From adda6eb69bfb898cd8133884bef611e8d45a2fb2 Mon Sep 17 00:00:00 2001
From: Daniel Zahn
Date: Wed, 22 Jul 2020 14:01:07 -0700
Subject: [PATCH] ores: add envoy-proxy for TLS termination behind ATS

Bug: T210411
Change-Id: Ide6cb125eaa58babba444ff0e4c2ca9caad63e24
---
 hieradata/role/common/ores.yaml | 8 ++++++++
 modules/role/manifests/ores.pp | 1 +
 2 files changed, 9 insertions(+)

diff --git a/hieradata/role/common/ores.yaml b/hieradata/role/common/ores.yaml
index 06d8598ed2d..c1c6ba77a7f 100644
--- a/hieradata/role/common/ores.yaml
+++ b/hieradata/role/common/ores.yaml
@@ -159,3 +159,11 @@ profile::prometheus::statsd_exporter::mappings:
 profile::ores::logstash_host: localhost
 service::configuration::logstash_host: localhost
+
+# envoy for TLS between ATS and backend servers
+profile::tlsproxy::envoy::ensure: present
+profile::tlsproxy::envoy::services:
+ - server_names: ['*']
+ port: 8081
+profile::tlsproxy::envoy::global_cert_name: "ores.discovery.wmnet"
+profile::tlsproxy::envoy::sni_support: "no"
diff --git a/modules/role/manifests/ores.pp b/modules/role/manifests/ores.pp
index 1b06551a3df..567be74a2c7 100644
--- a/modules/role/manifests/ores.pp
+++ b/modules/role/manifests/ores.pp
@@ -11,4 +11,5 @@
 include ::profile::ores::worker
 include ::profile::ores::web
+ include ::profile::tlsproxy::envoy # TLS termination
 }
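Review bot: The `port: 8081` entry under `profile::tlsproxy::envoy::services` carries no comment saying what listens there, and nothing in this hunk shows that the port stops being reachable in cleartext once envoy terminates TLS in front of it. If 8081 is the existing ORES web listener (presumably, given the role), internal clients can still reach it without TLS unless the firewall rules or the bind address are tightened elsewhere. That part is outside this diff and worth confirming before the ATS backend is switched over. I would add a comment above the list entry such as `# 8081: local ORES web port that envoy forwards to; not meant to be reached directly once ATS uses TLS`. A short note that `sni_support: "no"` is quoted on purpose would also help, since the unquoted word is read as a boolean by YAML 1.1 parsers and the profile presumably expects the string.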