Paste P40102

(An Untitled Masterwork)

Authored by fgiunchedi on Nov 17 2022, 12:24 PM.
Referenced Files
F35790247: raw-paste-data.txt
Nov 17 2022, 12:24 PM
From 06d45735854b48ca9085216201bfe21196963b46 Mon Sep 17 00:00:00 2001
From: Filippo Giunchedi <fgiunchedi@wikimedia.org>
Date: Thu, 10 Nov 2022 19:24:04 +0100
Subject: [PATCH 1/3] pontoon: use pki certs for etcd
Change-Id: I74d4963c7061a6f9e7f81f5802e7e0398d17976d
---
modules/pontoon/files/o11y-pki/hiera/configcluster.yaml | 1 +
1 file changed, 1 insertion(+)
create mode 100644 modules/pontoon/files/o11y-pki/hiera/configcluster.yaml
diff --git a/modules/pontoon/files/o11y-pki/hiera/configcluster.yaml b/modules/pontoon/files/o11y-pki/hiera/configcluster.yaml
new file mode 100644
index 0000000000..929c6e2e09
--- /dev/null
+++ b/modules/pontoon/files/o11y-pki/hiera/configcluster.yaml
@@ -0,0 +1 @@
+profile::etcd::v3::use_pki_certs: true
--
2.34.1
From 44c9c9be971022d2b30058f0ba4f5b9e37329514 Mon Sep 17 00:00:00 2001
From: Filippo Giunchedi <fgiunchedi@wikimedia.org>
Date: Thu, 10 Nov 2022 19:36:23 +0100
Subject: [PATCH 2/3] move etcd::tlsproxy to pki
Change-Id: I418652c2543c5dfcc33f6b4f687b042229565af7
---
modules/profile/manifests/etcd/tlsproxy.pp | 24 +++++++++++++++----
.../profile/templates/etcd/tls_proxy.conf.erb | 4 ++--
2 files changed, 22 insertions(+), 6 deletions(-)
diff --git a/modules/profile/manifests/etcd/tlsproxy.pp b/modules/profile/manifests/etcd/tlsproxy.pp
index 50a63dd81a..ac3862a056 100644
--- a/modules/profile/manifests/etcd/tlsproxy.pp
+++ b/modules/profile/manifests/etcd/tlsproxy.pp
@@ -51,10 +51,26 @@ class profile::etcd::tlsproxy(
true => $facts['networking']['fqdn'],
default => '127.0.0.1',
}
- sslcert::certificate { $cert_name:
- skip_private => false,
- use_cergen => true,
- before => Service['nginx'],
+
+ if (false) {
+ sslcert::certificate { $cert_name:
+ skip_private => false,
+ use_cergen => true,
+ before => Service['nginx'],
+ }
+ $ssl_paths = {
+ 'chained' => "/etc/ssl/localcerts/${cert_name}.crt",
+ 'key' => "/etc/ssl/private/${cert_name}.key",
+ }
+ } else {
+ $ssl_paths = profile::pki::get_cert('etcd', $cert_name, {
+ # XXX need to make sure the right names are here
+ hosts => [$facts['networking']['fqdn']],
+ # XXX nginx needs to be able to read these
+ owner => 'etcd',
+ outdir => '/var/lib/etcd-tlsproxy',
+ } )
+ class { '::sslcert::dhparam': }
}
monitoring::service { 'etcd-tlsproxy-ssl':
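Review bot: The `if (false)` block at the top of the hunk leaves the old cergen path as dead code, and its `'chained' => "/etc/ssl/localcerts/${cert_name}.crt"` entry disagrees with the file the template referenced before this change (`<%= @cert_name %>.chained.crt` in the tls_proxy.conf.erb hunk), so re-enabling the branch would hand nginx a different certificate than it used previously. Either drop the branch or gate it on a real class parameter and use `'chained' => "/etc/ssl/localcerts/${cert_name}.chained.crt"`. The removed `before => Service['nginx']` has no counterpart on the PKI side, so unless `profile::pki::get_cert` orders itself before the nginx service, nginx may start before the files under `/var/lib/etcd-tlsproxy` exist. The two `# XXX` comments (the SAN list and the nginx worker reading an `etcd`-owned key) are unresolved blockers rather than notes; when the key readability is resolved, prefer a group-based grant over widening the file mode so the private key is not readable beyond the two services that need it. The enclosing class `profile::etcd::tlsproxy` starts outside the hunk.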
diff --git a/modules/profile/templates/etcd/tls_proxy.conf.erb b/modules/profile/templates/etcd/tls_proxy.conf.erb
index a880726a53..74bc16c2a0 100644
--- a/modules/profile/templates/etcd/tls_proxy.conf.erb
+++ b/modules/profile/templates/etcd/tls_proxy.conf.erb
@@ -9,8 +9,8 @@ server {
# SSL settings
ssl on;
- ssl_certificate /etc/ssl/localcerts/<%= @cert_name %>.chained.crt;
- ssl_certificate_key /etc/ssl/private/<%= @cert_name %>.key;
+ ssl_certificate <%= @ssl_paths['chained'] %>;
+ ssl_certificate_key <%= @ssl_paths['key'] %>;
# keepalive timeout for long-polling watch
keepalive_timeout 3600;
--
2.34.1
From 935cf36dea004df40d833ef5cfa37c4ca845a883 Mon Sep 17 00:00:00 2001
From: Filippo Giunchedi <fgiunchedi@wikimedia.org>
Date: Fri, 11 Nov 2022 09:17:21 +0100
Subject: [PATCH 3/3] set etcd as bootstrapping
Change-Id: Ied2444088706440aea943b9e23a966e3f7894581
---
modules/pontoon/files/o11y-pki/hiera/configcluster.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/modules/pontoon/files/o11y-pki/hiera/configcluster.yaml b/modules/pontoon/files/o11y-pki/hiera/configcluster.yaml
index 929c6e2e09..463e77014b 100644
--- a/modules/pontoon/files/o11y-pki/hiera/configcluster.yaml
+++ b/modules/pontoon/files/o11y-pki/hiera/configcluster.yaml
@@ -1 +1,2 @@
profile::etcd::v3::use_pki_certs: true
+profile::etcd::v3::cluster_bootstrap: true
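Review bot: `cluster_bootstrap: true` is committed without any indication of when it is meant to be turned off; if this key controls initial cluster formation as the subject suggests, leaving it set permanently keeps every Puppet run on the bootstrap path. A comment beside it such as `# TODO: set to false once the etcd cluster has formed` would record the intent for whoever touches this hiera file next.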
--
2.34.1