
Change subject: profile::cache::ssl::unified: move from role, refactor
......................................................................

profile::cache::ssl::unified: move from role, refactor

role::cache::ssl::unified had a big `if $::realm` guard; refactor it to be slightly
more general by making the if guards depend on the features we want to enable
(letsencrypt vs. vendor certificate, monitoring) rather than on the realm.

While this refactoring is far from complete, it lays the path to have SSL 
monitoring in beta as well.

Change-Id: Ib34c2373659d12b16753a142c2eb6265441d9be7
---
M hieradata/labs.yaml
M hieradata/role/common/cache/canary.yaml
M hieradata/role/common/cache/misc.yaml
M hieradata/role/common/cache/text.yaml
M hieradata/role/common/cache/upload.yaml
M modules/profile/manifests/cache/base.pp
R modules/profile/manifests/cache/ssl/unified.pp
M modules/role/manifests/cache/misc.pp
M modules/role/manifests/cache/text.pp
M modules/role/manifests/cache/upload.pp
10 files changed, 80 insertions(+), 47 deletions(-)



diff --git a/hieradata/labs.yaml b/hieradata/labs.yaml
index 423c9c2..99de41f 100644
--- a/hieradata/labs.yaml
+++ b/hieradata/labs.yaml
@@ -60,6 +60,12 @@
 profile::cache::base::zero_site: 'https://zero.wikimedia.beta.wmflabs.org'
 profile::cache::base::purge_host_only_upload_re: 
'^(upload|maps)\.beta\.wmflabs\.org$'
 profile::cache::base::purge_host_not_upload_re: 
'^(?!(upload|maps)\.beta\.wmflabs\.org)'
+# Profile::cache::ssl::unified
+profile::cache::ssl::unified::monitoring: false
+profile::cache::ssl::unified::letsencrypt: true
+profile::cache::ssl::unified::le_server_name: 'beta.wmflabs.org'
+profile::cache::ssl::unified::le_subjects: ['beta.wmflabs.org']
+
 role::cache::upload::upload_domain: 'upload.beta.wmflabs.org'
 role::cache::upload::maps_domain: 'maps.beta.wmflabs.org'
 role::cache::text::static_host: 'deployment.wikimedia.beta.wmflabs.org'
diff --git a/hieradata/role/common/cache/canary.yaml 
b/hieradata/role/common/cache/canary.yaml
index af9af16..3f38c01 100644
--- a/hieradata/role/common/cache/canary.yaml
+++ b/hieradata/role/common/cache/canary.yaml
@@ -81,3 +81,6 @@
 profile::cache::base::purge_host_only_upload_re: 
'^(upload|maps)\.wikimedia\.org$'
 profile::cache::base::purge_host_not_upload_re: 
'^(?!(upload|maps)\.wikimedia\.org)'
 profile::cache::base::storage_parts: ['sda3', 'sdb3']
+# Profile::cache::ssl::unified
+profile::cache::ssl::unified::monitoring: true
+profile::cache::ssl::unified::letsencrypt: false
diff --git a/hieradata/role/common/cache/misc.yaml 
b/hieradata/role/common/cache/misc.yaml
index 46c4dd5..179b7f6 100644
--- a/hieradata/role/common/cache/misc.yaml
+++ b/hieradata/role/common/cache/misc.yaml
@@ -280,3 +280,6 @@
 profile::cache::base::purge_host_only_upload_re: 
'^(upload|maps)\.wikimedia\.org$'
 profile::cache::base::purge_host_not_upload_re: 
'^(?!(upload|maps)\.wikimedia\.org)'
 profile::cache::base::storage_parts: ['sda3', 'sdb3']
+# Profile::cache::ssl::unified
+profile::cache::ssl::unified::monitoring: true
+profile::cache::ssl::unified::letsencrypt: false
diff --git a/hieradata/role/common/cache/text.yaml 
b/hieradata/role/common/cache/text.yaml
index eb2c805..6fc0b46 100644
--- a/hieradata/role/common/cache/text.yaml
+++ b/hieradata/role/common/cache/text.yaml
@@ -88,3 +88,6 @@
 profile::cache::base::purge_host_only_upload_re: 
'^(upload|maps)\.wikimedia\.org$'
 profile::cache::base::purge_host_not_upload_re: 
'^(?!(upload|maps)\.wikimedia\.org)'
 profile::cache::base::storage_parts: ['sda3', 'sdb3']
+# Profile::cache::ssl::unified
+profile::cache::ssl::unified::monitoring: true
+profile::cache::ssl::unified::letsencrypt: false
diff --git a/hieradata/role/common/cache/upload.yaml 
b/hieradata/role/common/cache/upload.yaml
index d154fcb..8a42003 100644
--- a/hieradata/role/common/cache/upload.yaml
+++ b/hieradata/role/common/cache/upload.yaml
@@ -57,3 +57,6 @@
 profile::cache::base::purge_host_only_upload_re: 
'^(upload|maps)\.wikimedia\.org$'
 profile::cache::base::purge_host_not_upload_re: 
'^(?!(upload|maps)\.wikimedia\.org)'
 profile::cache::base::storage_parts: ['sda3', 'sdb3']
+# Profile::cache::ssl::unified
+profile::cache::ssl::unified::monitoring: true
+profile::cache::ssl::unified::letsencrypt: false
diff --git a/modules/profile/manifests/cache/base.pp 
b/modules/profile/manifests/cache/base.pp
index 1df5db5..5994e0e 100644
--- a/modules/profile/manifests/cache/base.pp
+++ b/modules/profile/manifests/cache/base.pp
@@ -27,6 +27,8 @@
     require ::profile::conftool::client
     require ::profile::cache::kafka::webrequest
     require ::profile::prometheus::varnish_exporter
+    require ::profile::cache::ssl::unified
+
     include ::role::lvs::realserver
     require ::standard
 
@@ -34,10 +36,14 @@
 
     class { 'conftool::scripts': }
 
+    # TLS termination
+
+
+
+    # TODO: Spin off a profile::cache::base::production?
     if $::realm == 'production' {
         # Only production needs system perf tweaks
         class { 'cacheproxy::performance': }
-
         # Periodic cron restarts, we need this to mitigate T145661
         class { 'cacheproxy::cron_restart':
             nodes => $nodes
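Review bot: The new `# TLS termination` comment followed by three empty lines introduces nothing; the actual `require ::profile::cache::ssl::unified` was placed in the require list above, so the stub should either be dropped or moved next to that line as `# TLS termination (nginx in front of varnish), see profile::cache::ssl::unified`. Turning the role-level `include` into a `require` from profile::cache::base also makes base depend on the TLS profile, while the renamed profile's tail (outside this hunk) still carries ordering logic against the varnish/nginx services; if that ordering references resources declared by base, this could form a dependency cycle, so it is worth a puppet compile check before merge. The roles in this change still `include ::profile::cache::ssl::unified` themselves, which is now redundant with the `require` here. The enclosing class starts before this hunk.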
diff --git a/modules/role/manifests/cache/ssl/unified.pp 
b/modules/profile/manifests/cache/ssl/unified.pp
similarity index 73%
rename from modules/role/manifests/cache/ssl/unified.pp
rename to modules/profile/manifests/cache/ssl/unified.pp
index d131ced..028d799 100644
--- a/modules/role/manifests/cache/ssl/unified.pp
+++ b/modules/profile/manifests/cache/ssl/unified.pp
@@ -1,8 +1,52 @@
-class role::cache::ssl::unified(
-    $labs_server_name = 'beta.wmflabs.org',
-    $labs_subjects = ['beta.wmflabs.org'],
+# == Class profile::cache::ssl::unified
+#
+# Sets up TLS termination for a cache host. It can be used both with 
letsencrypt
+# and with a certificate from a commercial vendor (typically when a unified,
+# multiple-wildcard cert is needed, as in production).
+#
+class profile::cache::ssl::unified(
+    $monitoring=hiera('profile::cache::ssl::unified::monitoring'),
+    $letsencrypt=hiera('profile::cache::ssl::unified::letsencrypt'),
+    $ucv=hiera('public_tls_unified_cert_vendor', undef),
+    $le_server_name=hiera('profile::cache::ssl::unified::le_server_name', 
undef),
+    $le_subjects=hiera('profile::cache::ssl::le_subjects', undef)
 ) {
-    if ( $::realm == 'production' ) {
+    if $letsencrypt {
+        tlsproxy::localssl { 'unified':
+            server_name    => $le_server_name,
+            acme_subjects  => $le_subjects,
+            default_server => true,
+            do_ocsp        => false,
+            skip_private   => true,
+            upstream_ports => [3120, 3121, 3122, 3123, 3124, 3125, 3126, 3127],
+            redir_port     => 8080,
+        }
+
+    } else {
+        # TODO: generalize this a bit?
+        $certs_active = [
+            "${ucv}-2016-ecdsa-unified", "${ucv}-2016-rsa-unified",
+        ]
+        # These certs are deployed to all caches and OCSP stapled,
+        # ready for use in $certs_active as options
+        $certs = [
+            'globalsign-2016-ecdsa-unified', 'globalsign-2016-rsa-unified',
+            'digicert-2016-ecdsa-unified', 'digicert-2016-rsa-unified',
+        ]
+        tlsproxy::localssl { 'unified':
+            server_name    => 'www.wikimedia.org',
+            certs          => $certs,
+            certs_active   => $certs_active,
+            default_server => true,
+            do_ocsp        => true,
+            upstream_ports => [3120, 3121, 3122, 3123, 3124, 3125, 3126, 3127],
+            redir_port     => 8080,
+        }
+    }
+
+    if ( $monitoring ) {
+        # TODO: this is just good for production of course, we might
+        # want to move these variables to hiera
         $check_cn = 'en.wikipedia.org'
         $check_sans = [
             'wikipedia.org',   '*.wikipedia.org',   '*.m.wikipedia.org', 
'*.zero.wikipedia.org',
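Review bot: The hiera key looked up for `$le_subjects` does not match the key the same change adds to labs.yaml: the parameter reads `hiera('profile::cache::ssl::le_subjects', undef)` while hieradata sets `profile::cache::ssl::unified::le_subjects`, so on beta `acme_subjects` will be `undef` and the letsencrypt branch will not request the certificate it expects; it should read `$le_subjects=hiera('profile::cache::ssl::unified::le_subjects', undef)`. Separately, `$ucv` used to be a mandatory lookup (`hiera('public_tls_unified_cert_vendor')`) but now defaults to `undef`, so a host with `letsencrypt: false` and no vendor set would silently build `certs_active` as `-2016-ecdsa-unified`/`-2016-rsa-unified` instead of failing to compile; dropping the `undef` default, or guarding the else branch with `unless $ucv { fail('public_tls_unified_cert_vendor must be set when letsencrypt is false') }`, keeps the old fail-fast behaviour. The class header comment could also document the parameters, in particular that `le_server_name`/`le_subjects` are only consulted when `letsencrypt` is true and that `monitoring` currently hard-codes the production unified cert's CN/SANs. The `$check_sans` list and the rest of the class continue past this hunk.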
@@ -32,42 +76,7 @@
             description   => 'HTTPS Unified RSA',
             check_command => 
"check_ssl_unified!RSA!${check_cn}!${check_sans_str}",
         }
-
-        # These certs are deployed to all caches and OCSP stapled, ready for 
use in $certs_active as options
-        $certs = [
-            'globalsign-2016-ecdsa-unified', 'globalsign-2016-rsa-unified',
-            'digicert-2016-ecdsa-unified', 'digicert-2016-rsa-unified',
-        ]
-
-        # These are the active set of certs, varies by datacenter in hieradata
-        $ucv = hiera('public_tls_unified_cert_vendor') # 'globalsign' or 
'digicert'
-        $certs_active = [
-            "${ucv}-2016-ecdsa-unified", "${ucv}-2016-rsa-unified",
-        ]
-
-        tlsproxy::localssl { 'unified':
-            server_name    => 'www.wikimedia.org',
-            certs          => $certs,
-            certs_active   => $certs_active,
-            default_server => true,
-            do_ocsp        => true,
-            upstream_ports => [3120, 3121, 3122, 3123, 3124, 3125, 3126, 3127],
-            redir_port     => 8080,
-        }
     }
-    else {
-        tlsproxy::localssl { 'unified':
-            server_name    => $labs_server_name,
-            acme_subjects  => $labs_subjects,
-            default_server => true,
-            do_ocsp        => false,
-            skip_private   => true,
-            upstream_ports => [3120, 3121, 3122, 3123, 3124, 3125, 3126, 3127],
-            redir_port     => 8080,
-        }
-        # TODO: Monitor SSL? Also commented in tlsproxy::localssl
-    }
-
     # ordering ensures nginx/varnish config/service-start are
     #  not intermingled during initial install where they could
     #  have temporary conflicts on binding port 80
diff --git a/modules/role/manifests/cache/misc.pp 
b/modules/role/manifests/cache/misc.pp
index de1e456..55b49cb 100644
--- a/modules/role/manifests/cache/misc.pp
+++ b/modules/role/manifests/cache/misc.pp
@@ -3,8 +3,8 @@
         description => 'misc Varnish cache server',
     }
 
-    include profile::cache::base
-    include role::cache::ssl::unified
+    include ::profile::cache::base
+    include ::profile::cache::ssl::unified
 
     class { 'tlsproxy::prometheus': }
     class { 'prometheus::node_vhtcpd': }
diff --git a/modules/role/manifests/cache/text.pp 
b/modules/role/manifests/cache/text.pp
index 6f409dd..5ceab14 100644
--- a/modules/role/manifests/cache/text.pp
+++ b/modules/role/manifests/cache/text.pp
@@ -12,8 +12,8 @@
 
     require geoip
     require geoip::dev # for VCL compilation using libGeoIP
-    include profile::cache::base
-    include role::cache::ssl::unified
+    include ::profile::cache::base
+    include ::profile::cache::ssl::unified
     include ::standard
 
     class { 'tlsproxy::prometheus': }
diff --git a/modules/role/manifests/cache/upload.pp 
b/modules/role/manifests/cache/upload.pp
index d1b4741..f4e9ff0 100644
--- a/modules/role/manifests/cache/upload.pp
+++ b/modules/role/manifests/cache/upload.pp
@@ -7,8 +7,8 @@
         description => 'upload Varnish cache server',
     }
 
-    include profile::cache::base
-    include role::cache::ssl::unified
+    include ::profile::cache::base
+    include ::profile::cache::ssl::unified
     include ::standard
 
     class { 'prometheus::node_vhtcpd': }
@@ -76,7 +76,7 @@
 
     $common_runtime_params = ['default_ttl=86400']
 
-    class { 'role::cache::instances':
+    class { 'cacheproxy::instances':
         cache_type        => 'upload',
         fe_jemalloc_conf  => 'lg_dirty_mult:8,lg_chunk:17',
         fe_runtime_params => $common_runtime_params,
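Review bot: The switch from `class { 'role::cache::instances': ...}` to `class { 'cacheproxy::instances': ...}` is not mentioned in the commit message, which only describes the ssl::unified move; if it is a needed follow-up to an earlier rename it deserves a sentence in the description, otherwise it belongs in its own change. The misc and text roles touched by this change are not updated the same way here, so presumably they already reference `cacheproxy::instances` — worth confirming so the three cache roles stay consistent. The enclosing class body continues outside this hunk.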


Gerrit-MessageType: newchange
Gerrit-Change-Id: Ib34c2373659d12b16753a142c2eb6265441d9be7
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Giuseppe Lavagetto <glavage...@wikimedia.org>
