# File 'modules/profile/manifests/etcd/tlsproxy.pp', line 10
# @summary Terminates TLS in front of a local etcd with nginx and manages the
#   per-path HTTP basic-auth files that the proxy uses as ACLs.
#
# The nginx site itself and the htpasswd files are rendered from ERB templates
# (profile/etcd/tls_proxy.conf.erb and profile/etcd/htpasswd.erb). Several
# class parameters and variables ($salt, $read_only, $upstream_port,
# $upstream_scheme, $pool_pwd_seed, $accounts) are not referenced directly in
# this manifest and are presumably consumed by those templates — confirm
# against the template sources before removing or renaming any of them.
#
# @param cert_name
#   FQDN used as the title of the sslcert::certificate resource. The
#   certificate is generated via cergen and its private key is deployed
#   (skip_private => false).
# @param acls
#   Hiera-supplied map of etcd key path => list of user names allowed on that
#   path. Merged with the auto-generated conftool pool ACLs; every resulting
#   path gets its own htpasswd file under /etc/nginx/auth/.
# @param salt
#   Looked up from profile::etcd::tlsproxy::salt. Not used in this manifest;
#   presumably feeds the htpasswd template — verify.
# @param read_only
#   Looked up from profile::etcd::tlsproxy::read_only. Not used in this
#   manifest; presumably selects the read-only behaviour in the nginx site
#   template (the readonly.json error body below exists for that case) — verify.
# @param listen_port
#   Port that the SSL monitoring check probes; presumably also the port nginx
#   listens on in the site template — verify.
# @param upstream_port
#   Looked up from profile::etcd::tlsproxy::upstream_port. Not used in this
#   manifest; presumably the etcd port in the site template — verify.
# @param tls_upstream
#   When true the upstream scheme is https and the upstream host is this
#   node's FQDN; otherwise plain http to 127.0.0.1.
# @param pool_pwd_seed
#   Looked up from etcd::autogen_pwd_seed. Not used in this manifest;
#   presumably the seed for the auto-generated pool users' passwords — verify.
class profile::etcd::tlsproxy(
    Stdlib::Fqdn $cert_name = lookup('profile::etcd::tlsproxy::cert_name'),
    Hash[Stdlib::Unixpath, Array[String]] $acls = lookup('profile::etcd::tlsproxy::acls'),
    String $salt = lookup('profile::etcd::tlsproxy::salt'),
    Boolean $read_only = lookup('profile::etcd::tlsproxy::read_only'),
    Stdlib::Port $listen_port = lookup('profile::etcd::tlsproxy::listen_port'),
    Stdlib::Port $upstream_port = lookup('profile::etcd::tlsproxy::upstream_port'),
    Boolean $tls_upstream = lookup('profile::etcd::tlsproxy::tls_upstream'),
    String $pool_pwd_seed = lookup('etcd::autogen_pwd_seed')
) {
    require profile::tlsproxy::instance
    require passwords::etcd

    # Hash of user => password, taken from the private passwords module. Not
    # referenced below; presumably read by the htpasswd template — verify.
    $accounts = $passwords::etcd::accounts

    # Clusters that are in conftool but do not have standard load balancers
    # and so are not in hieradata/common/service.yaml. Each entry is an etcd
    # key path => the users allowed to write to it.
    $base_acls = {
        # Used for managing scap pools only, no load balancing
        '/conftool/v1/pools/eqiad/testserver' => ['root', 'conftool', 'pool-eqiad-testserver'],
        '/conftool/v1/pools/codfw/testserver' => ['root', 'conftool', 'pool-codfw-testserver'],
        # Load balanced via cloudlb servers
        '/conftool/v1/pools/eqiad/wikireplica-db-analytics' => ['root', 'conftool', 'pool-eqiad-wikireplica-db-analytics'],
        '/conftool/v1/pools/eqiad/wikireplica-db-web' => ['root', 'conftool', 'pool-eqiad-wikireplica-db-web'],
    }

    # Autogenerate the acls for all the conftool pools: for every service and
    # every site it is deployed in, grant root, conftool and a per-pool user
    # ("pool-<dc>-<cluster>") on /conftool/v1/pools/<dc>/<cluster>. The inner
    # reduce flattens one service's per-site hashes; the outer one folds all
    # services onto $base_acls.
    # Else all autogenerated users will share the same password seed.
    $pool_acls = wmflib::service::fetch(true).map |$name, $service| {
        $cl = $service['lvs']['conftool']['cluster']
        $service['sites'].map |$dc| {
            {"/conftool/v1/pools/${dc}/${cl}" => ['root', 'conftool', "pool-${dc}-${cl}"]}
        }.reduce({}) |$m, $v| { $m.merge($v) }
    }
    .reduce($base_acls) |$memo, $val| { $memo.merge($val) }

    # Hash merge keeps the right-hand value on duplicate keys, so for a path
    # present in both, the auto-generated pool ACL silently overrides the
    # hiera-supplied $acls entry.
    $all_acls = $acls.merge($pool_acls)

    # TODO: also support TLS cert auth to the backend
    $upstream_scheme = $tls_upstream ? {
        true    => 'https',
        default => 'http'
    }
    $upstream_host = $tls_upstream ? {
        true    => $facts['networking']['fqdn'],
        default => '127.0.0.1',
    }

    sslcert::certificate { $cert_name:
        skip_private => false,
        use_cergen   => true,
        before       => Service['nginx'],
    }

    # NOTE(review): the check is built from $upstream_host, which is
    # '127.0.0.1' when $tls_upstream is false. If check_ssl_on_host_port is
    # executed from a remote monitoring host, it would then probe that host's
    # own loopback rather than this proxy — confirm; if so the check should
    # use $facts['networking']['fqdn'] regardless of $tls_upstream.
    monitoring::service { 'etcd-tlsproxy-ssl':
        description   => "etcd tlsproxy SSL ${upstream_host}:${listen_port}",
        check_command => "check_ssl_on_host_port!${upstream_host}!${upstream_host}!${listen_port}",
        notes_url     => 'https://wikitech.wikimedia.org/wiki/Cergen',
    }

    # Holds the htpasswd files (password hashes). The directory is not
    # world-traversable (0550, owner www-data; no group is set here), which is
    # what keeps the 0444 files inside it from being readable by other users.
    file { '/etc/nginx/auth/':
        ensure => directory,
        mode   => '0550',
        owner  => 'www-data',
        before => Service['nginx'],
    }

    # Static JSON bodies nginx serves in place of etcd's own error responses.
    file { '/etc/nginx/etcd-errors':
        ensure => directory,
        mode   => '0550',
        owner  => 'www-data',
        before => Service['nginx'],
    }

    # Simulate the etcd auth error
    file { '/etc/nginx/etcd-errors/401.json':
        ensure  => file,
        mode    => '0444',
        content => '{"errorCode":110,"message":"The request requires user authentication","cause":"Insufficient credentials","index":0}',
    }

    # Returned when the proxy refuses writes (presumably tied to $read_only
    # in the site template — verify).
    file { '/etc/nginx/etcd-errors/readonly.json':
        ensure  => file,
        mode    => '0444',
        content => '{"errorCode":107,"message":"This cluster is in read-only mode","cause":"Cluster configured to be read-only","index":0}',
    }

    # One htpasswd file per ACL path. The file name is the key path with every
    # '/' replaced by '_' (so it starts with a leading underscore); the
    # template is rendered once per iteration with $path and $users in scope.
    $all_acls.each |$path, $users| {
        $file_location = regsubst($path, '/', '_', 'G')
        $file_name = "/etc/nginx/auth/${file_location}.htpasswd"
        file { $file_name:
            content => template('profile/etcd/htpasswd.erb'),
            owner   => 'www-data',
            group   => 'www-data',
            mode    => '0444',
        }
    }

    nginx::site { 'etcd_tls_proxy':
        ensure  => present,
        content => template('profile/etcd/tls_proxy.conf.erb'),
    }
}