Mark Bergsma has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/160047

Change subject: Replace role::cache::ssl::wikimedia with an SNI capable 
role::cache::ssl::misc
......................................................................

Replace role::cache::ssl::wikimedia with an SNI capable role::cache::ssl::misc

protoproxy::localssl should now support multiple sites with SNI.
role::cache::ssl::misc is a new role class that sets up the sites
needed for the misc-web SSL/caching cluster.

Change-Id: Iffde3305bd972b7a8780ffabcc31b6a57aafe4db
---
M manifests/role/cache.pp
1 file changed, 29 insertions(+), 8 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/47/160047/1

diff --git a/manifests/role/cache.pp b/manifests/role/cache.pp
index 9528c75..0c3a91e 100644
--- a/manifests/role/cache.pp
+++ b/manifests/role/cache.pp
@@ -604,17 +604,38 @@
         }
     }
 
-    class ssl::wikimedia {
-        class { '::role::cache::ssl':
-            sitename => 'wikimedia',
-            certname => 'star.wikimedia.org',
-        }
-    }
-
     class ssl::unified {
         class { '::role::cache::ssl':
             sitename => 'unified',
             certname => 'unified.wikimedia.org',
+        }
+    }
+
+    class ssl::misc::certs {
+        install_certificate { ['star.wikimedia.org', 
'star.wmfusercontent.org']: }
+    }
+
+    # This class sets up multiple sites with multiple SSL certs using SNI
+    class ssl::misc {
+        include certificates::wmf_ca, role::protoproxy::ssl::common
+        require ::role::cache::ssl::misc::certs
+
+        # Assumes that LVS service IPs are setup elsewhere
+
+        protoproxy::localssl {
+            'wikimedia':
+                proxy_server_cert_name => 'star.wikimedia.org',
+                default_server => true;
+            'wmfusercontent':
+                server_name => 'wmfusercontent.org',
+                proxy_server_cert_name => 'star.wmfusercontent.org';
+        }
+
+        # FIXME: Icinga monitoring with support for SNI
+
+        monitor_service { 'https':
+            description   => 'HTTPS',
+            check_command => "check_ssl_cert!star.wikimedia.org",
         }
     }
 
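Review bot: In the `'wmfusercontent'` entry of `protoproxy::localssl`, `server_name => 'wmfusercontent.org'` names only the apex, while the certificate installed for it is `star.wmfusercontent.org`. The localssl template is not visible in this hunk, so this is inferred: unless it expands that value to a wildcard, requests for subdomains would fall through to the `default_server` entry and be answered with the `star.wikimedia.org` certificate, and a wildcard certificate may not cover the bare apex either. If so, something like `server_name => '*.wmfusercontent.org'` is probably what is intended; please confirm against the template. Separately, `monitor_service { 'https': ... }` checks only `star.wikimedia.org`, so an expired or misinstalled `star.wmfusercontent.org` certificate would go unnoticed until the FIXME is resolved. I would extend that comment to say so, e.g. `# FIXME: Icinga monitoring with support for SNI; star.wmfusercontent.org is not checked yet`.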
@@ -1407,7 +1428,7 @@
 
         include standard
         include nrpe
-        include role::cache::ssl::wikimedia
+        include role::cache::ssl::misc
 
         $memory_storage_size = 8
 

-- 
To view, visit https://gerrit.wikimedia.org/r/160047
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Iffde3305bd972b7a8780ffabcc31b6a57aafe4db
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Mark Bergsma <[email protected]>
