[MediaWiki-commits] [Gerrit] cassandra: install certs and CA from private.git - change (operations/puppet)
Filippo Giunchedi has submitted this change and it was merged. Change subject: cassandra: install certs and CA from private.git .. cassandra: install certs and CA from private.git Also make server encryption configurable, but disabled. Bug: T108953 Change-Id: I1554b0e2a10338d3e1b5e35f951b975bf9c46b1a --- M modules/cassandra/manifests/init.pp M modules/cassandra/templates/cassandra.yaml.erb 2 files changed, 53 insertions(+), 10 deletions(-) Approvals: Filippo Giunchedi: Verified; Looks good to me, approved Eevans: Looks good to me, but someone else must approve GWicke: Looks good to me, but someone else must approve
diff --git a/modules/cassandra/manifests/init.pp b/modules/cassandra/manifests/init.pp
index 3299afd..91fb7bd 100644
--- a/modules/cassandra/manifests/init.pp
+++ b/modules/cassandra/manifests/init.pp
@@ -175,6 +175,20 @@
 # [*key_cache_size_in_mb*]
 # Maximum size of the key cache in memory.
 # Default: empty (aka "auto" (min(5% of heap (in MB), 100MB)))
+#
+# [*tls_cluster_name*]
+# If specified, use private keys (client and server) from private.git
+# belonging to this cluster. Also install the cluster's CA as trusted.
+# Default: undef
+#
+# [*internode_encryption*]
+# What level of inter node encryption to enable
+# Default: none
+#
+# [*client_encryption_enabled*]
+# Enable client-side encryption
+# Default: false
+
 class cassandra(
 $cluster_name = 'Test Cluster',
 $seeds= [$::ipaddress],
@@ -214,6 +228,9 @@
 $dc = 'datacenter1',
 $rack = 'rack1',
 $key_cache_size_in_mb = 400,
+$tls_cluster_name = undef,
+$internode_encryption = none,
+$client_encryption_enabled= false,
 $yaml_template= "${module}/cassandra.yaml.erb",
 $env_template = "${module}/cassandra-env.sh.erb",
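Review bot: `$internode_encryption = none` in the parameter list is an unquoted bareword; it happens to parse as the string 'none', but puppet-lint flags it and it is inconsistent with the quoted defaults around it (`'datacenter1'`, `'rack1'`), so `$internode_encryption = 'none',` is the clearer form. Nothing validates the combination of the three new parameters: the yaml template points keystore and truststore at `/etc/cassandra/tls/...`, which this class only creates when `$tls_cluster_name` is set, so setting `$internode_encryption` to anything but 'none' or `$client_encryption_enabled => true` with `$tls_cluster_name` undef would presumably leave Cassandra unable to load its keystore at startup instead of failing the catalog. A compile-time guard in the class body such as `if ($internode_encryption != 'none' or $client_encryption_enabled) and !$tls_cluster_name { fail('cassandra: tls_cluster_name is required when encryption is enabled') }` would surface the misconfiguration early; restricting `$internode_encryption` to Cassandra's accepted values (none, dc, rack, all) in the same place would be worthwhile. The class declaration continues outside this hunk, and the same parameters are introduced in the patchset-1 copy of this hunk further down the page.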
@@ -344,6 +361,32 @@
 require => Package['cassandra'],
 }
+if ($tls_cluster_name) {
+file { '/etc/cassandra/tls':
+ensure => directory,
+owner => 'cassandra',
+group => 'cassandra',
+mode=> '0400',
+require => Package['cassandra'],
+}
+
+file { '/etc/cassandra/tls/server.key':
+content => secret("cassandra/${tls_cluster_name}/${hostname}/${hostname}.kst"),
+owner => 'cassandra',
+group => 'cassandra',
+mode=> '0400',
+require => File['/etc/cassandra/tls'],
+}
+
+file { '/etc/cassandra/tls/server.trust':
+content => secret("cassandra/${tls_cluster_name}/truststore"),
+owner => 'cassandra',
+group => 'cassandra',
+mode=> '0400',
+require => File['/etc/cassandra/tls'],
+}
+}
+
 file { '/etc/default/cassandra':
 content => template("${module_name}/cassandra.default.erb"),
 owner => 'cassandra',
diff --git a/modules/cassandra/templates/cassandra.yaml.erb b/modules/cassandra/templates/cassandra.yaml.erb
index dc23590..dd78730 100644
--- a/modules/cassandra/templates/cassandra.yaml.erb
+++ b/modules/cassandra/templates/cassandra.yaml.erb
@@ -731,11 +731,11 @@
 # http://download.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore
 #
 server_encryption_options:
-internode_encryption: none
-keystore: conf/.keystore
-keystore_password: cassandra
-truststore: conf/.truststore
-truststore_password: cassandra
+internode_encryption: <%= @internode_encryption %>
+keystore: /etc/cassandra/tls/server.key
+keystore_password: placeholder
+truststore: /etc/cassandra/tls/server.trust
+truststore_password: placeholder
 # More advanced defaults below:
 # protocol: TLS
 # algorithm: SunX509
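Review bot: The `secret()` path for `/etc/cassandra/tls/server.key` interpolates the unqualified fact `${hostname}` twice, while the rest of the class qualifies facts (`$::ipaddress` in the seeds default); under Puppet 3 an unqualified name resolves through dynamic scoping and can be shadowed by a local variable, so `content => secret("cassandra/${tls_cluster_name}/${::hostname}/${::hostname}.kst"),` is both safer and consistent. Only `server.key` and `server.trust` are installed, yet the parameter documentation in the first hunk promises client keys and the yaml template references `/etc/cassandra/tls/client.key` (and, commented out, `client.trust`), so enabling `$client_encryption_enabled` points Cassandra at a file this manifest never creates; either add the matching `file` resources under the same `if` or drop the client paths from the template and the doc. The `/etc/cassandra/tls` directory is declared with `mode => '0400'`; Puppet's file type should add the search bit to directories wherever read is set, so this likely works, but `mode => '0500',` states the intent explicitly. The patchset-1 copy of this hunk further down the page has the same `${hostname}` issue and additionally lacks the directory resource and uses relative `tls/...` paths in the template, which the merged version corrects.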
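Review bot: `keystore_password: placeholder` and `truststore_password: placeholder` hardcode the credential protecting `/etc/cassandra/tls/server.key`; Cassandra needs the literal password the keystore in private.git was created with, so unless that keystore really uses the string 'placeholder' this configuration fails as soon as `internode_encryption` is switched away from `none`, and if it does use it, the keystore password is now a public string in operations/puppet. Both values should be sourced from private.git alongside the keystore, e.g. a class parameter populated via a `secret()` lookup (path to be chosen, something like `secret("cassandra/${tls_cluster_name}/keystore_password")`) and rendered as `keystore_password: <%= @tls_keystore_password %>`, with the truststore handled the same way. The same placeholders appear in the client_encryption_options hunk below and in both yaml hunks of the patchset-1 copy further down the page. `<%= @internode_encryption %>` is rendered unquoted, which is fine for Cassandra's bare tokens none/dc/rack/all as long as the parameter is validated to that set on the Puppet side.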
@@ -745,13 +745,13 @@
 # enable or disable client/server encryption.
 client_encryption_options:
-enabled: false
-keystore: conf/.keystore
-keystore_password: cassandra
+enabled: <%= @client_encryption_enabled %>
+keystore: /etc/cassandra/tls/client.key
+keystore_password: placeholder
 # require_client_auth: false
 # Set trustore and truststore_password if require_client_auth is true
-# truststore: conf/.truststore
-# truststore_password: cassandra
+# truststore: /etc/cassandra/tls/client.trust
+# truststore_password: placeholder
 # More advanced defaults below:
 # protocol: TLS
 # algorithm: SunX509
--
To view, visit https://gerrit.wikimedia.org/r/237397 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I1554b0e2a10338d3e1b5e35f951b975bf9c46b1a Gerrit-PatchSet: 3 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit
[MediaWiki-commits] [Gerrit] cassandra: install certs and CA from private.git - change (operations/puppet)
Filippo Giunchedi has uploaded a new change for review. https://gerrit.wikimedia.org/r/237397 Change subject: cassandra: install certs and CA from private.git .. cassandra: install certs and CA from private.git Also make server encryption configurable, but disabled. Bug: T108953 Change-Id: I1554b0e2a10338d3e1b5e35f951b975bf9c46b1a --- M modules/cassandra/manifests/init.pp M modules/cassandra/templates/cassandra.yaml.erb 2 files changed, 45 insertions(+), 10 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/97/237397/1
diff --git a/modules/cassandra/manifests/init.pp b/modules/cassandra/manifests/init.pp
index 3299afd..c4887fd 100644
--- a/modules/cassandra/manifests/init.pp
+++ b/modules/cassandra/manifests/init.pp
@@ -175,6 +175,20 @@
 # [*key_cache_size_in_mb*]
 # Maximum size of the key cache in memory.
 # Default: empty (aka "auto" (min(5% of heap (in MB), 100MB)))
+#
+# [*tls_cluster_name*]
+# If specified, use private keys (client and server) from private.git
+# belonging to this cluster. Also install the cluster's CA as trusted.
+# Default: undef
+#
+# [*internode_encryption*]
+# What level of inter node encryption to enable
+# Default: none
+#
+# [*client_encryption_enabled*]
+# Enable client-side encryption
+# Default: false
+
 class cassandra(
 $cluster_name = 'Test Cluster',
 $seeds= [$::ipaddress],
@@ -214,6 +228,9 @@
 $dc = 'datacenter1',
 $rack = 'rack1',
 $key_cache_size_in_mb = 400,
+$tls_cluster_name = undef,
+$internode_encryption = none,
+$client_encryption_enabled= false,
 $yaml_template= "${module}/cassandra.yaml.erb",
 $env_template = "${module}/cassandra-env.sh.erb",
@@ -344,6 +361,24 @@
 require => Package['cassandra'],
 }
+if ($tls_cluster_name) {
+file { '/etc/cassandra/tls/server.key':
+content => secret("cassandra/${tls_cluster_name}/${hostname}/${hostname}.kst"),
+owner => 'cassandra',
+group => 'cassandra',
+mode=> '0400',
+require => Package['cassandra'],
+}
+
+file { '/etc/cassandra/tls/server.trust':
+content => secret("cassandra/${tls_cluster_name}/truststore"),
+owner => 'cassandra',
+group => 'cassandra',
+mode=> '0400',
+require => Package['cassandra'],
+}
+}
+
 file { '/etc/default/cassandra':
 content => template("${module_name}/cassandra.default.erb"),
 owner => 'cassandra',
diff --git a/modules/cassandra/templates/cassandra.yaml.erb b/modules/cassandra/templates/cassandra.yaml.erb
index dc23590..b8a62ed 100644
--- a/modules/cassandra/templates/cassandra.yaml.erb
+++ b/modules/cassandra/templates/cassandra.yaml.erb
@@ -731,11 +731,11 @@
 # http://download.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore
 #
 server_encryption_options:
-internode_encryption: none
-keystore: conf/.keystore
-keystore_password: cassandra
-truststore: conf/.truststore
-truststore_password: cassandra
+internode_encryption: <%= @internode_encryption %>
+keystore: tls/server.key
+keystore_password: placeholder
+truststore: tls/server.trust
+truststore_password: placeholder
 # More advanced defaults below:
 # protocol: TLS
 # algorithm: SunX509
@@ -745,13 +745,13 @@
 # enable or disable client/server encryption.
 client_encryption_options:
-enabled: false
-keystore: conf/.keystore
-keystore_password: cassandra
+enabled: <%= @client_encryption_enabled %>
+keystore: tls/client.key
+keystore_password: placeholder
 # require_client_auth: false
 # Set trustore and truststore_password if require_client_auth is true
-# truststore: conf/.truststore
-# truststore_password: cassandra
+# truststore: tls/client.trust
+# truststore_password: placeholder
 # More advanced defaults below:
 # protocol: TLS
 # algorithm: SunX509
--
To view, visit https://gerrit.wikimedia.org/r/237397 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I1554b0e2a10338d3e1b5e35f951b975bf9c46b1a Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Filippo Giunchedi ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits