Herron has uploaded a new change for review. (
https://gerrit.wikimedia.org/r/404689 )
Change subject: add support for SSLCARevocationCheck setting in puppetmaster
frontend
......................................................................
add support for SSLCARevocationCheck setting in puppetmaster frontend
Add SSLCARevocationCheck setting to puppetmaster Apache frontend template.
This sets a default value of 'chain' in profile::puppetmaster::frontend (to
check revoked agent certificates by default) and is tunable using the hiera
key profile::puppetmaster::frontend::ssl_ca_revocation_check.
Bug: T184444
Change-Id: I0ddcb90411d4323a7144bc5d28ebd3580723e776
---
M modules/profile/manifests/puppetmaster/frontend.pp
M modules/puppetmaster/manifests/web_frontend.pp
M modules/puppetmaster/templates/web-frontend.conf.erb
3 files changed, 15 insertions(+), 8 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/89/404689/1
diff --git a/modules/profile/manifests/puppetmaster/frontend.pp
b/modules/profile/manifests/puppetmaster/frontend.pp
index 6d26ca1..b3d2e8d 100644
--- a/modules/profile/manifests/puppetmaster/frontend.pp
+++ b/modules/profile/manifests/puppetmaster/frontend.pp
@@ -8,6 +8,7 @@
$ca_server = hiera('puppetmaster::ca_server',
'puppetmaster1001.eqiad.wmnet'),
$servers = hiera('puppetmaster::servers', {}),
$puppet_major_version = hiera('puppet_major_version', undef),
+ $ssl_ca_revocation_check =
hiera('profile::puppetmaster::frontend::ssl_ca_revocation_check', 'chain'),
$allow_from = [
'*.wikimedia.org',
'*.eqiad.wmnet',
@@ -65,19 +66,21 @@
# Main site to respond to
::puppetmaster::web_frontend { $web_hostname:
- master => $ca_server,
- workers => $workers,
- bind_address => $::puppetmaster::bind_address,
- priority => 40,
+ master => $ca_server,
+ workers => $workers,
+ bind_address => $::puppetmaster::bind_address,
+ priority => 40,
+ ssl_ca_revocation_check => $ssl_ca_revocation_check,
}
# On all the puppetmasters, we should respond
# to the FQDN too, in case we point them explicitly
::puppetmaster::web_frontend { $::fqdn:
- master => $ca_server,
- workers => $workers,
- bind_address => $::puppetmaster::bind_address,
- priority => 50,
+ master => $ca_server,
+ workers => $workers,
+ bind_address => $::puppetmaster::bind_address,
+ priority => 50,
+ ssl_ca_revocation_check => $ssl_ca_revocation_check,
}
# Run the rsync servers on all puppetmaster frontends, and activate
diff --git a/modules/puppetmaster/manifests/web_frontend.pp
b/modules/puppetmaster/manifests/web_frontend.pp
index 0d55814..e690e04 100644
--- a/modules/puppetmaster/manifests/web_frontend.pp
+++ b/modules/puppetmaster/manifests/web_frontend.pp
@@ -28,6 +28,7 @@
$priority=90,
$alt_names=undef,
$cert_secret_path = 'puppetmaster',
+ $ssl_ca_revocation_check = undef,
){
$server_name = $title
$ssldir = '/var/lib/puppet/ssl'
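Review bot: The new `$ssl_ca_revocation_check` parameter is passed through to the template unvalidated, so a mistyped value (e.g. `chains`) is only discovered when Apache refuses to reload, and the define's header comment (outside this hunk) gains no entry describing it. If stdlib's validators are available to this module, a check next to the `$server_name = $title` line such as `if $ssl_ca_revocation_check { validate_re($ssl_ca_revocation_check, '^(none|leaf|chain)') }` would catch that at catalog compile time (widen the pattern if the Apache version in use accepts the newer `no_crl_for_cert_ok`-style flags). In the header, document it as the value for mod_ssl's SSLCARevocationCheck (`none`, `leaf` or `chain`) and that `undef` leaves the directive out, which on Apache 2.4 means CRLs under SSLCARevocationPath are not consulted. The define's parameter list starts before this hunk.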
diff --git a/modules/puppetmaster/templates/web-frontend.conf.erb
b/modules/puppetmaster/templates/web-frontend.conf.erb
index 7b64457..144f1c8 100644
--- a/modules/puppetmaster/templates/web-frontend.conf.erb
+++ b/modules/puppetmaster/templates/web-frontend.conf.erb
@@ -12,6 +12,9 @@
# CRL checking by commenting the next line, but this is not recommended.
# NOTE: https://tickets.puppetlabs.com/browse/PUP-2310 says that CRL is
not updated. Need to reevaluate this
SSLCARevocationPath <%= scope.lookupvar('::puppetmaster::ssl::ssldir')
%>/crl
+ <% if @ssl_ca_revocation_check -%>
+ SSLCARevocationCheck <%= @ssl_ca_revocation_check %>
+ <% end -%>
SSLVerifyClient <%= scope.lookupvar('puppetmaster::verify_client') %>
SSLVerifyDepth 1
SSLOptions +StdEnvVars
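Review bot: Once `SSLCARevocationCheck chain` is in effect, mod_ssl fails every client handshake against a CA whose CRL is expired or unreadable, not only connections from revoked agents, and the comment two lines above the new block already records that the CRL under SSLCARevocationPath may not be refreshed (PUP-2310); confirm the CA CRL's nextUpdate horizon and how the file is regenerated before shipping 'chain' as the default. The directive itself exists only in Apache 2.4 (in 2.2, as far as I recall, SSLCARevocationPath alone enabled checking), so any frontend still on 2.2 would reject the config — worth verifying since this template is shared by all frontends. A short comment above the `<% if %>` block, e.g. `# Unset leaves Apache's default 'none', i.e. the CRL above is never consulted`, would make the fallback of the guard explicit to the next reader.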
--
Gerrit-MessageType: newchange
Gerrit-Change-Id: I0ddcb90411d4323a7144bc5d28ebd3580723e776
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Herron <[email protected]>