Alexandros Kosiaris has submitted this change and it was merged.

Change subject: puppetmaster: Vary ssldir in frontend on masterness
......................................................................


puppetmaster: Vary ssldir in frontend on masterness

A frontend might or might not be a master. Vary the $ssldir variable
based on that, so that non-master frontends get the correct Apache SSL
directives.

Change-Id: I431f7e8f9f732a261ef3940d6b7b1d08c1c9eb16
---
M modules/puppetmaster/manifests/web_frontend.pp
M modules/puppetmaster/templates/web-frontend.conf.erb
2 files changed, 10 insertions(+), 8 deletions(-)

Approvals:
  Alexandros Kosiaris: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/modules/puppetmaster/manifests/web_frontend.pp 
b/modules/puppetmaster/manifests/web_frontend.pp
index f4b4215..1c6a193 100644
--- a/modules/puppetmaster/manifests/web_frontend.pp
+++ b/modules/puppetmaster/manifests/web_frontend.pp
@@ -29,7 +29,11 @@
     $alt_names=undef,
 ){
     $server_name = $title
-    $ssldir = $::puppetmaster::ssl::ssldir
+    if $master != $::fqdn {
+        $ssldir = '/var/lib/puppet/ssl'
+    } else {
+        $ssldir = $::puppetmaster::ssl::ssldir
+    }
     $ssl_settings = ssl_ciphersuite('apache', 'compat')
 
     if $alt_names {
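Review bot: The literal `'/var/lib/puppet/ssl'` in the new `if $master != $::fqdn` branch is now where Apache reads the frontend's private key, CA certificate and CRL on a non-master, but nothing ties it to the ssldir the local agent is actually configured with, and no comment explains why the two cases differ. If the agent's ssldir is ever moved, the vhost would keep pointing at a stale or missing key and CA without any catalog error. I would add a comment such as `# Non-master frontends do not use puppetmaster::ssl's ssldir; they serve TLS from the agent's own ssldir`, and take the path from an existing variable or fact if the module has one. The define's parameter list, including `$master`, starts outside this hunk, so whether `$master` can be undef (which would always select the agent path) is not visible here.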
@@ -57,12 +61,10 @@
             creates => "${ssldir}/certs/${server_name}.pem",
             before  => Service['apache2'],
         }
-
     }
     apache::site { $server_name:
         ensure   => present,
         content  => template('puppetmaster/web-frontend.conf.erb'),
         priority => $priority,
     }
-
 }
diff --git a/modules/puppetmaster/templates/web-frontend.conf.erb 
b/modules/puppetmaster/templates/web-frontend.conf.erb
index 7abcb20..26c66fa 100644
--- a/modules/puppetmaster/templates/web-frontend.conf.erb
+++ b/modules/puppetmaster/templates/web-frontend.conf.erb
@@ -4,13 +4,13 @@
 <%- if @alt_names %>    ServerAlias <%= @alt_names.sort.join(" ") %><% end %>
     SSLEngine on
     <%= @ssl_settings.join("\n") %>
-    SSLCertificateFile      /var/lib/puppet/server/ssl/certs/<%= @server_name 
%>.pem
-    SSLCertificateKeyFile   /var/lib/puppet/server/ssl/private_keys/<%= 
@server_name %>.pem
-    SSLCACertificateFile    /var/lib/puppet/server/ssl/ca/ca_crt.pem
-    SSLCertificateChainFile /var/lib/puppet/server/ssl/ca/ca_crt.pem
+    SSLCertificateFile      <%= @ssldir %>/certs/<%= @server_name %>.pem
+    SSLCertificateKeyFile   <%= @ssldir %>/private_keys/<%= @server_name %>.pem
+    SSLCACertificateFile    <%= @ssldir %>/ca/ca_crt.pem
+    SSLCertificateChainFile <%= @ssldir %>/ca/ca_crt.pem
     # If Apache complains about invalid signatures on the CRL, you can try 
disabling
     # CRL checking by commenting the next line, but this is not recommended.
-    SSLCARevocationPath     /var/lib/puppet/server/ssl/crl
+    SSLCARevocationPath     <%= @ssldir %>/crl
     SSLVerifyClient <%= scope.lookupvar('puppetmaster::verify_client') %>
     SSLVerifyDepth  1
     SSLOptions +StdEnvVars
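Review bot: `SSLCACertificateFile`, `SSLCertificateChainFile` and `SSLCARevocationPath` now resolve to `<%= @ssldir %>/ca/ca_crt.pem` and `<%= @ssldir %>/crl`, which on a non-master frontend means the agent's ssldir. A stock agent ssldir normally keeps the CA certificate at `certs/ca.pem` and the CRL at `crl.pem`, with no `ca/` or `crl/` subdirectory. Unless another resource outside this diff populates those paths, Apache may fail to start, or client verification under `SSLVerifyClient` may run without revocation data. It is worth confirming that those files exist on a non-master host, and recording where they come from in a template comment such as `# ca/ca_crt.pem and crl/ under ssldir are provisioned by <resource>; client-cert verification depends on them`.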

-- 
To view, visit https://gerrit.wikimedia.org/r/308442

Gerrit-MessageType: merged
Gerrit-Change-Id: I431f7e8f9f732a261ef3940d6b7b1d08c1c9eb16
Gerrit-PatchSet: 3
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Alexandros Kosiaris <[email protected]>
Gerrit-Reviewer: Alexandros Kosiaris <[email protected]>
Gerrit-Reviewer: jenkins-bot <>
