Giuseppe Lavagetto has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/385342 )

Change subject: profile::docker::registry: allow using an external certificate
......................................................................

profile::docker::registry: allow using an external certificate

This allows offering an HTTPS endpoint to clients through the discovery
DNS name

Bug: T178606
Change-Id: Ie48a63d17c6fbbaa84d495492a84f3594dc85e52
---
A files/ssl/docker-registry.discovery.wmnet.crt
M hieradata/role/common/docker/registry.yaml
M modules/profile/manifests/docker/registry.pp
3 files changed, 43 insertions(+), 3 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/42/385342/1

diff --git a/files/ssl/docker-registry.discovery.wmnet.crt 
b/files/ssl/docker-registry.discovery.wmnet.crt
new file mode 100644
index 0000000..b5b8927
--- /dev/null
+++ b/files/ssl/docker-registry.discovery.wmnet.crt
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/hieradata/role/common/docker/registry.yaml 
b/hieradata/role/common/docker/registry.yaml
index d1f59d5..cfece08 100644
--- a/hieradata/role/common/docker/registry.yaml
+++ b/hieradata/role/common/docker/registry.yaml
@@ -10,3 +10,4 @@
 #profile::docker::registry::swift_password defined in the private repo
 profile::docker::registry::swift_auth_url: "http://ms-fe.svc.codfw.wmnet/v1/";
 profile::docker::swift_container: "docker_registry"
+profile::docker::registry::certname: "docker-registry.discovery.wmnet"
diff --git a/modules/profile/manifests/docker/registry.pp 
b/modules/profile/manifests/docker/registry.pp
index e465f2f..fdb18f1 100644
--- a/modules/profile/manifests/docker/registry.pp
+++ b/modules/profile/manifests/docker/registry.pp
@@ -7,8 +7,9 @@
     # cache misc nodes are allowed to connect via HTTP, if defined
     $hnodes = hiera('cache::misc::nodes', {}),
     # Storage configuration
-    $storage_backend = hiera('profile::docker::registry::storage_backend', 
'filebackend')
-
+    $storage_backend = hiera('profile::docker::registry::storage_backend', 
'filebackend'),
+    $certname = hiera('profile::docker::registry::certname', undef),
+    $rw_sitename = hiera('profile::docker::registry::rw_sitename', 
$facts['fqdn']),
 ) {
     require ::network::constants
     # Hiera configurations
@@ -29,12 +30,24 @@
     # Nginx frontend
     class { '::sslcert::dhparam': }
 
+    if $certname {
+        sslcert::certificate { $certname:
+            ensure       => present,
+            skip_private => false,
+            before       => Service['nginx'],
+        }
+        $use_puppet = false
+    } else {
+        $use_puppet = true
+    }
+
     class { '::docker::registry::web':
         docker_username      => $username,
         docker_password_hash => $hash,
         allow_push_from      => $image_builders,
         ssl_settings         => ssl_ciphersuite('nginx', 'mid'),
-        use_puppet_certs     => true,
+        use_puppet_certs     => $use_puppet,
+        ssl_certificate_name => $certname,
         http_endpoint        => true,
         http_allowed_hosts   => $http_allowed_hosts,
     }
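Review bot: The new `if $certname` block does not say why an external certificate replaces the puppet CA certs, and `skip_private => false` silently pulls the matching private key from outside this repository, which is worth stating next to it; I would add above `if $certname {`: `# An externally issued certificate (e.g. for the discovery DNS name) replaces the puppet CA certs; its private key is expected from the private repo (skip_private => false).` In the else branch `ssl_certificate_name => $certname` hands undef to `::docker::registry::web`, which presumably falls back to that parameter's default — worth confirming the class declares one rather than a required String. The enclosing class starts outside the hunk.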

-- 

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ie48a63d17c6fbbaa84d495492a84f3594dc85e52
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Giuseppe Lavagetto <[email protected]>
