Split v2 and v3 web config

In v3, we need to be able to use some variables from zuul/web.pp in the vhost template, but the vhost is created in ::zuul because of how v2 worked. Split the config, and split where we're defining it so that in the next patch we can make use of variables from zuul/web.pp. Change-Id: I3e1c72bb773be050854f5563d09f6c19af8bc6dc Depends-On: https://review.openstack.org/557085
2018-03-27 09:16:09 -05:00 · 2018-03-27 09:16:09 -05:00 · fa66845b5b
commit fa66845b5b
parent ad7b7953d0
5 changed files with 280 additions and 139 deletions
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -105,12 +105,6 @@ class zuul (
    $pip_command = 'pip'
  }

-  if ($zuul_tenant_name) {
-    $zuul_web_full_url = "${zuul_web_url}/${zuul_tenant_name}"
-  } else {
-    $zuul_web_full_url = $zuul_web_url
-  }
-
  $packages = [
    'libffi-dev',
    'libssl-dev',
@ -513,12 +507,6 @@ class zuul (
      mode    => '0444',
      content => "PIDFILE=/var/run/zuul/merger.pid\n",
    }
-
-    file { '/etc/default/zuul-web':
-      ensure  => present,
-      mode    => '0444',
-      content => "PIDFILE=/var/run/zuul/web.pid\n",
-    }
  }

  file { '/etc/init.d/zuul':
@ -566,50 +554,52 @@ class zuul (
    notify => Class['zuul::systemd_reload'],
  }

-  if $proxy_ssl_cert_file_contents == '' {
-    $ssl = false
-  } else {
-    $ssl = true
-    file { '/etc/ssl/certs':
-      ensure => directory,
-      owner  => 'root',
-      group  => 'root',
-      mode   => '0755',
-    }
-    file { '/etc/ssl/private':
-      ensure => directory,
-      owner  => 'root',
-      group  => 'root',
-      mode   => '0700',
-    }
-    file { "/etc/ssl/certs/${vhost_name}.pem":
-      ensure  => present,
-      owner   => 'root',
-      group   => 'root',
-      mode    => '0644',
-      content => $proxy_ssl_cert_file_contents,
-      require => File['/etc/ssl/certs'],
-      before  => Httpd::Vhost[$vhost_name],
-    }
-    file { "/etc/ssl/private/${vhost_name}.key":
-      ensure  => present,
-      owner   => 'root',
-      group   => 'root',
-      mode    => '0600',
-      content => $proxy_ssl_key_file_contents,
-      require => File['/etc/ssl/private'],
-      before  => Httpd::Vhost[$vhost_name],
-    }
-    if $proxy_ssl_chain_file_contents != '' {
-      file { "/etc/ssl/certs/${vhost_name}_intermediate.pem":
+  if ! $zuulv3 {
+    if $proxy_ssl_cert_file_contents == '' {
+      $ssl = false
+    } else {
+      $ssl = true
+      file { '/etc/ssl/certs':
+        ensure => directory,
+        owner  => 'root',
+        group  => 'root',
+        mode   => '0755',
+      }
+      file { '/etc/ssl/private':
+        ensure => directory,
+        owner  => 'root',
+        group  => 'root',
+        mode   => '0700',
+      }
+      file { "/etc/ssl/certs/${vhost_name}.pem":
        ensure  => present,
        owner   => 'root',
        group   => 'root',
        mode    => '0644',
-        content => $proxy_ssl_chain_file_contents,
+        content => $proxy_ssl_cert_file_contents,
        require => File['/etc/ssl/certs'],
        before  => Httpd::Vhost[$vhost_name],
      }
+      file { "/etc/ssl/private/${vhost_name}.key":
+        ensure  => present,
+        owner   => 'root',
+        group   => 'root',
+        mode    => '0600',
+        content => $proxy_ssl_key_file_contents,
+        require => File['/etc/ssl/private'],
+        before  => Httpd::Vhost[$vhost_name],
+      }
+      if $proxy_ssl_chain_file_contents != '' {
+        file { "/etc/ssl/certs/${vhost_name}_intermediate.pem":
+          ensure  => present,
+          owner   => 'root',
+          group   => 'root',
+          mode    => '0644',
+          content => $proxy_ssl_chain_file_contents,
+          require => File['/etc/ssl/certs'],
+          before  => Httpd::Vhost[$vhost_name],
+        }
+      }
    }
  }

@ -625,47 +615,45 @@ class zuul (
    }
  }

-  ::httpd::vhost { $vhost_name:
-    port       => 443, # Is required despite not being used.
-    docroot    => 'MEANINGLESS ARGUMENT',
-    priority   => '50',
-    ssl        => $ssl,
-    template   => 'zuul/zuul.vhost.erb',
-    vhost_name => $vhost_name,
-  }
-  if ! defined(Httpd::Mod['rewrite']) {
-    httpd::mod { 'rewrite': ensure => present }
-  }
-  if ! defined(Httpd::Mod['proxy']) {
-    httpd::mod { 'proxy': ensure => present }
-  }
-  if ! defined(Httpd::Mod['proxy_http']) {
-    httpd::mod { 'proxy_http': ensure => present }
-  }
-  if ! defined(Httpd::Mod['cache']) {
-    httpd::mod { 'cache': ensure => present }
-  }
-  if ! defined(Httpd::Mod['cgid']) {
-    httpd::mod { 'cgid': ensure => present }
-  }
-  if !defined(Mod['proxy_wstunnel']) {
-    httpd::mod { 'proxy_wstunnel': ensure => present }
-  }
-
-  case $::lsbdistcodename {
-    'precise': {
-      if ! defined(Httpd::Mod['mem_cache']) {
-        httpd::mod { 'mem_cache': ensure => present }
-      }
-      if ! defined(Httpd::Mod['version']) {
-        httpd::mod { 'version': ensure => present }
-      }
+  if ! $zuulv3 {
+    ::httpd::vhost { $vhost_name:
+      port       => 443, # Is required despite not being used.
+      docroot    => 'MEANINGLESS ARGUMENT',
+      priority   => '50',
+      ssl        => $ssl,
+      template   => 'zuul/zuul.vhost.erb',
+      vhost_name => $vhost_name,
    }
-    default: {
-      if ! defined(Httpd::Mod['cache_disk']) {
-        httpd::mod { 'cache_disk': ensure => present }
+    if ! defined(Httpd::Mod['rewrite']) {
+      httpd::mod { 'rewrite': ensure => present }
+    }
+    if ! defined(Httpd::Mod['proxy']) {
+      httpd::mod { 'proxy': ensure => present }
+    }
+    if ! defined(Httpd::Mod['proxy_http']) {
+      httpd::mod { 'proxy_http': ensure => present }
+    }
+    if ! defined(Httpd::Mod['cache']) {
+      httpd::mod { 'cache': ensure => present }
+    }
+    if ! defined(Httpd::Mod['cgid']) {
+      httpd::mod { 'cgid': ensure => present }
+    }
+
+    case $::lsbdistcodename {
+      'precise': {
+        if ! defined(Httpd::Mod['mem_cache']) {
+          httpd::mod { 'mem_cache': ensure => present }
+        }
+        if ! defined(Httpd::Mod['version']) {
+          httpd::mod { 'version': ensure => present }
+        }
+      }
+      default: {
+        if ! defined(Httpd::Mod['cache_disk']) {
+          httpd::mod { 'cache_disk': ensure => present }
+        }
      }
    }
  }
-
 }
--- a/manifests/web.pp
+++ b/manifests/web.pp
@ -35,6 +35,7 @@ class zuul::web (
    enable     => true,
    hasrestart => true,
    require    => [File['/etc/init.d/zuul-web'],
+                  File['/etc/default/zuul-web'],
                  Class['zuul::systemd_reload']]
  }

@ -78,6 +79,12 @@ class zuul::web (
    require => Service['zuul-web'],
  }

+  file { '/etc/default/zuul-web':
+    ensure  => present,
+    mode    => '0444',
+    content => "PIDFILE=/var/run/zuul/web.pid\n",
+  }
+
  if !defined(Package['curl']) {
    package { 'curl':
      ensure => present
@ -97,10 +104,10 @@ class zuul::web (
    # We are downloading this file at a location served by the vhost so that we
    # can query it easily should the need arise.
    # If the status.json is unavailable for download, no new files are created.
-    if $zuul::proxy_ssl_cert_file_contents != '' {
-      $status = "https://${zuul::vhost_name}/status"
+    if $ssl_cert_file_contents != '' {
+      $status = "https://${vhost_name}/status"
    } else {
-      $status = "http://${zuul::vhost_name}/status"
+      $status = "http://${vhost_name}/status"
    }
    cron { 'zuul_scheduler_status_backup':
      user    => 'root',
@ -123,10 +130,59 @@ class zuul::web (
    }
  }

-  file { '/var/lib/zuul/www/static':
-    ensure  => absent,
+  if $ssl_cert_file_contents == '' {
+    $use_ssl = false
+  } else {
+    $use_ssl = true
+    file { '/etc/ssl/certs':
+      ensure => directory,
+      owner  => 'root',
+      group  => 'root',
+      mode   => '0755',
+    }
+    file { '/etc/ssl/private':
+      ensure => directory,
+      owner  => 'root',
+      group  => 'root',
+      mode   => '0700',
+    }
+    file { "/etc/ssl/certs/${vhost_name}.pem":
+      ensure  => present,
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0644',
+      content => $ssl_cert_file_contents,
+      require => File['/etc/ssl/certs'],
+      before  => Httpd::Vhost[$vhost_name],
+    }
+    file { "/etc/ssl/private/${vhost_name}.key":
+      ensure  => present,
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0600',
+      content => $ssl_key_file_contents,
+      require => File['/etc/ssl/private'],
+      before  => Httpd::Vhost[$vhost_name],
+    }
+    if $ssl_chain_file_contents != '' {
+      file { "/etc/ssl/certs/${vhost_name}_intermediate.pem":
+        ensure  => present,
+        owner   => 'root',
+        group   => 'root',
+        mode    => '0644',
+        content => $ssl_chain_file_contents,
+        require => File['/etc/ssl/certs'],
+        before  => Httpd::Vhost[$vhost_name],
+      }
+    }
  }

+  $web_url = "http://${web_listen_address}:${web_listen_port}"
+  if ($tenant_name) {
+    $zuul_web_full_url = "${web_url}/${tenant_name}"
+  } else {
+    $zuul_web_full_url = $web_url
+  }
  $zuul_web_root = '/opt/zuul-web'
  $zuul_web_content_root = '/opt/zuul-web/content'
  $zuul_web_src_root = '/opt/zuul-web/source'
@ -199,4 +255,41 @@ class zuul::web (
    subscribe   => Exec['unpack-zuul-web'],
  }

+  ::httpd::vhost { $vhost_name:
+    port       => 80,
+    docroot    => $zuul_web_content_root,
+    priority   => '50',
+    ssl        => false,
+    template   => 'zuul/zuulv3.vhost.erb',
+    vhost_name => $vhost_name,
+  }
+  if $use_ssl {
+    ::httpd::vhost { "${vhost_name}-ssl":
+      port       => 443,
+      docroot    => $zuul_web_content_root,
+      priority   => '50',
+      ssl        => true,
+      template   => 'zuul/zuulv3.vhost.erb',
+      vhost_name => $vhost_name,
+    }
+  }
+  if ! defined(Httpd::Mod['rewrite']) {
+    httpd::mod { 'rewrite': ensure => present }
+  }
+  if ! defined(Httpd::Mod['proxy']) {
+    httpd::mod { 'proxy': ensure => present }
+  }
+  if ! defined(Httpd::Mod['proxy_http']) {
+    httpd::mod { 'proxy_http': ensure => present }
+  }
+  if ! defined(Httpd::Mod['cache']) {
+    httpd::mod { 'cache': ensure => present }
+  }
+  if !defined(Mod['proxy_wstunnel']) {
+    httpd::mod { 'proxy_wstunnel': ensure => present }
+  }
+  if ! defined(Httpd::Mod['cache_disk']) {
+    httpd::mod { 'cache_disk': ensure => present }
+  }
+
 }
--- a/spec/acceptance/fixtures/default.pp
+++ b/spec/acceptance/fixtures/default.pp
@ -1,6 +1,4 @@
 class { '::zuul':
-  proxy_ssl_cert_file_contents => file('/etc/ssl/certs/ssl-cert-snakeoil.pem'),
-  proxy_ssl_key_file_contents  => file('/etc/ssl/private/ssl-cert-snakeoil.key'),
  zuul_ssh_private_key         => file('/tmp/zuul-ssh-keys/ssh_rsa_key'),
  zuulv3                       => true,
  python_version               => 3,
@ -14,7 +12,12 @@ class { '::zuul::scheduler':

 class { '::zuul::merger': }
 class { '::zuul::executor': }
-class { '::zuul::web': }
+class { '::zuul::web':
+  tenant_name            => 'openstack',
+  ssl_cert_file_contents => file('/etc/ssl/certs/ssl-cert-snakeoil.pem'),
+  ssl_key_file_contents  => file('/etc/ssl/private/ssl-cert-snakeoil.key'),
+}
+
 class { '::zuul::fingergw': }

 class { '::zuul::known_hosts':
--- a/templates/zuul.vhost.erb
+++ b/templates/zuul.vhost.erb
@ -1,15 +1,25 @@
 <VirtualHost *:80>
  ServerName <%= @vhost_name %>
  ServerAdmin <%= @serveradmin %>
+  DocumentRoot /var/lib/zuul/www

+  <Directory /var/lib/zuul/www>
+    <IfVersion >= 2.4>
+        Require all granted
+    </IfVersion>
+    <IfVersion < 2.4>
+        Order deny,allow
+        Allow from all
+    </IfVersion>
+  </Directory>
  <Directory /usr/lib/git-core>
-      <IfVersion >= 2.4>
-          Require all granted
-      </IfVersion>
-      <IfVersion < 2.4>
-          Order deny,allow
-          Allow from all
-      </IfVersion>
+    <IfVersion >= 2.4>
+        Require all granted
+    </IfVersion>
+    <IfVersion < 2.4>
+        Order deny,allow
+        Allow from all
+    </IfVersion>
  </Directory>

  ErrorLog ${APACHE_LOG_DIR}/<%= @vhost_name %>-error.log
@ -26,16 +36,8 @@
  RewriteRule ^/status.json - [F]
  <% end -%>

-<% unless @zuulv3 %>
  RewriteRule ^/status.json$ <%= @zuul_status_url %>/status.json [P]
  RewriteRule ^/status/(.*) <%= @zuul_status_url %>/status/$1 [P]
-<% end %>
-
-<% if @zuulv3 %>
-  RewriteRule ^/console-stream <%= @zuul_web_full_url.sub('http://', 'ws://') %>/console-stream [P]
-  RewriteRule ^/(.*)$ <%= @zuul_web_full_url %>/$1 [P]
-  RewriteRule ^/$ <%= @zuul_web_full_url %>/status.html [P]
-<% end %>

  AddOutputFilterByType DEFLATE application/json

@ -49,12 +51,8 @@
  <IfModule mod_cache.c>
    CacheDefaultExpire 5
    <IfModule mod_mem_cache.c>
-<% if @zuulv3 %>
      CacheEnable mem /status
      CacheEnable mem /status.json
-<% else %>
-      CacheEnable mem /status.json
-<% end %>
      # 12MByte total cache size.
      MCacheSize 12288
      MCacheMaxObjectCount 10
@ -64,12 +62,8 @@
      MCacheMaxStreamingBuffer 8388608
    </IfModule>
    <IfModule mod_cache_disk.c>
-<% if @zuulv3 %>
      CacheEnable disk /status
      CacheEnable disk /status.json
-<% else %>
-      CacheEnable disk /status.json
-<% end %>
      CacheRoot /var/cache/apache2/mod_cache_disk
    </IfModule>
  </IfModule>
@ -90,12 +84,22 @@
 <% end %>

  <Directory /var/lib/zuul/www>
-    Allow from all
-    Satisfy Any
+    <IfVersion >= 2.4>
+        Require all granted
+    </IfVersion>
+    <IfVersion < 2.4>
+        Order deny,allow
+        Allow from all
+    </IfVersion>
  </Directory>
  <Directory /usr/lib/git-core>
-    Allow from all
-    Satisfy Any
+    <IfVersion >= 2.4>
+        Require all granted
+    </IfVersion>
+    <IfVersion < 2.4>
+        Order deny,allow
+        Allow from all
+    </IfVersion>
  </Directory>

  ErrorLog ${APACHE_LOG_DIR}/<%= @vhost_name %>-error.log
@ -111,16 +115,9 @@
  RewriteCond %{HTTP_REFERER} =<%= referer %>
  RewriteRule ^/status.json - [F]
  <% end -%>
-<% unless @zuulv3 %>
+
  RewriteRule ^/status.json$ <%= @zuul_status_url %>/status.json [P]
  RewriteRule ^/status/(.*) <%= @zuul_status_url %>/status/$1 [P]
-<% end %>
-
-<% if @zuulv3 %>
-  RewriteRule ^/console-stream <%= @zuul_web_full_url.sub('http://', 'ws://') %>/console-stream [P]
-  RewriteRule ^/(.*)$ <%= @zuul_web_full_url %>/$1 [P]
-  RewriteRule ^/$ <%= @zuul_web_full_url %>/status.html [P]
-<% end %>

  AddOutputFilterByType DEFLATE application/json

@ -134,12 +131,8 @@
  <IfModule mod_cache.c>
    CacheDefaultExpire 5
    <IfModule mod_mem_cache.c>
-<% if @zuulv3 %>
      CacheEnable mem /status
      CacheEnable mem /status.json
-<% else %>
-      CacheEnable mem /status.json
-<% end %>
      # 12MByte total cache size.
      MCacheSize 12288
      MCacheMaxObjectCount 10
@ -149,12 +142,8 @@
      MCacheMaxStreamingBuffer 8388608
    </IfModule>
    <IfModule mod_cache_disk.c>
-<% if @zuulv3 %>
      CacheEnable disk /status
      CacheEnable disk /status.json
-<% else %>
-      CacheEnable disk /status.json
-<% end %>
      CacheRoot /var/cache/apache2/mod_cache_disk
    </IfModule>
  </IfModule>
--- a/templates/zuulv3.vhost.erb
+++ b/templates/zuulv3.vhost.erb
@ -0,0 +1,68 @@
+<% if @ssl -%>
+<IfModule mod_ssl.c>
+<% end -%>
+<VirtualHost *:<%= @port %>>
+
+<% if @ssl -%>
+  SSLEngine on
+  SSLProtocol All -SSLv2 -SSLv3
+  SSLCertificateFile /etc/ssl/certs/<%= @vhost_name %>.pem
+  SSLCertificateKeyFile /etc/ssl/private/<%= @vhost_name %>.key
+<% if @ssl_chain_file_contents != '' -%>
+  SSLCertificateChainFile /etc/ssl/certs/<%= @vhost_name %>_intermediate.pem
+<% end -%>
+<% end -%>
+
+  ServerName <%= @vhost_name %>
+  ServerAdmin <%= @serveradmin %>
+
+  DocumentRoot <%= @docroot %>
+  <Directory <%= @docroot %>>
+    <IfVersion >= 2.4>
+        Require all granted
+    </IfVersion>
+    <IfVersion < 2.4>
+        Order deny,allow
+        Allow from all
+    </IfVersion>
+  </Directory>
+
+  ErrorLog ${APACHE_LOG_DIR}/<%= @vhost_name %>-error.log
+
+  LogLevel warn
+
+  CustomLog ${APACHE_LOG_DIR}/<%= @vhost_name %>-access.log combined
+
+  RewriteEngine on
+  <% @block_referers.each do |referer| -%>
+  RewriteCond %{HTTP_REFERER} =<%= referer %>
+  RewriteRule ^/status - [F]
+  <% end -%>
+
+  RewriteRule ^/console-stream <%= @zuul_web_full_url.sub('http://', 'ws://') %>/console-stream [P]
+  RewriteRule ^/(.*)$ <%= @zuul_web_full_url %>/$1 [P]
+  RewriteRule ^/$ <%= @zuul_web_full_url %>/status.html [P]
+
+  AddOutputFilterByType DEFLATE application/json
+
+  <IfModule mod_cache.c>
+    CacheDefaultExpire 5
+    <IfModule mod_mem_cache.c>
+      CacheEnable mem /status
+      # 12MByte total cache size.
+      MCacheSize 12288
+      MCacheMaxObjectCount 10
+      MCacheMinObjectSize 1
+      # 8MByte max size per cache entry
+      MCacheMaxObjectSize 8388608
+      MCacheMaxStreamingBuffer 8388608
+    </IfModule>
+    <IfModule mod_cache_disk.c>
+      CacheEnable disk /status
+      CacheRoot /var/cache/apache2/mod_cache_disk
+    </IfModule>
+  </IfModule>
+</VirtualHost>
+<% if @ssl -%>
+</IfModule>
+<% end -%>