Closed Bug 1389542 - Opened 8 years ago, Closed 8 years ago

configure new tc-host-secrets servers in releng puppet

Categories: Infrastructure & Operations :: RelOps: Puppet
Type: task
Priority: Not set
Severity: normal
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: dhouse, Assigned: dhouse
Attachments: 4 files, 3 obsolete files

Need to add nodes in releng puppet for the new tc-host-secrets servers in scl3 and mdc1 and then configure how the tc-host-secrets module+package is installed and set up.
This will be similar to how it was set up on the puppet-masters in bug 1341654
Attachment #8898855 - Flags: review?(jwatkins)
Attached patch add fw role for tc_host_secrets (obsolete) — Splinter Review
Attachment #8898868 - Flags: review?(jwatkins)
Comment on attachment 8898868 [details] [diff] [review]
add fw role for tc_host_secrets

Review of attachment 8898868 [details] [diff] [review]:
-----------------------------------------------------------------

::: modules/fw/manifests/profiles/taskcluster_host_secrets.pp
@@ +6,5 @@
> +
> + case $::fqdn {
> + /.*\.(scl3|mdc1)\.mozilla\.com/: {
> + include ::fw::roles::taskcluster_host_secrets
> + include ::fw::roles::ssh_from_rejh

Missing nrpe_from_nagios role; we'll definitely need nagios checks.

Also, we're not entirely ready to limit this to rejh only since no one in releng is even enrolled in duo yet. Please change this to ssh_from_anywhere in the meantime. When we are ready and announce the activation of the jumphost restrictions, I'll make sure to swap it back out for ssh_from_rejh.

::: modules/fw/manifests/roles/taskcluster_host_secrets.pp
@@ +8,5 @@
> + fw::rules { 'allow_taskcluster_host_secrets_http':
> + sources => $::fw::networks::dc_test,
> + app => 'http'
> + }
> +}
\ No newline at end of file

For this role, the file (and class) should be named 'taskcluster_host_secrets_from_dc_test.pp' to stay in accordance with the naming standard of <type_of_service>_from_<its_sources>. Also, title the fw::rules with 'allow_taskcluster_host_secrets_from_dc_test'. Sticking with this standard gives much better readability. See other roles for examples. (I should also update the fw wiki docs since it isn't obvious.)
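Review bot: the profile's `case $::fqdn` pattern `/.*\.(scl3|mdc1)\.mozilla\.com/` is unanchored, so it also matches any fqdn that merely contains that suffix, for example one with further labels appended after `mozilla.com`; writing it as `/^.*\.(scl3|mdc1)\.mozilla\.com$/` makes the intent explicit, in line with the `^` being asked for on the node def. In the roles hunk, `app => 'http'` opens cleartext HTTP from `$::fw::networks::dc_test` to a service that exists to hand out tokens, so this firewall rule is the only control on that path; confirm that the dc_test source set is the intended trust boundary before landing.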
Attachment #8898868 - Flags: review?(jwatkins) → review-
Comment on attachment 8898855 [details] [diff] [review]
Add taskcluster_host_secrets server class and node def

Review of attachment 8898855 [details] [diff] [review]:
-----------------------------------------------------------------

::: manifests/moco-nodes.pp
@@ +20,5 @@
> include generic_worker::disabled
> }
>
> +# taskcluster-host-secrets hosts
> +node /tc-host-secrets\d+\.srv\.releng\.(mdc1|scl3)\.mozilla\.com/ {

Please put a ^ in the front just to be more explicit. I think that should be a standard going forward for node def regex.

/^tc-host-secrets\d+\.srv\.releng\.(mdc1|scl3)\.mozilla\.com/

@@ +21,5 @@
> }
>
> +# taskcluster-host-secrets hosts
> +node /tc-host-secrets\d+\.srv\.releng\.(mdc1|scl3)\.mozilla\.com/ {
> + $aspects = [ 'low-security' ]

I can only assume that since this service is handling giving out security tokens, it should probably be treated with a much higher security aspect. Possibly 'high' or 'maximum'? Maybe :dustin would know.
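Review bot: the node regex in both hunks needs a trailing anchor as well as the leading `^`: `/^tc-host-secrets\d+\.srv\.releng\.(mdc1|scl3)\.mozilla\.com$/`. Without `$`, a certname with extra labels appended (for example `tc-host-secrets1.srv.releng.mdc1.mozilla.com.example.net`) still matches this node definition and is classified as a tc-host-secrets host, which matters more once `$aspects` is raised above 'low-security' as suggested.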
Attachment #8898855 - Flags: review?(jwatkins) → review-
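Added example (Ruby, not code from this bug or from the releng puppet repository): it emulates how Puppet matches a regex node name against an agent certname, using the unanchored pattern from the patch and a fully anchored form, and lists which constructed look-alike certnames the unanchored pattern would wrongly classify as tc-host-secrets hosts. The look-alike hostnames are made up for illustration.

```ruby
# Node-definition regexes from the patch under review. Puppet matches a
# regex node name against the agent certname with Ruby's Regexp, which is an
# unanchored search: a pattern without ^ and $ also matches any certname
# that merely contains it.
UNANCHORED = /tc-host-secrets\d+\.srv\.releng\.(mdc1|scl3)\.mozilla\.com/
ANCHORED   = /^tc-host-secrets\d+\.srv\.releng\.(mdc1|scl3)\.mozilla\.com$/

# Constructed certnames (illustrative, not real hosts): the two intended
# hosts, plus three look-alikes that must not pick up the high-security role.
INTENDED = [
  'tc-host-secrets1.srv.releng.mdc1.mozilla.com',
  'tc-host-secrets2.srv.releng.scl3.mozilla.com',
].freeze

LOOKALIKES = [
  'xtc-host-secrets1.srv.releng.mdc1.mozilla.com',            # leading junk; rejected by ^
  'tc-host-secrets1.srv.releng.mdc1.mozilla.com.example.net', # trailing labels; rejected by $
  'tc-host-secrets1.srv.releng.mdc2.mozilla.com',             # wrong DC; rejected by both
].freeze

# Emulate Puppet's node matching: Regexp#match on the certname, no implicit anchors.
def node_matches?(pattern, certname)
  !pattern.match(certname).nil?
end

# Certnames the pattern would classify as tc-host-secrets hosts even though
# they are not on the intended list (sorted for a stable result).
def false_positives(pattern, certnames = INTENDED + LOOKALIKES)
  certnames.select { |n| node_matches?(pattern, n) && !INTENDED.include?(n) }.sort
end

# Intended hosts the pattern fails to match; must be empty for a usable pattern.
def missed_hosts(pattern)
  INTENDED.reject { |n| node_matches?(pattern, n) }
end

if $PROGRAM_NAME == __FILE__
  puts "unanchored false positives: #{false_positives(UNANCHORED).inspect}"
  puts "anchored false positives:   #{false_positives(ANCHORED).inspect}"
  puts "anchored missed hosts:      #{missed_hosts(ANCHORED).inspect}"
end
```

Ruby's `^` and `$` are line anchors; `\A` and `\z` anchor the whole string and are the stricter choice if a certname could ever contain a newline. A node's certname is chosen by the agent at enrollment, so the node regex is only as trustworthy as the CA's signing policy.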
Dustin, which sec aspect should be used here?
Flags: needinfo?(dustin)
I don't remember what the details of each level are, but yes -- higher than "low"! Also, last I knew there wasn't much difference above "high", so let's just say "high".
Flags: needinfo?(dustin)
Attachment #8898855 - Attachment is obsolete: true
Attachment #8899566 - Flags: review?(jwatkins)
Attachment #8899566 - Flags: review?(dcrisan)
Attached patch add fw role for tc_host_secrets (obsolete) — Splinter Review
Attachment #8899567 - Flags: review?(jwatkins)
Attachment #8899567 - Flags: review?(dcrisan)
Attachment #8899567 - Attachment is patch: true
Attachment #8898868 - Attachment is obsolete: true
Attachment #8899566 - Flags: review?(jwatkins) → review+
Attachment #8899567 - Attachment is obsolete: true
Attachment #8899567 - Flags: review?(jwatkins)
Attachment #8899567 - Flags: review?(dcrisan)
Attachment #8899600 - Flags: review?(jwatkins)
Attachment #8899600 - Flags: review?(dcrisan)
Comment on attachment 8899600 [details] [diff] [review]
add fw role for tc_host_secrets

Review of attachment 8899600 [details] [diff] [review]:
-----------------------------------------------------------------

Perfect! Thanks.
Attachment #8899600 - Flags: review?(jwatkins) → review+
Attachment #8899566 - Flags: checked-in+
Comment on attachment 8899600 [details] [diff] [review]
add fw role for tc_host_secrets

Pushed the fw role for tc-host-secrets to prod.
remote: https://hg.mozilla.org/build/puppet/rev/43a08ca645e1557720fe94caaa178e404a23fd51
Attachment #8899600 - Flags: checked-in+
Comment on attachment 8899566 [details] [diff] [review]
add tc-host-secrets node def

LGTM
Attachment #8899566 - Flags: review?(dcrisan) → review+
Comment on attachment 8899600 [details] [diff] [review]
add fw role for tc_host_secrets

LGTM
Attachment #8899600 - Flags: review?(dcrisan) → review+
Need to be able to configure which port tc-host-secrets listens on:

[dhouse@tc-host-secrets1.srv.releng.mdc1.mozilla.com ~]$ cat /var/log/taskcluster-host-secrets.stderr.log
Tue, 29 Aug 2017 15:21:20 GMT typed-env-config Config file missing: user-config.yml
Tue, 29 Aug 2017 15:21:20 GMT taskcluster-lib-validate Attempting to set constants by file: /opt/taskcluster-host-secrets/code/schemas/constants.yml
Tue, 29 Aug 2017 15:21:20 GMT taskcluster-lib-validate finished walking tree of schemas
Tue, 29 Aug 2017 15:21:21 GMT taskcluster-client Calling: awsS3Credentials, retry: 0
Tue, 29 Aug 2017 15:21:21 GMT taskcluster-client Success calling: awsS3Credentials, (0 retries)
Tue, 29 Aug 2017 15:21:22 GMT taskcluster-lib-docs { ETag: '"9c02caf90740342c701ae4a093b85330"', PartNumber: 1, receivedSize: 3183, uploadedSize: 3183 }
Tue, 29 Aug 2017 15:21:22 GMT taskcluster-lib-docs { Location: 'https://taskcluster-raw-docs.s3.amazonaws.com/taskcluster-host-secrets%2Flatest.tar.gz', Bucket: 'taskcluster-raw-docs', Key: 'taskcluster-host-secrets/latest.tar.gz', ETag: '"08443b35e8ec6564027e2bb9a072945c-1"' }
Tue, 29 Aug 2017 15:21:22 GMT base:app Server listening on port 80
Attachment #8902324 - Flags: review?(jwatkins)
Attachment #8902324 - Flags: review?(dcrisan)
Attachment #8902324 - Attachment is patch: true
Comment on attachment 8902324 [details] [diff] [review]
allow changing host-secrets port. set tc-host-secretsN to port 80

Review of attachment 8902324 [details] [diff] [review]:
-----------------------------------------------------------------

I think this is a fine solution, but one thing I'd like to steer clear of in the future is the excessive use of node scope variables. I know I've defaulted to them in the past, but I think we should make a point of putting things in moco-config.pp and using a $::fqdn selector switch instead. In the meantime, this works and we can go back and remove it once the new hosts are running and the old service is removed from the puppetmasters.

So... Ship it! :-)
Attachment #8902324 - Flags: review?(jwatkins) → review+
Comment on attachment 8902324 [details] [diff] [review]
allow changing host-secrets port. set tc-host-secretsN to port 80

Review of attachment 8902324 [details] [diff] [review]:
-----------------------------------------------------------------

lgtm

::: manifests/moco-nodes.pp
@@ +31,3 @@
> # taskcluster-host-secrets hosts
> node /^tc-host-secrets\d+\.srv\.releng\.(mdc1|scl3)\.mozilla\.com/ {
> $aspects = [ 'high-security' ]

arrange the = sign
Attachment #8902324 - Flags: review?(dcrisan) → review+
Attachment #8902324 - Flags: checked-in+
(In reply to Dragos Crisan [:dragrom] from comment #18)
> Comment on attachment 8902324 [details] [diff] [review]
> allow changing host-secrets port. set tc-host-secretsN to port 80
>
> Review of attachment 8902324 [details] [diff] [review]:
> -----------------------------------------------------------------
>
> lgtm
>
> ::: manifests/moco-nodes.pp
> @@ +31,3 @@
> > # taskcluster-host-secrets hosts
> > node /^tc-host-secrets\d+\.srv\.releng\.(mdc1|scl3)\.mozilla\.com/ {
> > $aspects = [ 'high-security' ]
>
> arrange the = sign

Amended for aligning the equals:
remote: https://hg.mozilla.org/build/puppet/rev/6aa02e22a075b0491cb465bab05d684f36763f86

Travis passed. Pushed to prod:
remote: https://hg.mozilla.org/build/puppet/rev/89c50bdb3259f38d2bed0ea55652ce5ec023590b
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
This allows only port 80 (from test/wintest in scl3/mdc1), nagios, and ssh (from anywhere, with logging).
Attachment #8905206 - Flags: review?(jwatkins)
Attachment #8905206 - Flags: review?(jwatkins) → review+
Comment on attachment 8905206 [details] [diff] [review]
apply host-based firewall to tc-host-secrets hosts

Applied host-based fw patch:
remote: https://hg.mozilla.org/build/puppet/rev/5f6f6561cd8c5f24284a13d2d7095f781e7f4bcf

Travis passed. Pushed to production:
remote: https://hg.mozilla.org/build/puppet/rev/59e0531c26f446c5298f6260c7f6377d1ee17d70
Attachment #8905206 - Flags: checked-in+