Alexandros Kosiaris has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/312513

Change subject: puppetdb: Only allow connection from puppetmasters
......................................................................

puppetdb: Only allow connection from puppetmasters

Only allow connection to puppetDB from the puppetmasters

Note the ugly construct!

Change-Id: I5506f515ec8be612e14a55126598e70fb7e19c94
---
M modules/role/manifests/puppetmaster/puppetdb.pp
1 file changed, 17 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/13/312513/1

diff --git a/modules/role/manifests/puppetmaster/puppetdb.pp 
b/modules/role/manifests/puppetmaster/puppetdb.pp
index 26c4ee3..73178e1 100644
--- a/modules/role/manifests/puppetmaster/puppetdb.pp
+++ b/modules/role/manifests/puppetmaster/puppetdb.pp
@@ -39,11 +39,27 @@
     }
 
     # Only the TLS-terminating nginx proxy will be exposed
+    # TODO: Use map() once we migrate to the future parser
+    # It should have been
+    #
+    # $puppetmasters = map(values(hiera('puppetmaster::servers')) |p| { 
p['worker'] })
+    #
+    # Instead, we will have to jump through hoops (templates, yaml parsing,
+    # parser functions) for this simple thing. So don't and just hardcode it.
+    #  Does it suck ? Yes it does. But we are not going through all that
+    $puppetmasters = [
+        'puppetmaster1001.eqiad.wmnet',
+        'puppetmaster1002.eqiad.wmnet',
+        'puppetmaster2001.codfw.wmnet',
+        'puppetmaster2002.codfw.wmnet',
+        'rhodium.eqiad.wmnet',
+    ]
+    $puppetmasters_ferm = join($puppetmasters, ' ')
     ferm::service { 'puppetdb':
         proto   => 'tcp',
         port    => 443,
         notrack => true,
-        srange  => '$DOMAIN_NETWORKS',
+        srange  => "@resolve(($puppetmasters_ferm))",
     }
 
     class { 'postgresql::ganglia':
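Review bot: the hardcoded $puppetmasters list (the five entries between `$puppetmasters = [` and `]`) duplicates the hiera key `puppetmaster::servers` that the commented-out map() expression would have read, so a puppetmaster added, renamed or decommissioned in hiera later will not be reflected here and its connections to puppetdb will no longer match this rule; at minimum the comment should name that hiera key so both are updated together, and the comment sentence ending "But we are not going through all that" trails off mid-thought. Separately, `srange => "@resolve(($puppetmasters_ferm))"` moves the DNS lookups into ferm at ruleset load time: if any of the five names fails to resolve at that moment ferm refuses the whole ruleset, and a host whose address changes keeps the stale address until ferm is reloaded, neither of which applied to the previous `'$DOMAIN_NETWORKS'` source. Worth stating in the commit message that this startup dependency on DNS is accepted for the puppetdb host, since puppet runs themselves depend on this path.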

-- 
To view, visit https://gerrit.wikimedia.org/r/312513
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I5506f515ec8be612e14a55126598e70fb7e19c94
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Alexandros Kosiaris <[email protected]>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
