You are browsing a read-only backup copy of Wikitech. The live site can be found at wikitech.wikimedia.org
Portal:Cloud VPS/Admin/Hiera: Difference between revisions
imported>David Caro |
imported>Quiddity (fix heading levels (only 1 <H1> per page), fix image layout) |
||
| Line 2: | Line 2: | ||
This page contains information on how '''hiera''' data is managed in [[Portal:Cloud_VPS|Cloud VPS]], which is a bit different from the [[Puppet_Hiera | main production hiera/puppet workflow]]. | This page contains information on how '''hiera''' data is managed in [[Portal:Cloud_VPS|Cloud VPS]], which is a bit different from the [[Puppet_Hiera | main production hiera/puppet workflow]]. | ||
= Precedence of hiera keys = | == Precedence of hiera keys == | ||
Hiera keys may come from different backends, not only puppet hieradata files. | Hiera keys may come from different backends, not only puppet hieradata files. | ||
| Line 39: | Line 39: | ||
Only users with the ''projectadmin'' role can edit hiera data in Horizon and on Wikitech. Everyone can propose a patch in gerrit to change the hiera data in git, which can then be merged by all of SRE/Ops. | Only users with the ''projectadmin'' role can edit hiera data in Horizon and on Wikitech. Everyone can propose a patch in gerrit to change the hiera data in git, which can then be merged by all of SRE/Ops. | ||
== puppetmaster configuration == | === puppetmaster configuration === | ||
In order to select a backend/source for hiera data, puppetmasters have a '''/etc/pupppet/hiera.yaml''' configuration file with several backends in order, for example: | In order to select a backend/source for hiera data, puppetmasters have a '''/etc/pupppet/hiera.yaml''' configuration file with several backends in order, for example: | ||
| Line 58: | Line 58: | ||
* httpyaml == data that horizon writes on the puppetmaster | * httpyaml == data that horizon writes on the puppetmaster | ||
= Puppet enc system = | == Puppet enc system == | ||
The enc mechanism is a custom made API that serves up hiera config (it's what horizon talks to). See the image | The enc mechanism is a custom made API that serves up hiera config (it's what horizon talks to). See the image below for a quick overview. | ||
[[File:Cloud puppet enc.png|frame|Cloud puppet enc overview (source https://phabricator.wikimedia.org/F34401412)]] | [[File:Cloud puppet enc.png|frame|left|Cloud puppet enc overview (source https://phabricator.wikimedia.org/F34401412)]] | ||
{{clear}} | |||
== Labspuppetbackend == | === Labspuppetbackend === | ||
This web service makes two types of endpoints accessible to different instances, one with read-write permissions and one with only read ones. | This web service makes two types of endpoints accessible to different instances, one with read-write permissions and one with only read ones. | ||
| Line 71: | Line 71: | ||
The code for the service is [https://phabricator.wikimedia.org/source/operations-puppet/browse/production/modules/openstack/files/puppet/master/encapi/labspuppetbackend.py here]. | The code for the service is [https://phabricator.wikimedia.org/source/operations-puppet/browse/production/modules/openstack/files/puppet/master/encapi/labspuppetbackend.py here]. | ||
=== Read endpoint === | ==== Read endpoint ==== | ||
The read only endpoint (referred to as labspuppetbackendgetter in many places), is hosted by nginx, on <code>cloud-puppetmaster-03</code> (when writing this), listening on port <code>8100</code> (http) and <code>8143</code> (https). | The read only endpoint (referred to as labspuppetbackendgetter in many places), is hosted by nginx, on <code>cloud-puppetmaster-03</code> (when writing this), listening on port <code>8100</code> (http) and <code>8143</code> (https). | ||
It's ensuring read only by declining any non <code>GET</code> http request. | It's ensuring read only by declining any non <code>GET</code> http request. | ||
=== Read-write endpoint === | ==== Read-write endpoint ==== | ||
The read-write one is hosted directly to uwsgi, open on the same host on port <code>8000</code>. | The read-write one is hosted directly to uwsgi, open on the same host on port <code>8000</code>. | ||
=== Cli === | ==== Cli ==== | ||
There's a small cli that will allow interacting with the enc api installed on all the control nodes (<code>cloudcontrol*</code>): | There's a small cli that will allow interacting with the enc api installed on all the control nodes (<code>cloudcontrol*</code>): | ||
{{Codesample | {{Codesample | ||
| Line 101: | Line 101: | ||
The code for it is hosted [https://phabricator.wikimedia.org/source/operations-puppet/browse/production/modules/openstack/files/util/wmcs-enc-cli.py here]. | The code for it is hosted [https://phabricator.wikimedia.org/source/operations-puppet/browse/production/modules/openstack/files/util/wmcs-enc-cli.py here]. | ||
= puppet-enc = | == puppet-enc == | ||
This is a cli that puppet runs to retrieve the actual node ENC data <ref>[https://puppet.com/docs/puppet/5.5/nodes_external.html]Puppet external node classifier docs</ref>. | This is a cli that puppet runs to retrieve the actual node ENC data <ref>[https://puppet.com/docs/puppet/5.5/nodes_external.html]Puppet external node classifier docs</ref>. | ||
It's a wrapper on top of <code>labspuppetbackend</code> that just transforms the output format to something puppet understands. | It's a wrapper on top of <code>labspuppetbackend</code> that just transforms the output format to something puppet understands. | ||
| Line 108: | Line 108: | ||
Note that it uses the configuration file <code>/etc/puppet-enc.yaml</code> to retrieve the host for the <code>labspuppetbackend</code> service. | Note that it uses the configuration file <code>/etc/puppet-enc.yaml</code> to retrieve the host for the <code>labspuppetbackend</code> service. | ||
= Wikitech integration = | == Wikitech integration == | ||
Our intention is to kill the wikitech hiera keys definitions. But wikitech has editing history and Horizon doesn't ([[phab:T153036]]). | Our intention is to kill the wikitech hiera keys definitions. But wikitech has editing history and Horizon doesn't ([[phab:T153036]]). | ||
= See also = | == See also == | ||
* Main article about [[Puppet_Hiera|Puppet/Hiera]]. | * Main article about [[Puppet_Hiera|Puppet/Hiera]]. | ||
= References = | == References == | ||
<references /> | <references /> | ||
Revision as of 23:31, 17 April 2021
 | This page is currently a draft. More information and discussion about changes to this draft on the talk page. |
This page contains information on how hiera data is managed in Cloud VPS, which is a bit different from the main production hiera/puppet workflow.
Precedence of hiera keys
Hiera keys may come from different backends, not only puppet hieradata files.
You can set hiera data by using Horizon or through diverse yaml-files in the operations/puppet and labs/private git repos. You can see the exact, always up-to-date resolution order at [2].
By default the hierarchy is searched using the following list top to bottom with a first match win policy. Also note the following considerations when reading this list
- cloudlib::httpyaml: is a custom backbend to pull data from to Horizon(either at the instance level, prefixes, or project level).
- /etc/puppet/hieradata/: this is a checkout of the operations/puppet git repo
- /etc/puppet/private/hieradata: this is a checkout of the labs/private git repo
- /etc/puppet/secret/hieradata: this is a directory on the stand-alone puppet master which doesn't exist by default
- %{::wmcs_deployment}: This refers to the openstack deployment currently
eqiad1orcodfw1dev - %{::labsproject}: This refers to the openstack project e.g.
deployment-prep - %{::hostname} This refers to the instance name e.g.
tools-mail.
The following is a dump as of 2021-03-24.
hierarchy:
- cloudlib::httpyaml
- "/etc/puppet/hieradata/cloud/%{::wmcs_deployment}/%{::labsproject}/host/%{::hostname}.yaml"
- "/etc/puppet/hieradata/cloud/%{::wmcs_deployment}/%{::labsproject}/common.yaml"
- "/etc/puppet/hieradata/cloud/%{::wmcs_deployment}.yaml"
- "/etc/puppet/secret/hieradata/labs/%{::labsproject}/common.yaml"
- "/etc/puppet/secret/hieradata/%{::labsproject}.yaml"
- "/etc/puppet/secret/hieradata/labs.yaml"
- "/etc/puppet/private/hieradata/labs/%{::labsproject}/common.yaml"
- "/etc/puppet/private/hieradata/%{::labsproject}.yaml"
- "/etc/puppet/private/hieradata/labs.yaml"
- "/etc/puppet/hieradata/common.yaml"
- "/etc/puppet/secret/hieradata/common.yaml"
- "/etc/puppet/private/hieradata/common.yaml"
Note that providing Hiera settings per role is not possible on Cloud Services.
Only users with the projectadmin role can edit hiera data in Horizon and on Wikitech. Everyone can propose a patch in gerrit to change the hiera data in git, which can then be merged by all of SRE/Ops.
puppetmaster configuration
In order to select a backend/source for hiera data, puppetmasters have a /etc/pupppet/hiera.yaml configuration file with several backends in order, for example:
tools-puppetmaster-02:~# cat /etc/puppet/hiera.yaml [...] :backends: - httpyaml - mwyaml - nuyaml [...]
In the example above:
- nuyaml == local config files
- mwyaml == wikitech
- httpyaml == data that horizon writes on the puppetmaster
Puppet enc system
The enc mechanism is a custom made API that serves up hiera config (it's what horizon talks to). See the image below for a quick overview.
Labspuppetbackend
This web service makes two types of endpoints accessible to different instances, one with read-write permissions and one with only read ones.
It uses a database on db01.cloudinfra.equiad.wmflabs to store the hiera and roles information.
The code for the service is here.
Read endpoint
The read only endpoint (referred to as labspuppetbackendgetter in many places), is hosted by nginx, on cloud-puppetmaster-03 (when writing this), listening on port 8100 (http) and 8143 (https).
It's ensuring read only by declining any non GET http request.
Read-write endpoint
The read-write one is hosted directly to uwsgi, open on the same host on port 8000.
Cli
There's a small cli that will allow interacting with the enc api installed on all the control nodes (cloudcontrol*):
root@cloudcontrol1003:~# wmcs-enc-cli --help
usage: wmcs-enc-cli [-h] [--enc-url ENC_URL]
[--openstack-project OPENSTACK_PROJECT]
{get_node_consolidated_info,get_node_info,get_prefix_hiera,get_project_hiera,set_prefix_hiera}
[params [params ...]]
positional arguments:
{get_node_consolidated_info,get_node_info,get_prefix_hiera,get_project_hiera,set_prefix_hiera}
params Any parameters needed for the action chosen.
optional arguments:
-h, --help show this help message and exit
--enc-url ENC_URL Full url to the enc, for example
http://puppetmaster.cloudinfra.wmflabs.org:8101/v1
--openstack-project OPENSTACK_PROJECT
The code for it is hosted here.
puppet-enc
This is a cli that puppet runs to retrieve the actual node ENC data [1].
It's a wrapper on top of labspuppetbackend that just transforms the output format to something puppet understands.
The code for it is hosted here.
Note that it uses the configuration file /etc/puppet-enc.yaml to retrieve the host for the labspuppetbackend service.
Wikitech integration
Our intention is to kill the wikitech hiera keys definitions. But wikitech has editing history and Horizon doesn't (phab:T153036).
See also
- Main article about Puppet/Hiera.