Alexandros Kosiaris has submitted this change and it was merged.
Change subject: puppetdb: Only allow connection from puppetmasters
......................................................................
puppetdb: Only allow connection from puppetmasters
Only allow connection to puppetDB from the puppetmasters
Note the ugly construct!
Change-Id: I5506f515ec8be612e14a55126598e70fb7e19c94
---
M modules/role/manifests/puppetmaster/puppetdb.pp
1 file changed, 17 insertions(+), 1 deletion(-)
Approvals:
Giuseppe Lavagetto: Looks good to me, but someone else must approve
Alexandros Kosiaris: Verified; Looks good to me, approved
diff --git a/modules/role/manifests/puppetmaster/puppetdb.pp
b/modules/role/manifests/puppetmaster/puppetdb.pp
index 26c4ee3..ac03a10 100644
--- a/modules/role/manifests/puppetmaster/puppetdb.pp
+++ b/modules/role/manifests/puppetmaster/puppetdb.pp
@@ -39,11 +39,27 @@
}
# Only the TLS-terminating nginx proxy will be exposed
+ # TODO: Use map() once we migrate to the future parser
+ # It should have been
+ #
+ # $puppetmasters = map(values(hiera('puppetmaster::servers')) |p| {
p['worker'] })
+ #
+ # Instead, we will have to jump through hoops (templates, yaml parsing,
+ # parser functions) for this simple thing. So don't and just hardcode it.
+ # Does it suck ? Yes it does. But we are not going through all that
+ $puppetmasters = [
+ 'puppetmaster1001.eqiad.wmnet',
+ 'puppetmaster1002.eqiad.wmnet',
+ 'puppetmaster2001.codfw.wmnet',
+ 'puppetmaster2002.codfw.wmnet',
+ 'rhodium.eqiad.wmnet',
+ ]
+ $puppetmasters_ferm = join($puppetmasters, ' ')
ferm::service { 'puppetdb':
proto => 'tcp',
port => 443,
notrack => true,
- srange => '$DOMAIN_NETWORKS',
+ srange => "@resolve((${puppetmasters_ferm}))",
}
class { 'postgresql::ganglia':
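Review bot: The hard-coded `$puppetmasters` array duplicates what `hiera('puppetmaster::servers')` already holds, so the two will drift the next time a puppetmaster is added or decommissioned and the new host will silently be unable to reach puppetdb until someone remembers this file; at minimum the comment block should name the hiera key that must be updated in lock-step, and the sentence on the last comment line ("But we are not going through all that") is cut off mid-thought and should be finished or dropped. Two ferm caveats worth a comment next to `srange => "@resolve((${puppetmasters_ferm}))"`: the double-parenthesis form resolves the names when the ruleset is loaded, so if any of the five names fails to resolve ferm rejects the whole ruleset rather than just this rule, and `@resolve` defaults to A records, so the rule covers IPv4 only unless an `AAAA` variant is added alongside it. The change itself is a clear tightening over the previous `$DOMAIN_NETWORKS` source range.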
--
To view, visit https://gerrit.wikimedia.org/r/312513
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: I5506f515ec8be612e14a55126598e70fb7e19c94
Gerrit-PatchSet: 3
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Alexandros Kosiaris <[email protected]>
Gerrit-Reviewer: Alexandros Kosiaris <[email protected]>
Gerrit-Reviewer: Giuseppe Lavagetto <[email protected]>
Gerrit-Reviewer: jenkins-bot <>
_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits