Giuseppe Lavagetto has submitted this change and it was merged.
Change subject: docker::registry::web: allow using puppet certs
......................................................................
docker::registry::web: allow using puppet certs
As in production we will use the puppet certs, let's offer the
alternative here.
Change-Id: I7a7093bc88152ff09b8da60333b4c7b023c8668e
---
M modules/docker/manifests/registry/web.pp
M modules/docker/templates/registry-nginx.conf.erb
2 files changed, 19 insertions(+), 1 deletion(-)
Approvals:
Giuseppe Lavagetto: Looks good to me, approved
jenkins-bot: Verified
diff --git a/modules/docker/manifests/registry/web.pp
b/modules/docker/manifests/registry/web.pp
index d9585e2..0980d54 100644
--- a/modules/docker/manifests/registry/web.pp
+++ b/modules/docker/manifests/registry/web.pp
@@ -2,9 +2,22 @@
$docker_username,
$docker_password_hash,
$allow_push_from,
- $ssl_certificate_name,
$ssl_settings,
+ $use_puppet_certs=false,
+ $ssl_certificate_name=undef,
) {
+ if (!$use_puppet_certs and ($ssl_certificate_name == undef)) {
+ fail('Either puppet certs should be used, or an ssl cert name should
be provided')
+ }
+
+ if $use_puppet_certs {
+ base::expose_puppet_certs { '/etc/nginx':
+ ensure => present,
+ provide_private => true,
+ require => Class['nginx'],
+ }
+ }
+
file { '/etc/nginx/htpasswd.registry':
content => "${docker_username}:${docker_password_hash}",
owner => 'www-data',
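Review bot: `provide_private => true` in the new `base::expose_puppet_certs` block places a copy of the host's Puppet agent private key under `/etc/nginx`, so one key now serves as both the registry's TLS key and the node's identity towards the Puppet master. The owner and mode of that copy are set inside the define, which this page does not show, so confirm that it stays readable by root only and not by `www-data`. I would add a comment above the block, `# Reuses the Puppet agent key pair for TLS; the private key copy under /etc/nginx/ssl must not be readable by www-data`, and document `$use_puppet_certs` and the now-optional `$ssl_certificate_name` in the class header. When both parameters are set the certificate name is silently ignored, which could be rejected in the same `fail()` guard. The class body continues past the end of the hunk.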
diff --git a/modules/docker/templates/registry-nginx.conf.erb
b/modules/docker/templates/registry-nginx.conf.erb
index 880ecd9..e8c5891 100644
--- a/modules/docker/templates/registry-nginx.conf.erb
+++ b/modules/docker/templates/registry-nginx.conf.erb
@@ -10,8 +10,13 @@
server {
listen 443 default_server ssl;
listen [::]:443 ssl default_server ipv6only=on;
+<%- if @use_puppet_certs %>
+ ssl_certificate /etc/nginx/ssl/cert.pem;
+ ssl_certificate_key /etc/nginx/ssl/server.key;
+<%- else -%>
ssl_certificate /etc/ssl/localcerts/<%= @ssl_certificate_name
%>.chained.crt;
ssl_certificate_key /etc/ssl/private/<%= @ssl_certificate_name %>.key;
+<%- end -%>
# Copied from modules/tlsproxy/templates/nginx.conf.erb. Eugh
# Enable a shared cache, since it is defined at this level
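Review bot: The opening tag `<%- if @use_puppet_certs %>` has no trailing `-`, unlike the `<%- else -%>` and `<%- end -%>` tags below it, so the rendered config gets a stray blank line in the Puppet-certs branch; `<%- if @use_puppet_certs -%>` would match the others. A short comment on the new branch would also help, for example `# cert.pem/server.key are the Puppet agent cert and key, signed by the Puppet CA`. That matters operationally because registry clients would presumably need the Puppet CA in their trust store and must connect using a name the agent certificate covers. The `server` block continues outside the hunk.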
--
To view, visit https://gerrit.wikimedia.org/r/318063
Gerrit-MessageType: merged
Gerrit-Change-Id: I7a7093bc88152ff09b8da60333b4c7b023c8668e
Gerrit-PatchSet: 3
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Giuseppe Lavagetto <[email protected]>
Gerrit-Reviewer: Giuseppe Lavagetto <[email protected]>
Gerrit-Reviewer: Yuvipanda <[email protected]>
Gerrit-Reviewer: jenkins-bot <>