Herron has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/404689 )
Change subject: add support for SSLCARevocationCheck setting in puppetmaster frontend
......................................................................
add support for SSLCARevocationCheck setting in puppetmaster frontend
Add SSLCARevocationCheck setting to puppetmaster Apache frontend template. This sets a default value of 'chain' in profile::puppetmaster::frontend (to check revoked agent certificates by default) and is tunable using the hiera key profile::puppetmaster::frontend::ssl_ca_revocation_check.
Bug: T184444
Change-Id: I0ddcb90411d4323a7144bc5d28ebd3580723e776
---
M modules/profile/manifests/puppetmaster/frontend.pp
M modules/puppetmaster/manifests/web_frontend.pp
M modules/puppetmaster/templates/web-frontend.conf.erb
3 files changed, 15 insertions(+), 8 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/89/404689/1
diff --git a/modules/profile/manifests/puppetmaster/frontend.pp b/modules/profile/manifests/puppetmaster/frontend.pp
index 6d26ca1..b3d2e8d 100644
--- a/modules/profile/manifests/puppetmaster/frontend.pp
+++ b/modules/profile/manifests/puppetmaster/frontend.pp
@@ -8,6 +8,7 @@
 $ca_server = hiera('puppetmaster::ca_server', 'puppetmaster1001.eqiad.wmnet'),
 $servers = hiera('puppetmaster::servers', {}),
 $puppet_major_version = hiera('puppet_major_version', undef),
+ $ssl_ca_revocation_check = hiera('profile::puppetmaster::frontend::ssl_ca_revocation_check', 'chain'),
 $allow_from = [
 '*.wikimedia.org',
 '*.eqiad.wmnet',
@@ -65,19 +66,21 @@
 # Main site to respond to
 ::puppetmaster::web_frontend { $web_hostname:
- master => $ca_server,
- workers => $workers,
- bind_address => $::puppetmaster::bind_address,
- priority => 40,
+ master => $ca_server,
+ workers => $workers,
+ bind_address => $::puppetmaster::bind_address,
+ priority => 40,
+ ssl_ca_revocation_check => $ssl_ca_revocation_check,
 }
 # On all the puppetmasters, we should respond
 # to the FQDN too, in case we point them explicitly
 ::puppetmaster::web_frontend { $::fqdn:
- master => $ca_server,
- workers => $workers,
- bind_address => $::puppetmaster::bind_address,
- priority => 50,
+ master => $ca_server,
+ workers => $workers,
+ bind_address => $::puppetmaster::bind_address,
+ priority => 50,
+ ssl_ca_revocation_check => $ssl_ca_revocation_check,
 }
 # Run the rsync servers on all puppetmaster frontends, and activate
diff --git a/modules/puppetmaster/manifests/web_frontend.pp b/modules/puppetmaster/manifests/web_frontend.pp
index 0d55814..e690e04 100644
--- a/modules/puppetmaster/manifests/web_frontend.pp
+++ b/modules/puppetmaster/manifests/web_frontend.pp
@@ -28,6 +28,7 @@
 $priority=90,
 $alt_names=undef,
 $cert_secret_path = 'puppetmaster',
+ $ssl_ca_revocation_check = undef,
 ){
 $server_name = $title
 $ssldir = '/var/lib/puppet/ssl'
diff --git a/modules/puppetmaster/templates/web-frontend.conf.erb b/modules/puppetmaster/templates/web-frontend.conf.erb
index 7b64457..144f1c8 100644
--- a/modules/puppetmaster/templates/web-frontend.conf.erb
+++ b/modules/puppetmaster/templates/web-frontend.conf.erb
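Review bot: The new `$ssl_ca_revocation_check` parameter in web_frontend.pp accepts any value and the template writes it verbatim into the Apache config, so a mistyped hiera value (the lookup added in frontend.pp earlier in this change has no check either) only shows up as a failed Apache reload on the puppetmaster frontend. mod_ssl accepts `none`, `leaf` or `chain` for this directive (2.4.21+ also takes optional flags), so restricting the define to those is cheap: if stdlib is in use here, `if $ssl_ca_revocation_check { validate_re($ssl_ca_revocation_check, '^(none|leaf|chain)$') }` in the body, or on Puppet 4+ a typed parameter `Optional[Enum['none', 'leaf', 'chain']] $ssl_ca_revocation_check = undef,`. The define's header comment should also document the parameter, including that leaving it `undef` omits the directive, which for other callers of this define means mod_ssl's default of no revocation checking despite the `SSLCARevocationPath` the template always emits. The parameter list and body of the define continue outside the hunk.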
@@ -12,6 +12,9 @@
 # CRL checking by commenting the next line, but this is not recommended.
 # NOTE: https://tickets.puppetlabs.com/browse/PUP-2310 says that CRL is not updated. Need to reevaluate this
 SSLCARevocationPath <%= scope.lookupvar('::puppetmaster::ssl::ssldir') %>/crl
+ <% if @ssl_ca_revocation_check -%>
+ SSLCARevocationCheck <%= @ssl_ca_revocation_check %>
+ <% end -%>
 SSLVerifyClient <%= scope.lookupvar('puppetmaster::verify_client') %>
 SSLVerifyDepth 1
 SSLOptions +StdEnvVars
--
To view, visit https://gerrit.wikimedia.org/r/404689
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I0ddcb90411d4323a7144bc5d28ebd3580723e776
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Herron <kher...@wikimedia.org>
_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
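Review bot: The context comment at the top of this hunk, which says CRL checking can be disabled by commenting out the `SSLCARevocationPath` line, becomes misleading once the new block emits `SSLCARevocationCheck chain`: with a check mode other than `none`, Apache 2.4 requires a CRL to be present for the issuer(s), so removing the path alone makes every agent's client verification fail with "unable to get certificate CRL" instead of switching checking off. Suggest rewording it to `# To disable CRL checking set ssl_ca_revocation_check to 'none' (or leave it unset); commenting out SSLCARevocationPath will reject all clients instead.`. For the same reason, the `chain` default this change introduces in frontend.pp should be enabled only once the hashed CRL directory is known to be populated and refreshed — the PUP-2310 note right above already records that the CRL may not be updated, and an expired CRL is likewise a verification error, so a stale or missing CRL fails closed for all agents at the frontend rather than silently skipping the check.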