Rush has submitted this change and it was merged. (
https://gerrit.wikimedia.org/r/392062 )
Change subject: openstack: move ferm rules out of site.pp
......................................................................
openstack: move ferm rules out of site.pp
These were previously shimmed into the node level here
because our multi-site reasoning was lacking.
Bug: T171494
Change-Id: I3a276e87635796cc250eb875a5ed9e4e8ad69fff
---
M manifests/site.pp
M modules/profile/manifests/openstack/base/keystone/db.pp
M modules/profile/manifests/openstack/labtest/keystone/service.pp
M modules/profile/manifests/openstack/labtestn/keystone/service.pp
4 files changed, 42 insertions(+), 29 deletions(-)
Approvals:
Rush: Looks good to me, approved
jenkins-bot: Verified
diff --git a/manifests/site.pp b/manifests/site.pp
index 77d6119..24dc4f7 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -1064,32 +1064,6 @@
include ::standard
include ::base::firewall
role(wmcs::openstack::labtest::control)
-
- # Labtest is weird; the mysql server is on labtestcontrol2001. So
- # we need some special fw rules to allow that
- $designate = ipresolve(hiera('labs_designate_hostname'),4)
- $horizon = ipresolve(hiera('labs_horizon_host'),4)
- $wikitech = ipresolve(hiera('labs_osm_host'),4)
- $puppetmaster = ipresolve('labtestpuppetmaster2001.wikimedia.org',4)
- $fwrules = {
- mysql_designate => {
- rule => "saddr ${designate} proto tcp dport (3306) ACCEPT;",
- },
- mysql_puppetmaster => {
- rule => "saddr ${puppetmaster} proto tcp dport (3306) ACCEPT;",
- },
- mysql_horizon => {
- rule => "saddr ${horizon} proto tcp dport (3306) ACCEPT;",
- },
- mysql_wikitech => {
- rule => "saddr ${wikitech} proto tcp dport (3306) ACCEPT;",
- },
- labspuppetbackend_horizon => {
- rule => "saddr ${horizon} proto tcp dport (8100) ACCEPT;",
- },
- }
- create_resources (ferm::rule, $fwrules)
-
}
node 'labtestcontrol2003.wikimedia.org' {
diff --git a/modules/profile/manifests/openstack/base/keystone/db.pp
b/modules/profile/manifests/openstack/base/keystone/db.pp
index 5adfb59..c5a1daf 100644
--- a/modules/profile/manifests/openstack/base/keystone/db.pp
+++ b/modules/profile/manifests/openstack/base/keystone/db.pp
@@ -1,5 +1,9 @@
class profile::openstack::base::keystone::db(
$labs_hosts_range = hiera('profile::openstack::base::labs_hosts_range'),
+ $puppetmaster_hostname =
hiera('profile::openstack::base::puppetmaster_hostname'),
+ $designate_host = hiera('profile::openstack::base::designate_host'),
+ $horizon_host = hiera('profile::openstack::base::horizon_host'),
+ $osm_host = hiera('profile::openstack::base::osm_host'),
) {
package {'mysql-server':
@@ -24,4 +28,30 @@
ensure => 'present',
rule => "saddr ${labs_hosts_range} proto tcp dport (3306) ACCEPT;",
}
+
+ ferm::rule{'mysql_designate':
+ ensure => 'present',
+ rule => "saddr @resolve(${designate_host}) proto tcp dport (3306)
ACCEPT;",
+ }
+
+ ferm::rule{'mysql_puppetmaster':
+ ensure => 'present',
+ rule => "saddr @resolve(${puppetmaster_hostname}) proto tcp dport
(3306) ACCEPT;",
+ }
+
+ ferm::rule{'mysql_horizon':
+ ensure => 'present',
+ rule => "saddr @resolve(${horizon_host}) proto tcp dport (3306)
ACCEPT;",
+ }
+
+ ferm::rule{'mysql_wikitech':
+ ensure => 'present',
+ rule => "saddr @resolve(${osm_host}) proto tcp dport (3306) ACCEPT;",
+ }
+
+ # XXX: still needed?
+ ferm::rule{'labspuppetbackend_horizon':
+ ensure => 'present',
+ rule => "saddr @resolve(${horizon_host}) proto tcp dport (8100)
ACCEPT;",
+ }
}
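Review bot: The `labspuppetbackend_horizon` rule at the end of this hunk is merged with an unresolved `# XXX: still needed?`, so an ACCEPT on tcp/8100 ships without anyone having confirmed that something still depends on it. The rules also move from one labtest node block into `profile::openstack::base::keystone::db`, so presumably every deployment that declares this class now gets all five ACCEPT rules, and the removed comment explaining why MySQL had to be reachable from these hosts was not carried over. I would either drop the 8100 rule until a consumer is identified or replace the marker with a comment that records the reason, e.g. `# <service listening on 8100> is reached from horizon; remove once <TASK-ID> confirms it is unused`. Separately, switching from `ipresolve(..., 4)` to `@resolve(...)` appears to move name resolution from catalog compilation to ferm's rule load on the database host, so a hostname that fails to resolve would surface there instead; a one-line comment on the class saying so would help whoever debugs it.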
diff --git a/modules/profile/manifests/openstack/labtest/keystone/service.pp
b/modules/profile/manifests/openstack/labtest/keystone/service.pp
index ef38e7e..de51b91 100644
--- a/modules/profile/manifests/openstack/labtest/keystone/service.pp
+++ b/modules/profile/manifests/openstack/labtest/keystone/service.pp
@@ -25,10 +25,15 @@
$designate_host = hiera('profile::openstack::labtest::designate_host'),
$designate_host_standby =
hiera('profile::openstack::labtest::designate_host_standby'),
$horizon_host = hiera('profile::openstack::labtest::horizon_host'),
+ $puppetmaster_hostname =
hiera('profile::openstack::labtest::puppetmaster_hostname'),
) {
class{'::profile::openstack::base::keystone::db':
- labs_hosts_range => $labs_hosts_range,
+ labs_hosts_range => $labs_hosts_range,
+ puppetmaster_hostname => $puppetmaster_hostname,
+ designate_host => $designate_host,
+ horizon_host => $horizon_host,
+ osm_host => $osm_host,
}
require ::profile::openstack::labtest::clientlib
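Review bot: `osm_host => $osm_host` is passed to the db class here, but no `$osm_host` parameter is visible among the declarations in this hunk, which only adds `$puppetmaster_hostname`. The parameter list starts above the hunk, so it may already be declared there; if it is not, the value is undef and the `mysql_wikitech` rule would render as `saddr @resolve() proto tcp dport (3306) ACCEPT;`, which most likely breaks the ferm load or leaves the rule meaningless. If it is missing, add `$osm_host = hiera('profile::openstack::labtest::osm_host'),` next to the other host parameters (key name following the pattern of the neighbouring lookups, to be confirmed against hiera). The same check applies to the labtestn `keystone/service.pp` hunk that follows.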
diff --git a/modules/profile/manifests/openstack/labtestn/keystone/service.pp
b/modules/profile/manifests/openstack/labtestn/keystone/service.pp
index 40f303c..f968ded 100644
--- a/modules/profile/manifests/openstack/labtestn/keystone/service.pp
+++ b/modules/profile/manifests/openstack/labtestn/keystone/service.pp
@@ -25,11 +25,15 @@
$designate_host = hiera('profile::openstack::labtestn::designate_host'),
$designate_host_standby =
hiera('profile::openstack::labtestn::designate_host_standby'),
$horizon_host = hiera('profile::openstack::labtestn::horizon_host'),
+ $puppetmaster_hostname =
hiera('profile::openstack::labtestn::puppetmaster_hostname'),
) {
-
class{'::profile::openstack::base::keystone::db':
- labs_hosts_range => $labs_hosts_range,
+ labs_hosts_range => $labs_hosts_range,
+ puppetmaster_hostname => $puppetmaster_hostname,
+ designate_host => $designate_host,
+ horizon_host => $horizon_host,
+ osm_host => $osm_host,
}
require ::profile::openstack::labtestn::clientlib
--
To view, visit https://gerrit.wikimedia.org/r/392062
Gerrit-MessageType: merged
Gerrit-Change-Id: I3a276e87635796cc250eb875a5ed9e4e8ad69fff
Gerrit-PatchSet: 6
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Rush <[email protected]>
Gerrit-Reviewer: Rush <[email protected]>
Gerrit-Reviewer: jenkins-bot <>