[Labs-announce] role::puppet::self, dns and cert changes
abogott at wikimedia.org
Tue Jun 2 16:15:07 UTC 2015
If you are only a user of tool labs, you can ignore this email.
If you manage labs instances but they do not use role::puppet::self, you
can ignore this email.
If you manage labs instances and you use role::puppet::self but each
instance is stand-alone and you don't set the $puppetmaster variable,
you can ignore this email.
Ok! If anyone is still here, here's the deal. On Monday, your instance
domains are going to change. A couple of days after that, the names of
all your puppet and salt certs are going to also change. This will
break puppet on a bunch of your instances. To avoid that, you'll need
to take the following steps:
1. Update your puppet repo. You ought to be doing this regularly
anyway, but in case you aren't, here are instructions:
2. If your $puppetmaster setting is a fqdn, change it to a simple
instance name. For example, you would change
'project-puppetmaster.eqiad.wmflabs' to 'project-puppetmaster'. The two
are currently equivalent in puppet anyway, so the change should be a no-op.
** Thursday, June 4th: Andrew merges a patch that bans fqdn
puppetmaster names. ** 
3. (optional) if you want to get a head-start, remove the
use_dnsmasq=true setting from your instances and go to step 4.
** Monday, June 8th: Andrew removes use_dnsmasq everywhere. Surprise,
your puppetmaster just changed its name from <host>.eqiad.wmflabs to
4. On all puppet clients, edit /etc/puppet/puppet.conf and change the
puppetmaster name by inserting the project name before .eqiad.wmflabs.
5. On the puppetmaster, sign all the new cert requests that rolled in
as a result of step 4. Do the same for salt, if needed.
** Thursday, June 11th: Andrew merges a patch that changes cert names,
again. ** 
6. Update your puppet repo again, as per step 1.
7. On puppetmaster, once again sign all new cert requests. Do the same
for salt, if needed.
Sorry about all the steps -- role::puppetmaster::self is a hack and you
always have to pay interest on your hacks. Feel free to respond to this
email or ping me on IRC if you require additional info about this.
 https://gerrit.wikimedia.org/r/#/c/202924/ <- that gets us cert
names that are actually human readable.
More information about the Labs-announce