Jcrespo has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/324908

Change subject: mariadb: Update dbstores to use the latest TLS certificate
......................................................................

mariadb: Update dbstores to use the latest TLS certificate

Bug: T152188
Change-Id: I1b5b8701ace8ccd78b93f38e865621631c75b407
---
M modules/role/manifests/mariadb.pp
M templates/mariadb/dbstore.my.cnf.erb
2 files changed, 13 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/08/324908/1

diff --git a/modules/role/manifests/mariadb.pp 
b/modules/role/manifests/mariadb.pp
index f7cbaf4..e391b6c 100644
--- a/modules/role/manifests/mariadb.pp
+++ b/modules/role/manifests/mariadb.pp
@@ -511,7 +511,7 @@
         config  => 'mariadb/dbstore.my.cnf.erb',
         datadir => '/srv/sqldata',
         tmpdir  => '/srv/tmp',
-        ssl     => 'on',
+        ssl     => 'puppet-cert',
         p_s     => 'off',
     }
 
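Review bot: the new ssl value 'puppet-cert' at line 514 is a free-form string that the template matches only with `<% elsif @ssl == 'puppet-cert' %>`, and that elsif sits directly before `<% end %>` with no else branch. A misspelled value would therefore render a my.cnf with no TLS settings and no error. Consider validating the accepted values of ssl in the class and documenting the new value next to the parameter.
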
diff --git a/templates/mariadb/dbstore.my.cnf.erb 
b/templates/mariadb/dbstore.my.cnf.erb
index b11d39d..8b9c9cb 100644
--- a/templates/mariadb/dbstore.my.cnf.erb
+++ b/templates/mariadb/dbstore.my.cnf.erb
@@ -13,6 +13,12 @@
 # skip server cert validation until we generate one cert per server
 # it would check the cert's common name against the host
 # ssl-verify-server-cert
+<% elsif @ssl == 'puppet-cert' %>
+# ssl
+ssl-ca=/etc/ssl/certs/Puppet_Internal_CA.pem
+ssl-cert=/etc/mysql/ssl/cert.pem
+ssl-key=/etc/mysql/ssl/server.key
+ssl-verify-server-cert
 <% end %>
 
 [mysqld]
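
Review bot: ssl-verify-server-cert is enabled in the client block for 'puppet-cert', while the comment kept just above it still says validation is skipped "until we generate one cert per server". As that comment notes, the check compares the certificate's common name against the host, so clients that reach a dbstore by an alias or IP address rather than the name in its Puppet certificate will be refused. Add a comment on this branch stating that requirement, and scope the old comment to the 'on' branch so the two do not contradict each other.
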
@@ -117,6 +123,12 @@
 ssl-cert=/etc/mysql/ssl/server-cert.pem
 ssl-key=/etc/mysql/ssl/server-key.pem
 ssl-cipher=TLSv1.2
+<% elsif @ssl == 'puppet-cert' %>
+# ssl
+ssl-ca=/etc/ssl/certs/Puppet_Internal_CA.pem
+ssl-cert=/etc/mysql/ssl/cert.pem
+ssl-key=/etc/mysql/ssl/server.key
+ssl-cipher=TLSv1.2
 <% end %>
 <% if @p_s == 'on' %>
 # Enabling performance_schema (disabled by default in MariaDB10)
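
Review bot: the [mysqld] branch points ssl-cert and ssl-key at /etc/mysql/ssl/cert.pem and /etc/mysql/ssl/server.key, but neither of the two files in this change installs them, and the names differ from the server-cert.pem / server-key.pem pair used by the branch above. Confirm that whatever handles ssl => 'puppet-cert' deploys both files, with the key readable only by the mysql user, before mysqld is restarted with this config. The three path lines are also repeated verbatim from the client block; setting them once in template variables would keep the two sections from drifting.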

-- 
To view, visit https://gerrit.wikimedia.org/r/324908

Gerrit-MessageType: newchange
Gerrit-Change-Id: I1b5b8701ace8ccd78b93f38e865621631c75b407
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Jcrespo <[email protected]>
