[MediaWiki-commits] [Gerrit] operations/puppet[production]: puppetdb: refactor to role/profile

2018-01-10 Thread Giuseppe Lavagetto (Code Review)
Giuseppe Lavagetto has submitted this change and it was merged. ( 
https://gerrit.wikimedia.org/r/403388 )

Change subject: puppetdb: refactor to role/profile
..


puppetdb: refactor to role/profile

* Split the content of the puppetdb role in two profiles: one for the
  puppetdb application, one for the corresponding postgresql database,
  that can be used separately
* Rework puppetmaster::puppetdb::database, which was a mess.
* Move monitoring to the profile for the database, move db tuning to the
  module class itself
* Added type checking to the parameters of puppetmaster::puppetdb::database

Change-Id: I93b02c19398e4fe16818910dfd3ed6f0653aa3a6
---
D hieradata/common/puppetmaster/puppetdb.yaml
A hieradata/role/common/puppetmaster/puppetdb.yaml
A modules/profile/manifests/puppetdb.pp
A modules/profile/manifests/puppetdb/database.pp
M modules/puppetmaster/manifests/puppetdb/database.pp
R modules/puppetmaster/templates/puppetdb/tuning.conf.erb
M modules/role/manifests/puppetmaster/puppetdb.pp
7 files changed, 152 insertions(+), 114 deletions(-)

Approvals:
  Giuseppe Lavagetto: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/hieradata/common/puppetmaster/puppetdb.yaml 
b/hieradata/common/puppetmaster/puppetdb.yaml
deleted file mode 100644
index 4de1c15..000
--- a/hieradata/common/puppetmaster/puppetdb.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-puppetmaster::puppetdb::postgres_users:
-  replication@nihal-v4:
-user: replication
-database: all
-password: "%{::puppetmaster::puppetdb::database::replication_pass}"
-cidr: 10.192.16.184/32
-attrs: REPLICATION
-  puppetdb@nihal-v4:
-user: puppetdb
-database: puppetdb
-password: "%{::puppetmaster::puppetdb::database::puppetdb_pass}"
-cidr: 10.192.16.184/32
-puppetmaster::puppetdb::master: nitrogen.eqiad.wmnet
-puppetmaster::puppetdb::slaves: [nihal.codfw.wmnet]
diff --git a/hieradata/role/common/puppetmaster/puppetdb.yaml 
b/hieradata/role/common/puppetmaster/puppetdb.yaml
new file mode 100644
index 000..fd8c9a8
--- /dev/null
+++ b/hieradata/role/common/puppetmaster/puppetdb.yaml
@@ -0,0 +1,12 @@
+profile::puppetdb::database::users:
+  replication@nihal-v4:
+user: replication
+database: all
+cidr: 10.192.16.184/32
+attrs: REPLICATION
+  puppetdb@nihal-v4:
+user: puppetdb
+database: puppetdb
+cidr: 10.192.16.184/32
+profile::puppetdb::master: nitrogen.eqiad.wmnet
+profile::puppetdb::slaves: [nihal.codfw.wmnet]
diff --git a/modules/profile/manifests/puppetdb.pp 
b/modules/profile/manifests/puppetdb.pp
new file mode 100644
index 000..b8717af
--- /dev/null
+++ b/modules/profile/manifests/puppetdb.pp
@@ -0,0 +1,26 @@
+class profile::puppetdb(
+$master = hiera('profile::puppetdb::master'),
+$puppetmasters = hiera('puppetmaster::servers')
+) {
+# The JVM heap size has been raised to 6G for T170740
+class { '::puppetmaster::puppetdb':
+master=> $master,
+heap_size => '6G',
+}
+
+# Only the TLS-terminating nginx proxy will be exposed
+$puppetmasters_ferm = inline_template('<%= 
@puppetmasters.values.flatten(1).map { |p| p[\'worker\'] }.sort.join(\' \')%>')
+
+ferm::service { 'puppetdb':
+proto   => 'tcp',
+port=> 443,
+notrack => true,
+srange  => "@resolve((${puppetmasters_ferm}))",
+}
+
+ferm::service { 'puppetdb-cumin':
+proto  => 'tcp',
+port   => 443,
+srange => '$CUMIN_MASTERS',
+}
+}
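Review bot: The new class profile::puppetdb has no header comment and neither parameter is documented, unlike the sibling profile::puppetdb::database added in the next file; a `# == Class profile::puppetdb` block above the class line should state that it wraps ::puppetmaster::puppetdb and opens port 443 to the puppetmasters and to $CUMIN_MASTERS, and describe `$master` (hiera profile::puppetdb::master) and `$puppetmasters` (hiera puppetmaster::servers). The inline_template on the $puppetmasters_ferm line presumably expects a hash of arrays of hashes each carrying a 'worker' key, which the page does not show; that shape is worth stating in the parameter doc so a change to puppetmaster::servers is caught. The `heap_size => '6G'` value is hard-coded with only the T170740 comment; a hiera-backed parameter with that default would keep the profile tunable per role. The identical hunk in the uploaded revision further down this page has the same omissions.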
diff --git a/modules/profile/manifests/puppetdb/database.pp 
b/modules/profile/manifests/puppetdb/database.pp
new file mode 100644
index 000..81e3af7
--- /dev/null
+++ b/modules/profile/manifests/puppetdb/database.pp
@@ -0,0 +1,53 @@
+# == Class profile::puppetdb::database
+#
+# Sets up a puppetdb postgresql database.
+#
+class profile::puppetdb::database(
+$master = hiera('profile::puppetdb::master'),
+$slaves = hiera('profile::puppetdb::slaves'),
+$shared_buffers = hiera('profile::puppetdb::database::shared_buffers', 
'7680MB'),
+$replication_password = hiera('puppetdb::password::replication'),
+$puppetdb_password =  hiera('puppetdb::password::rw'),
+$users = hiera('profile::puppetdb::database::users', {}),
+) {
+include ::passwords::postgres
+
+$pgversion = $::lsbdistcodename ? {
+'stretch' => '9.6',
+'jessie'  => '9.4',
+}
+$slave_range = join($slaves, ' ')
+
+$role = $master ? {
+$::fqdn => 'master',
+default => 'slave',
+}
+
+class { '::puppetmaster::puppetdb::database':
+master   => $master,
+pgversion=> $pgversion,
+shared_buffers   => $shared_buffers,
+replication_pass => $replication_password,
+puppetdb_pass=> $puppetdb_password,
+puppetdb_users   => $users,
+}
+
+# Monitoring
+class { '::prometheus::postgres_exporter': }
+
+if $role 

[MediaWiki-commits] [Gerrit] operations/puppet[production]: puppetdb: refactor to role/profile

2018-01-10 Thread Giuseppe Lavagetto (Code Review)
Giuseppe Lavagetto has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/403388 )

Change subject: puppetdb: refactor to role/profile
..

puppetdb: refactor to role/profile

* Split the content of the puppetdb role in two profiles: one for the
  puppetdb application, one for the corresponding postgresql database,
  that can be used separately
* Rework puppetmaster::puppetdb::database, which was a mess.
* Move monitoring to the profile for the database, move db tuning to the
  module class itself
* Added type checking to the parameters of puppetmaster::puppetdb::database

Change-Id: I93b02c19398e4fe16818910dfd3ed6f0653aa3a6
---
R hieradata/role/common/puppetmaster/puppetdb.yaml
A modules/profile/manifests/puppetdb.pp
A modules/profile/manifests/puppetdb/database.pp
M modules/puppetmaster/manifests/puppetdb/database.pp
R modules/puppetmaster/templates/puppetdb/tuning.conf.erb
M modules/role/manifests/puppetmaster/puppetdb.pp
6 files changed, 132 insertions(+), 102 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/88/403388/1

diff --git a/hieradata/common/puppetmaster/puppetdb.yaml 
b/hieradata/role/common/puppetmaster/puppetdb.yaml
similarity index 63%
rename from hieradata/common/puppetmaster/puppetdb.yaml
rename to hieradata/role/common/puppetmaster/puppetdb.yaml
index 4de1c15..6b56a8a 100644
--- a/hieradata/common/puppetmaster/puppetdb.yaml
+++ b/hieradata/role/common/puppetmaster/puppetdb.yaml
@@ -1,14 +1,14 @@
-puppetmaster::puppetdb::postgres_users:
+profile::puppetdb::postgres_users:
   replication@nihal-v4:
 user: replication
 database: all
-password: "%{::puppetmaster::puppetdb::database::replication_pass}"
+password: "%{::profile::puppetdb::database::replication_password}"
 cidr: 10.192.16.184/32
 attrs: REPLICATION
   puppetdb@nihal-v4:
 user: puppetdb
 database: puppetdb
-password: "%{::puppetmaster::puppetdb::database::puppetdb_pass}"
+password: "%{::profile::puppetdb::database::puppetdb_password}"
 cidr: 10.192.16.184/32
 puppetmaster::puppetdb::master: nitrogen.eqiad.wmnet
 puppetmaster::puppetdb::slaves: [nihal.codfw.wmnet]
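Review bot: The hiera keys in this hunk do not match what the new profiles look up: the renamed top key is `profile::puppetdb::postgres_users`, while profile::puppetdb::database reads `profile::puppetdb::database::users` with a default of `{}`, so the users hash would silently resolve to empty; the unchanged `puppetmaster::puppetdb::master` and `puppetmaster::puppetdb::slaves` lines are read as `profile::puppetdb::master` and `profile::puppetdb::slaves` by both profiles, which have no default and would fail the lookup. The keys should become `profile::puppetdb::database::users:`, `profile::puppetdb::master: nitrogen.eqiad.wmnet` and `profile::puppetdb::slaves: [nihal.codfw.wmnet]`, which is what the merged revision at the top of this page uses. The `%{::profile::puppetdb::database::...}` password interpolations also rely on that class already being evaluated when the hash is looked up, which is fragile; the merged revision drops the password entries from hiera and passes the secrets as class parameters instead.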
diff --git a/modules/profile/manifests/puppetdb.pp 
b/modules/profile/manifests/puppetdb.pp
new file mode 100644
index 000..b8717af
--- /dev/null
+++ b/modules/profile/manifests/puppetdb.pp
@@ -0,0 +1,26 @@
+class profile::puppetdb(
+$master = hiera('profile::puppetdb::master'),
+$puppetmasters = hiera('puppetmaster::servers')
+) {
+# The JVM heap size has been raised to 6G for T170740
+class { '::puppetmaster::puppetdb':
+master=> $master,
+heap_size => '6G',
+}
+
+# Only the TLS-terminating nginx proxy will be exposed
+$puppetmasters_ferm = inline_template('<%= 
@puppetmasters.values.flatten(1).map { |p| p[\'worker\'] }.sort.join(\' \')%>')
+
+ferm::service { 'puppetdb':
+proto   => 'tcp',
+port=> 443,
+notrack => true,
+srange  => "@resolve((${puppetmasters_ferm}))",
+}
+
+ferm::service { 'puppetdb-cumin':
+proto  => 'tcp',
+port   => 443,
+srange => '$CUMIN_MASTERS',
+}
+}
diff --git a/modules/profile/manifests/puppetdb/database.pp 
b/modules/profile/manifests/puppetdb/database.pp
new file mode 100644
index 000..13b5407
--- /dev/null
+++ b/modules/profile/manifests/puppetdb/database.pp
@@ -0,0 +1,52 @@
+# == Class profile::puppetdb::database
+#
+# Sets up a puppetdb postgresql database.
+#
+class profile::puppetdb::database(
+$master = hiera('profile::puppetdb::master'),
+$slaves = hiera('profile::puppetdb::slaves'),
+$shared_buffers = hiera('profile::puppetdb::database::shared_buffers', 
'7680MB'),
+$replication_password = hiera('puppetdb::password::replication'),
+$puppetdb_password =  hiera('puppetdb::password::rw'),
+$users = hiera('profile::puppetdb::database::users', {}),
+) {
+include ::passwords::postgres
+
+$pgversion = $::lsbdistcodename ? {
+'stretch' => '9.6',
+'jessie'  => '9.4',
+}
+$slave_range = join($slaves, ' ')
+
+$role = $master ? {
+$::fqdn => 'master',
+default => 'slave',
+}
+
+class { '::puppetmaster::puppetdb::database':
+master   => $master,
+pgversion=> $pgversion,
+replication_pass => $replication_password,
+puppetdb_pass=> $puppetdb_password,
+puppetdb_users   => $users,
+}
+
+# Monitoring
+class { '::prometheus::postgres_exporter': }
+
+if $role == 'slave' {
+class { 'postgresql::slave::monitoring':
+pg_master   => $master,
+pg_user => 'replication',
+pg_password => $replication_password,
+}
+}
+
+# Firewall rules
+# Allow connections from all the slaves
+ferm::service { 'postgresql_puppetdb':
+proto  =>