name,
canonicalweburl => $canonicalweburl,
vhost_name => $vhost_name,
canonicalweburl => $canonicalweburl,
# opinions
enable_melody => true,
melody_session => true,
robots_txt_source => 'puppet:///modules/openstack_project/gerrit/robots.txt',
enable_melody => true,
melody_session => true,
robots_txt_source => 'puppet:///modules/openstack_project/gerrit/robots.txt',
# passthrough
ssl_cert_file => $ssl_cert_file,
ssl_key_file => $ssl_key_file,
ssl_chain_file => $ssl_chain_file,
ssl_cert_file_contents => $ssl_cert_file_contents,
ssl_key_file_contents => $ssl_key_file_contents,
ssl_chain_file_contents => $ssl_chain_file_contents,
ssh_dsa_key_contents => $ssh_dsa_key_contents,
ssh_dsa_pubkey_contents => $ssh_dsa_pubkey_contents,
ssh_rsa_key_contents => $ssh_rsa_key_contents,
ssh_rsa_pubkey_contents => $ssh_rsa_pubkey_contents,
ssh_project_rsa_key_contents => $ssh_project_rsa_key_contents,
ssh_project_rsa_pubkey_contents => $ssh_project_rsa_pubkey_contents,
email => $email,
openidssourl => 'https://login.launchpad.net/+openid',
database_poollimit => $database_poollimit,
container_heaplimit => $container_heaplimit,
core_packedgitopenfiles => $core_packedgitopenfiles,
core_packedgitlimit => $core_packedgitlimit,
core_packedgitwindowsize => $core_packedgitwindowsize,
sshd_threads => $sshd_threads,
httpd_acceptorthreads => $httpd_acceptorthreads,
httpd_minthreads => $httpd_minthreads,
httpd_maxthreads => $httpd_maxthreads,
httpd_maxwait => $httpd_maxwait,
commentlinks => [
ssl_cert_file => $ssl_cert_file,
ssl_key_file => $ssl_key_file,
ssl_chain_file => $ssl_chain_file,
ssl_cert_file_contents => $ssl_cert_file_contents,
ssl_key_file_contents => $ssl_key_file_contents,
ssl_chain_file_contents => $ssl_chain_file_contents,
ssh_dsa_key_contents => $ssh_dsa_key_contents,
ssh_dsa_pubkey_contents => $ssh_dsa_pubkey_contents,
ssh_rsa_key_contents => $ssh_rsa_key_contents,
ssh_rsa_pubkey_contents => $ssh_rsa_pubkey_contents,
ssh_project_rsa_key_contents => $ssh_project_rsa_key_contents,
ssh_project_rsa_pubkey_contents => $ssh_project_rsa_pubkey_contents,
ssh_replication_rsa_key_contents => $ssh_replication_rsa_key_contents,
ssh_replication_rsa_pubkey_contents => $ssh_replication_rsa_pubkey_contents,
email => $email,
openidssourl => 'https://login.launchpad.net/+openid',
database_poollimit => $database_poollimit,
container_heaplimit => $container_heaplimit,
core_packedgitopenfiles => $core_packedgitopenfiles,
core_packedgitlimit => $core_packedgitlimit,
core_packedgitwindowsize => $core_packedgitwindowsize,
sshd_threads => $sshd_threads,
httpd_acceptorthreads => $httpd_acceptorthreads,
httpd_minthreads => $httpd_minthreads,
httpd_maxthreads => $httpd_maxthreads,
httpd_maxwait => $httpd_maxwait,
commentlinks => [
{
name => 'bugheader',
match => '([Cc]loses|[Pp]artial|[Rr]elated)-[Bb]ug:\\s*#?(\\d+)',
@ -165,20 +169,20 @@ class openstack_project::gerrit (
html => '$1<a href=\"#q,$2,n,z\">$2</a>$3',
},
],
war => $war,
contactstore => $contactstore,
contactstore_appsec => $contactstore_appsec,
contactstore_pubkey => $contactstore_pubkey,
contactstore_url => $contactstore_url,
mysql_password => $mysql_password,
email_private_key => $email_private_key,
replicate_local => $replicate_local,
replication => $replication,
gitweb => $gitweb,
cgit => $cgit,
web_repo_url => $web_repo_url,
testmode => $testmode,
require => Class[openstack_project::server],
war => $war,
contactstore => $contactstore,
contactstore_appsec => $contactstore_appsec,
contactstore_pubkey => $contactstore_pubkey,
contactstore_url => $contactstore_url,
mysql_password => $mysql_password,
email_private_key => $email_private_key,
replicate_local => $replicate_local,
replication => $replication,
gitweb => $gitweb,
cgit => $cgit,
web_repo_url => $web_repo_url,
testmode => $testmode,
require => Class[openstack_project::server],
}
mysql_backup::backup { 'gerrit':

93
modules/openstack_project/manifests/review.pp
View File

@ -55,6 +55,9 @@ class openstack_project::review (
# manage-projects's user ssh key.
$ssh_project_rsa_key_contents='',
$ssh_project_rsa_pubkey_contents='',
# SSH key for outbound ssh-based replication.
$ssh_replication_rsa_key_contents='',
$ssh_replication_rsa_pubkey_contents='',
# welcome-message's user ssh key.
$ssh_welcome_rsa_key_contents='',
$ssh_welcome_rsa_pubkey_contents='',
@ -81,56 +84,58 @@ class openstack_project::review (
}
class { 'openstack_project::gerrit':
ssl_cert_file =>
ssl_cert_file =>
'/etc/ssl/certs/review.openstack.org.pem',
ssl_key_file =>
ssl_key_file =>
'/etc/ssl/private/review.openstack.org.key',
ssl_chain_file => '/etc/ssl/certs/intermediate.pem',
ssl_cert_file_contents => $ssl_cert_file_contents,
ssl_key_file_contents => $ssl_key_file_contents,
ssl_chain_file_contents => $ssl_chain_file_contents,
ssh_dsa_key_contents => $ssh_dsa_key_contents,
ssh_dsa_pubkey_contents => $ssh_dsa_pubkey_contents,
ssh_rsa_key_contents => $ssh_rsa_key_contents,
ssh_rsa_pubkey_contents => $ssh_rsa_pubkey_contents,
ssh_project_rsa_key_contents => $ssh_project_rsa_key_contents,
ssh_project_rsa_pubkey_contents => $ssh_project_rsa_pubkey_contents,
ssh_welcome_rsa_key_contents => $ssh_welcome_rsa_key_contents,
ssh_welcome_rsa_pubkey_contents => $ssh_welcome_rsa_pubkey_contents,
email => 'review@openstack.org',
# 1 + 100 + 9 + 2 + 2 + 25 = 139(rounded up)
database_poollimit => '150',
container_heaplimit => '8g',
core_packedgitopenfiles => '4096',
core_packedgitlimit => '400m',
core_packedgitwindowsize => '16k',
sshd_threads => '100',
httpd_maxwait => '5000min',
war =>
ssl_chain_file => '/etc/ssl/certs/intermediate.pem',
ssl_cert_file_contents => $ssl_cert_file_contents,
ssl_key_file_contents => $ssl_key_file_contents,
ssl_chain_file_contents => $ssl_chain_file_contents,
ssh_dsa_key_contents => $ssh_dsa_key_contents,
ssh_dsa_pubkey_contents => $ssh_dsa_pubkey_contents,
ssh_rsa_key_contents => $ssh_rsa_key_contents,
ssh_rsa_pubkey_contents => $ssh_rsa_pubkey_contents,
ssh_project_rsa_key_contents => $ssh_project_rsa_key_contents,
ssh_project_rsa_pubkey_contents => $ssh_project_rsa_pubkey_contents,
ssh_replication_rsa_key_contents => $ssh_replication_rsa_key_contents,
ssh_replication_rsa_pubkey_contents => $ssh_replication_rsa_pubkey_contents,
ssh_welcome_rsa_key_contents => $ssh_welcome_rsa_key_contents,
ssh_welcome_rsa_pubkey_contents => $ssh_welcome_rsa_pubkey_contents,
email => 'review@openstack.org',
# 1 + 100 + 9 + 2 + 2 + 25 => 139(rounded up)
database_poollimit => '150',
container_heaplimit => '8g',
core_packedgitopenfiles => '4096',
core_packedgitlimit => '400m',
core_packedgitwindowsize => '16k',
sshd_threads => '100',
httpd_maxwait => '5000min',
war =>
'http://tarballs.openstack.org/ci/gerrit-2.4.4-14-gab7f4c1.war',
contactstore => true,
contactstore_appsec => $contactstore_appsec,
contactstore_pubkey => $contactstore_pubkey,
contactstore_url =>
contactstore => true,
contactstore_appsec => $contactstore_appsec,
contactstore_pubkey => $contactstore_pubkey,
contactstore_url =>
'http://www.openstack.org/verify/member/',
script_user => 'launchpadsync',
script_key_file => '/home/gerrit2/.ssh/launchpadsync_rsa',
script_logging_conf => '/home/gerrit2/.sync_logging.conf',
projects_file =>
script_user => 'launchpadsync',
script_key_file => '/home/gerrit2/.ssh/launchpadsync_rsa',
script_logging_conf => '/home/gerrit2/.sync_logging.conf',
projects_file =>
'puppet:///modules/openstack_project/review.projects.yaml',
projects_config =>
projects_config =>
'openstack_project/review.projects.ini.erb',
github_username => 'openstack-gerrit',
github_oauth_token => $github_oauth_token,
github_project_username => $github_project_username,
github_project_password => $github_project_password,
trivial_rebase_role_id => 'trivial-rebase@review.openstack.org',
mysql_password => $mysql_password,
email_private_key => $email_private_key,
sysadmins => $sysadmins,
swift_username => $swift_username,
swift_password => $swift_password,
replication => [
github_username => 'openstack-gerrit',
github_oauth_token => $github_oauth_token,
github_project_username => $github_project_username,
github_project_password => $github_project_password,
trivial_rebase_role_id => 'trivial-rebase@review.openstack.org',
mysql_password => $mysql_password,
email_private_key => $email_private_key,
sysadmins => $sysadmins,
swift_username => $swift_username,
swift_password => $swift_password,
replication => [
{
name => 'github',
url => 'git@github.com:',