Rush has submitted this change and it was merged. Change subject: openstack: refactor designate role/class for labtest ......................................................................
openstack: refactor designate role/class for labtest Change-Id: I0e9eda122fd3cc009840b7e315257980c234c9be --- M modules/ldap/manifests/client/utils.pp M modules/openstack/manifests/designate/service.pp M modules/openstack/templates/kilo/designate/designate.conf.erb M modules/role/manifests/labs/openstack/designate.pp 4 files changed, 43 insertions(+), 38 deletions(-) Approvals: Rush: Looks good to me, approved jenkins-bot: Verified diff --git a/modules/ldap/manifests/client/utils.pp b/modules/ldap/manifests/client/utils.pp index ed97c6e..368dd82 100644 --- a/modules/ldap/manifests/client/utils.pp +++ b/modules/ldap/manifests/client/utils.pp @@ -2,6 +2,7 @@ # include ldap::client::utils, since some scripts use getent for ldap user info # Remember though, that including ldap::client::nss will mean users in the # ldap database will then be listed as users of the system, so use care. + class ldap::client::utils($ldapconfig) { package { [ 'python-ldap', diff --git a/modules/openstack/manifests/designate/service.pp b/modules/openstack/manifests/designate/service.pp index f7e3fde..d4174fc 100644 --- a/modules/openstack/manifests/designate/service.pp +++ b/modules/openstack/manifests/designate/service.pp @@ -1,11 +1,20 @@ # Designate provides DNSaaS services for OpenStack # https://wiki.openstack.org/wiki/Designate -class openstack::designate::service ($openstack_version=$::openstack::version, $designateconfig) { + +class openstack::designate::service ( + $openstack_version=$::openstack::version, + $active_server, + $nova_controller, + $keystone_host, + $keystoneconfig, + $designateconfig, +) + { require openstack::repo - include passwords::openstack::nova - $ldap_user_pass = $passwords::openstack::nova::nova_ldap_user_pass + $keystone_host_ip = ipresolve($keystone_host,4) + $nova_controller_ip = ipresolve($nova_controller) require_package( 'python-designateclient', 
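Review bot: The first service.pp hunk removes `$ldap_user_pass = $passwords::openstack::nova::nova_ldap_user_pass`, but designate.conf.erb still contains `ldappassword = <%= @ldap_user_pass %>` (visible as context in the `@@ -237,11` template hunk), and nothing in the visible diff defines that variable any more. ERB renders an unset instance variable as an empty string, so the catalog would still compile and designate would be configured with a blank LDAP bind password instead of failing loudly. Both removed variables were assigned from the same `nova_ldap_user_pass`, so the template line can presumably become `ldappassword = <%= @keystoneconfig['ldap_user_pass'] %>` like the neighbouring `nova_auth_pass` lines. The class body continues past the end of the hunk, so confirm that nothing further down still sets it.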
@@ -19,10 +28,6 @@ 'python-novaclient', 'python-nova-fixed-multi' ) - - - # This password is to allow designate to write to instance metadata - $wikitech_nova_ldap_user_pass = $passwords::openstack::nova::nova_ldap_user_pass file { '/etc/designate/designate.conf': @@ -72,10 +77,22 @@ mode => '0444', } + file { '/var/lib/designate/.ssh/': + ensure => directory, + owner => 'designate', + group => 'designate', + } + + file { '/var/lib/designate/.ssh/id_rsa': + owner => 'designate', + group => 'designate', + mode => '0400', + content => secret('ssh/puppet_cert_manager/cert_manager') + } # include rootwrap.d entries - if $::fqdn == hiera('labs_designate_hostname') { + if $::fqdn == $active_server { service {'designate-api': ensure => running, require => Package['designate-api']; diff --git a/modules/openstack/templates/kilo/designate/designate.conf.erb b/modules/openstack/templates/kilo/designate/designate.conf.erb index b57efd3..85692fd 100644 --- a/modules/openstack/templates/kilo/designate/designate.conf.erb +++ b/modules/openstack/templates/kilo/designate/designate.conf.erb @@ -100,11 +100,11 @@ # Keystone Middleware #----------------------- [keystone_authtoken] -auth_host = <%= @designateconfig["keystone_auth_host"] %> -auth_port = <%= @designateconfig["keystone_auth_port"] %> -auth_protocol = <%= @designateconfig["keystone_auth_protocol"] %> -admin_token = <%= @designateconfig["keystone_admin_token"] %> -auth_uri = <%= @designateconfig["auth_uri"] %> +auth_host = <%= @keystone_host_ip %> +auth_port = <%= @keystoneconfig["auth_port"] %> +auth_protocol = <%= @keystoneconfig['auth_protocol'] %> +admin_token = <%= @keystoneconfig['admin_token'] %> +auth_uri = http://<%= @nova_controller_ip %>:5000 #----------------------- # Sink Service 
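Review bot: The `/var/lib/designate/.ssh/` directory resource added in the `@@ -72,10 +77,22` hunk sets owner and group but no `mode`, so the directory holding the private key falls back to the default permissions; add `mode => '0700',`. Both file resources sit above the `if $::fqdn == $active_server` guard, so every host that includes this class receives the `cert_manager` key, not only the active server; if only the active designate host uses it, move them inside the guard. On `id_rsa`, `ensure => file` states the intent explicitly, and `show_diff => false` keeps key material out of agent logs and reports where diffs are enabled. The guarded block continues past the end of the hunk.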
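Review bot: The new `auth_uri = http://<%= @nova_controller_ip %>:5000` line in the `[keystone_authtoken]` hunk hard-codes the scheme, while `auth_protocol` two lines above comes from `@keystoneconfig`; a deployment that sets the protocol to https would still advertise a cleartext auth URI. If both are meant to follow the same setting, use `auth_uri = <%= @keystoneconfig['auth_protocol'] %>://<%= @nova_controller_ip %>:5000`. The previous value was built from the controller hostname rather than an IP, and an IP in the URI will not match a certificate name if Keystone is ever served over TLS, so confirm the switch is intended. As a style point, `auth_port` indexes the hash with double quotes while the other lookups use single quotes.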
@@ -220,7 +220,7 @@ reverse_domain_id = '8d114f3c-815b-466c-bdd4-9b91f704ea60' reverse_format = '%(hostname)s.%(project_name)s.%(domain)s' keystone_auth_name = "novaadmin" -keystone_auth_pass = "<%= @wikitech_nova_ldap_user_pass %>" +keystone_auth_pass = "<%= @keystoneconfig['ldap_user_pass'] %>" keystone_auth_project = "testlabs" keystone_auth_url = "http://<%= @designateconfig['controller_hostname'] %>:35357/v3" @@ -237,11 +237,11 @@ ldapusername = uid=novaadmin,ou=people,dc=wikimedia,dc=org ldappassword = <%= @ldap_user_pass %> nova_auth_name = "novaadmin" -nova_auth_pass = "<%= @wikitech_nova_ldap_user_pass %>" +nova_auth_pass = "<%= @keystoneconfig['ldap_user_pass'] %>" nova_auth_project = "testlabs" nova_auth_url = "http://<%= @designateconfig['controller_hostname'] %>:35357/v2.0" keystone_auth_name = "novaadmin" -keystone_auth_pass = "<%= @wikitech_nova_ldap_user_pass %>" +keystone_auth_pass = "<%= @keystoneconfig['ldap_user_pass'] %>" keystone_auth_project = "testlabs" keystone_auth_url = "http://<%= @designateconfig['controller_hostname'] %>:35357/v3" diff --git a/modules/role/manifests/labs/openstack/designate.pp b/modules/role/manifests/labs/openstack/designate.pp index 0d0f7ea..81d7b94 100644 --- a/modules/role/manifests/labs/openstack/designate.pp +++ b/modules/role/manifests/labs/openstack/designate.pp 
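Review bot: `<%= @keystoneconfig['ldap_user_pass'] %>` in the `@@ -220,7` hunk, and twice more in `@@ -237,11`, renders as an empty string when the key is absent. The role passes `hiera_hash('keystoneconfig', {})` with an empty-hash default, so missing hiera data would silently produce `keystone_auth_pass = ""`. Writing `<%= @keystoneconfig.fetch('ldap_user_pass') %>` makes the template raise, so the catalog fails to compile rather than shipping a blank credential. The same applies to the `admin_token` lookup in the `[keystone_authtoken]` section.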
@@ -3,41 +3,28 @@ system::role { $name: } include openstack + $keystone_host = hiera('labs_keystone_host') $nova_controller = hiera('labs_nova_controller') + $designate_host = hiera('labs_designate_hostname') $keystoneconfig = hiera_hash('keystoneconfig', {}) $designateconfig = hiera_hash('designateconfig', {}) - $wikitech_ip = ipresolve('wikitech.wikimedia.org',4) - $horizon_ip = ipresolve('horizon.wikimedia.org',4) - $controller_ip = ipresolve($nova_controller,4) - - $designateconfig['auth_uri'] = "http://${nova_controller}:5000" - $designateconfig['keystone_auth_host'] = ipresolve($keystone_host,4) - $designateconfig['keystone_auth_port'] = $keystoneconfig['auth_port'] - $designateconfig['keystone_admin_token'] = $keystoneconfig['admin_token'] - $designateconfig['keystone_auth_protocol'] = $keystoneconfig['auth_protocol'] + $controller_ip = ipresolve($nova_controller,4) + $horizon_ip = ipresolve('horizon.wikimedia.org',4) + $wikitech_ip = ipresolve('wikitech.wikimedia.org',4) class { 'openstack::designate::service': + active_server => $designate_host, + nova_controller => $nova_controller, + keystone_host => $keystone_host, + keystoneconfig => $keystoneconfig, designateconfig => $designateconfig, } # Poke a firewall hole for the designate api ferm::rule { 'designate-api': rule => "saddr (${wikitech_ip} ${horizon_ip} ${controller_ip}) proto tcp dport (9001) ACCEPT;", - } - - file { '/var/lib/designate/.ssh/': - ensure => directory, - owner => 'designate', - group => 'designate', - } - - file { '/var/lib/designate/.ssh/id_rsa': - owner => 'designate', - group => 'designate', - mode => '0400', - content => secret('ssh/puppet_cert_manager/cert_manager') } } -- To view, visit https://gerrit.wikimedia.org/r/256477 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I0e9eda122fd3cc009840b7e315257980c234c9be Gerrit-PatchSet: 4 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Rush 
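Review bot: The role resolves `$controller_ip = ipresolve($nova_controller,4)` for the ferm rule but passes the bare hostname as `nova_controller => $nova_controller`, and the class then calls `ipresolve($nova_controller)` again without the address-family argument. Unless the function defaults to IPv4, the address allowed through the firewall and the one rendered into `auth_uri` can differ; writing `$nova_controller_ip = ipresolve($nova_controller,4)` in the class keeps the two lookups identical and matches the `$keystone_host_ip` line beside it. The new class parameters (`active_server`, `nova_controller`, `keystone_host`, `keystoneconfig`) also have no documentation; a short header comment on `openstack::designate::service` should say that `keystoneconfig` carries `admin_token` and `ldap_user_pass` and that `active_server` is the FQDN on which the services run.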
<r...@wikimedia.org> Gerrit-Reviewer: Rush <r...@wikimedia.org> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits