Dzahn has submitted this change and it was merged. ( 
https://gerrit.wikimedia.org/r/385472 )

Change subject: Migrate contint::firewall to a profile
......................................................................


Migrate contint::firewall to a profile

Rename some hiera variables in the process.

Resolved violations:

modules/contint/manifests/firewall.pp
 Found hiera call in class 'contint::firewall'
 Found hiera call in class 'contint::firewall'
 includes base::firewall from another module
 includes network::constants from another module

modules/profile/manifests/ci/firewall.pp
 profile 'profile::ci::firewall' includes non-profile class
 contint::firewall

Change-Id: Ib2a4b057195c56a85640746b2f69646062f6e9d1
---
R hieradata/common/profile/ci/firewall.yaml
D modules/contint/manifests/firewall.pp
M modules/profile/manifests/ci/firewall.pp
3 files changed, 73 insertions(+), 68 deletions(-)

Approvals:
  jenkins-bot: Verified
  Dzahn: Looks good to me, approved



diff --git a/hieradata/common/contint.yaml 
b/hieradata/common/profile/ci/firewall.yaml
similarity index 74%
rename from hieradata/common/contint.yaml
rename to hieradata/common/profile/ci/firewall.yaml
index dddce3a..e72d071 100644
--- a/hieradata/common/contint.yaml
+++ b/hieradata/common/profile/ci/firewall.yaml
@@ -2,12 +2,12 @@
 #
 # Use ip address since the value is injected in an iptables rule and ferm
 # @resolve has undefined behavior.
-contint::nodepool_host: '10.64.20.18'  # labnodepool1001.eqiad.wmnet
+profile::ci::firewall::nodepool_host: '10.64.20.18'  # 
labnodepool1001.eqiad.wmnet
 
 # Hosts running zuul-merger process
 #
 # Use ip addresses since the values are injected in iptables rules.
 #
-contint::zuul_merger_hosts:
+profile::ci::firewall::zuul_merger_hosts:
     - 208.80.154.17 # contint1001.wikimedia.org T150936, T140297
     - 208.80.153.15 # contint2001.wikimedia.org
diff --git a/modules/contint/manifests/firewall.pp 
b/modules/contint/manifests/firewall.pp
deleted file mode 100644
index 2de84bf..0000000
--- a/modules/contint/manifests/firewall.pp
+++ /dev/null
@@ -1,64 +0,0 @@
-# vim: set ts=4 sw=4 et:
-class contint::firewall {
-
-    include ::base::firewall
-    include ::network::constants
-
-    # Restrict some services to be only reacheable from localhost over both
-    # IPv4 and IPv6 (to be safe)
-
-    # Jenkins on port 8080, reacheable via Apache proxying the requests
-    ferm::rule { 'jenkins_localhost_only':
-        rule => 'proto tcp dport 8080 { saddr (127.0.0.1 ::1) ACCEPT; }',
-    }
-    # Zuul status page on port 8001, reacheable via Apache proxying the 
requests
-    ferm::rule { 'zuul_localhost_only':
-        rule => 'proto tcp dport 8001 { saddr (127.0.0.1 ::1) ACCEPT; }',
-    }
-
-    # Gearman is used between Zuul and the Jenkin master, both on the same
-    # server and communicating over localhost.
-    # It is also used by Zuul merger daemons.
-    $zuul_merger_hosts = hiera('contint::zuul_merger_hosts')
-    $zuul_merger_hosts_ferm = join($zuul_merger_hosts, ' ')
-
-    ferm::service { 'gearman_from_zuul_mergers':
-        proto  => 'tcp',
-        port   => '4730',
-        srange => "(${zuul_merger_hosts_ferm})",
-    }
-
-    # Nodepool related
-    $nodepool_host = hiera('contint::nodepool_host')
-    ferm::service { 'gearman_from_nodepool':
-        proto  => 'tcp',
-        port   => '4730',
-        srange => $nodepool_host,
-    }
-    ferm::service { 'jenkins_zeromq_from_nodepool':
-        proto  => 'tcp',
-        port   => '8888',
-        srange => $nodepool_host,
-    }
-
-    ferm::service { 'jenkins_restapi_from_nodepool':
-        proto  => 'tcp',
-        port   => '443',
-        srange => $nodepool_host,
-    }
-
-    ferm::service { 'gerrit_ssh':
-        proto  => 'tcp',
-        port   => '29418',
-        srange => '@resolve((gerrit2001.wikimedia.org cobalt.wikimedia.org 
gerrit.wikimedia.org))',
-    }
-
-    # ALLOWS:
-
-    # web access
-    ferm::service { 'allow_http':
-        proto  => 'tcp',
-        port   => '80',
-        srange => '$PRODUCTION_NETWORKS',
-    }
-}
diff --git a/modules/profile/manifests/ci/firewall.pp 
b/modules/profile/manifests/ci/firewall.pp
index 9616732..1c164e4 100644
--- a/modules/profile/manifests/ci/firewall.pp
+++ b/modules/profile/manifests/ci/firewall.pp
@@ -1,3 +1,72 @@
-class profile::ci::firewall {
-    include ::contint::firewall
+# == class contint::firewall
+#
+# === Parameters
+#
+# Several bricks communicate with the Zuul Gearman server:
+#
+# [$nodepool_host] The Nodepool server
+# [$zuul_merger_hosts] List of zuul-mergers
+#
+class profile::ci::firewall (
+    $nodepool_host = hiera('profile::ci::firewall::nodepool_host'),
+    $zuul_merger_hosts = hiera('profile::ci::firewall::zuul_merger_hosts'),
+) {
+    class { '::base::firewall': }
+    include ::network::constants
+
+    # Restrict some services to be only reacheable from localhost over both
+    # IPv4 and IPv6 (to be safe)
+
+    # Jenkins on port 8080, reacheable via Apache proxying the requests
+    ferm::rule { 'jenkins_localhost_only':
+        rule => 'proto tcp dport 8080 { saddr (127.0.0.1 ::1) ACCEPT; }',
+    }
+    # Zuul status page on port 8001, reacheable via Apache proxying the 
requests
+    ferm::rule { 'zuul_localhost_only':
+        rule => 'proto tcp dport 8001 { saddr (127.0.0.1 ::1) ACCEPT; }',
+    }
+
+    # Gearman is used between Zuul and the Jenkin master, both on the same
+    # server and communicating over localhost.
+    # It is also used by Zuul merger daemons.
+    $zuul_merger_hosts_ferm = join($zuul_merger_hosts, ' ')
+
+    ferm::service { 'gearman_from_zuul_mergers':
+        proto  => 'tcp',
+        port   => '4730',
+        srange => "(${zuul_merger_hosts_ferm})",
+    }
+
+    # Nodepool related
+    ferm::service { 'gearman_from_nodepool':
+        proto  => 'tcp',
+        port   => '4730',
+        srange => $nodepool_host,
+    }
+    ferm::service { 'jenkins_zeromq_from_nodepool':
+        proto  => 'tcp',
+        port   => '8888',
+        srange => $nodepool_host,
+    }
+
+    ferm::service { 'jenkins_restapi_from_nodepool':
+        proto  => 'tcp',
+        port   => '443',
+        srange => $nodepool_host,
+    }
+
+    ferm::service { 'gerrit_ssh':
+        proto  => 'tcp',
+        port   => '29418',
+        srange => '@resolve((gerrit2001.wikimedia.org cobalt.wikimedia.org 
gerrit.wikimedia.org))',
+    }
+
+    # ALLOWS:
+
+    # web access
+    ferm::service { 'allow_http':
+        proto  => 'tcp',
+        port   => '80',
+        srange => '$PRODUCTION_NETWORKS',
+    }
 }
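Review bot: The switch from `include ::base::firewall` to the resource-like `class { '::base::firewall': }` on the first line of the class body can break catalog compilation with a duplicate declaration error if any other profile applied to the same host has already declared `::base::firewall` via `include`, since Puppet only permits a resource-like declaration of a class that has not been declared yet; `include ::base::firewall` is the safe form here as no parameters are passed. The `$nodepool_host` and `$zuul_merger_hosts` parameters are interpolated directly into ferm `srange` values without any check, while the hieradata comments state they must be literal IP addresses precisely because `@resolve` is unreliable in this position; a type constraint or `validate_ip_address`-style guard at the top of the class would turn a hostname or typo into a compile-time error rather than a silently broken or over-broad rule — which stdlib types are available in this repository is not visible from the diff, so confirm before adding one. The header comment `# == class contint::firewall` still names the deleted class and should read `# == class profile::ci::firewall`.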


Gerrit-MessageType: merged
Gerrit-Change-Id: Ib2a4b057195c56a85640746b2f69646062f6e9d1
Gerrit-PatchSet: 3
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Hashar <has...@free.fr>
Gerrit-Reviewer: Dzahn <dz...@wikimedia.org>
Gerrit-Reviewer: Hashar <has...@free.fr>
Gerrit-Reviewer: jenkins-bot <>
