Herron has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/404689 )
Change subject: add support for SSLCARevocationCheck setting in puppetmaster frontend
......................................................................
add support for SSLCARevocationCheck setting in puppetmaster frontend
Add SSLCARevocationCheck setting to puppetmaster Apache frontend template.
This sets a default value of 'chain' in profile::puppetmaster::frontend (to
check revoked agent certificates by default) and is tunable using the hiera
key profile::puppetmaster::frontend::ssl_ca_revocation_check.
Bug: T184444
Change-Id: I0ddcb90411d4323a7144bc5d28ebd3580723e776
---
M modules/profile/manifests/puppetmaster/frontend.pp
M modules/puppetmaster/manifests/web_frontend.pp
M modules/puppetmaster/templates/web-frontend.conf.erb
3 files changed, 23 insertions(+), 8 deletions(-)
Approvals:
Herron: Looks good to me, approved
Alexandros Kosiaris: Looks good to me, but someone else must approve
jenkins-bot: Verified
Filippo Giunchedi: Looks good to me, but someone else must approve
diff --git a/modules/profile/manifests/puppetmaster/frontend.pp
b/modules/profile/manifests/puppetmaster/frontend.pp
index 6d26ca1..b3d2e8d 100644
--- a/modules/profile/manifests/puppetmaster/frontend.pp
+++ b/modules/profile/manifests/puppetmaster/frontend.pp
@@ -8,6 +8,7 @@
$ca_server = hiera('puppetmaster::ca_server',
'puppetmaster1001.eqiad.wmnet'),
$servers = hiera('puppetmaster::servers', {}),
$puppet_major_version = hiera('puppet_major_version', undef),
+ $ssl_ca_revocation_check =
hiera('profile::puppetmaster::frontend::ssl_ca_revocation_check', 'chain'),
$allow_from = [
'*.wikimedia.org',
'*.eqiad.wmnet',
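Review bot: the added hiera binding lets a single hiera key set this to 'none' and silently switch off revocation checking for every agent that hits the frontend, with nothing in the catalog run marking the downgrade. Since the whole point of the 'chain' default is secure-by-default behaviour, consider emitting a notice or warning from the profile when `$ssl_ca_revocation_check` is anything other than 'chain', so a weakened frontend is visible in the agent log and in puppet-merge review rather than only in hieradata.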
@@ -65,19 +66,21 @@
# Main site to respond to
::puppetmaster::web_frontend { $web_hostname:
- master => $ca_server,
- workers => $workers,
- bind_address => $::puppetmaster::bind_address,
- priority => 40,
+ master => $ca_server,
+ workers => $workers,
+ bind_address => $::puppetmaster::bind_address,
+ priority => 40,
+ ssl_ca_revocation_check => $ssl_ca_revocation_check,
}
# On all the puppetmasters, we should respond
# to the FQDN too, in case we point them explicitly
::puppetmaster::web_frontend { $::fqdn:
- master => $ca_server,
- workers => $workers,
- bind_address => $::puppetmaster::bind_address,
- priority => 50,
+ master => $ca_server,
+ workers => $workers,
+ bind_address => $::puppetmaster::bind_address,
+ priority => 50,
+ ssl_ca_revocation_check => $ssl_ca_revocation_check,
}
# Run the rsync servers on all puppetmaster frontends, and activate
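Review bot: eight of the lines in this hunk are whitespace-only realignment of the existing master/workers/bind_address/priority attributes, which puppet-lint's arrow alignment forces once the longer `ssl_ca_revocation_check` name is added; that is acceptable, but the reviewer should confirm that the only semantic change in each of the two `::puppetmaster::web_frontend` blocks is the added `ssl_ca_revocation_check => $ssl_ca_revocation_check,` line (the four realigned values are unchanged, so it is).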
diff --git a/modules/puppetmaster/manifests/web_frontend.pp
b/modules/puppetmaster/manifests/web_frontend.pp
index 0d55814..15fe11e 100644
--- a/modules/puppetmaster/manifests/web_frontend.pp
+++ b/modules/puppetmaster/manifests/web_frontend.pp
@@ -21,6 +21,14 @@
#
# [*alt_names*]
# Alternative names, if any, which should be accepted.
+#
+# [*cert_secret_path*]
+# Path to puppet keys/certs in secrets repository.
+#
+# [*ssl_ca_revocation_check*]
+# CRL-based revocation checking setting in apache. See apache
+# SSLCARevocationCheck documentation for full details.
+# Valid settings: chain|leaf|none
define puppetmaster::web_frontend(
$workers,
$master,
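Review bot: the new docstring for `ssl_ca_revocation_check` lists chain|leaf|none but does not describe the default (undef). Because the template only emits `SSLCARevocationCheck` when the value is set, leaving it unset keeps Apache's own default for the directive, which is `none`, i.e. no CRL checking at all. Add a sentence such as "Defaults to undef, which omits the directive and leaves Apache's default of none in force" so callers of the define other than profile::puppetmaster::frontend do not assume revocation checking is on. Documenting the pre-existing `cert_secret_path` parameter in passing is fine.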
@@ -28,6 +36,7 @@
$priority=90,
$alt_names=undef,
$cert_secret_path = 'puppetmaster',
+ $ssl_ca_revocation_check = undef,
){
$server_name = $title
$ssldir = '/var/lib/puppet/ssl'
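Review bot: `$ssl_ca_revocation_check = undef` here means the define itself is not secure by default; the 'chain' value lives only in the profile, and any other user of `puppetmaster::web_frontend` gets Apache's default of no CRL checking. Consider defaulting to 'chain' in the define as well, and validating the value at this point (the one place every caller passes through), e.g. with a stdlib `validate_re($ssl_ca_revocation_check, '^(chain|leaf|none)$')` guarded by the undef case, so a typo fails at catalog compile time instead of surfacing as an Apache config error on reload.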
diff --git a/modules/puppetmaster/templates/web-frontend.conf.erb
b/modules/puppetmaster/templates/web-frontend.conf.erb
index 7b64457..144f1c8 100644
--- a/modules/puppetmaster/templates/web-frontend.conf.erb
+++ b/modules/puppetmaster/templates/web-frontend.conf.erb
@@ -12,6 +12,9 @@
# CRL checking by commenting the next line, but this is not recommended.
# NOTE: https://tickets.puppetlabs.com/browse/PUP-2310 says that CRL is
not updated. Need to reevaluate this
SSLCARevocationPath <%= scope.lookupvar('::puppetmaster::ssl::ssldir')
%>/crl
+ <% if @ssl_ca_revocation_check -%>
+ SSLCARevocationCheck <%= @ssl_ca_revocation_check %>
+ <% end -%>
SSLVerifyClient <%= scope.lookupvar('puppetmaster::verify_client') %>
SSLVerifyDepth 1
SSLOptions +StdEnvVars
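Review bot: the unchanged comment above `SSLCARevocationPath` ("You can disable CRL checking by commenting the next line") is now misleading and should be updated in this hunk: once `SSLCARevocationCheck <%= @ssl_ca_revocation_check %>` is emitted, commenting out the path line does not turn checking off, since the check directive is still written whenever the parameter is set; the supported way to disable it is the `ssl_ca_revocation_check` parameter ('none'). It would also help to say next to the PUP-2310 note that with 'chain' the frontend can only reject revocations present in the CRL under `ssldir/crl`, so a CRL that is not refreshed limits what this setting buys.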
--
To view, visit https://gerrit.wikimedia.org/r/404689
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: I0ddcb90411d4323a7144bc5d28ebd3580723e776
Gerrit-PatchSet: 4
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Herron <[email protected]>
Gerrit-Reviewer: Alexandros Kosiaris <[email protected]>
Gerrit-Reviewer: Filippo Giunchedi <[email protected]>
Gerrit-Reviewer: Giuseppe Lavagetto <[email protected]>
Gerrit-Reviewer: Herron <[email protected]>
Gerrit-Reviewer: Muehlenhoff <[email protected]>
Gerrit-Reviewer: Volans <[email protected]>
Gerrit-Reviewer: jenkins-bot <>
_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
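As an added example, not code from this change or from the operations/puppet repository: the Ruby script below (Ruby because Puppet itself is Ruby and its openssl standard library exposes the same verify flags mod_ssl uses) builds a constructed toy PKI standing in for the puppetmaster CA, issues two agent certificates, revokes one of them in the CA's CRL, and then verifies both the way the Apache frontend would under each SSLCARevocationCheck value. The hostnames, serials and lifetimes are this example's assumptions; the mapping of none/leaf/chain to OpenSSL's X509_V_FLAG_CRL_CHECK and X509_V_FLAG_CRL_CHECK_ALL is how mod_ssl implements the directive. The 'none' row shows what the frontend did before this change when the directive was absent: a CRL on disk is loaded but never consulted, and a revoked agent is accepted.

```ruby
require 'openssl'

# Added example (not code from the operations/puppet change). Everything
# below is a constructed toy PKI; CNs, serials and validity are assumptions.

DIGEST = 'SHA256'

# Verify flags corresponding to each SSLCARevocationCheck value in mod_ssl:
#   none  -> CRLs may be loaded but are never consulted
#   leaf  -> consult the CRL for the client (end-entity) certificate only
#   chain -> consult a CRL for every certificate in the chain
REVOCATION_CHECK_FLAGS = {
  'none'  => 0,
  'leaf'  => OpenSSL::X509::V_FLAG_CRL_CHECK,
  'chain' => OpenSSL::X509::V_FLAG_CRL_CHECK | OpenSSL::X509::V_FLAG_CRL_CHECK_ALL,
}.freeze

# Issue an X.509 v3 certificate for +cn+; self-signed CA when no issuer given.
def issue_cert(cn, key, serial, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature, keyEncipherment', true))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new(DIGEST))
  cert
end

# Build a CRL signed by the CA that lists +revoked_serials+.
def build_crl(ca_cert, ca_key, revoked_serials)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1
  crl.issuer = ca_cert.subject
  crl.last_update = Time.now - 60
  crl.next_update = Time.now + 3600
  revoked_serials.each do |serial|
    entry = OpenSSL::X509::Revoked.new
    entry.serial = serial
    entry.time = Time.now - 30
    crl.add_revoked(entry)
  end
  crl.sign(ca_key, OpenSSL::Digest.new(DIGEST))
  crl
end

# Verify a client certificate the way the frontend's mod_ssl would under +mode+.
# Returns [accepted?, verify result string].
def verify_client(cert, ca_cert, crl, mode)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.add_crl(crl)                                # SSLCARevocationPath: always loaded
  store.flags = REVOCATION_CHECK_FLAGS.fetch(mode)  # SSLCARevocationCheck: decides if used
  ok = store.verify(cert)
  [ok, store.error_string]
end

# Build the toy PKI and report, per mode, whether a valid and a revoked
# agent certificate are accepted.
def run_demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca_cert = issue_cert('Puppet CA: toy', ca_key, 1, ca: true)
  good = issue_cert('agent-good.toy', OpenSSL::PKey::RSA.new(2048), 2,
                    issuer_cert: ca_cert, issuer_key: ca_key)
  revoked = issue_cert('agent-revoked.toy', OpenSSL::PKey::RSA.new(2048), 3,
                       issuer_cert: ca_cert, issuer_key: ca_key)
  crl = build_crl(ca_cert, ca_key, [3])  # only serial 3 is revoked

  REVOCATION_CHECK_FLAGS.keys.map do |mode|
    [mode, {
      'valid'   => verify_client(good, ca_cert, crl, mode),
      'revoked' => verify_client(revoked, ca_cert, crl, mode),
    }]
  end.to_h
end

if $PROGRAM_NAME == __FILE__
  run_demo.each do |mode, r|
    printf("SSLCARevocationCheck %-5s valid=%-5s revoked=%-5s (%s)\n",
           mode, r['valid'][0], r['revoked'][0], r['revoked'][1])
  end
end
```

Running it prints one line per mode; only 'none' accepts the revoked agent, while 'leaf' and 'chain' reject it with "certificate revoked". With a single-level CA such as the puppetmaster's, 'leaf' and 'chain' behave the same; 'chain' only differs once intermediate CAs are involved, since it also requires and checks a CRL for each issuing certificate.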