BBlack has uploaded a new change for review. https://gerrit.wikimedia.org/r/175464
Change subject: Turn on r::c::ssl::sni locall for varnishes ...................................................................... Turn on r::c::ssl::sni locall for varnishes This switches the ulsfo caches from r::c::ssl::unified to ::sni for actual prod traffic flow. For eqiad/esams, it configures the ::sni -style local nginx service on the cache hosts themselves, but LVS will still be sending the traffic to the ssl[13]00x machines at these datacenters instead of the new local ssl services until further changes are merged. Change-Id: I24013da78641970733649749b6dd2c5eaf507d8e --- M manifests/role/cache.pp M manifests/site.pp 2 files changed, 16 insertions(+), 17 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/64/175464/1 diff --git a/manifests/role/cache.pp b/manifests/role/cache.pp index 734b101..8ecff79 100644 --- a/manifests/role/cache.pp +++ b/manifests/role/cache.pp @@ -556,18 +556,6 @@ } } - class ssl::unified { - #TODO: kill the old wmf_ca - include certificates::wmf_ca - include certificates::wmf_ca_2014_2017 - include role::protoproxy::ssl::common - - localssl { 'unified': - certname => 'unified.wikimedia.org', - default_server => true, - } - } - # ssl::sni To replace ssl::unified above after testing... class ssl::sni { #TODO: kill the old wmf_ca @@ -745,6 +733,10 @@ description => 'text Varnish cache server', } + if $::realm == 'production' { + include role::cache::ssl::sni + } + require geoip require geoip::dev # for VCL compilation using libGeoIP @@ -904,6 +896,10 @@ system::role { 'role::cache::upload': description => 'upload Varnish cache server', + } + + if $::realm == 'production' { + include role::cache::ssl::sni } class { 'lvs::realserver': @@ -1081,6 +1077,10 @@ class bits inherits role::cache::varnish::1layer { + if $::realm == 'production' { + include role::cache::ssl::sni + } + class { 'lvs::realserver': realserver_ips => $lvs::configuration::lvs_service_ips[$::realm]['bits'][$::site], } 
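Review bot: The block `if $::realm == 'production' { include role::cache::ssl::sni }` added after the `system::role` resource in the text role (hunk at -745) is repeated verbatim in the hunks at -904 (upload), -1081 (bits) and -1180 (mobile), so the four copies can drift apart. bits and mobile inherit `role::cache::varnish::1layer` and `::2layer`; if text and upload have a comparable parent (not visible in these hunks), the conditional could be declared once there. Either way the block has no comment explaining the realm gate; something like `# TLS termination on the cache host itself; production only because <reason to be stated by the author>` would tell the next reader why non-production caches get no local TLS. The enclosing class bodies begin and end outside the hunks.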
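Review bot: Moving `include role::cache::ssl::sni` into the upload role (hunk at -904, and likewise the text, bits and mobile hunks) applies it to every production host carrying that role, which per the commit description includes eqiad/esams caches that LVS does not yet send TLS traffic to. The body of `ssl::sni` is not visible here, but if it installs certificates the way the removed `ssl::unified` did through `localssl`, private key material and a listening nginx TLS service presumably land on hosts that are not yet in the TLS path. It is worth confirming that this wider key distribution is intended at this step, and that the new listener on those hosts is covered by the existing firewall rules and monitoring. A short comment next to the include, such as `# also provisions the local TLS service on hosts LVS does not route to yet`, would record that this is deliberate.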
@@ -1180,6 +1180,10 @@ class mobile inherits role::cache::varnish::2layer { + if $::realm == 'production' { + include role::cache::ssl::sni + } + class { 'lvs::realserver': realserver_ips => $lvs::configuration::lvs_service_ips[$::realm]['mobile'][$::site], } diff --git a/manifests/site.pp b/manifests/site.pp index 692fb58..c250d6b 100644 --- a/manifests/site.pp +++ b/manifests/site.pp @@ -484,7 +484,6 @@ interface::add_ip6_mapped { 'main': } $cluster = 'cache_text' include role::cache::text - include role::cache::ssl::sni include role::authdns::testns # test dns stuff too } @@ -621,7 +620,6 @@ $cluster = 'cache_bits' include role::cache::bits - include role::cache::ssl::unified } node /^cp40(0[5-7]|1[3-5])\.ulsfo\.wmnet$/ { @@ -635,7 +633,6 @@ $cluster = 'cache_upload' include role::cache::upload - include role::cache::ssl::unified } node /^cp40(0[89]|1[0678])\.ulsfo\.wmnet$/ { @@ -649,7 +646,6 @@ $cluster = 'cache_text' include role::cache::text - include role::cache::ssl::unified } node /^cp40(1[129]|20)\.ulsfo\.wmnet$/ { @@ -663,7 +659,6 @@ $cluster = 'cache_mobile' include role::cache::mobile - include role::cache::ssl::unified } node 'dataset1001.wikimedia.org' { -- To view, visit https://gerrit.wikimedia.org/r/175464 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I24013da78641970733649749b6dd2c5eaf507d8e Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: BBlack <bbl...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits