Filippo Giunchedi has submitted this change and it was merged.

Change subject: cassandra: install certs and CA from private.git
......................................................................


cassandra: install certs and CA from private.git

Also make server encryption configurable, but disabled by default.

Bug: T108953
Change-Id: I1554b0e2a10338d3e1b5e35f951b975bf9c46b1a
---
M modules/cassandra/manifests/init.pp
M modules/cassandra/templates/cassandra.yaml.erb
2 files changed, 53 insertions(+), 10 deletions(-)

Approvals:
  Filippo Giunchedi: Verified; Looks good to me, approved
  Eevans: Looks good to me, but someone else must approve
  GWicke: Looks good to me, but someone else must approve



diff --git a/modules/cassandra/manifests/init.pp 
b/modules/cassandra/manifests/init.pp
index 3299afd..91fb7bd 100644
--- a/modules/cassandra/manifests/init.pp
+++ b/modules/cassandra/manifests/init.pp
@@ -175,6 +175,20 @@
 # [*key_cache_size_in_mb*]
 #   Maximum size of the key cache in memory.
 #   Default: empty (aka "auto" (min(5% of heap (in MB), 100MB)))
+#
+# [*tls_cluster_name*]
+#   If specified, use private keys (client and server) from private.git
+#   belonging to this cluster. Also install the cluster's CA as trusted.
+#   Default: undef
+#
+# [*internode_encryption*]
+#   What level of inter node encryption to enable
+#   Default: none
+#
+# [*client_encryption_enabled*]
+#   Enable client-side encryption
+#   Default: false
+
 class cassandra(
     $cluster_name                     = 'Test Cluster',
     $seeds                            = [$::ipaddress],
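Review bot: The new `[*internode_encryption*]` doc entry says only "what level" without naming the accepted values, so a caller has to go to the Cassandra reference to learn what to pass. Cassandra's `server_encryption_options.internode_encryption` accepts `none`, `dc`, `rack` and `all`; I would add `#   One of: none, dc, rack, all (as accepted by Cassandra's server_encryption_options).` under that heading. It would also help to state under `[*tls_cluster_name*]` which files are installed (`/etc/cassandra/tls/server.key` and `server.trust`) so the relationship to the yaml paths is visible from the parameter docs.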
@@ -214,6 +228,9 @@
     $dc                               = 'datacenter1',
     $rack                             = 'rack1',
     $key_cache_size_in_mb             = 400,
+    $tls_cluster_name                 = undef,
+    $internode_encryption             = none,
+    $client_encryption_enabled        = false,
 
     $yaml_template                    = "${module}/cassandra.yaml.erb",
     $env_template                     = "${module}/cassandra-env.sh.erb",
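Review bot: `$internode_encryption = none,` uses a bareword where every other string default in this parameter list is quoted (`'datacenter1'`, `'rack1'`); it should be `$internode_encryption = 'none',` so it is unambiguously a string and consistent with its neighbours. Since the value is interpolated verbatim into cassandra.yaml, a typo silently becomes an invalid config at service start; if the module already pulls in stdlib, a `validate_re` against the four accepted values in the class body would catch that at catalog time (I cannot see whether stdlib is available from this hunk).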
@@ -344,6 +361,32 @@
         require => Package['cassandra'],
     }
 
+    if ($tls_cluster_name) {
+        file { '/etc/cassandra/tls':
+            ensure  => directory,
+            owner   => 'cassandra',
+            group   => 'cassandra',
+            mode    => '0400',
+            require => Package['cassandra'],
+        }
+
+        file { '/etc/cassandra/tls/server.key':
+            content => 
secret("cassandra/${tls_cluster_name}/${hostname}/${hostname}.kst"),
+            owner   => 'cassandra',
+            group   => 'cassandra',
+            mode    => '0400',
+            require => File['/etc/cassandra/tls'],
+        }
+
+        file { '/etc/cassandra/tls/server.trust':
+            content => secret("cassandra/${tls_cluster_name}/truststore"),
+            owner   => 'cassandra',
+            group   => 'cassandra',
+            mode    => '0400',
+            require => File['/etc/cassandra/tls'],
+        }
+    }
+
     file { '/etc/default/cassandra':
         content => template("${module_name}/cassandra.default.erb"),
         owner   => 'cassandra',
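Review bot: `mode => '0400'` on the `/etc/cassandra/tls` directory resource leaves the directory without the execute (search) bit, so the `cassandra` user that owns it cannot open `server.key` or `server.trust` inside it even though those files are readable; the directory wants `mode => '0500'` (files keep `0400`). Separately, `${hostname}` in the `secret()` path relies on dynamic lookup of the top-scope fact; `$::hostname` is the explicit form and what puppet-lint's variable_scope check expects. Neither file resource notifies the service, so a rotated keystore from private.git would not be picked up until the next restart — worth a `notify` if the module declares a `Service['cassandra']` (not visible in this hunk).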
diff --git a/modules/cassandra/templates/cassandra.yaml.erb 
b/modules/cassandra/templates/cassandra.yaml.erb
index dc23590..dd78730 100644
--- a/modules/cassandra/templates/cassandra.yaml.erb
+++ b/modules/cassandra/templates/cassandra.yaml.erb
@@ -731,11 +731,11 @@
 # 
http://download.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore
 #
 server_encryption_options:
-    internode_encryption: none
-    keystore: conf/.keystore
-    keystore_password: cassandra
-    truststore: conf/.truststore
-    truststore_password: cassandra
+    internode_encryption: <%= @internode_encryption %>
+    keystore: /etc/cassandra/tls/server.key
+    keystore_password: placeholder
+    truststore: /etc/cassandra/tls/server.trust
+    truststore_password: placeholder
     # More advanced defaults below:
     # protocol: TLS
     # algorithm: SunX509
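Review bot: `keystore_password: placeholder` and `truststore_password: placeholder` are literal strings that Cassandra will use to open `/etc/cassandra/tls/server.key` and `server.trust` as soon as `internode_encryption` is set to anything but `none`; unless the `.kst` and truststore in private.git were created with exactly that password, enabling encryption will fail at startup. Since the real passwords have to live somewhere, the template should take them from class parameters (for example `keystore_password: <%= @keystore_password %>`) sourced the same way as the keystores, and a comment above the block should say so rather than leaving a value that looks intentional. The change is harmless with the current `none` default, which is presumably why it passed review.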
@@ -745,13 +745,13 @@
 
 # enable or disable client/server encryption.
 client_encryption_options:
-    enabled: false
-    keystore: conf/.keystore
-    keystore_password: cassandra
+    enabled: <%= @client_encryption_enabled %>
+    keystore: /etc/cassandra/tls/client.key
+    keystore_password: placeholder
     # require_client_auth: false
     # Set trustore and truststore_password if require_client_auth is true
-    # truststore: conf/.truststore
-    # truststore_password: cassandra
+    # truststore: /etc/cassandra/tls/client.trust
+    # truststore_password: placeholder
     # More advanced defaults below:
     # protocol: TLS
     # algorithm: SunX509
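Review bot: `keystore: /etc/cassandra/tls/client.key` points at a file that the manifest hunk in init.pp does not install — only `server.key` and `server.trust` are managed — so setting `client_encryption_enabled` to true produces a config referencing a missing keystore. Either install a client keystore alongside the server one under the same `if ($tls_cluster_name)` guard, or point this at `/etc/cassandra/tls/server.key` if the same keystore is intended for both. The `keystore_password: placeholder` literal here has the same problem as in `server_encryption_options` above.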

-- 
To view, visit https://gerrit.wikimedia.org/r/237397

Gerrit-MessageType: merged
Gerrit-Change-Id: I1554b0e2a10338d3e1b5e35f951b975bf9c46b1a
Gerrit-PatchSet: 3
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Filippo Giunchedi <fgiunch...@wikimedia.org>
Gerrit-Reviewer: Alexandros Kosiaris <akosia...@wikimedia.org>
Gerrit-Reviewer: Eevans <eev...@wikimedia.org>
Gerrit-Reviewer: Filippo Giunchedi <fgiunch...@wikimedia.org>
Gerrit-Reviewer: GWicke <gwi...@wikimedia.org>
Gerrit-Reviewer: Mobrovac <mobro...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>
