Portal:Cloud VPS/Admin/Hiera: Difference between revisions

From Wikitech-static
imported>Alex Monk
m (puppetmaster++)
imported>David Caro
Line 6: Line 6:
Hiera keys may come from different backends, not only puppet hieradata files.
Hiera keys may come from different backends, not only puppet hieradata files.


You can set hiera data by creating/editing a wiki page on wikitech, by using [[Horizon]] or through diverse yaml-files in the operations/puppet and labs/private git repos. You can see the exact, always up-to-date resolution order at [https://github.com/wikimedia/operations-puppet/blob/production/modules/puppetmaster/files/labs.hiera.yaml].
You can set hiera data by using [[Horizon]] or through diverse yaml-files in the operations/puppet and labs/private git repos. You can see the exact, always up-to-date resolution order at [https://github.com/wikimedia/operations-puppet/blob/production/modules/puppetmaster/files/labs.hiera.yaml].


The following is a dump as of 2018-03-31:
The following is a dump as of 2018-03-31:


* [[Horizon]] (either at the instance level, prefixes, or project level)
* [[Horizon]] (either at the instance level, prefixes, or project level)
* Wikitech page <tt>Hiera:%{::labsproject}/host/%{::hostname}</tt> ('''deprecated''' in favor of [[Horizon]])
* Wikitech page <tt>Hiera:%{::labsproject}</tt> ('''deprecated''' in favor of [[Horizon]])
* operations/puppet git repo, path "hieradata/labs/%{::labsproject}/host/%{::hostname}.yaml"
* operations/puppet git repo, path "hieradata/labs/%{::labsproject}/host/%{::hostname}.yaml"
* operations/puppet git repo, path "hieradata/labs/%{::labsproject}/common.yaml"
* operations/puppet git repo, path "hieradata/labs/%{::labsproject}/common.yaml"
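Review bot: dropping the two Wikitech `Hiera:` page entries from the precedence list leaves the rest of the page inconsistent with this hunk: the list is still introduced as "a dump as of 2018-03-31" although it no longer matches that snapshot, the puppetmaster configuration section still lists `mwyaml == wikitech` as an active backend, and the permissions paragraph still says hiera data can be edited "in Horizon and on Wikitech". Either keep the two entries marked deprecated until the mwyaml backend is actually removed, or update the dump date and those two passages in the same edit so the precedence list and the backend list agree.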
Line 52: Line 50:
The enc mechanism is a custom made API that serves up hiera config (it's what horizon talks to).
The enc mechanism is a custom made API that serves up hiera config (it's what horizon talks to).


'''TODO:''' elaborate
This web service makes two types of endpoints accessible to different instances, one with read-write permissions and one with only read ones.
 
The code for the service is [https://phabricator.wikimedia.org/source/operations-puppet/browse/production/modules/openstack/files/puppet/master/encapi/labspuppetbackend.py here]
 
===== Read endpoint =====
The read only endpoint (referred to as labspuppetbackendgetter in many places), is hosted by nginx, on cloud-puppetmaster-03 (when writing this), listening on http on port 8001 and https on port 8143.
 
It's ensuring read only by declining any non GET http request.
 
===== Read-write endpoint =====
The read-write one is hosted directly to uwsgi, open on the same host on port 8000.
 
====== Cli ======
There's a small cli that will allow interacting with the enc api installed on all the control nodes (cloudcontrol*):
{{Codesample
| code =
root@cloudcontrol1003:~# wmcs-enc-cli --help
usage: wmcs-enc-cli [-h] [--enc-url ENC_URL]
                    [--openstack-project OPENSTACK_PROJECT]
                    {get_node_consolidated_info,get_node_info,get_prefix_hiera,get_project_hiera,set_prefix_hiera}
                    [params [params ...]]
positional arguments:
  {get_node_consolidated_info,get_node_info,get_prefix_hiera,get_project_hiera,set_prefix_hiera}
  params                Any parameters needed for the action chosen.
optional arguments:
  -h, --help            show this help message and exit
  --enc-url ENC_URL    Full url to the enc, for example
                        <nowiki>http://puppetmaster.cloudinfra.wmflabs.org:8101/v1</nowiki>
  --openstack-project OPENSTACK_PROJECT
| line = yes
}}
 
The code for it is hosted [https://phabricator.wikimedia.org/source/operations-puppet/browse/production/modules/openstack/files/util/wmcs-enc-cli.py here]


= Wikitech integration =
= Wikitech integration =
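Review bot: the Read-write endpoint paragraph says only that uwsgi listens on port 8000 on the same host; unlike the read endpoint, which documents that it rejects every non-GET request, nothing says who may reach the writable port or how access to it is restricted, which is the detail an operator needs most, so add a sentence on that (the "accessible to different instances" wording suggests an instance-level restriction that should be spelled out). Two smaller points: the `--enc-url` example in the help output uses port 8101, which matches none of the 8000/8001/8143 ports given just above, so say which endpoint that URL refers to; and `====== Cli ======` is one heading level deeper than the two endpoint headings although the CLI is a sibling of them, not part of the read-write endpoint.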

Revision as of 13:52, 29 January 2021

This page contains information on how hiera data is managed in Cloud VPS, which is a bit different from the main production hiera/puppet workflow.

Precedence of hiera keys

Hiera keys may come from different backends, not only puppet hieradata files.

You can set hiera data by using Horizon or through various YAML files in the operations/puppet and labs/private git repos. You can see the exact, always up-to-date resolution order at [1].

The following is a dump as of 2018-03-31:

  • Horizon (either at the instance level, prefixes, or project level)
  • operations/puppet git repo, path "hieradata/labs/%{::labsproject}/host/%{::hostname}.yaml"
  • operations/puppet git repo, path "hieradata/labs/%{::labsproject}/common.yaml"
  • operations/puppet git repo, path "hieradata/labs.yaml"
  • locally on puppetmasters at "/etc/puppet/secret/hieradata/%{::labsproject}.yaml"
  • labs/private git repo, path "hieradata/labs/%{::labsproject}/common.yaml"
  • labs/private git repo, path "hieradata/%{::labsproject}.yaml"
  • labs/private git repo, path "hieradata/labs.yaml"
  • operations/puppet git repo, path "hieradata/common.yaml"
  • locally on puppetmasters at "/etc/puppet/secret/hieradata/common.yaml"
  • labs/private git repo, path "hieradata/common.yaml"

Where %{::labsproject} is the project (e.g. 'tools') and %{::hostname} the instance name (e.g. 'tools-mail'). Note that providing Hiera settings per role is not possible on Cloud Services.
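As an added illustration (my own code, not the puppetmaster's hiera implementation): a resolver that walks the sources above in the order listed, interpolates %{::labsproject} and %{::hostname}, and reports both the winning source and every shadowed definition. The source contents are constructed sample data, and the "repo:path" and "puppetmaster:path" labels are mine; the paths are the page's.

```python
from typing import Any, Dict, List, Optional, Tuple

# Sources in the precedence order listed above (first hit wins). Horizon is
# modelled as one opaque source; the "repo:path" / "puppetmaster:path" labels
# are an assumption of this example. Placeholders are interpolated per lookup.
HIERA_SOURCES: List[str] = [
    "horizon",
    "operations/puppet:hieradata/labs/%{::labsproject}/host/%{::hostname}.yaml",
    "operations/puppet:hieradata/labs/%{::labsproject}/common.yaml",
    "operations/puppet:hieradata/labs.yaml",
    "puppetmaster:/etc/puppet/secret/hieradata/%{::labsproject}.yaml",
    "labs/private:hieradata/labs/%{::labsproject}/common.yaml",
    "labs/private:hieradata/%{::labsproject}.yaml",
    "labs/private:hieradata/labs.yaml",
    "operations/puppet:hieradata/common.yaml",
    "puppetmaster:/etc/puppet/secret/hieradata/common.yaml",
    "labs/private:hieradata/common.yaml",
]

# Constructed stand-in for the parsed contents of each source (path -> key/value).
SAMPLE_DATA: Dict[str, Dict[str, Any]] = {
    "horizon": {"mailrelay::relayhost": "horizon-set"},
    "operations/puppet:hieradata/labs/tools/host/tools-mail.yaml": {"role": "mailrelay"},
    "operations/puppet:hieradata/labs/tools/common.yaml": {"role": "generic", "ntp": "chrony"},
    "operations/puppet:hieradata/labs.yaml": {"ntp": "ntpd", "puppetmaster": "puppet"},
    "labs/private:hieradata/common.yaml": {"passwords::db": "dummy-secret"},
}

def interpolate(source: str, labsproject: str, hostname: str) -> str:
    """Expand the two facts the way the puppetmaster does for each source path."""
    return source.replace("%{::labsproject}", labsproject).replace("%{::hostname}", hostname)

def definitions(key: str, labsproject: str, hostname: str,
                data: Dict[str, Dict[str, Any]] = SAMPLE_DATA) -> List[Tuple[str, Any]]:
    """Every source defining key, highest precedence first; all but the first are shadowed."""
    found: List[Tuple[str, Any]] = []
    for source in HIERA_SOURCES:
        path = interpolate(source, labsproject, hostname)
        if key in data.get(path, {}):
            found.append((path, data[path][key]))
    return found

def lookup(key: str, labsproject: str, hostname: str,
           data: Dict[str, Dict[str, Any]] = SAMPLE_DATA) -> Optional[Tuple[str, Any]]:
    """(winning source, value) for key on this instance, or None if nothing defines it."""
    defs = definitions(key, labsproject, hostname, data)
    return defs[0] if defs else None
```

Listing the shadowed definitions is the useful part when a value "does not take effect": a per-host file or a Horizon setting higher in the list silently wins over the one just edited.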

Only users with the projectadmin role can edit hiera data in Horizon and on Wikitech. Everyone can propose a patch in gerrit to change the hiera data in git, which can then be merged by all of SRE/Ops.

puppetmaster configuration

In order to select a backend/source for hiera data, puppetmasters have a /etc/puppet/hiera.yaml configuration file listing several backends in order, for example:

tools-puppetmaster-02:~# cat /etc/puppet/hiera.yaml
[...]
:backends:
  - httpyaml
  - mwyaml
  - nuyaml
[...]

In the example above:

  • nuyaml == local config files
  • mwyaml == wikitech
  • httpyaml == data that horizon writes on the puppetmaster

enc mechanism

The enc mechanism is a custom-made API that serves up hiera config (it is what Horizon talks to).

This web service exposes two types of endpoints to different instances: one with read-write permissions and one that is read-only.

The code for the service is at https://phabricator.wikimedia.org/source/operations-puppet/browse/production/modules/openstack/files/puppet/master/encapi/labspuppetbackend.py

Read endpoint

The read-only endpoint (referred to as labspuppetbackendgetter in many places) is hosted by nginx on cloud-puppetmaster-03 (at the time of writing), listening on HTTP on port 8001 and HTTPS on port 8143.

It enforces read-only access by rejecting any non-GET HTTP request.
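An added example, not the encapi code itself, of the read-only enforcement just described written as a WSGI wrapper: any request whose method is not GET is refused with 405 before it can reach the backend. The backend app, the path and the call helper are constructed for illustration.

```python
from typing import Callable, Iterable, List, Tuple

def read_only_gate(app: Callable) -> Callable:
    """Wrap a WSGI app so only GET reaches it; every other method gets a 405."""
    def gated(environ: dict, start_response: Callable) -> Iterable[bytes]:
        # Decide on REQUEST_METHOD alone: path, query string and headers play no
        # part, so the shape of the URL cannot turn a request into a write.
        method = environ.get("REQUEST_METHOD", "").upper()
        if method != "GET":
            start_response("405 Method Not Allowed",
                           [("Content-Type", "text/plain"), ("Allow", "GET")])
            return [b"read-only endpoint: only GET is accepted\n"]
        return app(environ, start_response)
    return gated

def hiera_reader(environ: dict, start_response: Callable) -> Iterable[bytes]:
    """Constructed stand-in for the getter backend: echoes the requested path."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ.get("PATH_INFO", "/").encode()]

def call(app: Callable, method: str, path: str = "/v1/example") -> Tuple[str, bytes]:
    """Drive a WSGI app with a minimal constructed environ; returns (status, body)."""
    statuses: List[str] = []
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path}
    body = b"".join(app(environ, lambda status, headers: statuses.append(status)))
    return statuses[0], body

# The wrapped app is what the nginx-fronted read-only ports would serve.
getter = read_only_gate(hiera_reader)
```

The gate protects only the port it fronts; the uwsgi read-write endpoint on port 8000 of the same host sits outside it, so that endpoint's own access control is what limits writes.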

Read-write endpoint

The read-write endpoint is served directly by uwsgi on the same host, on port 8000.

Cli

There is a small CLI, installed on all the control nodes (cloudcontrol*), for interacting with the enc API:


root@cloudcontrol1003:~# wmcs-enc-cli --help
usage: wmcs-enc-cli [-h] [--enc-url ENC_URL]
                    [--openstack-project OPENSTACK_PROJECT]
                    {get_node_consolidated_info,get_node_info,get_prefix_hiera,get_project_hiera,set_prefix_hiera}
                    [params [params ...]]
positional arguments:
  {get_node_consolidated_info,get_node_info,get_prefix_hiera,get_project_hiera,set_prefix_hiera}
  params                Any parameters needed for the action chosen.
optional arguments:
  -h, --help            show this help message and exit
  --enc-url ENC_URL     Full url to the enc, for example
                        http://puppetmaster.cloudinfra.wmflabs.org:8101/v1
  --openstack-project OPENSTACK_PROJECT

The code for it is hosted at https://phabricator.wikimedia.org/source/operations-puppet/browse/production/modules/openstack/files/util/wmcs-enc-cli.py

Wikitech integration

Our intention is to remove the Wikitech hiera key definitions, but Wikitech has editing history and Horizon does not (phab:T153036).

See also