ores: add envoy-proxy for TLS termination behind ATS

Bug: T210411 Change-Id: Ide6cb125eaa58babba444ff0e4c2ca9caad63e24
wikimedia · Aug 4, 2020 · adda6eb · adda6eb
1 parent ea72d1b
commit adda6eb
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 0 deletions.
diff --git a/hieradata/role/common/ores.yaml b/hieradata/role/common/ores.yaml
@@ -159,3 +159,11 @@ profile::prometheus::statsd_exporter::mappings:
 
 profile::ores::logstash_host: localhost
 service::configuration::logstash_host: localhost
+
+# envoy for TLS between ATS and backend servers
+profile::tlsproxy::envoy::ensure: present
+profile::tlsproxy::envoy::services:
+  - server_names: ['*']
+    port: 8081
+profile::tlsproxy::envoy::global_cert_name: "ores.discovery.wmnet"
+profile::tlsproxy::envoy::sni_support: "no"
diff --git a/modules/role/manifests/ores.pp b/modules/role/manifests/ores.pp
@@ -11,4 +11,5 @@
 
     include ::profile::ores::worker
     include ::profile::ores::web
+    include ::profile::tlsproxy::envoy # TLS termination
 }