BBlack has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/320783

Change subject: tlsproxy: separate ECDSA/RSA stapling for all
......................................................................

tlsproxy: separate ECDSA/RSA stapling for all

Change-Id: I31257369d72954095bdb6b0c7f31e5c73888eb5f
---
M hieradata/hosts/cp1008.yaml
M hieradata/role/common/cache/maps.yaml
M hieradata/role/common/cache/misc.yaml
M modules/tlsproxy/manifests/localssl.pp
M modules/tlsproxy/templates/localssl.erb
5 files changed, 4 insertions(+), 22 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/83/320783/1

diff --git a/hieradata/hosts/cp1008.yaml b/hieradata/hosts/cp1008.yaml
index ed8d166..13a26b6 100644
--- a/hieradata/hosts/cp1008.yaml
+++ b/hieradata/hosts/cp1008.yaml
@@ -7,4 +7,3 @@
       - 'cp1008.wikimedia.org'
     codfw:
       - 'cp1008.wikimedia.org'
-do_ocsp_multi: true
diff --git a/hieradata/role/common/cache/maps.yaml 
b/hieradata/role/common/cache/maps.yaml
index ef727f4..b2bf818 100644
--- a/hieradata/role/common/cache/maps.yaml
+++ b/hieradata/role/common/cache/maps.yaml
@@ -26,4 +26,3 @@
   ulsfo: 'codfw'
   esams: 'eqiad'
 varnish_version4: true
-do_ocsp_multi: true
diff --git a/hieradata/role/common/cache/misc.yaml 
b/hieradata/role/common/cache/misc.yaml
index 075178e..f40ae08 100644
--- a/hieradata/role/common/cache/misc.yaml
+++ b/hieradata/role/common/cache/misc.yaml
@@ -26,4 +26,3 @@
   esams: 'eqiad'
 varnish_version4: true
 cache::websocket_support: true
-do_ocsp_multi: true
diff --git a/modules/tlsproxy/manifests/localssl.pp 
b/modules/tlsproxy/manifests/localssl.pp
index 052316e..dfcfbaf 100644
--- a/modules/tlsproxy/manifests/localssl.pp
+++ b/modules/tlsproxy/manifests/localssl.pp
@@ -84,23 +84,12 @@
         }
     }
 
-    # temp for feature testing
-    $do_ocsp_multi = hiera('do_ocsp_multi', false)
-
     if $do_ocsp and !empty($certs) {
         include tlsproxy::ocsp
 
-        if $do_ocsp_multi {
-            sslcert::ocsp::conf { $certs:
-                proxy  => "webproxy.${::site}.wmnet:8080",
-                before => [Service['nginx'], Exec['nginx-reload']],
-            }
-        } else {
-            sslcert::ocsp::conf { $title:
-                proxy  => "webproxy.${::site}.wmnet:8080",
-                certs  => $certs,
-                before => [Service['nginx'], Exec['nginx-reload']],
-            }
+        sslcert::ocsp::conf { $certs:
+            proxy  => "webproxy.${::site}.wmnet:8080",
+            before => [Service['nginx'], Exec['nginx-reload']],
         }
     }
 
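Review bot: Declaring `sslcert::ocsp::conf { $certs: ... }` titles each resource by certificate name instead of by `$title`, so if two `tlsproxy::localssl` instances on one host ever list the same certificate, catalog compilation would presumably fail with a duplicate declaration. It is worth confirming that no node does this. The staple file name also moves from the instance title to the certificate name (the template reads `/var/cache/ocsp/<cert>.ocsp`), and nothing visible here removes the old per-title config or staple, so stale and eventually expired OCSP data may linger on hosts that ran the old branch. A short comment above the resource, such as `# one OCSP conf per cert so the ECDSA and RSA certs each get their own staple`, would replace the removed "temp for feature testing" note. The enclosing definition starts and ends outside the hunk.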
diff --git a/modules/tlsproxy/templates/localssl.erb 
b/modules/tlsproxy/templates/localssl.erb
index 329bf9a..0219940 100644
--- a/modules/tlsproxy/templates/localssl.erb
+++ b/modules/tlsproxy/templates/localssl.erb
@@ -32,12 +32,8 @@
        <%- end -%>
        <%- if @do_ocsp -%>
        ssl_stapling on;
-          <%- if @do_ocsp_multi -%>
-           <%- @certs.each do |cert| -%>
+         <%- @certs.each do |cert| -%>
        ssl_stapling_file /var/cache/ocsp/<%= cert %>.ocsp;
-           <%- end -%>
-         <%- else -%>
-       ssl_stapling_file /var/cache/ocsp/<%= @name %>.ocsp;
          <%- end -%>
        <%- end -%>
 
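Review bot: `ssl_stapling on;` is emitted whenever `@do_ocsp` is set, but the manifest only creates the OCSP configs under `$do_ocsp and !empty($certs)`. With an empty `@certs` the loop now writes no `ssl_stapling_file` at all, where the old else branch always wrote one. nginx would then be left to fetch responses itself rather than use the proxy-prefetched files, which is probably not intended. Matching the manifest guard would close that gap: `<%- if @do_ocsp and !@certs.empty? -%>`. It would also help to note in a template comment that the `ssl_stapling_file` lines must follow the same order as the certificate lines, assuming those are generated from `@certs` above this hunk.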

-- 
To view, visit https://gerrit.wikimedia.org/r/320783

Gerrit-MessageType: newchange
Gerrit-Change-Id: I31257369d72954095bdb6b0c7f31e5c73888eb5f
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BBlack <bbl...@wikimedia.org>
