Herron has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/404689 )

Change subject: add support for SSLCARevocationCheck setting in puppetmaster 
frontend
......................................................................

add support for SSLCARevocationCheck setting in puppetmaster frontend

Add SSLCARevocationCheck setting to puppetmaster Apache frontend template.

This sets a default value of 'chain' in profile::puppetmaster::frontend (to
check revoked agent certificates by default) and is tunable using the hiera
key profile::puppetmaster::frontend::ssl_ca_revocation_check.

Bug: T184444
Change-Id: I0ddcb90411d4323a7144bc5d28ebd3580723e776
---
M modules/profile/manifests/puppetmaster/frontend.pp
M modules/puppetmaster/manifests/web_frontend.pp
M modules/puppetmaster/templates/web-frontend.conf.erb
3 files changed, 15 insertions(+), 8 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/89/404689/1

diff --git a/modules/profile/manifests/puppetmaster/frontend.pp 
b/modules/profile/manifests/puppetmaster/frontend.pp
index 6d26ca1..b3d2e8d 100644
--- a/modules/profile/manifests/puppetmaster/frontend.pp
+++ b/modules/profile/manifests/puppetmaster/frontend.pp
@@ -8,6 +8,7 @@
     $ca_server = hiera('puppetmaster::ca_server', 
'puppetmaster1001.eqiad.wmnet'),
     $servers = hiera('puppetmaster::servers', {}),
     $puppet_major_version = hiera('puppet_major_version', undef),
+    $ssl_ca_revocation_check = 
hiera('profile::puppetmaster::frontend::ssl_ca_revocation_check', 'chain'),
     $allow_from = [
       '*.wikimedia.org',
       '*.eqiad.wmnet',
@@ -65,19 +66,21 @@
 
     # Main site to respond to
     ::puppetmaster::web_frontend { $web_hostname:
-        master       => $ca_server,
-        workers      => $workers,
-        bind_address => $::puppetmaster::bind_address,
-        priority     => 40,
+        master                  => $ca_server,
+        workers                 => $workers,
+        bind_address            => $::puppetmaster::bind_address,
+        priority                => 40,
+        ssl_ca_revocation_check => $ssl_ca_revocation_check,
     }
 
     # On all the puppetmasters, we should respond
     # to the FQDN too, in case we point them explicitly
     ::puppetmaster::web_frontend { $::fqdn:
-        master       => $ca_server,
-        workers      => $workers,
-        bind_address => $::puppetmaster::bind_address,
-        priority     => 50,
+        master                  => $ca_server,
+        workers                 => $workers,
+        bind_address            => $::puppetmaster::bind_address,
+        priority                => 50,
+        ssl_ca_revocation_check => $ssl_ca_revocation_check,
     }
 
     # Run the rsync servers on all puppetmaster frontends, and activate
diff --git a/modules/puppetmaster/manifests/web_frontend.pp 
b/modules/puppetmaster/manifests/web_frontend.pp
index 0d55814..e690e04 100644
--- a/modules/puppetmaster/manifests/web_frontend.pp
+++ b/modules/puppetmaster/manifests/web_frontend.pp
@@ -28,6 +28,7 @@
     $priority=90,
     $alt_names=undef,
     $cert_secret_path = 'puppetmaster',
+    $ssl_ca_revocation_check = undef,
 ){
     $server_name = $title
     $ssldir = '/var/lib/puppet/ssl'
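Review bot: `$ssl_ca_revocation_check = undef` accepts any string and, when left unset, makes the template omit the SSLCARevocationCheck directive, so Apache falls back to its own default of `none` and the SSLCARevocationPath the template already configures is not consulted — any caller of this define other than the frontend profile silently gets no revocation checking. Consider constraining the value, e.g. `Optional[Enum['none', 'leaf', 'chain']] $ssl_ca_revocation_check = undef,` where Puppet 4 types are available (the surrounding parameters are untyped, so a stdlib `validate_re` on the same set may match the file's style better), and stating in the define's header comment that an unset value disables the check. The define's parameter list begins before this hunk.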
diff --git a/modules/puppetmaster/templates/web-frontend.conf.erb 
b/modules/puppetmaster/templates/web-frontend.conf.erb
index 7b64457..144f1c8 100644
--- a/modules/puppetmaster/templates/web-frontend.conf.erb
+++ b/modules/puppetmaster/templates/web-frontend.conf.erb
@@ -12,6 +12,9 @@
     # CRL checking by commenting the next line, but this is not recommended.
     # NOTE: https://tickets.puppetlabs.com/browse/PUP-2310 says that CRL is 
not updated. Need to reevaluate this
     SSLCARevocationPath     <%= scope.lookupvar('::puppetmaster::ssl::ssldir') 
%>/crl
+    <% if @ssl_ca_revocation_check -%>
+    SSLCARevocationCheck    <%= @ssl_ca_revocation_check %>
+    <% end -%>
     SSLVerifyClient <%= scope.lookupvar('puppetmaster::verify_client') %>
     SSLVerifyDepth  1
     SSLOptions +StdEnvVars
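Review bot: The context comment just above the change ("CRL checking by commenting the next line, but this is not recommended") is now stale: after this hunk revocation checking is governed by `@ssl_ca_revocation_check`, not by the SSLCARevocationPath line, and an unset value drops the directive entirely so Apache's default of `none` applies. Suggest rewording it to `# Revocation checking is controlled by ssl_ca_revocation_check (none|leaf|chain); leaving it unset omits the directive and Apache then defaults to none.` The interpolated value is written into the vhost config unescaped, so any validation belongs in the define's parameter rather than here. The enclosing configuration block begins and ends outside this hunk.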

-- 
To view, visit https://gerrit.wikimedia.org/r/404689
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I0ddcb90411d4323a7144bc5d28ebd3580723e776
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Herron <kher...@wikimedia.org>
