BBlack has uploaded a new change for review. https://gerrit.wikimedia.org/r/320783
Change subject: tlsproxy: separate ECDSA/RSA stapling for all ...................................................................... tlsproxy: separate ECDSA/RSA stapling for all Change-Id: I31257369d72954095bdb6b0c7f31e5c73888eb5f --- M hieradata/hosts/cp1008.yaml M hieradata/role/common/cache/maps.yaml M hieradata/role/common/cache/misc.yaml M modules/tlsproxy/manifests/localssl.pp M modules/tlsproxy/templates/localssl.erb 5 files changed, 4 insertions(+), 22 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/83/320783/1 diff --git a/hieradata/hosts/cp1008.yaml b/hieradata/hosts/cp1008.yaml index ed8d166..13a26b6 100644 --- a/hieradata/hosts/cp1008.yaml +++ b/hieradata/hosts/cp1008.yaml @@ -7,4 +7,3 @@ - 'cp1008.wikimedia.org' codfw: - 'cp1008.wikimedia.org' -do_ocsp_multi: true diff --git a/hieradata/role/common/cache/maps.yaml b/hieradata/role/common/cache/maps.yaml index ef727f4..b2bf818 100644 --- a/hieradata/role/common/cache/maps.yaml +++ b/hieradata/role/common/cache/maps.yaml @@ -26,4 +26,3 @@ ulsfo: 'codfw' esams: 'eqiad' varnish_version4: true -do_ocsp_multi: true diff --git a/hieradata/role/common/cache/misc.yaml b/hieradata/role/common/cache/misc.yaml index 075178e..f40ae08 100644 --- a/hieradata/role/common/cache/misc.yaml +++ b/hieradata/role/common/cache/misc.yaml @@ -26,4 +26,3 @@ esams: 'eqiad' varnish_version4: true cache::websocket_support: true -do_ocsp_multi: true diff --git a/modules/tlsproxy/manifests/localssl.pp b/modules/tlsproxy/manifests/localssl.pp index 052316e..dfcfbaf 100644 --- a/modules/tlsproxy/manifests/localssl.pp +++ b/modules/tlsproxy/manifests/localssl.pp 
@@ -84,23 +84,12 @@ } } - # temp for feature testing - $do_ocsp_multi = hiera('do_ocsp_multi', false) - if $do_ocsp and !empty($certs) { include tlsproxy::ocsp - if $do_ocsp_multi { - sslcert::ocsp::conf { $certs: - proxy => "webproxy.${::site}.wmnet:8080", - before => [Service['nginx'], Exec['nginx-reload']], - } - } else { - sslcert::ocsp::conf { $title: - proxy => "webproxy.${::site}.wmnet:8080", - certs => $certs, - before => [Service['nginx'], Exec['nginx-reload']], - } + sslcert::ocsp::conf { $certs: + proxy => "webproxy.${::site}.wmnet:8080", + before => [Service['nginx'], Exec['nginx-reload']], } } diff --git a/modules/tlsproxy/templates/localssl.erb b/modules/tlsproxy/templates/localssl.erb index 329bf9a..0219940 100644 --- a/modules/tlsproxy/templates/localssl.erb +++ b/modules/tlsproxy/templates/localssl.erb @@ -32,12 +32,8 @@ <%- end -%> <%- if @do_ocsp -%> ssl_stapling on; - <%- if @do_ocsp_multi -%> - <%- @certs.each do |cert| -%> + <%- @certs.each do |cert| -%> ssl_stapling_file /var/cache/ocsp/<%= cert %>.ocsp; - <%- end -%> - <%- else -%> - ssl_stapling_file /var/cache/ocsp/<%= @name %>.ocsp; <%- end -%> <%- end -%> -- To view, visit https://gerrit.wikimedia.org/r/320783 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I31257369d72954095bdb6b0c7f31e5c73888eb5f Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: BBlack <bbl...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
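Review bot: Titling `sslcert::ocsp::conf` with `$certs` instead of `$title` makes every certificate name a catalog-wide resource title. `localssl.pp` appears to be a defined type (it uses `$title`), so two instances listing the same certificate would presumably fail compilation with a duplicate declaration. If sharing a certificate across instances is possible, the constraint should be stated above the resource, for example `# each name in $certs may belong to only one tlsproxy::localssl instance`. The change also leaves any stapling config and `/var/cache/ocsp/<title>.ocsp` file from the old single-resource branch in place; whether `sslcert::ocsp::conf` cleans those up is not visible here, and stale OCSP responses on disk are worth removing explicitly. The enclosing definition starts and ends outside this hunk.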
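Review bot: With the `@do_ocsp_multi` gate gone, every host renders one `ssl_stapling_file` line per certificate, so the template now depends on the deployed nginx accepting that directive more than once in a server block. As far as I know, stock nginx rejects a repeated `ssl_stapling_file` as a duplicate directive, which would fail the config test at reload. A template comment such as `<%# repeated ssl_stapling_file requires the nginx build with per-certificate stapling -%>` would record that dependency. Separately, the manifest only creates stapling resources when `$certs` is non-empty, while the template checks `@do_ocsp` alone and would emit `ssl_stapling on;` with no file for an empty list; `<%- if @do_ocsp and !@certs.empty? -%>` keeps the two in step. The surrounding server block starts and ends outside this hunk.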