[MediaWiki-commits] [Gerrit] operations/puppet[production]: puppetdb: refactor to role/profile
Giuseppe Lavagetto has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/403388 ) Change subject: puppetdb: refactor to role/profile .. puppetdb: refactor to role/profile * Split the content of the puppetdb role in two profiles: one for the puppetdb application, one for the corresponding postgresql database, that can be used separately * Rework puppetmaster::puppetdb::database, that was a mess. * Move monitoring to the profile for the database, move db tuning to the module class itself * Added type checking to the parameters of puppetmaster::puppetdb::database Change-Id: I93b02c19398e4fe16818910dfd3ed6f0653aa3a6 --- D hieradata/common/puppetmaster/puppetdb.yaml A hieradata/role/common/puppetmaster/puppetdb.yaml A modules/profile/manifests/puppetdb.pp A modules/profile/manifests/puppetdb/database.pp M modules/puppetmaster/manifests/puppetdb/database.pp R modules/puppetmaster/templates/puppetdb/tuning.conf.erb M modules/role/manifests/puppetmaster/puppetdb.pp 7 files changed, 152 insertions(+), 114 deletions(-) Approvals: Giuseppe Lavagetto: Looks good to me, approved jenkins-bot: Verified
diff --git a/hieradata/common/puppetmaster/puppetdb.yaml b/hieradata/common/puppetmaster/puppetdb.yaml
deleted file mode 100644
index 4de1c15..000
--- a/hieradata/common/puppetmaster/puppetdb.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-puppetmaster::puppetdb::postgres_users:
- replication@nihal-v4:
-user: replication
-database: all
-password: "%{::puppetmaster::puppetdb::database::replication_pass}"
-cidr: 10.192.16.184/32
-attrs: REPLICATION
- puppetdb@nihal-v4:
-user: puppetdb
-database: puppetdb
-password: "%{::puppetmaster::puppetdb::database::puppetdb_pass}"
-cidr: 10.192.16.184/32
-puppetmaster::puppetdb::master: nitrogen.eqiad.wmnet
-puppetmaster::puppetdb::slaves: [nihal.codfw.wmnet]
diff --git a/hieradata/role/common/puppetmaster/puppetdb.yaml b/hieradata/role/common/puppetmaster/puppetdb.yaml
new file mode 100644
index 000..fd8c9a8
--- /dev/null
+++ b/hieradata/role/common/puppetmaster/puppetdb.yaml
@@ -0,0 +1,12 @@
+profile::puppetdb::database::users:
+ replication@nihal-v4:
+user: replication
+database: all
+cidr: 10.192.16.184/32
+attrs: REPLICATION
+ puppetdb@nihal-v4:
+user: puppetdb
+database: puppetdb
+cidr: 10.192.16.184/32
+profile::puppetdb::master: nitrogen.eqiad.wmnet
+profile::puppetdb::slaves: [nihal.codfw.wmnet]
diff --git a/modules/profile/manifests/puppetdb.pp b/modules/profile/manifests/puppetdb.pp
new file mode 100644
index 000..b8717af
--- /dev/null
+++ b/modules/profile/manifests/puppetdb.pp
@@ -0,0 +1,26 @@
+class profile::puppetdb(
+$master = hiera('profile::puppetdb::master'),
+$puppetmasters = hiera('puppetmaster::servers')
+) {
+# The JVM heap size has been raised to 6G for T170740
+class { '::puppetmaster::puppetdb':
+master=> $master,
+heap_size => '6G',
+}
+
+# Only the TLS-terminating nginx proxy will be exposed
+$puppetmasters_ferm = inline_template('<%= @puppetmasters.values.flatten(1).map { |p| p[\'worker\'] }.sort.join(\' \')%>')
+
+ferm::service { 'puppetdb':
+proto => 'tcp',
+port=> 443,
+notrack => true,
+srange => "@resolve((${puppetmasters_ferm}))",
+}
+
+ferm::service { 'puppetdb-cumin':
+proto => 'tcp',
+port => 443,
+srange => '$CUMIN_MASTERS',
+}
+}
diff --git a/modules/profile/manifests/puppetdb/database.pp b/modules/profile/manifests/puppetdb/database.pp
new file mode 100644
index 000..81e3af7
--- /dev/null
+++ b/modules/profile/manifests/puppetdb/database.pp
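Review bot: The `srange` of the `puppetdb` ferm rule in modules/profile/manifests/puppetdb.pp is derived from `puppetmaster::servers` with no check on the shape of that data, and neither `$master` nor `$puppetmasters` is typed, although the commit message says type checking was added to puppetmaster::puppetdb::database. The template assumes every entry carries a `worker` key; a missing key or an empty hash would presumably either break the `sort` or render `@resolve(())`, and how ferm treats that is not visible here. Declaring `String $master = hiera('profile::puppetdb::master'),` and `Hash $puppetmasters = hiera('puppetmaster::servers')` makes a malformed lookup fail at compile time rather than alter the firewall source list. The class also lacks the `# == Class` header that profile::puppetdb::database has; a short one stating that port 443 is opened only to the puppetmaster workers and the cumin masters would document the intended exposure. The same hunk is repeated unchanged in the second message on this page.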
@@ -0,0 +1,53 @@
+# == Class profile::puppetdb::database
+#
+# Sets up a puppetdb postgresql database.
+#
+class profile::puppetdb::database(
+$master = hiera('profile::puppetdb::master'),
+$slaves = hiera('profile::puppetdb::slaves'),
+$shared_buffers = hiera('profile::puppetdb::database::shared_buffers', '7680MB'),
+$replication_password = hiera('puppetdb::password::replication'),
+$puppetdb_password = hiera('puppetdb::password::rw'),
+$users = hiera('profile::puppetdb::database::users', {}),
+) {
+include ::passwords::postgres
+
+$pgversion = $::lsbdistcodename ? {
+'stretch' => '9.6',
+'jessie' => '9.4',
+}
+$slave_range = join($slaves, ' ')
+
+$role = $master ? {
+$::fqdn => 'master',
+default => 'slave',
+}
+
+class { '::puppetmaster::puppetdb::database':
+master => $master,
+pgversion=> $pgversion,
+shared_buffers => $shared_buffers,
+replication_pass => $replication_password,
+puppetdb_pass=> $puppetdb_password,
+puppetdb_users => $users,
+}
+
+# Monitoring
+class { '::prometheus::postgres_exporter': }
+
+if $role
[MediaWiki-commits] [Gerrit] operations/puppet[production]: puppetdb: refactor to role/profile
Giuseppe Lavagetto has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/403388 ) Change subject: puppetdb: refactor to role/profile .. puppetdb: refactor to role/profile * Split the content of the puppetdb role in two profiles: one for the puppetdb application, one for the corresponding postgresql database, that can be used separately * Rework puppetmaster::puppetdb::database, that was a mess. * Move monitoring to the profile for the database, move db tuning to the module class itself * Added type checking to the parameters of puppetmaster::puppetdb::database Change-Id: I93b02c19398e4fe16818910dfd3ed6f0653aa3a6 --- R hieradata/role/common/puppetmaster/puppetdb.yaml A modules/profile/manifests/puppetdb.pp A modules/profile/manifests/puppetdb/database.pp M modules/puppetmaster/manifests/puppetdb/database.pp R modules/puppetmaster/templates/puppetdb/tuning.conf.erb M modules/role/manifests/puppetmaster/puppetdb.pp 6 files changed, 132 insertions(+), 102 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/88/403388/1
diff --git a/hieradata/common/puppetmaster/puppetdb.yaml b/hieradata/role/common/puppetmaster/puppetdb.yaml
similarity index 63%
rename from hieradata/common/puppetmaster/puppetdb.yaml
rename to hieradata/role/common/puppetmaster/puppetdb.yaml
index 4de1c15..6b56a8a 100644
--- a/hieradata/common/puppetmaster/puppetdb.yaml
+++ b/hieradata/role/common/puppetmaster/puppetdb.yaml
@@ -1,14 +1,14 @@
-puppetmaster::puppetdb::postgres_users:
+profile::puppetdb::postgres_users:
 replication@nihal-v4:
 user: replication
 database: all
-password: "%{::puppetmaster::puppetdb::database::replication_pass}"
+password: "%{::profile::puppetdb::database::replication_password}"
 cidr: 10.192.16.184/32
 attrs: REPLICATION
 puppetdb@nihal-v4:
 user: puppetdb
 database: puppetdb
-password: "%{::puppetmaster::puppetdb::database::puppetdb_pass}"
+password: "%{::profile::puppetdb::database::puppetdb_password}"
 cidr: 10.192.16.184/32
 puppetmaster::puppetdb::master: nitrogen.eqiad.wmnet
 puppetmaster::puppetdb::slaves: [nihal.codfw.wmnet]
diff --git a/modules/profile/manifests/puppetdb.pp b/modules/profile/manifests/puppetdb.pp
new file mode 100644
index 000..b8717af
--- /dev/null
+++ b/modules/profile/manifests/puppetdb.pp
@@ -0,0 +1,26 @@
+class profile::puppetdb(
+$master = hiera('profile::puppetdb::master'),
+$puppetmasters = hiera('puppetmaster::servers')
+) {
+# The JVM heap size has been raised to 6G for T170740
+class { '::puppetmaster::puppetdb':
+master=> $master,
+heap_size => '6G',
+}
+
+# Only the TLS-terminating nginx proxy will be exposed
+$puppetmasters_ferm = inline_template('<%= @puppetmasters.values.flatten(1).map { |p| p[\'worker\'] }.sort.join(\' \')%>')
+
+ferm::service { 'puppetdb':
+proto => 'tcp',
+port=> 443,
+notrack => true,
+srange => "@resolve((${puppetmasters_ferm}))",
+}
+
+ferm::service { 'puppetdb-cumin':
+proto => 'tcp',
+port => 443,
+srange => '$CUMIN_MASTERS',
+}
+}
diff --git a/modules/profile/manifests/puppetdb/database.pp b/modules/profile/manifests/puppetdb/database.pp
new file mode 100644
index 000..13b5407
--- /dev/null
+++ b/modules/profile/manifests/puppetdb/database.pp
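Review bot: The renamed key `profile::puppetdb::postgres_users` in the hieradata hunk is not the key the new database profile reads: the database.pp section of this same patch set looks up `hiera('profile::puppetdb::database::users', {})`, so the lookup would fall back to the empty default and the two user entries here would presumably never reach the database class. The last two context lines also keep `puppetmaster::puppetdb::master` and `puppetmaster::puppetdb::slaves`, while the profiles look up `profile::puppetdb::master` and `profile::puppetdb::slaves` with no default. Renaming the three keys to `profile::puppetdb::database::users:`, `profile::puppetdb::master:` and `profile::puppetdb::slaves:` lines the data up with the lookups. Because the `{}` default hides this kind of mismatch, dropping it from the profile would turn a silently empty user list into a compile failure.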
@@ -0,0 +1,52 @@
+# == Class profile::puppetdb::database
+#
+# Sets up a puppetdb postgresql database.
+#
+class profile::puppetdb::database(
+$master = hiera('profile::puppetdb::master'),
+$slaves = hiera('profile::puppetdb::slaves'),
+$shared_buffers = hiera('profile::puppetdb::database::shared_buffers', '7680MB'),
+$replication_password = hiera('puppetdb::password::replication'),
+$puppetdb_password = hiera('puppetdb::password::rw'),
+$users = hiera('profile::puppetdb::database::users', {}),
+) {
+include ::passwords::postgres
+
+$pgversion = $::lsbdistcodename ? {
+'stretch' => '9.6',
+'jessie' => '9.4',
+}
+$slave_range = join($slaves, ' ')
+
+$role = $master ? {
+$::fqdn => 'master',
+default => 'slave',
+}
+
+class { '::puppetmaster::puppetdb::database':
+master => $master,
+pgversion=> $pgversion,
+replication_pass => $replication_password,
+puppetdb_pass=> $puppetdb_password,
+puppetdb_users => $users,
+}
+
+# Monitoring
+class { '::prometheus::postgres_exporter': }
+
+if $role == 'slave' {
+class { 'postgresql::slave::monitoring':
+pg_master => $master,
+pg_user => 'replication',
+pg_password => $replication_password,
+}
+}
+
+# Firewall rules
+# Allow connections from all the slaves
+ferm::service { 'postgresql_puppetdb':
+proto =>