
Our infrastructure uses Puppet with public Puppet modules. All our secrets and installation-specific parameters are therefore placed in Hiera.

Data distribution

The hieradata directory contains multiple .yaml files holding our information. When we have multiple Puppet masters it is important that each of them has an up-to-date copy of the hieradata, in addition to an up-to-date set of Puppet modules. As the hieradata is full of secrets we cannot publish it on GitHub and let all Puppet masters pull it from there. Instead the hieradata is a local git repository, and each Puppet server pulls it from the others. Note that this keeps every secret in clear text on every Puppet master, so access to the repository and to the masters themselves has to be restricted accordingly.

Hiera keys

Depending on which services you manage with Puppet, you need various keys in Hiera. This page tries to list which keys need to be present to use our role/profile repositories.

General information

A fair amount of data is not tied to a specific service but is used by various modules, and should therefore always be present:

Dashboard

The general configuration of the dashboard is based on the following keys:

| Key | Description | Example | Created by | Data type | Used by |
|---|---|---|---|---|---|
| profile::dashboard::django::secret | Secret key used for miscellaneous security features in the Django backend. Must be the same on all dashboard servers. | 'pM[`SiZd'=+ycXOAKm`srXY?@8DRw=BVdQXg$blHD"RD\2iv97' | pwgen -s -y 50 -1 | String | role::bootstrap, role::dashboard |
| profile::dashboard::name | The DNS name used to access the dashboard. This name should have an A and an AAAA record pointing at the dashboard server (or load balancer). | 'dashboard.example.com' | N/A | String | role::bootstrap, role::dashboard |
| profile::dashboard::name::v4only | A DNS name which also points to the dashboard, but which should only resolve to an IPv4 address. Some processes currently only work over IPv4 (for example the authorization of PXE preseed file retrieval). | 'v4dashboard.example.com' | N/A | String | role::bootstrap, role::dashboard |
| profile::dashboard::ldap::url | The URL of the LDAP server used for authentication. | 'ldaps://ldap.example.com:636' | N/A | String | role::bootstrap, role::dashboard |
| profile::dashboard::ldap::search_base | LDAP search base. | 'OU=Users,DC=ldap,DC=example,DC=com' | N/A | String | role::bootstrap, role::dashboard |
| profile::dashboard::ldap::domain | LDAP domain name. | 'example-com' | N/A | String | role::bootstrap, role::dashboard |

Note that pwgen -s -y deliberately includes punctuation, and the example secret above contains both a single quote and a backslash. In a single-quoted YAML string the backslash is literal, but an embedded single quote has to be doubled ('') or the file will not parse, so check a generated secret before committing it.

There are also some keys that have a suggested value which should work for all installations, but are still kept in Hiera for flexibility:

| Key | Description | Suggested value | Data type | Used by |
|---|---|---|---|---|
| profile::dashboard::api | The HTTP URL external clients use to connect to the dashboard. | 'http://%{hiera('profile::dashboard::name::v4only')}' | String | role::bootstrap, role::dashboard |
| profile::dashboard::datadir | A directory where the dashboard can store files. | '/var/lib/machineadmin' | String | role::bootstrap, role::dashboard |

Database

| Key | Description | Example | Created by | Data type | Used by |
|---|---|---|---|---|---|
| profile::dashboard::database::type | The database type. | 'mysql' or 'sqlite' | N/A | String | role::bootstrap, role::dashboard |
| profile::dashboard::database::name | The database name (for mysql) or file location (for sqlite). | 'dashboard' or '/var/dashboard.sqlite' | N/A | String | role::bootstrap, role::dashboard |
| profile::dashboard::database::user | The database username. | 'dashboard' | N/A | String | role::bootstrap, role::dashboard |
| profile::dashboard::database::pass | The database password. | 'x&1/7LjWbz:i<:W&p+PG' | pwgen -s -y 20 -1 | String | role::bootstrap, role::dashboard |
| profile::dashboard::database::host | The database host. Can be a static string or a Hiera lookup. | 'mysql.example.com', '192.0.2.38' or "%{hiera('profile::haproxy::management::ip')}" | N/A | String | role::bootstrap, role::dashboard |

DHCP configuration:

In addition to the keys listed under the DHCP server section, the dashboard needs the following keys to configure the DHCP servers:

| Key | Description | Example | Created by | Data type | Used by |
|---|---|---|---|---|---|
| profile::dhcp::servers | A hash describing the DHCP servers: key = DHCP server name, value = its IPv4 address. | 'dhcp1': '192.0.2.21' | N/A | Hash (server name => IPv4) | role::bootstrap, role::dashboard |

DNS configuration:

The dashboard requires some of the keys listed under the DNS server section, in addition to the following:

| Key | Description | Example | Created by | Data type | Used by |
|---|---|---|---|---|---|
| profile::dns::<shortname>::key | The TSIG key used for updates sent to this server. For zones served by our own DNS servers it is convenient to make this a Hiera lookup of profile::dns::key::update. | 'UvetjoX5zMiw/NbQr3biug==' or "%{hiera('profile::dns::key::update')}" | dnssec-keygen -a HMAC-MD5 -b 128 -n HOST <keyname> | String | role::bootstrap, role::dashboard |

DHCP server

When running DHCP servers, the following keys are needed:

| Key | Description | Example | Created by | Data type | Used by |
|---|---|---|---|---|---|
| profile::dhcp::omapi::key | The OMAPI key used to update the DHCP servers. | 'omapi_key==' (placeholder; a real 512-bit key is 88 base64 characters) | dnssec-keygen -r /dev/urandom -a HMAC-MD5 -b 512 -n HOST key_name | String | role::bootstrap, role::dashboard, role::dhcp |
| profile::dhcp::omapi::name | The OMAPI key name. | 'key_name' | N/A | String | role::bootstrap, role::dashboard, role::dhcp |
| profile::dhcp::searchdomain | The default search domain handed to DHCP clients. | 'cloud.domain.com' | N/A | String | role::bootstrap, role::dhcp |
| profile::dns::resolvers | The DNS resolvers clients should use. | - '<ip-address-DNS1>' - '<ip-address-DNS2>' | N/A | List of strings | role::bootstrap, role::dhcp |

DNS server

If you are hosting a DNS server the following keys are needed:

| Key | Description | Example | Created by | Data type | Used by |
|---|---|---|---|---|---|
| profile::dns::forwarders | The DNS servers your DNS server should use to resolve domain names for which it is not authoritative. | - '<ip-address-DNS1>' - '<ip-address-DNS2>' | N/A | List of strings | role::bootstrap, role::dns::master |
| profile::dns::key::transfer | The TSIG key used for zone transfers. | 'UvetjoX5zMiw/NbQr3biug==' | dnssec-keygen -a HMAC-MD5 -b 128 -n HOST <keyname> | String | role::bootstrap, role::dns::master, role::dns::slave |
| profile::dns::key::update | The TSIG key used for DNS updates. | 'UvetjoX5zMiw/NbQr3biug==' | dnssec-keygen -a HMAC-MD5 -b 128 -n HOST <keyname> | String | role::bootstrap, role::dns::master, role::dns::slave |
| profile::dns::slaves | The DNS slave servers that replicate the zone files from the main DNS server: key = server name, value = its IPv4 address. | 'ns2.example.com': '192.0.2.130' | N/A | Hash (server name => IPv4) | role::bootstrap, role::dns::master, role::dns::slave |
| profile::dns::zones | The DNS zones managed by our DNS servers or used by our dashboard: key = DNS zone, value = DNS server shortname. | 'zone.example.com': 'ns1' | N/A | Hash (zone => server shortname) | role::bootstrap, role::dashboard, role::dns::master, role::dns::slave |

The dnssec-keygen commands above produce HMAC-MD5 keys. HMAC-MD5 is the weakest TSIG algorithm still in common use, and current BIND releases generate TSIG keys with tsig-keygen instead (dnssec-keygen no longer produces HMAC keys), for example tsig-keygen -a hmac-sha256 <keyname>; prefer hmac-sha256 when every server and client involved supports it. Whatever the algorithm, a TSIG key is a shared secret that is identical on both ends, so it belongs in hieradata only.

In addition there is a set of keys needed for each DNS server managing a DNS zone used by us. Shortname is the name used as a value in "profile::dns::zones".

| Key | Description | Example | Created by | Data type | Used by |
|---|---|---|---|---|---|
| profile::dns::<shortname>::ipv4 | The IPv4 address of a specific DNS server. | '192.0.2.129' | N/A | String | role::bootstrap, role::dashboard, role::dns::master, role::dns::slave |
| profile::dns::<shortname>::name | The FQDN of a specific DNS server. | 'ns1.example.com' | N/A | String | role::bootstrap, role::dns::master, role::dns::slave |
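As an added example (not part of the original page or of the project's Puppet code), the following Python script shows what a pre-commit check on the hieradata repository could look like. It parses the flat YAML subset hieradata uses, verifies that the keys listed in the Dashboard, DHCP server and DNS server sections are present for a given role, follows %{hiera('...')} lookups so that a reference to a missing key is caught before Puppet runs, derives the per-server profile::dns::<shortname>::* keys from profile::dns::zones, and flags secrets shorter than the generators above produce. The sample hieradata, the REQUIRED/PER_SERVER tables (a subset of the page's keys) and the 20-character threshold are assumptions made for this example.

```python
import re

# Constructed sample hieradata modelled on the key tables above; all values are made up.
# The omapi key keeps the page's placeholder on purpose, and profile::dns::key::update
# is left out so that the ns1 TSIG lookup dangles.
SAMPLE_HIERADATA = r"""
profile::dashboard::django::secret: 'Qf9,x!2ZkLm#7vRt@8Wb^c3Yd%Hn&Gp*Jq(Es)Uw+Vz=Ka]Lo'
profile::dashboard::name::v4only: 'v4dashboard.example.com'
profile::dashboard::api: "http://%{hiera('profile::dashboard::name::v4only')}"
profile::dashboard::database::pass: 'x&1/7LjWbz:i<:W&p+PG'
profile::dashboard::database::host: "%{hiera('profile::haproxy::management::ip')}"
profile::haproxy::management::ip: '192.0.2.10'
profile::dhcp::omapi::key: 'omapi_key=='
profile::dns::resolvers:
  - '192.0.2.129'
  - '192.0.2.130'
profile::dns::zones:
  'zone.example.com': 'ns1'
profile::dns::ns1::ipv4: '192.0.2.129'
profile::dns::ns1::key: "%{hiera('profile::dns::key::update')}"
"""

# Keys each role needs, copied from the tables above (a subset, to keep this short).
REQUIRED = {
    "role::dashboard": [
        "profile::dashboard::django::secret", "profile::dashboard::name::v4only",
        "profile::dashboard::api", "profile::dashboard::database::pass",
        "profile::dashboard::database::host", "profile::dhcp::omapi::key",
        "profile::dhcp::omapi::name", "profile::dns::zones"],
    "role::dhcp": ["profile::dhcp::omapi::key", "profile::dhcp::omapi::name",
                   "profile::dhcp::searchdomain", "profile::dns::resolvers"],
    "role::dns::master": ["profile::dns::forwarders", "profile::dns::key::transfer",
                          "profile::dns::key::update", "profile::dns::slaves",
                          "profile::dns::zones"],
}
# profile::dns::<shortname>::<suffix> keys needed for every server named in profile::dns::zones.
PER_SERVER = {"role::dashboard": ("ipv4", "key"), "role::dns::master": ("ipv4", "name")}
LINE_RE = re.compile(r"^(.+?):(?:\s+(.*?))?\s*$")             # 'key: value' or 'key:'
LOOKUP_RE = re.compile(r"%\{(?:hiera|lookup)\('([^']+)'\)\}")  # %{hiera('other::key')}

def _unquote(s):
    s = s.strip()
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] and s[0] in "'\"" else s

def _split(line):
    m = LINE_RE.match(line.strip())
    return _unquote(m.group(1)), (_unquote(m.group(2)) if m.group(2) else None)

def parse_hiera_yaml(text):
    """Flat YAML subset used by hieradata: 'key: scalar', or 'key:' followed by an
    indented '- item' list or 'sub: value' hash. No escapes, no deeper nesting."""
    data, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():                       # indented: list item or hash entry
            item = raw.strip()
            if item.startswith("- "):
                data[current] = (data.get(current) or []) + [_unquote(item[2:])]
            else:
                sub, val = _split(item)
                data[current] = {**(data[current] or {}), sub: val}
        else:
            current, data[current] = _split(raw)
    return data

def resolve(data, key, _seen=()):
    """Follow %{hiera('...')} chains; KeyError if a lookup dangles, ValueError on a cycle."""
    if key in _seen:
        raise ValueError("interpolation cycle: " + " -> ".join(_seen + (key,)))
    value = data[key]                              # KeyError for a dangling lookup
    if not isinstance(value, str):
        return value
    return LOOKUP_RE.sub(lambda m: str(resolve(data, m.group(1), _seen + (key,))), value)

def required_keys(role, data):
    keys = list(REQUIRED[role])
    for shortname in sorted(set((data.get("profile::dns::zones") or {}).values())):
        keys += [f"profile::dns::{shortname}::{s}" for s in PER_SERVER.get(role, ())]
    return keys

def check_role(role, data, min_secret_len=20):
    """Missing keys, lookups that dangle or loop, and secrets shorter than the generators
    above produce (pwgen -s 20 gives 20 chars, a 128-bit TSIG key is 24 base64 chars)."""
    problems = []
    for key in required_keys(role, data):
        if data.get(key) in (None, "", [], {}):
            problems.append(f"missing: {key}")
            continue
        try:
            value = resolve(data, key)
        except (KeyError, ValueError) as e:
            problems.append(f"unresolvable lookup: {key} -> {e.args[0]}")
            continue
        if key.endswith(("::secret", "::pass", "::key")) and len(value) < min_secret_len:
            problems.append(f"weak secret: {key} is only {len(value)} chars")
    return problems

if __name__ == "__main__":
    for role in REQUIRED:
        print(role, check_role(role, parse_hiera_yaml(SAMPLE_HIERADATA)))
```

Run against the real hieradata/*.yaml (merged into one dict, since Hiera looks keys up across the hierarchy) as a git pre-commit or pre-receive hook, and the check blocks a commit that would leave a role without a key, point a lookup at nothing, or ship a placeholder where a generated secret should be.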

Redis

| Key | Description | Example | Created by | Data type | Used by |
|---|---|---|---|---|---|
| profile::redis::master | Name or IP address of the initial Redis master. | 'redis1.cloud.domain.com' | N/A | String | role::redis |
| profile::redis::nodetype | Defined on each Redis node. The only valid values are 'master' and 'slave'. | 'master' | N/A | String | role::redis |
| profile::redis::ip | The IP address Redis clients should contact Redis on. Typically the HAProxy IP. | '192.168.100.10', "%{hiera('profile::haproxy::management::ip')}" or 'redis.cloud.domain.com' | N/A | String | All |