Page MenuHomePhabricator
Create Task
Maniphest T352640

Fix Pontoon to bootstrap from Bookworm and Puppetserver
Open, Needs TriagePublic
Actions

Description

The bootstrap/quickstart instructions for Ponton at https://wikitech.wikimedia.org/wiki/Puppet/Pontoon mention grabbing a Buster host, which isn't going to work anymore.

Pontoon should instead bootstrap and work from a Bookworm host, making use of a self-hosted puppetserver

Details

SubjectRepoBranchLines +/-
postgresql: install configuration before starting the serveroperations/puppetproduction+62 -21
puppetdb: allow both secret() and source for site key materialoperations/puppetproduction+38 -9
puppetserver: add Puppet CA custom name and SANsoperations/puppetproduction+29 -3
postgresql: use 'systemd reload' for pgreloadoperations/puppetproduction+2 -2
multirootca: depend on cfssl when generating CRLsoperations/puppetproduction+1 -0
pontoon: copy post-receive hook from puppetmasteroperations/puppetproduction+19 -0
Customize query in gerrit

Related Objects

Event Timeline

fgiunchedi created this task.Dec 4 2023, 9:22 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 4 2023, 9:22 AM
gerritbot added a comment.Dec 22 2023, 11:18 AM

Change 985125 had a related patch set uploaded (by Filippo Giunchedi; author: Filippo Giunchedi):

[operations/puppet@production] pontoon: copy post-receive hook from puppetmaster

https://gerrit.wikimedia.org/r/985125

gerritbot added a project: Patch-For-Review.Dec 22 2023, 11:18 AM
gerritbot added a comment.Dec 22 2023, 11:24 AM

Change 985125 merged by Filippo Giunchedi:

[operations/puppet@production] pontoon: copy post-receive hook from puppetmaster

https://gerrit.wikimedia.org/r/985125

Maintenance_bot removed a project: Patch-For-Review.Dec 22 2023, 11:30 AM
fgiunchedi added a comment.Jan 2 2024, 2:39 PM

I have made some progress on getting puppetserver::pontoon to be a thing.

Things mostly work, however for a successful bootstrap I have made the following changes:

  • The puppetserver CA is used to issue certificates (as opposed to PKI) and to bootstrap pki.discovery.wmnet I'm using SANs on the multirootca host. Therefore I have changes to set the CA name to a well known name (as opposed to defaulting to the puppetserver fqdn) and allow_san option
  • puppetdb cert key at the moment allows only secret() calls, whereas in Pontoon the key might be found on the server filesystem. For this I've implemented an approach similar to what we're doing in pki where content/source for the key can come either from secret() or the filesystem
JMeybohm subscribed.Jan 3 2024, 2:39 PM
fgiunchedi mentioned this in T354412: Quota increase request for project 'monitoring'.Jan 5 2024, 11:02 AM
gerritbot added a comment.Feb 12 2024, 9:35 AM

Change 1002384 had a related patch set uploaded (by Filippo Giunchedi; author: Filippo Giunchedi):

[operations/puppet@production] multirootca: depend on cfssl when generating CRLs

https://gerrit.wikimedia.org/r/1002384

gerritbot added a project: Patch-For-Review.Feb 12 2024, 9:36 AM

Change 1002385 had a related patch set uploaded (by Filippo Giunchedi; author: Filippo Giunchedi):

[operations/puppet@production] puppetserver: add Puppet CA custom name and SANs

https://gerrit.wikimedia.org/r/1002385

gerritbot added a comment.Feb 12 2024, 9:36 AM

Change 1002386 had a related patch set uploaded (by Filippo Giunchedi; author: Filippo Giunchedi):

[operations/puppet@production] puppetdb: allow both secret() and source for site key material

https://gerrit.wikimedia.org/r/1002386

gerritbot added a comment.Feb 12 2024, 9:36 AM

Change 1002387 had a related patch set uploaded (by Filippo Giunchedi; author: Filippo Giunchedi):

[operations/puppet@production] postgresql: install configuration before starting the server

https://gerrit.wikimedia.org/r/1002387

gerritbot added a comment.Feb 12 2024, 9:36 AM

Change 1002388 had a related patch set uploaded (by Filippo Giunchedi; author: Filippo Giunchedi):

[operations/puppet@production] postgresql: use 'systemd reload' for pgreload

https://gerrit.wikimedia.org/r/1002388

gerritbot added a comment.Feb 13 2024, 1:31 PM

Change 1002384 merged by Filippo Giunchedi:

[operations/puppet@production] multirootca: depend on cfssl when generating CRLs

https://gerrit.wikimedia.org/r/1002384

gerritbot added a comment.Feb 13 2024, 1:38 PM

Change 1002388 merged by Filippo Giunchedi:

[operations/puppet@production] postgresql: use 'systemd reload' for pgreload

https://gerrit.wikimedia.org/r/1002388

gerritbot added a comment.Feb 13 2024, 1:50 PM

Change 1002385 merged by Filippo Giunchedi:

[operations/puppet@production] puppetserver: add Puppet CA custom name and SANs

https://gerrit.wikimedia.org/r/1002385

Stashbot added a comment.Feb 13 2024, 2:18 PM

Mentioned in SAL (#wikimedia-operations) [2024-02-13T14:18:26Z] <godog> bounce puppetserver on puppetserver1003 to test noop config change - T352640

gerritbot added a comment.Feb 13 2024, 3:22 PM

Change 1002386 merged by Filippo Giunchedi:

[operations/puppet@production] puppetdb: allow both secret() and source for site key material

https://gerrit.wikimedia.org/r/1002386

fgiunchedi mentioned this in T360703: Replace or remove Debian Buster VMs in 'monitoring' cloud-vps project.Mar 22 2024, 8:51 AM
fgiunchedi added a project: User-fgiunchedi.Mar 29 2024, 10:32 AM
fgiunchedi mentioned this in T361566: Request creation of o11y VPS project to replace monitoring.Apr 2 2024, 9:22 AM
Kormat subscribed.Tue, Apr 16, 10:15 AM
andrea.denisse subscribed.Wed, May 15, 2:47 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL