Merge pull request #1119 from lsst-it/IT-4780/cp-tang

(role/tang) add cp site support
lsst-it · Apr 9, 2024 · 1cbd908 · 1cbd908
2 parents cabe27a + 964cea5
commit 1cbd908
Show file tree

Hide file tree

Showing 11 changed files with 235 additions and 0 deletions.
diff --git a/hieradata/common.yaml b/hieradata/common.yaml
@@ -388,6 +388,15 @@ ipset::sets:
       - "139.229.152.128/26"  # vlan2503
       - "139.229.152.192/26"  # vlan2504
       - "139.229.154.0/26"  # vlan2507
+  cpfde:  # cps site hosts which might need FDE
+    ensure: "present"
+    type: "hash:net"
+    set:
+      - "139.229.160.0/24"  # vlan1101
+      - "139.229.161.0/27"  # vlan1102
+      - "139.229.175.128/25"  # vlan1502
+      - "139.229.175.0/26"  # vlan1510
+      - "139.229.175.64/26"  # vlan1511
 
 # sssd ipa client setup -- do not use on ipa servers
 sssd::main_config:

diff --git a/hieradata/node/tang01.cp.lsst.org.yaml b/hieradata/node/tang01.cp.lsst.org.yaml
@@ -0,0 +1,18 @@
+---
+nm::connections:
+  enp1s0:
+    content:
+      connection:
+        id: "enp1s0"
+        uuid: "03da7500-2101-c722-2438-d0d006c28c73"
+        type: "ethernet"
+        interface-name: "enp1s0"
+      ethernet: {}
+      ipv4:
+        address1: "139.229.161.4/27,139.229.161.30"
+        dns: "139.229.160.53;139.229.160.54;139.229.160.55;"
+        dns-search: "cp.lsst.org;"
+        method: "manual"
+      ipv6:
+        method: "disabled"
+      proxy: {}
diff --git a/hieradata/node/tang02.cp.lsst.org.yaml b/hieradata/node/tang02.cp.lsst.org.yaml
@@ -0,0 +1,18 @@
+---
+nm::connections:
+  enp1s0:
+    content:
+      connection:
+        id: "enp1s0"
+        uuid: "03da7500-2101-c722-2438-d0d006c28c73"
+        type: "ethernet"
+        interface-name: "enp1s0"
+      ethernet: {}
+      ipv4:
+        address1: "139.229.161.5/27,139.229.161.30"
+        dns: "139.229.160.53;139.229.160.54;139.229.160.55;"
+        dns-search: "cp.lsst.org;"
+        method: "manual"
+      ipv6:
+        method: "disabled"
+      proxy: {}
diff --git a/hieradata/node/tang03.cp.lsst.org.yaml b/hieradata/node/tang03.cp.lsst.org.yaml
@@ -0,0 +1,18 @@
+---
+nm::connections:
+  enp1s0:
+    content:
+      connection:
+        id: "enp1s0"
+        uuid: "03da7500-2101-c722-2438-d0d006c28c73"
+        type: "ethernet"
+        interface-name: "enp1s0"
+      ethernet: {}
+      ipv4:
+        address1: "139.229.161.6/27,139.229.161.30"
+        dns: "139.229.160.53;139.229.160.54;139.229.160.55;"
+        dns-search: "cp.lsst.org;"
+        method: "manual"
+      ipv6:
+        method: "disabled"
+      proxy: {}
diff --git a/hieradata/site/cp/role/foreman.yaml b/hieradata/site/cp/role/foreman.yaml
@@ -4,6 +4,10 @@ profile::core::foreman::foreman_hostgroup:
     description: "cp site"
 profile::core::foreman::smee_url: "https://smee.io/lpxrggGObEn5YTA"
 puppet::server::puppetdb::server: "puppetdb.cp.lsst.org"
+profile::core::foreman::foreman_global_parameter:
+  disk_enc_tang_servers:  # XXX not idempotent
+    parameter_type: "json"
+    value: '["tang01.cp.lsst.org:7500", "tang02.cp.lsst.org:7500", "tang03.cp.lsst.org:7500"]'
 
 r10k::sources:
   control:

diff --git a/hieradata/site/cp/role/tang.yaml b/hieradata/site/cp/role/tang.yaml
@@ -0,0 +1,8 @@
+---
+profile::core::firewall::firewall:
+  "200 accept tang":
+    proto: "tcp"
+    state: "NEW"
+    ipset: "cpfde src"
+    dport: "7500"
+    action: "accept"
diff --git a/spec/hosts/nodes/tang01.cp.lsst.org_spec.rb b/spec/hosts/nodes/tang01.cp.lsst.org_spec.rb
@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'tang01.cp.lsst.org', :sitepp do
+  on_supported_os.each do |os, os_facts|
+    next unless os =~ %r{almalinux-9-x86_64}
+
+    context "on #{os}" do
+      let(:facts) do
+        override_facts(os_facts,
+                       fqdn: 'tang01.cp.lsst.org',
+                       is_virtual: true,
+                       virtual: 'kvm',
+                       dmi: {
+                         'product' => {
+                           'name' => 'KVM',
+                         },
+                       })
+      end
+      let(:node_params) do
+        {
+          role: 'tang',
+          site: 'cp',
+        }
+      end
+
+      it { is_expected.to compile.with_all_deps }
+
+      include_examples 'vm'
+      include_context 'with nm interface'
+      it { is_expected.to have_nm__connection_resource_count(1) }
+
+      context 'with enp1s0' do
+        let(:interface) { 'enp1s0' }
+
+        it_behaves_like 'nm enabled interface'
+        it_behaves_like 'nm ethernet interface'
+        it_behaves_like 'nm manual interface'
+        it { expect(nm_keyfile['ipv4']['address1']).to eq('139.229.161.4/27,139.229.161.30') }
+        it { expect(nm_keyfile['ipv4']['dns']).to eq('139.229.160.53;139.229.160.54;139.229.160.55;') }
+        it { expect(nm_keyfile['ipv4']['dns-search']).to eq('cp.lsst.org;') }
+      end
+    end # on os
+  end # on_supported_os
+end
diff --git a/spec/hosts/nodes/tang02.cp.lsst.org_spec.rb b/spec/hosts/nodes/tang02.cp.lsst.org_spec.rb
@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'tang02.cp.lsst.org', :sitepp do
+  on_supported_os.each do |os, os_facts|
+    next unless os =~ %r{almalinux-9-x86_64}
+
+    context "on #{os}" do
+      let(:facts) do
+        override_facts(os_facts,
+                       fqdn: 'tang02.cp.lsst.org',
+                       is_virtual: true,
+                       virtual: 'kvm',
+                       dmi: {
+                         'product' => {
+                           'name' => 'KVM',
+                         },
+                       })
+      end
+      let(:node_params) do
+        {
+          role: 'tang',
+          site: 'cp',
+        }
+      end
+
+      it { is_expected.to compile.with_all_deps }
+
+      include_examples 'vm'
+      include_context 'with nm interface'
+      it { is_expected.to have_nm__connection_resource_count(1) }
+
+      context 'with enp1s0' do
+        let(:interface) { 'enp1s0' }
+
+        it_behaves_like 'nm enabled interface'
+        it_behaves_like 'nm ethernet interface'
+        it_behaves_like 'nm manual interface'
+        it { expect(nm_keyfile['ipv4']['address1']).to eq('139.229.161.5/27,139.229.161.30') }
+        it { expect(nm_keyfile['ipv4']['dns']).to eq('139.229.160.53;139.229.160.54;139.229.160.55;') }
+        it { expect(nm_keyfile['ipv4']['dns-search']).to eq('cp.lsst.org;') }
+      end
+    end # on os
+  end # on_supported_os
+end
diff --git a/spec/hosts/nodes/tang03.cp.lsst.org_spec.rb b/spec/hosts/nodes/tang03.cp.lsst.org_spec.rb
@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'tang03.cp.lsst.org', :sitepp do
+  on_supported_os.each do |os, os_facts|
+    next unless os =~ %r{almalinux-9-x86_64}
+
+    context "on #{os}" do
+      let(:facts) do
+        override_facts(os_facts,
+                       fqdn: 'tang03.cp.lsst.org',
+                       is_virtual: true,
+                       virtual: 'kvm',
+                       dmi: {
+                         'product' => {
+                           'name' => 'KVM',
+                         },
+                       })
+      end
+      let(:node_params) do
+        {
+          role: 'tang',
+          site: 'cp',
+        }
+      end
+
+      it { is_expected.to compile.with_all_deps }
+
+      include_examples 'vm'
+      include_context 'with nm interface'
+      it { is_expected.to have_nm__connection_resource_count(1) }
+
+      context 'with enp1s0' do
+        let(:interface) { 'enp1s0' }
+
+        it_behaves_like 'nm enabled interface'
+        it_behaves_like 'nm ethernet interface'
+        it_behaves_like 'nm manual interface'
+        it { expect(nm_keyfile['ipv4']['address1']).to eq('139.229.161.6/27,139.229.161.30') }
+        it { expect(nm_keyfile['ipv4']['dns']).to eq('139.229.160.53;139.229.160.54;139.229.160.55;') }
+        it { expect(nm_keyfile['ipv4']['dns-search']).to eq('cp.lsst.org;') }
+      end
+    end # on os
+  end # on_supported_os
+end
diff --git a/spec/hosts/roles/tang_spec.rb b/spec/hosts/roles/tang_spec.rb
@@ -66,6 +66,16 @@
                 action: 'accept',
               )
             end
+          when 'cp'
+            it do
+              is_expected.to contain_firewall('200 accept tang').with(
+                proto: 'tcp',
+                state: 'NEW',
+                ipset: 'cpfde src',
+                dport: '7500',
+                action: 'accept',
+              )
+            end
           end
 
           it do

diff --git a/spec/support/spec/ipset.rb b/spec/support/spec/ipset.rb
@@ -72,4 +72,16 @@
       ],
     ).that_comes_before('Class[firewall]')
   end
+
+  it do
+    is_expected.to contain_ipset__set('cpfde').with_set(
+      %w[
+        139.229.160.0/24
+        139.229.161.0/27
+        139.229.175.128/25
+        139.229.175.0/26
+        139.229.175.64/26
+      ],
+    ).that_comes_before('Class[firewall]')
+  end
 end