Ottomata has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/404737 )

Change subject: [WIP] Produce webrequests from varnishkafka to jumbo Kafka 
cluster via TLS
......................................................................

[WIP] Produce webrequests from varnishkafka to jumbo Kafka cluster via TLS

This needs a lot of very careful review and coordination to merge in prod.
For now this exists in gerrit and is cherry-picked in deployment-prep.

Bug: T175461
Change-Id: I1760c36ee26f015617472073e4c5ab95d53d3e44
---
M modules/profile/manifests/cache/kafka/webrequest.pp
1 file changed, 27 insertions(+), 18 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/37/404737/1

diff --git a/modules/profile/manifests/cache/kafka/webrequest.pp 
b/modules/profile/manifests/cache/kafka/webrequest.pp
index 655779b..50321b1 100644
--- a/modules/profile/manifests/cache/kafka/webrequest.pp
+++ b/modules/profile/manifests/cache/kafka/webrequest.pp
@@ -1,34 +1,39 @@
 # === class profile::cache::kafka::webrequest
 #
 # Sets up a varnishkafka instance producing varnish
-# webrequest logs to the analytics Kafka brokers in eqiad.
+# webrequest logs to a Kafka cluster via TLS.
 #
 # === Parameters
 #
-# [*monitoring_enabled*]
-#   True if the varnishkafka instance should be monitored.
-#
 # [*cache_cluster*]
-#   the name of the cache cluster
+#   The name of the cache cluster.
 #
 # [*statsd*]
 #   The host:port to send statsd data to.
 #
+# [*kafka_cluster_name*]
+#   Name of the Kafka cluster in the hiera kafka_clusters hash.  This can
+#   be unqualified (without DC suffix) or fully qualified. Default: jumbo
+#
+# [*monitoring_enabled*]
+#   True if the varnishkafka instance should be monitored.  Default: false
+#
 class profile::cache::kafka::webrequest(
-    $monitoring_enabled = 
hiera('profile::cache::kafka::webrequest::monitoring_enabled', false),
     $cache_cluster      = hiera('cache::cluster'),
     $statsd             = hiera('statsd'),
+    $kafka_cluster_name = 
hiera('profile::cache::kafka::webrequest::kafka_cluster_name', 'jumbo'),
+    $monitoring_enabled = 
hiera('profile::cache::kafka::webrequest::monitoring_enabled', false),
 ) {
-    $config = kafka_config('analytics')
-    # NOTE: This is used by inheriting classes role::cache::kafka::*
-    $kafka_brokers = $config['brokers']['array']
+    # Include this class to get key and certificate for varnishkafka
+    # to produce to Kafka over SSL/TLS.
+    require ::profile::cache::kafka::certificate
 
-    $topic = "webrequest_${cache_cluster}"
-    # These used to be parameters, but I don't really see why given we never 
change
-    # them
-    $varnish_name           = 'frontend'
-    $varnish_svc_name       = 'varnish-frontend'
-    $kafka_protocol_version = '0.9.0.1'
+    $config = kafka_config($kafka_cluster_name)
+    $kafka_brokers = $config['brokers']['ssl_array']
+
+    $topic            = "webrequest_${cache_cluster}"
+    $varnish_name     = 'frontend'
+    $varnish_svc_name = 'varnish-frontend'
 
     # Background task: T136314
     # Background info about the parameters used:
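Review bot: The assignment `$kafka_protocol_version = '0.9.0.1'` is removed in this hunk, but the third hunk still carries `force_protocol_version => $kafka_protocol_version,` as an unchanged line. Unless the variable is defined in the part of the class body between the hunks (not visible here), the instance gets an undefined value, or compilation fails when strict variables are enabled. Either keep the assignment or drop the `force_protocol_version` parameter in the same change. Separately, the deleted NOTE said `$kafka_brokers` is read by inheriting `role::cache::kafka::*` classes; it now holds the `ssl_array` listeners, so any remaining consumer of it would presumably also need the ssl_* settings. A comment such as `# TLS listeners only; consumers must also set the ssl_* options` would make that explicit.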
@@ -88,10 +93,7 @@
     $peak_rps_estimate = 9000
 
     varnishkafka::instance { 'webrequest':
-        # FIXME - top-scope var without namespace, will break in puppet 2.8
-        # lint:ignore:variable_scope
         brokers                      => $kafka_brokers,
-        # lint:endignore
         topic                        => $topic,
         format_type                  => 'json',
         compression_codec            => 'snappy',
@@ -122,6 +124,13 @@
         # stats will be fresh when polled from gmetad.
         log_statistics_interval      => 15,
         force_protocol_version       => $kafka_protocol_version,
+        #TLS/SSL config
+        ssl_enabled                  => true,
+        ssl_ca_location              => 
$::profile::cache::kafka::certificate::ssl_ca_location,
+        ssl_key_password             => 
$::profile::cache::kafka::certificate::ssl_key_password,
+        ssl_key_location             => 
$::profile::cache::kafka::certificate::ssl_key_location,
+        ssl_certificate_location     => 
$::profile::cache::kafka::certificate::ssl_certificate_location,
+        ssl_cipher_suites            => 
$::profile::cache::kafka::certificate::ssl_cipher_suites,
     }
 
     if $monitoring_enabled {
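Review bot: `ssl_key_password` is handed to `varnishkafka::instance` as an ordinary value, so it will appear in the compiled catalog and presumably in the rendered varnishkafka configuration file. The defined type is not visible in this change, so it is worth confirming that the file is owned by the service user and not world-readable, and that the password comes from private hiera data. A comment above the parameter would record the requirement, for example `# Key password ends up in the varnishkafka config; that file must not be world-readable.` As a style point, `#TLS/SSL config` should read `# TLS/SSL config` to match the other comments in the class. The `varnishkafka::instance` declaration starts outside this hunk.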

-- 
To view, visit https://gerrit.wikimedia.org/r/404737
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I1760c36ee26f015617472073e4c5ab95d53d3e44
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Ottomata <ao...@wikimedia.org>
