Rush has submitted this change and it was merged.
Change subject: Replace role::cache::ssl::wikimedia with an SNI capable
role::cache::ssl::misc
......................................................................
Replace role::cache::ssl::wikimedia with an SNI capable role::cache::ssl::misc
protoproxy::localssl should now support multiple sites with SNI.
role::cache::ssl::misc is a new role class that sets up the sites
needed for the misc-web SSL/caching cluster.
Also, let's use the full domain name for site names now. We may
not always only have .org...
Change-Id: Iffde3305bd972b7a8780ffabcc31b6a57aafe4db
---
M manifests/role/cache.pp
1 file changed, 29 insertions(+), 8 deletions(-)
Approvals:
Rush: Verified; Looks good to me, approved
diff --git a/manifests/role/cache.pp b/manifests/role/cache.pp
index 9528c75..0dac48b 100644
--- a/manifests/role/cache.pp
+++ b/manifests/role/cache.pp
@@ -604,17 +604,38 @@
}
}
- class ssl::wikimedia {
- class { '::role::cache::ssl':
- sitename => 'wikimedia',
- certname => 'star.wikimedia.org',
- }
- }
-
class ssl::unified {
class { '::role::cache::ssl':
sitename => 'unified',
certname => 'unified.wikimedia.org',
+ }
+ }
+
+ class ssl::misc::certs {
+ install_certificate { ['star.wikimedia.org',
'star.wmfusercontent.org']: }
+ }
+
+ # This class sets up multiple sites with multiple SSL certs using SNI
+ class ssl::misc {
+ include certificates::wmf_ca, role::protoproxy::ssl::common
+ require ::role::cache::ssl::misc::certs
+
+ # Assumes that LVS service IPs are setup elsewhere
+
+ protoproxy::localssl {
+ 'wikimedia':
+ proxy_server_cert_name => 'star.wikimedia.org',
+ default_server => true;
+ 'wmfusercontent.org':
+ server_name => 'wmfusercontent.org',
+ proxy_server_cert_name => 'star.wmfusercontent.org';
+ }
+
+ # FIXME: Icinga monitoring with support for SNI
+
+ monitor_service { 'https':
+ description => 'HTTPS',
+ check_command => "check_ssl_cert!star.wikimedia.org",
}
}
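Review bot: The `monitor_service { 'https': }` at the end of `ssl::misc` checks only `star.wikimedia.org`, so the second certificate this class serves over SNI, `star.wmfusercontent.org`, gets no expiry or validity check. The FIXME above it hints at this but does not say what is left uncovered. I would spell it out, e.g. `# FIXME: only the default_server cert (star.wikimedia.org) is checked below; star.wmfusercontent.org needs an SNI-aware check`, and point it at a tracking task so the gap is not forgotten. Separately, the first `protoproxy::localssl` title is still `'wikimedia'` with no `server_name`, while the commit message says site names should now be full domain names. If that is deliberate for the default server, a one-line comment would help, since the define's defaults and the enclosing class are outside this hunk.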
@@ -1407,7 +1428,7 @@
include standard
include nrpe
- include role::cache::ssl::wikimedia
+ include role::cache::ssl::misc
$memory_storage_size = 8
--
To view, visit https://gerrit.wikimedia.org/r/160047
Gerrit-MessageType: merged
Gerrit-Change-Id: Iffde3305bd972b7a8780ffabcc31b6a57aafe4db
Gerrit-PatchSet: 4
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Mark Bergsma <[email protected]>
Gerrit-Reviewer: BBlack <[email protected]>
Gerrit-Reviewer: Giuseppe Lavagetto <[email protected]>
Gerrit-Reviewer: Rush <[email protected]>
Gerrit-Reviewer: jenkins-bot <>