BBlack has submitted this change and it was merged.

Change subject: move majority of privates/files usage to secret()
......................................................................


move majority of privates/files usage to secret()

This is all of the trivial cases, where a fixed path was hardcoded
as the source attribute of a 'file', 'ssh::userkey', or
'exim4::dkim' definition, all of which are known to handle the
source/content switch ok.

Change-Id: I0db6fdb1c75355b58095e0ec29d6028bbc614649
---
M manifests/mail.pp
M manifests/role/access_new_install.pp
M manifests/role/ci.pp
M manifests/role/designate.pp
M manifests/role/ganeti.pp
M manifests/role/mha.pp
M modules/authdns/manifests/account.pp
M modules/gerrit/manifests/jetty.pp
M modules/icinga/manifests/init.pp
M modules/icinga/manifests/nsca/client.pp
M modules/icinga/manifests/nsca/daemon.pp
M modules/keyholder/manifests/private_key.pp
M modules/labstore/manifests/init.pp
M modules/lvs/manifests/balancer/runcommand.pp
M modules/mailman/manifests/webui.pp
M modules/mw-rc-irc/manifests/ircserver.pp
M modules/openstack/manifests/glance/service.pp
M modules/openstack/manifests/nova/compute.pp
M modules/puppet/manifests/self/gitclone.pp
M modules/puppetmaster/manifests/gitpuppet.pp
M modules/scap/manifests/l10nupdate.pp
M modules/statistics/manifests/sites/stats.pp
22 files changed, 34 insertions(+), 34 deletions(-)

Approvals:
  BBlack: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/manifests/mail.pp b/manifests/mail.pp
index 22957e4..1bc238e 100644
--- a/manifests/mail.pp
+++ b/manifests/mail.pp
@@ -97,7 +97,7 @@
             exim4::dkim { 'wikimedia.org':
                 domain   => 'wikimedia.org',
                 selector => 'wikimedia',
-                source   => 'puppet:///private/dkim/wikimedia.org-wikimedia.key',
+                content  => secret('dkim/wikimedia.org-wikimedia.key'),
             }
         }
 
@@ -113,7 +113,7 @@
             exim4::dkim { 'lists.wikimedia.org':
                 domain   => 'lists.wikimedia.org',
                 selector => 'wikimedia',
-                source   => 'puppet:///private/dkim/lists.wikimedia.org-wikimedia.key',
+                content  => secret('dkim/lists.wikimedia.org-wikimedia.key'),
             }
         }
 
@@ -121,7 +121,7 @@
             exim4::dkim { 'wiki-mail':
                 domain   => 'wikimedia.org',
                 selector => 'wiki-mail',
-                source   => 'puppet:///private/dkim/wikimedia.org-wiki-mail.key',
+                content  => secret('dkim/wikimedia.org-wiki-mail.key'),
             }
         }
 
diff --git a/manifests/role/access_new_install.pp b/manifests/role/access_new_install.pp
index ab761dd..d6385de 100644
--- a/manifests/role/access_new_install.pp
+++ b/manifests/role/access_new_install.pp
@@ -6,12 +6,12 @@
         owner  => 'root',
         group  => 'root',
         mode   => '0400',
-        source => 'puppet:///private/ssh/new_install/new_install',
+        content => secret('ssh/new_install/new_install'),
     }
     file { '/root/.ssh/new_install.pub':
         owner  => 'root',
         group  => 'root',
         mode   => '0444',
-        source => 'puppet:///private/ssh/new_install/new_install.pub',
+        content => secret('ssh/new_install/new_install.pub'),
     }
 }
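Review bot: Moving the private key for `/root/.ssh/new_install` from `source` to `content` places the key material inside the compiled catalog rather than having the agent fetch it from the file server, so it will be present wherever catalogs are cached or stored. Before relying on this pattern, confirm that the agent's catalog cache and any catalog storage on the master side are readable by root only, and record that next to the resource, for example `# content is embedded in the compiled catalog; catalog caches must stay root-only`. The same consideration applies to every private-key hunk in this change (ci.pp, designate.pp, ganeti.pp, mha.pp, authdns, gerrit, labstore, glance, nova, gitclone, gitpuppet, l10nupdate). The definition of secret() is not part of this diff, and the first file resource opens above the hunk.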
diff --git a/manifests/role/ci.pp b/manifests/role/ci.pp
index 15f5e0b..f476ef4 100644
--- a/manifests/role/ci.pp
+++ b/manifests/role/ci.pp
@@ -104,7 +104,7 @@
         owner   => 'jenkins',
         group   => 'jenkins',
         mode    => '0400',
-        source  => 'puppet:///private/ssh/ci/jenkins-mwext-sync_id_rsa',
+        content => secret('ssh/ci/jenkins-mwext-sync_id_rsa'),
         require => User['jenkins'],
     }
 
@@ -208,7 +208,7 @@
         ensure  => present,
         owner   => 'npmtravis',
         mode    => '0400',
-        source  => 'puppet:///private/ssh/ci/npmtravis_id_rsa',
+        content => secret('ssh/ci/npmtravis_id_rsa'),
         require => File['/home/npmtravis/.ssh'],
     }
 
diff --git a/manifests/role/designate.pp b/manifests/role/designate.pp
index e5ddbef..75de288 100644
--- a/manifests/role/designate.pp
+++ b/manifests/role/designate.pp
@@ -101,6 +101,6 @@
             owner  => 'designate',
             group  => 'designate',
             mode   => '0400',
-            source => 'puppet:///private/ssh/puppet_cert_manager/cert_manager'
+            content => secret('ssh/puppet_cert_manager/cert_manager')
     }
 }
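Review bot: The new `content => secret('ssh/puppet_cert_manager/cert_manager')` line is the last attribute and has no trailing comma, and its arrow no longer lines up with `owner  =>`, `group  =>` and `mode   =>` above it. Write it as `content => secret('ssh/puppet_cert_manager/cert_manager'),` and pad the other arrows to the width of `content`. The arrow misalignment recurs in access_new_install.pp, ganeti.pp, mha.pp, authdns/account.pp, labstore/init.pp, puppet/self/gitclone.pp, scap/l10nupdate.pp and statistics/sites/stats.pp. The resource opens above this hunk.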
diff --git a/manifests/role/ganeti.pp b/manifests/role/ganeti.pp
index 05bb1c0..afd3221 100644
--- a/manifests/role/ganeti.pp
+++ b/manifests/role/ganeti.pp
@@ -17,7 +17,7 @@
         owner  => 'root',
         group  => 'root',
         mode   => '0400',
-        source => 'puppet:///private/ganeti/id_dsa',
+        content => secret('ganeti/id_dsa'),
     }
     # This is here for completeness
     file { '/root/.ssh/id_dsa.pub':
diff --git a/manifests/role/mha.pp b/manifests/role/mha.pp
index 5d7d118..e0ba1e5 100644
--- a/manifests/role/mha.pp
+++ b/manifests/role/mha.pp
@@ -15,7 +15,7 @@
         owner  => 'mysql',
         group  => 'mysql',
         mode   => '0400',
-        source => 'puppet:///private/ssh/mysql/mysql.key',
+        content => secret('ssh/mysql/mysql.key'),
     }
 
     ssh::userkey { 'mysql':
diff --git a/modules/authdns/manifests/account.pp b/modules/authdns/manifests/account.pp
index a5e184a..31ddbe4 100644
--- a/modules/authdns/manifests/account.pp
+++ b/modules/authdns/manifests/account.pp
@@ -35,17 +35,17 @@
         owner  => $user,
         group  => $group,
         mode   => '0400',
-        source => 'puppet:///private/authdns/id_ed25519',
+        content => secret('authdns/id_ed25519'),
     }
     file { "${home}/.ssh/id_ed25519.pub":
         ensure => 'present',
         owner  => $user,
         group  => $group,
         mode   => '0400',
-        source => 'puppet:///private/authdns/id_ed25519.pub',
+        content => secret('authdns/id_ed25519.pub'),
     }
     ssh::userkey { $user:
-        source => 'puppet:///private/authdns/id_ed25519.pub',
+        content => secret('authdns/id_ed25519.pub'),
     }
 
     file { "${home}/git-shell-commands":
diff --git a/modules/gerrit/manifests/jetty.pp b/modules/gerrit/manifests/jetty.pp
index db990f2..6ccdbf9 100644
--- a/modules/gerrit/manifests/jetty.pp
+++ b/modules/gerrit/manifests/jetty.pp
@@ -60,7 +60,7 @@
         group   => 'gerrit2',
         mode    => '0600',
         require => File['/var/lib/gerrit2/.ssh'],
-        source  => 'puppet:///private/gerrit/id_rsa',
+        content => secret('gerrit/id_rsa'),
     }
 
     file { '/var/lib/gerrit2/review_site':
diff --git a/modules/icinga/manifests/init.pp b/modules/icinga/manifests/init.pp
index a227db1..9c41169 100644
--- a/modules/icinga/manifests/init.pp
+++ b/modules/icinga/manifests/init.pp
@@ -60,7 +60,7 @@
     }
 
     file { '/etc/icinga/nsca_frack.cfg':
-        source  => 'puppet:///private/nagios/nsca_frack.cfg',
+        content => secret('nagios/nsca_frack.cfg'),
         owner   => 'icinga',
         group   => 'icinga',
         mode    => '0644',
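Review bot: `/etc/icinga/nsca_frack.cfg` is now filled from secret() but keeps `mode    => '0644',`, so whatever the private file holds is readable by every local account. If it carries an NSCA shared password, as such configs commonly do, tighten it to `mode    => '0640',`; owner and group are already `icinga`. The same pairing of secret content with a world-readable mode appears in modules/mw-rc-irc/manifests/ircserver.pp (`mode   => '0444',` on the entry that receives `misc/ircd.conf`) and in modules/statistics/manifests/sites/stats.pp (`mode   => '0644',` on the first htpasswd file, while the geowiki one uses `0640` with group `www-data`). This file resource continues past the end of the hunk, so attributes not shown here may also matter.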
diff --git a/modules/icinga/manifests/nsca/client.pp b/modules/icinga/manifests/nsca/client.pp
index 9754fac..b55343a 100644
--- a/modules/icinga/manifests/nsca/client.pp
+++ b/modules/icinga/manifests/nsca/client.pp
@@ -8,7 +8,7 @@
     }
 
     file { '/etc/send_nsca.cfg':
-        source  => 'puppet:///private/icinga/send_nsca.cfg',
+        content => secret('icinga/send_nsca.cfg'),
         owner   => 'root',
         mode    => '0400',
         require => Package['nsca-client'],
diff --git a/modules/icinga/manifests/nsca/daemon.pp b/modules/icinga/manifests/nsca/daemon.pp
index 96a180b..b8f41a9 100644
--- a/modules/icinga/manifests/nsca/daemon.pp
+++ b/modules/icinga/manifests/nsca/daemon.pp
@@ -11,7 +11,7 @@
     }
 
     file { '/etc/nsca.cfg':
-        source  => 'puppet:///private/icinga/nsca.cfg',
+        content => secret('icinga/nsca.cfg'),
         owner   => 'root',
         mode    => '0400',
         require => Package['nsca'],
diff --git a/modules/keyholder/manifests/private_key.pp b/modules/keyholder/manifests/private_key.pp
index fec9d50..5c06ebf 100644
--- a/modules/keyholder/manifests/private_key.pp
+++ b/modules/keyholder/manifests/private_key.pp
@@ -20,7 +20,7 @@
 #
 #  keyholder::private_key { 'mwdeploy_rsa':
 #    ensure => present,
-#    source => 'puppet:///private/ssh/tin/mwdeploy_rsa',
+#    content => secret('ssh/tin/mwdeploy_rsa'),
 #  }
 #
 define keyholder::private_key(
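Review bot: The usage example for `keyholder::private_key` now shows `content => secret('ssh/tin/mwdeploy_rsa'),`, but the commit description names only `file`, `ssh::userkey` and `exim4::dkim` as definitions known to handle the source/content switch. The parameter list of the define begins on the last line of this hunk and is not visible, so it cannot be confirmed from here that a `content` parameter exists. If the define only accepts `source`, the example will mislead anyone who copies it; either keep the example on `source` or add the parameter in the same change. Also note that the edited comment line leaves the `=>` out of line with `ensure =>` above it.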
diff --git a/modules/labstore/manifests/init.pp b/modules/labstore/manifests/init.pp
index ebd33996..243fda6 100644
--- a/modules/labstore/manifests/init.pp
+++ b/modules/labstore/manifests/init.pp
@@ -45,7 +45,7 @@
         owner  => 'root',
         group  => 'root',
         mode   => '0400',
-        source => 'puppet:///private/labstore/id_labstore',
+        content => secret('labstore/id_labstore'),
     }
 
     file { '/etc/default/nfs-common':
diff --git a/modules/lvs/manifests/balancer/runcommand.pp b/modules/lvs/manifests/balancer/runcommand.pp
index cd9b97d..353cd95 100644
--- a/modules/lvs/manifests/balancer/runcommand.pp
+++ b/modules/lvs/manifests/balancer/runcommand.pp
@@ -19,6 +19,6 @@
             owner => root,
             group => root,
             mode => '0600',
-            source => "puppet:///private/pybal/pybal-check";
+            content => secret('pybal/pybal-check');
     }
 }
diff --git a/modules/mailman/manifests/webui.pp b/modules/mailman/manifests/webui.pp
index 2a1f1fd..a653f69 100644
--- a/modules/mailman/manifests/webui.pp
+++ b/modules/mailman/manifests/webui.pp
@@ -17,7 +17,7 @@
 
     # htdigest file for private list archives
     file { '/etc/apache2/arbcom-l.htdigest':
-        source  => 'puppet:///private/mailman/arbcom-l.htdigest',
+        content => secret('mailman/arbcom-l.htdigest'),
         owner   => 'root',
         group   => 'www-data',
         mode    => '0440',
diff --git a/modules/mw-rc-irc/manifests/ircserver.pp b/modules/mw-rc-irc/manifests/ircserver.pp
index 4196952..6bf8225 100644
--- a/modules/mw-rc-irc/manifests/ircserver.pp
+++ b/modules/mw-rc-irc/manifests/ircserver.pp
@@ -10,7 +10,7 @@
             mode   => '0444',
             owner  => 'irc',
             group  => 'irc',
-            source => 'puppet:///private/misc/ircd.conf';
+            content => secret('misc/ircd.conf');
         '/usr/etc/ircd.motd':
             mode    => '0444',
             owner   => 'irc',
diff --git a/modules/openstack/manifests/glance/service.pp b/modules/openstack/manifests/glance/service.pp
index 53fb7cc..d3ab79a 100644
--- a/modules/openstack/manifests/glance/service.pp
+++ b/modules/openstack/manifests/glance/service.pp
@@ -83,7 +83,7 @@
     ssh::userkey { 'glancesync':
         require => user['glancesync'],
         ensure  => present,
-        source  => 'puppet:///private/ssh/glancesync/glancesync.pub',
+        content => secret('ssh/glancesync/glancesync.pub'),
     }
     file { '/home/glancesync/.ssh':
         ensure  => directory,
@@ -93,7 +93,7 @@
         require => user['glancesync'],
     }
     file { '/home/glancesync/.ssh/id_rsa':
-        source  => 'puppet:///private/ssh/glancesync/glancesync.key',
+        content => secret('ssh/glancesync/glancesync.key'),
         owner   => 'glancesync',
         group   => 'glance',
         mode    => '0600',
diff --git a/modules/openstack/manifests/nova/compute.pp b/modules/openstack/manifests/nova/compute.pp
index 073c259..6b0789d 100644
--- a/modules/openstack/manifests/nova/compute.pp
+++ b/modules/openstack/manifests/nova/compute.pp
@@ -43,14 +43,14 @@
             require => Package['nova-common'],
         }
         file { '/var/lib/nova/.ssh/id_rsa':
-            source  => 'puppet:///private/ssh/nova/nova.key',
+            content => secret('ssh/nova/nova.key'),
             owner   => 'nova',
             group   => 'nova',
             mode    => '0600',
             require => File['/var/lib/nova/.ssh'],
         }
         file { '/var/lib/nova/.ssh/id_rsa.pub':
-            source  => 'puppet:///private/ssh/nova/nova.pub',
+            content => secret('ssh/nova/nova.pub'),
             owner   => 'nova',
             group   => 'nova',
             mode    => '0600',
@@ -83,7 +83,7 @@
     }
 
     ssh::userkey { 'nova':
-        source => 'puppet:///private/ssh/nova/nova.pub',
+        content => secret('ssh/nova/nova.pub'),
     }
 
     service { 'libvirt-bin':
diff --git a/modules/puppet/manifests/self/gitclone.pp b/modules/puppet/manifests/self/gitclone.pp
index b78ed1d..aa64807 100644
--- a/modules/puppet/manifests/self/gitclone.pp
+++ b/modules/puppet/manifests/self/gitclone.pp
@@ -37,7 +37,7 @@
         owner  => 'root',
         group  => 'root',
         mode   => '0600',
-        source => 'puppet:///private/ssh/labs-puppet-key',
+        content => secret('ssh/labs-puppet-key'),
     }
     file { $volatiledir:
         ensure => directory,
diff --git a/modules/puppetmaster/manifests/gitpuppet.pp b/modules/puppetmaster/manifests/gitpuppet.pp
index 1f30292..e6ed816 100644
--- a/modules/puppetmaster/manifests/gitpuppet.pp
+++ b/modules/puppetmaster/manifests/gitpuppet.pp
@@ -19,7 +19,7 @@
             owner   => 'gitpuppet',
             group   => 'gitpuppet',
             mode    => '0400',
-            source  => 'puppet:///private/ssh/gitpuppet/gitpuppet.key',
+            content => secret('ssh/gitpuppet/gitpuppet.key'),
             require => File['/home/gitpuppet/.ssh'],
     }
     file { '/home/gitpuppet/.ssh/gitpuppet-private-repo':
@@ -27,7 +27,7 @@
             owner   => 'gitpuppet',
             group   => 'gitpuppet',
             mode    => '0400',
-            source  => 'puppet:///private/ssh/gitpuppet/gitpuppet-private.key',
+            content => secret('ssh/gitpuppet/gitpuppet-private.key'),
             require => File['/home/gitpuppet/.ssh'],
     }
     ssh::userkey { 'gitpuppet':
diff --git a/modules/scap/manifests/l10nupdate.pp b/modules/scap/manifests/l10nupdate.pp
index 57a70bb..d164880 100644
--- a/modules/scap/manifests/l10nupdate.pp
+++ b/modules/scap/manifests/l10nupdate.pp
@@ -36,13 +36,13 @@
         owner  => 'l10nupdate',
         group  => 'l10nupdate',
         mode   => '0400',
-        source => 'puppet:///private/ssh/tin/l10nupdate/id_rsa',
+        content => secret('ssh/tin/l10nupdate/id_rsa'),
     }
     file { '/home/l10nupdate/.ssh/id_rsa.pub':
         owner  => 'l10nupdate',
         group  => 'l10nupdate',
         mode   => '0444',
-        source => 'puppet:///private/ssh/tin/l10nupdate/id_rsa.pub',
+        content => secret('ssh/tin/l10nupdate/id_rsa.pub'),
     }
 
     # Make sure the log directory exists and has adequate permissions.
diff --git a/modules/statistics/manifests/sites/stats.pp b/modules/statistics/manifests/sites/stats.pp
index 647b9cc..d31a0a2 100644
--- a/modules/statistics/manifests/sites/stats.pp
+++ b/modules/statistics/manifests/sites/stats.pp
@@ -14,7 +14,7 @@
         owner  => 'root',
         group  => 'root',
         mode   => '0644',
-        source => 'puppet:///private/apache/htpasswd.stats',
+        content => secret('apache/htpasswd.stats'),
     }
 
     # add htpasswd file for private geowiki data
@@ -22,7 +22,7 @@
         owner  => 'root',
         group  => 'www-data',
         mode   => '0640',
-        source => 'puppet:///private/apache/htpasswd.stats-geowiki',
+        content => secret('apache/htpasswd.stats-geowiki'),
     }
 
     # link geowiki checkout from docroot

-- 
To view, visit https://gerrit.wikimedia.org/r/224213

Gerrit-MessageType: merged
Gerrit-Change-Id: I0db6fdb1c75355b58095e0ec29d6028bbc614649
Gerrit-PatchSet: 4
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BBlack <bbl...@wikimedia.org>
Gerrit-Reviewer: BBlack <bbl...@wikimedia.org>
Gerrit-Reviewer: Faidon Liambotis <fai...@wikimedia.org>
Gerrit-Reviewer: Hashar <has...@free.fr>
Gerrit-Reviewer: jenkins-bot <>
