Ottomata has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/404698 )
Change subject: Parameterize varnishkafka certificate name for easier setup in Cloud VPS.
......................................................................
Parameterize varnishkafka certificate name for easier setup in Cloud VPS.
I want to set up Kafka TLS and varnishkafka in deployment-prep.
This should be a no-op in prod (currently only on canary).
Bug: T121561
Change-Id: If3bc94f0591b138578191f78ed784a3e632af712
---
M modules/profile/manifests/cache/kafka/certificate.pp
1 file changed, 38 insertions(+), 5 deletions(-)
Approvals:
Ottomata: Looks good to me, approved
jenkins-bot: Verified
diff --git a/modules/profile/manifests/cache/kafka/certificate.pp
b/modules/profile/manifests/cache/kafka/certificate.pp
index 14505b9..52cf1ff 100644
--- a/modules/profile/manifests/cache/kafka/certificate.pp
+++ b/modules/profile/manifests/cache/kafka/certificate.pp
@@ -3,22 +3,40 @@
# This expects that a 'varnishkafka' SSL/TLS key and certificate is created by
Cergen and
# signed by our PuppetCA, and available in the Puppet private secrets module.
# == Parameters.
+#
# [*ssl_key_password*]
# The password to decrypt the TLS client certificate. Default: undef
#
+# [*certificate_name*]
+# Name of certificate (cergen) in the secrets module. This will be used
+# To find the certificate file secret() puppet paths.
+#
+# [*certificate_name*]
+# Name of certificate (cergen) in the secrets module. This will be used
+# To find the certificate file secret() puppet paths. You might want to
+# change this if you are testing in Cloud VPS. Default: varnishkafka.
+#
+# [*use_puppet_internal_ca*]
+# If true, the CA cert.pem file will be assumed to be already installed at
+# /etc/ssl/certs/Puppet_Internal_CA.pem, and will be used as the
ssl.ca.location
+# for varnishkafka/librdkafka. Default: true. Set this to false if the
+# certificate name you set is not signed by the Puppet CA, and the
+# cergen created ca.crt.pem file will be used.
+#
class profile::cache::kafka::certificate(
$ssl_key_password =
hiera('profile::cache::kafka::certificate::ssl_key_password', undef),
+ $certificate_name =
hiera('profile::cache::kafka::certificate::certificate_name', 'varnishkafka'),
+ $use_puppet_internal_ca =
hiera('profile::cache::kafka::certificate::use_puppet_internal_ca', true),
) {
# TLS/SSL configuration
- $ssl_ca_location = '/etc/ssl/certs/Puppet_Internal_CA.pem'
$ssl_location = '/etc/varnishkafka/ssl'
$ssl_location_private = '/etc/varnishkafka/ssl/private'
- $ssl_key_location_secrets_path =
'certificates/varnishkafka/varnishkafka.key.private.pem'
- $ssl_key_location = "${ssl_location_private}/varnishkafka.key.pem"
+ $ssl_key_location_secrets_path =
"certificates/${certificate_name}/${certificate_name}.key.private.pem"
+ $ssl_key_location = "${ssl_location_private}/${certificate_name}.key.pem"
- $ssl_certificate_secrets_path =
'certificates/varnishkafka/varnishkafka.crt.pem'
- $ssl_certificate_location = "${ssl_location}/varnishkafka.crt.pem"
+ $ssl_certificate_secrets_path =
"certificates/${certificate_name}/${certificate_name}.crt.pem"
+ $ssl_certificate_location = "${ssl_location}/${certificate_name}.crt.pem"
$ssl_cipher_suites = 'ECDHE-ECDSA-AES256-GCM-SHA384'
file { $ssl_location:
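Review bot: the `[*certificate_name*]` parameter is documented twice in the header comment of this hunk; the first block (the one ending at "To find the certificate file secret() puppet paths.") is a shorter copy of the second and should be dropped, keeping only the version that mentions Cloud VPS and the default `varnishkafka`. In the surviving block, "To find" continues the previous sentence and should start with a lowercase letter.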
@@ -50,4 +68,19 @@
group => 'root',
mode => '0444',
}
+
+ if $use_puppet_internal_ca {
+ $ssl_ca_location = '/etc/ssl/certs/Puppet_Internal_CA.pem'
+ }
+ else {
+ $ssl_ca_location_secrets_path =
"certificates/${certificate_name}/ca.crt.pem"
+ $ssl_ca_location = "${ssl_location}/ca.crt.pem"
+
+ file { $ssl_ca_location:
+ content => secret($ssl_ca_location_secrets_path),
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ }
+ }
}
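Review bot: in the `if $use_puppet_internal_ca` branch, `$ssl_ca_location` is pointed at `/etc/ssl/certs/Puppet_Internal_CA.pem` without that file being managed or required anywhere in this class, so on a host where it is missing the problem only surfaces when varnishkafka fails to validate the broker certificate at runtime, not at catalog compile time; consider documenting which resource installs it or adding a dependency on that resource. The `else` branch that writes `ca.crt.pem` from `secret()` with `mode => '0444'` is fine as written, since the CA certificate is public and only the private key (handled elsewhere in the class) needs restricted permissions.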
--
To view, visit https://gerrit.wikimedia.org/r/404698
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: If3bc94f0591b138578191f78ed784a3e632af712
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Ottomata <[email protected]>
Gerrit-Reviewer: Ottomata <[email protected]>
Gerrit-Reviewer: jenkins-bot <>
_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits