Andrew Bogott has uploaded a new change for review. https://gerrit.wikimedia.org/r/214499
Change subject: Don't clean the puppetcert for the puppetmaster service name. ...................................................................... Don't clean the puppetcert for the puppetmaster service name. Change-Id: I545bbd1fad879218d89048c65a5c4d69533f5247 --- M modules/puppetmaster/manifests/autosigner.pp R modules/puppetmaster/templates/puppetsigner.py.erb 2 files changed, 12 insertions(+), 5 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/99/214499/1 diff --git a/modules/puppetmaster/manifests/autosigner.pp b/modules/puppetmaster/manifests/autosigner.pp index 6ce6a56..f9e2018 100644 --- a/modules/puppetmaster/manifests/autosigner.pp +++ b/modules/puppetmaster/manifests/autosigner.pp @@ -1,12 +1,15 @@ # = Class: puppetmaster::autosigner # Automatically signs new puppet & salt certificate requests class puppetmaster::autosigner { + + $puppetmaster_service_name = hiera('labs_puppet_master') + file { '/usr/local/sbin/puppetsigner.py': - ensure => present, - source => 'puppet:///modules/puppetmaster/puppetsigner.py', - mode => '0550', - owner => 'root', - group => 'root' + ensure => present, + content => template('puppetmaster/puppetsigner.py.erb'), + mode => '0550', + owner => 'root', + group => 'root' } cron { 'puppet_certificate_signer': diff --git a/modules/puppetmaster/files/puppetsigner.py b/modules/puppetmaster/templates/puppetsigner.py.erb similarity index 96% rename from modules/puppetmaster/files/puppetsigner.py rename to modules/puppetmaster/templates/puppetsigner.py.erb index e9b2b2e..8664ffa 100755 --- a/modules/puppetmaster/files/puppetsigner.py +++ b/modules/puppetmaster/templates/puppetsigner.py.erb 
@@ -57,6 +57,10 @@ # Ourselves! continue + if hostname == "<%= @puppetmaster_service_name %>" + # Ourselves! + continue + # Skip pathological hostnames -- possible attack vector. if not re.match(r'^[\.a-zA-Z0-9_-]+\.eqiad\.wmflabs$', hostname): sys.stderr.write('Invalid hostname %s\n' % hostname) -- To view, visit https://gerrit.wikimedia.org/r/214499 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I545bbd1fad879218d89048c65a5c4d69533f5247 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Andrew Bogott <abog...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
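Review bot: In modules/puppetmaster/manifests/autosigner.pp, the added `$puppetmaster_service_name = hiera('labs_puppet_master')` lookup has no default and is not mentioned in the class header comment, so any node that includes this class without that key defined will fail catalog compilation. Document the key in the header comment, or expose it as a class parameter so the dependency is visible to callers. Because the value is rendered straight into a Python string literal by the template, the documentation should also say that it must be a plain hostname.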
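Review bot: In the modules/puppetmaster/templates/puppetsigner.py.erb hunk, the added line `if hostname == "<%= @puppetmaster_service_name %>"` has no trailing colon, so the rendered script will raise a SyntaxError at load time and the signer will stop processing every certificate request, not only the one for the service name. Add the colon. The new test could also be folded into the existing "Ourselves!" check directly above it instead of repeating the comment and the `continue`.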