Use puppetmaster for slaves.

Use puppet agent --test for puppet cron.

We don't need the private ssh or gpg key on the slaves anymore.
We do need the glance testing stuff, so stick that into hiera.

Change-Id: If94fc3f150bf569efe9461f80d3565f9825eebce
Reviewed-on: https://review.openstack.org/10851
Approved: Monty Taylor <mordred@inaugust.com>
Reviewed-by: Monty Taylor <mordred@inaugust.com>
Tested-by: Jenkins

manifests/site.pp

@@ -120,7 +120,17 @@ node /^ci-backup-.*\.openstack\.org$/ {
 # Rollout cgroups to precise slaves.
 node /^precise.*\.slave\.openstack\.org$/ {
   include openstack_project::puppet_cron
-  include openstack_project::slave
+  class { 'openstack_project::slave':
+    certname => 'precise.slave.openstack.org',
+  }
+  class { 'openstack_project::glancetest':
+    s3_store_access_key => hiera('s3_store_access_key'),
+    s3_store_secret_key => hiera('s3_store_secret_key'),
+    s3_store_secret_key => hiera('s3_store_bucket'),
+    swift_store_user => hiera('swift_store_user'),
+    swift_store_key => hiera('swift_store_key'),
+    swift_store_container => hiera('swift_store_container'),
+  }
 
   include ulimit
   ulimit::conf { 'limit_jenkins_procs':
@@ -132,11 +142,23 @@ node /^precise.*\.slave\.openstack\.org$/ {
   include jenkins::cgroups
 }
 
-node /^.*\.slave\.openstack\.org$/ {
+node /^oneiric.*\.slave\.openstack\.org$/ {
   include openstack_project::puppet_cron
-  include openstack_project::slave
+  class { 'openstack_project::slave':
+    certname => 'oneiric.slave.openstack.org',
+  }
+  class { 'openstack_project::glancetest':
+    s3_store_access_key => hiera('s3_store_access_key'),
+    s3_store_secret_key => hiera('s3_store_secret_key'),
+    s3_store_secret_key => hiera('s3_store_bucket'),
+    swift_store_user => hiera('swift_store_user'),
+    swift_store_key => hiera('swift_store_key'),
+    swift_store_container => hiera('swift_store_container'),
+  }
 }
 
 node /^.*\.jclouds\.openstack\.org$/ {
-  include openstack_project::bare_slave
+  class { 'openstack_project::bare_slave':
+    certname => 'jclouds.openstack.org',
+  }
 } 

modules/jenkins/manifests/jenkinsuser.pp

@@ -125,18 +125,6 @@ class jenkins::jenkinsuser($ensure = present, $sudo = false, $ssh_key) {
               ],
   }
 
-  file { 'jenkinssshkey':
-    name => '/home/jenkins/.ssh/id_rsa',
-    owner => 'jenkins',
-    group => 'jenkins',
-    mode => 600,
-    ensure => 'present',
-    require => File['jenkinssshdir'],
-    source => [
-                "puppet:///modules/jenkins/slave_private_key",
-              ],
-  }
-
   file { 'jenkinsgpgdir':
     name => '/home/jenkins/.gnupg',
     owner => 'jenkins',
@@ -158,18 +146,6 @@ class jenkins::jenkinsuser($ensure = present, $sudo = false, $ssh_key) {
               ],
   }
 
-  file { 'jenkinssecring':
-    name => '/home/jenkins/.gnupg/secring.gpg',
-    owner => 'jenkins',
-    group => 'jenkins',
-    mode => 600,
-    ensure => 'present',
-    require => File['jenkinsgpgdir'],
-    source => [
-                "puppet:///modules/jenkins/slave_gpg_key",
-              ],
-  }
-
   file { 'jenkinsconfigdir':
     name => '/home/jenkins/.config',
     owner => 'jenkins',
@@ -179,39 +155,6 @@ class jenkins::jenkinsuser($ensure = present, $sudo = false, $ssh_key) {
     require => File['jenkinshome'],
   }
 
-  file { 'jenkinsglanceconfigdir':
-    name => '/home/jenkins/.config/glance',
-    owner => 'jenkins',
-    group => 'jenkins',
-    mode => 700,
-    ensure => 'directory',
-    require => File['jenkinsconfigdir'],
-  }
-
-  file { 'glances3conf':
-    name => '/home/jenkins/.config/glance/s3.conf',
-    owner => 'jenkins',
-    group => 'jenkins',
-    mode => 400,
-    ensure => 'present',
-    require => File['jenkinsglanceconfigdir'],
-    source => [
-                "puppet:///modules/jenkins/glance_s3.conf",
-              ],
-  }
-
-  file { 'glanceswiftconf':
-    name => '/home/jenkins/.config/glance/swift.conf',
-    owner => 'jenkins',
-    group => 'jenkins',
-    mode => 400,
-    ensure => 'present',
-    require => File['jenkinsglanceconfigdir'],
-    source => [
-                "puppet:///modules/jenkins/glance_swift.conf",
-              ],
-  }
-
 
 
 }

modules/openstack_project/manifests/bare_slave.pp

@@ -1,8 +1,11 @@
 # bare-bones slaves spun up by jclouds. Specifically need to not set ssh
 # login limits, because it screws up jclouds provisioning
-class openstack_project::bare_slave($install_users=true) {
+class openstack_project::bare_slave(
+  $install_users=true,
+  $certname=$fqdn) {
   class { 'openstack_project::base':
-    install_users => $install_users
+    install_users => $install_users,
+    certname => $certname,
   }
 
   class { 'jenkins::slave':

modules/openstack_project/manifests/base.pp

@@ -1,4 +1,4 @@
-class openstack_project::base($install_users=true) {
+class openstack_project::base($install_users=true, $certname=$fqdn) {
   include openstack_project::users
   include sudoers
 

modules/openstack_project/manifests/glancetest.pp

@@ -0,0 +1,41 @@
+class openstack_project::glancetest(
+  $s3_store_host="s3.amazonaws.com",
+  $s3_store_access_key,
+  $s3_store_secret_key,
+  $s3_store_bucket,
+  $swift_store_auth_address="auth.api.rackspacecloud.com/v1.0/",
+  $swift_store_user,
+  $swift_store_key,
+  $swift_store_container,
+  ) {
+
+  file { 'jenkinsglanceconfigdir':
+    name => '/home/jenkins/.config/glance',
+    owner => 'jenkins',
+    group => 'jenkins',
+    mode => 700,
+    ensure => 'directory',
+    require => Class['::jenkins::jenkinsuser'],
+  }
+
+  file { 'glances3conf':
+    name => '/home/jenkins/.config/glance/s3.conf',
+    owner => 'jenkins',
+    group => 'jenkins',
+    mode => 400,
+    ensure => 'present',
+    require => File['jenkinsglanceconfigdir'],
+    content => template('jenkins/glance_s3.conf.erb'),
+  }
+
+  file { 'glanceswiftconf':
+    name => '/home/jenkins/.config/glance/swift.conf',
+    owner => 'jenkins',
+    group => 'jenkins',
+    mode => 400,
+    ensure => 'present',
+    require => File['jenkinsglanceconfigdir'],
+    content => template('jenkins/glance_swift.conf.erb'),
+  }
+
+}

modules/openstack_project/manifests/puppet_cron.pp

@@ -8,7 +8,7 @@ class openstack_project::puppet_cron($ensure=present) {
     ensure => $ensure,
     user => root,
     minute => "*/15",
-    command => 'apt-get update >/dev/null 2>&1 ; sleep $((RANDOM\%600)) && /bin/bash /root/openstack-ci-puppet/run_puppet.sh /root/openstack-ci-puppet',
+    command => 'apt-get update >/dev/null 2>&1 ; sleep $((RANDOM\%600)) && puppet agent --test --logdest /var/log/manifest.log',
     environment => "PATH=/var/lib/gems/1.8/bin:/usr/bin:/bin:/usr/sbin:/sbin",
   }
   logrotate::file { 'updatepuppet':

modules/openstack_project/manifests/server.pp

@@ -1,8 +1,12 @@
 # A server that we expect to run for some time
-class openstack_project::server ($iptables_public_tcp_ports = []) {
+class openstack_project::server (
+  $iptables_public_tcp_ports = [],
+  $certname=$fqdn
+  ) {
   include openstack_project
   class { 'openstack_project::template':
-    iptables_public_tcp_ports => $iptables_public_tcp_ports
+    iptables_public_tcp_ports => $iptables_public_tcp_ports,
+    certname => $certname,
   }
   class { 'exim':
     sysadmin => $openstack_project::sysadmins

modules/openstack_project/manifests/slave.pp

@@ -1,9 +1,12 @@
-class openstack_project::slave {
+class openstack_project::slave(
+  $certname=$fqdn
+  ) {
   include openstack_project
   include tmpreaper
   include unattended_upgrades
   class { 'openstack_project::server':
-    iptables_public_tcp_ports => []
+    iptables_public_tcp_ports => [],
+    certname => $cername,
   }
   class { 'jenkins::slave':
     ssh_key => $openstack_project::jenkins_ssh_key

modules/openstack_project/manifests/template.pp

@@ -1,7 +1,8 @@
 # A template host with no running services
 class openstack_project::template (
   $iptables_public_tcp_ports,
-  $install_users = true
+  $install_users = true,
+  $certname = $fqdn
   ) {
   include ntp
   include ssh
@@ -12,6 +13,7 @@ class openstack_project::template (
     public_tcp_ports => $iptables_public_tcp_ports,
   }
   class { 'openstack_project::base':
-    install_users => $install_users
+    install_users => $install_users,
+    certname => $certname,
   }
 }

modules/openstack_project/templates/glance_s3.conf.erb

@@ -0,0 +1,49 @@
+[DEFAULT]
+# Which backend store should Glance use by default is not specified
+# in a request to add a new image to Glance? Default: 'file'
+# Available choices are 'file', 'swift', and 's3'
+default_store = s3
+
+# ============ S3 Store Options =============================
+
+# Address where the S3 authentication service lives
+s3_store_host = <%= s3_store_host %>
+
+# User to authenticate against the S3 authentication service
+s3_store_access_key = <%= s3_store_access_key %>
+
+# Auth key for the user authenticating against the
+# S3 authentication service
+s3_store_secret_key = <%= s3_store_secret_key %>
+
+# Container within the account that the account should use
+# for storing images in S3. Note that S3 has a flat namespace,
+# so you need a unique bucket name for your glance images. An
+# easy way to do this is append your AWS access key to "glance".
+# S3 buckets in AWS *must* be lowercased, so remember to lowercase
+# your AWS access key if you use it in your bucket name below!
+s3_store_bucket = <%= s3_store_bucket %>
+
+# Do we create the bucket if it does not exist?
+s3_store_create_bucket_on_put = True
+
+[pipeline:glance-api]
+pipeline = versionnegotiation context apiv1app
+
+[pipeline:versions]
+pipeline = versionsapp
+
+[app:versionsapp]
+paste.app_factory = glance.api.versions:app_factory
+
+[app:apiv1app]
+paste.app_factory = glance.api.v1:app_factory
+
+[filter:versionnegotiation]
+paste.filter_factory = glance.api.middleware.version_negotiation:filter_factory
+
+[filter:imagecache]
+paste.filter_factory = glance.api.middleware.image_cache:filter_factory
+
+[filter:context]
+paste.filter_factory = glance.common.context:filter_factory

modules/openstack_project/templates/glance_swift.conf.erb

@@ -0,0 +1,45 @@
+[DEFAULT]
+# Which backend store should Glance use by default is not specified
+# in a request to add a new image to Glance? Default: 'file'
+# Available choices are 'file', 'swift', and 's3'
+default_store = swift
+
+# ============ Swift Store Options =============================
+
+# Address where the Swift authentication service lives
+swift_store_auth_address = <%= swift_store_auth_address %>
+
+# User to authenticate against the Swift authentication service
+swift_store_user = <%= swift_store_user %>
+
+# Auth key for the user authenticating against the
+# Swift authentication service
+swift_store_key = <%= swift_store_key %>
+
+# Container within the account that the account should use
+# for storing images in Swift
+swift_store_container = <%= swift_store_container %>
+
+# Do we create the container if it does not exist?
+swift_store_create_container_on_put = False
+
+[pipeline:glance-api]
+pipeline = versionnegotiation context apiv1app
+
+[pipeline:versions]
+pipeline = versionsapp
+
+[app:versionsapp]
+paste.app_factory = glance.api.versions:app_factory
+
+[app:apiv1app]
+paste.app_factory = glance.api.v1:app_factory
+
+[filter:versionnegotiation]
+paste.filter_factory = glance.api.middleware.version_negotiation:filter_factory
+
+[filter:imagecache]
+paste.filter_factory = glance.api.middleware.image_cache:filter_factory
+
+[filter:context]
+paste.filter_factory = glance.common.context:filter_factory

modules/openstack_project/templates/puppet.conf.erb

@@ -6,7 +6,7 @@ rundir=/var/run/puppet
 factpath=$vardir/lib/facter
 templatedir=$confdir/templates
 server=ci-puppetmaster.openstack.org
-certname=<%= fqdn %>
+certname=<%= certname %>
 pluginsync=true
 
 [master]