Puppet Class: profile::gerrit

Defined in:
modules/profile/manifests/gerrit.pp

Overview

modules/profile/manifests/gerrit/server.pp

Parameters:

  • ldap_config (Hash) (defaults to: lookup('ldap', Hash, hash, {}))
  • ipv4 (Stdlib::IP::Address::V4) (defaults to: lookup('profile::gerrit::ipv4'))
  • ipv6 (Optional[Stdlib::IP::Address::V6]) (defaults to: lookup('profile::gerrit::ipv6'))
  • host (Stdlib::Fqdn) (defaults to: lookup('profile::gerrit::host'))
  • backups_enabled (Boolean) (defaults to: lookup('profile::gerrit::backups_enabled'))
  • backup_set (String) (defaults to: lookup('profile::gerrit::backup_set'))
  • ssh_allowed_hosts (Array[Stdlib::Fqdn]) (defaults to: lookup('profile::gerrit::ssh_allowed_hosts'))
  • config (String) (defaults to: lookup('profile::gerrit::config'))
  • use_acmechief (Boolean) (defaults to: lookup('profile::gerrit::use_acmechief'))
  • is_replica (Boolean) (defaults to: lookup('profile::gerrit::is_replica'))
  • replica_hosts (Optional[Array[Stdlib::Fqdn]]) (defaults to: lookup('profile::gerrit::replica_hosts'))
  • daemon_user (Optional[String]) (defaults to: lookup('profile::gerrit::daemon_user'))
  • scap_user (Optional[String]) (defaults to: lookup('profile::gerrit::scap_user'))
  • manage_scap_user (Optional[Boolean]) (defaults to: lookup('profile::gerrit::manage_scap_user'))
  • scap_key_name (Optional[String]) (defaults to: lookup('profile::gerrit::scap_key_name'))
  • enable_monitoring (Boolean) (defaults to: lookup('profile::gerrit::enable_monitoring'))
  • replication (Hash[String, Hash]) (defaults to: lookup('profile::gerrit::replication'))
  • ssh_host_key (String) (defaults to: lookup('profile::gerrit::ssh_host_key'))
  • git_dir (Stdlib::Unixpath) (defaults to: lookup('profile::gerrit::git_dir'))
  • java_home (Stdlib::Unixpath) (defaults to: lookup('profile::gerrit::java_home')) 


3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
 
# File 'modules/profile/manifests/gerrit.pp', line 3

class profile::gerrit(
    Hash                              $ldap_config       = lookup('ldap', Hash, hash, {}),
    Stdlib::IP::Address::V4           $ipv4              = lookup('profile::gerrit::ipv4'),
    Optional[Stdlib::IP::Address::V6] $ipv6              = lookup('profile::gerrit::ipv6'),
    Stdlib::Fqdn                      $host              = lookup('profile::gerrit::host'),
    Boolean                           $backups_enabled   = lookup('profile::gerrit::backups_enabled'),
    String                            $backup_set        = lookup('profile::gerrit::backup_set'),
    Array[Stdlib::Fqdn]               $ssh_allowed_hosts = lookup('profile::gerrit::ssh_allowed_hosts'),
    String                            $config            = lookup('profile::gerrit::config'),
    Boolean                           $use_acmechief     = lookup('profile::gerrit::use_acmechief'),
    Boolean                           $is_replica        = lookup('profile::gerrit::is_replica'),
    Optional[Array[Stdlib::Fqdn]]     $replica_hosts     = lookup('profile::gerrit::replica_hosts'),
    Optional[String]                  $daemon_user       = lookup('profile::gerrit::daemon_user'),
    Optional[String]                  $scap_user         = lookup('profile::gerrit::scap_user'),
    Optional[Boolean]                 $manage_scap_user  = lookup('profile::gerrit::manage_scap_user'),
    Optional[String]                  $scap_key_name     = lookup('profile::gerrit::scap_key_name'),
    Boolean                           $enable_monitoring = lookup('profile::gerrit::enable_monitoring'),
    Hash[String, Hash]                $replication       = lookup('profile::gerrit::replication'),
    String                            $ssh_host_key      = lookup('profile::gerrit::ssh_host_key'),
    Stdlib::Unixpath                  $git_dir           = lookup('profile::gerrit::git_dir'),
    Stdlib::Unixpath                  $java_home         = lookup('profile::gerrit::java_home'),
) {
    require ::profile::java

    interface::alias { 'gerrit server':
        ipv4 => $ipv4,
        ipv6 => $ipv6,
    }

    if !$is_replica and $enable_monitoring {
        monitoring::service { 'gerrit_ssh':
            description   => 'SSH access',
            check_command => "check_ssh_port_ip!29418!${ipv4}",
            contact_group => 'admins,gerrit',
            notes_url     => 'https://wikitech.wikimedia.org/wiki/Gerrit',
        }
    }

    # ssh from users to gerrit
    ferm::service { 'gerrit_ssh_users':
        proto  => 'tcp',
        port   => '29418',
        drange => "(${ipv4} ${ipv6})",
    }

    # ssh between gerrit servers for cluster support
    $ssh_allowed_hosts_ferm=join($ssh_allowed_hosts, ' ')
    ferm::service { 'gerrit_ssh_cluster':
        port   => '22',
        proto  => 'tcp',
        srange => "(@resolve((${ssh_allowed_hosts_ferm})) @resolve((${ssh_allowed_hosts_ferm}), AAAA))",
    }

    ferm::service { 'gerrit_http':
        proto => 'tcp',
        port  => 'http',
    }

    ferm::service { 'gerrit_https':
        proto => 'tcp',
        port  => 'https',
    }

    if $backups_enabled and $backup_set != undef {
        backup::set { $backup_set:
            jobdefaults => "Hourly-${profile::backup::host::day}-${profile::backup::host::pool}"
        }
    }

    if $use_acmechief {
        class { 'sslcert::dhparam': }
        acme_chief::cert { 'gerrit':
            puppet_svc => 'apache2',
        }
    } else {
        ensure_packages('certbot')
        systemd::timer::job { 'certbot-renew':
            ensure      => present,
            user        => 'root',
            description => 'renew TLS certificate using certbot',
            command     => "/usr/bin/certbot -q renew --post-hook \"systemctl reload apache\"",
            interval    => {'start' => 'OnCalendar', 'interval' => '*-*-* 04:04:00'},
        }
    }

    class { 'gerrit':
        host              => $host,
        ipv4              => $ipv4,
        ipv6              => $ipv6,
        replica           => $is_replica,
        replica_hosts     => $replica_hosts,
        config            => $config,
        use_acmechief     => $use_acmechief,
        ldap_config       => $ldap_config,
        daemon_user       => $daemon_user,
        scap_user         => $scap_user,
        manage_scap_user  => $manage_scap_user,
        scap_key_name     => $scap_key_name,
        enable_monitoring => $enable_monitoring,
        replication       => $replication,
        ssh_host_key      => $ssh_host_key,
        git_dir           => $git_dir,
        java_home         => $java_home,
    }

    class { 'gerrit::replication_key':
        user    => $daemon_user,
        require => Class['gerrit'],
    }
    $sshkey = 'AAAAB3NzaC1yc2EAAAADAQABAAAAgQCF8pwFLehzCXhbF1jfHWtd9d1LFq2NirplEBQYs7AOrGwQ/6ZZI0gvZFYiEiaw1o+F1CMfoHdny1VfWOJF3mJ1y9QMKAacc8/Z3tG39jBKRQCuxmYLO1SWymv7/Uvx9WQlkNRoTdTTa9OJFy6UqvLQEXKYaokfMIUHZ+oVFf1CgQ=='

    @@sshkey { 'gerrit.wikimedia.org':
        ensure       => 'present',
        key          => $sshkey,
        type         => 'ssh-rsa',
        host_aliases => [ipresolve('gerrit.wikimedia.org'), ipresolve('gerrit.wikimedia.org', 6)],
    }

    # Ship Gerrit built-in logs to ELK
    rsyslog::input::file { 'gerrit-json':
        path => '/var/log/gerrit/*_log.json',
    }

    # Apache reverse proxies to jetty
    rsyslog::input::file { 'gerrit-apache2-error':
        path => '/var/log/apache2/*error*.log',
    }
    rsyslog::input::file { 'gerrit-apache2-access':
        path => '/var/log/apache2/*access*.log',
    }
}