From 51949062fb5774dd0879349ad8e771d2f2d85d33 Mon Sep 17 00:00:00 2001 From: Monty Taylor Date: Tue, 4 Feb 2014 10:03:33 +0100 Subject: [PATCH] Add replication key for gerrit from hiera The ssh key in ~gerrit2/.ssh/id_rsa which is what is used for outbound ssh-based replication is currently just kinda there by hand. Add management of the files there. Change-Id: I5bfea4543d6eb46ba2e9f3c791f4e6b6c5534522 Closes-Bug: 1209464 --- manifests/site.pp | 54 +++++------ modules/gerrit/manifests/init.pp | 31 +++++++ modules/openstack_project/manifests/gerrit.pp | 92 +++++++++--------- modules/openstack_project/manifests/review.pp | 93 ++++++++++--------- 4 files changed, 156 insertions(+), 114 deletions(-) diff --git a/manifests/site.pp b/manifests/site.pp index b1e712c38c..309a93be48 100644 --- a/manifests/site.pp +++ b/manifests/site.pp 
@@ -13,32 +13,34 @@ node default { # node 'review.openstack.org' { class { 'openstack_project::review': - github_oauth_token => hiera('gerrit_github_token'), - github_project_username => hiera('github_project_username'), - github_project_password => hiera('github_project_password'), - mysql_password => hiera('gerrit_mysql_password'), - mysql_root_password => hiera('gerrit_mysql_root_password'), - email_private_key => hiera('gerrit_email_private_key'), - gerritbot_password => hiera('gerrit_gerritbot_password'), - ssl_cert_file_contents => hiera('gerrit_ssl_cert_file_contents'), - ssl_key_file_contents => hiera('gerrit_ssl_key_file_contents'), - ssl_chain_file_contents => hiera('gerrit_ssl_chain_file_contents'), - ssh_dsa_key_contents => hiera('gerrit_ssh_dsa_key_contents'), - ssh_dsa_pubkey_contents => hiera('gerrit_ssh_dsa_pubkey_contents'), - ssh_rsa_key_contents => hiera('gerrit_ssh_rsa_key_contents'), - ssh_rsa_pubkey_contents => hiera('gerrit_ssh_rsa_pubkey_contents'), - ssh_project_rsa_key_contents => hiera('gerrit_project_ssh_rsa_key_contents'), - ssh_project_rsa_pubkey_contents => hiera('gerrit_project_ssh_rsa_pubkey_contents'), - ssh_welcome_rsa_key_contents => hiera('welcome_message_gerrit_ssh_private_key'), - ssh_welcome_rsa_pubkey_contents => hiera('welcome_message_gerrit_ssh_public_key'), - lp_sync_consumer_key => hiera('gerrit_lp_consumer_key'), - lp_sync_token => hiera('gerrit_lp_access_token'), - lp_sync_secret => hiera('gerrit_lp_access_secret'), - contactstore_appsec => hiera('gerrit_contactstore_appsec'), - contactstore_pubkey => hiera('gerrit_contactstore_pubkey'), - sysadmins => hiera('sysadmins'), - swift_username => hiera('swift_store_user'), - swift_password => hiera('swift_store_key'), + github_oauth_token => hiera('gerrit_github_token'), + github_project_username => hiera('github_project_username'), + github_project_password => hiera('github_project_password'), + mysql_password => hiera('gerrit_mysql_password'), + mysql_root_password => 
hiera('gerrit_mysql_root_password'), + email_private_key => hiera('gerrit_email_private_key'), + gerritbot_password => hiera('gerrit_gerritbot_password'), + ssl_cert_file_contents => hiera('gerrit_ssl_cert_file_contents'), + ssl_key_file_contents => hiera('gerrit_ssl_key_file_contents'), + ssl_chain_file_contents => hiera('gerrit_ssl_chain_file_contents'), + ssh_dsa_key_contents => hiera('gerrit_ssh_dsa_key_contents'), + ssh_dsa_pubkey_contents => hiera('gerrit_ssh_dsa_pubkey_contents'), + ssh_rsa_key_contents => hiera('gerrit_ssh_rsa_key_contents'), + ssh_rsa_pubkey_contents => hiera('gerrit_ssh_rsa_pubkey_contents'), + ssh_project_rsa_key_contents => hiera('gerrit_project_ssh_rsa_key_contents'), + ssh_project_rsa_pubkey_contents => hiera('gerrit_project_ssh_rsa_pubkey_contents'), + ssh_welcome_rsa_key_contents => hiera('welcome_message_gerrit_ssh_private_key'), + ssh_welcome_rsa_pubkey_contents => hiera('welcome_message_gerrit_ssh_public_key'), + ssh_replication_rsa_key_contents => hiera('gerrit_replication_ssh_rsa_key_contents'), + ssh_replication_rsa_pubkey_contents => hiera('gerrit_replication_ssh_rsa_pubkey_contents'), + lp_sync_consumer_key => hiera('gerrit_lp_consumer_key'), + lp_sync_token => hiera('gerrit_lp_access_token'), + lp_sync_secret => hiera('gerrit_lp_access_secret'), + contactstore_appsec => hiera('gerrit_contactstore_appsec'), + contactstore_pubkey => hiera('gerrit_contactstore_pubkey'), + sysadmins => hiera('sysadmins'), + swift_username => hiera('swift_store_user'), + swift_password => hiera('swift_store_key'), } } diff --git a/modules/gerrit/manifests/init.pp b/modules/gerrit/manifests/init.pp index c56117148d..b636024038 100644 --- a/modules/gerrit/manifests/init.pp +++ b/modules/gerrit/manifests/init.pp 
@@ -95,6 +95,8 @@ class gerrit( $ssh_rsa_pubkey_contents = '', # If left empty puppet will not create file. $ssh_project_rsa_key_contents = '', # If left empty will not create file. $ssh_project_rsa_pubkey_contents = '', # If left empty will not create file. + $ssh_replication_rsa_key_contents = '', # If left emptry will not create files. + $ssh_replication_rsa_pubkey_contents = '', # If left emptry will not create files. $gerrit_auth_type = 'OPENID_SSO', $gerrit_contributor_agreement = true, $openidssourl = 'https://login.launchpad.net/+openid', @@ -188,6 +190,13 @@ class gerrit( require => User['gerrit2'], } + file { '/home/gerrit2/.ssh': + ensure => directory, + owner => 'gerrit2', + mode => '0700', + require => User['gerrit2'], + } + file { '/home/gerrit2/review_site/etc': ensure => directory, owner => 'gerrit2', @@ -425,6 +434,28 @@ class gerrit( } } + if $ssh_replication_rsa_key_contents != '' { + file { '/home/gerrit2/.ssh/id_rsa': + owner => 'gerrit2', + group => 'gerrit2', + mode => '0600', + content => $ssh_replication_rsa_key_contents, + replace => true, + require => File['/home/gerrit2/.ssh'] + } + } + + if $ssh_replication_rsa_pubkey_contents != '' { + file { '/home/gerrit2/id_rsa.pub': + owner => 'gerrit2', + group => 'gerrit2', + mode => '0644', + content => $ssh_replication_rsa_pubkey_contents, + replace => true, + require => File['/home/gerrit2/.ssh'] + } + } + # Install Gerrit itself. # The Gerrit WAR is specified as a url like diff --git a/modules/openstack_project/manifests/gerrit.pp b/modules/openstack_project/manifests/gerrit.pp index ed19c087a6..17130541e5 100644 --- a/modules/openstack_project/manifests/gerrit.pp +++ b/modules/openstack_project/manifests/gerrit.pp 
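Review bot: The two added parameter comments in the `class gerrit(` header misspell "empty" as "emptry" and say "files" where every neighbouring parameter comment says "file"; both lines should read `# If left empty will not create file.` so the header stays uniform. The class parameter list continues outside the hunk.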
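Review bot: The new `File['/home/gerrit2/.ssh']` resource sets `owner` and `mode` but no `group`, while the key files that `require` it in the later hunk of this file set `group => 'gerrit2'`; adding `group => 'gerrit2',` to the directory keeps ownership consistent instead of leaving the group to whatever Puppet defaults to at creation. Other manifests in this change already place files under this directory (review.pp passes `/home/gerrit2/.ssh/launchpadsync_rsa`), so if any of them declares the same directory resource, this addition will fail catalog compilation as a duplicate declaration; that is worth confirming on a compile before merge. The enclosing `class gerrit(` body starts and ends outside the hunk.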
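Review bot: The public-key resource path is `'/home/gerrit2/id_rsa.pub'`, which drops the `.ssh/` component that the private-key path and the `require => File['/home/gerrit2/.ssh']` both use, so the pubkey lands in the home directory rather than next to `id_rsa`; it should read `file { '/home/gerrit2/.ssh/id_rsa.pub':`. The private key is delivered through `content`, so it travels in the catalog; the `0600` mode covers it on disk, and if the Puppet release in use supports `show_diff => false` on file resources, setting it on the `id_rsa` resource would keep the key material out of report and noop diffs. The enclosing `class gerrit(` body starts and ends outside the hunk.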
@@ -24,6 +24,8 @@ class openstack_project::gerrit ( $ssh_project_rsa_pubkey_contents = '', # If left empty will not create file. $ssh_welcome_rsa_key_contents='', # If left empty will not create file. $ssh_welcome_rsa_pubkey_contents='', # If left empty will not create file. + $ssh_replication_rsa_key_contents='', # If left empty will not create file. + $ssh_replication_rsa_pubkey_contents='', # If left empty will not create file. $email = '', $database_poollimit = '', $container_heaplimit = '', 
@@ -97,38 +99,40 @@ class openstack_project::gerrit ( } class { '::gerrit': - vhost_name => $vhost_name, - canonicalweburl => $canonicalweburl, + vhost_name => $vhost_name, + canonicalweburl => $canonicalweburl, # opinions - enable_melody => true, - melody_session => true, - robots_txt_source => 'puppet:///modules/openstack_project/gerrit/robots.txt', + enable_melody => true, + melody_session => true, + robots_txt_source => 'puppet:///modules/openstack_project/gerrit/robots.txt', # passthrough - ssl_cert_file => $ssl_cert_file, - ssl_key_file => $ssl_key_file, - ssl_chain_file => $ssl_chain_file, - ssl_cert_file_contents => $ssl_cert_file_contents, - ssl_key_file_contents => $ssl_key_file_contents, - ssl_chain_file_contents => $ssl_chain_file_contents, - ssh_dsa_key_contents => $ssh_dsa_key_contents, - ssh_dsa_pubkey_contents => $ssh_dsa_pubkey_contents, - ssh_rsa_key_contents => $ssh_rsa_key_contents, - ssh_rsa_pubkey_contents => $ssh_rsa_pubkey_contents, - ssh_project_rsa_key_contents => $ssh_project_rsa_key_contents, - ssh_project_rsa_pubkey_contents => $ssh_project_rsa_pubkey_contents, - email => $email, - openidssourl => 'https://login.launchpad.net/+openid', - database_poollimit => $database_poollimit, - container_heaplimit => $container_heaplimit, - core_packedgitopenfiles => $core_packedgitopenfiles, - core_packedgitlimit => $core_packedgitlimit, - core_packedgitwindowsize => $core_packedgitwindowsize, - sshd_threads => $sshd_threads, - httpd_acceptorthreads => $httpd_acceptorthreads, - httpd_minthreads => $httpd_minthreads, - httpd_maxthreads => $httpd_maxthreads, - httpd_maxwait => $httpd_maxwait, - commentlinks => [ + ssl_cert_file => $ssl_cert_file, + ssl_key_file => $ssl_key_file, + ssl_chain_file => $ssl_chain_file, + ssl_cert_file_contents => $ssl_cert_file_contents, + ssl_key_file_contents => $ssl_key_file_contents, + ssl_chain_file_contents => $ssl_chain_file_contents, + ssh_dsa_key_contents => $ssh_dsa_key_contents, + ssh_dsa_pubkey_contents => 
$ssh_dsa_pubkey_contents, + ssh_rsa_key_contents => $ssh_rsa_key_contents, + ssh_rsa_pubkey_contents => $ssh_rsa_pubkey_contents, + ssh_project_rsa_key_contents => $ssh_project_rsa_key_contents, + ssh_project_rsa_pubkey_contents => $ssh_project_rsa_pubkey_contents, + ssh_replication_rsa_key_contents => $ssh_replication_rsa_key_contents, + ssh_replication_rsa_pubkey_contents => $ssh_replication_rsa_pubkey_contents, + email => $email, + openidssourl => 'https://login.launchpad.net/+openid', + database_poollimit => $database_poollimit, + container_heaplimit => $container_heaplimit, + core_packedgitopenfiles => $core_packedgitopenfiles, + core_packedgitlimit => $core_packedgitlimit, + core_packedgitwindowsize => $core_packedgitwindowsize, + sshd_threads => $sshd_threads, + httpd_acceptorthreads => $httpd_acceptorthreads, + httpd_minthreads => $httpd_minthreads, + httpd_maxthreads => $httpd_maxthreads, + httpd_maxwait => $httpd_maxwait, + commentlinks => [ { name => 'bugheader', match => '([Cc]loses|[Pp]artial|[Rr]elated)-[Bb]ug:\\s*#?(\\d+)', 
@@ -165,20 +169,20 @@ class openstack_project::gerrit ( html => '$1$2$3', }, ], - war => $war, - contactstore => $contactstore, - contactstore_appsec => $contactstore_appsec, - contactstore_pubkey => $contactstore_pubkey, - contactstore_url => $contactstore_url, - mysql_password => $mysql_password, - email_private_key => $email_private_key, - replicate_local => $replicate_local, - replication => $replication, - gitweb => $gitweb, - cgit => $cgit, - web_repo_url => $web_repo_url, - testmode => $testmode, - require => Class[openstack_project::server], + war => $war, + contactstore => $contactstore, + contactstore_appsec => $contactstore_appsec, + contactstore_pubkey => $contactstore_pubkey, + contactstore_url => $contactstore_url, + mysql_password => $mysql_password, + email_private_key => $email_private_key, + replicate_local => $replicate_local, + replication => $replication, + gitweb => $gitweb, + cgit => $cgit, + web_repo_url => $web_repo_url, + testmode => $testmode, + require => Class[openstack_project::server], } mysql_backup::backup { 'gerrit': diff --git a/modules/openstack_project/manifests/review.pp b/modules/openstack_project/manifests/review.pp index b41ea18ff2..3856e98264 100644 --- a/modules/openstack_project/manifests/review.pp +++ b/modules/openstack_project/manifests/review.pp @@ -55,6 +55,9 @@ class openstack_project::review ( # manage-projects's user ssh key. $ssh_project_rsa_key_contents='', $ssh_project_rsa_pubkey_contents='', + # SSH key for outbound ssh-based replication. + $ssh_replication_rsa_key_contents='', + $ssh_replication_rsa_pubkey_contents='', # welcome-message's user ssh key. $ssh_welcome_rsa_key_contents='', $ssh_welcome_rsa_pubkey_contents='', 
@@ -81,56 +84,58 @@ class openstack_project::review ( } class { 'openstack_project::gerrit': - ssl_cert_file => + ssl_cert_file => '/etc/ssl/certs/review.openstack.org.pem', - ssl_key_file => + ssl_key_file => '/etc/ssl/private/review.openstack.org.key', - ssl_chain_file => '/etc/ssl/certs/intermediate.pem', - ssl_cert_file_contents => $ssl_cert_file_contents, - ssl_key_file_contents => $ssl_key_file_contents, - ssl_chain_file_contents => $ssl_chain_file_contents, - ssh_dsa_key_contents => $ssh_dsa_key_contents, - ssh_dsa_pubkey_contents => $ssh_dsa_pubkey_contents, - ssh_rsa_key_contents => $ssh_rsa_key_contents, - ssh_rsa_pubkey_contents => $ssh_rsa_pubkey_contents, - ssh_project_rsa_key_contents => $ssh_project_rsa_key_contents, - ssh_project_rsa_pubkey_contents => $ssh_project_rsa_pubkey_contents, - ssh_welcome_rsa_key_contents => $ssh_welcome_rsa_key_contents, - ssh_welcome_rsa_pubkey_contents => $ssh_welcome_rsa_pubkey_contents, - email => 'review@openstack.org', - # 1 + 100 + 9 + 2 + 2 + 25 = 139(rounded up) - database_poollimit => '150', - container_heaplimit => '8g', - core_packedgitopenfiles => '4096', - core_packedgitlimit => '400m', - core_packedgitwindowsize => '16k', - sshd_threads => '100', - httpd_maxwait => '5000min', - war => + ssl_chain_file => '/etc/ssl/certs/intermediate.pem', + ssl_cert_file_contents => $ssl_cert_file_contents, + ssl_key_file_contents => $ssl_key_file_contents, + ssl_chain_file_contents => $ssl_chain_file_contents, + ssh_dsa_key_contents => $ssh_dsa_key_contents, + ssh_dsa_pubkey_contents => $ssh_dsa_pubkey_contents, + ssh_rsa_key_contents => $ssh_rsa_key_contents, + ssh_rsa_pubkey_contents => $ssh_rsa_pubkey_contents, + ssh_project_rsa_key_contents => $ssh_project_rsa_key_contents, + ssh_project_rsa_pubkey_contents => $ssh_project_rsa_pubkey_contents, + ssh_replication_rsa_key_contents => $ssh_replication_rsa_key_contents, + ssh_replication_rsa_pubkey_contents => $ssh_replication_rsa_pubkey_contents, + 
ssh_welcome_rsa_key_contents => $ssh_welcome_rsa_key_contents, + ssh_welcome_rsa_pubkey_contents => $ssh_welcome_rsa_pubkey_contents, + email => 'review@openstack.org', + # 1 + 100 + 9 + 2 + 2 + 25 => 139(rounded up) + database_poollimit => '150', + container_heaplimit => '8g', + core_packedgitopenfiles => '4096', + core_packedgitlimit => '400m', + core_packedgitwindowsize => '16k', + sshd_threads => '100', + httpd_maxwait => '5000min', + war => 'http://tarballs.openstack.org/ci/gerrit-2.4.4-14-gab7f4c1.war', - contactstore => true, - contactstore_appsec => $contactstore_appsec, - contactstore_pubkey => $contactstore_pubkey, - contactstore_url => + contactstore => true, + contactstore_appsec => $contactstore_appsec, + contactstore_pubkey => $contactstore_pubkey, + contactstore_url => 'http://www.openstack.org/verify/member/', - script_user => 'launchpadsync', - script_key_file => '/home/gerrit2/.ssh/launchpadsync_rsa', - script_logging_conf => '/home/gerrit2/.sync_logging.conf', - projects_file => + script_user => 'launchpadsync', + script_key_file => '/home/gerrit2/.ssh/launchpadsync_rsa', + script_logging_conf => '/home/gerrit2/.sync_logging.conf', + projects_file => 'puppet:///modules/openstack_project/review.projects.yaml', - projects_config => + projects_config => 'openstack_project/review.projects.ini.erb', - github_username => 'openstack-gerrit', - github_oauth_token => $github_oauth_token, - github_project_username => $github_project_username, - github_project_password => $github_project_password, - trivial_rebase_role_id => 'trivial-rebase@review.openstack.org', - mysql_password => $mysql_password, - email_private_key => $email_private_key, - sysadmins => $sysadmins, - swift_username => $swift_username, - swift_password => $swift_password, - replication => [ + github_username => 'openstack-gerrit', + github_oauth_token => $github_oauth_token, + github_project_username => $github_project_username, + github_project_password => $github_project_password, + 
trivial_rebase_role_id => 'trivial-rebase@review.openstack.org', + mysql_password => $mysql_password, + email_private_key => $email_private_key, + sysadmins => $sysadmins, + swift_username => $swift_username, + swift_password => $swift_password, + replication => [ { name => 'github', url => 'git@github.com:',