BBlack has submitted this change and it was merged.
Change subject: Turn on r::c::ssl::sni locally for varnishes
......................................................................
Turn on r::c::ssl::sni locally for varnishes
This switches the ulsfo caches from r::c::ssl::unified to ::sni
for actual prod traffic flow. For eqiad/esams, it configures the
::sni -style local nginx service on the cache hosts themselves,
but LVS will still be sending the traffic to the ssl[13]00x
machines at these datacenters instead of the new local ssl
services until further changes are merged.
Change-Id: I24013da78641970733649749b6dd2c5eaf507d8e
---
M manifests/role/cache.pp
M manifests/site.pp
2 files changed, 16 insertions(+), 17 deletions(-)
Approvals:
BBlack: Looks good to me, approved
jenkins-bot: Verified
diff --git a/manifests/role/cache.pp b/manifests/role/cache.pp
index 2f5c9c9..7e29ca7 100644
--- a/manifests/role/cache.pp
+++ b/manifests/role/cache.pp
@@ -556,18 +556,6 @@
}
}
- class ssl::unified {
- #TODO: kill the old wmf_ca
- include certificates::wmf_ca
- include certificates::wmf_ca_2014_2017
- include role::protoproxy::ssl::common
-
- localssl { 'unified':
- certname => 'unified.wikimedia.org',
- default_server => true,
- }
- }
-
# ssl::sni To replace ssl::unified above after testing...
class ssl::sni {
#TODO: kill the old wmf_ca
@@ -734,6 +722,10 @@
description => 'text Varnish cache server',
}
+ if $::realm == 'production' {
+ include role::cache::ssl::sni
+ }
+
require geoip
require geoip::dev # for VCL compilation using libGeoIP
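Review bot: The added `if $::realm == 'production' { include role::cache::ssl::sni }` guard is repeated verbatim in this hunk and in the upload, bits and mobile role classes in the same file; since bits and mobile already inherit `role::cache::varnish::1layer` / `2layer`, the include could live once in those shared parents (or a small `role::cache::ssl::local` wrapper) if text and upload share the same ancestry, which is not visible here. Whichever place it ends up, the guard decides whether a cache host runs a local TLS terminator at all, so it deserves a why-comment, e.g. `# Local SNI TLS termination only in production; other realms presumably lack the unified cert/key — confirm`. The enclosing class body starts and ends outside this hunk.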
@@ -893,6 +885,10 @@
system::role { 'role::cache::upload':
description => 'upload Varnish cache server',
+ }
+
+ if $::realm == 'production' {
+ include role::cache::ssl::sni
}
class { 'lvs::realserver':
@@ -1070,6 +1066,10 @@
class bits inherits role::cache::varnish::1layer {
+ if $::realm == 'production' {
+ include role::cache::ssl::sni
+ }
+
class { 'lvs::realserver':
realserver_ips =>
$lvs::configuration::lvs_service_ips[$::realm]['bits'][$::site],
}
@@ -1169,6 +1169,10 @@
class mobile inherits role::cache::varnish::2layer {
+ if $::realm == 'production' {
+ include role::cache::ssl::sni
+ }
+
class { 'lvs::realserver':
realserver_ips =>
$lvs::configuration::lvs_service_ips[$::realm]['mobile'][$::site],
}
diff --git a/manifests/site.pp b/manifests/site.pp
index f021f21..cf0f987 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -484,7 +484,6 @@
interface::add_ip6_mapped { 'main': }
$cluster = 'cache_text'
include role::cache::text
- include role::cache::ssl::sni
include role::authdns::testns # test dns stuff too
}
@@ -621,7 +620,6 @@
$cluster = 'cache_bits'
include role::cache::bits
- include role::cache::ssl::unified
}
node /^cp40(0[5-7]|1[3-5])\.ulsfo\.wmnet$/ {
@@ -635,7 +633,6 @@
$cluster = 'cache_upload'
include role::cache::upload
- include role::cache::ssl::unified
}
node /^cp40(0[89]|1[0678])\.ulsfo\.wmnet$/ {
@@ -649,7 +646,6 @@
$cluster = 'cache_text'
include role::cache::text
- include role::cache::ssl::unified
}
node /^cp40(1[129]|20)\.ulsfo\.wmnet$/ {
@@ -663,7 +659,6 @@
$cluster = 'cache_mobile'
include role::cache::mobile
- include role::cache::ssl::unified
}
node 'dataset1001.wikimedia.org' {
--
Gerrit-MessageType: merged
Gerrit-Change-Id: I24013da78641970733649749b6dd2c5eaf507d8e
Gerrit-PatchSet: 3
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BBlack <[email protected]>
Gerrit-Reviewer: BBlack <[email protected]>
Gerrit-Reviewer: jenkins-bot <>