Volans has submitted this change and it was merged.

Change subject: DB: Expose Puppet SSL certs and generate CA cert
......................................................................


DB: Expose Puppet SSL certs and generate CA cert

- Expose Puppet certs to MySQL to be used for TLS
- Generate a CA certificate with both Puppet CA PEM and current MySQL CA
  PEM as a temporary backward compatible solution to accept both Puppet
  and MySQL certificates.
- The files generated by ::base::expose_puppet_certs do not conflict
  with the existing ones used by MySQL

Bug: T111654
Change-Id: I6f5904c844fc4bfb16393cfb8240c29c3fdf9ee4
---
M manifests/config.pp
1 file changed, 34 insertions(+), 1 deletion(-)

Approvals:
  Volans: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/manifests/config.pp b/manifests/config.pp
index 980e6e9..77f25f4 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -1,5 +1,5 @@
 # Please use separate .cnf templates for each type of server.
-# Keep this independent and modular. It should be includable 
+# Keep this independent and modular. It should be includable
 # without the mariadb class.
 
 class mariadb::config(
@@ -142,5 +142,38 @@
             content   => secret('mysql/client-cert.pem'),
             require   => File['/etc/mysql/ssl'],
         }
+
+        ::base::expose_puppet_certs { '/etc/mysql':
+            ensure          => present,
+            provide_private => true,
+            user            => 'mysql',
+            group           => 'mysql',
+        }
+
+        # Temporary CA certificate with multiple PEM for backward compatibility
+        concat { '/etc/mysql/ssl/ca.crt':
+            ensure  => present,
+            owner   => 'mysql',
+            group   => 'mysql',
+            mode    => '0444',
+            warn    => true,
+            require => [
+                File['/etc/ssl/certs/Puppet_Internal_CA.pem'],
+                File['/etc/mysql/ssl/cacert.pem'],
+            ],
+        }
+
+        concat::fragment { 'mysql_ca':
+            target  => '/etc/mysql/ssl/ca.crt',
+            content => file('/etc/mysql/ssl/cacert.pem'),
+            order   => '01',
+        }
+
+        concat::fragment { 'puppet_ca':
+            target  => '/etc/mysql/ssl/ca.crt',
+            content => file('/etc/ssl/certs/Puppet_Internal_CA.pem'),
+            order   => '02',
+        }
+
     }
 }
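Review bot: The two concat::fragment resources at the end of this hunk set their content with file('/etc/mysql/ssl/cacert.pem') and file('/etc/ssl/certs/Puppet_Internal_CA.pem'), but Puppet's file() function is evaluated at catalog compilation on the master, so it reads those absolute paths from the master's filesystem rather than from the database host. The require on File['/etc/ssl/certs/Puppet_Internal_CA.pem'] and File['/etc/mysql/ssl/cacert.pem'] in the concat resource only orders resources on the agent and does not change what file() returns. If the bundle is meant to be built from the files managed on the node, consider the fragment's source attribute with the local path. Alternatively, take the content from the same origin the existing certificate resources use (the context line above uses secret('mysql/client-cert.pem')). Since the comment marks ca.crt as temporary, it would also help to reference T111654 there so the point at which the MySQL CA fragment is dropped is traceable. While both fragments are present, a certificate issued by either CA is accepted.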

-- 
To view, visit https://gerrit.wikimedia.org/r/278042
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I6f5904c844fc4bfb16393cfb8240c29c3fdf9ee4
Gerrit-PatchSet: 2
Gerrit-Project: operations/puppet/mariadb
Gerrit-Branch: master
Gerrit-Owner: Volans <[email protected]>
Gerrit-Reviewer: Jcrespo <[email protected]>
Gerrit-Reviewer: Volans <[email protected]>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
