From a77153dac35e1cff12334d56a4c9fcd53586e58f Mon Sep 17 00:00:00 2001 From: Peter Palfrader Date: Mon, 30 Sep 2019 10:02:06 +0200 Subject: [PATCH] manage bmdb1/main pg_hba --- data/common.yaml | 14 +++++++++ data/nodes/bmdb1.debian.org.yaml | 2 +- modules/ferm/manifests/per_host.pp | 14 --------- modules/roles/manifests/buildd_master.pp | 12 ++++++++ modules/roles/manifests/debtags.pp | 17 ++++++++++- modules/roles/manifests/pet.pp | 17 ++++++++++- modules/roles/manifests/qamaster.pp | 37 +++++++++++++++++++++++- modules/roles/manifests/release.pp | 16 ++++++++-- modules/roles/manifests/udd.pp | 1 + 9 files changed, 110 insertions(+), 20 deletions(-) diff --git a/data/common.yaml b/data/common.yaml index 30bbca0e5..6842ec253 100644 --- a/data/common.yaml +++ b/data/common.yaml @@ -51,6 +51,8 @@ bacula::client::storage_server: storace.debian.org roles::buildd_master::params::db_address: danzi.debian.org roles::buildd_master::params::db_port: 5436 +roles::buildd_master::qa_buildlogchecks_db_address: bmdb1.debian.org +roles::buildd_master::qa_buildlogchecks_db_port: 5435 roles::debconf_wafer::db_address: danzi.debian.org roles::debconf_wafer::db_port: 5434 @@ -58,11 +60,23 @@ roles::debconf_wafer::db_port: 5434 roles::debsources::db_address: bmdb1.debian.org roles::debsources::db_port: 5440 +roles::debtags::db_address: bmdb1.debian.org +roles::debtags::db_port: 5435 + roles::ftp_master::db_port: 5433 roles::nm::db_address: danzi.debian.org roles::nm::db_port: 5433 +roles::pet::params::db_address: bmdb1.debian.org +roles::pet::params::db_port: 5435 + +roles::qamaster::db_address: bmdb1.debian.org +roles::qamaster::db_port: 5435 + +roles::release::db_address: bmdb1.debian.org +roles::release::db_port: 5435 + roles::rtmaster::db_address: danzi.debian.org roles::rtmaster::db_port: 5433 diff --git a/data/nodes/bmdb1.debian.org.yaml b/data/nodes/bmdb1.debian.org.yaml index 63dac30bc..9155331e7 100644 --- a/data/nodes/bmdb1.debian.org.yaml 
+++ b/data/nodes/bmdb1.debian.org.yaml @@ -4,4 +4,4 @@ classes: - roles::postgresql::ftp_master_dak_replica postgres::backup_server::register_backup_clienthost::allow_read_hosts: ['fasolo'] -roles::postgresql::server::manage_clusters_hba: [5440] +roles::postgresql::server::manage_clusters_hba: [5440, 5435] diff --git a/modules/ferm/manifests/per_host.pp b/modules/ferm/manifests/per_host.pp index 970ff2b91..50fe60741 100644 --- a/modules/ferm/manifests/per_host.pp +++ b/modules/ferm/manifests/per_host.pp @@ -56,20 +56,6 @@ class ferm::per_host { # postgres stuff case $::hostname { bmdb1: { - ferm::rule { 'dsa-postgres-main': - description => 'Allow postgress access to cluster: main', - domain => '(ip ip6)', - rule => @("EOF"/$) - &SERVICE_RANGE(tcp, 5435, ( - ${ join(getfromhash($deprecated::allnodeinfo, 'petrova.debian.org', 'ipHostNumber'), " ") } - ${ join(getfromhash($deprecated::allnodeinfo, 'ullmann.debian.org', 'ipHostNumber'), " ") } - ${ join(getfromhash($deprecated::allnodeinfo, 'wuiet.debian.org', 'ipHostNumber'), " ") } - ${ join(getfromhash($deprecated::allnodeinfo, 'quantz.debian.org', 'ipHostNumber'), " ") } - ${ join(getfromhash($deprecated::allnodeinfo, 'respighi.debian.org', 'ipHostNumber'), " ") } - ${ join(getfromhash($deprecated::allnodeinfo, 'tate.debian.org', 'ipHostNumber'), " ") } - )) - | EOF - } ferm::rule { 'dsa-postgres-dak': description => 'Allow postgress access to cluster: dak', domain => '(ip ip6)', diff --git a/modules/roles/manifests/buildd_master.pp b/modules/roles/manifests/buildd_master.pp index 3d4d449c9..6c6f4be21 100644 --- a/modules/roles/manifests/buildd_master.pp +++ b/modules/roles/manifests/buildd_master.pp 
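Review bot: Once 5435 joins manage_clusters_hba, pg_hba for the main cluster is generated from collected postgres::cluster::hba_entry resources only, so any client that does not export one for that port loses access on bmdb1's next agent run. The ferm rule 'dsa-postgres-main' removed from modules/ferm/manifests/per_host.pp in this patch named six client hosts (petrova, ullmann, wuiet, quantz, respighi, tate); the roles changed here do not name hosts, so I cannot confirm from the diff that each of those still gets an entry — worth checking against puppetdb before this lands. I also cannot see whether hba_entry collection creates the matching ferm rule on bmdb1; if it does not, dropping 'dsa-postgres-main' closes port 5435 at the firewall for these clients. A short comment next to the list, e.g. `# 5435: main cluster, pg_hba built from exported hba_entry resources (see roles::qamaster etc.)`, would help the next person.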
@@ -2,7 +2,11 @@ # # @param db_address hostname of the postgres server for this service # @param db_port port of the postgres server for this service +# @param qa_buildlogchecks_db_address hostname of the postgres server for this service +# @param qa_buildlogchecks_db_port port of the postgres server for this service class roles::buildd_master ( + String $qa_buildlogchecks_db_address, + Integer $qa_buildlogchecks_db_port, String $db_address = $roles::buildd_master::params::db_address, Integer $db_port = $roles::buildd_master::params::db_port, ) inherits roles::buildd_master::params { @@ -37,4 +41,12 @@ class roles::buildd_master ( } include roles::udd::db_guest_access + + @@postgres::cluster::hba_entry { "qa-buildlogchecks-${::fqdn}": + tag => "postgres::cluster::${qa_buildlogchecks_db_port}::hba::${qa_buildlogchecks_db_address}", + pg_port => $qa_buildlogchecks_db_port, + database => 'qa-buildlogchecks', + user => 'qa-buildlogchecks', + address => $base::public_addresses, + } } diff --git a/modules/roles/manifests/debtags.pp b/modules/roles/manifests/debtags.pp index 263de7c4e..53147ebec 100644 --- a/modules/roles/manifests/debtags.pp +++ b/modules/roles/manifests/debtags.pp @@ -1,4 +1,11 @@ -class roles::debtags { +# debtags.debian.org role +# +# @param db_address hostname of the postgres server for this service +# @param db_port port of the postgres server for this service +class roles::debtags ( + String $db_address, + Integer $db_port, +) { include apache2 include apache2::ssl include roles::sso_rp @@ -15,4 +22,12 @@ class roles::debtags { site => 'debtags.debian.org', source => 'puppet:///modules/roles/debtags/debtags.debian.org', } + + @@postgres::cluster::hba_entry { "debtags-${::fqdn}": + tag => "postgres::cluster::${db_port}::hba::${db_address}", + pg_port => $db_port, + database => 'debtags', + user => 'debtags', + address => $base::public_addresses, + } } 
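Review bot: The two new @param lines in the roles::buildd_master header repeat the db_address/db_port text ("hostname of the postgres server for this service") word for word, so the doc no longer says which database each pair locates. Suggest `# @param qa_buildlogchecks_db_address hostname of the postgres server holding the qa-buildlogchecks database` and `# @param qa_buildlogchecks_db_port port of that server`. The same copied wording is in the roles::qamaster header hunk in modules/roles/manifests/qamaster.pp and should be fixed there too. The hba_entry added at the end of this file, like the ones in debtags.pp, pet.pp and release.pp, sets no `method` and so presumably relies on the define's default; a comment naming that default where the entries are declared would make the contrast with the explicit `method => 'trust'` entries in qamaster.pp obvious.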
diff --git a/modules/roles/manifests/pet.pp b/modules/roles/manifests/pet.pp index c3828089d..27a264af4 100644 --- a/modules/roles/manifests/pet.pp +++ b/modules/roles/manifests/pet.pp @@ -1,5 +1,20 @@ -class roles::pet { +# pet.debian.org role +# +# @param db_address hostname of the postgres server for this service +# @param db_port port of the postgres server for this service +class roles::pet ( + String $db_address = $roles::pet::params::db_address, + Integer $db_port = $roles::pet::params::db_port, +) { include apache2 ssl::service { 'pet.debian.net': notify => Exec['service apache2 reload'], key => true, } ssl::service { 'pet-devel.debian.net': notify => Exec['service apache2 reload'], key => true, } + + @@postgres::cluster::hba_entry { "pet-${::fqdn}": + tag => "postgres::cluster::${db_port}::hba::${db_address}", + pg_port => $db_port, + database => ['pet', 'pet-devel'], + user => 'pet', + address => $base::public_addresses, + } } diff --git a/modules/roles/manifests/qamaster.pp b/modules/roles/manifests/qamaster.pp index 66ba8381b..e0c897153 100644 --- a/modules/roles/manifests/qamaster.pp +++ b/modules/roles/manifests/qamaster.pp @@ -1,4 +1,15 @@ -class roles::qamaster { +# qa.debian.org role +# +# @param db_address hostname of the postgres server for this service +# @param db_port port of the postgres server for this service +# @param qa_buildlogchecks_db_address hostname of the postgres server for this service +# @param qa_buildlogchecks_db_port port of the postgres server for this service +class roles::qamaster ( + String $db_address, + Integer $db_port, + String $qa_buildlogchecks_db_address = lookup('roles::buildd_master::qa_buildlogchecks_db_address'), + Integer $qa_buildlogchecks_db_port = lookup('roles::buildd_master::qa_buildlogchecks_db_port'), +) { include apache2 include roles::sso_rp 
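Review bot: roles::pet's parameter defaults read $roles::pet::params::db_address and $roles::pet::params::db_port, but the class does not `inherits roles::pet::params` the way roles::buildd_master does in this same patch. Unless roles::pet::params is evaluated before roles::pet by something I cannot see here (roles::pet::db_guest_access, perhaps), those variables are undef at evaluation time and the String/Integer type checks on the parameters fail. Either change the header to `class roles::pet (` … `) inherits roles::pet::params {`, or drop the params indirection and rename the common.yaml keys to `roles::pet::db_address` / `roles::pet::db_port` so automatic parameter lookup fills them as it does for debtags, qamaster and release.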
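Review bot: The qa_buildlogchecks_db_address/_port defaults in the roles::qamaster header are explicit lookup() calls on roles::buildd_master's hiera keys, so where qamaster's qa-buildlogchecks entry points is decided by another role's data and a search for roles::qamaster keys will not find it. Consider adding `roles::qamaster::qa_buildlogchecks_db_address` and `roles::qamaster::qa_buildlogchecks_db_port` to common.yaml (pointing at the same values if they must stay in sync) and letting automatic parameter lookup fill them like db_address/db_port, or at minimum a comment on the lookup lines such as `# qa-buildlogchecks lives on the buildd_master database server; keep in sync with roles::buildd_master`.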
@@ -10,4 +21,28 @@ class roles::qamaster { } include roles::udd::db_guest_access + + @@postgres::cluster::hba_entry { "qa-${::fqdn}": + tag => "postgres::cluster::${db_port}::hba::${db_address}", + pg_port => $db_port, + database => 'qa', + user => ['qa', 'qaweb'], + address => $base::public_addresses, + } + @@postgres::cluster::hba_entry { "qa-guest-${::fqdn}": + tag => "postgres::cluster::${db_port}::hba::${db_address}", + pg_port => $db_port, + database => 'qa', + user => 'guest', + address => $base::public_addresses, + method => 'trust', + } + @@postgres::cluster::hba_entry { "qa-buildlogchecks-guest-${::fqdn}": + tag => "postgres::cluster::${qa_buildlogchecks_db_port}::hba::${qa_buildlogchecks_db_address}", + pg_port => $qa_buildlogchecks_db_port, + database => 'qa-buildlogchecks', + user => 'guest', + address => $base::public_addresses, + method => 'trust', + } } diff --git a/modules/roles/manifests/release.pp b/modules/roles/manifests/release.pp index 14015ee86..72b6b9946 100644 --- a/modules/roles/manifests/release.pp +++ b/modules/roles/manifests/release.pp @@ -1,7 +1,19 @@ # release.debian.org role # -class roles::release { - +# @param db_address hostname of the postgres server for this service +# @param db_port port of the postgres server for this service +class roles::release ( + String $db_address, + Integer $db_port, +) { include roles::buildd_master::db_guest_access include roles::udd::db_guest_access + + @@postgres::cluster::hba_entry { "release-${::fqdn}": + tag => "postgres::cluster::${db_port}::hba::${db_address}", + pg_port => $db_port, + database => 'release', + user => 'release', + address => $base::public_addresses, + } } diff --git a/modules/roles/manifests/udd.pp b/modules/roles/manifests/udd.pp index 7aebd398e..a6f4c2dbe 100644 --- a/modules/roles/manifests/udd.pp +++ b/modules/roles/manifests/udd.pp 
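Review bot: The two entries with `method => 'trust'` at the end of roles::qamaster let any connection arriving from qamaster's public addresses log in as `guest` on the qa and qa-buildlogchecks databases with no credential, so the only controls left are that address list and whatever the guest role may do server-side. That appears intentional (it parallels the roles::*::db_guest_access classes included above), but nothing in the manifest records it. Suggest a comment above the first trust entry: `# 'guest' is deliberately password-less (trust) from this host; limit it through the role's grants on the server, not here`.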
@@ -10,6 +10,7 @@ class roles::udd { } include roles::buildd_master::db_guest_access + include roles::pet::db_guest_access class { 'roles::udd::db_guest_access': database => ['udd', 'udd-dev'], -- 2.20.1