...
There is quite a bit of data which is not associated with a specific service, but is rather used by various modules, and should thus generally always be present:
Key | Description | Example | Created by | Data-type | Datafile: | Used by: |
---|
profile::networking::rpfilter | Before we used multiple routing-tables on our hosts we had to turn off rpfilter to allow asymmetric routing. Now this should be turned on. | true | N/A | Boolean | networking.yaml | All |
profile::networking::management::ipv4::prefixes | A list over IPv4 prefixes for networks where management stations are found. Used to configure the firewall for SSH, stats-pages etc. | - '192.0.2.0/26' | N/A | List of strings | networking.yaml | All |
profile::networking::management::ipv6::prefixes | A list over IPv6 prefixes for networks where management stations are found. Used to configure the firewall for SSH, stats-pages etc. | - '2001:db8:beef:701::/64' | N/A | List of strings | networking.yaml | All |
profile::ntp::servers | A list over ntp servers to use. | - 'ntp.ntnu.no' | N/A | List of strings | common.yaml | All |
profile::keepalived::vrrp_password | A password used to secure the vrrp instances | '724EuvohTGOdlcFnLlDV' | pwgen -s -1 20 | String | common.yaml | |
classes | A list over puppet classes which should be installed on a node. Used when we do not have an ENC, but it is always required. It is thus recommended to have an empty list here if an ENC is used. | [ ] | N/A | List of strings | common.yaml or node-specific file. | All |
profile::productionlevel | Which production-level is this installation? "prod", "test" or "dev"? | 'dev' | N/A | String | common.yaml | All |
profile::baseconfig::smtp_relay | An SMTP relay which the server can use to send mail | 'smtp.example.com' |
Networks
The networks used in the deployment are all described in hiera to ensure that all configuration retrieves the same values when configuring anything network specific. There is one key in hiera which lists all networks:
Key | Description | Example | Created by | Data-type | Datafile: | Used by: |
---|
profile::networks | A list over networks in this deployment. The values in this list are used as keys to retrieve the rest of the parameters. | - 'management' | N/A | List of Strings | networking.yaml | role::bootstrap, role::dashboard, role::kvm, role::dhcp |
For each of the networks listed in "profile::networks" the following keys should exist:
Key | Description | Example | Created by | Data-type | Datafile: | Used by |
---|
profile::networks::<networkname>::domain | The network-specific domain-name. | 'management.example.com' | N/A | String | networking.yaml | role::bootstrap, role::dashboard |
profile::networks::<networkname>::ipv4::dynamicrange | (Optional) The range of ip-addresses for dynamic assignment to unregistered hosts. | '192.0.2.230 192.0.2.240' | N/A | String | networking.yaml | role::bootstrap, role::dashboard, role::dhcp |
profile::networks::<networkname>::ipv4::gateway | IPv4 gateway on the network | '192.0.2.1' | N/A | String | networking.yaml | role::bootstrap, role::dashboard, role::dhcp |
profile::networks::<networkname>::ipv4::id | The IPv4 network ID. | '192.0.2.0' | N/A | String | networking.yaml | role::bootstrap, role::dashboard, role::dhcp |
profile::networks::<networkname>::ipv4::mask | The IPv4 network mask | '255.255.255.0' | N/A | String | networking.yaml | role::bootstrap, role::dashboard, role::dhcp |
profile::networks::<networkname>::ipv4::prefix | The IPv4 CIDR prefix. | '192.0.2.0/24' | N/A | String | networking.yaml | Most roles. Used as a source-net in firewall rules. |
profile::networks::<networkname>::ipv4::reserved | A list over address-ranges which the dashboard should not assign to hosts. | - '192.0.2.245-192.0.2.248' | N/A | List of strings | networking.yaml | role::bootstrap, role::dashboard |
profile::networks::<networkname>::ipv6::prefix | The IPv6 CIDR prefix | '2001:db8:beef:707::/64' | N/A | String | networking.yaml | role::bootstrap, role::postgres::master, role::postgres::slave |
profile::networks::<networkname>::vlanid | The VLAN ID of the network. | 504 | N/A | Integer | networking.yaml | role::kvm |
Legacy keys
As there still are a couple of puppet profiles expecting the management network to be named management, the following keys are needed:
Key | Description | Example | Created by | Data-type | Datafile: | Used by |
---|
profile::networks::management::ipv4::prefix | IPv4 prefix for management network | "%{hiera('profile::networks::infrastructure::ipv4::prefix')}" | N/A | String | networking.yaml | |
profile::networks::management::ipv6::prefix | IPv6 prefix for management network | "%{hiera('profile::networks::infrastructure::ipv6::prefix')}" | N/A | String | networking.yaml | |
Users
To create users the following general keys are needed:
Key | Description | Example | Created by | Data-type | Datafile: | Used by: |
---|
profile::users | A list over usernames which puppet should configure users for | - 'eigil' | N/A | List of Strings | users.yaml | All machines |
For each username the following keys should be created.
Key | Description | Example | Created by | Data-type | Datafile: | Used by: |
---|
profile::user::<username>::uid | The user-id | 801 | N/A | Integer | users.yaml | All machines |
profile::user::<username>::groups | A list over groups the user should belong to. | - 'sudo' | N/A | List of strings | users.yaml | All machines |
profile::user::<username>::hash | The password-hash to be injected into /etc/shadow | | | String | users.yaml | All machines |
profile::user::<username>::keys | List over ssh-keys which should be added to the users authorized_keys | | N/A | List of strings | users.yaml | All machines |
profile::user::<username>::key::<keyname> | A specific ssh key. Needs one for each key listed in profile::user::<username>::keys | | N/A | String | users.yaml | All machines |
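A consistency check for the per-user keys described above, added here as an example; it is not code from this page or from the Puppet profiles it documents. The sample data, the `lint_users` helper and the rule that a value destined for /etc/shadow must look like a crypt(3) hash or a lock marker are assumptions.

```ruby
require 'yaml'

# Constructed sample users.yaml (not from the page): 'alice' is complete,
# 'bob' has a quoted uid, no groups, a plaintext password in the hash
# field, and lists an ssh key name that is never defined.
SAMPLE_USERS_YAML = <<~'YAML'
  profile::users:
    - 'alice'
    - 'bob'
  profile::user::alice::uid: 801
  profile::user::alice::groups:
    - 'sudo'
  profile::user::alice::hash: '$6$examplesalt$constructedhashvalue'
  profile::user::alice::keys:
    - 'laptop'
  profile::user::alice::key::laptop: 'ssh-ed25519 AAAAconstructed alice@laptop'
  profile::user::bob::uid: '802'
  profile::user::bob::hash: 'hunter2'
  profile::user::bob::keys:
    - 'desktop'
YAML

# Per-user key suffixes from the table above, with the Data-type column
# mapped to Ruby classes.
REQUIRED_USER_KEYS = {
  'uid'    => Integer,
  'groups' => Array,
  'hash'   => String,
  'keys'   => Array
}.freeze

# Assumption: a usable shadow field is either "$id$..." (crypt(3) format)
# or a lock marker beginning with '!' or '*'. Anything else is treated as
# a plaintext password or an empty field and reported.
SHADOW_FIELD = /\A(?:\$[0-9a-z]+\$.+|[!*].*)\z/

# Returns a list of problems found in a parsed hiera data hash.
def lint_users(data)
  users = data['profile::users']
  return ['profile::users: missing or not a list'] unless users.is_a?(Array)

  problems = []
  users.each do |user|
    base = "profile::user::#{user}"

    # Every listed user needs uid, groups, hash and keys of the right type.
    REQUIRED_USER_KEYS.each do |suffix, type|
      key = "#{base}::#{suffix}"
      if !data.key?(key)
        problems << "#{key}: missing"
      elsif !data[key].is_a?(type)
        problems << "#{key}: expected #{type}, got #{data[key].class}"
      end
    end

    # The hash is written to /etc/shadow, so it must not be plaintext.
    hash = data["#{base}::hash"]
    if hash.is_a?(String) && !SHADOW_FIELD.match?(hash)
      problems << "#{base}::hash: not a crypt(3) hash or lock marker"
    end

    # Each name in ::keys needs a matching ::key::<keyname> entry.
    Array(data["#{base}::keys"]).each do |name|
      key = "#{base}::key::#{name}"
      problems << "#{key}: missing" unless data[key].is_a?(String)
    end
  end
  problems
end

if __FILE__ == $PROGRAM_NAME
  puts lint_users(YAML.safe_load(SAMPLE_USERS_YAML))
end
```
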
Ceph
These keys will be subject to change, when they get to be a part of new roles
Key | Description | Example | Created by | Data-type | Used by: |
---|
profile::ceph::fsid | UUID for cluster | '23a2d131-99f7-4ad0-9fb4-1977f59ce530' | uuidgen | String | role::controller, role::compute, role::storage |
profile::ceph::replicas | Amount of replicas in cluster | 3 | N/A | Integer | role::controller, role::compute, role::storage |
profile::ceph::journal::size | Size of journal (not relevant in luminous(?)) in MB | 15800 | N/A | Integer | role::controller, role::compute, role::storage |
profile::ceph::admin_key | Admin key | 'AQCIhy9a9ozCKhAApX5UoAnjad+KZ4VzWxBYJQ==' | ceph-authtool --gen-print-key | String | role::controller, role::compute, role::storage |
profile::ceph::monitor_key | ceph-mon key | 'AQCIhy9a9ozCKhAApX5UoAnjad+KZ4VzWxBYJQ==' | ceph-authtool --gen-print-key | String | role::controller, role::compute |
profile::ceph::mgr_key | ceph-mgr key | 'AQCIhy9a9ozCKhAApX5UoAnjad+KZ4VzWxBYJQ==' | ceph-authtool --gen-print-key | String | role::controller |
profile::ceph::osd_bootstrap_key | ceph-osd bootstrap key | 'AQCIhy9a9ozCKhAApX5UoAnjad+KZ4VzWxBYJQ==' | ceph-authtool --gen-print-key | String | role::controller, role::storage |
profile::ceph::glance_key | glance key | 'AQCIhy9a9ozCKhAApX5UoAnjad+KZ4VzWxBYJQ==' | ceph-authtool --gen-print-key | String | role::controller (glance hosts) |
profile::ceph::nova_key | nova (and cinder) key | 'AQCIhy9a9ozCKhAApX5UoAnjad+KZ4VzWxBYJQ==' | ceph-authtool --gen-print-key | String | role::controller, role::compute (nova hosts) (cinder hosts) |
profile::ceph::nova_uuid | UUID for nova/libvirt and cinder | '23a2d131-99f7-4ad0-9fb4-1977f59ce530' | uuidgen | String | role::controller, role::compute (nova and cinder hosts) |
profile::ceph::cluster_network | Ceph frontend network | '172.17.2.0/24' | N/A | String | role::storage |
profile::ceph::public_network | Ceph backend (replication) network | '172.17.3.0/24' | N/A | String | role::storage |
Dashboard
The general configuration of the dashboard is based on the following keys:
Key | Description | Example | Created by | Data-type | Datafile: | Used by: |
---|
profile::dashboard::django::secret | A secret key used for misc. security features in the django backend. Should be the same on all dashboard servers. NB: The pwgen command lacks -y because some special characters will cause errors | '9tAMGEAEO4ln3t3PEXvN7dJov5SlbKU5AxxkSO50WQH6yIMt8X' | pwgen -s 50 -1 | String | common.yaml | role::bootstrap, role::dashboard |
profile::dashboard::name | The DNS name used to access the dashboard. This name should have an A and AAAA record configured with the address of the dashboard server (or loadbalancer). | 'dashboard.example.com' | N/A | String | common.yaml | role::bootstrap, role::dashboard |
profile::dashboard::name::v4only | A DNS name which also points to the dashboard, but this name should only resolve to an IPv4 address. This is because some processes currently only work over IPv4 (authorization of the retrieval of PXE preseed files, for example) | 'v4dashboard.example.com' | N/A | String | common.yaml | role::bootstrap, role::dashboard |
profile::dashboard::ldap::url | The url for the LDAP server used for authentication. | 'ldaps://ldap.example.com:636' | N/A | String | common.yaml | role::bootstrap, role::dashboard |
profile::dashboard::ldap::search_base | LDAP search base | 'OU=Users,DC=ldap,DC=example,DC=com' | N/A | String | common.yaml | role::bootstrap, role::dashboard |
profile::dashboard::ldap::domain | LDAP domain name | 'example-com' | N/A | String | common.yaml | role::bootstrap, role::dashboard |
There are also some keys which have a suggested value which should work for all installations, but are still included in hiera for flexibility:
Key | Description | Suggested value | Data-type | Datafile: | Used by: |
---|
profile::dashboard::api | HTTP link used by external clients connecting to the dashboard. | 'http://%{hiera('profile::dashboard::name::v4only')}' | String | common.yaml | role::bootstrap, role::dashboard |
profile::dashboard::datadir | A location where the dashboard can store files. | '/var/lib/shiftleader' | String | common.yaml | role::bootstrap, role::dashboard |
Database
Key | Description | Example | Created by | Data-type | Datafile: | Used by: |
---|
profile::dashboard::database::type | The database type. | 'mysql' or 'sqlite' | N/A | String | common.yaml | role::bootstrap, role::dashboard |
profile::dashboard::database::name | The database name (for mysql) or location (for sqlite) | 'dashboard' or '/var/dashboard.sqlite' | N/A | String | common.yaml | role::bootstrap, role::dashboard |
profile::dashboard::database::user | The database username | 'dashboard' | N/A | String | common.yaml | role::bootstrap, role::dashboard |
profile::dashboard::database::pass | The database password | 'x&1/7LjWbz:i<:W&p+PG' | pwgen -s -y 20 -1 | String | common.yaml | role::bootstrap, role::dashboard |
profile::dashboard::database::host | The database host. Could be a static string, or a hiera lookup. | 'mysql.example.com', '192.0.2.38' or "%{hiera('profile::haproxy::management::ip')}" | N/A | String | common.yaml | role::bootstrap, role::dashboard |
DHCP configuration:
The dashboard needs the keys listed at the section DHCP server in addition to the following keys to configure the DHCP servers:
Key | Description | Example | Created by | Data-type | Datafile | Used by: |
---|
profile::dhcp::servers | A list of hashes describing the dhcp servers. Key=DHCP-Server-name and value=DHCP-IPv4 | 'dhcp1': '192.0.2.21' | N/A | List of hashes | common.yaml | role::bootstrap, role::dashboard |
DNS configuration:
The Dashboard requires some keys listed under the section DNS-Server, in addition to the following keys:
Key | Description | Example | Created by | Data-type | Datafile: | Used by: |
---|
profile::dns::<shortname>::key | The TSIG key used for updates sent to this server. It can be useful to let this be a hiera-lookup for the zones managed by our own DNS servers. | 'UvetjoX5zMiw/NbQr3biug==' "%{hiera('profile::dns::key::update')}" | dnssec-keygen -a HMAC-MD5 -b 128 -n HOST <keyname> | String | common.yaml | role::bootstrap, role::dashboard |
PXE-Booting
The dashboard and the DHCP servers together provide a pxeboot environment where we boot and install operating system images.
Key | Description | Example | Created by | Data-type | Datafile: | Used by: |
---|
profile::pxe::images | A list over image short-names (ID's used to identify images later). | - '1604amd64' | N/A | List of strings | common.yaml | role::bootstrap, role::dhcp |
profile::pxe::<shortname>::name | A descriptive name of the specific image | 'Ubuntu 16.04 Server amd64' | N/A | String | common.yaml | role::bootstrap, role::dhcp |
profile::pxe::<shortname>::kernel | A URL to the kernel of the specific OS | 'http://archive.ubuntu.com/ubuntu/dists/xenial-proposed/main/installer-amd64/current/images/netboot/ubuntu-installer/amd64/linux' | N/A | String | common.yaml | role::bootstrap, role::dhcp |
profile::pxe::<shortname>::initrd | A URL to the initrd image of the specific OS | 'http://archive.ubuntu.com/ubuntu/dists/xenial-proposed/main/installer-amd64/current/images/netboot/ubuntu-installer/amd64/initrd.gz' | N/A | String | common.yaml | role::bootstrap, role::dhcp |
DHCP server
When running DHCP servers, the following keys are needed:
Key | Description | Example | Created by | Data-type | Datafile: | Used by: |
---|
profile::dhcp::omapi::key | The omapi key used to update the DHCP servers | 'omapi_key==' | dnssec-keygen -r /dev/urandom -a HMAC-MD5 -b 512 -n HOST key_name | String | common.yaml | role::bootstrap, role::dashboard, role::dhcp |
profile::dhcp::omapi::name | The omapi key name | 'key_name' | ↑ | String | common.yaml | role::bootstrap, role::dashboard, role::dhcp |
profile::dhcp::searchdomain | The default search-domain handed to DHCP clients | 'cloud.domain.com' | N/A | String | common.yaml | role::bootstrap, role::dhcp |
profile::dns::resolvers | The DNS resolvers for clients to use | - '<ip-address-DNS1>' - '<ip-address-DNS2>' | N/A | List of strings | common.yaml | role::bootstrap, role::dhcp |
DNS server
If you are hosting a DNS server the following keys are needed:
Key | Description | Example | Created by | Data-type | Datafile: | Used by: |
---|
profile::dns::forwarders | Which DNS servers your DNS server should use to resolve domain names where it is not an authoritative DNS | - '<ip-address-DNS1>' - '<ip-address-DNS2>' | N/A | List of strings | common.yaml | role::bootstrap, role::dns::master |
profile::dns::key::transfer | The TSIG keys used for zone-transfers | 'UvetjoX5zMiw/NbQr3biug==' | dnssec-keygen -a HMAC-MD5 -b 128 -n HOST <keyname> | String | common.yaml | role::bootstrap, role::dns::master, role::dns::slave |
profile::dns::key::update | The TSIG keys used for DNS updates | 'UvetjoX5zMiw/NbQr3biug==' | dnssec-keygen -a HMAC-MD5 -b 128 -n HOST <keyname> | String | common.yaml | role::bootstrap, role::dns::master, role::dns::slave |
profile::dns::slaves | A list over DNS slave-servers which replicates the zone-files from the main DNS server. The hash is structured as key=Servername and value=DNS-IPv4 | 'ns2.example.com': '192.0.2.130' | N/A | List of Hashes | common.yaml | role::bootstrap, role::dashboard, role::dns::master, role::dns::slave |
profile::dns::zones | A list over DNS zones managed by our DNS servers, or used by our dashboard. The hash is structured as key=DNS-zone and value=DNS-server-shortname. | 'zone.example.com': 'ns1' | N/A | List of Hashes | common.yaml | role::bootstrap, role::dashboard, role::dns::master, role::dns::slave |
In addition there is a set of keys which are needed for each DNS server managing a DNS zone used by us. Shortname is here the name used in "profile::dns::zones".
Key | Description | Example | Created by | Data-type | Datafile: | Used by: |
---|
profile::dns::<shortname>::ipv4 | The IPv4 address of a specific DNS server. | '192.0.2.129' | N/A | String | common.yaml | role::bootstrap, role::dashboard, role::dns::master, role::dns::slave |
profile::dns::<shortname>::name | The fqdn of a specific DNS server | 'ns1.example.com' | N/A | String | common.yaml | role::bootstrap, role::dashboard, role::dns::master, role::dns::slave |
KVM / Libvirt
Networks
The class role::kvm makes use of the following general purpose keys to auto create OVS bridges, which the VMs can connect to:
- profile::networks
- profile::networks::${network}::vlanid
In addition, every KVM host needs to specify which physical interface(s) carry the networks specified in the profile::networks key:
Key | Description | Example | Created by | Data-type | Used by: |
---|
profile::kvm::interfaces::<networkname> Example: profile::kvm::interfaces::management | Name of the physical interfaces that carries the given networkname. Multiple networks can have the same physical interface, which will be the case if the NIC is connected to a VLAN trunk port. | 'eno2' | N/A | String | role::kvm |
Haproxy
We use haproxy to loadbalance multiple of our services. It needs the following keys present in hiera to work:
Key | Description | Example | Created by | Data-type | Datafile: | Used by: |
---|
profile::haproxy::web::profile | Which web profile should this haproxy node have | 'management' | N/A | String | node-specific | role::balancer::* |
profile::haproxy::${profile}::ipv4 | The IPv4 address used in front of the loadbalancer used for management services | '192.0.2.151' | N/A | String | networking.yaml | role::bootstrap, role::puppet::db, role::puppet::server, role::mysql, role::balancer::management |
profile::haproxy::${profile}::ipv4::id | The VRRP id used by the IPv4 VRRP instance. | 11 | N/A | Integer | networking.yaml | role::bootstrap, role::balancer::management |
profile::haproxy::${profile}::ipv4::priority | The VRRP priority used by the IPv4 VRRP instance. | 10 | N/A | Integer | networking.yaml | role::bootstrap, role::balancer::management |
profile::haproxy::${profile}::ipv6 | The IPv4 address used in front of the loadbalancer used for management services | '2001:db8:beef:707::7b1' | N/A | String | networking.yaml | role::bootstrap, role::puppet::db, role::puppet::server, role::mysql, role::balancer::management |
profile::haproxy::${profile}::ipv6::id | The VRRP id used by the IPv6 VRRP instance. | 12 | N/A | Integer | networking.yaml | role::bootstrap, role::balancer::management |
profile::haproxy::${profile}::ipv6::priority | The VRRP priority used by the IPv6 VRRP instance. | 10 | N/A | Integer | networking.yaml | role::bootstrap, role::balancer::management |
profile::haproxy::${profile}::domains | Which domains haproxy should forward for in frontend "ft_web" for given profile | -'foo.com' -'bar.foo.com' | N/A | List of strings | common.yaml | role::balancer::* |
profile::haproxy::management::apicert | A .pem certificate bundle with private key, CAcert and server cert | tl;dr | cat private_key.key server.crt ca.crt > haproxy_web.pem The order is important! TLS from CertManager: Choose the "as Certificate (w/ issuer after)" alternative | Multiline string | certs.yaml |
profile::haproxy::${profile}::webcert | A .pem certificate bundle with private key, CAcert and server cert | tl;dr | cat private_key.key server.crt ca.crt > haproxy_web.pem The order is important! TLS from CertManager: Choose the "as Certificate (w/ issuer after)" alternative | Multiline string | certs.yaml | role::balancer::* |
profile::haproxy::management::apicert::certfile | Filepath and name for the apicert bundle | '/etc/ssl/private/haproxy_web.pem' | N/A | String | certs.yaml | role::balancer::web |
Postgres
Our postgres servers use the following hiera keys:
Key | Description | Example | Created by | Data-type | Used by |
---|
profile::postgres::ipv4 | The IPv4 address to use in front of the postgres servers. | '192.0.2.204' | N/A | String | role::postgres::master, role::postgres::slave, role::puppet::db |
profile::postgres::ipv4::id | The VRRP id to use for the VRRP instance negotiating for postgres's IPv4 address | 13 | N/A | Integer | role::postgres::master, role::postgres::slave |
profile::postgres::ipv4::priority | The VRRP priority to use for the VRRP instance negotiating for postgres's IPv4 address | 10 | N/A | Integer | role::bootstrap, role::postgres::master, role::postgres::slave |
Munin
Key | Description | Example | Created by | Data-type | Datafile | Used by |
---|
profile::munin::urls | List of FQDNs the munin server should create a vhost in apache for. Typically, set the "world reachable" FQDN in common.yaml. Each node will get a vhost with their FQDN automatically, through the apache class. Only set a munin url in a node-specific file if it's different from the server's hostname. | - 'munin.example.com' - 'munin1.example.com' | N/A | List of Strings | common.yaml Node specific | role::munin |
MySQL
Our mysql cluster uses the following hiera-keys:
Key | Description | Example | Created by | Data-type | Datafile | Used by |
---|
profile::mysqlcluster::servers | This is a list of IPv4 addresses used by the servers in the cluster. The list is used when a server starts up, to discover at least one of the machines already in the cluster. | - '192.0.2.201' | N/A | String | common.yaml | role::bootstrap, role::mysql |
profile::mysqlcluster::master | The fqdn of one of the mysql-servers. This is in theory used by the puppet-galera module to start one server in case all servers are down. | 'mysql1.example.com' | N/A | String | common.yaml | role::bootstrap, role::mysql |
profile::mysqlcluster::root_password | This is the password of the mysql root user | 'OwT$Etc$=|;h(=upip#3' | pwgen -s -y 20 -1 | String | common.yaml | role::bootstrap, role::mysql |
profile::mysqlcluster::status_password | This is the password of the mysql status user | ';^8P"M,Oem6le\T"am!0' | pwgen -s -y 20 -1 | String | common.yaml | role::bootstrap, role::mysql |
profile::mysqlcluster::haproxy_password | This is the password of the mysql haproxy user. This user exists so that haproxy can run more robust checks than just seeing whether port 3306 is open. | '4g36-&jHNFF?J-7yQZHa' | pwgen -s -y 20 -1 | String | common.yaml | role::bootstrap, role::mysql |
Openstack
General keys, shared amongst various Openstack services
Key | Description | Example | Created by | Data-type | Datafile: | Used by |
---|
profile::openstack::foo | foo | foo | N/A | String | openstack.yaml | role::foo |
Cinder
Key | Description | Example | Created by | Data-type | Datafile: | Used by |
---|
profile::cinder::foo | foo | foo | N/A | String | openstack.yaml | role::foo |
Glance
Key | Description | Example | Created by | Data-type | Datafile: | Used by |
---|
profile::glance::foo | foo | foo | N/A | String | openstack.yaml | role::foo |
Heat
Key | Description | Example | Created by | Data-type | Datafile: | Used by |
---|
profile::heat::foo | foo | foo | N/A | String | openstack.yaml | role::foo |
Horizon
Key | Description | Example | Created by | Data-type | Datafile: | Used by |
---|
profile::horizon::foo | foo | foo | N/A | String | openstack.yaml | role::foo |
Keystone
Key | Description | Example | Created by | Data-type | Datafile: | Used by |
---|
profile::keystone::foo | foo | foo | N/A | String | openstack.yaml | role::foo |
Neutron
Key | Description | Example | Created by | Data-type | Datafile: | Used by |
---|
profile::neutron::foo | foo | foo | N/A | String | openstack.yaml | role::foo |
Nova
Key | Description | Example | Created by | Data-type | Datafile: | Used by |
---|
profile::nova::foo | foo | foo | N/A | String | openstack.yaml | role::foo |
Postgres
Our postgres servers use the following hiera keys:
Key | Description | Example | Created by | Data-type | Datafile: | Used by |
---|
profile::postgres::ipv4 | The IPv4 address to use in front of the postgres servers. | '192.0.2.204' | N/A | String | common.yaml | role::bootstrap, role::postgres::master, role::postgres::slave, role::puppet::db |
profile::postgres::ipv4::id | The VRRP id to use for the VRRP instance negotiating for postgres's IPv4 address | 13 | N/A | Integer | common.yaml | role::bootstrap, role::postgres::master, role::postgres::slave |
profile::postgres::ipv4::priority | The VRRP priority to use for the VRRP instance negotiating for postgres's IPv4 address | 10 | N/A | Integer | common.yaml | role::bootstrap, role::postgres::master, role::postgres::slave |
profile::postgres::ipv6 | The IPv6 address to use in front of the postgres servers. | '2001:db8:beef:707::9:6591' | N/A | String | common.yaml | role::bootstrap, role::postgres::master, role::postgres::slave, role::puppet::db |
profile::postgres::ipv6::id | The VRRP id to use for the VRRP instance negotiating for postgres's IPv6 address | 14 | N/A | Integer | common.yaml | role::bootstrap, role::postgres::master, role::postgres::slave |
profile::postgres::ipv6::priority | The VRRP priority to use for the VRRP instance negotiating for postgres's IPv6 address | 10 | N/A | Integer | common.yaml | role::bootstrap, role::postgres::master, role::postgres::slave |
profile::postgres::masterserver | A fqdn identifying the postgres server which is supposed to be the master. This affects which servers are going to create databases and users. | 'pgsql1.example.com' | N/A | String | common.yaml | role::bootstrap, role::postgres::master, role::postgres::slave |
profile::postgres::password | The password for the "postgres" postgresql user. | 'd4Cwfl)W}onosE~Y[]G,' | pwgen -s -y 20 -1 | String | common.yaml | role::bootstrap, role::postgres::master, role::postgres::slave |
profile::postgres::replicatorpassword | The password used for the "replicator" postgresql user. | 'Gz,j*>Qt'dF{-\Sr4N-_' | pwgen -s -y 20 -1 | String | common.yaml | role::bootstrap, role::postgres::master, role::postgres::slave |
Puppet
These are our puppet-related hiera keys:
Key | Description | Example | Created by | Data-type | Datafile: | Used by |
---|
profile::puppet::aptkey | The gpg key used to authenticate the puppetlabs apt repository | '6F6B15509CF8E59E6E469F327F438280EF8D349F' | puppetlabs | String | common.yaml | All |
profile::puppet::caserver | The fqdn of the puppetca server | 'puppetca.example.com' | N/A | String | common.yaml | All |
profile::puppet::environment | The puppet environment a certain host should be configured to use. This needs to be a valid puppet environment, but it will also be overridden by the ENC, so it is not important exactly which environment is listed here as long as it exists. If you do not use an ENC, this is the puppet environment a client will retrieve config from. | 'production' | N/A | String | common.yaml | All |
profile::puppet::hostname | This is the fqdn the clients use to contact the puppetmasters. | 'puppet.example.com' | N/A | String | common.yaml | All |
profile::puppet::r10k::repo | The path to the git-repository which r10k uses to retrieve environments and modules. | 'https://github.com/myorg/r10k.git' | N/A | String | common.yaml | role::bootstrap, role::puppet::server, role::puppet::ca |
profile::puppet::runinterval | How often the puppet client should run. Given as a string consisting of a number and a prefix (h, m). | '60m' | N/A | String | | All |
profile::puppetdb::database::name | The name of the postgres database used by puppetdb | 'puppetdb' | N/A | String | common.yaml | role::bootstrap, role::puppet::db, role::postgres::master |
profile::puppetdb::database::user | The username of the postgres database used by puppetdb | 'puppetdb' | N/A | String | common.yaml | role::bootstrap, role::puppet::db, role::postgres::master |
profile::puppetdb::database::pass | The password of the postgres database used by puppetdb NB: The pwgen command lacks -y because some special characters will cause errors | 'ys0c85FlLhhfqeteFIfx' | pwgen -s 20 -1 | String | common.yaml | role::bootstrap, role::puppet::db, role::postgres::master |
profile::puppetdb::hostname | The hostname which the puppetservers use to contact the puppetdb service | 'puppetdb.example.com' | N/A | String | common.yaml | role::bootstrap, role::puppet::server, role::puppet::ca |
Rabbitmq
...
Key | Description | Example | Created by | Data-type | Datafile | Used by |
---|
profile:puppet::aptkeyThe gpg key used to authenticate the puppetlabs apt repository | '6F6B15509CF8E59E6E469F327F438280EF8D349F' | puppetlabs | String | All | puppetcaserverThe fqdn of the puppetca server | 'puppetca.example.comip | IP address for rabbitmq keepalived VIP | '10.212.132.11' | N/A | String |
| networking.yaml | role::rabbitmq, role::compute |
AllpuppetenvironmentThe puppet environment a certain host should be configured to use. This needs to be a valid puppet environment, but it will also be owerridden by the ENC, so it is not important exactly which environment are listed her as long as it exists. If you do not use an ENC, this is the puppet environment a client will retrieve config from. | 'production' | N/A | String | All | id | The VRRP id to use for the VRRP instance negotiating for rabbitmq's IPv4 address | 12 | N/A | Integer | networking.yaml | role::rabbitmq |
profile::rabbitmq::vrrp::priority | The VRRP priority to use for the VRRP instance negotiating for rabbitmq's IPv4 address | 100 | N/A | Integer | networking.yaml or node-specific | role::rabbitmq |
profile::rabbitmq::rabbituser | Default user to create in rabbitmq | 'rabbit' | N/A | String | common.yaml | role::rabbitmq, role::compute |
profile::rabbitmq::rabbitpass | Password for default vhost / | | pwgen -s -y 20 -1 | String | | role::rabbitmq, role::compute |
profile::rabbitmq::rabbitsecret | rabbitmq master secret | | pwgen -s -y 20 -1 | String | | role::rabbitmq |
Redis
Key | Description | Example | Created by | Data-type | Datafile | Used by: |
---|
profile::redis::master | Name or IP address of initial redis master | 'redis1.cloud.domain.com' or '192.168.100.12' WARNING: If you use a DNS name, ensure that the name DOESN'T resolve to 127.0.0.1 at the given redis host, or else this node will not add itself to the redis-sentinel cluster | N/A | String | | role::redis |
profile::redis::masterauth | Password for master communication | 'teY.>&3@Ub$X-OGxOFQ7' | pwgen -s -y 20 -1 | String | common.yaml | role::redis, role::balancer::management |
profile::redis::nodetype | Defined on each redis-node. Only valid values are 'master' or 'slave' | 'master' | N/A | String | | role::redis |
profile::redis::ip | The IP redis clients should contact redis on. Typically the haproxy ip | '192.168.100.10' or "%{hiera('profile::haproxy::management::ipv4')}" or 'redis.cloud.domain.com' | N/A | String | | role::sensuserver |
Sensu
Key | Description | Example | Created by | Data-type | Datafile | Used by |
---|
profile::sensu::install | Opt-out for installing sensu. If not set to false, sensu-clients will be installed everywhere | false | N/A | Boolean | sensu.yaml or node-specific | All |
profile::sensu::uchiwa::private_key | Private key for uchiwa JWT creation | Content of generated file | openssl genrsa -out uchiwa.rsa 2048 | String | sensu.yaml | role::sensuserver |
profile::sensu::uchiwa::public_key | Public key for uchiwa JWT creation | Content of generated file | openssl rsa -in uchiwa.rsa -pubout > uchiwa.rsa.pub | String | sensu.yaml | role::sensuserver |
profile::sensu::uchiwa::password | Password for default (and only) user 'sensu' in Uchiwa | 'g00dp@$$w0rd' | pwgen -s -y 20 1 | String | sensu.yaml | role::sensuserver |
profile::sensu::uchiwa::fqdn | FQDN for uchiwa web frontend (not FQDN for the server running an instance of it) | 'sensu.cloud.domain.com' | N/A | String | sensu.yaml | role::sensuserver, role::bootstrap, role::balancer::management |
Key | Description | Example | Created by | Data-type | Used by:installOpt-out for installing sensu. If not set to false, sensu-clients will be installed everywhere | false | N/A | Booleanrabbit_password | Password for sensu user at the /sensu rabbitmq vhost. Needed for rabbitmq servers, sensu servers AND all sensu clients. | 'g00dp@$$w0rd' | pwgen -s -y 20 1 | String | sensu.yaml | All |
profile::sensu:: |
uchiwaprivate_keyPrivate key for uchiwa JWT creation | Content of generated file | openssl genrsa -out uchiwa.rsa 2048 | String | role::sensuserver | url | URL to Uchiwa web frontend, that will appear in e-mails from Sensu | "http://%{hiera('profile::sensu::uchiwa:: |
public_keyPublic key for uchiwa JWT creation | Content of generated file | openssl rsa -in uchiwa.rsa -pubout > uchiwa.rsa.pub | fqdn')}" | N/A | String | sensu.yaml |
String | role::sensuserver |
profile::sensu:: |
uchiwapasswordPassword for default (and only) user 'sensu' in Uchiwa | 'g00dp@$$w0rd' | pwgen -s -y 20 1 | mail_from | The address sensu will send e-mail alerts from | 'sensu@sensu.domain.com' | N/A | String | sensu.yaml |
String | role::sensuserver |
profile::sensu::mailer::mail_to | List of addresses that sensu will send e-mail alerts to | - 'sysadmin1@cloud.domain.com' - 'sysadmin2@cloud.domain.com' | N/A | List of strings | sensu.yaml | role::sensuserver |
profile::sensu::mailer::smtp_address | Outgoing SMTP server mail alerts | 'smtp.cloud.domain.com' | N/A | String | sensu.yaml | role::sensuserver |
profile::sensu::mailer::smtp_port | TCP port used for connections to the given SMTP server | 25 | N/A | Integer | sensu.yaml | role::sensuserver |
profile::sensu::mailer::smtp_domain | SMTP domain | 'cloud.domain.com' | N/A | String | sensu.yaml | role::sensuserver |
profile::sensu::plugins | The plugins listed here will be installed on all clients. OBS: The example value is actually mandatory, because the checks tagged with 'all' in profile::sensu::checks rely on them. Puppet will not fail without defining this key, but none of the checks will make any sense... | - 'sensu-plugins-disk-checks' - 'sensu-plugins-load-checks' - 'sensu-plugins-memory-checks' - 'sensu-plugins-process-checks' - 'sensu-plugins-hardware' - 'sensu-plugins-puppet' - 'sensu-plugins-dns' - 'sensu-plugins-ntp' | N/A | List of strings | sensu.yaml | All |
sensu::redact | Values that match the patterns in this list will be redacted in all output from sensu | - 'password' - 'pass' - 'pw' | N/A | List of strings | sensu.yaml | All |
sensu::subscriptions | Which checks a sensu-client should subscribe to. This is typically set per node. By default, a sensu-client will subscribe to checks tagged with 'all', and if the client is a physical server, it will also subscribe to 'physical-servers' | - 'mysql' - 'rabbitmq' - 'roundrobin:ceph' | N/A | List of strings | node-specific | All |
sensu::client_custom | If you want to override parameters for a check command, i.e. thresholds, specifying a password etc., this is where you do that. Should only be set per node | 'load': warning: "8,4,2" critical: "16,8,4" 'mysql': password: "%{hiera('profile::mysqlcluster::status_password')}" 'disk': mountpoints: '/,/home,/var' | N/A | List of hashes | node-specific or really anywhere if you configure lookup_options to deep merge | All (or, more precise, just the client you add this key to) |
profile::sensu::checks::tlsexpiry | A hash of 'fqdn[:port]' : 'shortname' which should be checked for TLS Expiry | 'www.foo.com' : 'foo' 'api.foo.com:8080' : 'api' 'munin.foo.com' : 'munin' | N/A | Hash | sensu.yaml | role::sensuserver |
lookup_options: | You might wanna set this in sensu.yaml to allow client_custom settings to be set in multiple hiera files without overwriting them with the settings in the top of the hierarchy | sensu::client_custom: merge: strategy: 'deep' merge_hash_arrays: true | N/A | List of hashes | sensu.yaml | All |