diff --git a/manifests/site.pp b/manifests/site.pp index 3c55443e99..0cd6934035 100644 --- a/manifests/site.pp +++ b/manifests/site.pp @@ -3,7 +3,9 @@ # node default { include openstack_project::puppet_cron - include openstack_project::server + class { 'openstack_project::server': + sysadmins => hiera('sysadmins'), + } } # @@ -16,6 +18,7 @@ node "review.openstack.org" { mysql_root_password => hiera('gerrit_mysql_root_password'), email_private_key => hiera('gerrit_email_private_key'), gerritbot_password => hiera('gerrit_gerritbot_password'), + sysadmins => hiera('sysadmins'), } } @@ -24,7 +27,8 @@ node "gerrit-dev.openstack.org", "review-dev.openstack.org" { github_oauth_token => hiera('gerrit_dev_github_token'), mysql_password => hiera('gerrit_dev_mysql_password'), mysql_root_password => hiera('gerrit_dev_mysql_root_password'), - email_private_key => hiera('gerrit_dev_email_private_key') + email_private_key => hiera('gerrit_dev_email_private_key'), + sysadmins => hiera('sysadmins'), } } @@ -38,20 +42,27 @@ node "jenkins.openstack.org" { jenkins_apikey => hiera('zuul_jenkins_apikey'), gerrit_server => 'review.openstack.org', gerrit_user => 'jenkins', - url_pattern => 'http://logs.openstack.org/{change.number}/{change.patchset}/{pipeline.name}/{job.name}/{build.number}' + url_pattern => 'http://logs.openstack.org/{change.number}/{change.patchset}/{pipeline.name}/{job.name}/{build.number}', + sysadmins => hiera('sysadmins'), } } node "jenkins-dev.openstack.org" { - include openstack_project::jenkins_dev + class { 'openstack_project::jenkins_dev': + sysadmins => hiera('sysadmins'), + } } node "community.openstack.org" { - include openstack_project::community + class { 'openstack_project::community': + sysadmins => hiera('sysadmins'), + } } node "ci-puppetmaster.openstack.org" { - include openstack_project::puppetmaster + class { 'openstack_project::puppetmaster': + sysadmins => hiera('sysadmins'), + } } node "lists.openstack.org" { 
@@ -61,21 +72,28 @@ node "lists.openstack.org" { } node "paste.openstack.org" { - include openstack_project::paste + class { 'openstack_project::paste': + sysadmins => hiera('sysadmins'), + } } node "planet.openstack.org" { - include openstack_project::planet + class { 'openstack_project::planet': + sysadmins => hiera('sysadmins'), + } } node "eavesdrop.openstack.org" { class { 'openstack_project::eavesdrop': nickpass => hiera('openstack_meetbot_password'), + sysadmins => hiera('sysadmins'), } } node "pypi.openstack.org" { - include openstack_project::pypi + class { 'openstack_project::pypi': + sysadmins => hiera('sysadmins'), + } } node 'etherpad.openstack.org' { @@ -83,12 +101,14 @@ node 'etherpad.openstack.org' { etherpad_crt => hiera('etherpad_crt'), etherpad_key => hiera('etherpad_key'), database_password => hiera('etherpad_db_password'), + sysadmins => hiera('sysadmins'), } } node 'wiki.openstack.org' { class { 'openstack_project::wiki': mysql_root_password => hiera('wiki_db_password'), + sysadmins => hiera('sysadmins'), } } @@ -96,12 +116,15 @@ node 'puppet-dashboard.openstack.org' { class { 'openstack_project::dashboard': password => hiera('dashboard_password'), mysql_password => hiera('dashboard_mysql_password'), + sysadmins => hiera('sysadmins'), } } # A machine to serve static content. node 'static.openstack.org' { - include openstack_project::static + class { 'openstack_project::static': + sysadmins => hiera('sysadmins'), + } } # A bare machine, but with a jenkins user @@ -123,6 +146,7 @@ node /^precise.*\.slave\.openstack\.org$/ { include openstack_project::puppet_cron class { 'openstack_project::slave': certname => 'precise.slave.openstack.org', + sysadmins => hiera('sysadmins'), } class { 'openstack_project::glancetest': s3_store_access_key => hiera('s3_store_access_key'), 
@@ -147,6 +171,7 @@ node /^oneiric.*\.slave\.openstack\.org$/ { include openstack_project::puppet_cron class { 'openstack_project::slave': certname => 'oneiric.slave.openstack.org', + sysadmins => hiera('sysadmins'), } class { 'openstack_project::glancetest': s3_store_access_key => hiera('s3_store_access_key'), @@ -162,4 +187,4 @@ node /^.*\.jclouds\.openstack\.org$/ { class { 'openstack_project::bare_slave': certname => 'jclouds.openstack.org', } -} +} diff --git a/modules/openstack_project/manifests/community.pp b/modules/openstack_project/manifests/community.pp index 1df63e4a7b..e5c0aac9ef 100644 --- a/modules/openstack_project/manifests/community.pp +++ b/modules/openstack_project/manifests/community.pp @@ -1,6 +1,9 @@ -class openstack_project::community { +class openstack_project::community ( + $sysadmins = [] +) { class { 'openstack_project::server': - iptables_public_tcp_ports => [80, 443, 8099, 8080] + iptables_public_tcp_ports => [80, 443, 8099, 8080], + sysadmins => $sysadmins } realize ( diff --git a/modules/openstack_project/manifests/dashboard.pp b/modules/openstack_project/manifests/dashboard.pp index b69abbb832..0fbabb323a 100644 --- a/modules/openstack_project/manifests/dashboard.pp +++ b/modules/openstack_project/manifests/dashboard.pp 
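Review bot: In modules/openstack_project/manifests/community.pp the new `$sysadmins = []` default means a caller that omits the parameter silently passes an empty list through `openstack_project::server` to `class { 'exim': sysadmin => $sysadmins }`, whereas before this commit every host got the fixed list from `$openstack_project::sysadmins`. The same default is added in server.pp and in the dashboard, eavesdrop, etherpad, gerrit, jenkins, jenkins_dev, paste, planet, puppetmaster, pypi, review, review_dev, slave, static and wiki classes. What exim does with an empty list is not visible here, but presumably root and cron mail from such a host would reach nobody, which tends to be noticed only after an alert is missed. I would make the parameter required in each class, `$sysadmins,` with no default, so that a forgotten value fails at catalog compile time instead. Nodes this commit leaves alone, such as lists.openstack.org whose body lies outside the hunks, are worth checking for the same gap.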
@@ -1,21 +1,24 @@ -class openstack_project::dashboard( +class openstack_project::dashboard ( $password, - $mysql_password) { + $mysql_password, + $sysadmins = [] +) { - class { 'openstack_project::template': - iptables_public_tcp_ports => [80, 443, 3000] + class { 'openstack_project::server': + iptables_public_tcp_ports => [80, 443, 3000], + sysadmins => $sysadmins } class {'::dashboard': - dashboard_ensure => 'present', - dashboard_user => 'www-data', - dashboard_group => 'www-data', - dashboard_password => $password, - dashboard_db => 'dashboard_prod', - dashboard_charset => 'utf8', - dashboard_site => $fqdn, - dashboard_port => '3000', - mysql_root_pw => $mysql_password, - passenger => true, + dashboard_ensure => 'present', + dashboard_user => 'www-data', + dashboard_group => 'www-data', + dashboard_password => $password, + dashboard_db => 'dashboard_prod', + dashboard_charset => 'utf8', + dashboard_site => $fqdn, + dashboard_port => '3000', + mysql_root_pw => $mysql_password, + passenger => true, } } diff --git a/modules/openstack_project/manifests/eavesdrop.pp b/modules/openstack_project/manifests/eavesdrop.pp index 3143bd8c36..2b9efd8926 100644 --- a/modules/openstack_project/manifests/eavesdrop.pp +++ b/modules/openstack_project/manifests/eavesdrop.pp @@ -1,7 +1,10 @@ -class openstack_project::eavesdrop($nickpass) { +class openstack_project::eavesdrop ( + $nickpass, + $sysadmins = [] +) { class { 'openstack_project::server': - - iptables_public_tcp_ports => [80] + iptables_public_tcp_ports => [80], + sysadmins => $sysadmins } include meetbot diff --git a/modules/openstack_project/manifests/etherpad.pp b/modules/openstack_project/manifests/etherpad.pp index f407b227b4..fbc3981f55 100644 --- a/modules/openstack_project/manifests/etherpad.pp +++ b/modules/openstack_project/manifests/etherpad.pp 
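Review bot: In modules/openstack_project/manifests/dashboard.pp the base class changes from `openstack_project::template` to `openstack_project::server`, a functional change that is easy to miss in a hunk otherwise made of parameter plumbing and realignment of the `::dashboard` arguments. Going by server.pp in this same commit, the host now also gets the `exim` class configured with the sysadmin list. If that is intended, state it in the commit message or in a comment above the declaration, for example `# Use ::server rather than ::template so this host also gets exim and sysadmin mail.`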
@@ -1,9 +1,12 @@ -class openstack_project::etherpad( +class openstack_project::etherpad ( $etherpad_crt, $etherpad_key, - $database_password) { + $database_password, + $sysadmins = [] +) { class { 'openstack_project::server': - iptables_public_tcp_ports => [22, 80, 443] + iptables_public_tcp_ports => [22, 80, 443], + sysadmins => $sysadmins } include etherpad_lite diff --git a/modules/openstack_project/manifests/gerrit.pp b/modules/openstack_project/manifests/gerrit.pp index a5dd906dc1..d9a7dbd314 100644 --- a/modules/openstack_project/manifests/gerrit.pp +++ b/modules/openstack_project/manifests/gerrit.pp @@ -32,9 +32,11 @@ class openstack_project::gerrit ( $mysql_root_password, $email_private_key, $testmode=false, + $sysadmins=[] ) { class { 'openstack_project::server': - iptables_public_tcp_ports => [80, 443, 29418] + iptables_public_tcp_ports => [80, 443, 29418], + sysadmins => $sysadmins } class { '::gerrit': diff --git a/modules/openstack_project/manifests/init.pp b/modules/openstack_project/manifests/init.pp index d99ebdec63..97268ddf61 100644 --- a/modules/openstack_project/manifests/init.pp +++ b/modules/openstack_project/manifests/init.pp @@ -2,11 +2,4 @@ class openstack_project { $jenkins_ssh_key = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAtioTW2wh3mBRuj+R0Jyb/mLt5sjJ8dEvYyA8zfur1dnqEt5uQNLacW4fHBDFWJoLHfhdfbvray5wWMAcIuGEiAA2WEH23YzgIbyArCSI+z7gB3SET8zgff25ukXlN+1mBSrKWxIza+tB3NU62WbtO6hmelwvSkZ3d7SDfHxrc4zEpmHDuMhxALl8e1idqYzNA+1EhZpbcaf720mX+KD3oszmY2lqD1OkKMquRSD0USXPGlH3HK11MTeCArKRHMgTdIlVeqvYH0v0Wd1w/8mbXgHxfGzMYS1Ej0fzzJ0PC5z5rOqsMqY1X2aC1KlHIFLAeSf4Cx0JNlSpYSrlZ/RoiQ== hudson@hudson\n" - $sysadmins = [ - 'corvus@inaugust.com', - 'mordred@inaugust.com', - 'andrew@linuxjedi.co.uk', - 'devananda.vdv@gmail.com', - 'clark.boylan@gmail.com' - ] } diff --git a/modules/openstack_project/manifests/jenkins.pp b/modules/openstack_project/manifests/jenkins.pp index 690e28f2bb..1313066599 100644 --- a/modules/openstack_project/manifests/jenkins.pp 
+++ b/modules/openstack_project/manifests/jenkins.pp @@ -1,7 +1,11 @@ -class openstack_project::jenkins($jenkins_jobs_password) { +class openstack_project::jenkins ( + $jenkins_jobs_password, + $sysadmins = [] +) { class { 'openstack_project::server': - iptables_public_tcp_ports => [80, 443, 4155] + iptables_public_tcp_ports => [80, 443, 4155], + sysadmins => $sysadmins } class { '::jenkins::master': diff --git a/modules/openstack_project/manifests/jenkins_dev.pp b/modules/openstack_project/manifests/jenkins_dev.pp index 776f4c7781..0a231144c8 100644 --- a/modules/openstack_project/manifests/jenkins_dev.pp +++ b/modules/openstack_project/manifests/jenkins_dev.pp @@ -1,7 +1,10 @@ -class openstack_project::jenkins_dev { +class openstack_project::jenkins_dev ( + $sysadmins = [] +) { class { 'openstack_project::server': - iptables_public_tcp_ports => [80, 443, 4155] - } + iptables_public_tcp_ports => [80, 443, 4155], + sysadmins => $sysadmins + } include bup bup::site { 'rs-ord': backup_user => 'bup-jenkins-dev', diff --git a/modules/openstack_project/manifests/paste.pp b/modules/openstack_project/manifests/paste.pp index 43f7534f30..9f7786cd01 100644 --- a/modules/openstack_project/manifests/paste.pp +++ b/modules/openstack_project/manifests/paste.pp @@ -1,6 +1,9 @@ -class openstack_project::paste { +class openstack_project::paste ( + $sysadmins = [] +) { class { 'openstack_project::server': - iptables_public_tcp_ports => [80] + iptables_public_tcp_ports => [80], + sysadmins => $sysadmins } include lodgeit lodgeit::site { "openstack": diff --git a/modules/openstack_project/manifests/planet.pp b/modules/openstack_project/manifests/planet.pp index 0ab42191fc..5d2c4acabc 100644 --- a/modules/openstack_project/manifests/planet.pp +++ b/modules/openstack_project/manifests/planet.pp 
@@ -1,6 +1,9 @@ -class openstack_project::planet { +class openstack_project::planet ( + $sysadmins = [] +) { class { 'openstack_project::server': - iptables_public_tcp_ports => [80] + iptables_public_tcp_ports => [80], + sysadmins => $sysadmins } include ::planet diff --git a/modules/openstack_project/manifests/puppetmaster.pp b/modules/openstack_project/manifests/puppetmaster.pp index ee48ee15ae..bf87f76edd 100644 --- a/modules/openstack_project/manifests/puppetmaster.pp +++ b/modules/openstack_project/manifests/puppetmaster.pp @@ -1,6 +1,9 @@ -class openstack_project::puppetmaster { +class openstack_project::puppetmaster ( + $sysadmins = [] +) { class { 'openstack_project::server': - iptables_public_tcp_ports => [8140] + iptables_public_tcp_ports => [8140], + sysadmins => $sysadmins } cron { "updatepuppetmaster": user => root, diff --git a/modules/openstack_project/manifests/pypi.pp b/modules/openstack_project/manifests/pypi.pp index bbebaf9835..1e63a50af8 100644 --- a/modules/openstack_project/manifests/pypi.pp +++ b/modules/openstack_project/manifests/pypi.pp @@ -1,7 +1,8 @@ -class openstack_project::pypi { +class openstack_project::pypi ( + $sysadmins = [] +) { include tmpreaper include unattended_upgrades - include openstack_project # include jenkins slave so that build deps are there for the pip download class { 'jenkins::slave': @@ -10,7 +11,8 @@ class openstack_project::pypi { } class { 'openstack_project::server': - iptables_public_tcp_ports => [80] + iptables_public_tcp_ports => [80], + sysadmins => $sysadmins } class { "pypimirror": diff --git a/modules/openstack_project/manifests/review.pp b/modules/openstack_project/manifests/review.pp index d2e41df047..3b13b506d9 100644 --- a/modules/openstack_project/manifests/review.pp +++ b/modules/openstack_project/manifests/review.pp 
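Review bot: In modules/openstack_project/manifests/pypi.pp `include openstack_project` is removed, but the `class { 'jenkins::slave':` declaration that begins on the last context line of the first hunk continues outside it, so its parameters cannot be checked here. slave.pp passes `ssh_key => $openstack_project::jenkins_ssh_key` to that class; if pypi.pp does the same, the variable is defined only while something else still includes `openstack_project`, and server.pp drops its own include in this commit as well. An unset key would presumably leave the Jenkins slave account without the expected authorized key, or behave differently depending on the Puppet version. Keep `include openstack_project` in pypi.pp unless the hidden lines do not read from that class; review.pp removes the same include and deserves the same check.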
@@ -24,13 +24,14 @@ # 12:08 <@spearce> to a method that accepts milliseconds # 12:09 <@spearce> so. you get 5 milliseconds before aborting # thus, set it to 5000minutes until the bug is fixed. -class openstack_project::review( +class openstack_project::review ( $github_oauth_token, $mysql_password, $mysql_root_password, $email_private_key, - $gerritbot_password) { - include openstack_project + $gerritbot_password, + $sysadmins = [] +) { class { 'openstack_project::gerrit': ssl_cert_file => '/etc/ssl/certs/review.openstack.org.pem', ssl_key_file => '/etc/ssl/private/review.openstack.org.key', @@ -53,6 +54,7 @@ class openstack_project::review( mysql_password => $mysql_password, mysql_root_password => $mysql_root_password, email_private_key => $email_private_key, + sysadmins => $sysadmins } class { 'gerritbot': nick => 'openstackgerrit', diff --git a/modules/openstack_project/manifests/review_dev.pp b/modules/openstack_project/manifests/review_dev.pp index 9a323a292d..aa34df4231 100644 --- a/modules/openstack_project/manifests/review_dev.pp +++ b/modules/openstack_project/manifests/review_dev.pp @@ -1,8 +1,10 @@ -class openstack_project::review_dev( +class openstack_project::review_dev ( $github_oauth_token, $mysql_password, $mysql_root_password, - $email_private_key) { + $email_private_key, + $sysadmins = [] +) { class { 'openstack_project::gerrit': vhost_name => 'review-dev.openstack.org', canonicalweburl => "https://review-dev.openstack.org/", @@ -20,6 +22,7 @@ class openstack_project::review_dev( mysql_password => $mysql_password, mysql_root_password => $mysql_root_password, email_private_key => $email_private_key, + sysadmins => $sysadmins } file { '/var/log/gerrit_user_sync': diff --git a/modules/openstack_project/manifests/server.pp b/modules/openstack_project/manifests/server.pp index 3c5e1e944a..a23ccbc60f 100644 --- a/modules/openstack_project/manifests/server.pp +++ b/modules/openstack_project/manifests/server.pp 
@@ -1,14 +1,14 @@ # A server that we expect to run for some time class openstack_project::server ( $iptables_public_tcp_ports = [], - $certname=$fqdn - ) { - include openstack_project + $sysadmins = [], + $certname = $fqdn +) { class { 'openstack_project::template': iptables_public_tcp_ports => $iptables_public_tcp_ports, certname => $certname, } class { 'exim': - sysadmin => $openstack_project::sysadmins + sysadmin => $sysadmins } } diff --git a/modules/openstack_project/manifests/slave.pp b/modules/openstack_project/manifests/slave.pp index 6d52be842c..71a41def0d 100644 --- a/modules/openstack_project/manifests/slave.pp +++ b/modules/openstack_project/manifests/slave.pp @@ -1,16 +1,16 @@ -class openstack_project::slave( - $certname=$fqdn - ) { +class openstack_project::slave ( + $certname=$fqdn, + $sysadmins=[] +) { include openstack_project include tmpreaper include unattended_upgrades class { 'openstack_project::server': iptables_public_tcp_ports => [], certname => $certname, + sysadmins => $sysadmins } class { 'jenkins::slave': ssh_key => $openstack_project::jenkins_ssh_key } } - - diff --git a/modules/openstack_project/manifests/static.pp b/modules/openstack_project/manifests/static.pp index c78feca129..c4fbb40561 100644 --- a/modules/openstack_project/manifests/static.pp +++ b/modules/openstack_project/manifests/static.pp @@ -1,7 +1,10 @@ -class openstack_project::static() { +class openstack_project::static ( + $sysadmins = [] +) { class { 'openstack_project::server': - iptables_public_tcp_ports => [22, 80, 443] + iptables_public_tcp_ports => [22, 80, 443], + sysadmins => $sysadmins } class { 'jenkins::jenkinsuser': diff --git a/modules/openstack_project/manifests/wiki.pp b/modules/openstack_project/manifests/wiki.pp index 56fad1067d..dcfeea9f10 100644 --- a/modules/openstack_project/manifests/wiki.pp +++ b/modules/openstack_project/manifests/wiki.pp 
@@ -1,10 +1,14 @@ -class openstack_project::wiki($mysql_root_password) { +class openstack_project::wiki ( + $mysql_root_password, + $sysadmins = [] +) { include openssl include subversion class { 'openstack_project::server': - iptables_public_tcp_ports => [80, 443] + iptables_public_tcp_ports => [80, 443], + sysadmins => $sysadmins } realize ( diff --git a/test.sh b/test.sh old mode 100644 new mode 100755 index 4f4e091099..4b2990dbbf --- a/test.sh +++ b/test.sh @@ -9,6 +9,7 @@ fi csplit -sf applytest/puppetapplytest manifests/site.pp '/^$/' {*} sed -i -e 's/^[^[:space:]]/#&/g' applytest/puppetapplytest* +sed -i -e 's/hiera..sysadmins../["admin"]/' applytest/puppetapplytest* sed -i -e 's/hiera..listadmins../["admin"]/' applytest/puppetapplytest* sed -i -e 's/hiera.*/PASSWORD,/' applytest/puppetapplytest* for f in `find applytest -name 'puppetapplytest*' -print` ; do