In the parent ticket we're going to be creating a central puppetmaster instance(s) in the cloudinfra project.
One of the functions of the current central puppetmaster setup is Cumin. Cumin's private key lives here, presumably via production's puppet-private secrets, and it SSHes into target VMs using bastion-restricted as a proxy.
There are a few unanswered questions around this:
- Why is labpuppetmaster1001 involved at all? Why not just have bastion-restricted be a Cumin master? Are there concerns around key security if Cumin lives on an instance as exposed to the internet as bastion-restricted? I know in the past there have been issues causing bastion-restricted to ironically be one of the least restricted Wikimedia servers.
- Why are various unrelated cloudinfra instances set up like bastion-restricted, accepting connections directly from labpuppetmaster1001 instead of only from bastion-restricted? Specifically, they set profile::openstack::main::cumin::auth_group: cumin_real_masters in their hiera. Additionally it's only a subset of cloudinfra - the puppetmasters Andrew made in there appear to be normal.
- Should the Cumin master for Cloud VPS continue to be hosted alongside the central puppetmaster, or should it be a separate instance?