From 94a7768dc3e58c833f087832e85c2c93e6241ae4 Mon Sep 17 00:00:00 2001 From: Clark Boylan Date: Thu, 6 Sep 2012 10:32:48 -0700 Subject: [PATCH] Pass sysadmins list into node defs. Pass the sysadmins list into each node definition. This allows us to retrieve the data from hiera rather than hard coding it in the puppet manifests. Also, update test script to use bogus sysadmin data when testing. Change-Id: Ide3560f16bce4d66fb95cc5021fc879476e6a712 Reviewed-on: https://review.openstack.org/12512 Reviewed-by: James E. Blair Approved: Monty Taylor Reviewed-by: Monty Taylor Tested-by: Jenkins --- manifests/site.pp | 47 ++++++++++++++----- .../openstack_project/manifests/community.pp | 7 ++- .../openstack_project/manifests/dashboard.pp | 31 ++++++------ .../openstack_project/manifests/eavesdrop.pp | 9 ++-- .../openstack_project/manifests/etherpad.pp | 9 ++-- modules/openstack_project/manifests/gerrit.pp | 4 +- modules/openstack_project/manifests/init.pp | 7 --- .../openstack_project/manifests/jenkins.pp | 8 +++- .../manifests/jenkins_dev.pp | 9 ++-- modules/openstack_project/manifests/paste.pp | 7 ++- modules/openstack_project/manifests/planet.pp | 7 ++- .../manifests/puppetmaster.pp | 7 ++- modules/openstack_project/manifests/pypi.pp | 8 ++-- modules/openstack_project/manifests/review.pp | 8 ++-- .../openstack_project/manifests/review_dev.pp | 7 ++- modules/openstack_project/manifests/server.pp | 8 ++-- modules/openstack_project/manifests/slave.pp | 10 ++-- modules/openstack_project/manifests/static.pp | 7 ++- modules/openstack_project/manifests/wiki.pp | 8 +++- test.sh | 1 + 20 files changed, 136 insertions(+), 73 deletions(-) mode change 100644 => 100755 test.sh diff --git a/manifests/site.pp b/manifests/site.pp index 3c55443e99..0cd6934035 100644 --- a/manifests/site.pp +++ b/manifests/site.pp 
@@ -3,7 +3,9 @@ # node default { include openstack_project::puppet_cron - include openstack_project::server + class { 'openstack_project::server': + sysadmins => hiera('sysadmins'), + } } # @@ -16,6 +18,7 @@ node "review.openstack.org" { mysql_root_password => hiera('gerrit_mysql_root_password'), email_private_key => hiera('gerrit_email_private_key'), gerritbot_password => hiera('gerrit_gerritbot_password'), + sysadmins => hiera('sysadmins'), } } @@ -24,7 +27,8 @@ node "gerrit-dev.openstack.org", "review-dev.openstack.org" { github_oauth_token => hiera('gerrit_dev_github_token'), mysql_password => hiera('gerrit_dev_mysql_password'), mysql_root_password => hiera('gerrit_dev_mysql_root_password'), - email_private_key => hiera('gerrit_dev_email_private_key') + email_private_key => hiera('gerrit_dev_email_private_key'), + sysadmins => hiera('sysadmins'), } } @@ -38,20 +42,27 @@ node "jenkins.openstack.org" { jenkins_apikey => hiera('zuul_jenkins_apikey'), gerrit_server => 'review.openstack.org', gerrit_user => 'jenkins', - url_pattern => 'http://logs.openstack.org/{change.number}/{change.patchset}/{pipeline.name}/{job.name}/{build.number}' + url_pattern => 'http://logs.openstack.org/{change.number}/{change.patchset}/{pipeline.name}/{job.name}/{build.number}', + sysadmins => hiera('sysadmins'), } } node "jenkins-dev.openstack.org" { - include openstack_project::jenkins_dev + class { 'openstack_project::jenkins_dev': + sysadmins => hiera('sysadmins'), + } } node "community.openstack.org" { - include openstack_project::community + class { 'openstack_project::community': + sysadmins => hiera('sysadmins'), + } } node "ci-puppetmaster.openstack.org" { - include openstack_project::puppetmaster + class { 'openstack_project::puppetmaster': + sysadmins => hiera('sysadmins'), + } } node "lists.openstack.org" { 
@@ -61,21 +72,28 @@ node "lists.openstack.org" { } node "paste.openstack.org" { - include openstack_project::paste + class { 'openstack_project::paste': + sysadmins => hiera('sysadmins'), + } } node "planet.openstack.org" { - include openstack_project::planet + class { 'openstack_project::planet': + sysadmins => hiera('sysadmins'), + } } node "eavesdrop.openstack.org" { class { 'openstack_project::eavesdrop': nickpass => hiera('openstack_meetbot_password'), + sysadmins => hiera('sysadmins'), } } node "pypi.openstack.org" { - include openstack_project::pypi + class { 'openstack_project::pypi': + sysadmins => hiera('sysadmins'), + } } node 'etherpad.openstack.org' { @@ -83,12 +101,14 @@ node 'etherpad.openstack.org' { etherpad_crt => hiera('etherpad_crt'), etherpad_key => hiera('etherpad_key'), database_password => hiera('etherpad_db_password'), + sysadmins => hiera('sysadmins'), } } node 'wiki.openstack.org' { class { 'openstack_project::wiki': mysql_root_password => hiera('wiki_db_password'), + sysadmins => hiera('sysadmins'), } } @@ -96,12 +116,15 @@ node 'puppet-dashboard.openstack.org' { class { 'openstack_project::dashboard': password => hiera('dashboard_password'), mysql_password => hiera('dashboard_mysql_password'), + sysadmins => hiera('sysadmins'), } } # A machine to serve static content. node 'static.openstack.org' { - include openstack_project::static + class { 'openstack_project::static': + sysadmins => hiera('sysadmins'), + } } # A bare machine, but with a jenkins user @@ -123,6 +146,7 @@ node /^precise.*\.slave\.openstack\.org$/ { include openstack_project::puppet_cron class { 'openstack_project::slave': certname => 'precise.slave.openstack.org', + sysadmins => hiera('sysadmins'), } class { 'openstack_project::glancetest': s3_store_access_key => hiera('s3_store_access_key'), 
@@ -147,6 +171,7 @@ node /^oneiric.*\.slave\.openstack\.org$/ { include openstack_project::puppet_cron class { 'openstack_project::slave': certname => 'oneiric.slave.openstack.org', + sysadmins => hiera('sysadmins'), } class { 'openstack_project::glancetest': s3_store_access_key => hiera('s3_store_access_key'), @@ -162,4 +187,4 @@ node /^.*\.jclouds\.openstack\.org$/ { class { 'openstack_project::bare_slave': certname => 'jclouds.openstack.org', } -} +} diff --git a/modules/openstack_project/manifests/community.pp b/modules/openstack_project/manifests/community.pp index 1df63e4a7b..e5c0aac9ef 100644 --- a/modules/openstack_project/manifests/community.pp +++ b/modules/openstack_project/manifests/community.pp @@ -1,6 +1,9 @@ -class openstack_project::community { +class openstack_project::community ( + $sysadmins = [] +) { class { 'openstack_project::server': - iptables_public_tcp_ports => [80, 443, 8099, 8080] + iptables_public_tcp_ports => [80, 443, 8099, 8080], + sysadmins => $sysadmins } realize ( diff --git a/modules/openstack_project/manifests/dashboard.pp b/modules/openstack_project/manifests/dashboard.pp index b69abbb832..0fbabb323a 100644 --- a/modules/openstack_project/manifests/dashboard.pp +++ b/modules/openstack_project/manifests/dashboard.pp 
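Review bot: The `$sysadmins = []` default added to `openstack_project::community`, and repeated in every other wrapper class in this patch and in `openstack_project::server`, lets a declaration that omits the list compile cleanly and hand `exim` an empty `sysadmin` value. Before this change the list always came from `$openstack_project::sysadmins`, so it could not be silently empty. Declaring the parameter as plain `$sysadmins` (no default) in the wrappers and in `server.pp` would turn an omission into a compile error instead of undelivered admin mail. In `site.pp` the `openstack_project::bare_slave` declaration visible at the end of the file is not given the list; whether it needs one depends on code outside this patch. What `exim` does with an empty list is not shown here, so the impact is inferred.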
@@ -1,21 +1,24 @@ -class openstack_project::dashboard( +class openstack_project::dashboard ( $password, - $mysql_password) { + $mysql_password, + $sysadmins = [] +) { - class { 'openstack_project::template': - iptables_public_tcp_ports => [80, 443, 3000] + class { 'openstack_project::server': + iptables_public_tcp_ports => [80, 443, 3000], + sysadmins => $sysadmins } class {'::dashboard': - dashboard_ensure => 'present', - dashboard_user => 'www-data', - dashboard_group => 'www-data', - dashboard_password => $password, - dashboard_db => 'dashboard_prod', - dashboard_charset => 'utf8', - dashboard_site => $fqdn, - dashboard_port => '3000', - mysql_root_pw => $mysql_password, - passenger => true, + dashboard_ensure => 'present', + dashboard_user => 'www-data', + dashboard_group => 'www-data', + dashboard_password => $password, + dashboard_db => 'dashboard_prod', + dashboard_charset => 'utf8', + dashboard_site => $fqdn, + dashboard_port => '3000', + mysql_root_pw => $mysql_password, + passenger => true, } } diff --git a/modules/openstack_project/manifests/eavesdrop.pp b/modules/openstack_project/manifests/eavesdrop.pp index 3143bd8c36..2b9efd8926 100644 --- a/modules/openstack_project/manifests/eavesdrop.pp +++ b/modules/openstack_project/manifests/eavesdrop.pp @@ -1,7 +1,10 @@ -class openstack_project::eavesdrop($nickpass) { +class openstack_project::eavesdrop ( + $nickpass, + $sysadmins = [] +) { class { 'openstack_project::server': - - iptables_public_tcp_ports => [80] + iptables_public_tcp_ports => [80], + sysadmins => $sysadmins } include meetbot diff --git a/modules/openstack_project/manifests/etherpad.pp b/modules/openstack_project/manifests/etherpad.pp index f407b227b4..fbc3981f55 100644 --- a/modules/openstack_project/manifests/etherpad.pp +++ b/modules/openstack_project/manifests/etherpad.pp 
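Review bot: The first declaration in `openstack_project::dashboard` changes from `openstack_project::template` to `openstack_project::server`, which the commit message does not mention. Going by the `server.pp` hunk in this patch, that also declares the `exim` class on the dashboard host, so this is a behaviour change rather than parameter plumbing. If it is intended, a comment above the declaration such as `# ::server rather than ::template so this host also gets exim and the sysadmins list` would record why. The same hunk re-aligns the `::dashboard` arguments, which makes the functional change easy to miss.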
@@ -1,9 +1,12 @@ -class openstack_project::etherpad( +class openstack_project::etherpad ( $etherpad_crt, $etherpad_key, - $database_password) { + $database_password, + $sysadmins = [] +) { class { 'openstack_project::server': - iptables_public_tcp_ports => [22, 80, 443] + iptables_public_tcp_ports => [22, 80, 443], + sysadmins => $sysadmins } include etherpad_lite diff --git a/modules/openstack_project/manifests/gerrit.pp b/modules/openstack_project/manifests/gerrit.pp index a5dd906dc1..d9a7dbd314 100644 --- a/modules/openstack_project/manifests/gerrit.pp +++ b/modules/openstack_project/manifests/gerrit.pp @@ -32,9 +32,11 @@ class openstack_project::gerrit ( $mysql_root_password, $email_private_key, $testmode=false, + $sysadmins=[] ) { class { 'openstack_project::server': - iptables_public_tcp_ports => [80, 443, 29418] + iptables_public_tcp_ports => [80, 443, 29418], + sysadmins => $sysadmins } class { '::gerrit': diff --git a/modules/openstack_project/manifests/init.pp b/modules/openstack_project/manifests/init.pp index d99ebdec63..97268ddf61 100644 --- a/modules/openstack_project/manifests/init.pp +++ b/modules/openstack_project/manifests/init.pp @@ -2,11 +2,4 @@ class openstack_project { $jenkins_ssh_key = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAtioTW2wh3mBRuj+R0Jyb/mLt5sjJ8dEvYyA8zfur1dnqEt5uQNLacW4fHBDFWJoLHfhdfbvray5wWMAcIuGEiAA2WEH23YzgIbyArCSI+z7gB3SET8zgff25ukXlN+1mBSrKWxIza+tB3NU62WbtO6hmelwvSkZ3d7SDfHxrc4zEpmHDuMhxALl8e1idqYzNA+1EhZpbcaf720mX+KD3oszmY2lqD1OkKMquRSD0USXPGlH3HK11MTeCArKRHMgTdIlVeqvYH0v0Wd1w/8mbXgHxfGzMYS1Ej0fzzJ0PC5z5rOqsMqY1X2aC1KlHIFLAeSf4Cx0JNlSpYSrlZ/RoiQ== hudson@hudson\n" - $sysadmins = [ - 'corvus@inaugust.com', - 'mordred@inaugust.com', - 'andrew@linuxjedi.co.uk', - 'devananda.vdv@gmail.com', - 'clark.boylan@gmail.com' - ] } diff --git a/modules/openstack_project/manifests/jenkins.pp b/modules/openstack_project/manifests/jenkins.pp index 690e28f2bb..1313066599 100644 --- a/modules/openstack_project/manifests/jenkins.pp 
+++ b/modules/openstack_project/manifests/jenkins.pp @@ -1,7 +1,11 @@ -class openstack_project::jenkins($jenkins_jobs_password) { +class openstack_project::jenkins ( + $jenkins_jobs_password, + $sysadmins = [] +) { class { 'openstack_project::server': - iptables_public_tcp_ports => [80, 443, 4155] + iptables_public_tcp_ports => [80, 443, 4155], + sysadmins => $sysadmins } class { '::jenkins::master': diff --git a/modules/openstack_project/manifests/jenkins_dev.pp b/modules/openstack_project/manifests/jenkins_dev.pp index 776f4c7781..0a231144c8 100644 --- a/modules/openstack_project/manifests/jenkins_dev.pp +++ b/modules/openstack_project/manifests/jenkins_dev.pp @@ -1,7 +1,10 @@ -class openstack_project::jenkins_dev { +class openstack_project::jenkins_dev ( + $sysadmins = [] +) { class { 'openstack_project::server': - iptables_public_tcp_ports => [80, 443, 4155] - } + iptables_public_tcp_ports => [80, 443, 4155], + sysadmins => $sysadmins + } include bup bup::site { 'rs-ord': backup_user => 'bup-jenkins-dev', diff --git a/modules/openstack_project/manifests/paste.pp b/modules/openstack_project/manifests/paste.pp index 43f7534f30..9f7786cd01 100644 --- a/modules/openstack_project/manifests/paste.pp +++ b/modules/openstack_project/manifests/paste.pp @@ -1,6 +1,9 @@ -class openstack_project::paste { +class openstack_project::paste ( + $sysadmins = [] +) { class { 'openstack_project::server': - iptables_public_tcp_ports => [80] + iptables_public_tcp_ports => [80], + sysadmins => $sysadmins } include lodgeit lodgeit::site { "openstack": diff --git a/modules/openstack_project/manifests/planet.pp b/modules/openstack_project/manifests/planet.pp index 0ab42191fc..5d2c4acabc 100644 --- a/modules/openstack_project/manifests/planet.pp +++ b/modules/openstack_project/manifests/planet.pp 
@@ -1,6 +1,9 @@ -class openstack_project::planet { +class openstack_project::planet ( + $sysadmins = [] +) { class { 'openstack_project::server': - iptables_public_tcp_ports => [80] + iptables_public_tcp_ports => [80], + sysadmins => $sysadmins } include ::planet diff --git a/modules/openstack_project/manifests/puppetmaster.pp b/modules/openstack_project/manifests/puppetmaster.pp index ee48ee15ae..bf87f76edd 100644 --- a/modules/openstack_project/manifests/puppetmaster.pp +++ b/modules/openstack_project/manifests/puppetmaster.pp @@ -1,6 +1,9 @@ -class openstack_project::puppetmaster { +class openstack_project::puppetmaster ( + $sysadmins = [] +) { class { 'openstack_project::server': - iptables_public_tcp_ports => [8140] + iptables_public_tcp_ports => [8140], + sysadmins => $sysadmins } cron { "updatepuppetmaster": user => root, diff --git a/modules/openstack_project/manifests/pypi.pp b/modules/openstack_project/manifests/pypi.pp index bbebaf9835..1e63a50af8 100644 --- a/modules/openstack_project/manifests/pypi.pp +++ b/modules/openstack_project/manifests/pypi.pp @@ -1,7 +1,8 @@ -class openstack_project::pypi { +class openstack_project::pypi ( + $sysadmins = [] +) { include tmpreaper include unattended_upgrades - include openstack_project # include jenkins slave so that build deps are there for the pip download class { 'jenkins::slave': @@ -10,7 +11,8 @@ class openstack_project::pypi { } class { 'openstack_project::server': - iptables_public_tcp_ports => [80] + iptables_public_tcp_ports => [80], + sysadmins => $sysadmins } class { "pypimirror": diff --git a/modules/openstack_project/manifests/review.pp b/modules/openstack_project/manifests/review.pp index d2e41df047..3b13b506d9 100644 --- a/modules/openstack_project/manifests/review.pp +++ b/modules/openstack_project/manifests/review.pp 
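Review bot: `include openstack_project` is removed from `openstack_project::pypi`, but the `jenkins::slave` arguments sit between this file's two hunks and are not visible, so the patch alone does not confirm that nothing in the class still reads a `$openstack_project::` variable. `slave.pp` keeps the include for exactly that reason (`ssh_key => $openstack_project::jenkins_ssh_key`). The elided lines are worth checking here and in `review.pp`, where the same include is dropped; a lookup into a class that is no longer included may resolve to an empty value rather than fail.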
@@ -24,13 +24,14 @@ # 12:08 <@spearce> to a method that accepts milliseconds # 12:09 <@spearce> so. you get 5 milliseconds before aborting # thus, set it to 5000minutes until the bug is fixed. -class openstack_project::review( +class openstack_project::review ( $github_oauth_token, $mysql_password, $mysql_root_password, $email_private_key, - $gerritbot_password) { - include openstack_project + $gerritbot_password, + $sysadmins = [] +) { class { 'openstack_project::gerrit': ssl_cert_file => '/etc/ssl/certs/review.openstack.org.pem', ssl_key_file => '/etc/ssl/private/review.openstack.org.key', @@ -53,6 +54,7 @@ class openstack_project::review( mysql_password => $mysql_password, mysql_root_password => $mysql_root_password, email_private_key => $email_private_key, + sysadmins => $sysadmins } class { 'gerritbot': nick => 'openstackgerrit', diff --git a/modules/openstack_project/manifests/review_dev.pp b/modules/openstack_project/manifests/review_dev.pp index 9a323a292d..aa34df4231 100644 --- a/modules/openstack_project/manifests/review_dev.pp +++ b/modules/openstack_project/manifests/review_dev.pp @@ -1,8 +1,10 @@ -class openstack_project::review_dev( +class openstack_project::review_dev ( $github_oauth_token, $mysql_password, $mysql_root_password, - $email_private_key) { + $email_private_key, + $sysadmins = [] +) { class { 'openstack_project::gerrit': vhost_name => 'review-dev.openstack.org', canonicalweburl => "https://review-dev.openstack.org/", @@ -20,6 +22,7 @@ class openstack_project::review_dev( mysql_password => $mysql_password, mysql_root_password => $mysql_root_password, email_private_key => $email_private_key, + sysadmins => $sysadmins } file { '/var/log/gerrit_user_sync': diff --git a/modules/openstack_project/manifests/server.pp b/modules/openstack_project/manifests/server.pp index 3c5e1e944a..a23ccbc60f 100644 --- a/modules/openstack_project/manifests/server.pp +++ b/modules/openstack_project/manifests/server.pp 
@@ -1,14 +1,14 @@ # A server that we expect to run for some time class openstack_project::server ( $iptables_public_tcp_ports = [], - $certname=$fqdn - ) { - include openstack_project + $sysadmins = [], + $certname = $fqdn +) { class { 'openstack_project::template': iptables_public_tcp_ports => $iptables_public_tcp_ports, certname => $certname, } class { 'exim': - sysadmin => $openstack_project::sysadmins + sysadmin => $sysadmins } } diff --git a/modules/openstack_project/manifests/slave.pp b/modules/openstack_project/manifests/slave.pp index 6d52be842c..71a41def0d 100644 --- a/modules/openstack_project/manifests/slave.pp +++ b/modules/openstack_project/manifests/slave.pp @@ -1,16 +1,16 @@ -class openstack_project::slave( - $certname=$fqdn - ) { +class openstack_project::slave ( + $certname=$fqdn, + $sysadmins=[] +) { include openstack_project include tmpreaper include unattended_upgrades class { 'openstack_project::server': iptables_public_tcp_ports => [], certname => $certname, + sysadmins => $sysadmins } class { 'jenkins::slave': ssh_key => $openstack_project::jenkins_ssh_key } } - - diff --git a/modules/openstack_project/manifests/static.pp b/modules/openstack_project/manifests/static.pp index c78feca129..c4fbb40561 100644 --- a/modules/openstack_project/manifests/static.pp +++ b/modules/openstack_project/manifests/static.pp @@ -1,7 +1,10 @@ -class openstack_project::static() { +class openstack_project::static ( + $sysadmins = [] +) { class { 'openstack_project::server': - iptables_public_tcp_ports => [22, 80, 443] + iptables_public_tcp_ports => [22, 80, 443], + sysadmins => $sysadmins } class { 'jenkins::jenkinsuser': diff --git a/modules/openstack_project/manifests/wiki.pp b/modules/openstack_project/manifests/wiki.pp index 56fad1067d..dcfeea9f10 100644 --- a/modules/openstack_project/manifests/wiki.pp +++ b/modules/openstack_project/manifests/wiki.pp 
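Review bot: The new `$sysadmins` parameter on `openstack_project::server` is undocumented, and this class is the one place where the list is consumed (`sysadmin => $sysadmins` on `exim`). A line in the header comment would help, e.g. `# $sysadmins: array of e-mail addresses passed to exim as sysadmin; supplied per node from hiera('sysadmins')`. That the value is a list of addresses is inferred from the entries removed from `init.pp` in this patch.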
@@ -1,10 +1,14 @@ -class openstack_project::wiki($mysql_root_password) { +class openstack_project::wiki ( + $mysql_root_password, + $sysadmins = [] +) { include openssl include subversion class { 'openstack_project::server': - iptables_public_tcp_ports => [80, 443] + iptables_public_tcp_ports => [80, 443], + sysadmins => $sysadmins } realize ( diff --git a/test.sh b/test.sh old mode 100644 new mode 100755 index 4f4e091099..4b2990dbbf --- a/test.sh +++ b/test.sh @@ -9,6 +9,7 @@ fi csplit -sf applytest/puppetapplytest manifests/site.pp '/^$/' {*} sed -i -e 's/^[^[:space:]]/#&/g' applytest/puppetapplytest* +sed -i -e 's/hiera..sysadmins../["admin"]/' applytest/puppetapplytest* sed -i -e 's/hiera..listadmins../["admin"]/' applytest/puppetapplytest* sed -i -e 's/hiera.*/PASSWORD,/' applytest/puppetapplytest* for f in `find applytest -name 'puppetapplytest*' -print` ; do
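Review bot: The added `sed` in `test.sh` only works because it runs before the catch-all `s/hiera.*/PASSWORD,/`; moved below that line, the sysadmins lookup would become a bare `PASSWORD,` token instead of an array. A comment above the two list substitutions would make the ordering explicit, e.g. `# array-valued hiera keys first; the catch-all below rewrites every remaining hiera() call`. The `..` in the pattern matches any two characters where `('` and `')` are meant, which is loose but harmless for this test rewrite.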