...
Depending on what services you are handling with puppet, you might need various keys in hiera. This page tries to list which keys needs to be present to use our role/profile repositories.
Note |
---|
Keys in italic are optional |
General information
There are quite a bit of data which are not associated to a specific service, but are rather used by various modules, and should thus generally allways be present:
Key | Description | Example | Created by | Data-type | Datafile: | Used by: |
---|
profile::networking::rpfilter | Before we used multiple routing-tables on our hosts we had to turn off rpfilter to allow asymmetric routing. Now this should be turned on. | true | N/A | Boolean | networking.yaml | All |
profile::networking::management::ipv4::prefixes | A list over IPv4 prefixes for networks where management stations are found. Used to configure the firewall for SSH, stats-pages etc. | - '192.0.2.0/26' | N/A | List of strings | networking.yaml | All |
profile::networking::management::ipv6::prefixes | A list over IPv6 prefixes for networks where management stations are found. Used to configure the firewall for SSH, stats-pages etc. | - '2001:db8:beef:701::/64' | N/A | List of strings | networking.yaml | All |
Networks
The networks used in the deployment are all described in hiera to ensure that all configuration retrieves the same values when configuring anything network specific. There are one key in hiera which lists all networks:
profile::ntp::servers | A list over ntp servers to use. | - 'ntp.ntnu.no |
Key | Description | Example | Created by | Data-type | Used by: |
---|
profile::networks | A list over networks in this deployment. The values in this list is used as keys to retrieve the rest of the parameters. | - 'management Stringsrole::bootstrap, role::dashboard, role::kvm, role::dhcp | For each of the neworks listed in "profile::networks" the following keys should exist:
strings | common.yaml | All |
profile::keepalived::vrrp_password | A password used to secure the vrrp instances | '724EuvohTGOdlcFnLlDV' | pwgen -s -1 20 | String | common.yaml | |
classes | A list over puppet classes which should be installed on a node. Used when we do not have an ENC, but it is always required. It is thus recommended to have an empty list here if an ENC is used. | [ ] | N/A | List of strings | common.yaml or node-specific file. | All |
profile::productionlevel | Which production-level is this installation? "prod", "test" or "dev"? | 'dev |
Key | Description | Example | Created by | Data-type | Used by |
---|
profile::networks::<networkname>::domain | The network-specific domain-name. | 'management.example.com' | N/A | String | role::bootstrap, role::dashboard |
profile::networks::<networkname>::ipv4::dynamicrange | (Optional) The range of ip-addresses for dynamic assignment to unregistered hosts. | '192.0.2.230 192.0.2.240role::bootstrap, role::dashboard, role::dhcpnetworks<networkname>::ipv4::gatewayThe IPv4 gateway on the network | '192.0.2.1smtp_relay | An SMTP relay which the server can use to send mail | 'smtp.example.com' | N/A | String |
role::bootstrap, role::dashboard, role::dhcpnetworks<networkname>::ipv4::idmaildomain | The domain the server sends mail from | 'example.com |
The IPv4 network ID. | '192.0.2.0role::bootstrap, role::dashboard, role::dhcp | profile::networks::<networkname>::ipv4::mask | The IPv4 network mask | '255.255.255.0Networks
The networks used in the deployment are all described in hiera to ensure that all configuration retrieves the same values when configuring anything network specific. There are one key in hiera which lists all networks:
Key | Description | Example | Created by | Data-type | Datafile: | Used by: |
---|
profile::networks | A list over networks in this deployment. The values in this list is used as keys to retrieve the rest of the parameters. | - 'management' | N/A |
StringList of Strings | networking.yaml | role::bootstrap, role::dashboard, role::kvm, role::dhcp |
For each of the neworks listed in "profile::networks" the following keys should exist:
Key | Description | Example | Created by | Data-type | Datafile: | Used by |
---|
::<networkname>::ipv4::prefixThe IPv4 CIDR prefix. | '192.0.2.0/24' | N/A | String | Most roles. Used as a source-net in firewall rules. |
---|
profile::networks::<networkname>:: |
ipv4::reserved(Optional) list over address-ranges which the dashboard should not assign to hosts. | domain | The network-specific domain-name. | 'management.example.com |
- '192.0.2.245-192.0.2.248' | N/A | String | networking.yaml | role::bootstrap, role::dashboard |
profile::networks::<networkname>:: |
ipv6prefixThe IPv6 CIDR prefix | (Optional) The range of ip-addresses for dynamic assignment to unregistered hosts. | '192.0.2.230 192.0.2.240 |
'2001:db8:beef:707::/64' | N/A | String | networking.yaml | role::bootstrap, role:: |
postgres::masterpostgres::slavedhcp |
profile::networks::<networkname>::ipv4:: |
vlanid VLAN ID of 504 | IPv4 gateway on the network | '192. |
IntegerString | networking.yaml | role:: |
kvmDashboard
The general configuration of the dashboard are based on the following keys:
Key | Description | Example | Created by | Data-type | Used by: |
---|
profile::dashboard::django::secret | A secret key used for misc. security features in the django backend. Should be the same on all dashboard servers | 'pM[`SiZd'=+ycXOAKm`srXY?@8DRw=BVdQXg$blHD"RD\2iv97' | pwgen -s -y 50 -1 | String | bootstrap, role::dashboard, role::dhcp |
profile::networks::<networkname>::ipv4::id | The IPv4 network ID. | '192.0.2.0' | N/A | String | networking.yaml | role::bootstrap, role::dashboard, role::dhcp |
profile::networks::<networkname>::ipv4::mask | The IPv4 network mask | '255.255.255.0' | N/A | String | networking.yaml |
role::bootstrap, role::dashboard, role::dhcp |
profile:: |
dashboardnetworks::<networkname>::ipv4:: |
nameThe DNS name used to access the dashboard. This name should have an A and AAAA record configured with the address of the dashboard server (or loadbalancer). | 'dashboard.example.com' | N/A | String | role::bootstrap, role::dashboard | profile::dashboard::name::v4only | A DNS name wich also points to the dashboard, but this name should only resolve to an IPv4 address. This is because of some processes currently only works over IPv4 (Authorization of the retrieval of PXE preseed files for example) | 'v4dashboard.example.com' | N/A | prefix | The IPv4 CIDR prefix. | '192.0.2.0/24' | N/A | String | networking.yaml | Most roles. Used as a source-net in firewall rules. |
profile::networks::<networkname>::ipv4::reserved | (Optional) list over address-ranges which the dashboard should not assign to hosts. | - '192.0.2.245-192.0.2.248' | N/A | String | networking.yaml |
String | role::bootstrap, role::dashboard |
profile:: |
dashboardnetworks::<networkname>:: |
ldapurl url for the LDAP server used for authentication.IPv6 CIDR prefix | '2001:db8:beef:707::/64 |
'ldaps://ldap.example.com:636' | N/A | String | networking.yaml | role::bootstrap, role::postgres::master, role::postgres:: |
dashboarddashboardldapsearch_baseLDAP search base | vlanid | The VLAN ID of the network. | 504 |
'OU=Users,DC=ldap,DC=example,DC=com'StringInteger | networking.yaml | role:: |
bootstrap, role::dashboardprofile::dashboard::ldap::domain | LDAP domain nam | 'example-com' | N/A | String | role::bootstrap, role::dashboard |
Legacy keys
As there still are a couple of puppet profiles expecting the management network to be named management, the following keys are neededThere are also some keys which have a suggested value wich should work for all installations, but are still included in hiera for flexibility:
Suggested valueExample | Created by | Data-type | Datafile: | Used by |
---|
:dashboardnetworks::management::ipv4:: |
apiA HTTP link used by external clients connecting to the dashboard. | prefix | IPv4 prefix for management network | " |
'http://%{hiera('profile::networks:: |
dashboardnamev4only'rolenetworking.yaml | |
profile:: |
bootstrap, roledashboardprofiledashboarddatadirA location where the dashboard can store files. | '/var/lib/machineadmin' | String | role::bootstrap, role::dashboard | Database
prefix | IPv6 prefix for management network | "%{hiera('profile::networks::infrastructure::ipv6::prefix')}" | N/A | String | networking.yaml | |
Users
To create users the following general keys are needed:
Key | Description | Example | Created by | Data-type | Datafile: | Used by: |
---|
profile:: |
dashboard::database::typeThe database type. | 'mysql' or 'sqliteusers | A list over usernames which puppet should configure users for | - 'eigil' | N/A |
String | role::bootstrap, role::dashboardList of Strings | users.yaml | All machines |
For each username the following keys should be created.
Key | Description | Example | Created by | Data-type | Datafile: | Used by: |
---|
profile:: |
dashboarddatabasename database name (for mysql) or location (for sqlite)'dashboard' or '/var/dashboard.sqlite'String | role::bootstrap, role::dashboardInteger | users.yaml | All machines |
profile:: |
dashboarddatabase<username>::groups | A list over groups the user |
The database username | 'dashboardshould belong to. | - 'sudo' | N/A |
| List of strings | users.yaml | All machines |
String | role::bootstrap, role::dashboarddashboarddatabasepass database password'x&1/7LjWbz:i<:W&p+PG' | pwgen -s -y 20 -1 | String | role::bootstrap, role::dashboard | password-hash to be injected into /etc/shadow | | | String | users.yaml | All machines |
profile::user::<username>::keys | List over ssh-keys which should be added to the users authorized_keys | | N/A | List of strings | users.yaml | All machines |
profile::user::<username>::key::<keyname> | A specific ssh key. Needs one for each key listed in profile::user::<username>::keys | | N/A | String | users.yaml | All machines |
Ceph
These keys will be subject to change, when they get to be a part of new roles
Key | Description | Example | Created by | Data-type | Used by: |
---|
profile::ceph::fsid | UUID for cluster | '23a2d131-99f7-4ad0-9fb4-1977f59ce530' | uuidgen |
profile::dashboard::database::host | The database host. Could be a static string, or a hiera lookup. | 'mysql.example.com', '192.0.2.38' or "%{hiera('profile::haproxy::management::ip')}" | N/AbootstrapdashboardDHCP configuration:
The dashboard needs the keys listed at the section DHCP server in addition to the following keys to configure the DHCP servers:
Key | Description | Example | Created by | Data-type | Used by: |
---|
profile::dhcp::servers | A list of hashes describing the dhcp servers. Key=DHCP-Server-name and value=DHCP-IPv4 | 'dhcp1': '192.0.2.21' | N/A | List of hashes | role::bootstrap, role::dashboard |
DNS configuration:
The Dashboard requires some keys listed under the section DNS-Server, in addition to the following keys:
Key | Description | Example | Created by | Data-type | Used by: |
---|
profile::dns::<shortname>::key | The TSIG key used for updates sent to this server. It can be useful to let this be a hiera-lookup for the zones managed by our own DNS servers. | 'UvetjoX5zMiw/NbQr3biug==' "%{hiera('profile::dns::key::update')}" | dnssec-keygen -a HMAC-MD5 -b 128 -n HOST <keyname> | String | role::bootstrap, role::dashboard |
PXE-Booting
The dashboard and the DHCP servers are together providing a pxeboot environment where we boot and install operatingsystem images.
DHCP server
When running DHCP servers, the following keys are needed:
compute, role::storage |
profile::ceph::replicas | Amount of replicas in cluster | 3 | N/A | Integer | role::controller, role::compute, role::storage |
profile::ceph::journal::size | Size of journal (not relevant in luminous(?)) in MB | 15800 | N/A | Integer | role::controller, role::compute, role::storage |
profile::ceph::admin_key | Admin key | 'AQCIhy9a9ozCKhAApX5UoAnjad+KZ4VzWxBYJQ==' | ceph-authtool --gen-print-key | String | role::controller, role::compute, role::storage |
profile::ceph::monitor_key | ceph-mon key | 'AQCIhy9a9ozCKhAApX5UoAnjad+KZ4VzWxBYJQ==' | ceph-authtool --gen-print-key | String | role::controller, role::compute |
profile::ceph::mgr_key | ceph-mgr key | 'AQCIhy9a9ozCKhAApX5UoAnjad+KZ4VzWxBYJQ==' | ceph-authtool --gen-print-key | String | role::controller |
profile::ceph::osd_bootstrap_key | ceph-osd bootstrap key | 'AQCIhy9a9ozCKhAApX5UoAnjad+KZ4VzWxBYJQ==' | ceph-authtool --gen-print-key | String | role::controller, role::storage |
profile::ceph::glance_key | glance key | 'AQCIhy9a9ozCKhAApX5UoAnjad+KZ4VzWxBYJQ==' | ceph-authtool --gen-print-key | String | role::controller (glance hosts) |
profile::ceph::nova_key | nova (and cinder) key | 'AQCIhy9a9ozCKhAApX5UoAnjad+KZ4VzWxBYJQ==' | ceph-authtool --gen-print-key | String | role::controller, role::compute (nova hosts) (cinder hosts) |
profile::ceph::nova_uuid | UUID for nova/libvrt and cinder | '23a2d131-99f7-4ad0-9fb4-1977f59ce530' | uuidgen | String | role::controller, role::compute (nova and cinder hosts) |
profile::ceph::cluster_network | Ceph frontend network | '172.17.2.0/24' | N/A | String | role::storage |
profile::ceph::public_network | Ceph backend (replication) network | '172.17.3.0/24' | N/A | String | role::storage |
Dashboard
The general configuration of the dashboard are based on the following keys:
Key | Description | Example | Created by | Data-type | Used by: |
---|
profile::dhcp::omapi::key | The omapi key used to update the DHCP servers | 'omapi_key==' | dnssec-keygen -r /dev/urandom -a HMAC-MD5 -b 512 -n HOST key_name | String | role::bootstrap, role::dashboard, role::dhcp |
profile::dhcp::omapi::name | The omapi key name | 'key_name' | ↑ | String | Key | Description | Example | Created by | Data-type | Datafile: | Used by: |
---|
profile::dashboard::django::secret | A secret key used for misc. security features in the django backend. Should be the same on all dashboard servers NB: The pwgen command lacks -y because some special characters will cause errors | '9tAMGEAEO4ln3t3PEXvN7dJov5SlbKU5AxxkSO50WQH6yIMt8X' | pwgen -s 50 -1 | String | common.yaml |
role::bootstrap, role::dashboard |
, role::dhcpdhcpsearchdomain default search-domain handed to DHCP clientsDNS name used to access the dashboard. This name should have an A and AAAA record configured with the address of the dashboard server (or loadbalancer). | 'dashboard.example.com' | N/A | String | common.yaml |
'cloud.domain.com' | N/A | StringdhcpdnsresolversThe DNS resolvers for clients to use | - '<ip-addres-DNS1>' - '<ip-address-DNS2>' | N/A | List of stringsA DNS name wich also points to the dashboard, but this name should only resolve to an IPv4 address. This is because of some processes currently only works over IPv4 (Authorization of the retrieval of PXE preseed files for example) | 'v4dashboard.example.com' | N/A | String | common.yaml | role::bootstrap, role:: |
dhcpDNS server
If you are hosting a DNS server the following keys are needed:
dashboard |
profile::dashboard::ldap::url | The url for the LDAP server used for authentication. | 'ldaps://ldap.example.com:636' | N/A | String | common.yaml |
Key | Description | Example | Created by | Data-type | Used by: |
---|
profile::dns::forwarders | Which DNS servers your DNS server should use to resolve domainnames where it is not an authorative DNS | - '<ip-addres-DNS1>' - '<ip-address-DNS2>' | N/A | List of stringsdns::masterdnskeytransferThe TSIG keys used for zone-transfers | 'UvetjoX5zMiw/NbQr3biug==' | dnssec-keygen -a HMAC-MD5 -b 128 -n HOST <keyname> | search_base | LDAP search base | 'OU=Users,DC=ldap,DC=example,DC=com' | N/A | String | common.yaml |
Stringdns::master, role::dns::slavednskeyupdatedomain | LDAP domain nam | 'example-com' | N/A | String | common.yaml | role |
The TSIG keys used for DNS updates | 'UvetjoX5zMiw/NbQr3biug==' | dnssec-keygen -a HMAC-MD5 -b 128 -n HOST <keyname> | String | roledns::master, role::dns::slaveThere are also some keys which have a suggested value wich should work for all installations, but are still included in hiera for flexibility:
Key | Description | Suggested value | Data-type | Datafile: | Used by: |
---|
profile:: |
dnsslavesA list over DNS slave-servers which replicates the zone-files from the main DNS server. The hash is structured as key=Servername and value=DNS-IPv4 | 'ns2.example.com': '192.0.2.130' | N/A | List of Hashesdns::master, role::dns::slavednszonesdatadir | A location where the dashboard can store files. | '/var/lib/shiftleader' | String | common.yaml |
A list over DNS zones managed by our DNS servers, or used by our dashboard. The hash is structured as key=DNS-zone and value=DNS-server-shortname. | 'zone.example.com': 'ns1' | N/A | List of Hashes | role::bootstrap, role::dashboard |
, role::dns::master, role::dns::slaveI addition there are a set of keys which are needed for each DNS server managing a DNS zone used by us. Shortname is here the name used in "profile::dns::zones".
Database
Key | Description | Example | Created by | Data-type | Datafile: | Used by: |
---|
profile::dashboard::database::type | The database type. | 'mysql' or 'sqlite' | N/A | String | common.yaml | role::bootstrap, role::dashboard |
profile::dashboard::database::name | The database name (for mysql) or location (for sqlite) | 'dashboard' or '/var/dashboard.sqlite |
Key | Description | Example | Created by | Data-type | Used by: |
---|
profile::dns::<shortname>::ipv4 | The IPv4 address of a specific DNS server. | '192.0.2.129' | N/A | String | common.yaml | role::bootstrap, role::dashboard |
, role::dns::master, role::dns::slavedns<shortname>name fqdn of a specific DNS serverns1.example.comdashboard' | N/A | String | common.yaml | role::bootstrap, role:: |
dnsmaster, rolednsslaveHaproxy
We use haproxy to loadbalance multiple of our services. It needs the following keys present in hiera to work:
The database password | 'x&1/7LjWbz:i<:W&p+PG' | pwgen -s -y 20 -1 | String | common.yaml | role::bootstrap, role::dashboard |
profile::dashboard::database::host | The database host. Could be a static string, or a hiera lookup. | 'mysql.example.com', |
Key | Description | Example | Created by | Data-type | Used by: |
---|
profile::haproxy::management::ipv4 | The IPv4 address used in front og the loadbalancer used for managemnet services | 151' 38' or "%{hiera('profile::haproxy::management::ip')}" | N/A | String | common.yaml | role::bootstrap, role:: |
puppet::db, role::puppet::server, role::mysql, role::balancer::managementDHCP configuration:
The dashboard needs the keys listed at the section DHCP server in addition to the following keys to configure the DHCP servers:
Key | Description | Example | Created by | Data-type | Datafile | Used by: |
---|
profile:: |
haproxymanagement::ipv4::idThe VRRP id used by the IPv4 VRRP instance. | 11servers | A list of hashes describing the dhcp servers. Key=DHCP-Server-name and value=DHCP-IPv4 | 'dhcp1': '192.0.2.21' | N/A |
Integer | List of hashes | common.yaml | role::bootstrap, role:: |
balancer::managementprofile::haproxy::management::ipv4::priority | The VRRP priority used by the IPv4 VRRP instance. | 10 | N/A | Integer | role::bootstrap, role::balancer::management |
DNS configuration:
The Dashboard requires some keys listed under the section DNS-Server, in addition to the following keys:
Key | Description | Example | Created by | Data-type | Datafile: | Used by: |
---|
profile::dns::<shortname>::key | The TSIG key used for updates sent to this server. It can be useful to let this be a hiera-lookup for the zones managed by our own DNS servers. | 'UvetjoX5zMiw/NbQr3biug==' "%{hiera('profile::dns::key::update')}" | dnssec-keygen -a HMAC-MD5 -b 128 -n HOST <keyname> | String | common.yaml |
profile::haproxy::management::ipv6 | The IPv4 address used in front og the loadbalancer used for managemnet services | '2001:db8:beef:707::7b1' | N/A | Stringpuppet::db, role::puppet::server, role::mysql, role::balancer::management profile::haproxy::management::ipv6::id | The VRRP id used by the IPv6 VRRP instance. | 12 | N/A | Integer | role::bootstrap, role::balancer::management |
profile::haproxy::management::ipv6::priority | The VRRP priority used by the IPv6 VRRP instance. | 10 | N/A | IntegerPXE-Booting
The dashboard and the DHCP servers are together providing a pxeboot environment where we boot and install operatingsystem images.
Key | Description | Example | Created by | Data-type | Datafile: | Used by: |
---|
profile::pxe::images | A list over image short-names (ID's used to identify images later). | - '1604amd64' | N/A | List of strings | common.yaml | role::bootstrap, role::dhcp |
profile:: |
balancermanagementMySQL
Our mysql cluster uses the following hiera-keys:
name | A descriptive name of the specific image | 'Ubuntu 16.04 Server amd64' |
Key | Description | Example | Created by | Data-type | Used by |
---|
profile::mysqlcluster::servers | This is a list over IPv4 addresses used by servers in the cluster. This list are used when a server starts up, to discover at least one of the machines already in the cluster. | - '192.0.2.201' | N/A | String | common.yaml | role::bootstrap, role:: |
mysqlmysqlclustermasterThe fqdn of one of the mysql-servers. This are in theory used by the puppet-galera module to start one server in case all servers are down. | 'mysql1.example.com' | N/A | String | common.yaml | role::bootstrap, role:: |
mysqlmysqlclusterroot_passwordThis is the password of the mysql root user | 'OwT$Etc$=|;h(=upip#3' | pwgen -s -y 20 -1 | String | mysqlprofile::mysqlcluster::status_password | This is the password of the mysql status user | ';^8P"M,Oem6le\T"am!0' | pwgen -s -y 20 -1 | String | role::bootstrap, role::mysql |
DHCP server
When running DHCP servers, the following keys are needed:
profile::mysqlcluster::haproxy_password | This is the password of the mysql haproxy user. This user is so that haproxy can create more robust checks than just see if port 3306 is open. | '4g36-&jHNFF?J-7yQZHa' | pwgen -s -y 20 -1 | String | Key | Description | Example | Created by | Data-type | Datafile: | Used by: |
---|
profile::dhcp::omapi::key | The omapi key used to update the DHCP servers | 'omapi_key==' | dnssec-keygen -r /dev/urandom -a HMAC-MD5 -b 512 -n HOST key_name | String | common.yaml |
mysqlPostgres
Our postgres servers uses the following hiera keys:
Key | Description | Example | Created by | Data-type | Used by |
---|
profile::postgres::ipv4 | The IPv4 address to use in front of the postgres servers. | '192.0.2.204' | N/A | String | dashboard, role::dhcp |
profile::dhcp::omapi::name | The omapi key name | 'key_name' | ↑ | String | common.yaml | role::bootstrap, role::dashboard, role::dhcp |
profile::dhcp::searchdomain | The default search-domain handed to DHCP clients | 'cloud.domain.com' | N/A | String | common.yaml |
postgres::master, role::postgres::slave, role::puppet::dbpostgresipv4::id VRRP id to use for the VRRP instance negotiating for postgres's IPv4 address13DNS resolvers for clients to use | - '<ip-addres-DNS1>' - '<ip-address-DNS2>' | N/A |
IntegerList of strings | common.yaml | role::bootstrap, role:: |
postgres::master, role::postgres::slaveprofile::postgres::ipv4::priority | The VRRP priority to use for the VRRP instance negotiating for postgres's IPv4 address | 10 | N/A | Integer | role::bootstrap, role::postgres::master, role::postgres::slave |
profile::postgres::ipv6 | The IPv6 address to use in front of the postgres servers. | DNS server
If you are hosting a DNS server the following keys are needed:
Key | Description | Example | Created by | Data-type | Datafile: | Used by: |
---|
profile::dns::forwarders | Which DNS servers your DNS server should use to resolve domainnames where it is not an authorative DNS | - '<ip-addres-DNS1>' - '<ip-address-DNS2>' | N/A | List of strings | common.yaml |
'2001:db8:beef:707::9:6591' | N/A | Stringpostgres, role::postgres::slave, role::puppet::dbpostgresipv6id VRRP id to use for the VRRP instance negotiating for postgres's IPv6 addressTSIG keys used for zone-transfers | 'UvetjoX5zMiw/NbQr3biug==' | dnssec-keygen -a HMAC-MD5 -b 128 -n HOST <keyname> | String | common.yaml |
14 | N/A | Integerpostgrespostgrespostgresipv6priority VRRP priority to use for the VRRP instance negotiating for postgres's IPv6 address10 | N/A | Integer | TSIG keys used for DNS updates | 'UvetjoX5zMiw/NbQr3biug==' | dnssec-keygen -a HMAC-MD5 -b 128 -n HOST <keyname> | String | common.yaml | role:: |
role::postgrespostgrespostgresmasterserver fqdn identifying the postgres server which is supposed to be the master. This affects which servers are going to create databases and users.list over DNS slave-servers which replicates the zone-files from the main DNS server. The hash is structured as key=Servername and value=DNS-IPv4 | 'ns2.example.com': '192.0.2.130' | N/A | List of Hashes | common.yaml |
'pgsql1.example.com' | N/A | StringpostgrespostgrespostgrespasswordThe password for the "postgres" postgresql user. | 'd4Cwfl)W}onosE~Y[]G,' | pwgen -s -y 20 -1 | zones | A list over DNS zones managed by our DNS servers, or used by our dashboard. The hash is structured as key=DNS-zone and value=DNS-server-shortname. | 'zone.example.com': 'ns1' | N/A | List of Hashes | common.yaml |
String | role::bootstrap, role::dashboard, role:: |
postgrespostgresI addition there are a set of keys which are needed for each DNS server managing a DNS zone used by us. Shortname is here the name used in "profile::
...
dns::zones".
Key | Description | Example | Created by | Data-type | Datafile: | Used by: |
---|
profile::dns::<shortname>::ipv4 | The IPv4 address of a specific DNS server. | '192.0.2.129' | N/A | String | common.yaml |
replicatorpasswordThe password used for the "replicator" postgresql user. | 'Gz,j*>Qt'dF{-\Sr4N-_' | pwgen -s -y 20 -1 | Stringpostgresdashboard, role::dns::master, role:: |
postgresPuppet
These are our puppet-related hiera keys:
profile::dns::<shortname>::name | The fqdn of a specific DNS server | 'ns1 |
Key | Description | Example | Created by | Data-type | Used by |
---|
profile::puppet::aptkey | The gpg key used to authenticate the puppetlabs apt repository | '6F6B15509CF8E59E6E469F327F438280EF8D349F' | puppetlabs | String | All |
profile::puppet::caserver | The fqdn of the puppetca server | 'puppetcaAll | profile::puppet::environment | The puppet environment a certain host should be configured to use. This needs to be a valid puppet environment, but it will also be owerridden by the ENC, so it is not important exactly which environment are listed her as long as it exists. If you do not use an ENC, this is the puppet environment a client will retrieve config from. | 'production' | N/A | String | All |
profile::puppet::hostname | This is the fqdn the clients use to contact the puppetmasters. | common.yaml | role::bootstrap, role::dns::master, role::dns::slave |
KVM / Libvirt
Networks
The class role::kvm makes use of the following general purpose keys to auto create OVS bridges, which the VMs can connect to:
- profile::networks
- profile::networks::${network}::vlanid
In addition every KVM host needs to specify which physical interface(s) that carries the networks specified in the profile::networks key
Key | Description | Example | Created by | Data-type | Used by: |
---|
profile::kvm::interfaces::<networkname> Example: profile::kvm::interfaces::management | Name of the physical interfaces that carries the given networkname. Multiple networks can have the same physical interface, which will be the case if the NIC is connected to a VLAN trunk port. | 'eno2' | N/A | String | role::kvm |
Haproxy
We use haproxy to loadbalance multiple of our services. It needs the following keys present in hiera to work:
Key | Description | Example | Created by | Data-type | Datafile: | Used by: |
---|
profile::haproxy::web::profile | Which web profile should this haproxy node have | 'management' | N/A | String | node-specific | role::bootstrap, role::balancer::* |
profile::haproxy::${profile}::ipv4 | The IPv4 address used in front og the loadbalancer used for managemnet services | '192.0.2.151' | N/A | String | networking.yaml | role::bootstrap, role::puppet::db, role::puppet::server, role::mysql, role::balancer::management |
profile::haproxy::${profile}::ipv4::id | The VRRP id used by the IPv4 VRRP instance. | 11 | N/A | Integer | networking.yaml | role::bootstrap, role::balancer::management |
profile::haproxy::${profile}::ipv4::priority | The VRRP priority used by the IPv4 VRRP instance. | 10 | N/A | Integer | networking.yaml | role::bootstrap, role::balancer::management |
profile::haproxy::${profile}::ipv6 | The IPv4 address used in front og the loadbalancer used for managemnet services | '2001:db8:beef:707::7b1' | N/A | String | networking.yaml | role::bootstrap, role::puppet::db, role::puppet::server, role::mysql, role::balancer::management |
profile::haproxy::${profile}::ipv6::id | The VRRP id used by the IPv6 VRRP instance. | 12 | N/A | Integer | networking.yaml | role::bootstrap, role::balancer::management |
profile::haproxy::${profile}::ipv6::priority | The VRRP priority used by the IPv6 VRRP instance. | 10 | N/A | Integer | networking.yaml | role::bootstrap, role::balancer::management |
profile::haproxy::${profile}::domains | Which domains haproxy should forward for in frontend "ft_web" for given profile | -'foo.com' -'bar.foo.com' | N/A | List of strings | common.yaml | role::balancer::* |
profile::haproxy::management::apicert | A .pem certificate bundle with private key, CAcert and server cert | tl;dr | cat private_key.key server.crt ca.crt > haproxy_web.pem The order is important! TLS from CertManager: Choose the "as Certificate (w/ issuer after)" alternative
| Multiline string | certs.yaml | role::bootstrap, role::balancer::management |
profile::haproxy::services::apicert | A .pem certificate bundle with private key, CAcert and server cert | tl;dr | cat private_key.key server.crt ca.crt > haproxy_web.pem The order is important! TLS from CertManager: Choose the "as Certificate (w/ issuer after)" alternative
| Multiline string | certs.yaml | role::bootstrap, role::balancer::services |
profile::haproxy::${profile}::webcert | A .pem certificate bundle with private key, CAcert and server cert | tl;dr | cat private_key.key server.crt ca.crt > haproxy_web.pem The order is important! TLS from CertManager: Choose the "as Certificate (w/ issuer after)" alternative
| Multiline string | certs.yaml | role::balancer::* |
profile::haproxy::management::apicert::certfile | Filepath and name for the apicert bundle | '/etc/ssl/private/haproxy_web.pem' | N/A | String | certs.yaml | role::balancer::web |
Munin
Key | Description | Example | Created by | Data-type | Datafile | Used by |
---|
profile::munin::urls | List of FQDNs the munin server should create a vhost in apache for. Typically - set the "world reachable" FQDN in common.yaml Each node will get a vhost with their FQDN automaticly, through the apache class. Only set a munin url in node specific file if it's different from the servers hostname. | - 'munin.exaxmple.com' - 'munin1.example.com' | N/A | List of Strings | common.yaml Node specific | role::munin |
MySQL
Our mysql cluster uses the following hiera-keys:
Key | Description | Example | Created by | Data-type | Datafile | Used by |
---|
profile::mysqlcluster::servers | This is a list over IPv4 addresses used by servers in the cluster. This list are used when a server starts up, to discover at least one of the machines already in the cluster. | - '192.0.2.201' | N/A | String | common.yaml | role::bootstrap, role::mysql |
profile::mysqlcluster::master | The fqdn of one of the mysql-servers. This are in theory used by the puppet-galera module to start one server in case all servers are down. | 'mysql1.example.com' | N/A | String | common.yaml | role::bootstrap, role::mysql |
profile::mysqlcluster::root_password | This is the password of the mysql root user | 'OwT$Etc$=|;h(=upip#3' | pwgen -s -y 20 -1 | String | common.yaml | role::bootstrap, role::mysql |
profile::mysqlcluster::status_password | This is the password of the mysql status user | ';^8P"M,Oem6le\T"am!0' | pwgen -s -y 20 -1 | String | common.yaml | role::bootstrap, role::mysql |
profile::mysqlcluster::haproxy_password | This is the password of the mysql haproxy user. This user is so that haproxy can create more robust checks than just see if port 3306 is open. | '4g36-&jHNFF?J-7yQZHa' | pwgen -s -y 20 -1 | String | common.yaml | role::bootstrap, role::mysql |
Openstack
General keys, shared amongst various Openstack services
Key | Description | Example | Created by | Data-type | Datafile: | Used by |
---|
profile::openstack::foo | foo | foo | N/A | String | openstack.yaml | role::foo |
Cinder
Key | Description | Example | Created by | Data-type | Datafile: | Used by |
---|
profile::cinder::foo | foo | foo | N/A | String | openstack.yaml | role::foo |
Glance
Key | Description | Example | Created by | Data-type | Datafile: | Used by |
---|
profile::glance::foo | foo | foo | N/A | String | openstack.yaml | role::foo |
Heat
Key | Description | Example | Created by | Data-type | Datafile: | Used by |
---|
profile::heat::foo | foo | foo | N/A | String | openstack.yaml | role::foo |
Horizon
Key | Description | Example | Created by | Data-type | Datafile: | Used by |
---|
profile::horizon::foo | foo | foo | N/A | String | openstack.yaml | role::foo |
Keystone
Key | Description | Example | Created by | Data-type | Datafile: | Used by |
---|
profile::keystone::foo | foo | foo | N/A | String | openstack.yaml | role::foo |
Neutron
Key | Description | Example | Created by | Data-type | Datafile: | Used by |
---|
profile::neutron::foo | foo | foo | N/A | String | openstack.yaml | role::foo |
Nova
Key | Description | Example | Created by | Data-type | Datafile: | Used by |
---|
profile::nova::foo | foo | foo | N/A | String | openstack.yaml | role::foo |
Postgres
Our postgres servers uses the following hiera keys:
Key | Description | Example | Created by | Data-type | Datafile: | Used by |
---|
profile::postgres::ipv4 | The IPv4 address to use in front of the postgres servers. | '192.0.2.204' | N/A | String | common.yaml | role::bootstrap, role::postgres::master, role::postgres::slave, role::puppet::db |
profile::postgres::ipv4::id | The VRRP id to use for the VRRP instance negotiating for postgres's IPv4 address | 13 | N/A | Integer | common.yaml | role::bootstrap, role::postgres::master, role::postgres::slave |
profile::postgres::ipv4::priority | The VRRP priority to use for the VRRP instance negotiating for postgres's IPv4 address | 10 | N/A | Integer | common.yaml | role::bootstrap, role::postgres::master, role::postgres::slave |
profile::postgres::ipv6 | The IPv6 address to use in front of the postgres servers. | '2001:db8:beef:707::9:6591' | N/A | String | common.yaml | role::bootstrap, role::postgres::master, role::postgres::slave, role::puppet::db |
profile::postgres::ipv6::id | The VRRP id to use for the VRRP instance negotiating for postgres's IPv6 address | 14 | N/A | Integer | common.yaml | role::bootstrap, role::postgres::master, role::postgres::slave |
profile::postgres::ipv6::priority | The VRRP priority to use for the VRRP instance negotiating for postgres's IPv6 address | 10 | N/A | Integer | common.yaml | role::bootstrap, role::postgres::master, role::postgres::slave |
profile::postgres::masterserver | A fqdn identifying the postgres server which is supposed to be the master. This affects which servers are going to create databases and users. | 'pgsql1.example.com' | N/A | String | common.yaml | role::bootstrap, role::postgres::master, role::postgres::slave |
profile::postgres::password | The password for the "postgres" postgresql user. | 'd4Cwfl)W}onosE~Y[]G,' | pwgen -s -y 20 -1 | String | common.yaml | role::bootstrap, role::postgres::master, role::postgres::slave |
profile::postgres::replicatorpassword | The password used for the "replicator" postgresql user. | 'Gz,j*>Qt'dF{-\Sr4N-_' | pwgen -s -y 20 -1 | String | common.yaml | role::bootstrap, role::postgres::master, role::postgres::slave |
Puppet
These are our puppet-related hiera keys:
Key | Description | Example | Created by | Data-type | Datafile: | Used by |
---|
profile::puppet::aptkey | The gpg key used to authenticate the puppetlabs apt repository | '6F6B15509CF8E59E6E469F327F438280EF8D349F' | puppetlabs | String | common.yaml | All |
profile::puppet::caserver | The fqdn of the puppetca server | 'puppetca.example.com' | N/A | String | common.yaml | All |
profile::puppet::environment | The puppet environment a certain host should be configured to use. This needs to be a valid puppet environment, but it will also be owerridden by the ENC, so it is not important exactly which environment are listed her as long as it exists. If you do not use an ENC, this is the puppet environment a client will retrieve config from. | 'production' | N/A | String | common.yaml | All |
profile::puppet::hostname | This is the fqdn the clients use to contact the puppetmasters. | 'puppet.example.com' | N/A | String | common.yaml | All |
profile::puppet::r10k::repo | The path to the git-repository which r10k uses to retrieve environments and modules. | 'https://github.com/myorg/r10k.git' | N/A | String | common.yaml | role::bootstrap, role::puppet::server, role::puppet::ca |
profile::puppet::runinterval | How often the puppet client should run. Given as a string consisting of a number and a prefix (h, m). | '60m' | N/A | String | common.yaml | All |
profile::puppetdb::database::name | The name of the postgres database used by puppetdb | 'puppetdb' | N/A | String | common.yaml | role::bootstrap, role::puppet::db, role::postgres::master |
profile::puppetdb::database::user | The username of the postgres database used by puppetdb | 'puppetdb' | N/A | String | common.yaml | role::bootstrap, role::puppet::db, role::postgres::master |
profile::puppetdb::database::pass | The password of the postgres database used by puppetdb NB: The pwgen command lacks -y because some special characters will cause errors
| 'ys0c85FlLhhfqeteFIfx' | pwgen -s 20 -1 | String | common.yaml | role::bootstrap, role::puppet::db, role::postgres::master |
profile::puppetdb::hostname | The hostname which the puppetservers use to contact the puppetdb service | 'puppetdb.example.com' | N/A | String | common.yaml | role::bootstrap, role::puppet::server role::puppet::ca |
Rabbitmq
Key | Description | Example | Created by | Data-type | Datafile | Used by: |
---|
profile::rabbitmq::ip | IP address for rabbitmq keepalived VIP | '10.212.132.11' | N/A | String | networking.yaml | role::rabbitmq, role::compute |
profile::rabbitmq::vrrp::id | The VRRP id to use for the VRRP instance negotiating for rabbitmq's IPv4 address | 12 | N/A | Integer | networking.yaml | role::rabbitmq |
profile::rabbitmq::vrrp::priority | The VRRP priority to use for the VRRP instance negotiating for rabbitmq's IPv4 address | 100 | N/A | Integer | networking.yaml or node-specific | role::rabbitmq |
profile::rabbitmq::rabbituser | Default user to create in rabbitmq | 'rabbit' | N/A | String | common.yaml | role::rabbitmq, role::compute |
profile::rabbitmq::rabbitpass | Password for default vhost / | | pwgen -s -y 20 -1 | String | | role::rabbitmq, role::compute |
profile::rabbitmq::rabbitsecret | rabbitmq master secret | | pwgen -s -y 20 -1 | String | | role::rabbitmq |
Redis
Key | Description | Example | Created by | Data-type | Datafile | Used by: |
---|
profile::redis::master | Name or IP address of initial redis master | 'redis1.cloud.domain.com' or '192.168.100.12' WARNING: If you use DNS name, ensure that the name DOESN'T resolve to 127.0.0.1 at the given redis host, or else this node will not add itself to the redis-sentinel cluster | N/A | String | common.yaml | role::redis |
profile::redis::masterauth | Password for master communitcation | 'teY.>&3@Ub$X-OGxOFQ7' | pwgen -s -y 20 -1 | String | common.yaml | role::redis role::balancer::management role::sensuserver role::bootstrap |
profile::redis::nodetype | Defined on each redis-node. Only valid values are 'master' or 'slave' | 'master' | N/A | String | node specific file | role::redis |
profile::redis::ip | The IP redis clients should contact redis on. Typically the haproxy ip | '192.168.100.10' or "%{hiera('profile::haproxy::management::ipv4')}" or redis.cloud.domain.com | N/A | String | common.yaml | roles::sensuserver |
Sensu
Key | Description | Example | Created by | Data-type | Datafile | Used by: |
---|
profile::sensu::install | Opt-out for installing sensu. If not set to false, sensu-clients will be installed everywhere | false | N/A | Boolean | sensu.yaml or node-specific | All |
profile::sensu::uchiwa::private_key | Private key for uchiwa JWT creation | Content of generated file | openssl genrsa -out uchiwa.rsa 2048 | String | sensu.yaml | role::sensuserver |
profile::sensu::uchiwa::public_key | Public key for uchiwa JWT creation | Content of generated file | openssl rsa -in uchiwa.rsa -pubout > uchiwa.rsa.pub | String | sensu.yaml | role::sensuserver |
profile::sensu::uchiwa::password | Password for default (and only) user 'sensu' in Uchiwa | 'g00dp@$$w0rd' | pwgen -s -y 20 1 | String | sensu.yaml | role::sensuserver |
profile::sensu::uchiwa::fqdn | FQDN for uchiwa web frontend (not FQDN for the server running an instance of it) | 'sensu.cloud.domain.com' | N/A | String | sensu.yaml | role::sensuserver, role::bootstrap, role::balancer::mangement |
profile::sensu::rabbit_password | Password for sensu user at the /sensu rabbitmq vhost. Needed for rabbitmq servers, sensu servers AND all sensu clients. | 'g00dp@$$w0rd' | pwgen -s -y 20 1 | String | sensu.yaml | All |
profile::sensu::mailer::url | URL to Uchiwa web frontend, that will appear in e-mails from Sensu | "http://%{hiera('profile::sensu::uchiwa::fqdn')}" | N/A | String | sensu.yaml | role::sensuserver |
profile::sensu::mailer::mail_from | The address sensu will send e-mail alerts from | 'sensu@sensu.domain |
'puppet.exampleAllsensu.yaml | role::sensuserver |
profile:: |
puppetr10krepoThe path to the git-repository which r10k uses to retrieve environments and modules. | mail_to | List of addresses that sensu will send e-mail alerts to | - 'sysadmin1@cloud.domain.com' - 'sysadmin2@cloud.domain.com |
'https://github.com/myorg/r10k.gitString | role::bootstrap, role::puppet::server, | List of strings | sensu.yaml |
puppetcaprofilepuppetrunintervalHow often the puppet client should run. Given as a string consisting of a number and a prefix (h, m). | smtp_address | Outgoing SMTP server mail alerts | 'smtp.cloud.domain.com' |
'60m' | sensu.yaml | role::sensuserver |
AllpuppetdbdatabasenameThe name of the postgres database used by puppetdb | smtp_port | TCP port used for connections to the given SMTP server | 25 |
'puppetdb'Stringbootstrap, role::puppet::db, role::postgres::masterpuppetdbdatabaseuserThe username of the postgres database used by puppetdb | smtp_domain | SMTP domain | 'cloud.domain.com |
'puppetdb' | N/A | String | sensu.yaml | role:: |
bootstrap, rolepuppet::db, role::postgres::masterprofile::puppetdb::database::pass | The password of the postgres database used by puppetdb | 'teY.>&3@Ub$X-OGxOFQ7' | pwgen -s -y 20 -1 | String | role::bootstrap, role::puppet::db, role::postgres::master |
profile::puppetdb::hostname | The hostname which the puppetservers use to contact the puppetdb service | 'puppetdb.example.com' | N/A | String | role::bootstrap, role::puppet::server role::puppet::ca |
Redis
sensu::plugins | The plugins listed here will be installed on all clients. OBS: The example value is actually mandatory, because the checks tagged with 'all' in profile::sensu::checks rely on them. Puppet will not fail without defining this key, but none of the cheks will make any sense... | - 'sensu-plugins-disk-checks' - 'sensu-plugins-load-checks' - 'sensu-plugins-memory-checks' - 'sensu-plugins-process-checks' - 'sensu-plugins-hardware' - 'sensu-plugins-puppet' - 'sensu-plugins-dns' - 'sensu-plugins-ntp' | N/A | List of strings | sensu.yaml | All |
sensu::redact | Values that match the patterns in this list will be redacted in all output from sensu | - 'password' - 'pass' - 'pw' | N/A | List of strings | sensu.yaml | All |
sensu::subscriptions | Which checks a sensu-client should subscribe to. This is typically set per node. By default, a sensu-client will subscribe to checks tagged with 'all', and if the client is a physical server, it will also subscribe to 'physical-servers' | - 'mysql' - 'rabbitmq' - 'roundrobin:ceph' | N/A | List of strings | node-specific | All |
sensu::client_custom | If you want to override parameters for check command. I.e thresholds, specifying passowrd etc. This where you do that. Should only be set per node | 'load': warning: "8,4,2" critical: "16,8,4" 'mysql': password: |
Key | Description | Example | Created by | Data-type | Used by: |
---|
profile::redis::master | Name or IP address of initial redis master | 'redis1.cloud.domain.com' | N/A | String | role::redis |
profile::redis::nodetype | Defined on each redis-node. Only valid values are 'master' or 'slave' | 'master' | N/A | String | role::redis |
profile::redis::ip | The IP redis clients should contact redis on. Typically the haproxy ip | '192.168.100.10'
or
haproxymanagement::ipor
'disk': mountpoints: '/,/home,/var' |
redis.cloud.domain.comString | roles::sensuserver | Sensu
List of hashes | node-specific or really anywhere if you configure lookup_options to deep merge | All (or, more precise, just the client you add this key to) |
Key | Description | Example | Created by | Data-type | Used by:installOpt-out for installing sensu. If not set to false, sensu-clients will be installed everywhere | falsetlsexpiry | A hash of 'fqdn[:port]' : 'shortname' which should be checked for TLS Expiry | 'www.foo.com' : 'foo' 'api.foo.com:8080' : 'api' 'munin.foo.com' : 'munin' | N/A |
BooleanAllprofilesensu::uchiwa::private_keyPrivate key for uchiwa JWT creation | Content of generated file | openssl genrsa -out uchiwa.rsa 2048 | String | role::sensuserver | profile::sensu::uchiwa::public_key | Public key for uchiwa JWT creation | Content of generated file | openssl rsa -in uchiwa.rsa -pubout > uchiwa.rsa.pub | String | role::sensuserversensuserver |
lookup_options: | You might wanna set this in sensu.yaml to allow client_custom settings to be set in multple hiera files without overwriting them with the settings in the top of the hierarchy | sensu::client_custom: merge: strategy: 'deep' merge_hash_arrays: true | N/A | List of hashes | sensu.yaml | All |