Alexandros Kosiaris has submitted this change and it was merged.
Change subject: ldap-corp: Populate the per DC certificates
......................................................................
ldap-corp: Populate the per DC certificates
Use ssl::certificate to populate the per-DC certificates into the
ldap-mirror hosts. Also puppetize the ownership of the certificate and
key file to be group readable by slapd
Change-Id: I607f188d3a3ea4d73471c03a2b2af2b8d3ee12f3
---
A files/ssl/ldap-corp.codfw.wikimedia.org.crt
A files/ssl/ldap-corp.eqiad.wikimedia.org.crt
M modules/role/manifests/openldap/corp.pp
3 files changed, 54 insertions(+), 0 deletions(-)
Approvals:
Alexandros Kosiaris: Verified; Looks good to me, approved
jenkins-bot: Verified
diff --git a/files/ssl/ldap-corp.codfw.wikimedia.org.crt
b/files/ssl/ldap-corp.codfw.wikimedia.org.crt
new file mode 100644
index 0000000..8320e9f
--- /dev/null
+++ b/files/ssl/ldap-corp.codfw.wikimedia.org.crt
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/files/ssl/ldap-corp.eqiad.wikimedia.org.crt
b/files/ssl/ldap-corp.eqiad.wikimedia.org.crt
new file mode 100644
index 0000000..3b57b34
--- /dev/null
+++ b/files/ssl/ldap-corp.eqiad.wikimedia.org.crt
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIENjCCAh6gAwIBAgIBBjANBgkqhkiG9w0BAQsFADCBiTELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xHTAb
+BgNVBAoMFFdpa2ltZWRpYSBGb3VuZGF0aW9uMRMwEQYDVQQLDApPcGVyYXRpb25z
+MRkwFwYDVQQDDBBXTUYgQ0EgMjAxNC0yMDE3MB4XDTE1MTEwMjEzMjEzOFoXDTE3
+MTAyMjEzMjEzOFowfjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWEx
+HTAbBgNVBAoMFFdpa2ltZWRpYSBGb3VuZGF0aW9uMRMwEQYDVQQLDApPcGVyYXRp
+b25zMSYwJAYDVQQDDB1sZGFwLWNvcnAuZXFpYWQud2lraW1lZGlhLm9yZzBcMA0G
+CSqGSIb3DQEBAQUAA0sAMEgCQQDYvtpHwmkcZ3PaSvsmVq7U3hQq0JBE5pL6TkbK
+m04qCCvrmhEDr5UOySQhBkJXoZrDy3jkT2A1SJF/bjywcn6bAgMBAAGjezB5MAkG
+A1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRp
+ZmljYXRlMB0GA1UdDgQWBBSB8jGyMp+RupezTemKQZ83bO7Q/TAfBgNVHSMEGDAW
+gBT0DVTLq2AnYhOD+/gpO+jImK+IKTANBgkqhkiG9w0BAQsFAAOCAgEAsXG/1Z+9
+xPlsTeTFdOV3WeConsXNeQ6rFksXboUPYoBmFKEkFgFs6BDvvTBrftL0QNszBOFu
+Kn8ZtKhuQtoo4a9VjHYwWcV2t3BfRkPPud6i0zaBZX8s7LnKWVXWILx+w3kpzDUW
+co/QZW5qLLQGEfHlr7CL3bBY/TDGNqhlzAVI/rY/LP9pabR2ekrf4esIcxR1wl5F
+j4w/4VGWoXq1uYQX3la7GX8gtNwQhia/DPYpa4BgrVp+T+o3h9yHjr0SqSUCRE9O
+OHBrPIfCrpcgYatwKL9C50BOAbbNhV6x4abk3m8wO1hVHmalRrhrnQSk4S+DlMdt
+I37nCqto4lYHXUXTzNXdAN/vqWpGb7trPKhhm85Excik3wuOvxBfFnjReeSr2dvI
+yKdmTBHpRgZBls2Ui6/nDC83RuXyXC9DwRUoz0lX9svxUGJK38HrwGjlKEWDCJO+
+p7yA+Gl1IGCJ2hlKXf7CYdvCko/PmMmzfACKjp0cs17Hy5E9av+fwjQ0INCNz4Ez
+rhVuZfddQC11jBVddfyXzcd4ADsWMY53loozgUoIXi0CxvUBk1I0pmjGox1AbAKN
+X/7nE0nXGg3Qi76z6jT2kIZmbWPtKMmGJygn95vzJO55TaUemIY7AAfW/OsURYpd
+pocj5AuVu8jrdZ+NRN/pOjkEbl/gTkrezxw=
+-----END CERTIFICATE-----
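Review bot: The certificate added for ldap-corp.eqiad.wikimedia.org carries a 512-bit RSA public key. The SubjectPublicKeyInfo in the PEM body (the run ending `zBcMA0G` on one line and continuing `CSqGSIb3DQEBAQUAA0sAMEgCQQDY` on the next) decodes to a 64-byte modulus, while the issuer's signature over it is 4096-bit. A key that short is far below what is acceptable for a TLS server certificate; regenerate the key at 2048 bits or more and have it reissued before slapd serves it. The extensions decode to basicConstraints, the Netscape comment, and the subject and authority key identifiers, with no subjectAltName, so hostname matching relies on clients falling back to the CN; adding a SAN for the hostname at reissue would remove that dependency.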
diff --git a/modules/role/manifests/openldap/corp.pp
b/modules/role/manifests/openldap/corp.pp
index bda1502..8a644e0 100644
--- a/modules/role/manifests/openldap/corp.pp
+++ b/modules/role/manifests/openldap/corp.pp
@@ -13,6 +13,10 @@
$sync_pass = $passwords::openldap::corp::sync_pass
sslcert::certificate { 'ldap-mirror.wikimedia.org': }
+ # Certificate needs to be readable by slapd
+ sslcert::certificate { "ldap-corp.${::site}.wikimedia.org":
+ group => 'openldap',
+ }
class { '::openldap':
server_id => 3, # 1 and 2 used in OIT
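Review bot: The comment on the added `sslcert::certificate` resource mentions only the certificate, but per the commit message `group => 'openldap'` also governs the key file, so every member of the openldap group can read the private key; say so in the comment and confirm that group has no members beyond slapd. The title interpolates `${::site}`, and this change adds certificates only for codfw and eqiad, so a host with this role at any other site would reference a certificate that is not in files/ssl; a guard or a note on the supported sites would help. The existing `ldap-mirror.wikimedia.org` resource one line above is left without a group; if slapd serves that certificate too, it needs the same treatment.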
--
To view, visit https://gerrit.wikimedia.org/r/250418
Gerrit-MessageType: merged
Gerrit-Change-Id: I607f188d3a3ea4d73471c03a2b2af2b8d3ee12f3
Gerrit-PatchSet: 2
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Alexandros Kosiaris <[email protected]>
Gerrit-Reviewer: Alexandros Kosiaris <[email protected]>
Gerrit-Reviewer: jenkins-bot <>