Giuseppe Lavagetto has uploaded a new change for review.
https://gerrit.wikimedia.org/r/318063
Change subject: docker::registry::web: allow using puppet certs
......................................................................
docker::registry::web: allow using puppet certs
Since production will use the puppet certs, offer that as an
alternative here.
Change-Id: I7a7093bc88152ff09b8da60333b4c7b023c8668e
---
M modules/docker/manifests/registry/web.pp
M modules/docker/templates/registry-nginx.conf.erb
2 files changed, 20 insertions(+), 2 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/63/318063/1
diff --git a/modules/docker/manifests/registry/web.pp
b/modules/docker/manifests/registry/web.pp
index d9585e2..451a87b 100644
--- a/modules/docker/manifests/registry/web.pp
+++ b/modules/docker/manifests/registry/web.pp
@@ -2,9 +2,22 @@
$docker_username,
$docker_password_hash,
$allow_push_from,
- $ssl_certificate_name,
$ssl_settings,
+ $use_puppet_certs=false,
+ $ssl_certificate_name=undef,
) {
+ if !$use_puppet_certs and !defined($ssl_certificate_name) {
+ fail('Either puppet certs should be used, or an ssl cert name should
be provided')
+ }
+
+ if $use_puppet_certs {
+ base::expose_puppet_certs { '/etc/nginx':
+ ensure => present,
+ provide_private => true,
+ require => Class['nginx'],
+ }
+ }
+
file { '/etc/nginx/htpasswd.registry':
content => "${docker_username}:${docker_password_hash}",
owner => 'www-data',
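Review bot: The guard `if !$use_puppet_certs and !defined($ssl_certificate_name)` does not test whether the parameter was supplied: Puppet's `defined()` looks up resources, classes and types by name, so with the new default `$ssl_certificate_name=undef` it is evaluated against an undef/empty argument rather than the variable, and a real certificate name could even match an existing type or class name. The intended check is `if !$use_puppet_certs and $ssl_certificate_name == undef {`. Separately, `provide_private => true` places the Puppet agent's private key under /etc/nginx; the owner and mode that base::expose_puppet_certs applies to it are not visible in this hunk, so it is worth confirming the key ends up root-owned and not world-readable. The class header and the `file` resource both continue outside the hunk.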
diff --git a/modules/docker/templates/registry-nginx.conf.erb
b/modules/docker/templates/registry-nginx.conf.erb
index f3e08d4..e8c5891 100644
--- a/modules/docker/templates/registry-nginx.conf.erb
+++ b/modules/docker/templates/registry-nginx.conf.erb
@@ -9,9 +9,14 @@
server {
listen 443 default_server ssl;
- listen [::]:443 ssl default_server ipv6only=on;
+ listen [::]:443 ssl default_server ipv6only=on;
+<%- if @use_puppet_certs %>
+ ssl_certificate /etc/nginx/ssl/cert.pem;
+ ssl_certificate_key /etc/nginx/ssl/server.key;
+<%- else -%>
ssl_certificate /etc/ssl/localcerts/<%= @ssl_certificate_name
%>.chained.crt;
ssl_certificate_key /etc/ssl/private/<%= @ssl_certificate_name %>.key;
+<%- end -%>
# Copied from modules/tlsproxy/templates/nginx.conf.erb. Eugh
# Enable a shared cache, since it is defined at this level
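Review bot: The opening tag `<%- if @use_puppet_certs %>` lacks the trailing `-%>` that `<%- else -%>` and `<%- end -%>` carry, so the puppet-certs branch renders with a stray blank line before `ssl_certificate`; `<%- if @use_puppet_certs -%>` makes the three tags consistent. The paths `/etc/nginx/ssl/cert.pem` and `/etc/nginx/ssl/server.key` are presumably the files base::expose_puppet_certs writes under /etc/nginx, but that contract is not visible here, so confirm the filenames match. The `listen [::]:443` line appears to be a whitespace-only change. The server block continues outside the hunk.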
--
Gerrit-MessageType: newchange
Gerrit-Change-Id: I7a7093bc88152ff09b8da60333b4c7b023c8668e
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Giuseppe Lavagetto <[email protected]>