From 53b0e624e0d1d0374588ce43acf3addbde74bd23 Mon Sep 17 00:00:00 2001
From: Colleen Murphy
Date: Sun, 2 Apr 2017 19:03:08 +0200
Subject: [PATCH] Clean up puppetmaster cruft

Now that we are running puppet in masterless mode, we don't need to tell nodes where the puppetmaster is, or what their certname is, nor do we need to keep running the puppetmaster in Apache. This patch cleans those things up.

Change-Id: I663af0d9948f2ce3a47cc22ada47c3bbbbf316fa
---
 doc/source/running-your-own.rst | 6 +-
 manifests/site.pp | 2 -
 .../manifests/puppetmaster.pp | 18 +----
 modules/openstack_project/manifests/server.pp | 2 -
 modules/openstack_project/manifests/slave.pp | 2 -
 .../puppetmaster/puppetmaster_vhost.conf.erb | 60 ------
 6 files changed, 4 insertions(+), 86 deletions(-)
 delete mode 100644 modules/openstack_project/templates/puppetmaster/puppetmaster_vhost.conf.erb

diff --git a/doc/source/running-your-own.rst b/doc/source/running-your-own.rst
index 2962b4c6c5..d6385cbff7 100644
--- a/doc/source/running-your-own.rst
+++ b/doc/source/running-your-own.rst
@@ -376,9 +376,7 @@ to bring up initially, so that's our next step.
 The platform specific slaves are named $platform-serial.slave.$PROJECT in site.pp. For instance, Python2.6 is not widely available now, so it runs on
-centos6-xx.slave.$platform nodes. There can be multiple slaves, and each
-gets their own puppet cert. The openstack/site.pp has a legacy setting for
-``certname`` that you should remove.
+centos6-xx.slave.$platform nodes.
 #. Migrate modules/openstack_project/manifests/slave.pp
 We reuse tmpcleanup as-is.
@@ -386,8 +384,6 @@ gets their own puppet cert. The openstack/site.pp has a legacy setting for
 #. Convert a slave definition in site.pp. Lets say ``/^centos6-?\d+\.slave\.openstack\.org$/``
-#. Remove the certname override - upstream are dropping this gradually.
-
 #. Launch a node, passing in --image and --flavor to get a node that you want :). e.g::
diff --git a/manifests/site.pp b/manifests/site.pp
index 3334d2ee81..ab3da120a7 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -1186,7 +1186,6 @@ node /^zlstatic\d+\.openstack\.org$/ {
 iptables_rules6 => $iptables_rule,
 iptables_rules4 => $iptables_rule,
 sysadmins => hiera('sysadmins', []),
- puppetmaster_server => 'puppetmaster.openstack.org',
 afs => true,
 }
 class { 'openstack_project::zuul_launcher':
@@ -1215,7 +1214,6 @@ node /^zl\d+\.openstack\.org$/ {
 iptables_rules6 => $iptables_rule,
 iptables_rules4 => $iptables_rule,
 sysadmins => hiera('sysadmins', []),
- puppetmaster_server => 'puppetmaster.openstack.org',
 afs => true,
 }
 class { 'openstack_project::zuul_launcher':
diff --git a/modules/openstack_project/manifests/puppetmaster.pp b/modules/openstack_project/manifests/puppetmaster.pp
index 7b928978ee..b096bda8a1 100644
--- a/modules/openstack_project/manifests/puppetmaster.pp
+++ b/modules/openstack_project/manifests/puppetmaster.pp
@@ -194,27 +194,15 @@ class openstack_project::puppetmaster (
 # For puppet master apache serving.
 package { 'puppetmaster-passenger':
- ensure => present,
+ ensure => absent,
 }
 file { '/etc/apache2/sites-available/puppetmaster.conf':
- ensure => present,
- owner => 'root',
- group => 'root',
- mode => '0600',
- content => template('openstack_project/puppetmaster/puppetmaster_vhost.conf.erb'),
- require => Package['puppetmaster-passenger'],
+ ensure => absent,
 }
-# To set LANG to utf8, otherwise we get charset errors on manifests
-# with non-ascii chars
 file { '/etc/apache2/envvars':
- ensure => present,
- owner => 'root',
- group => 'root',
- mode => '0444',
- source => 'puppet:///modules/openstack_project/puppetmaster/envvars.debian',
- require => Package['puppetmaster-passenger'],
+ ensure => absent,
 }
 # For launch/launch-node.py.
diff --git a/modules/openstack_project/manifests/server.pp b/modules/openstack_project/manifests/server.pp
index cc6509037d..ea4d0312cb 100644
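Review bot: `ensure => absent` on `/etc/apache2/envvars` deletes a file the apache2 package owns and that apache2ctl sources on Debian/Ubuntu for APACHE_RUN_USER and friends, so if Apache stays installed on this host it will fail to start at its next restart; letting the packaged default come back (or simply dropping the resource so Puppet stops managing the file) is the safer cleanup. Removing `puppetmaster.conf` from sites-available also leaves any symlink a2ensite created in sites-enabled in place, and neither file resource notifies the Apache service, so the TLS listener on 8140 with its client-certificate handling keeps running until something else restarts Apache; a `notify => Service['apache2']` on both resources, or an explicit a2dissite step, closes that window if the class declares that service. The class body starts and continues outside the hunk, so whether the service resource exists here cannot be confirmed from this view.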
--- a/modules/openstack_project/manifests/server.pp
+++ b/modules/openstack_project/manifests/server.pp
@@ -7,13 +7,11 @@ class openstack_project::server (
 $iptables_rules4 = [],
 $iptables_rules6 = [],
 $sysadmins = [],
- $certname = $::fqdn,
 $pin_puppet = '3.',
 $ca_server = undef,
 $enable_unbound = true,
 $afs = false,
 $afs_cache_size = 500000,
- $puppetmaster_server = 'puppetmaster.openstack.org',
 $manage_exim = true,
 $pypi_index_url = 'https://pypi.python.org/simple',
 $purge_apt_sources = true,
diff --git a/modules/openstack_project/manifests/slave.pp b/modules/openstack_project/manifests/slave.pp
index 474a848149..19bc3bc927 100644
--- a/modules/openstack_project/manifests/slave.pp
+++ b/modules/openstack_project/manifests/slave.pp
@@ -2,7 +2,6 @@
 #
 class openstack_project::slave (
 $thin = false,
- $certname = $::fqdn,
 $ssh_key = '',
 $sysadmins = [],
 $jenkins_gitfullname = 'OpenStack Jenkins',
@@ -20,7 +19,6 @@ class openstack_project::slave (
 class { 'openstack_project::server':
 iptables_public_tcp_ports => [19885],
 iptables_public_udp_ports => [],
- certname => $certname,
 sysadmins => $sysadmins,
 afs => $afs
 }
diff --git a/modules/openstack_project/templates/puppetmaster/puppetmaster_vhost.conf.erb b/modules/openstack_project/templates/puppetmaster/puppetmaster_vhost.conf.erb
deleted file mode 100644
index dab50901da..0000000000
--- a/modules/openstack_project/templates/puppetmaster/puppetmaster_vhost.conf.erb
+++ /dev/null
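Review bot: Dropping `$certname` and `$puppetmaster_server` from the `openstack_project::server` signature turns any remaining `certname =>` or `puppetmaster_server =>` argument into a catalog compilation error, and this patch only cleans the two zl/zlstatic node blocks in site.pp and the slave.pp pass-through; other callers of the class are not visible here and should be checked before merging. `$ca_server = undef` stays in the parameter list even though it is a master-mode setting of the same kind as the two removed ones; if it only fed puppet.conf alongside `$puppetmaster_server`, it is probably dead now and belongs in the same cleanup. The parameter list starts and continues outside the hunk, so whether `$ca_server` is still consumed cannot be confirmed from this view.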
@@ -1,60 +0,0 @@
-# This Apache 2 virtual host config shows how to use Puppet as a Rack
-application via Passenger. See
-# http://docs.puppetlabs.com/guides/passenger.html for more information.
-
-# You can also use the included config.ru file to run Puppet with other Rack
-# servers instead of Passenger.
-
-# This file is basically the one shipped by puppet with changes annotated
-# below.
-
-# you probably want to tune these settings
-PassengerHighPerformance on
-PassengerMaxPoolSize 12
-PassengerPoolIdleTime 1500
-# This line is commented out by puppet and uncommented here to avoid a
-# memory leak.
-PassengerMaxRequests 1000
-PassengerStatThrottleRate 120
-
-Listen 8140
-
-
- SSLEngine on
- # This replaces puppet's default SSLProtocol spec to prevent POODLE
- SSLProtocol ALL -SSLv2 -SSLv3
- SSLCipherSuite ALL:!aNULL:!eNULL:!DES:!3DES:!IDEA:!SEED:!DSS:!PSK:!RC4:!MD5:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP
- SSLHonorCipherOrder on
-
- SSLCertificateFile /var/lib/puppet/ssl/certs/<%= @fqdn %>.pem
- SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/<%= @fqdn %>.pem
- SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
- SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem
- # If Apache complains about invalid signatures on the CRL, you can try disabling
- # CRL checking by commenting the next line, but this is not recommended.
- SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
- # Apache 2.4 introduces the SSLCARevocationCheck directive and sets it to none
- # which effectively disables CRL checking; if you are using Apache 2.4+ you must
- # specify 'SSLCARevocationCheck chain' to actually use the CRL.
- SSLCARevocationCheck chain
- SSLVerifyClient optional
- SSLVerifyDepth 1
- # The `ExportCertData` option is needed for agent certificate expiration warnings
- SSLOptions +StdEnvVars +ExportCertData
-
- # This header needs to be set if using a loadbalancer or proxy
- RequestHeader unset X-Forwarded-For
-
- RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
- RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
- RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
-
- DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
- RackBaseURI /
-
- Options None
- AllowOverride None
- Order allow,deny
- allow from all
-
-