Because ssh-ing into each manually and fixing stuff sucks.
The deployment-prep labs project already has its own salt master. We are going to do the same for the integration project since CI has a ton of instances and that will make our life easier. A side effect is that salt commands meant to be executed on all labs project will no more reach 'integration' instances (just like they are not reaching the 'deployment-prep' project).
Created instance i-00000b91 m1.small with image "ubuntu-12.04-precise" and integration-saltmaster.eqiad.wmflabs.
I have applied role::salt::masters::labs::project_master and ran puppet.
- public key from /etc/salt/pki/master/master.pub
- fingerprint via salt-key -f /etc/salt/pki/master/master.pub ( 70:48:7d:38:dc:44:2a:5d:51:0e:49:fe:a3:21:0c:eb ).
Applied that to Hiera:Integration.
integration-saltmaster# salt-key --list all Accepted Keys: Unaccepted Keys: i-00000392.eqiad.wmflabs i-00000474.eqiad.wmflabs i-0000063a.eqiad.wmflabs i-00000924.eqiad.wmflabs i-00000a4c.eqiad.wmflabs i-00000a8d.eqiad.wmflabs i-00000a8e.eqiad.wmflabs i-00000a92.eqiad.wmflabs i-00000a96.eqiad.wmflabs i-00000a98.eqiad.wmflabs i-00000a9f.eqiad.wmflabs i-00000aa1.eqiad.wmflabs i-00000b2a.eqiad.wmflabs i-00000b91.eqiad.wmflabs Rejected Keys:
Now we need to find out how to have the keys to be automatically signed.
The salt autosigner is part of puppet class puppetmaster::autosigner. I have applied it and that creates the cron:
* * * * * /usr/local/sbin/puppetsigner.py > /dev/null 2>&1
That signed them all and puppet still runs fine on the instance. Example run: