Our infrastructure uses puppet with public puppet modules. All our secrets and our installation-spesific parameters are thus placed in hiera.
Data distribution
The hieradata directory contains multiple .yaml files holding our information. When we have multiple puppet masters its important that each of the puppetmasters have an updated version of the hieradata, in addition to an updated list of puppet-modules. As the hiera-data are full of secrets we cannot publish them on github, and have all puppetmasters pull the information from there. What we do instead is to let the hieradata be a local git-repo which each puppetserver is pulling from eachother.
Hiera keys
Depending on what services you are handling with puppet, you might need various keys in hiera. This page tries to list which keys needs to be present to use our role/profile repositories.
Keys in italic are optional
General information
There are quite a bit of data which are not associated to a specific service, but are rather used by various modules, and should thus generally allways be present:
Key | Description | Example | Created by | Data-type | Datafile: | Used by: |
---|---|---|---|---|---|---|
profile::networking::rpfilter | Before we used multiple routing-tables on our hosts we had to turn off rpfilter to allow asymmetric routing. Now this should be turned on. | true | N/A | Boolean | networking.yaml | All |
profile::networking::management::ipv4::prefixes | A list over IPv4 prefixes for networks where management stations are found. Used to configure the firewall for SSH, stats-pages etc. | - '192.0.2.0/26' | N/A | List of strings | networking.yaml | All |
profile::networking::management::ipv6::prefixes | A list over IPv6 prefixes for networks where management stations are found. Used to configure the firewall for SSH, stats-pages etc. | - '2001:db8:beef:701::/64' | N/A | List of strings | networking.yaml | All |
profile::ntp::servers | A list over ntp servers to use. | - 'ntp.ntnu.no' | N/A | List of strings | common.yaml | All |
profile::keepalived::vrrp_password | A password used to secure the vrrp instances | '724EuvohTGOdlcFnLlDV' | pwgen -s -1 20 | String | common.yaml | |
classes | A list over puppet classes which should be installed on a node. Used when we do not have an ENC, but it is always required. It is thus recommended to have an empty list here if an ENC is used. | [ ] | N/A | List of strings | common.yaml or node-specific file. | All |
profile::productionlevel | Which production-level is this installation? "prod", "test" or "dev"? | 'dev' | N/A | String | common.yaml | All |
profile::baseconfig::smtp_relay | An SMTP relay which the server can use to send mail | 'smtp.example.com' | N/A | String | common.yaml | All |
profile::baseconfig::maildomain | The domain the server sends mail from | 'example.com' | N/A | String | common.yaml | All |
Networks
The networks used in the deployment are all described in hiera to ensure that all configuration retrieves the same values when configuring anything network specific. There are one key in hiera which lists all networks:
Key | Description | Example | Created by | Data-type | Datafile: | Used by: |
---|---|---|---|---|---|---|
profile::networks | A list over networks in this deployment. The values in this list is used as keys to retrieve the rest of the parameters. | - 'management' | N/A | List of Strings | networking.yaml | role::bootstrap, role::dashboard, role::kvm, role::dhcp |
For each of the neworks listed in "profile::networks" the following keys should exist:
Key | Description | Example | Created by | Data-type | Datafile: | Used by |
---|---|---|---|---|---|---|
profile::networks::<networkname>::domain | The network-specific domain-name. | 'management.example.com' | N/A | String | networking.yaml | role::bootstrap, role::dashboard |
profile::networks::<networkname>::ipv4::dynamicrange | (Optional) The range of ip-addresses for dynamic assignment to unregistered hosts. | '192.0.2.230 192.0.2.240' | N/A | String | networking.yaml | role::bootstrap, role::dashboard, role::dhcp |
profile::networks::<networkname>::ipv4::gateway | The IPv4 gateway on the network | '192.0.2.1' | N/A | String | networking.yaml | role::bootstrap, role::dashboard, role::dhcp |
profile::networks::<networkname>::ipv4::id | The IPv4 network ID. | '192.0.2.0' | N/A | String | networking.yaml | role::bootstrap, role::dashboard, role::dhcp |
profile::networks::<networkname>::ipv4::mask | The IPv4 network mask | '255.255.255.0' | N/A | String | networking.yaml | role::bootstrap, role::dashboard, role::dhcp |
profile::networks::<networkname>::ipv4::prefix | The IPv4 CIDR prefix. | '192.0.2.0/24' | N/A | String | networking.yaml | Most roles. Used as a source-net in firewall rules. |
profile::networks::<networkname>::ipv4::reserved | (Optional) list over address-ranges which the dashboard should not assign to hosts. | - '192.0.2.245-192.0.2.248' | N/A | String | networking.yaml | role::bootstrap, role::dashboard |
profile::networks::<networkname>::ipv6::prefix | The IPv6 CIDR prefix | '2001:db8:beef:707::/64' | N/A | String | networking.yaml | role::bootstrap, role::postgres::master, role::postgres::slave |
profile::networks::<networkname>::vlanid | The VLAN ID of the network. | 504 | N/A | Integer | networking.yaml | role::kvm |
Legacy keys
As there still are a couple of puppet profiles expecting the management network to be named management, the following keys are needed:
Key | Description | Example | Created by | Data-type | Datafile: | Used by |
---|---|---|---|---|---|---|
profile::networks::management::ipv4::prefix | IPv4 prefix for management network | "%{hiera('profile::networks::infrastructure::ipv4::prefix')}" | N/A | String | networking.yaml | |
profile::networks::management::ipv6::prefix | IPv6 prefix for management network | "%{hiera('profile::networks::infrastructure::ipv6::prefix')}" | N/A | String | networking.yaml |
Users
To create users the following general keys are needed:
Key | Description | Example | Created by | Data-type | Datafile: | Used by: |
---|---|---|---|---|---|---|
profile::users | A list over usernames which puppet should configure users for | - 'eigil' | N/A | List of Strings | users.yaml | All machines |
For each username the following keys should be created.
Key | Description | Example | Created by | Data-type | Datafile: | Used by: |
---|---|---|---|---|---|---|
profile::user::<username>::uid | The user-id | 801 | N/A | Integer | users.yaml | All machines |
profile::user::<username>::groups | A list over groups the user should belong to. | - 'sudo' | N/A | List of strings | users.yaml | All machines |
profile::user::<username>::hash | The password-hash to be injected into /etc/shadow | String | users.yaml | All machines | ||
profile::user::<username>::keys | List over ssh-keys which should be added to the users authorized_keys |
| N/A | List of strings | users.yaml | All machines |
profile::user::<username>::key::<keyname> | A specific ssh key. Needs one for each key listed in profile::user::<username>::keys | N/A | String | users.yaml | All machines |
Ceph
These keys will be subject to change, when they get to be a part of new roles
Key | Description | Example | Created by | Data-type | Used by: |
---|---|---|---|---|---|
profile::ceph::fsid | UUID for cluster | '23a2d131-99f7-4ad0-9fb4-1977f59ce530' | uuidgen | String | role::controller, |
profile::ceph::replicas | Amount of replicas in cluster | 3 | N/A | Integer | role::controller, |
profile::ceph::journal::size | Size of journal (not relevant in luminous(?)) in MB | 15800 | N/A | Integer | role::controller, |
profile::ceph::admin_key | Admin key | 'AQCIhy9a9ozCKhAApX5UoAnjad+KZ4VzWxBYJQ==' | ceph-authtool --gen-print-key | String | role::controller, |
profile::ceph::monitor_key | ceph-mon key | 'AQCIhy9a9ozCKhAApX5UoAnjad+KZ4VzWxBYJQ==' | ceph-authtool --gen-print-key | String | role::controller, role::compute |
profile::ceph::mgr_key | ceph-mgr key | 'AQCIhy9a9ozCKhAApX5UoAnjad+KZ4VzWxBYJQ==' | ceph-authtool --gen-print-key | String | role::controller |
profile::ceph::osd_bootstrap_key | ceph-osd bootstrap key | 'AQCIhy9a9ozCKhAApX5UoAnjad+KZ4VzWxBYJQ==' | ceph-authtool --gen-print-key | String | role::controller, |
profile::ceph::glance_key | glance key | 'AQCIhy9a9ozCKhAApX5UoAnjad+KZ4VzWxBYJQ==' | ceph-authtool --gen-print-key | String | role::controller (glance hosts) |
profile::ceph::nova_key | nova (and cinder) key | 'AQCIhy9a9ozCKhAApX5UoAnjad+KZ4VzWxBYJQ==' | ceph-authtool --gen-print-key | String | role::controller, role::compute (nova hosts) (cinder hosts) |
profile::ceph::nova_uuid | UUID for nova/libvrt and cinder | '23a2d131-99f7-4ad0-9fb4-1977f59ce530' | uuidgen | String | role::controller, role::compute (nova and cinder hosts) |
profile::ceph::cluster_network | Ceph frontend network | '172.17.2.0/24' | N/A | String | role::storage |
profile::ceph::public_network | Ceph backend (replication) network | '172.17.3.0/24' | N/A | String | role::storage |
Dashboard
The general configuration of the dashboard are based on the following keys:
Key | Description | Example | Created by | Data-type | Datafile: | Used by: |
---|---|---|---|---|---|---|
profile::dashboard::django::secret | A secret key used for misc. security features in the django backend. Should be the same on all dashboard servers NB: The pwgen command lacks -y because some special characters will cause errors | '9tAMGEAEO4ln3t3PEXvN7dJov5SlbKU5AxxkSO50WQH6yIMt8X' | pwgen -s 50 -1 | String | common.yaml | role::bootstrap, role::dashboard |
profile::dashboard::name | The DNS name used to access the dashboard. This name should have an A and AAAA record configured with the address of the dashboard server (or loadbalancer). | 'dashboard.example.com' | N/A | String | common.yaml | role::bootstrap, role::dashboard |
profile::dashboard::name::v4only | A DNS name wich also points to the dashboard, but this name should only resolve to an IPv4 address. This is because of some processes currently only works over IPv4 (Authorization of the retrieval of PXE preseed files for example) | 'v4dashboard.example.com' | N/A | String | common.yaml | role::bootstrap, role::dashboard |
profile::dashboard::ldap::url | The url for the LDAP server used for authentication. | 'ldaps://ldap.example.com:636' | N/A | String | common.yaml | role::bootstrap, role::dashboard |
profile::dashboard::ldap::search_base | LDAP search base | 'OU=Users,DC=ldap,DC=example,DC=com' | N/A | String | common.yaml | role::bootstrap, role::dashboard |
profile::dashboard::ldap::domain | LDAP domain nam | 'example-com' | N/A | String | common.yaml | role::bootstrap, role::dashboard |
There are also some keys which have a suggested value wich should work for all installations, but are still included in hiera for flexibility:
Key | Description | Suggested value | Data-type | Datafile: | Used by: |
---|---|---|---|---|---|
profile::dashboard::api | A HTTP link used by external clients connecting to the dashboard. | 'http://%{hiera('profile::dashboard::name::v4only')}' | String | common.yaml | role::bootstrap, role::dashboard |
profile::dashboard::datadir | A location where the dashboard can store files. | '/var/lib/shiftleader' | String | common.yaml | role::bootstrap, role::dashboard |
Database
Key | Description | Example | Created by | Data-type | Datafile: | Used by: |
---|---|---|---|---|---|---|
profile::dashboard::database::type | The database type. | 'mysql' or 'sqlite' | N/A | String | common.yaml | role::bootstrap, role::dashboard |
profile::dashboard::database::name | The database name (for mysql) or location (for sqlite) | 'dashboard' or '/var/dashboard.sqlite' | N/A | String | common.yaml | role::bootstrap, role::dashboard |
profile::dashboard::database::user | The database username | 'dashboard' | N/A | String | common.yaml | role::bootstrap, role::dashboard |
profile::dashboard::database::pass | The database password | 'x&1/7LjWbz:i<:W&p+PG' | pwgen -s -y 20 -1 | String | common.yaml | role::bootstrap, role::dashboard |
profile::dashboard::database::host | The database host. Could be a static string, or a hiera lookup. | 'mysql.example.com', '192.0.2.38' or "%{hiera('profile::haproxy::management::ip')}" | N/A | String | common.yaml | role::bootstrap, role::dashboard |
DHCP configuration:
The dashboard needs the keys listed at the section DHCP server in addition to the following keys to configure the DHCP servers:
Key | Description | Example | Created by | Data-type | Datafile | Used by: |
---|---|---|---|---|---|---|
profile::dhcp::servers | A list of hashes describing the dhcp servers. Key=DHCP-Server-name and value=DHCP-IPv4 | 'dhcp1': '192.0.2.21' | N/A | List of hashes | common.yaml | role::bootstrap, role::dashboard |
DNS configuration:
The Dashboard requires some keys listed under the section DNS-Server, in addition to the following keys:
Key | Description | Example | Created by | Data-type | Datafile: | Used by: |
---|---|---|---|---|---|---|
profile::dns::<shortname>::key | The TSIG key used for updates sent to this server. It can be useful to let this be a hiera-lookup for the zones managed by our own DNS servers. | 'UvetjoX5zMiw/NbQr3biug==' "%{hiera('profile::dns::key::update')}" | dnssec-keygen -a HMAC-MD5 -b 128 -n HOST <keyname> | String | common.yaml | role::bootstrap, role::dashboard |
PXE-Booting
The dashboard and the DHCP servers are together providing a pxeboot environment where we boot and install operatingsystem images.
Key | Description | Example | Created by | Data-type | Datafile: | Used by: |
---|---|---|---|---|---|---|
profile::pxe::images | A list over image short-names (ID's used to identify images later). | - '1604amd64' | N/A | List of strings | common.yaml | role::bootstrap, role::dhcp |
profile::pxe::<shortname>::name | A descriptive name of the specific image | 'Ubuntu 16.04 Server amd64' | N/A | String | common.yaml | role::bootstrap, role::dhcp |
profile::pxe::<shortname>::kernel | A URL to the kernel of the specific OS | 'http://archive.ubuntu.com/ubuntu/dists/xenial-proposed/main/installer-amd64/current/images/netboot/ubuntu-installer/amd64/linux' | N/A | String | common.yaml | role::bootstrap, role::dhcp |
profile::pxe::<shortname>::initrd | A URL to the initrd image of the specific OS | 'http://archive.ubuntu.com/ubuntu/dists/xenial-proposed/main/installer-amd64/current/images/netboot/ubuntu-installer/amd64/initrd.gz' | N/A | String | common.yaml | role::bootstrap, role::dhcp |
DHCP server
When running DHCP servers, the following keys are needed:
Key | Description | Example | Created by | Data-type | Datafile: | Used by: |
---|---|---|---|---|---|---|
profile::dhcp::omapi::key | The omapi key used to update the DHCP servers | 'omapi_key==' | dnssec-keygen -r /dev/urandom -a HMAC-MD5 -b 512 -n HOST key_name | String | common.yaml | role::bootstrap, role::dashboard, role::dhcp |
profile::dhcp::omapi::name | The omapi key name | 'key_name' | ↑ | String | common.yaml | role::bootstrap, role::dashboard, role::dhcp |
profile::dhcp::searchdomain | The default search-domain handed to DHCP clients | 'cloud.domain.com' | N/A | String | common.yaml | role::bootstrap, role::dhcp |
profile::dns::resolvers | The DNS resolvers for clients to use | - '<ip-addres-DNS1>' - '<ip-address-DNS2>' | N/A | List of strings | common.yaml | role::bootstrap, role::dhcp |
DNS server
If you are hosting a DNS server the following keys are needed:
Key | Description | Example | Created by | Data-type | Datafile: | Used by: |
---|---|---|---|---|---|---|
profile::dns::forwarders | Which DNS servers your DNS server should use to resolve domainnames where it is not an authorative DNS | - '<ip-addres-DNS1>' - '<ip-address-DNS2>' | N/A | List of strings | common.yaml | role::bootstrap, role::dns::master |
profile::dns::key::transfer | The TSIG keys used for zone-transfers | 'UvetjoX5zMiw/NbQr3biug==' | dnssec-keygen -a HMAC-MD5 -b 128 -n HOST <keyname> | String | common.yaml | role::bootstrap, role::dns::master, role::dns::slave |
profile::dns::key::update | The TSIG keys used for DNS updates | 'UvetjoX5zMiw/NbQr3biug==' | dnssec-keygen -a HMAC-MD5 -b 128 -n HOST <keyname> | String | common.yaml | role::bootstrap, role::dns::master, role::dns::slave |
profile::dns::slaves | A list over DNS slave-servers which replicates the zone-files from the main DNS server. The hash is structured as key=Servername and value=DNS-IPv4 | 'ns2.example.com': '192.0.2.130' | N/A | List of Hashes | common.yaml | role::bootstrap, role::dns::master, role::dns::slave |
profile::dns::zones | A list over DNS zones managed by our DNS servers, or used by our dashboard. The hash is structured as key=DNS-zone and value=DNS-server-shortname. | 'zone.example.com': 'ns1' | N/A | List of Hashes | common.yaml | role::bootstrap, role::dashboard, role::dns::master, role::dns::slave |
I addition there are a set of keys which are needed for each DNS server managing a DNS zone used by us. Shortname is here the name used in "profile::dns::zones".
Key | Description | Example | Created by | Data-type | Datafile: | Used by: |
---|---|---|---|---|---|---|
profile::dns::<shortname>::ipv4 | The IPv4 address of a specific DNS server. | '192.0.2.129' | N/A | String | common.yaml | role::bootstrap, role::dashboard, role::dns::master, role::dns::slave |
profile::dns::<shortname>::name | The fqdn of a specific DNS server | 'ns1.example.com' | N/A | String | common.yaml | role::bootstrap, role::dns::master, role::dns::slave |
KVM / Libvirt
Networks
The class role::kvm makes use of the following general purpose keys to auto create OVS bridges, which the VMs can connect to:
- profile::networks
- profile::networks::${network}::vlanid
In addition every KVM host needs to specify which physical interface(s) that carries the networks specified in the profile::networks key
Key | Description | Example | Created by | Data-type | Used by: |
---|---|---|---|---|---|
profile::kvm::interfaces::<networkname> Example: profile::kvm::interfaces::management | Name of the physical interfaces that carries the given networkname. Multiple networks can have the same physical interface, which will be the case if the NIC is connected to a VLAN trunk port. | 'eno2' | N/A | String | role::kvm |
Haproxy
We use haproxy to loadbalance multiple of our services. It needs the following keys present in hiera to work:
Key | Description | Example | Created by | Data-type | Datafile: | Used by: |
---|---|---|---|---|---|---|
profile::haproxy::web::profile | Which web profile should this haproxy node have | 'management' | N/A | String | node-specific | role::bootstrap, role::balancer::* |
profile::haproxy::${profile}::ipv4 | The IPv4 address used in front og the loadbalancer used for managemnet services | '192.0.2.151' | N/A | String | networking.yaml | role::bootstrap, role::puppet::db, role::puppet::server, role::mysql, role::balancer::management |
profile::haproxy::${profile}::ipv4::id | The VRRP id used by the IPv4 VRRP instance. | 11 | N/A | Integer | networking.yaml | role::bootstrap, role::balancer::management |
profile::haproxy::${profile}::ipv4::priority | The VRRP priority used by the IPv4 VRRP instance. | 10 | N/A | Integer | networking.yaml | role::bootstrap, role::balancer::management |
profile::haproxy::${profile}::ipv6 | The IPv4 address used in front og the loadbalancer used for managemnet services | '2001:db8:beef:707::7b1' | N/A | String | networking.yaml | role::bootstrap, role::puppet::db, role::puppet::server, role::mysql, role::balancer::management |
profile::haproxy::${profile}::ipv6::id | The VRRP id used by the IPv6 VRRP instance. | 12 | N/A | Integer | networking.yaml | role::bootstrap, role::balancer::management |
profile::haproxy::${profile}::ipv6::priority | The VRRP priority used by the IPv6 VRRP instance. | 10 | N/A | Integer | networking.yaml | role::bootstrap, role::balancer::management |
profile::haproxy::${profile}::domains | Which domains haproxy should forward for in frontend "ft_web" for given profile | -'foo.com' -'bar.foo.com' | N/A | List of strings | common.yaml | role::balancer::* |
profile::haproxy::management::apicert | A .pem certificate bundle with private key, CAcert and server cert | tl;dr | cat private_key.key server.crt ca.crt > haproxy_web.pem The order is important! TLS from CertManager: Choose the "as Certificate (w/ issuer after)" alternative | Multiline string | certs.yaml | role::bootstrap, role::balancer::management |
profile::haproxy::services::apicert | A .pem certificate bundle with private key, CAcert and server cert | tl;dr | cat private_key.key server.crt ca.crt > haproxy_web.pem The order is important! TLS from CertManager: Choose the "as Certificate (w/ issuer after)" alternative | Multiline string | certs.yaml | role::bootstrap, role::balancer::services |
profile::haproxy::${profile}::webcert | A .pem certificate bundle with private key, CAcert and server cert | tl;dr | cat private_key.key server.crt ca.crt > haproxy_web.pem The order is important! TLS from CertManager: Choose the "as Certificate (w/ issuer after)" alternative | Multiline string | certs.yaml | role::balancer::*
|
profile::haproxy::management::apicert::certfile | Filepath and name for the apicert bundle | '/etc/ssl/private/haproxy_web.pem' | N/A | String | certs.yaml | role::balancer::web |
Munin
Key | Description | Example | Created by | Data-type | Datafile | Used by |
---|---|---|---|---|---|---|
profile::munin::urls | List of FQDNs the munin server should create a vhost in apache for. Typically - set the "world reachable" FQDN in common.yaml Each node will get a vhost with their FQDN automaticly, through the apache class. Only set a munin url in node specific file if it's different from the servers hostname. | - 'munin.exaxmple.com' - 'munin1.example.com' | N/A | List of Strings | common.yaml Node specific | role::munin |
MySQL
Our mysql cluster uses the following hiera-keys:
Key | Description | Example | Created by | Data-type | Datafile | Used by |
---|---|---|---|---|---|---|
profile::mysqlcluster::servers | This is a list over IPv4 addresses used by servers in the cluster. This list are used when a server starts up, to discover at least one of the machines already in the cluster. | - '192.0.2.201' | N/A | String | common.yaml | role::bootstrap, role::mysql |
profile::mysqlcluster::master | The fqdn of one of the mysql-servers. This are in theory used by the puppet-galera module to start one server in case all servers are down. | 'mysql1.example.com' | N/A | String | common.yaml | role::bootstrap, role::mysql |
profile::mysqlcluster::root_password | This is the password of the mysql root user | 'OwT$Etc$=|;h(=upip#3' | pwgen -s -y 20 -1 | String | common.yaml | role::bootstrap, role::mysql |
profile::mysqlcluster::status_password | This is the password of the mysql status user | ';^8P"M,Oem6le\T"am!0' | pwgen -s -y 20 -1 | String | common.yaml | role::bootstrap, role::mysql |
profile::mysqlcluster::haproxy_password | This is the password of the mysql haproxy user. This user is so that haproxy can create more robust checks than just see if port 3306 is open. | '4g36-&jHNFF?J-7yQZHa' | pwgen -s -y 20 -1 | String | common.yaml | role::bootstrap, role::mysql |
Openstack
General keys, shared amongst various Openstack services
Key | Description | Example | Created by | Data-type | Datafile: | Used by |
---|---|---|---|---|---|---|
profile::openstack::foo | foo | foo | N/A | String | openstack.yaml | role::foo |
Cinder
Key | Description | Example | Created by | Data-type | Datafile: | Used by |
---|---|---|---|---|---|---|
profile::cinder::foo | foo | foo | N/A | String | openstack.yaml | role::foo |
Glance
Key | Description | Example | Created by | Data-type | Datafile: | Used by |
---|---|---|---|---|---|---|
profile::glance::foo | foo | foo | N/A | String | openstack.yaml | role::foo |
Heat
Key | Description | Example | Created by | Data-type | Datafile: | Used by |
---|---|---|---|---|---|---|
profile::heat::foo | foo | foo | N/A | String | openstack.yaml | role::foo |
Horizon
Key | Description | Example | Created by | Data-type | Datafile: | Used by |
---|---|---|---|---|---|---|
profile::horizon::foo | foo | foo | N/A | String | openstack.yaml | role::foo |
Keystone
Key | Description | Example | Created by | Data-type | Datafile: | Used by |
---|---|---|---|---|---|---|
profile::keystone::foo | foo | foo | N/A | String | openstack.yaml | role::foo |
Neutron
Key | Description | Example | Created by | Data-type | Datafile: | Used by |
---|---|---|---|---|---|---|
profile::neutron::foo | foo | foo | N/A | String | openstack.yaml | role::foo |
Nova
Key | Description | Example | Created by | Data-type | Datafile: | Used by |
---|---|---|---|---|---|---|
profile::nova::foo | foo | foo | N/A | String | openstack.yaml | role::foo |
Postgres
Our postgres servers uses the following hiera keys:
Key | Description | Example | Created by | Data-type | Datafile: | Used by |
---|---|---|---|---|---|---|
profile::postgres::ipv4 | The IPv4 address to use in front of the postgres servers. | '192.0.2.204' | N/A | String | common.yaml | role::bootstrap, role::postgres::master, role::postgres::slave, role::puppet::db |
profile::postgres::ipv4::id | The VRRP id to use for the VRRP instance negotiating for postgres's IPv4 address | 13 | N/A | Integer | common.yaml | role::bootstrap, role::postgres::master, role::postgres::slave |
profile::postgres::ipv4::priority | The VRRP priority to use for the VRRP instance negotiating for postgres's IPv4 address | 10 | N/A | Integer | common.yaml | role::bootstrap, role::postgres::master, role::postgres::slave |
profile::postgres::ipv6 | The IPv6 address to use in front of the postgres servers. | '2001:db8:beef:707::9:6591' | N/A | String | common.yaml | role::bootstrap, role::postgres::master, role::postgres::slave, role::puppet::db |
profile::postgres::ipv6::id | The VRRP id to use for the VRRP instance negotiating for postgres's IPv6 address | 14 | N/A | Integer | common.yaml | role::bootstrap, role::postgres::master, role::postgres::slave |
profile::postgres::ipv6::priority | The VRRP priority to use for the VRRP instance negotiating for postgres's IPv6 address | 10 | N/A | Integer | common.yaml | role::bootstrap, role::postgres::master, role::postgres::slave |
profile::postgres::masterserver | A fqdn identifying the postgres server which is supposed to be the master. This affects which servers are going to create databases and users. | 'pgsql1.example.com' | N/A | String | common.yaml | role::bootstrap, role::postgres::master, role::postgres::slave |
profile::postgres::password | The password for the "postgres" postgresql user. | 'd4Cwfl)W}onosE~Y[]G,' | pwgen -s -y 20 -1 | String | common.yaml | role::bootstrap, role::postgres::master, role::postgres::slave |
profile::postgres::replicatorpassword | The password used for the "replicator" postgresql user. | 'Gz,j*>Qt'dF{-\Sr4N-_' | pwgen -s -y 20 -1 | String | common.yaml | role::bootstrap, role::postgres::master, role::postgres::slave |
Puppet
These are our puppet-related hiera keys:
Key | Description | Example | Created by | Data-type | Datafile: | Used by |
---|---|---|---|---|---|---|
profile::puppet::aptkey | The gpg key used to authenticate the puppetlabs apt repository | '6F6B15509CF8E59E6E469F327F438280EF8D349F' | puppetlabs | String | common.yaml | All |
profile::puppet::caserver | The fqdn of the puppetca server | 'puppetca.example.com' | N/A | String | common.yaml | All |
profile::puppet::environment | The puppet environment a certain host should be configured to use. This needs to be a valid puppet environment, but it will also be owerridden by the ENC, so it is not important exactly which environment are listed her as long as it exists. If you do not use an ENC, this is the puppet environment a client will retrieve config from. | 'production' | N/A | String | common.yaml | All |
profile::puppet::hostname | This is the fqdn the clients use to contact the puppetmasters. | 'puppet.example.com' | N/A | String | common.yaml | All |
profile::puppet::r10k::repo | The path to the git-repository which r10k uses to retrieve environments and modules. | 'https://github.com/myorg/r10k.git' | N/A | String | common.yaml | role::bootstrap, role::puppet::server, role::puppet::ca |
profile::puppet::runinterval | How often the puppet client should run. Given as a string consisting of a number and a prefix (h, m). | '60m' | N/A | String | common.yaml | All |
profile::puppetdb::database::name | The name of the postgres database used by puppetdb | 'puppetdb' | N/A | String | common.yaml | role::bootstrap, role::puppet::db, role::postgres::master |
profile::puppetdb::database::user | The username of the postgres database used by puppetdb | 'puppetdb' | N/A | String | common.yaml | role::bootstrap, role::puppet::db, role::postgres::master |
profile::puppetdb::database::pass | The password of the postgres database used by puppetdb NB: The pwgen command lacks -y because some special characters will cause errors | 'ys0c85FlLhhfqeteFIfx' | pwgen -s 20 -1 | String | common.yaml | role::bootstrap, role::puppet::db, role::postgres::master |
profile::puppetdb::hostname | The hostname which the puppetservers use to contact the puppetdb service | 'puppetdb.example.com' | N/A | String | common.yaml | role::bootstrap, role::puppet::server role::puppet::ca |
Rabbitmq
Key | Description | Example | Created by | Data-type | Datafile | Used by: |
---|---|---|---|---|---|---|
profile::rabbitmq::ip | IP address for rabbitmq keepalived VIP | '10.212.132.11' | N/A | String | networking.yaml | role::rabbitmq, |
profile::rabbitmq::vrrp::id | The VRRP id to use for the VRRP instance negotiating for rabbitmq's IPv4 address | 12 | N/A | Integer | networking.yaml | role::rabbitmq |
profile::rabbitmq::vrrp::priority | The VRRP priority to use for the VRRP instance negotiating for rabbitmq's IPv4 address | 100 | N/A | Integer | networking.yaml or node-specific | role::rabbitmq |
profile::rabbitmq::rabbituser | Default user to create in rabbitmq | 'rabbit' | N/A | String | common.yaml | role::rabbitmq, role::compute |
profile::rabbitmq::rabbitpass | Password for default vhost / | pwgen -s -y 20 -1 | String | role::rabbitmq, role::compute | ||
profile::rabbitmq::rabbitsecret | rabbitmq master secret | pwgen -s -y 20 -1 | String | role::rabbitmq |
Redis
Key | Description | Example | Created by | Data-type | Datafile | Used by: |
---|---|---|---|---|---|---|
profile::redis::master | Name or IP address of initial redis master | 'redis1.cloud.domain.com' or '192.168.100.12' WARNING: If you use DNS name, ensure that the name DOESN'T resolve to 127.0.0.1 at the given redis host, or else this node will not add itself to the redis-sentinel cluster | N/A | String | common.yaml | role::redis |
profile::redis::masterauth | Password for master communitcation | 'teY.>&3@Ub$X-OGxOFQ7' | pwgen -s -y 20 -1 | String | common.yaml | role::redis role::balancer::management role::sensuserver role::bootstrap |
profile::redis::nodetype | Defined on each redis-node. Only valid values are 'master' or 'slave' | 'master' | N/A | String | node specific file | role::redis |
profile::redis::ip | The IP redis clients should contact redis on. Typically the haproxy ip | '192.168.100.10' or "%{hiera('profile::haproxy::management::ipv4')}" or redis.cloud.domain.com | N/A | String | common.yaml | roles::sensuserver |
Sensu
Key | Description | Example | Created by | Data-type | Datafile | Used by: |
---|---|---|---|---|---|---|
profile::sensu::install | Opt-out for installing sensu. If not set to false, sensu-clients will be installed everywhere | false | N/A | Boolean | sensu.yaml or node-specific | All |
profile::sensu::uchiwa::private_key | Private key for uchiwa JWT creation | Content of generated file | openssl genrsa -out uchiwa.rsa 2048 | String | sensu.yaml | role::sensuserver |
profile::sensu::uchiwa::public_key | Public key for uchiwa JWT creation | Content of generated file | openssl rsa -in uchiwa.rsa -pubout > uchiwa.rsa.pub | String | sensu.yaml | role::sensuserver |
profile::sensu::uchiwa::password | Password for default (and only) user 'sensu' in Uchiwa | 'g00dp@$$w0rd' | pwgen -s -y 20 1 | String | sensu.yaml | role::sensuserver |
profile::sensu::uchiwa::fqdn | FQDN for uchiwa web frontend (not FQDN for the server running an instance of it) | 'sensu.cloud.domain.com' | N/A | String | sensu.yaml | role::sensuserver, role::bootstrap, role::balancer::mangement |
profile::sensu::rabbit_password | Password for sensu user at the /sensu rabbitmq vhost. Needed for rabbitmq servers, sensu servers AND all sensu clients. | 'g00dp@$$w0rd' | pwgen -s -y 20 1 | String | sensu.yaml | All |
profile::sensu::mailer::url | URL to Uchiwa web frontend, that will appear in e-mails from Sensu | "http://%{hiera('profile::sensu::uchiwa::fqdn')}" | N/A | String | sensu.yaml | role::sensuserver |
profile::sensu::mailer::mail_from | The address sensu will send e-mail alerts from | 'sensu@sensu.domain.com' | N/A | String | sensu.yaml | role::sensuserver |
profile::sensu::mailer::mail_to | List of addresses that sensu will send e-mail alerts to | - 'sysadmin1@cloud.domain.com' - 'sysadmin2@cloud.domain.com' | N/A | List of strings | sensu.yaml | role::sensuserver |
profile::sensu::mailer::smtp_address | Outgoing SMTP server mail alerts | 'smtp.cloud.domain.com' | N/A | String | sensu.yaml | role::sensuserver |
profile::sensu::mailer::smtp_port | TCP port used for connections to the given SMTP server | 25 | N/A | Integer | sensu.yaml | role::sensuserver |
profile::sensu::mailer::smtp_domain | SMTP domain | 'cloud.domain.com' | N/A | String | sensu.yaml | role::sensuserver |
profile::sensu::plugins | The plugins listed here will be installed on all clients. OBS: The example value is actually mandatory, because the checks tagged with 'all' in profile::sensu::checks rely on them. Puppet will not fail without defining this key, but none of the cheks will make any sense... | - 'sensu-plugins-disk-checks' | N/A | List of strings | sensu.yaml | All |
sensu::redact | Values that match the patterns in this list will be redacted in all output from sensu | - 'password' | N/A | List of strings | sensu.yaml | All |
sensu::subscriptions | Which checks a sensu-client should subscribe to. This is typically set per node. By default, a sensu-client will subscribe to checks tagged with 'all', and if the client is a physical server, it will also subscribe to 'physical-servers' | - 'mysql' - 'rabbitmq' - 'roundrobin:ceph' | N/A | List of strings | node-specific | All |
sensu::client_custom | If you want to override parameters for check command. I.e thresholds, specifying passowrd etc. This where you do that. Should only be set per node | 'load': warning: "8,4,2" critical: "16,8,4" 'mysql': password: "%{hiera('profile::mysqlcluster::status_password')}" 'disk': mountpoints: '/,/home,/var' | N/A | List of hashes | node-specific or really anywhere if you configure lookup_options to deep merge | All (or, more precise, just the client you add this key to) |
profile::sensu::checks::tlsexpiry | A hash of 'fqdn[:port]' : 'shortname' which should be checked for TLS Expiry | 'www.foo.com' : 'foo' 'api.foo.com:8080' : 'api' 'munin.foo.com' : 'munin' | N/A | Hash | sensu.yaml | role::sensuserver |
lookup_options: | You might wanna set this in sensu.yaml to allow client_custom settings to be set in multple hiera files without overwriting them with the settings in the top of the hierarchy | sensu::client_custom: merge: strategy: 'deep' merge_hash_arrays: true | N/A | List of hashes | sensu.yaml | All |