Jcrespo has submitted this change and it was merged. Change subject: Allow ssl key usage ......................................................................
Allow ssl key usage If ssl is enabled, import keys and certificates from the private repository and set them with restricted privileges on the subdir /etc/mysql/ssl. For now, we will share the certificates, probably we should generate one per host in the future. The certificates and keys have to exist first before deploying this commit. Change-Id: Ice0a9c81b2815cce99aa591bbac66ba75a8eb123 References: T111654 --- M manifests/config.pp A manifests/ssl_key.pp 2 files changed, 45 insertions(+), 4 deletions(-) Approvals: Jcrespo: Looks good to me, approved jenkins-bot: Verified diff --git a/manifests/config.pp b/manifests/config.pp index 96107cb..e028fac 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -1,5 +1,6 @@ # Please use separate .cnf templates for each type of server. -# Keep this independent and modular. It should be includable without the mariadb class. +# Keep this independent and modular. It should be includable +# without the mariadb class. class mariadb::config( $config = 'mariadb/default.my.cnf.erb', @@ -14,7 +15,8 @@ ) { $server_id = inline_template( - "<%= @ipaddress.split('.').inject(0) {|total,value| (total << 8 ) + value.to_i} %>" + "<%= @ipaddress.split('.').inject(0)\ +{|total,value| (total << 8 ) + value.to_i} %>" ) file { '/etc/my.cnf': @@ -39,8 +41,8 @@ } file { '/etc/mysql/my.cnf': - ensure => link, - target => '/etc/my.cnf', + ensure => link, + target => '/etc/my.cnf', require => File['/etc/mysql'], } 
@@ -79,4 +81,31 @@
 mode => '0755',
 source => 'puppet:///files/icinga/check_mariadb.pl',
 }
+
+ if ($ssl == 'on') {
+ include mariadb::ssl_key
+
+ file { '/etc/mysql/ssl':
+ ensure => directory,
+ owner => 'root',
+ group => 'mysql',
+ mode => '0750',
+ require => File['/etc/mysql']
+ }
+ ssl_key { 'cacert':
+ file => 'cacert.pem',
+ }
+ ssl_key { 'server-key':
+ file => 'server-key.pem',
+ }
+ ssl_key { 'server-cert':
+ file => 'server-cert.pem',
+ }
+ ssl_key { 'client-key':
+ file => 'client-key.pem',
+ }
+ ssl_key { 'client-cert':
+ file => 'client-cert.pem',
+ }
+ }
 }
diff --git a/manifests/ssl_key.pp b/manifests/ssl_key.pp
new file mode 100644
index 0000000..e378617
--- /dev/null
+++ b/manifests/ssl_key.pp
@@ -0,0 +1,12 @@
+class mariadb::ssl_key ($file) {
+ file { "/etc/mysql/ssl/${file}":
+ ensure => file,
+ owner => 'root',
+ group => 'mysql',
+ mode => '0440',
+ show_diff => false,
+ backup => false,
+ content => secret("mysql/${file}"),
+ require => File['/etc/mysql/ssl'],
+ }
+}
-- To view, visit https://gerrit.wikimedia.org/r/256395 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: Ice0a9c81b2815cce99aa591bbac66ba75a8eb123 Gerrit-PatchSet: 3 Gerrit-Project: operations/puppet/mariadb Gerrit-Branch: master Gerrit-Owner: Jcrespo <jcre...@wikimedia.org> Gerrit-Reviewer: Jcrespo <jcre...@wikimedia.org> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
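Review bot: The five `ssl_key { 'cacert': ... }` declarations inside the new `if ($ssl == 'on')` block do not match the manifest this change adds: `mariadb::ssl_key` is declared there as a class with a mandatory `$file` parameter, so `include mariadb::ssl_key` fails unless data binding happens to supply `mariadb::ssl_key::file`, and the unqualified resource name `ssl_key` refers to a type that nothing in this change defines. If one resource per key is the intent, make `mariadb::ssl_key` a defined type, drop the `include mariadb::ssl_key` line, and qualify each declaration as `mariadb::ssl_key { 'cacert': file => 'cacert.pem', }`. The ownership and modes chosen are sound (root:mysql, 0750 on the directory), but deploying `client-key.pem` to every server means any member of the `mysql` group on any host holds the shared client identity, which the commit message acknowledges only as a future per-host improvement. The `$ssl` parameter tested here is not declared in the visible hunks, so its default and allowed values cannot be checked from this change, and nothing in the block notifies the service, so a rotated key is presumably only picked up at the next restart.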
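Review bot: `mariadb::ssl_key` is written as a class but config.pp instantiates it five times with a different `$file` each, which a class cannot express; the first line should read `define mariadb::ssl_key ($file) {` so each certificate becomes its own resource, and the body including `require => File['/etc/mysql/ssl']` can stay as it is. Because `$file` is interpolated both into the target path `/etc/mysql/ssl/${file}` and into the `secret("mysql/${file}")` lookup, a value containing `/` or `..` would write a private-repo secret outside the ssl directory; every caller in this change passes a fixed basename, so a guard such as `if $file !~ /^[\w.-]+$/ { fail("invalid key file name ${file}") }` is defensive rather than urgent, but a define is the right place for it. `show_diff => false` and `backup => false` are the correct settings for key material and deserve a comment stating the reason, e.g. `# never expose key material in reports or the filebucket`. Mode 0440 with group `mysql` lets the daemon read the private keys without owning them; the CA and public certificates get the same 0440, which is stricter than needed but harmless.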