[MediaWiki-commits] [Gerrit] cassandra: install certs and CA from private.git - change (operations/puppet)

2015-09-11 Thread Filippo Giunchedi (Code Review)
Filippo Giunchedi has submitted this change and it was merged.

Change subject: cassandra: install certs and CA from private.git
..


cassandra: install certs and CA from private.git

Also make server encryption configurable, but disabled.

Bug: T108953
Change-Id: I1554b0e2a10338d3e1b5e35f951b975bf9c46b1a
---
M modules/cassandra/manifests/init.pp
M modules/cassandra/templates/cassandra.yaml.erb
2 files changed, 53 insertions(+), 10 deletions(-)

Approvals:
  Filippo Giunchedi: Verified; Looks good to me, approved
  Eevans: Looks good to me, but someone else must approve
  GWicke: Looks good to me, but someone else must approve



diff --git a/modules/cassandra/manifests/init.pp 
b/modules/cassandra/manifests/init.pp
index 3299afd..91fb7bd 100644
--- a/modules/cassandra/manifests/init.pp
+++ b/modules/cassandra/manifests/init.pp
@@ -175,6 +175,20 @@
 # [*key_cache_size_in_mb*]
 #   Maximum size of the key cache in memory.
 #   Default: empty (aka "auto" (min(5% of heap (in MB), 100MB)))
+#
+# [*tls_cluster_name*]
+#   If specified, use private keys (client and server) from private.git
+#   belonging to this cluster. Also install the cluster's CA as trusted.
+#   Default: undef
+#
+# [*internode_encryption*]
+#   What level of inter node encryption to enable
+#   Default: none
+#
+# [*client_encryption_enabled*]
+#   Enable client-side encryption
+#   Default: false
+
 class cassandra(
 $cluster_name = 'Test Cluster',
 $seeds= [$::ipaddress],
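Review bot: the [*tls_cluster_name*] doc block says private keys for "client and server" are taken from private.git, but the manifest change further down in this patch set installs only /etc/cassandra/tls/server.key and server.trust; either narrow the wording to the server keystore and truststore or add the client keystore resource so the doc and the code agree. The [*internode_encryption*] entry would also help operators if it listed the values Cassandra accepts (none, dc, rack, all), since the parameter is rendered verbatim into cassandra.yaml and anything else is only caught at node startup.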
@@ -214,6 +228,9 @@
 $dc   = 'datacenter1',
 $rack = 'rack1',
 $key_cache_size_in_mb = 400,
+$tls_cluster_name = undef,
+$internode_encryption = none,
+$client_encryption_enabled= false,
 
 $yaml_template= "${module}/cassandra.yaml.erb",
 $env_template = "${module}/cassandra-env.sh.erb",
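Review bot: "$internode_encryption = none," uses a bare word where every other string default in this parameter list is quoted ('Test Cluster', 'datacenter1', 'rack1'); write it as 'none' so it is unambiguously a string and does not depend on bare-word handling in the parser. Minor: "$client_encryption_enabled= false," is missing the space before "=" that the neighbouring parameters use.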
@@ -344,6 +361,32 @@
 require => Package['cassandra'],
 }
 
+if ($tls_cluster_name) {
+file { '/etc/cassandra/tls':
+ensure  => directory,
+owner   => 'cassandra',
+group   => 'cassandra',
+mode=> '0400',
+require => Package['cassandra'],
+}
+
+file { '/etc/cassandra/tls/server.key':
+content => 
secret("cassandra/${tls_cluster_name}/${hostname}/${hostname}.kst"),
+owner   => 'cassandra',
+group   => 'cassandra',
+mode=> '0400',
+require => File['/etc/cassandra/tls'],
+}
+
+file { '/etc/cassandra/tls/server.trust':
+content => secret("cassandra/${tls_cluster_name}/truststore"),
+owner   => 'cassandra',
+group   => 'cassandra',
+mode=> '0400',
+require => File['/etc/cassandra/tls'],
+}
+}
+
 file { '/etc/default/cassandra':
 content => template("${module_name}/cassandra.default.erb"),
 owner   => 'cassandra',
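Review bot: mode '0400' on the /etc/cassandra/tls directory resource leaves out the execute bit, and without it the cassandra user cannot traverse the directory to open server.key or server.trust underneath it, so the keystore load fails as soon as internode_encryption is set to anything other than none; use '0500' for the directory and keep '0400' on the two files, which is right for them. Separately, consider whether a changed server.key should notify the cassandra service resource (if this module manages one) so that a rotated keystore is actually picked up, or state in the doc block that a restart after rotation is a manual step.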
diff --git a/modules/cassandra/templates/cassandra.yaml.erb 
b/modules/cassandra/templates/cassandra.yaml.erb
index dc23590..dd78730 100644
--- a/modules/cassandra/templates/cassandra.yaml.erb
+++ b/modules/cassandra/templates/cassandra.yaml.erb
@@ -731,11 +731,11 @@
 # 
http://download.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore
 #
 server_encryption_options:
-internode_encryption: none
-keystore: conf/.keystore
-keystore_password: cassandra
-truststore: conf/.truststore
-truststore_password: cassandra
+internode_encryption: <%= @internode_encryption %>
+keystore: /etc/cassandra/tls/server.key
+keystore_password: placeholder
+truststore: /etc/cassandra/tls/server.trust
+truststore_password: placeholder
 # More advanced defaults below:
 # protocol: TLS
 # algorithm: SunX509
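Review bot: "keystore_password: placeholder" and "truststore_password: placeholder" are literal passwords in the template, and a JKS keystore only opens if this string matches the password it was created with, so either the .kst and truststore files in private.git were generated with the password "placeholder" (which is then visible in this repository) or the node fails to start the moment internode_encryption is set to anything but none. Suggest looking both passwords up with secret() next to the files and rendering them, e.g. "keystore_password: <%= @keystore_password %>" with the value passed in from init.pp. While touching this block, consider setting "require_client_auth: true" under server_encryption_options for the non-none case so that a peer connecting to the storage port has to present a certificate chained to the CA in server.trust; without it the truststore only authenticates the remote side when this node is the one opening the connection.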
@@ -745,13 +745,13 @@
 
 # enable or disable client/server encryption.
 client_encryption_options:
-enabled: false
-keystore: conf/.keystore
-keystore_password: cassandra
+enabled: <%= @client_encryption_enabled %>
+keystore: /etc/cassandra/tls/client.key
+keystore_password: placeholder
 # require_client_auth: false
 # Set trustore and truststore_password if require_client_auth is true
-# truststore: conf/.truststore
-# truststore_password: cassandra
+# truststore: /etc/cassandra/tls/client.trust
+# truststore_password: placeholder
 # More advanced defaults below:
 # protocol: TLS
 # algorithm: SunX509
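Review bot: "keystore: /etc/cassandra/tls/client.key" points at a file that nothing in this change creates (the "if ($tls_cluster_name)" block in init.pp writes only server.key and server.trust), so setting client_encryption_enabled to true leaves Cassandra unable to open the keystore for the native transport. Either add a file resource for the client keystore beside the server one, or point this at /etc/cassandra/tls/server.key if the same certificate is meant to serve CQL clients. The commented "# truststore: /etc/cassandra/tls/client.trust" line has the same gap once require_client_auth is turned on.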

-- 
To view, visit https://gerrit.wikimedia.org/r/237397
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I1554b0e2a10338d3e1b5e35f951b975bf9c46b1a
Gerrit-PatchSet: 3
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit

[MediaWiki-commits] [Gerrit] cassandra: install certs and CA from private.git - change (operations/puppet)

2015-09-10 Thread Filippo Giunchedi (Code Review)
Filippo Giunchedi has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/237397

Change subject: cassandra: install certs and CA from private.git
..

cassandra: install certs and CA from private.git

Also make server encryption configurable, but disabled.

Bug: T108953
Change-Id: I1554b0e2a10338d3e1b5e35f951b975bf9c46b1a
---
M modules/cassandra/manifests/init.pp
M modules/cassandra/templates/cassandra.yaml.erb
2 files changed, 45 insertions(+), 10 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/97/237397/1

diff --git a/modules/cassandra/manifests/init.pp 
b/modules/cassandra/manifests/init.pp
index 3299afd..c4887fd 100644
--- a/modules/cassandra/manifests/init.pp
+++ b/modules/cassandra/manifests/init.pp
@@ -175,6 +175,20 @@
 # [*key_cache_size_in_mb*]
 #   Maximum size of the key cache in memory.
 #   Default: empty (aka "auto" (min(5% of heap (in MB), 100MB)))
+#
+# [*tls_cluster_name*]
+#   If specified, use private keys (client and server) from private.git
+#   belonging to this cluster. Also install the cluster's CA as trusted.
+#   Default: undef
+#
+# [*internode_encryption*]
+#   What level of inter node encryption to enable
+#   Default: none
+#
+# [*client_encryption_enabled*]
+#   Enable client-side encryption
+#   Default: false
+
 class cassandra(
 $cluster_name = 'Test Cluster',
 $seeds= [$::ipaddress],
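Review bot: the [*client_encryption_enabled*] doc line "Enable client-side encryption" suggests something happening on the client, whereas what it toggles is client_encryption_options.enabled in cassandra.yaml, i.e. TLS on this node's native transport for connecting CQL clients; "Enable TLS for client connections (native transport)" describes the parameter more precisely and avoids confusion with internode_encryption.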
@@ -214,6 +228,9 @@
 $dc   = 'datacenter1',
 $rack = 'rack1',
 $key_cache_size_in_mb = 400,
+$tls_cluster_name = undef,
+$internode_encryption = none,
+$client_encryption_enabled= false,
 
 $yaml_template= "${module}/cassandra.yaml.erb",
 $env_template = "${module}/cassandra-env.sh.erb",
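Review bot: $internode_encryption is copied verbatim into cassandra.yaml by the template, so a typo or an unexpected value (for example a boolean passed by a caller that confuses it with $client_encryption_enabled) only surfaces as a Cassandra startup error on the node; a validate_re($internode_encryption, '^(none|dc|rack|all)$') call (stdlib, assuming it is available in this tree) next to the parameter list would reject a bad value at catalog compile time instead.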
@@ -344,6 +361,24 @@
 require => Package['cassandra'],
 }
 
+if ($tls_cluster_name) {
+file { '/etc/cassandra/tls/server.key':
+content => 
secret("cassandra/${tls_cluster_name}/${hostname}/${hostname}.kst"),
+owner   => 'cassandra',
+group   => 'cassandra',
+mode=> '0400',
+require => Package['cassandra'],
+}
+
+file { '/etc/cassandra/tls/server.trust':
+content => secret("cassandra/${tls_cluster_name}/truststore"),
+owner   => 'cassandra',
+group   => 'cassandra',
+mode=> '0400',
+require => Package['cassandra'],
+}
+}
+
 file { '/etc/default/cassandra':
 content => template("${module_name}/cassandra.default.erb"),
 owner   => 'cassandra',
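Review bot: both file resources in the new "if ($tls_cluster_name)" block write into /etc/cassandra/tls/, but nothing in this change declares that directory and Puppet's file type does not create missing parent directories, so the first run on a host where the package does not ship a tls/ subdirectory fails on server.key. Add a "file { '/etc/cassandra/tls': ensure => directory, ... }" resource owned by cassandra with a traversable mode, and have both files require it rather than only Package['cassandra'] so ordering is explicit.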
diff --git a/modules/cassandra/templates/cassandra.yaml.erb 
b/modules/cassandra/templates/cassandra.yaml.erb
index dc23590..b8a62ed 100644
--- a/modules/cassandra/templates/cassandra.yaml.erb
+++ b/modules/cassandra/templates/cassandra.yaml.erb
@@ -731,11 +731,11 @@
 # 
http://download.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore
 #
 server_encryption_options:
-internode_encryption: none
-keystore: conf/.keystore
-keystore_password: cassandra
-truststore: conf/.truststore
-truststore_password: cassandra
+internode_encryption: <%= @internode_encryption %>
+keystore: tls/server.key
+keystore_password: placeholder
+truststore: tls/server.trust
+truststore_password: placeholder
 # More advanced defaults below:
 # protocol: TLS
 # algorithm: SunX509
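Review bot: "keystore: tls/server.key" and "truststore: tls/server.trust" are relative paths, and Cassandra opens them relative to the JVM's working directory, not relative to the configuration directory; the manifest writes the files to /etc/cassandra/tls/, so unless the service happens to be started from /etc/cassandra the keystore is not found. Use the absolute paths /etc/cassandra/tls/server.key and /etc/cassandra/tls/server.trust, which also makes the yaml match the file resources in init.pp at a glance.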
@@ -745,13 +745,13 @@
 
 # enable or disable client/server encryption.
 client_encryption_options:
-enabled: false
-keystore: conf/.keystore
-keystore_password: cassandra
+enabled: <%= @client_encryption_enabled %>
+keystore: tls/client.key
+keystore_password: placeholder
 # require_client_auth: false
 # Set trustore and truststore_password if require_client_auth is true
-# truststore: conf/.truststore
-# truststore_password: cassandra
+# truststore: tls/client.trust
+# truststore_password: placeholder
 # More advanced defaults below:
 # protocol: TLS
 # algorithm: SunX509
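Review bot: "keystore: tls/client.key" has the same relative-path problem as the server_encryption_options block above and, beyond that, no resource in init.pp installs a client keystore at all, so client_encryption_enabled set to true cannot work with this patch set as it stands. Decide whether CQL clients should be served by the same certificate as the storage port (then point this at the server keystore) or by a separate one (then add a secret()-backed file resource for it in the tls block), and use an absolute path under /etc/cassandra/tls either way.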

-- 
To view, visit https://gerrit.wikimedia.org/r/237397
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I1554b0e2a10338d3e1b5e35f951b975bf9c46b1a
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Filippo Giunchedi 

___
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits