Filippo Giunchedi has uploaded a new change for review. https://gerrit.wikimedia.org/r/237397
Change subject: cassandra: install certs and CA from private.git
......................................................................
cassandra: install certs and CA from private.git
Also make server encryption configurable, but disabled.
Bug: T108953
Change-Id: I1554b0e2a10338d3e1b5e35f951b975bf9c46b1a
---
M modules/cassandra/manifests/init.pp
M modules/cassandra/templates/cassandra.yaml.erb
2 files changed, 45 insertions(+), 10 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/97/237397/1
diff --git a/modules/cassandra/manifests/init.pp b/modules/cassandra/manifests/init.pp
index 3299afd..c4887fd 100644
--- a/modules/cassandra/manifests/init.pp
+++ b/modules/cassandra/manifests/init.pp
@@ -175,6 +175,20 @@
 # [*key_cache_size_in_mb*]
 # Maximum size of the key cache in memory.
 # Default: empty (aka "auto" (min(5% of heap (in MB), 100MB)))
+#
+# [*tls_cluster_name*]
+# If specified, use private keys (client and server) from private.git
+# belonging to this cluster. Also install the cluster's CA as trusted.
+# Default: undef
+#
+# [*internode_encryption*]
+# What level of inter node encryption to enable
+# Default: none
+#
+# [*client_encryption_enabled*]
+# Enable client-side encryption
+# Default: false
+
 class cassandra(
 $cluster_name = 'Test Cluster',
 $seeds = [$::ipaddress],
@@ -214,6 +228,9 @@
 $dc = 'datacenter1',
 $rack = 'rack1',
 $key_cache_size_in_mb = 400,
+ $tls_cluster_name = undef,
+ $internode_encryption = none,
+ $client_encryption_enabled = false,
 $yaml_template = "${module}/cassandra.yaml.erb",
 $env_template = "${module}/cassandra-env.sh.erb",
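Review bot: The new default `$internode_encryption = none` is an unquoted bareword; Puppet treats it as the string "none" today, but it breaks with the quoted string defaults around it (`'datacenter1'`, `'rack1'`) and a typo here would only surface when Cassandra rejects the rendered cassandra.yaml at startup. Quote it as `$internode_encryption = 'none',` and, because upstream cassandra.yaml accepts only a small fixed set of values for this key (none, dc, rack, all), consider validating the parameter in the class body before the template is rendered, e.g. with `validate_re` if the module already relies on puppetlabs-stdlib. The parameter list of `class cassandra` continues outside the hunk.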
@@ -344,6 +361,24 @@
 require => Package['cassandra'],
 }
+ if ($tls_cluster_name) {
+ file { '/etc/cassandra/tls/server.key':
+ content => secret("cassandra/${tls_cluster_name}/${hostname}/${hostname}.kst"),
+ owner => 'cassandra',
+ group => 'cassandra',
+ mode => '0400',
+ require => Package['cassandra'],
+ }
+
+ file { '/etc/cassandra/tls/server.trust':
+ content => secret("cassandra/${tls_cluster_name}/truststore"),
+ owner => 'cassandra',
+ group => 'cassandra',
+ mode => '0400',
+ require => Package['cassandra'],
+ }
+ }
+
 file { '/etc/default/cassandra':
 content => template("${module_name}/cassandra.default.erb"),
 owner => 'cassandra',
diff --git a/modules/cassandra/templates/cassandra.yaml.erb b/modules/cassandra/templates/cassandra.yaml.erb
index dc23590..b8a62ed 100644
--- a/modules/cassandra/templates/cassandra.yaml.erb
+++ b/modules/cassandra/templates/cassandra.yaml.erb
@@ -731,11 +731,11 @@
 # http://download.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore
 #
 server_encryption_options:
- internode_encryption: none
- keystore: conf/.keystore
- keystore_password: cassandra
- truststore: conf/.truststore
- truststore_password: cassandra
+ internode_encryption: <%= @internode_encryption %>
+ keystore: tls/server.key
+ keystore_password: placeholder
+ truststore: tls/server.trust
+ truststore_password: placeholder
 # More advanced defaults below:
 # protocol: TLS
 # algorithm: SunX509
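Review bot: Both new file resources write into `/etc/cassandra/tls/`, but nothing in the hunk ensures that directory exists, and Puppet's `file` type does not create missing parent directories, so the first run on a host with `$tls_cluster_name` set would fail unless the cassandra package happens to ship that directory. Add a directory resource and make the two keystore files depend on it rather than only on the package (below). Two smaller points: the secret path uses `${hostname}` while the rest of the class reads facts at top scope (`$::ipaddress` in the parameter defaults), so `${::hostname}` is the consistent and unambiguous form; and the parameter documentation added in this change speaks of "client and server" keys while only `server.key` and the truststore are installed here, so either install the client keystore as well or reword the doc to match what is provisioned.
```puppet
    if ($tls_cluster_name) {
        file { '/etc/cassandra/tls':
            ensure  => directory,
            owner   => 'cassandra',
            group   => 'cassandra',
            mode    => '0500',
            require => Package['cassandra'],
        }

        file { '/etc/cassandra/tls/server.key':
            content => secret("cassandra/${tls_cluster_name}/${::hostname}/${::hostname}.kst"),
            owner   => 'cassandra',
            group   => 'cassandra',
            mode    => '0400',
            require => File['/etc/cassandra/tls'],
        }
        # … unchanged: server.trust resource, with the same require on File['/etc/cassandra/tls'] …
    }
```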
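Review bot: `keystore: tls/server.key` and `truststore: tls/server.trust` are relative paths, and as far as I can tell Cassandra opens these with a plain file path, so they resolve against the daemon's working directory rather than against the directory cassandra.yaml lives in; the manifest installs the files under `/etc/cassandra/tls/`, so unless the service is started from `/etc/cassandra` the JVM will not find them once `internode_encryption` is set to anything but `none`. Use the absolute paths `keystore: /etc/cassandra/tls/server.key` and `truststore: /etc/cassandra/tls/server.trust`. Separately, `keystore_password: placeholder` and `truststore_password: placeholder` are hard-coded literals; JSSE refuses to open a keystore whose password does not match the one it was created with, so the real passwords need to reach the template (for instance a class parameter fed from private.git alongside the `.kst`), and a comment such as `# keystore/truststore passwords must match the files provisioned via tls_cluster_name` would make that dependency explicit to the next person editing this block.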
@@ -745,13 +745,13 @@
 # enable or disable client/server encryption.
 client_encryption_options:
- enabled: false
- keystore: conf/.keystore
- keystore_password: cassandra
+ enabled: <%= @client_encryption_enabled %>
+ keystore: tls/client.key
+ keystore_password: placeholder
 # require_client_auth: false
 # Set trustore and truststore_password if require_client_auth is true
- # truststore: conf/.truststore
- # truststore_password: cassandra
+ # truststore: tls/client.trust
+ # truststore_password: placeholder
 # More advanced defaults below:
 # protocol: TLS
 # algorithm: SunX509
-- 
To view, visit https://gerrit.wikimedia.org/r/237397
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I1554b0e2a10338d3e1b5e35f951b975bf9c46b1a
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Filippo Giunchedi <fgiunch...@wikimedia.org>
_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
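Review bot: When `client_encryption_enabled` is true this block points Cassandra at `tls/client.key`, but the init.pp hunk in this same change installs only `server.key` and `server.trust` under `/etc/cassandra/tls/`, so flipping the new flag on would make the node fail to load its client-facing keystore. Either install the client keystore from private.git in the manifest as well, or reuse the server identity here with `keystore: /etc/cassandra/tls/server.key` (absolute for the same working-directory reason as the server block). `keystore_password: placeholder` has the same hard-coded-password problem as the server section and should come from the same source. Note also that `require_client_auth` stays commented out, so with encryption enabled clients are not authenticated by certificate; that is consistent with the stated goal of keeping things disabled for now, but a one-line comment such as `# require_client_auth is left off: clients are encrypted but not certificate-authenticated` would stop a reader from assuming mutual TLS.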