Jcrespo has submitted this change and it was merged.

Change subject: Allow ssl key usage
......................................................................


Allow ssl key usage

If ssl is enabled, import keys and certificates from the private
repository and set them with restricted privileges on the subdir
/etc/mysql/ssl.

For now the certificates are shared between hosts; we should probably
generate one per host in the future.

The certificates and keys have to exist first before deploying
this commit.

Change-Id: Ice0a9c81b2815cce99aa591bbac66ba75a8eb123
References: T111654
---
M manifests/config.pp
A manifests/ssl_key.pp
2 files changed, 45 insertions(+), 4 deletions(-)

Approvals:
  Jcrespo: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/manifests/config.pp b/manifests/config.pp
index 96107cb..e028fac 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -1,5 +1,6 @@
 # Please use separate .cnf templates for each type of server.
-# Keep this independent and modular. It should be includable without the 
mariadb class.
+# Keep this independent and modular. It should be includable 
+# without the mariadb class.
 
 class mariadb::config(
     $config    = 'mariadb/default.my.cnf.erb',
@@ -14,7 +15,8 @@
     ) {
 
     $server_id = inline_template(
-        "<%= @ipaddress.split('.').inject(0) {|total,value| (total << 8 ) + 
value.to_i} %>"
+        "<%= @ipaddress.split('.').inject(0)\
+{|total,value| (total << 8 ) + value.to_i} %>"
     )
 
     file { '/etc/my.cnf':
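Review bot: The trailing backslash in `"<%= @ipaddress.split('.').inject(0)\` relies on Puppet passing an undefined `\<newline>` escape through the double-quoted string unchanged so that Ruby can treat it as a line continuation inside the ERB; that works by accident rather than by contract, and I believe newer Puppet releases warn on unrecognised escape sequences. Breaking the line after the block parameters needs no escape and is unambiguous in both languages: `"<%= @ipaddress.split('.').inject(0) { |total,value|` followed by `(total << 8) + value.to_i } %>"`. This reformatting is also unrelated to the ssl-key change the commit describes and would be easier to review on its own. The enclosing `mariadb::config` class starts and ends outside this hunk.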
@@ -39,8 +41,8 @@
     }
 
     file { '/etc/mysql/my.cnf':
-        ensure => link,
-        target => '/etc/my.cnf',
+        ensure  => link,
+        target  => '/etc/my.cnf',
         require => File['/etc/mysql'],
     }
 
@@ -79,4 +81,31 @@
         mode   => '0755',
         source => 'puppet:///files/icinga/check_mariadb.pl',
     }
+
+    if ($ssl == 'on') {
+        include mariadb::ssl_key
+
+        file { '/etc/mysql/ssl':
+            ensure  => directory,
+            owner   => 'root',
+            group   => 'mysql',
+            mode    => '0750',
+            require => File['/etc/mysql']
+        }
+        ssl_key { 'cacert':
+            file => 'cacert.pem',
+        }
+        ssl_key { 'server-key':
+            file => 'server-key.pem',
+        }
+        ssl_key { 'server-cert':
+            file => 'server-cert.pem',
+        }
+        ssl_key { 'client-key':
+            file => 'client-key.pem',
+        }
+        ssl_key { 'client-cert':
+            file => 'client-cert.pem',
+        }
+    }
 }
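Review bot: The five `ssl_key { ... }` declarations at the end of this hunk, together with the `include mariadb::ssl_key` above them, do not fit the `class mariadb::ssl_key ($file)` added in manifests/ssl_key.pp: a parametrized class cannot be included without its `$file` argument, a class can be declared only once per catalog, and resource-style `ssl_key { 'cacert': }` needs a defined type rather than a class (unless an `ssl_key` define exists outside this diff). Make it `define mariadb::ssl_key ($file = $title)` in ssl_key.pp, drop the `include`, and declare each key as `mariadb::ssl_key { 'cacert': file => 'cacert.pem', }`; the same point applies to the ssl_key.pp hunk below. `$ssl` is not among the parameters visible in this diff (the parameter list of `mariadb::config` sits between the first two hunks), so confirm it is a class parameter rather than an accidental top-scope lookup. Minor: `require => File['/etc/mysql']` on the directory resource lacks the trailing comma used everywhere else in the file. The enclosing class starts outside this hunk.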
diff --git a/manifests/ssl_key.pp b/manifests/ssl_key.pp
new file mode 100644
index 0000000..e378617
--- /dev/null
+++ b/manifests/ssl_key.pp
@@ -0,0 +1,12 @@
+class mariadb::ssl_key ($file) {
+    file { "/etc/mysql/ssl/${file}":
+        ensure    => file,
+        owner     => 'root',
+        group     => 'mysql',
+        mode      => '0440',
+        show_diff => false,
+        backup    => false,
+        content   => secret("mysql/${file}"),
+        require   => File['/etc/mysql/ssl'],
+    }
+}
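Review bot: `$file` is interpolated straight into the managed path `"/etc/mysql/ssl/${file}"` and into the `secret()` lookup with no validation, so a value containing `/` or consisting of `..` would place key material outside /etc/mysql/ssl. The callers in config.pp only pass literal basenames today, but a one-line guard at the top of the body keeps that contract explicit: `if $file !~ /^[\w-][\w.-]*$/ { fail("mariadb::ssl_key: invalid file name '${file}'") }`. Defaulting the parameter, `($file = $title)`, would also let callers pass the basename as the title and drop the repeated `file =>` argument. The restrictive attributes (`mode => '0440'`, `show_diff => false`, `backup => false`) are the right choice for private keys, since they keep key contents out of agent reports and the filebucket.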


Gerrit-MessageType: merged
Gerrit-Change-Id: Ice0a9c81b2815cce99aa591bbac66ba75a8eb123
Gerrit-PatchSet: 3
Gerrit-Project: operations/puppet/mariadb
Gerrit-Branch: master
Gerrit-Owner: Jcrespo <jcre...@wikimedia.org>
Gerrit-Reviewer: Jcrespo <jcre...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>
