Add replication key for gerrit from hiera

The ssh key in ~gerrit2/.ssh/id_rsa, which is what is used for outbound
ssh-based replication, is currently just placed there by hand. Add management
of the files there.

Change-Id: I5bfea4543d6eb46ba2e9f3c791f4e6b6c5534522
Closes-Bug: 1209464
Monty Taylor 2014-02-04 10:03:33 +01:00
parent 084f24b3fc
commit 51949062fb
4 changed files with 156 additions and 114 deletions


@ -13,32 +13,34 @@ node default {
# #
node 'review.openstack.org' { node 'review.openstack.org' {
class { 'openstack_project::review': class { 'openstack_project::review':
github_oauth_token => hiera('gerrit_github_token'), github_oauth_token => hiera('gerrit_github_token'),
github_project_username => hiera('github_project_username'), github_project_username => hiera('github_project_username'),
github_project_password => hiera('github_project_password'), github_project_password => hiera('github_project_password'),
mysql_password => hiera('gerrit_mysql_password'), mysql_password => hiera('gerrit_mysql_password'),
mysql_root_password => hiera('gerrit_mysql_root_password'), mysql_root_password => hiera('gerrit_mysql_root_password'),
email_private_key => hiera('gerrit_email_private_key'), email_private_key => hiera('gerrit_email_private_key'),
gerritbot_password => hiera('gerrit_gerritbot_password'), gerritbot_password => hiera('gerrit_gerritbot_password'),
ssl_cert_file_contents => hiera('gerrit_ssl_cert_file_contents'), ssl_cert_file_contents => hiera('gerrit_ssl_cert_file_contents'),
ssl_key_file_contents => hiera('gerrit_ssl_key_file_contents'), ssl_key_file_contents => hiera('gerrit_ssl_key_file_contents'),
ssl_chain_file_contents => hiera('gerrit_ssl_chain_file_contents'), ssl_chain_file_contents => hiera('gerrit_ssl_chain_file_contents'),
ssh_dsa_key_contents => hiera('gerrit_ssh_dsa_key_contents'), ssh_dsa_key_contents => hiera('gerrit_ssh_dsa_key_contents'),
ssh_dsa_pubkey_contents => hiera('gerrit_ssh_dsa_pubkey_contents'), ssh_dsa_pubkey_contents => hiera('gerrit_ssh_dsa_pubkey_contents'),
ssh_rsa_key_contents => hiera('gerrit_ssh_rsa_key_contents'), ssh_rsa_key_contents => hiera('gerrit_ssh_rsa_key_contents'),
ssh_rsa_pubkey_contents => hiera('gerrit_ssh_rsa_pubkey_contents'), ssh_rsa_pubkey_contents => hiera('gerrit_ssh_rsa_pubkey_contents'),
ssh_project_rsa_key_contents => hiera('gerrit_project_ssh_rsa_key_contents'), ssh_project_rsa_key_contents => hiera('gerrit_project_ssh_rsa_key_contents'),
ssh_project_rsa_pubkey_contents => hiera('gerrit_project_ssh_rsa_pubkey_contents'), ssh_project_rsa_pubkey_contents => hiera('gerrit_project_ssh_rsa_pubkey_contents'),
ssh_welcome_rsa_key_contents => hiera('welcome_message_gerrit_ssh_private_key'), ssh_welcome_rsa_key_contents => hiera('welcome_message_gerrit_ssh_private_key'),
ssh_welcome_rsa_pubkey_contents => hiera('welcome_message_gerrit_ssh_public_key'), ssh_welcome_rsa_pubkey_contents => hiera('welcome_message_gerrit_ssh_public_key'),
lp_sync_consumer_key => hiera('gerrit_lp_consumer_key'), ssh_replication_rsa_key_contents => hiera('gerrit_replication_ssh_rsa_key_contents'),
lp_sync_token => hiera('gerrit_lp_access_token'), ssh_replication_rsa_pubkey_contents => hiera('gerrit_replication_ssh_rsa_pubkey_contents'),
lp_sync_secret => hiera('gerrit_lp_access_secret'), lp_sync_consumer_key => hiera('gerrit_lp_consumer_key'),
contactstore_appsec => hiera('gerrit_contactstore_appsec'), lp_sync_token => hiera('gerrit_lp_access_token'),
contactstore_pubkey => hiera('gerrit_contactstore_pubkey'), lp_sync_secret => hiera('gerrit_lp_access_secret'),
sysadmins => hiera('sysadmins'), contactstore_appsec => hiera('gerrit_contactstore_appsec'),
swift_username => hiera('swift_store_user'), contactstore_pubkey => hiera('gerrit_contactstore_pubkey'),
swift_password => hiera('swift_store_key'), sysadmins => hiera('sysadmins'),
swift_username => hiera('swift_store_user'),
swift_password => hiera('swift_store_key'),
} }
} }


@ -95,6 +95,8 @@ class gerrit(
$ssh_rsa_pubkey_contents = '', # If left empty puppet will not create file. $ssh_rsa_pubkey_contents = '', # If left empty puppet will not create file.
$ssh_project_rsa_key_contents = '', # If left empty will not create file. $ssh_project_rsa_key_contents = '', # If left empty will not create file.
$ssh_project_rsa_pubkey_contents = '', # If left empty will not create file. $ssh_project_rsa_pubkey_contents = '', # If left empty will not create file.
$ssh_replication_rsa_key_contents = '', # If left emptry will not create files.
$ssh_replication_rsa_pubkey_contents = '', # If left emptry will not create files.
$gerrit_auth_type = 'OPENID_SSO', $gerrit_auth_type = 'OPENID_SSO',
$gerrit_contributor_agreement = true, $gerrit_contributor_agreement = true,
$openidssourl = 'https://login.launchpad.net/+openid', $openidssourl = 'https://login.launchpad.net/+openid',
@ -188,6 +190,13 @@ class gerrit(
require => User['gerrit2'], require => User['gerrit2'],
} }
file { '/home/gerrit2/.ssh':
ensure => directory,
owner => 'gerrit2',
mode => '0700',
require => User['gerrit2'],
}
file { '/home/gerrit2/review_site/etc': file { '/home/gerrit2/review_site/etc':
ensure => directory, ensure => directory,
owner => 'gerrit2', owner => 'gerrit2',
@ -425,6 +434,28 @@ class gerrit(
} }
} }
if $ssh_replication_rsa_key_contents != '' {
file { '/home/gerrit2/.ssh/id_rsa':
owner => 'gerrit2',
group => 'gerrit2',
mode => '0600',
content => $ssh_replication_rsa_key_contents,
replace => true,
require => File['/home/gerrit2/.ssh']
}
}
if $ssh_replication_rsa_pubkey_contents != '' {
file { '/home/gerrit2/id_rsa.pub':
owner => 'gerrit2',
group => 'gerrit2',
mode => '0644',
content => $ssh_replication_rsa_pubkey_contents,
replace => true,
require => File['/home/gerrit2/.ssh']
}
}
# Install Gerrit itself. # Install Gerrit itself.
# The Gerrit WAR is specified as a url like # The Gerrit WAR is specified as a url like
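Review bot: The public-key resource in the third hunk is written to `/home/gerrit2/id_rsa.pub`, which drops the `.ssh/` component that the private key resource and its own `require => File['/home/gerrit2/.ssh']` use, so the public half lands in the home directory rather than next to `id_rsa`; the title should read `file { '/home/gerrit2/.ssh/id_rsa.pub':`. The new `/home/gerrit2/.ssh` directory resource in the second hunk sets owner and mode 0700 but no group, unlike both key files which set `group => 'gerrit2'`, so it is worth adding `group => 'gerrit2',` there for consistency. Because the private key is managed through `content =>`, any later change to it may show up in agent reports or diffs unless diff display is disabled for that resource; if the Puppet version in use supports it, `show_diff => false` on the `id_rsa` resource avoids echoing key material. The two new parameter comments in the first hunk misspell "empty" as "emptry" and could name the file they control, e.g. `# If left empty will not create /home/gerrit2/.ssh/id_rsa.`. Since the key is installed under the default name `id_rsa`, it becomes the identity any outbound ssh from gerrit2 uses, not only replication; a one-line comment on the resource stating that this is the replication key the commit message describes would help the next maintainer.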


@ -24,6 +24,8 @@ class openstack_project::gerrit (
$ssh_project_rsa_pubkey_contents = '', # If left empty will not create file. $ssh_project_rsa_pubkey_contents = '', # If left empty will not create file.
$ssh_welcome_rsa_key_contents='', # If left empty will not create file. $ssh_welcome_rsa_key_contents='', # If left empty will not create file.
$ssh_welcome_rsa_pubkey_contents='', # If left empty will not create file. $ssh_welcome_rsa_pubkey_contents='', # If left empty will not create file.
$ssh_replication_rsa_key_contents='', # If left empty will not create file.
$ssh_replication_rsa_pubkey_contents='', # If left empty will not create file.
$email = '', $email = '',
$database_poollimit = '', $database_poollimit = '',
$container_heaplimit = '', $container_heaplimit = '',
@ -97,38 +99,40 @@ class openstack_project::gerrit (
} }
class { '::gerrit': class { '::gerrit':
vhost_name => $vhost_name, vhost_name => $vhost_name,
canonicalweburl => $canonicalweburl, canonicalweburl => $canonicalweburl,
# opinions # opinions
enable_melody => true, enable_melody => true,
melody_session => true, melody_session => true,
robots_txt_source => 'puppet:///modules/openstack_project/gerrit/robots.txt', robots_txt_source => 'puppet:///modules/openstack_project/gerrit/robots.txt',
# passthrough # passthrough
ssl_cert_file => $ssl_cert_file, ssl_cert_file => $ssl_cert_file,
ssl_key_file => $ssl_key_file, ssl_key_file => $ssl_key_file,
ssl_chain_file => $ssl_chain_file, ssl_chain_file => $ssl_chain_file,
ssl_cert_file_contents => $ssl_cert_file_contents, ssl_cert_file_contents => $ssl_cert_file_contents,
ssl_key_file_contents => $ssl_key_file_contents, ssl_key_file_contents => $ssl_key_file_contents,
ssl_chain_file_contents => $ssl_chain_file_contents, ssl_chain_file_contents => $ssl_chain_file_contents,
ssh_dsa_key_contents => $ssh_dsa_key_contents, ssh_dsa_key_contents => $ssh_dsa_key_contents,
ssh_dsa_pubkey_contents => $ssh_dsa_pubkey_contents, ssh_dsa_pubkey_contents => $ssh_dsa_pubkey_contents,
ssh_rsa_key_contents => $ssh_rsa_key_contents, ssh_rsa_key_contents => $ssh_rsa_key_contents,
ssh_rsa_pubkey_contents => $ssh_rsa_pubkey_contents, ssh_rsa_pubkey_contents => $ssh_rsa_pubkey_contents,
ssh_project_rsa_key_contents => $ssh_project_rsa_key_contents, ssh_project_rsa_key_contents => $ssh_project_rsa_key_contents,
ssh_project_rsa_pubkey_contents => $ssh_project_rsa_pubkey_contents, ssh_project_rsa_pubkey_contents => $ssh_project_rsa_pubkey_contents,
email => $email, ssh_replication_rsa_key_contents => $ssh_replication_rsa_key_contents,
openidssourl => 'https://login.launchpad.net/+openid', ssh_replication_rsa_pubkey_contents => $ssh_replication_rsa_pubkey_contents,
database_poollimit => $database_poollimit, email => $email,
container_heaplimit => $container_heaplimit, openidssourl => 'https://login.launchpad.net/+openid',
core_packedgitopenfiles => $core_packedgitopenfiles, database_poollimit => $database_poollimit,
core_packedgitlimit => $core_packedgitlimit, container_heaplimit => $container_heaplimit,
core_packedgitwindowsize => $core_packedgitwindowsize, core_packedgitopenfiles => $core_packedgitopenfiles,
sshd_threads => $sshd_threads, core_packedgitlimit => $core_packedgitlimit,
httpd_acceptorthreads => $httpd_acceptorthreads, core_packedgitwindowsize => $core_packedgitwindowsize,
httpd_minthreads => $httpd_minthreads, sshd_threads => $sshd_threads,
httpd_maxthreads => $httpd_maxthreads, httpd_acceptorthreads => $httpd_acceptorthreads,
httpd_maxwait => $httpd_maxwait, httpd_minthreads => $httpd_minthreads,
commentlinks => [ httpd_maxthreads => $httpd_maxthreads,
httpd_maxwait => $httpd_maxwait,
commentlinks => [
{ {
name => 'bugheader', name => 'bugheader',
match => '([Cc]loses|[Pp]artial|[Rr]elated)-[Bb]ug:\\s*#?(\\d+)', match => '([Cc]loses|[Pp]artial|[Rr]elated)-[Bb]ug:\\s*#?(\\d+)',
@ -165,20 +169,20 @@ class openstack_project::gerrit (
html => '$1<a href=\"#q,$2,n,z\">$2</a>$3', html => '$1<a href=\"#q,$2,n,z\">$2</a>$3',
}, },
], ],
war => $war, war => $war,
contactstore => $contactstore, contactstore => $contactstore,
contactstore_appsec => $contactstore_appsec, contactstore_appsec => $contactstore_appsec,
contactstore_pubkey => $contactstore_pubkey, contactstore_pubkey => $contactstore_pubkey,
contactstore_url => $contactstore_url, contactstore_url => $contactstore_url,
mysql_password => $mysql_password, mysql_password => $mysql_password,
email_private_key => $email_private_key, email_private_key => $email_private_key,
replicate_local => $replicate_local, replicate_local => $replicate_local,
replication => $replication, replication => $replication,
gitweb => $gitweb, gitweb => $gitweb,
cgit => $cgit, cgit => $cgit,
web_repo_url => $web_repo_url, web_repo_url => $web_repo_url,
testmode => $testmode, testmode => $testmode,
require => Class[openstack_project::server], require => Class[openstack_project::server],
} }
mysql_backup::backup { 'gerrit': mysql_backup::backup { 'gerrit':


@ -55,6 +55,9 @@ class openstack_project::review (
# manage-projects's user ssh key. # manage-projects's user ssh key.
$ssh_project_rsa_key_contents='', $ssh_project_rsa_key_contents='',
$ssh_project_rsa_pubkey_contents='', $ssh_project_rsa_pubkey_contents='',
# SSH key for outbound ssh-based replication.
$ssh_replication_rsa_key_contents='',
$ssh_replication_rsa_pubkey_contents='',
# welcome-message's user ssh key. # welcome-message's user ssh key.
$ssh_welcome_rsa_key_contents='', $ssh_welcome_rsa_key_contents='',
$ssh_welcome_rsa_pubkey_contents='', $ssh_welcome_rsa_pubkey_contents='',
@ -81,56 +84,58 @@ class openstack_project::review (
} }
class { 'openstack_project::gerrit': class { 'openstack_project::gerrit':
ssl_cert_file => ssl_cert_file =>
'/etc/ssl/certs/review.openstack.org.pem', '/etc/ssl/certs/review.openstack.org.pem',
ssl_key_file => ssl_key_file =>
'/etc/ssl/private/review.openstack.org.key', '/etc/ssl/private/review.openstack.org.key',
ssl_chain_file => '/etc/ssl/certs/intermediate.pem', ssl_chain_file => '/etc/ssl/certs/intermediate.pem',
ssl_cert_file_contents => $ssl_cert_file_contents, ssl_cert_file_contents => $ssl_cert_file_contents,
ssl_key_file_contents => $ssl_key_file_contents, ssl_key_file_contents => $ssl_key_file_contents,
ssl_chain_file_contents => $ssl_chain_file_contents, ssl_chain_file_contents => $ssl_chain_file_contents,
ssh_dsa_key_contents => $ssh_dsa_key_contents, ssh_dsa_key_contents => $ssh_dsa_key_contents,
ssh_dsa_pubkey_contents => $ssh_dsa_pubkey_contents, ssh_dsa_pubkey_contents => $ssh_dsa_pubkey_contents,
ssh_rsa_key_contents => $ssh_rsa_key_contents, ssh_rsa_key_contents => $ssh_rsa_key_contents,
ssh_rsa_pubkey_contents => $ssh_rsa_pubkey_contents, ssh_rsa_pubkey_contents => $ssh_rsa_pubkey_contents,
ssh_project_rsa_key_contents => $ssh_project_rsa_key_contents, ssh_project_rsa_key_contents => $ssh_project_rsa_key_contents,
ssh_project_rsa_pubkey_contents => $ssh_project_rsa_pubkey_contents, ssh_project_rsa_pubkey_contents => $ssh_project_rsa_pubkey_contents,
ssh_welcome_rsa_key_contents => $ssh_welcome_rsa_key_contents, ssh_replication_rsa_key_contents => $ssh_replication_rsa_key_contents,
ssh_welcome_rsa_pubkey_contents => $ssh_welcome_rsa_pubkey_contents, ssh_replication_rsa_pubkey_contents => $ssh_replication_rsa_pubkey_contents,
email => 'review@openstack.org', ssh_welcome_rsa_key_contents => $ssh_welcome_rsa_key_contents,
# 1 + 100 + 9 + 2 + 2 + 25 = 139(rounded up) ssh_welcome_rsa_pubkey_contents => $ssh_welcome_rsa_pubkey_contents,
database_poollimit => '150', email => 'review@openstack.org',
container_heaplimit => '8g', # 1 + 100 + 9 + 2 + 2 + 25 => 139(rounded up)
core_packedgitopenfiles => '4096', database_poollimit => '150',
core_packedgitlimit => '400m', container_heaplimit => '8g',
core_packedgitwindowsize => '16k', core_packedgitopenfiles => '4096',
sshd_threads => '100', core_packedgitlimit => '400m',
httpd_maxwait => '5000min', core_packedgitwindowsize => '16k',
war => sshd_threads => '100',
httpd_maxwait => '5000min',
war =>
'http://tarballs.openstack.org/ci/gerrit-2.4.4-14-gab7f4c1.war', 'http://tarballs.openstack.org/ci/gerrit-2.4.4-14-gab7f4c1.war',
contactstore => true, contactstore => true,
contactstore_appsec => $contactstore_appsec, contactstore_appsec => $contactstore_appsec,
contactstore_pubkey => $contactstore_pubkey, contactstore_pubkey => $contactstore_pubkey,
contactstore_url => contactstore_url =>
'http://www.openstack.org/verify/member/', 'http://www.openstack.org/verify/member/',
script_user => 'launchpadsync', script_user => 'launchpadsync',
script_key_file => '/home/gerrit2/.ssh/launchpadsync_rsa', script_key_file => '/home/gerrit2/.ssh/launchpadsync_rsa',
script_logging_conf => '/home/gerrit2/.sync_logging.conf', script_logging_conf => '/home/gerrit2/.sync_logging.conf',
projects_file => projects_file =>
'puppet:///modules/openstack_project/review.projects.yaml', 'puppet:///modules/openstack_project/review.projects.yaml',
projects_config => projects_config =>
'openstack_project/review.projects.ini.erb', 'openstack_project/review.projects.ini.erb',
github_username => 'openstack-gerrit', github_username => 'openstack-gerrit',
github_oauth_token => $github_oauth_token, github_oauth_token => $github_oauth_token,
github_project_username => $github_project_username, github_project_username => $github_project_username,
github_project_password => $github_project_password, github_project_password => $github_project_password,
trivial_rebase_role_id => 'trivial-rebase@review.openstack.org', trivial_rebase_role_id => 'trivial-rebase@review.openstack.org',
mysql_password => $mysql_password, mysql_password => $mysql_password,
email_private_key => $email_private_key, email_private_key => $email_private_key,
sysadmins => $sysadmins, sysadmins => $sysadmins,
swift_username => $swift_username, swift_username => $swift_username,
swift_password => $swift_password, swift_password => $swift_password,
replication => [ replication => [
{ {
name => 'github', name => 'github',
url => 'git@github.com:', url => 'git@github.com:',