1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
|
# File 'modules/profile/manifests/openstack/codfw1dev/db.pp', line 1
class profile::openstack::codfw1dev::db(
Array[Stdlib::Fqdn] $labweb_hosts = lookup('profile::openstack::codfw1dev::labweb_hosts'),
Array[Stdlib::IP::Address] $mysql_root_clients = lookup('mysql_root_clients', {default_value => []}),
Array[Stdlib::IP::Address] $maintenance_hosts = lookup('maintenance_hosts'),
) {
package {'wmf-mariadb104':
ensure => 'present',
}
# TODO: consider using profile::pki::get_cert
# This creates also /etc/mysql/ssl
puppet::expose_agent_certs { '/etc/mysql':
ensure => present,
provide_private => true,
user => 'mysql',
group => 'mysql',
}
file {'/etc/mysql/my.cnf':
owner => 'root',
group => 'root',
mode => '0644',
source => 'puppet:///modules/profile/openstack/codfw1dev/db/my.cnf',
require => Package['wmf-mariadb104'],
}
prometheus::mysqld_exporter { 'default':
client_password => '',
client_socket => '/var/run/mysqld/mysqld.sock',
}
ferm::rule { 'labweb_mysql':
ensure => 'present',
rule => "saddr (@resolve((${labweb_hosts.join(' ')}))) proto tcp dport (3306) ACCEPT;",
}
# mysql monitoring and administration from root clients/tendril
$mysql_root_clients_str = join($mysql_root_clients, ' ')
ferm::service { 'mysql_admin_standard':
proto => 'tcp',
port => '3306',
srange => "(${mysql_root_clients_str})",
}
ferm::service { 'mysql_admin_alternative':
proto => 'tcp',
port => '3307',
srange => "(${mysql_root_clients_str})",
}
# mysql from deployment master servers and maintenance hosts (T98682, T109736)
$maintenance_hosts_str = join($maintenance_hosts, ' ')
ferm::service { 'mysql_deployment_mwmaint':
proto => 'tcp',
port => '3306',
srange => "(\$DEPLOYMENT_HOSTS ${maintenance_hosts_str})",
}
}
|