Faidon Liambotis has submitted this change and it was merged.
Change subject: Split check_ssl between traditional year-long certs and LE's 3
month certs
......................................................................
Split check_ssl between traditional year-long certs and Let's Encrypt's 3-month certs
Bug: T144293
Change-Id: I03d1c3e85b404c3501fbb46b9d3ea18a096691a8
---
M modules/gerrit/manifests/proxy.pp
M modules/icinga/manifests/monitor/certs.pp
M modules/install_server/manifests/web_server.pp
M modules/mirrors/manifests/serve.pp
M modules/nagios_common/files/check_commands/check_ssl.cfg
M modules/role/manifests/cache/ssl/unified.pp
M modules/role/manifests/gerrit/server.pp
M modules/role/manifests/labs/openstack/nova.pp
M modules/tlsproxy/manifests/localssl.pp
M modules/toolserver_legacy/manifests/init.pp
10 files changed, 33 insertions(+), 13 deletions(-)
Approvals:
Faidon Liambotis: Looks good to me, approved
jenkins-bot: Verified
diff --git a/modules/gerrit/manifests/proxy.pp
b/modules/gerrit/manifests/proxy.pp
index 6aa665c..b055e5c 100644
--- a/modules/gerrit/manifests/proxy.pp
+++ b/modules/gerrit/manifests/proxy.pp
@@ -9,6 +9,12 @@
system_svc => 'apache2',
}
+ monitoring::service { 'https':
+ description => 'HTTPS',
+ check_command => "check_ssl_http_letsencrypt!${host}",
+ contact_group => 'admins,gerrit',
+ }
+
$ssl_settings = ssl_ciphersuite('apache', 'mid', true)
apache::site { $host:
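Review bot: `${host}` in the new check_command is not defined anywhere in this hunk, and the only visible definition of a `$host` for gerrit, `$host = hiera('gerrit::host')`, is the one this same change removes from role::gerrit::server. Please confirm `$host` is a parameter of gerrit::proxy (the class header is above the hunk) rather than a leftover reference, since an undef `$host` would silently produce `check_ssl_http_letsencrypt!` with an empty CN and the check would no longer verify the name users connect to. A one-line comment would help the next reader, e.g. `# $HOSTADDRESS$ is this proxy; --cn must match the public name on the LE cert`.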
diff --git a/modules/icinga/manifests/monitor/certs.pp
b/modules/icinga/manifests/monitor/certs.pp
index 36a4756..d568152 100644
--- a/modules/icinga/manifests/monitor/certs.pp
+++ b/modules/icinga/manifests/monitor/certs.pp
@@ -10,7 +10,7 @@
}
monitoring::service { 'https_blog':
description => 'HTTPS-blog',
- check_command => 'check_ssl_http!blog.wikimedia.org',
+ check_command => 'check_ssl_http_letsencrypt!blog.wikimedia.org',
host => 'blog.wikimedia.org',
}
@@ -36,7 +36,7 @@
monitoring::service { 'https_toolserver':
description => 'HTTPS-toolserver',
- check_command => 'check_ssl_http!www.toolserver.org',
+ check_command => 'check_ssl_http_letsencrypt!www.toolserver.org',
host => 'www.toolserver.org',
}
diff --git a/modules/install_server/manifests/web_server.pp
b/modules/install_server/manifests/web_server.pp
index 5109b1c..221c2e1 100644
--- a/modules/install_server/manifests/web_server.pp
+++ b/modules/install_server/manifests/web_server.pp
@@ -21,6 +21,7 @@
puppet_svc => 'nginx',
system_svc => 'nginx',
}
+ # TODO: Monitor SSL?
$ssl_settings = ssl_ciphersuite('nginx', 'mid', true)
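Review bot: The new `# TODO: Monitor SSL?` marks an endpoint that, judging from the `ssl_ciphersuite('nginx', ...)` call right below it, serves TLS but gets no certificate-expiry check; an expired cert here means either an outage or users being trained to click through browser warnings. A bare TODO with no task or owner tends to stay forever, so tie it to the tracking bug and name the decision still to be made, e.g. `# TODO (T144293): add a monitoring::service using check_ssl_http or check_ssl_http_letsencrypt, depending on where this cert comes from`. The same comment is added to modules/mirrors/manifests/serve.pp in this change and would benefit from the same wording. The enclosing class begins above the hunk.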
diff --git a/modules/mirrors/manifests/serve.pp
b/modules/mirrors/manifests/serve.pp
index a2fb059..8215b2d 100644
--- a/modules/mirrors/manifests/serve.pp
+++ b/modules/mirrors/manifests/serve.pp
@@ -7,6 +7,7 @@
puppet_svc => 'nginx',
system_svc => 'nginx',
}
+ # TODO: Monitor SSL?
$ssl_settings = ssl_ciphersuite('nginx', 'mid', true)
diff --git a/modules/nagios_common/files/check_commands/check_ssl.cfg
b/modules/nagios_common/files/check_commands/check_ssl.cfg
index 519a97e..b7471cc 100644
--- a/modules/nagios_common/files/check_commands/check_ssl.cfg
+++ b/modules/nagios_common/files/check_commands/check_ssl.cfg
@@ -3,15 +3,27 @@
command_name check_ssl_http
command_line $USER1$/check_ssl --warning 60 --critical 30 -H
$HOSTADDRESS$ -p 443 --cn $ARG1$
}
+define command{
+ command_name check_ssl_http_letsencrypt
+ command_line $USER1$/check_ssl --warning 7 --critical 3 -H
$HOSTADDRESS$ -p 443 --cn $ARG1$
+}
define command{
command_name check_ssl_http_on_port
command_line $USER1$/check_ssl --warning 60 --critical 30 -H
$HOSTADDRESS$ --cn $ARG1$ -p $ARG2$
}
+define command{
+ command_name check_ssl_http_on_port_letsencrypt
+ command_line $USER1$/check_ssl --warning 7 --critical 3 -H
$HOSTADDRESS$ --cn $ARG1$ -p $ARG2$
+}
define command{
command_name check_ssl_http_on_host_port
command_line $USER1$/check_ssl --warning 60 --critical 30 --cn $ARG1$
-H $ARG2$ -p $ARG3$
+}
+define command{
+ command_name check_ssl_http_on_host_port_letsencrypt
+ command_line $USER1$/check_ssl --warning 7 --critical 3 --cn $ARG1$ -H
$ARG2$ -p $ARG3$
}
# check SSL certs on LDAP servers
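Review bot: `--warning 7 --critical 3` on the new *_letsencrypt commands leaves very little reaction time: Let's Encrypt certificates are valid for 90 days and the common client behaviour is to renew about 30 days before expiry, so by the time the warning fires a broken renewal has typically already been failing for around three weeks and only three days remain before an outage. Unless the renewal job here deliberately runs later than that, something like `--warning 14 --critical 7` still never fires on a healthy certificate but leaves a week or two to fix the ACME run, a DNS problem, or a rate-limit backoff. Whatever values are chosen, the assumption behind them should be written down once at the top of the file, e.g. `# *_letsencrypt thresholds assume certs are renewed ~30 days before expiry; warn when that has clearly not happened`, since the same pair now appears in four command definitions (three here, one in the LDAP hunk below) that must be changed together.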
@@ -19,4 +31,7 @@
command_name check_ssl_ldap
command_line $USER1$/check_ssl --warning 60 --critical 30 -H
$HOSTADDRESS$ -p 636 --cn $ARG1$
}
-
+define command{
+ command_name check_ssl_ldap_letsencrypt
+ command_line $USER1$/check_ssl --warning 7 --critical 3 -H
$HOSTADDRESS$ -p 636 --cn $ARG1$
+}
diff --git a/modules/role/manifests/cache/ssl/unified.pp
b/modules/role/manifests/cache/ssl/unified.pp
index fa752fe..ec7c7e7 100644
--- a/modules/role/manifests/cache/ssl/unified.pp
+++ b/modules/role/manifests/cache/ssl/unified.pp
@@ -3,7 +3,6 @@
$labs_subjects = ['beta.wmflabs.org'],
) {
if ( $::realm == 'production' ) {
-
$check_cn = 'en.wikipedia.org'
$check_sans = [
'wikipedia.org', '*.wikipedia.org', '*.m.wikipedia.org',
'*.zero.wikipedia.org',
@@ -52,6 +51,7 @@
upstream_ports => [3120, 3121, 3122, 3123, 3124, 3125, 3126, 3127],
redir_port => 8080,
}
+ # TODO: Monitor SSL? Also commented in tlsproxy::localssl
}
# ordering ensures nginx/varnish config/service-start are
diff --git a/modules/role/manifests/gerrit/server.pp
b/modules/role/manifests/gerrit/server.pp
index f336111..a4cbc8a 100644
--- a/modules/role/manifests/gerrit/server.pp
+++ b/modules/role/manifests/gerrit/server.pp
@@ -6,14 +6,6 @@
include role::backup::host
include base::firewall
- $host = hiera('gerrit::host')
-
- monitoring::service { 'https':
- description => 'HTTPS',
- check_command => "check_ssl_http!${host}",
- contact_group => 'admins,gerrit',
- }
-
monitoring::service { 'gerrit_ssh':
description => 'SSH access',
check_command => 'check_ssh_port!29418',
diff --git a/modules/role/manifests/labs/openstack/nova.pp
b/modules/role/manifests/labs/openstack/nova.pp
index 670575d..673f9e9 100644
--- a/modules/role/manifests/labs/openstack/nova.pp
+++ b/modules/role/manifests/labs/openstack/nova.pp
@@ -54,6 +54,7 @@
$sitename = 'wikitech.wikimedia.org'
$certificate = $sitename
sslcert::certificate { $sitename: }
+ $cert_type = ''
}
'labtest': {
$sitename = 'labtestwikitech.wikimedia.org'
@@ -63,15 +64,17 @@
puppet_svc => 'apache2',
system_svc => 'apache2',
}
+ $cert_type = '_letsencrypt'
}
default: {
notify {"unknown realm ${::realm}; https cert will not be
installed.":}
+ $cert_type = ''
}
}
monitoring::service { 'https':
description => 'HTTPS',
- check_command => "check_ssl_http!${sitename}",
+ check_command => "check_ssl_http${cert_type}!${sitename}",
}
$ssl_settings = ssl_ciphersuite('apache', 'compat', true)
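Review bot: Building the Icinga command name from a suffix, `check_ssl_http${cert_type}`, means a typo or an undef `$cert_type` yields a command that does not exist in check_ssl.cfg, which only surfaces when Icinga validates its configuration rather than when puppet compiles the catalog. Assigning the full name per branch instead (`$check_command = 'check_ssl_http_letsencrypt'` under 'labtest', `'check_ssl_http'` under 'production' and 'default') and then using `"${check_command}!${sitename}"` is no longer code and makes each realm's choice readable. Separately, the `default:` branch visible here only emits a notify and sets `$cert_type`; if it does not also set `$sitename` (not visible in this hunk), the monitoring::service below is still declared for an unknown realm with an empty CN, so it may be worth declaring the service only when a certificate was actually installed. The enclosing class and the 'production' branch of this case statement begin above the hunk.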
diff --git a/modules/tlsproxy/manifests/localssl.pp
b/modules/tlsproxy/manifests/localssl.pp
index dfcfbaf..10d5d6d 100644
--- a/modules/tlsproxy/manifests/localssl.pp
+++ b/modules/tlsproxy/manifests/localssl.pp
@@ -82,6 +82,7 @@
puppet_svc => 'nginx',
system_svc => 'nginx',
}
+ # TODO: Maybe add monitoring to this in role::cache::ssl::unified
}
if $do_ocsp and !empty($certs) {
diff --git a/modules/toolserver_legacy/manifests/init.pp
b/modules/toolserver_legacy/manifests/init.pp
index 8b41709..a45c86d 100644
--- a/modules/toolserver_legacy/manifests/init.pp
+++ b/modules/toolserver_legacy/manifests/init.pp
@@ -18,6 +18,7 @@
puppet_svc => 'apache2',
system_svc => 'apache2',
}
+ # Monitored externally by icinga::monitor::certs due to this being run in
labs...
apache::site { 'www.toolserver.org':
content => template('toolserver_legacy/www.toolserver.org.erb'),
--
Gerrit-MessageType: merged
Gerrit-Change-Id: I03d1c3e85b404c3501fbb46b9d3ea18a096691a8
Gerrit-PatchSet: 8
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Alex Monk <[email protected]>
Gerrit-Reviewer: Alex Monk <[email protected]>
Gerrit-Reviewer: Andrew Bogott <[email protected]>
Gerrit-Reviewer: BBlack <[email protected]>
Gerrit-Reviewer: Dzahn <[email protected]>
Gerrit-Reviewer: Ema <[email protected]>
Gerrit-Reviewer: Faidon Liambotis <[email protected]>
Gerrit-Reviewer: Gehel <[email protected]>
Gerrit-Reviewer: RobH <[email protected]>
Gerrit-Reviewer: Volans <[email protected]>
Gerrit-Reviewer: jenkins-bot <>