Page MenuHomePhabricator
Create Task
Maniphest T352640

Fix Pontoon to bootstrap from Bookworm and Puppetserver
Closed, ResolvedPublic
Actions

Description

The bootstrap/quickstart instructions for Ponton at https://wikitech.wikimedia.org/wiki/Puppet/Pontoon mention grabbing a Buster host, which isn't going to work anymore.

Pontoon should instead bootstrap and work from a Bookworm host, making use of a self-hosted puppetserver

The development branch for this work is sandbox/filippo/pontoon-puppetserver and now contains a modules/pontoon/README.md with instructions to get started.

Note that I've taken this occasion to also rethink/rework how Pontoon user interactions happen: pontoonctl is a new interface to handle interacting with your Pontoon stack

Details

SubjectRepoBranchLines +/-
pontoon: remove note re: sandbox/ branchoperations/puppetproduction+1 -8
pontoon: add frontend proxy capability to LBoperations/puppetproduction+104 -39
pontoon: support puppet 7 / puppetserver and openstack APIoperations/puppetproduction+2 K -652
postgresql: install configuration before starting the serveroperations/puppetproduction+62 -21
puppetdb: allow both secret() and source for site key materialoperations/puppetproduction+38 -9
puppetserver: add Puppet CA custom name and SANsoperations/puppetproduction+29 -3
postgresql: use 'systemd reload' for pgreloadoperations/puppetproduction+2 -2
multirootca: depend on cfssl when generating CRLsoperations/puppetproduction+1 -0
pontoon: copy post-receive hook from puppetmasteroperations/puppetproduction+19 -0
Customize query in gerrit

Related Objects

Event Timeline

fgiunchedi created this task.Dec 4 2023, 9:22 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 4 2023, 9:22 AM
gerritbot added a comment.Dec 22 2023, 11:18 AM

Change 985125 had a related patch set uploaded (by Filippo Giunchedi; author: Filippo Giunchedi):

[operations/puppet@production] pontoon: copy post-receive hook from puppetmaster

https://gerrit.wikimedia.org/r/985125

gerritbot added a project: Patch-For-Review.Dec 22 2023, 11:18 AM
gerritbot added a comment.Dec 22 2023, 11:24 AM

Change 985125 merged by Filippo Giunchedi:

[operations/puppet@production] pontoon: copy post-receive hook from puppetmaster

https://gerrit.wikimedia.org/r/985125

Maintenance_bot removed a project: Patch-For-Review.Dec 22 2023, 11:30 AM
fgiunchedi added a comment.Jan 2 2024, 2:39 PM

I have made some progress on getting puppetserver::pontoon to be a thing.

Things mostly work, however for a successful bootstrap I have made the following changes:

  • The puppetserver CA is used to issue certificates (as opposed to PKI) and to bootstrap pki.discovery.wmnet I'm using SANs on the multirootca host. Therefore I have changes to set the CA name to a well known name (as opposed to defaulting to the puppetserver fqdn) and allow_san option
  • puppetdb cert key at the moment allows only secret() calls, whereas in Pontoon the key might be found on the server filesystem. For this I've implemented an approach similar to what we're doing in pki where content/source for the key can come either from secret() or the filesystem
JMeybohm subscribed.Jan 3 2024, 2:39 PM
fgiunchedi mentioned this in T354412: Quota increase request for project 'monitoring'.Jan 5 2024, 11:02 AM
gerritbot added a comment.Feb 12 2024, 9:35 AM

Change 1002384 had a related patch set uploaded (by Filippo Giunchedi; author: Filippo Giunchedi):

[operations/puppet@production] multirootca: depend on cfssl when generating CRLs

https://gerrit.wikimedia.org/r/1002384

gerritbot added a project: Patch-For-Review.Feb 12 2024, 9:36 AM

Change 1002385 had a related patch set uploaded (by Filippo Giunchedi; author: Filippo Giunchedi):

[operations/puppet@production] puppetserver: add Puppet CA custom name and SANs

https://gerrit.wikimedia.org/r/1002385

gerritbot added a comment.Feb 12 2024, 9:36 AM

Change 1002386 had a related patch set uploaded (by Filippo Giunchedi; author: Filippo Giunchedi):

[operations/puppet@production] puppetdb: allow both secret() and source for site key material

https://gerrit.wikimedia.org/r/1002386

gerritbot added a comment.Feb 12 2024, 9:36 AM

Change 1002387 had a related patch set uploaded (by Filippo Giunchedi; author: Filippo Giunchedi):

[operations/puppet@production] postgresql: install configuration before starting the server

https://gerrit.wikimedia.org/r/1002387

gerritbot added a comment.Feb 12 2024, 9:36 AM

Change 1002388 had a related patch set uploaded (by Filippo Giunchedi; author: Filippo Giunchedi):

[operations/puppet@production] postgresql: use 'systemd reload' for pgreload

https://gerrit.wikimedia.org/r/1002388

gerritbot added a comment.Feb 13 2024, 1:31 PM

Change 1002384 merged by Filippo Giunchedi:

[operations/puppet@production] multirootca: depend on cfssl when generating CRLs

https://gerrit.wikimedia.org/r/1002384

gerritbot added a comment.Feb 13 2024, 1:38 PM

Change 1002388 merged by Filippo Giunchedi:

[operations/puppet@production] postgresql: use 'systemd reload' for pgreload

https://gerrit.wikimedia.org/r/1002388

gerritbot added a comment.Feb 13 2024, 1:50 PM

Change 1002385 merged by Filippo Giunchedi:

[operations/puppet@production] puppetserver: add Puppet CA custom name and SANs

https://gerrit.wikimedia.org/r/1002385

Stashbot added a comment.Feb 13 2024, 2:18 PM

Mentioned in SAL (#wikimedia-operations) [2024-02-13T14:18:26Z] <godog> bounce puppetserver on puppetserver1003 to test noop config change - T352640

gerritbot added a comment.Feb 13 2024, 3:22 PM

Change 1002386 merged by Filippo Giunchedi:

[operations/puppet@production] puppetdb: allow both secret() and source for site key material

https://gerrit.wikimedia.org/r/1002386

fgiunchedi mentioned this in T360703: Replace or remove Debian Buster VMs in 'monitoring' cloud-vps project.Mar 22 2024, 8:51 AM
fgiunchedi added a project: User-fgiunchedi.Mar 29 2024, 10:32 AM
fgiunchedi mentioned this in T361566: Request creation of o11y VPS project to replace monitoring.Apr 2 2024, 9:22 AM
Kormat subscribed.Apr 16 2024, 10:15 AM
andrea.denisse subscribed.May 15 2024, 2:47 PM
gerritbot added a comment.May 20 2024, 7:43 AM

Change #1002387 merged by Filippo Giunchedi:

[operations/puppet@production] postgresql: install configuration before starting the server

https://gerrit.wikimedia.org/r/1002387

fgiunchedi updated the task description. (Show Details)May 20 2024, 8:17 AM
fgiunchedi added a comment.May 20 2024, 8:20 AM

For the folks subscribed to this task and interested in beta-testing, please see sandbox/filippo/pontoon-puppetserver branch and its README.md: https://gerrit.wikimedia.org/r/plugins/gitiles/operations/puppet/+/refs/heads/sandbox/filippo/pontoon-puppetserver/modules/pontoon/

The branch is to be considered in active development, i.e. git push -f to it can and will happen!

Please do reach out here or elsewhere with any feedback/ideas/etc

Maintenance_bot removed a project: Patch-For-Review.May 20 2024, 8:30 AM
andrea.denisse awarded a token.May 20 2024, 6:00 PM
fgiunchedi added a comment.Jun 14 2024, 8:48 AM

This is effectively done, what's left to do on my end is put sandbox/filippo/pontoon-puppetserver branch for review and get it merged, which I'll do in July when I'm back from vacation

gerritbot added a comment.Jul 8 2024, 12:44 PM

Change #1052730 had a related patch set uploaded (by Filippo Giunchedi; author: Filippo Giunchedi):

[operations/puppet@production] pontoon: support puppet 7 / puppetserver and openstack API

https://gerrit.wikimedia.org/r/1052730

gerritbot added a project: Patch-For-Review.Jul 8 2024, 12:44 PM

Change #1052731 had a related patch set uploaded (by Filippo Giunchedi; author: Filippo Giunchedi):

[operations/puppet@production] pontoon: add frontend proxy capability to LB

https://gerrit.wikimedia.org/r/1052731

gerritbot added a comment.Jul 9 2024, 8:12 AM

Change #1052730 merged by Filippo Giunchedi:

[operations/puppet@production] pontoon: support puppet 7 / puppetserver and openstack API

https://gerrit.wikimedia.org/r/1052730

gerritbot added a comment.Jul 9 2024, 8:13 AM

Change #1052731 merged by Filippo Giunchedi:

[operations/puppet@production] pontoon: add frontend proxy capability to LB

https://gerrit.wikimedia.org/r/1052731

gerritbot added a comment.Jul 9 2024, 12:25 PM

Change #1052966 had a related patch set uploaded (by Filippo Giunchedi; author: Filippo Giunchedi):

[operations/puppet@production] pontoon: remove note re: sandbox/ branch

https://gerrit.wikimedia.org/r/1052966

gerritbot added a comment.Jul 9 2024, 12:31 PM

Change #1052966 merged by Filippo Giunchedi:

[operations/puppet@production] pontoon: remove note re: sandbox/ branch

https://gerrit.wikimedia.org/r/1052966

fgiunchedi closed this task as Resolved.Jul 9 2024, 12:32 PM
fgiunchedi claimed this task.

Calling this done, Pontoon now supports Puppet 7 (puppetserver) and I've updated the wikitech documentation

Maintenance_bot removed a project: Patch-For-Review.Jul 9 2024, 7:53 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits