SMW query to see how eqiad hosts are configured: https://wikitech.wikimedia.org/w/index.php?title=Special%3AAsk&q=%5B%5BResource+Type%3A%3Ainstance%5D%5D%0D%0A%5B%5BProject%3A%3Adeployment-prep%5D%5D%0D%0A%5B%5BRegion%3A%3Aeqiad%5D%5D&po=%3FPuppet+Var%0D%0A&eq=yes&p%5Bformat%5D=broadtable&sort%5B0%5D=Modification+date&order%5B0%5D=DESC&sort_num=&order_num=ASC&p%5Blimit%5D=200&p%5Boffset%5D=&p%5Blink%5D=all&p%5Bsort%5D=Modification+date&p%5Bheaders%5D=show&p%5Bmainlabel%5D=Instance&p%5Bintro%5D=&p%5Boutro%5D=&p%5Bsearchlabel%5D=%E2%80%A6+further+results&p%5Bdefault%5D=&p%5Bclass%5D=sortable+wikitable+smwtable&eq=yes

Should we set those parameters directly in the puppet manifests? This way whenever an instance is created it will be configured to point to that puppet master.

Maybe just after manifests/realm.pp

For now, manual instructions on configuring a host are given at https://wikitech.wikimedia.org/wiki/Nova_Resource:Deployment-prep/How_code_is_updated#Converting_a_host_to_use_local_puppetmaster_and_salt_master

We still need to have to set the configuration manually. Pointing to the local puppet seems easy enough, I am not sure how we could automatically sign the puppet/salt keys though :(

Both salt http://docs.saltstack.com/en/latest/ref/configuration/master.html#auto-accept and puppet https://docs.puppetlabs.com/puppet/latest/reference/ssl_autosign.html can be configured to automatically sign keys. I personally don't see that there would be an sort of serious security implications of making this work within the beta cluster.

Yuvi and Giuseppe are working on integrating wikitech and hiera in such a way that it should be possible to setup per-project configuration that can automate adding the proper roles and settings to all hosts in the deployment-prep project. The trickiest part will probably be trying to find a way to automate removing the salt key for the labs wide master so that the project specific master's key can be saved on each host.

This may be possible via the new hiera integration with wikitech.

The beta salt and puppet masters would need to be configured to auto-sign certificates to go along with this as noted previously. I think this is reasonably safe since you can not communicate with our salt and puppet masters from outside the project and only admins who would also be able to sign certs can create new instances.

I have created two subtasks to auto accept keys on the salt master (T75766) and puppet master (T75767).

Hmm, I wonder if we should enable a hiera thing that lets you switch puppetmasters. Problem there would be reverting - if the puppetmaster you pointed to was wrong, reverting won't work since that would require a puppet run to work.

In T64795#782492, @yuvipanda wrote:

Hmm, I wonder if we should enable a hiera thing that lets you switch puppetmasters. Problem there would be reverting - if the puppetmaster you pointed to was wrong, reverting won't work since that would require a puppet run to work.

This should just be setting $::puppetmaster and enabling role::puppet::self which you can already do easily in the wikitech interface. I haven't tried yet to control either of these via the hiera settings, but in theory it should be possible. It would probably be nicer with a bit of refactoring on the puppet side. I don't know if we are using hiera_include('classes') or something similar in site.pp yet to apply classes defined in hiera.

This can be done now easily thanks to thcipriani's patches.