BBlack has submitted this change and it was merged.

Change subject: tlsproxy: $certs_active as a subset of $certs
......................................................................


tlsproxy: $certs_active as a subset of $certs

The $certs_active set is what's actually configured for runtime
use in nginx, and should be a subset of $certs (all of which are
deployed to the host with full OCSP setup).  This enables easier
cert renewal transitions as well as multi-vendor setups with
clean switchovers.

Change-Id: I93dd23a8205dc3fd633dcc284514cb2f7e627cfd
---
M modules/tlsproxy/manifests/localssl.pp
M modules/tlsproxy/templates/localssl.erb
2 files changed, 15 insertions(+), 1 deletion(-)

Approvals:
  BBlack: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/modules/tlsproxy/manifests/localssl.pp 
b/modules/tlsproxy/manifests/localssl.pp
index 9c75b7c..edf696a 100644
--- a/modules/tlsproxy/manifests/localssl.pp
+++ b/modules/tlsproxy/manifests/localssl.pp
@@ -15,6 +15,12 @@
 #   support is required.  This is intended to support duplicate keys with
 #   differing crypto (e.g. ECDSA + RSA).
 #
+# [*certs_active*]
+#   Optional - if "certs" above is used, this defines the subset of the certs 
to
+#   actually configure on the server.  This allows for additional certs to be
+#   fully deployed and OCSP stapled (ready for use), which aren't actually used
+#   to serve traffic.  Defaults to the entire set from "certs".
+#
 # [*acme_subjects*]
 #   Optional - specify either this or certs.
 #   Array of certificate subjects, beginning with the canonical one - the rest
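Review bot: the new [*certs_active*] doc should also say that the parameter is only honoured when "certs" is non-empty and that every entry must itself appear in "certs", since the manifest below falls back to the full "certs" list when either set is empty and nothing deploys cert or key files for names outside "certs". One added sentence such as "Entries must also be listed in certs; ignored if certs is empty." would cover it.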
@@ -41,6 +47,7 @@
 
 define tlsproxy::localssl(
     $certs          = [],
+    $certs_active   = [],
     $acme_subjects  = [],
     $server_name    = $::fqdn,
     $server_aliases = [],
@@ -71,6 +78,13 @@
         }
     }
 
+    if !empty($certs) and !empty($certs_active) {
+        # Ideally, we'd sanity-check that active is a subset of certs, too
+        $certs_nginx = $certs_active
+    } else {
+        $certs_nginx = $certs
+    }
+
     if !empty($certs) {
         sslcert::certificate { $certs:
             skip_private => $skip_private,
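Review bot: the subset check that the comment defers is cheap to add and worth doing in this hunk, because an entry in $certs_active that is not in $certs ends up as an `ssl_certificate` directive pointing at a `.chained.crt` that `sslcert::certificate { $certs: }` never deploys, so nginx rejects the config at the next reload. With puppetlabs-stdlib this is one guard before the assignment: `if !empty(difference($certs_active, $certs)) { fail('certs_active must be a subset of certs') }`. Separately, the `!empty($certs) and !empty($certs_active)` condition means a non-empty $certs_active combined with an empty $certs is silently ignored rather than rejected; consider failing on that combination as well so a misconfiguration surfaces at compile time instead of as an unexpected cert set.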
diff --git a/modules/tlsproxy/templates/localssl.erb 
b/modules/tlsproxy/templates/localssl.erb
index ffe37f2..89f91a8 100644
--- a/modules/tlsproxy/templates/localssl.erb
+++ b/modules/tlsproxy/templates/localssl.erb
@@ -22,7 +22,7 @@
        error_log   /var/log/nginx/<%= @name %>.error.log;
        access_log   off;
 
-       <%- @certs.each do |cert| -%>
+       <%- @certs_nginx.each do |cert| -%>
        ssl_certificate /etc/ssl/localcerts/<%= cert %>.chained.crt;
        ssl_certificate_key /etc/ssl/private/<%= cert %>.key;
        <%- end -%>

-- 
To view, visit https://gerrit.wikimedia.org/r/322664
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I93dd23a8205dc3fd633dcc284514cb2f7e627cfd
Gerrit-PatchSet: 2
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BBlack <[email protected]>
Gerrit-Reviewer: BBlack <[email protected]>
Gerrit-Reviewer: Ema <[email protected]>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits