fd3d792c8d
With the move to object storage, we no longer have predictable hosting locations for draft builds of opendev/storyboard-webclient changes. Switch the OAuth and CORS ACLs in the storyboard configuration on storyboard-dev.openstack.org to allow webclient builds hosted anywhere, as there should be nothing sensitive we need to protect in that StoryBoard deployment. While here, tighten up the same ACLs for production StoryBoard to just allow its local webclient deployment, reducing the risk of cross-site scripting attacks. Depends-On: https://review.opendev.org/691034 Change-Id: Ie4f5eb49a864848cfa95a3e956e6dbfa122fbb1d
1266 lines
52 KiB
Puppet
1266 lines
52 KiB
Puppet
#
|
|
# Top-level variables
|
|
#
|
|
# There must not be any whitespace between this comment and the variables or
|
|
# in between any two variables in order for them to be correctly parsed and
|
|
# passed around in test.sh
|
|
#
|
|
# Note we do not do a hiera lookup here as we set $group on a per node basis
|
|
# and that must be set before we can do hiera lookups. Doing a hiera lookup
|
|
# here would fail to find any group specific info.
|
|
$elasticsearch_nodes = [
|
|
"elasticsearch02.openstack.org",
|
|
"elasticsearch03.openstack.org",
|
|
"elasticsearch04.openstack.org",
|
|
"elasticsearch05.openstack.org",
|
|
"elasticsearch06.openstack.org",
|
|
"elasticsearch07.openstack.org",
|
|
]
|
|
|
|
#
|
|
# Default: should at least behave like an openstack server
|
|
#
|
|
node default {
|
|
class { 'openstack_project::server':
|
|
}
|
|
}
|
|
|
|
#
|
|
# Long lived servers:
|
|
#
|
|
# Node-OS: xenial
|
|
node /^review\d*\.open.*\.org$/ {
|
|
$group = "review"
|
|
|
|
class { 'openstack_project::server': }
|
|
|
|
class { 'openstack_project::review':
|
|
project_config_repo => 'https://opendev.org/openstack/project-config',
|
|
github_oauth_token => hiera('gerrit_github_token'),
|
|
github_project_username => hiera('github_project_username', 'username'),
|
|
github_project_password => hiera('github_project_password'),
|
|
mysql_host => hiera('gerrit_mysql_host', 'localhost'),
|
|
mysql_password => hiera('gerrit_mysql_password'),
|
|
email_private_key => hiera('gerrit_email_private_key'),
|
|
token_private_key => hiera('gerrit_rest_token_private_key'),
|
|
gerritbot_password => hiera('gerrit_gerritbot_password'),
|
|
gerritbot_ssh_rsa_key_contents => hiera('gerritbot_ssh_rsa_key_contents'),
|
|
gerritbot_ssh_rsa_pubkey_contents => hiera('gerritbot_ssh_rsa_pubkey_contents'),
|
|
ssl_cert_file_contents => hiera('review_opendev_cert_file_contents'),
|
|
ssl_key_file_contents => hiera('review_opendev_key_file_contents'),
|
|
ssl_chain_file_contents => hiera('review_opendev_chain_file_contents'),
|
|
ssh_dsa_key_contents => hiera('gerrit_ssh_dsa_key_contents'),
|
|
ssh_dsa_pubkey_contents => hiera('gerrit_ssh_dsa_pubkey_contents'),
|
|
ssh_rsa_key_contents => hiera('gerrit_ssh_rsa_key_contents'),
|
|
ssh_rsa_pubkey_contents => hiera('gerrit_ssh_rsa_pubkey_contents'),
|
|
ssh_project_rsa_key_contents => hiera('gerrit_project_ssh_rsa_key_contents'),
|
|
ssh_project_rsa_pubkey_contents => hiera('gerrit_project_ssh_rsa_pubkey_contents'),
|
|
ssh_welcome_rsa_key_contents => hiera('welcome_message_gerrit_ssh_private_key'),
|
|
ssh_welcome_rsa_pubkey_contents => hiera('welcome_message_gerrit_ssh_public_key'),
|
|
ssh_replication_rsa_key_contents => hiera('gerrit_replication_ssh_rsa_key_contents'),
|
|
ssh_replication_rsa_pubkey_contents => hiera('gerrit_replication_ssh_rsa_pubkey_contents'),
|
|
lp_access_token => hiera('gerrit_lp_access_token'),
|
|
lp_access_secret => hiera('gerrit_lp_access_secret'),
|
|
lp_consumer_key => hiera('gerrit_lp_consumer_key'),
|
|
swift_username => hiera('swift_store_user', 'username'),
|
|
swift_password => hiera('swift_store_key'),
|
|
storyboard_password => hiera('gerrit_storyboard_token'),
|
|
# Compatibility layer vars for the old domain name below here.
|
|
# TODO rename the hiera keys to reduce confusion
|
|
review_openstack_cert_file_contents => hiera('gerrit_ssl_cert_file_contents'),
|
|
review_openstack_key_file_contents => hiera('gerrit_ssl_key_file_contents'),
|
|
review_openstack_chain_file_contents => hiera('gerrit_ssl_chain_file_contents'),
|
|
}
|
|
}
|
|
|
|
# Node-OS: xenial
|
|
node /^review-dev\d*\.open.*\.org$/ {
|
|
$group = "review-dev"
|
|
|
|
class { 'openstack_project::server':
|
|
afs => true,
|
|
}
|
|
|
|
class { 'openstack_project::review_dev':
|
|
project_config_repo => 'https://opendev.org/openstack/project-config',
|
|
github_oauth_token => hiera('gerrit_dev_github_token'),
|
|
github_project_username => hiera('github_dev_project_username', 'username'),
|
|
github_project_password => hiera('github_dev_project_password'),
|
|
mysql_host => hiera('gerrit_dev_mysql_host', 'localhost'),
|
|
mysql_password => hiera('gerrit_dev_mysql_password'),
|
|
email_private_key => hiera('gerrit_dev_email_private_key'),
|
|
ssh_dsa_key_contents => hiera('gerrit_dev_ssh_dsa_key_contents'),
|
|
ssh_dsa_pubkey_contents => hiera('gerrit_dev_ssh_dsa_pubkey_contents'),
|
|
ssh_rsa_key_contents => hiera('gerrit_dev_ssh_rsa_key_contents'),
|
|
ssh_rsa_pubkey_contents => hiera('gerrit_dev_ssh_rsa_pubkey_contents'),
|
|
ssh_project_rsa_key_contents => hiera('gerrit_dev_project_ssh_rsa_key_contents'),
|
|
ssh_project_rsa_pubkey_contents => hiera('gerrit_dev_project_ssh_rsa_pubkey_contents'),
|
|
ssh_replication_rsa_key_contents => hiera('gerrit_dev_replication_ssh_rsa_key_contents'),
|
|
ssh_replication_rsa_pubkey_contents => hiera('gerrit_dev_replication_ssh_rsa_pubkey_contents'),
|
|
lp_access_token => hiera('gerrit_dev_lp_access_token'),
|
|
lp_access_secret => hiera('gerrit_dev_lp_access_secret'),
|
|
lp_consumer_key => hiera('gerrit_dev_lp_consumer_key'),
|
|
storyboard_password => hiera('gerrit_dev_storyboard_token'),
|
|
storyboard_ssl_cert => hiera('gerrit_dev_storyboard_ssl_crt'),
|
|
}
|
|
}
|
|
|
|
# Node-OS: xenial
|
|
# Puppet-Version: !3
|
|
node /^grafana\d*\.open.*\.org$/ {
|
|
$group = "grafana"
|
|
class { 'openstack_project::server': }
|
|
class { 'openstack_project::grafana':
|
|
admin_password => hiera('grafana_admin_password'),
|
|
admin_user => hiera('grafana_admin_user', 'username'),
|
|
mysql_host => hiera('grafana_mysql_host', 'localhost'),
|
|
mysql_name => hiera('grafana_mysql_name'),
|
|
mysql_password => hiera('grafana_mysql_password'),
|
|
mysql_user => hiera('grafana_mysql_user', 'username'),
|
|
project_config_repo => 'https://opendev.org/openstack/project-config',
|
|
secret_key => hiera('grafana_secret_key'),
|
|
}
|
|
}
|
|
|
|
# Node-OS: xenial
|
|
node /^health\d*\.openstack\.org$/ {
|
|
$group = "health"
|
|
class { 'openstack_project::server': }
|
|
class { 'openstack_project::openstack_health_api':
|
|
subunit2sql_db_host => hiera('subunit2sql_db_host', 'localhost'),
|
|
hostname => 'health.openstack.org',
|
|
}
|
|
}
|
|
|
|
# Node-OS: xenial
|
|
node /^cacti\d+\.open.*\.org$/ {
|
|
$group = "cacti"
|
|
include openstack_project::ssl_cert_check
|
|
class { 'openstack_project::cacti':
|
|
cacti_hosts => hiera_array('cacti_hosts'),
|
|
vhost_name => 'cacti.openstack.org',
|
|
}
|
|
}
|
|
|
|
# Node-OS: xenial
|
|
node /^graphite\d*\.open.*\.org$/ {
|
|
class { 'openstack_project::server': }
|
|
|
|
class { '::graphite':
|
|
graphite_admin_user => hiera('graphite_admin_user', 'username'),
|
|
graphite_admin_email => hiera('graphite_admin_email', 'email@example.com'),
|
|
graphite_admin_password => hiera('graphite_admin_password'),
|
|
# NOTE(ianw): installed on the host via ansible
|
|
ssl_cert_file => '/etc/letsencrypt-certs/graphite01.opendev.org/graphite01.opendev.org.cer',
|
|
ssl_key_file => '/etc/letsencrypt-certs/graphite01.opendev.org/graphite01.opendev.org.key',
|
|
ssl_chain_file => '/etc/letsencrypt-certs/graphite01.opendev.org/ca.cer',
|
|
}
|
|
}
|
|
|
|
# Node-OS: trusty
|
|
# Node-OS: xenial
|
|
node /^lists\d*\.open.*\.org$/ {
|
|
class { 'openstack_project::server': }
|
|
|
|
class { 'openstack_project::lists':
|
|
listpassword => hiera('listpassword'),
|
|
}
|
|
}
|
|
|
|
# Node-OS: xenial
|
|
node /^lists\d*\.katacontainers\.io$/ {
|
|
class { 'openstack_project::server': }
|
|
|
|
class { 'openstack_project::kata_lists':
|
|
listpassword => hiera('listpassword'),
|
|
}
|
|
}
|
|
|
|
# Node-OS: xenial
|
|
node /^paste\d*\.open.*\.org$/ {
|
|
$group = "paste"
|
|
|
|
class { 'openstack_project::server': }
|
|
class { 'openstack_project::paste':
|
|
db_password => hiera('paste_db_password'),
|
|
db_host => hiera('paste_db_host'),
|
|
vhost_name => 'paste.openstack.org',
|
|
}
|
|
}
|
|
|
|
# Node-OS: xenial
|
|
node /planet\d*\.open.*\.org$/ {
|
|
class { 'openstack_project::planet':
|
|
}
|
|
}
|
|
|
|
# Node-OS: xenial
|
|
node /^eavesdrop\d*\.open.*\.org$/ {
|
|
$group = "eavesdrop"
|
|
class { 'openstack_project::server': }
|
|
|
|
class { 'openstack_project::eavesdrop':
|
|
project_config_repo => 'https://opendev.org/openstack/project-config',
|
|
nickpass => hiera('openstack_meetbot_password'),
|
|
statusbot_nick => hiera('statusbot_nick', 'username'),
|
|
statusbot_password => hiera('statusbot_nick_password'),
|
|
statusbot_server => 'chat.freenode.net',
|
|
statusbot_channels => hiera_array('statusbot_channels', ['openstack_infra']),
|
|
statusbot_auth_nicks => hiera_array('statusbot_auth_nicks'),
|
|
statusbot_wiki_user => hiera('statusbot_wiki_username', 'username'),
|
|
statusbot_wiki_password => hiera('statusbot_wiki_password'),
|
|
statusbot_wiki_url => 'https://wiki.openstack.org/w/api.php',
|
|
# https://wiki.openstack.org/wiki/Infrastructure_Status
|
|
statusbot_wiki_pageid => '1781',
|
|
statusbot_wiki_successpageid => '7717',
|
|
statusbot_wiki_successpageurl => 'https://wiki.openstack.org/wiki/Successes',
|
|
statusbot_wiki_thankspageid => '37700',
|
|
statusbot_wiki_thankspageurl => 'https://wiki.openstack.org/wiki/Thanks',
|
|
statusbot_irclogs_url => 'http://eavesdrop.openstack.org/irclogs/%(chan)s/%(chan)s.%(date)s.log.html',
|
|
statusbot_twitter => true,
|
|
statusbot_twitter_key => hiera('statusbot_twitter_key'),
|
|
statusbot_twitter_secret => hiera('statusbot_twitter_secret'),
|
|
statusbot_twitter_token_key => hiera('statusbot_twitter_token_key'),
|
|
statusbot_twitter_token_secret => hiera('statusbot_twitter_token_secret'),
|
|
accessbot_nick => hiera('accessbot_nick', 'username'),
|
|
accessbot_password => hiera('accessbot_nick_password'),
|
|
meetbot_channels => hiera('meetbot_channels', ['openstack-infra']),
|
|
ptgbot_nick => hiera('ptgbot_nick', 'username'),
|
|
ptgbot_password => hiera('ptgbot_password'),
|
|
}
|
|
}
|
|
|
|
# Node-OS: xenial
|
|
node /^ethercalc\d+\.open.*\.org$/ {
|
|
$group = "ethercalc"
|
|
class { 'openstack_project::server': }
|
|
|
|
class { 'openstack_project::ethercalc':
|
|
vhost_name => 'ethercalc.openstack.org',
|
|
ssl_cert_file_contents => hiera('ssl_cert_file_contents'),
|
|
ssl_key_file_contents => hiera('ssl_key_file_contents'),
|
|
ssl_chain_file_contents => hiera('ssl_chain_file_contents'),
|
|
}
|
|
}
|
|
|
|
# Node-OS: xenial
|
|
node /^etherpad\d*\.open.*\.org$/ {
|
|
$group = "etherpad"
|
|
class { 'openstack_project::server': }
|
|
|
|
class { 'openstack_project::etherpad':
|
|
vhost_name => 'etherpad.openstack.org',
|
|
ssl_cert_file_contents => hiera('etherpad_ssl_cert_file_contents'),
|
|
ssl_key_file_contents => hiera('etherpad_ssl_key_file_contents'),
|
|
ssl_chain_file_contents => hiera('etherpad_ssl_chain_file_contents'),
|
|
mysql_host => hiera('etherpad_db_host', 'localhost'),
|
|
mysql_user => hiera('etherpad_db_user', 'username'),
|
|
mysql_password => hiera('etherpad_db_password'),
|
|
}
|
|
}
|
|
|
|
# Node-OS: xenial
|
|
node /^etherpad-dev\d*\.open.*\.org$/ {
|
|
$group = "etherpad-dev"
|
|
class { 'openstack_project::server': }
|
|
|
|
class { 'openstack_project::etherpad_dev':
|
|
vhost_name => 'etherpad-dev.openstack.org',
|
|
mysql_host => hiera('etherpad-dev_db_host', 'localhost'),
|
|
mysql_user => hiera('etherpad-dev_db_user', 'username'),
|
|
mysql_password => hiera('etherpad-dev_db_password'),
|
|
}
|
|
}
|
|
|
|
# Node-OS: trusty
|
|
node /^wiki\d+\.openstack\.org$/ {
|
|
$group = "wiki"
|
|
class { 'openstack_project::wiki':
|
|
bup_user => 'bup-wiki',
|
|
serveradmin => hiera('infra_apache_serveradmin'),
|
|
site_hostname => 'wiki.openstack.org',
|
|
ssl_cert_file_contents => hiera('ssl_cert_file_contents'),
|
|
ssl_key_file_contents => hiera('ssl_key_file_contents'),
|
|
ssl_chain_file_contents => hiera('ssl_chain_file_contents'),
|
|
wg_dbserver => hiera('wg_dbserver'),
|
|
wg_dbname => 'openstack_wiki',
|
|
wg_dbuser => 'wikiuser',
|
|
wg_dbpassword => hiera('wg_dbpassword'),
|
|
wg_secretkey => hiera('wg_secretkey'),
|
|
wg_upgradekey => hiera('wg_upgradekey'),
|
|
wg_recaptchasitekey => hiera('wg_recaptchasitekey'),
|
|
wg_recaptchasecretkey => hiera('wg_recaptchasecretkey'),
|
|
wg_googleanalyticsaccount => hiera('wg_googleanalyticsaccount'),
|
|
}
|
|
}
|
|
|
|
# Node-OS: trusty
|
|
node /^wiki-dev\d+\.openstack\.org$/ {
|
|
$group = "wiki-dev"
|
|
class { 'openstack_project::wiki':
|
|
serveradmin => hiera('infra_apache_serveradmin'),
|
|
site_hostname => 'wiki-dev.openstack.org',
|
|
wg_dbserver => hiera('wg_dbserver'),
|
|
wg_dbname => 'openstack_wiki',
|
|
wg_dbuser => 'wikiuser',
|
|
wg_dbpassword => hiera('wg_dbpassword'),
|
|
wg_secretkey => hiera('wg_secretkey'),
|
|
wg_upgradekey => hiera('wg_upgradekey'),
|
|
wg_recaptchasitekey => hiera('wg_recaptchasitekey'),
|
|
wg_recaptchasecretkey => hiera('wg_recaptchasecretkey'),
|
|
disallow_robots => true,
|
|
}
|
|
}
|
|
|
|
# Node-OS: xenial
|
|
node /^logstash\d*\.open.*\.org$/ {
|
|
class { 'openstack_project::server': }
|
|
|
|
class { 'openstack_project::logstash':
|
|
discover_nodes => [
|
|
'elasticsearch03.openstack.org:9200',
|
|
'elasticsearch04.openstack.org:9200',
|
|
'elasticsearch05.openstack.org:9200',
|
|
'elasticsearch06.openstack.org:9200',
|
|
'elasticsearch07.openstack.org:9200',
|
|
'elasticsearch02.openstack.org:9200',
|
|
],
|
|
subunit2sql_db_host => hiera('subunit2sql_db_host', ''),
|
|
subunit2sql_db_pass => hiera('subunit2sql_db_password', ''),
|
|
}
|
|
}
|
|
|
|
# Node-OS: xenial
|
|
node /^logstash-worker\d+\.open.*\.org$/ {
|
|
$group = 'logstash-worker'
|
|
|
|
class { 'openstack_project::server': }
|
|
|
|
class { 'openstack_project::logstash_worker':
|
|
discover_node => 'elasticsearch03.openstack.org',
|
|
enable_mqtt => false,
|
|
mqtt_password => hiera('mqtt_service_user_password'),
|
|
mqtt_ca_cert_contents => hiera('mosquitto_tls_ca_file'),
|
|
}
|
|
}
|
|
|
|
# Node-OS: xenial
|
|
node /^subunit-worker\d+\.open.*\.org$/ {
|
|
$group = "subunit-worker"
|
|
class { 'openstack_project::server': }
|
|
class { 'openstack_project::subunit_worker':
|
|
subunit2sql_db_host => hiera('subunit2sql_db_host', ''),
|
|
subunit2sql_db_pass => hiera('subunit2sql_db_password', ''),
|
|
mqtt_pass => hiera('mqtt_service_user_password'),
|
|
mqtt_ca_cert_contents => hiera('mosquitto_tls_ca_file'),
|
|
}
|
|
}
|
|
|
|
# Node-OS: xenial
|
|
node /^elasticsearch\d+\.open.*\.org$/ {
|
|
$group = "elasticsearch"
|
|
class { 'openstack_project::server': }
|
|
class { 'openstack_project::elasticsearch_node':
|
|
discover_nodes => $elasticsearch_nodes,
|
|
}
|
|
}
|
|
|
|
# Node-OS: xenial
|
|
node /^firehose\d+\.open.*\.org$/ {
|
|
class { 'openstack_project::server': }
|
|
class { 'openstack_project::firehose':
|
|
gerrit_ssh_host_key => hiera('gerrit_ssh_rsa_pubkey_contents'),
|
|
gerrit_public_key => hiera('germqtt_gerrit_ssh_public_key'),
|
|
gerrit_private_key => hiera('germqtt_gerrit_ssh_private_key'),
|
|
mqtt_password => hiera('mqtt_service_user_password'),
|
|
ca_file => hiera('mosquitto_tls_ca_file'),
|
|
cert_file => hiera('mosquitto_tls_server_cert_file'),
|
|
key_file => hiera('mosquitto_tls_server_key_file'),
|
|
imap_hostname => hiera('lpmqtt_imap_server'),
|
|
imap_username => hiera('lpmqtt_imap_username'),
|
|
imap_password => hiera('lpmqtt_imap_password'),
|
|
statsd_host => 'graphite.opendev.org',
|
|
}
|
|
}
|
|
|
|
# A machine to drive AFS mirror updates.
|
|
# Node-OS: xenial
|
|
node /^mirror-update\d*\.open.*\.org$/ {
|
|
$group = "afsadmin"
|
|
|
|
class { 'openstack_project::mirror_update':
|
|
admin_keytab => hiera('afsadmin_keytab'),
|
|
fedora_keytab => hiera('fedora_keytab'),
|
|
opensuse_keytab => hiera('opensuse_keytab'),
|
|
reprepro_keytab => hiera('reprepro_keytab'),
|
|
gem_keytab => hiera('gem_keytab'),
|
|
centos_keytab => hiera('centos_keytab'),
|
|
epel_keytab => hiera('epel_keytab'),
|
|
yum_puppetlabs_keytab => hiera('yum_puppetlabs_keytab'),
|
|
}
|
|
}
|
|
|
|
# Machines in each region to serve AFS mirrors.
|
|
# Node-OS: xenial
|
|
node /^mirror\d*\..*\.open.*\.org$/ {
|
|
$group = "mirror"
|
|
|
|
class { 'openstack_project::server':
|
|
afs => true,
|
|
afs_cache_size => 50000000, # 50GB
|
|
}
|
|
|
|
class { 'openstack_project::mirror':
|
|
vhost_name => $::fqdn,
|
|
require => Class['Openstack_project::Server'],
|
|
}
|
|
}
|
|
|
|
# Serve static AFS content for docs and other sites.
|
|
# Node-OS: xenial
|
|
node /^files\d*\.open.*\.org$/ {
|
|
$group = "files"
|
|
class { 'openstack_project::server':
|
|
afs => true,
|
|
afs_cache_size => 10000000, # 10GB
|
|
}
|
|
|
|
class { 'openstack_project::files':
|
|
vhost_name => 'files.openstack.org',
|
|
developer_cert_file_contents => hiera('developer_cert_file_contents'),
|
|
developer_key_file_contents => hiera('developer_key_file_contents'),
|
|
developer_chain_file_contents => hiera('developer_chain_file_contents'),
|
|
docs_cert_file_contents => hiera('docs_cert_file_contents'),
|
|
docs_key_file_contents => hiera('docs_key_file_contents'),
|
|
docs_chain_file_contents => hiera('docs_chain_file_contents'),
|
|
git_airship_cert_file_contents => hiera('git_airship_cert_file_contents'),
|
|
git_airship_key_file_contents => hiera('git_airship_key_file_contents'),
|
|
git_airship_chain_file_contents => hiera('git_airship_chain_file_contents'),
|
|
git_openstack_cert_file_contents => hiera('git_openstack_cert_file_contents'),
|
|
git_openstack_key_file_contents => hiera('git_openstack_key_file_contents'),
|
|
git_openstack_chain_file_contents => hiera('git_openstack_chain_file_contents'),
|
|
git_starlingx_cert_file_contents => hiera('git_starlingx_cert_file_contents'),
|
|
git_starlingx_key_file_contents => hiera('git_starlingx_key_file_contents'),
|
|
git_starlingx_chain_file_contents => hiera('git_starlingx_chain_file_contents'),
|
|
git_zuul_cert_file_contents => hiera('git_zuul_cert_file_contents'),
|
|
git_zuul_key_file_contents => hiera('git_zuul_key_file_contents'),
|
|
git_zuul_chain_file_contents => hiera('git_zuul_chain_file_contents'),
|
|
require => Class['Openstack_project::Server'],
|
|
}
|
|
|
|
# Temporary for evaluating htaccess rules
|
|
::httpd::vhost { "git-test.openstack.org":
|
|
port => 80, # Is required despite not being used.
|
|
docroot => "/afs/openstack.org/project/git-test/www",
|
|
priority => '50',
|
|
template => 'openstack_project/git-test.vhost.erb',
|
|
}
|
|
|
|
openstack_project::website { 'docs.starlingx.io':
|
|
volume_name => 'starlingx.io',
|
|
aliases => [],
|
|
ssl_cert => hiera('docs_starlingx_io_ssl_cert'),
|
|
ssl_key => hiera('docs_starlingx_io_ssl_key'),
|
|
ssl_intermediate => hiera('docs_starlingx_io_ssl_intermediate'),
|
|
require => Class['openstack_project::files'],
|
|
}
|
|
|
|
openstack_project::website { 'docs.opendev.org':
|
|
aliases => [],
|
|
docroot => "/afs/openstack.org/project/opendev.org/docs",
|
|
ssl_cert => hiera('docs_opendev_ssl_cert'),
|
|
ssl_key => hiera('docs_opendev_ssl_key'),
|
|
ssl_intermediate => hiera('docs_opendev_ssl_intermediate'),
|
|
require => Class['openstack_project::files'],
|
|
}
|
|
|
|
openstack_project::website { 'tarballs.opendev.org':
|
|
aliases => [],
|
|
docroot => "/afs/openstack.org/project/opendev.org/tarballs",
|
|
ssl_cert_file => '/etc/letsencrypt-certs/tarballs.opendev.org/tarballs.opendev.org.cer',
|
|
ssl_key_file => '/etc/letsencrypt-certs/tarballs.opendev.org/tarballs.opendev.org.key',
|
|
ssl_chain_file => '/etc/letsencrypt-certs/tarballs.opendev.org/ca.cer',
|
|
require => Class['openstack_project::files'],
|
|
}
|
|
|
|
openstack_project::website { 'zuul-ci.org':
|
|
aliases => ['www.zuul-ci.org', 'zuulci.org', 'www.zuulci.org'],
|
|
ssl_cert => hiera('zuul-ci_org_ssl_cert'),
|
|
ssl_key => hiera('zuul-ci_org_ssl_key'),
|
|
ssl_intermediate => hiera('zuul-ci_org_ssl_intermediate'),
|
|
require => Class['openstack_project::files'],
|
|
}
|
|
|
|
}
|
|
|
|
# Node-OS: trusty
|
|
# Node-OS: xenial
|
|
node /^refstack\d*\.open.*\.org$/ {
|
|
class { 'openstack_project::server': }
|
|
class { 'refstack':
|
|
mysql_host => hiera('refstack_mysql_host', 'localhost'),
|
|
mysql_database => hiera('refstack_mysql_db_name', 'refstack'),
|
|
mysql_user => hiera('refstack_mysql_user', 'refstack'),
|
|
mysql_user_password => hiera('refstack_mysql_password'),
|
|
ssl_cert_content => hiera('refstack_ssl_cert_file_contents'),
|
|
ssl_cert => '/etc/ssl/certs/refstack.pem',
|
|
ssl_key_content => hiera('refstack_ssl_key_file_contents'),
|
|
ssl_key => '/etc/ssl/private/refstack.key',
|
|
ssl_ca_content => hiera('refstack_ssl_chain_file_contents'),
|
|
ssl_ca => '/etc/ssl/certs/refstack.ca.pem',
|
|
protocol => 'https',
|
|
}
|
|
mysql_backup::backup_remote { 'refstack':
|
|
database_host => hiera('refstack_mysql_host', 'localhost'),
|
|
database_user => hiera('refstack_mysql_user', 'refstack'),
|
|
database_password => hiera('refstack_mysql_password'),
|
|
require => Class['::refstack'],
|
|
}
|
|
}
|
|
|
|
# A machine to run Storyboard
|
|
# Node-OS: xenial
|
|
node /^storyboard\d+\.opendev\.org$/ {
|
|
$group = "storyboard"
|
|
class { 'openstack_project::storyboard':
|
|
project_config_repo => 'https://opendev.org/openstack/project-config',
|
|
mysql_host => hiera('storyboard_db_host', 'localhost'),
|
|
mysql_user => hiera('storyboard_db_user', 'username'),
|
|
mysql_password => hiera('storyboard_db_password'),
|
|
rabbitmq_user => hiera('storyboard_rabbit_user', 'username'),
|
|
rabbitmq_password => hiera('storyboard_rabbit_password'),
|
|
ssl_cert => '/etc/ssl/certs/storyboard.openstack.org.pem',
|
|
ssl_cert_file_contents => hiera('storyboard_ssl_cert_file_contents'),
|
|
ssl_key => '/etc/ssl/private/storyboard.openstack.org.key',
|
|
ssl_key_file_contents => hiera('storyboard_ssl_key_file_contents'),
|
|
ssl_chain_file_contents => hiera('storyboard_ssl_chain_file_contents'),
|
|
hostname => 'storyboard.openstack.org',
|
|
valid_oauth_clients => ['storyboard.openstack.org',],
|
|
cors_allowed_origins => ['https://storyboard.openstack.org',],
|
|
sender_email_address => 'storyboard@storyboard.openstack.org',
|
|
default_url => 'https://storyboard.openstack.org',
|
|
}
|
|
}
|
|
|
|
# A machine to run Storyboard devel
|
|
# Node-OS: xenial
|
|
node /^storyboard-dev\d+\.opendev\.org$/ {
|
|
$group = "storyboard-dev"
|
|
class { 'openstack_project::storyboard::dev':
|
|
project_config_repo => 'https://opendev.org/openstack/project-config',
|
|
mysql_host => hiera('storyboard_db_host', 'localhost'),
|
|
mysql_user => hiera('storyboard_db_user', 'username'),
|
|
mysql_password => hiera('storyboard_db_password'),
|
|
rabbitmq_user => hiera('storyboard_rabbit_user', 'username'),
|
|
rabbitmq_password => hiera('storyboard_rabbit_password'),
|
|
hostname => 'storyboard-dev.openstack.org',
|
|
valid_oauth_clients => ['^.*',],
|
|
cors_allowed_origins => ['^.*',],
|
|
sender_email_address => 'storyboard-dev@storyboard-dev.openstack.org',
|
|
default_url => 'https://storyboard-dev.openstack.org',
|
|
}
|
|
|
|
}
|
|
|
|
# A machine to serve static content.
|
|
# Node-OS: trusty
|
|
# Node-OS: xenial
|
|
node /^static\d*\.open.*\.org$/ {
|
|
class { 'openstack_project::server': }
|
|
class { 'openstack_project::static':
|
|
project_config_repo => 'https://opendev.org/openstack/project-config',
|
|
swift_authurl => 'https://identity.api.rackspacecloud.com/v2.0/',
|
|
swift_user => 'infra-files-ro',
|
|
swift_key => hiera('infra_files_ro_password'),
|
|
swift_tenant_name => hiera('infra_files_tenant_name', 'tenantname'),
|
|
swift_region_name => 'DFW',
|
|
swift_default_container => 'infra-files',
|
|
ssl_cert_file_contents => hiera('static_ssl_cert_file_contents'),
|
|
ssl_key_file_contents => hiera('static_ssl_key_file_contents'),
|
|
ssl_chain_file_contents => hiera('static_ssl_chain_file_contents'),
|
|
}
|
|
}
|
|
|
|
# Node-OS: xenial
|
|
node /^zk\d+\.open.*\.org$/ {
|
|
# We use IP addresses here so that zk listens on the public facing addresses
|
|
# allowing cluster members to talk to each other. Without this they listen
|
|
# on 127.0.1.1 because that is what we have in /etc/hosts for
|
|
# zk0X.openstack.org.
|
|
$zk_cluster_members = [
|
|
'23.253.236.126', # zk01
|
|
'172.99.117.32', # zk02
|
|
'23.253.90.246', # zk03
|
|
]
|
|
class { 'openstack_project::server': }
|
|
|
|
class { '::zookeeper':
|
|
# ID needs to be numeric, so we use regex to extra numbers from fqdn.
|
|
id => regsubst($::fqdn, '^zk(\d+)\.open.*\.org$', '\1'),
|
|
# The frequency in hours to look for and purge old snapshots,
|
|
# defaults to 0 (disabled). The number of retained snapshots can
|
|
# be separately controlled through snap_retain_count and
|
|
# defaults to the minimum value of 3. This will quickly fill the
|
|
# disk in production if not enabled. Works on ZK >=3.4.
|
|
purge_interval => 6,
|
|
servers => $zk_cluster_members,
|
|
}
|
|
}
|
|
|
|
# A machine to serve various project status updates.
|
|
# Node-OS: trusty
|
|
# Node-OS: xenial
|
|
node /^status\d*\.open.*\.org$/ {
|
|
$group = 'status'
|
|
|
|
class { 'openstack_project::server': }
|
|
|
|
class { 'openstack_project::status':
|
|
gerrit_host => 'review.opendev.org',
|
|
gerrit_ssh_host_key => hiera('gerrit_ssh_rsa_pubkey_contents'),
|
|
reviewday_ssh_public_key => hiera('reviewday_rsa_pubkey_contents'),
|
|
reviewday_ssh_private_key => hiera('reviewday_rsa_key_contents'),
|
|
recheck_ssh_public_key => hiera('elastic-recheck_gerrit_ssh_public_key'),
|
|
recheck_ssh_private_key => hiera('elastic-recheck_gerrit_ssh_private_key'),
|
|
recheck_bot_nick => 'openstackrecheck',
|
|
recheck_bot_passwd => hiera('elastic-recheck_ircbot_password'),
|
|
}
|
|
}
|
|
|
|
# Node-OS: xenial
|
|
node /^survey\d+\.open.*\.org$/ {
|
|
$group = "survey"
|
|
class { 'openstack_project::server': }
|
|
|
|
class { 'openstack_project::survey':
|
|
vhost_name => 'survey.openstack.org',
|
|
auth_openid => true,
|
|
ssl_cert_file_contents => hiera('ssl_cert_file_contents'),
|
|
ssl_key_file_contents => hiera('ssl_key_file_contents'),
|
|
ssl_chain_file_contents => hiera('ssl_chain_file_contents'),
|
|
dbpassword => hiera('dbpassword'),
|
|
dbhost => hiera('dbhost'),
|
|
adminuser => hiera('adminuser'),
|
|
adminpass => hiera('adminpass'),
|
|
adminmail => hiera('adminmail'),
|
|
}
|
|
}
|
|
|
|
# Node-OS: xenial
|
|
node /^nl\d+\.open.*\.org$/ {
|
|
$group = 'nodepool'
|
|
|
|
# NOTE(ianw) From 09-2018 (https://review.opendev.org/#/c/598329/)
|
|
# the cloud credentials are deployed with ansible via the
|
|
# configure-openstacksdk role and are no longer configured here
|
|
|
|
class { 'openstack_project::server': }
|
|
|
|
include openstack_project
|
|
|
|
class { '::openstackci::nodepool_launcher':
|
|
nodepool_ssh_private_key => hiera('zuul_worker_ssh_private_key_contents'),
|
|
project_config_repo => 'https://opendev.org/openstack/project-config',
|
|
statsd_host => 'graphite.opendev.org',
|
|
revision => 'master',
|
|
python_version => 3,
|
|
enable_webapp => true,
|
|
}
|
|
}
|
|
|
|
# Node-OS: xenial
|
|
node /^nb\d+\.open.*\.org$/ {
|
|
$group = 'nodepool'
|
|
|
|
class { 'openstack_project::server': }
|
|
|
|
include openstack_project
|
|
|
|
class { '::openstackci::nodepool_builder':
|
|
nodepool_ssh_public_key => hiera('zuul_worker_ssh_public_key_contents'),
|
|
vhost_name => $::fqdn,
|
|
enable_build_log_via_http => true,
|
|
project_config_repo => 'https://opendev.org/openstack/project-config',
|
|
statsd_host => 'graphite.opendev.org',
|
|
upload_workers => '16',
|
|
revision => 'master',
|
|
python_version => 3,
|
|
zuulv3 => true,
|
|
ssl_cert_file => '/etc/ssl/certs/ssl-cert-snakeoil.pem',
|
|
ssl_key_file => '/etc/ssl/private/ssl-cert-snakeoil.key',
|
|
}
|
|
|
|
cron { 'mirror_gitgc':
|
|
user => 'nodepool',
|
|
hour => '20',
|
|
minute => '0',
|
|
command => 'find /opt/dib_cache/source-repositories/ -type d -name "*.git" -exec git --git-dir="{}" gc \; >/dev/null',
|
|
environment => 'PATH=/usr/bin:/bin:/usr/sbin:/sbin',
|
|
require => Class['::openstackci::nodepool_builder'],
|
|
}
|
|
}
|
|
|
|
# Node-OS: xenial
|
|
node /^ze\d+\.open.*\.org$/ {
|
|
$group = "zuul-executor"
|
|
|
|
$gerrit_server = 'review.opendev.org'
|
|
$gerrit_user = 'zuul'
|
|
$gerrit_ssh_host_key = hiera('gerrit_ssh_rsa_pubkey_contents')
|
|
$gerrit_ssh_private_key = hiera('gerrit_ssh_private_key_contents')
|
|
$zuul_ssh_private_key = hiera('zuul_ssh_private_key_contents')
|
|
$zuul_static_private_key = hiera('jenkins_ssh_private_key_contents')
|
|
$git_email = 'zuul@openstack.org'
|
|
$git_name = 'OpenStack Zuul'
|
|
$revision = 'master'
|
|
|
|
class { 'openstack_project::server':
|
|
afs => true,
|
|
}
|
|
|
|
class { '::project_config':
|
|
url => 'https://opendev.org/openstack/project-config',
|
|
}
|
|
|
|
# We use later HWE kernels for better memory managment, requiring an
|
|
# updated AFS version which we install from our custom ppa.
|
|
include ::apt
|
|
apt::ppa { 'ppa:openstack-ci-core/openafs-amd64-hwe': }
|
|
package { 'linux-generic-hwe-16.04':
|
|
ensure => present,
|
|
require => [
|
|
Apt::Ppa['ppa:openstack-ci-core/openafs-amd64-hwe'],
|
|
Class['apt::update'],
|
|
],
|
|
}
|
|
|
|
# Skopeo is required for pushing/pulling from the intermediate
|
|
# registry, and is available in the projectatomic ppa.
|
|
|
|
apt::ppa { 'ppa:projectatomic/ppa': }
|
|
package { 'skopeo':
|
|
ensure => present,
|
|
require => [
|
|
Apt::Ppa['ppa:projectatomic/ppa'],
|
|
Class['apt::update'],
|
|
],
|
|
}
|
|
|
|
# Socat is also required for pushing/pulling images
|
|
package { 'socat':
|
|
ensure => present,
|
|
require => [
|
|
Class['apt::update'],
|
|
],
|
|
}
|
|
|
|
# NOTE(pabelanger): We call ::zuul directly, so we can override all in one
|
|
# settings.
|
|
class { '::zuul':
|
|
gearman_server => 'zuul01.openstack.org',
|
|
gerrit_server => $gerrit_server,
|
|
gerrit_user => $gerrit_user,
|
|
zuul_ssh_private_key => $gerrit_ssh_private_key,
|
|
git_email => $git_email,
|
|
git_name => $git_name,
|
|
worker_private_key_file => '/var/lib/zuul/ssh/nodepool_id_rsa',
|
|
revision => $revision,
|
|
python_version => 3,
|
|
zookeeper_hosts => 'zk01.openstack.org:2181,zk02.openstack.org:2181,zk03.openstack.org:2181',
|
|
zuulv3 => true,
|
|
connections => hiera('zuul_connections', []),
|
|
connection_secrets => hiera('zuul_connection_secrets', []),
|
|
gearman_client_ssl_cert => hiera('gearman_client_ssl_cert'),
|
|
gearman_client_ssl_key => hiera('gearman_client_ssl_key'),
|
|
gearman_ssl_ca => hiera('gearman_ssl_ca'),
|
|
#TODO(pabelanger): Add openafs role for zuul-jobs to setup /etc/openafs
|
|
# properly. We need to revisting this post Queens PTG.
|
|
trusted_ro_paths => ['/etc/openafs', '/etc/ssl/certs', '/var/lib/zuul/ssh'],
|
|
trusted_rw_paths => ['/afs'],
|
|
untrusted_ro_paths => ['/etc/ssl/certs'],
|
|
disk_limit_per_job => 5000, # Megabytes
|
|
site_variables_yaml_file => $::project_config::zuul_site_variables_yaml,
|
|
require => $::project_config::config_dir,
|
|
statsd_host => 'graphite.opendev.org',
|
|
}
|
|
|
|
class { '::zuul::executor': }
|
|
|
|
# This is used by the log job submission playbook which runs under
|
|
# python2
|
|
package { 'gear':
|
|
ensure => latest,
|
|
provider => openstack_pip,
|
|
require => Class['pip'],
|
|
}
|
|
|
|
file { '/var/lib/zuul/ssh/nodepool_id_rsa':
|
|
owner => 'zuul',
|
|
group => 'zuul',
|
|
mode => '0400',
|
|
require => File['/var/lib/zuul/ssh'],
|
|
content => $zuul_ssh_private_key,
|
|
}
|
|
|
|
file { '/var/lib/zuul/ssh/static_id_rsa':
|
|
owner => 'zuul',
|
|
group => 'zuul',
|
|
mode => '0400',
|
|
require => File['/var/lib/zuul/ssh'],
|
|
content => $zuul_static_private_key,
|
|
}
|
|
|
|
class { '::zuul::known_hosts':
|
|
known_hosts_content => "[review.opendev.org]:29418,[review.openstack.org]:29418,[104.130.246.32]:29418,[2001:4800:7819:103:be76:4eff:fe04:9229]:29418 ${gerrit_ssh_host_key}\n[git.opendaylight.org]:29418,[52.35.122.251]:29418,[2600:1f14:421:f500:7b21:2a58:ab0a:2d17]:29418 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyRXyHEw/P1iZr/fFFzbodT5orVV/ftnNRW59Zh9rnSY5Rmbc9aygsZHdtiWBERVVv8atrJSdZool75AglPDDYtPICUGWLR91YBSDcZwReh5S9es1dlQ6fyWTnv9QggSZ98KTQEuE3t/b5SfH0T6tXWmrNydv4J2/mejKRRLU2+oumbeVN1yB+8Uau/3w9/K5F5LgsDDzLkW35djLhPV8r0OfmxV/cAnLl7AaZlaqcJMA+2rGKqM3m3Yu+pQw4pxOfCSpejlAwL6c8tA9naOvBkuJk+hYpg5tDEq2QFGRX5y1F9xQpwpdzZROc5hdGYntM79VMMXTj+95dwVv/8yTsw==\n",
|
|
}
|
|
}
|
|
|
|
# Node-OS: xenial
|
|
node /^zuul\d+\.open.*\.org$/ {
|
|
$group = "zuul-scheduler"
|
|
$gerrit_server = 'review.opendev.org'
|
|
$gerrit_user = 'zuul'
|
|
$gerrit_ssh_host_key = hiera('gerrit_zuul_user_ssh_key_contents')
|
|
$zuul_ssh_private_key = hiera('zuul_ssh_private_key_contents')
|
|
$zuul_url = "http://zuul.openstack.org/p"
|
|
$git_email = 'zuul@openstack.org'
|
|
$git_name = 'OpenStack Zuul'
|
|
$revision = 'master'
|
|
|
|
class { 'openstack_project::server': }
|
|
|
|
class { '::project_config':
|
|
url => 'https://opendev.org/openstack/project-config',
|
|
}
|
|
|
|
# NOTE(pabelanger): We call ::zuul directly, so we can override all in one
|
|
# settings.
|
|
class { '::zuul':
|
|
gerrit_server => $gerrit_server,
|
|
gerrit_user => $gerrit_user,
|
|
zuul_ssh_private_key => $zuul_ssh_private_key,
|
|
git_email => $git_email,
|
|
git_name => $git_name,
|
|
revision => $revision,
|
|
python_version => 3,
|
|
zookeeper_hosts => 'zk01.openstack.org:2181,zk02.openstack.org:2181,zk03.openstack.org:2181',
|
|
zookeeper_session_timeout => 40,
|
|
zuulv3 => true,
|
|
connections => hiera('zuul_connections', []),
|
|
connection_secrets => hiera('zuul_connection_secrets', []),
|
|
vhost_name => 'zuul.openstack.org',
|
|
zuul_status_url => 'http://127.0.0.1:8001/openstack',
|
|
zuul_web_url => 'http://127.0.0.1:9000',
|
|
zuul_tenant_name => 'openstack',
|
|
gearman_client_ssl_cert => hiera('gearman_client_ssl_cert'),
|
|
gearman_client_ssl_key => hiera('gearman_client_ssl_key'),
|
|
gearman_server_ssl_cert => hiera('gearman_server_ssl_cert'),
|
|
gearman_server_ssl_key => hiera('gearman_server_ssl_key'),
|
|
gearman_ssl_ca => hiera('gearman_ssl_ca'),
|
|
proxy_ssl_cert_file_contents => hiera('zuul_ssl_cert_file_contents'),
|
|
proxy_ssl_chain_file_contents => hiera('zuul_ssl_chain_file_contents'),
|
|
proxy_ssl_key_file_contents => hiera('zuul_ssl_key_file_contents'),
|
|
statsd_host => 'graphite.opendev.org',
|
|
status_url => 'https://zuul.openstack.org',
|
|
relative_priority => true,
|
|
web_root => 'https://zuul.opendev.org',
|
|
}
|
|
|
|
file { "/etc/zuul/github.key":
|
|
ensure => present,
|
|
owner => 'zuul',
|
|
group => 'zuul',
|
|
mode => '0600',
|
|
content => hiera('zuul_github_app_key'),
|
|
require => File['/etc/zuul'],
|
|
}
|
|
|
|
class { '::zuul::scheduler':
|
|
layout_dir => $::project_config::zuul_layout_dir,
|
|
require => $::project_config::config_dir,
|
|
python_version => 3,
|
|
use_mysql => true,
|
|
}
|
|
|
|
class { '::zuul::web':
|
|
# We manage backups below
|
|
enable_status_backups => false,
|
|
vhosts => {
|
|
'zuul.openstack.org' => {
|
|
port => 443,
|
|
docroot => '/opt/zuul-web/content',
|
|
priority => '50',
|
|
ssl => true,
|
|
template => 'zuul/zuulv3.vhost.erb',
|
|
vhost_name => 'zuul.openstack.org',
|
|
},
|
|
'zuul.opendev.org' => {
|
|
port => 443,
|
|
docroot => '/opt/zuul-web/content',
|
|
priority => '40',
|
|
ssl => true,
|
|
template => 'zuul/zuulv3.vhost.erb',
|
|
vhost_name => 'zuul.opendev.org',
|
|
},
|
|
'zuul.openstack.org-http' => {
|
|
port => 80,
|
|
docroot => '/opt/zuul-web/content',
|
|
priority => '50',
|
|
ssl => false,
|
|
template => 'zuul/zuulv3.vhost.erb',
|
|
vhost_name => 'zuul.openstack.org',
|
|
},
|
|
'zuul.opendev.org-http' => {
|
|
port => 80,
|
|
docroot => '/opt/zuul-web/content',
|
|
priority => '40',
|
|
ssl => false,
|
|
template => 'zuul/zuulv3.vhost.erb',
|
|
vhost_name => 'zuul.opendev.org',
|
|
},
|
|
},
|
|
vhosts_flags => {
|
|
'zuul.openstack.org' => {
|
|
tenant_name => 'openstack',
|
|
ssl => true,
|
|
},
|
|
'zuul.opendev.org' => {
|
|
tenant_name => '',
|
|
ssl => true,
|
|
},
|
|
'zuul.openstack.org-http' => {
|
|
tenant_name => 'openstack',
|
|
ssl => false,
|
|
},
|
|
'zuul.opendev.org-http' => {
|
|
tenant_name => '',
|
|
ssl => false,
|
|
},
|
|
},
|
|
vhosts_ssl => {
|
|
'zuul.openstack.org' => {
|
|
ssl_cert_file_contents => hiera('zuul_ssl_cert_file_contents'),
|
|
ssl_chain_file_contents => hiera('zuul_ssl_chain_file_contents'),
|
|
ssl_key_file_contents => hiera('zuul_ssl_key_file_contents'),
|
|
},
|
|
'zuul.opendev.org' => {
|
|
ssl_cert_file_contents => hiera('opendev_zuul_ssl_cert_file_contents'),
|
|
ssl_chain_file_contents => hiera('opendev_zuul_ssl_chain_file_contents'),
|
|
ssl_key_file_contents => hiera('opendev_zuul_ssl_key_file_contents'),
|
|
},
|
|
},
|
|
}
|
|
|
|
zuul::status_backups { 'openstack-zuul-tenant':
|
|
tenant_name => 'openstack',
|
|
ssl => true,
|
|
status_uri => 'https://zuul.opendev.org/api/tenant/openstack/status',
|
|
}
|
|
|
|
zuul::status_backups { 'kata-zuul-tenant':
|
|
tenant_name => 'kata-containers',
|
|
ssl => true,
|
|
status_uri => 'https://zuul.opendev.org/api/tenant/kata-containers/status',
|
|
}
|
|
|
|
class { '::zuul::fingergw': }
|
|
|
|
class { '::zuul::known_hosts':
|
|
known_hosts_content => "[review.opendev.org]:29418,[review.openstack.org]:29418,[104.130.246.32]:29418,[2001:4800:7819:103:be76:4eff:fe04:9229]:29418 ${gerrit_ssh_host_key}\n[git.opendaylight.org]:29418,[52.35.122.251]:29418,[2600:1f14:421:f500:7b21:2a58:ab0a:2d17]:29418 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyRXyHEw/P1iZr/fFFzbodT5orVV/ftnNRW59Zh9rnSY5Rmbc9aygsZHdtiWBERVVv8atrJSdZool75AglPDDYtPICUGWLR91YBSDcZwReh5S9es1dlQ6fyWTnv9QggSZ98KTQEuE3t/b5SfH0T6tXWmrNydv4J2/mejKRRLU2+oumbeVN1yB+8Uau/3w9/K5F5LgsDDzLkW35djLhPV8r0OfmxV/cAnLl7AaZlaqcJMA+2rGKqM3m3Yu+pQw4pxOfCSpejlAwL6c8tA9naOvBkuJk+hYpg5tDEq2QFGRX5y1F9xQpwpdzZROc5hdGYntM79VMMXTj+95dwVv/8yTsw==\n",
|
|
}
|
|
|
|
include bup
|
|
bup::site { 'rax.ord':
|
|
backup_user => 'bup-zuulv3',
|
|
backup_server => 'backup01.ord.rax.ci.openstack.org',
|
|
}
|
|
|
|
}
|
|
|
|
# Node-OS: xenial
|
|
node /^zm\d+.open.*\.org$/ {
|
|
$group = "zuul-merger"
|
|
|
|
$gerrit_server = 'review.opendev.org'
|
|
$gerrit_user = 'zuul'
|
|
$gerrit_ssh_host_key = hiera('gerrit_ssh_rsa_pubkey_contents')
|
|
$zuul_ssh_private_key = hiera('zuulv3_ssh_private_key_contents')
|
|
$zuul_url = "http://${::fqdn}/p"
|
|
$git_email = 'zuul@openstack.org'
|
|
$git_name = 'OpenStack Zuul'
|
|
$revision = 'master'
|
|
|
|
class { 'openstack_project::server': }
|
|
|
|
# NOTE(pabelanger): We call ::zuul directly, so we can override all in one
|
|
# settings.
|
|
class { '::zuul':
|
|
gearman_server => 'zuul01.openstack.org',
|
|
gerrit_server => $gerrit_server,
|
|
gerrit_user => $gerrit_user,
|
|
zuul_ssh_private_key => $zuul_ssh_private_key,
|
|
git_email => $git_email,
|
|
git_name => $git_name,
|
|
revision => $revision,
|
|
python_version => 3,
|
|
zookeeper_hosts => 'zk01.openstack.org:2181,zk02.openstack.org:2181,zk03.openstack.org:2181',
|
|
zuulv3 => true,
|
|
connections => hiera('zuul_connections', []),
|
|
connection_secrets => hiera('zuul_connection_secrets', []),
|
|
gearman_client_ssl_cert => hiera('gearman_client_ssl_cert'),
|
|
gearman_client_ssl_key => hiera('gearman_client_ssl_key'),
|
|
gearman_ssl_ca => hiera('gearman_ssl_ca'),
|
|
statsd_host => 'graphite.opendev.org',
|
|
}
|
|
|
|
class { 'openstack_project::zuul_merger':
|
|
gerrit_server => $gerrit_server,
|
|
gerrit_user => $gerrit_user,
|
|
gerrit_ssh_host_key => $gerrit_ssh_host_key,
|
|
zuul_ssh_private_key => $zuul_ssh_private_key,
|
|
manage_common_zuul => false,
|
|
}
|
|
}
|
|
|
|
# Node-OS: xenial
|
|
node /^pbx\d*\.open.*\.org$/ {
|
|
$group = "pbx"
|
|
class { 'openstack_project::server': }
|
|
class { 'openstack_project::pbx':
|
|
sip_providers => [
|
|
{
|
|
provider => 'voipms',
|
|
hostname => 'dallas.voip.ms',
|
|
username => hiera('voipms_username', 'username'),
|
|
password => hiera('voipms_password'),
|
|
outgoing => false,
|
|
},
|
|
],
|
|
}
|
|
}
|
|
|
|
# Node-OS: xenial
|
|
# A backup machine. Don't run cron or puppet agent on it.
|
|
node /^backup\d+\..*\.ci\.open.*\.org$/ {
|
|
$group = "ci-backup"
|
|
class { 'openstack_project::server': }
|
|
include openstack_project::backup_server
|
|
}
|
|
|
|
# Node-OS: xenial
|
|
node /^openstackid\d*(\.openstack)?\.org$/ {
|
|
$group = "openstackid"
|
|
class { 'openstack_project::openstackid_prod':
|
|
site_admin_password => hiera('openstackid_site_admin_password'),
|
|
id_mysql_host => hiera('openstackid_id_mysql_host', 'localhost'),
|
|
id_mysql_password => hiera('openstackid_id_mysql_password'),
|
|
id_mysql_user => hiera('openstackid_id_mysql_user', 'username'),
|
|
id_db_name => hiera('openstackid_id_db_name'),
|
|
ss_mysql_host => hiera('openstackid_ss_mysql_host', 'localhost'),
|
|
ss_mysql_password => hiera('openstackid_ss_mysql_password'),
|
|
ss_mysql_user => hiera('openstackid_ss_mysql_user', 'username'),
|
|
ss_db_name => hiera('openstackid_ss_db_name', 'username'),
|
|
redis_password => hiera('openstackid_redis_password'),
|
|
ssl_cert_file_contents => hiera('openstackid_ssl_cert_file_contents'),
|
|
ssl_key_file_contents => hiera('openstackid_ssl_key_file_contents'),
|
|
ssl_chain_file_contents => hiera('openstackid_ssl_chain_file_contents'),
|
|
id_recaptcha_public_key => hiera('openstackid_recaptcha_public_key'),
|
|
id_recaptcha_private_key => hiera('openstackid_recaptcha_private_key'),
|
|
vhost_name => 'openstackid.org',
|
|
session_cookie_domain => 'openstackid.org',
|
|
serveradmin => 'webmaster@openstackid.org',
|
|
canonicalweburl => 'https://openstackid.org/',
|
|
app_url => 'https://openstackid.org',
|
|
app_key => hiera('openstackid_app_key'),
|
|
id_log_error_to_email => 'openstack@tipit.net',
|
|
id_log_error_from_email => 'noreply@openstack.org',
|
|
email_driver => 'sendgrid',
|
|
email_send_grid_api_key => hiera('openstackid_send_grid_api_key'),
|
|
php_version => 7,
|
|
mysql_ssl_enabled => true,
|
|
mysql_ssl_ca_file_contents => hiera('openstackid_mysql_ssl_ca_file_contents'),
|
|
mysql_ssl_client_key_file_contents => hiera('openstackid_mysql_ssl_client_key_file_contents'),
|
|
mysql_ssl_client_cert_file_contents => hiera('openstackid_mysql_ssl_client_cert_file_contents'),
|
|
lost_password_url => 'https://openstackid.org/lost-password',
|
|
registration_url => 'https://openstackid.org/registration',
|
|
registration_mobile_url => 'https://openstackid.org/registration-mobile',
|
|
resend_verification_url => 'https://openstackid.org/resend-verification',
|
|
}
|
|
}
|
|
|
|
# Node-OS: xenial
|
|
node /^openstackid-dev\d*\.openstack\.org$/ {
|
|
$group = "openstackid-dev"
|
|
class { 'openstack_project::openstackid_dev':
|
|
site_admin_password => hiera('openstackid_dev_site_admin_password'),
|
|
id_mysql_host => hiera('openstackid_dev_id_mysql_host', 'localhost'),
|
|
id_mysql_password => hiera('openstackid_dev_id_mysql_password'),
|
|
id_mysql_user => hiera('openstackid_dev_id_mysql_user', 'username'),
|
|
ss_mysql_host => hiera('openstackid_dev_ss_mysql_host', 'localhost'),
|
|
ss_mysql_password => hiera('openstackid_dev_ss_mysql_password'),
|
|
ss_mysql_user => hiera('openstackid_dev_ss_mysql_user', 'username'),
|
|
ss_db_name => hiera('openstackid_dev_ss_db_name', 'username'),
|
|
redis_password => hiera('openstackid_dev_redis_password'),
|
|
ssl_cert_file_contents => hiera('openstackid_dev_ssl_cert_file_contents'),
|
|
ssl_key_file_contents => hiera('openstackid_dev_ssl_key_file_contents'),
|
|
ssl_chain_file_contents => hiera('openstackid_dev_ssl_chain_file_contents'),
|
|
id_recaptcha_public_key => hiera('openstackid_dev_recaptcha_public_key'),
|
|
id_recaptcha_private_key => hiera('openstackid_dev_recaptcha_private_key'),
|
|
vhost_name => 'openstackid-dev.openstack.org',
|
|
session_cookie_domain => 'openstackid-dev.openstack.org',
|
|
serveradmin => 'webmaster@openstackid-dev.openstack.org',
|
|
canonicalweburl => 'https://openstackid-dev.openstack.org/',
|
|
app_url => 'https://openstackid-dev.openstack.org',
|
|
app_key => hiera('openstackid_dev_app_key'),
|
|
id_log_error_to_email => 'openstack@tipit.net',
|
|
id_log_error_from_email => 'noreply@openstack.org',
|
|
email_driver => 'sendgrid',
|
|
email_send_grid_api_key => hiera('openstackid_dev_send_grid_api_key'),
|
|
php_version => 7,
|
|
mysql_ssl_enabled => true,
|
|
mysql_ssl_ca_file_contents => hiera('openstackid_dev_mysql_ssl_ca_file_contents'),
|
|
mysql_ssl_client_key_file_contents => hiera('openstackid_dev_mysql_ssl_client_key_file_contents'),
|
|
mysql_ssl_client_cert_file_contents => hiera('openstackid_dev_mysql_ssl_client_cert_file_contents'),
|
|
lost_password_url => 'https://openstackid-dev.openstack.org/lost-password',
|
|
registration_url => 'https://openstackid-dev.openstack.org/registration',
|
|
registration_mobile_url => 'https://openstackid-dev.openstack.org/registration-mobile',
|
|
resend_verification_url => 'https://openstackid-dev.openstack.org/resend-verification',
|
|
}
|
|
}
|
|
|
|
# Node-OS: trusty
|
|
# Used for testing all-in-one deployments
|
|
node 'single-node-ci.test.only' {
|
|
include ::openstackci::single_node_ci
|
|
}
|
|
|
|
# Node-OS: xenial
|
|
node /^kdc03\.open.*\.org$/ {
|
|
class { 'openstack_project::server': }
|
|
|
|
class { 'openstack_project::kdc': }
|
|
}
|
|
|
|
# Node-OS: xenial
|
|
node /^kdc04\.open.*\.org$/ {
|
|
class { 'openstack_project::server': }
|
|
|
|
class { 'openstack_project::kdc':
|
|
slave => true,
|
|
}
|
|
}
|
|
|
|
# Node-OS: xenial
|
|
node /^afsdb01\.open.*\.org$/ {
|
|
$group = "afsdb"
|
|
|
|
class { 'openstack_project::server':
|
|
afs => true,
|
|
}
|
|
|
|
include openstack_project::afsdb
|
|
include openstack_project::afsrelease
|
|
}
|
|
|
|
# Node-OS: xenial
|
|
node /^afsdb.*\.open.*\.org$/ {
|
|
$group = "afsdb"
|
|
|
|
class { 'openstack_project::server':
|
|
afs => true,
|
|
}
|
|
|
|
include openstack_project::afsdb
|
|
}
|
|
|
|
# Node-OS: xenial
|
|
node /^afs.*\..*\.open.*\.org$/ {
|
|
$group = "afs"
|
|
|
|
class { 'openstack_project::server':
|
|
afs => true,
|
|
}
|
|
|
|
include openstack_project::afsfs
|
|
}
|
|
|
|
# Node-OS: trusty
|
|
node /^ask\d*\.open.*\.org$/ {
|
|
|
|
class { 'openstack_project::server': }
|
|
|
|
class { 'openstack_project::ask':
|
|
db_user => hiera('ask_db_user', 'ask'),
|
|
db_password => hiera('ask_db_password'),
|
|
redis_password => hiera('ask_redis_password'),
|
|
site_ssl_cert_file_contents => hiera('ask_site_ssl_cert_file_contents', undef),
|
|
site_ssl_key_file_contents => hiera('ask_site_ssl_key_file_contents', undef),
|
|
site_ssl_chain_file_contents => hiera('ask_site_ssl_chain_file_contents', undef),
|
|
}
|
|
}
|
|
|
|
# Node-OS: trusty
|
|
node /^ask-staging\d*\.open.*\.org$/ {
|
|
class { 'openstack_project::server': }
|
|
|
|
class { 'openstack_project::ask_staging':
|
|
db_password => hiera('ask_staging_db_password'),
|
|
redis_password => hiera('ask_staging_redis_password'),
|
|
}
|
|
}
|
|
|
|
# Node-OS: xenial
|
|
node /^translate\d+\.open.*\.org$/ {
|
|
$group = "translate"
|
|
class { 'openstack_project::server': }
|
|
class { 'openstack_project::translate':
|
|
admin_users => 'aeng,cboylan,eumel8,ianw,ianychoi,infra,jaegerandi,mordred,stevenk',
|
|
openid_url => 'https://openstackid.org',
|
|
listeners => ['ajp'],
|
|
from_address => 'noreply@openstack.org',
|
|
mysql_host => hiera('translate_mysql_host', 'localhost'),
|
|
mysql_password => hiera('translate_mysql_password'),
|
|
zanata_server_user => hiera('proposal_zanata_user'),
|
|
zanata_server_api_key => hiera('proposal_zanata_api_key'),
|
|
zanata_wildfly_version => '10.1.0',
|
|
zanata_wildfly_install_url => 'https://repo1.maven.org/maven2/org/wildfly/wildfly-dist/10.1.0.Final/wildfly-dist-10.1.0.Final.tar.gz',
|
|
zanata_main_version => 4,
|
|
zanata_url => 'https://github.com/zanata/zanata-platform/releases/download/platform-4.3.3/zanata-4.3.3-wildfly.zip',
|
|
zanata_checksum => 'eaf8bd07401dade758b677007d2358f173193d17',
|
|
project_config_repo => 'https://opendev.org/openstack/project-config',
|
|
ssl_cert_file_contents => hiera('translate_ssl_cert_file_contents'),
|
|
ssl_key_file_contents => hiera('translate_ssl_key_file_contents'),
|
|
ssl_chain_file_contents => hiera('translate_ssl_chain_file_contents'),
|
|
vhost_name => 'translate.openstack.org',
|
|
}
|
|
}
|
|
|
|
# Node-OS: xenial
|
|
node /^translate-dev\d*\.open.*\.org$/ {
|
|
$group = "translate-dev"
|
|
class { 'openstack_project::translate_dev':
|
|
admin_users => 'aeng,cboylan,eumel,eumel8,ianw,ianychoi,infra,jaegerandi,mordred,stevenk',
|
|
openid_url => 'https://openstackid-dev.openstack.org',
|
|
listeners => ['ajp'],
|
|
from_address => 'noreply@openstack.org',
|
|
mysql_host => hiera('translate_dev_mysql_host', 'localhost'),
|
|
mysql_password => hiera('translate_dev_mysql_password'),
|
|
zanata_server_user => hiera('proposal_zanata_user'),
|
|
zanata_server_api_key => hiera('proposal_zanata_api_key'),
|
|
project_config_repo => 'https://opendev.org/openstack/project-config',
|
|
vhost_name => 'translate-dev.openstack.org',
|
|
}
|
|
}
|
|
|
|
|
|
# Node-OS: xenial
|
|
node /^codesearch\d*\.open.*\.org$/ {
|
|
$group = "codesearch"
|
|
class { 'openstack_project::server': }
|
|
class { 'openstack_project::codesearch':
|
|
project_config_repo => 'https://opendev.org/openstack/project-config',
|
|
}
|
|
}
|
|
|
|
# vim:sw=2:ts=2:expandtab:textwidth=79
|