Pass review.o.o SSL certs in from Hiera.

Use Hiera to store the review.o.o SSL certs and pass them down to the gerrit module. While modifying these files fix indentation and rocket ship alignment according to puppet lint in the sections touched. Change-Id: I914b0dea72c77dedb44a4e6f51417985e673b315 Reviewed-on: https://review.openstack.org/13975 Approved: James E. Blair <corvus@inaugust.com> Reviewed-by: James E. Blair <corvus@inaugust.com> Tested-by: Jenkins
2012-10-02 15:49:18 -07:00 · 2012-10-02 15:49:18 -07:00 · 15e526fb18
commit 15e526fb18
parent 915c4d53b4
4 changed files with 199 additions and 146 deletions
--- a/manifests/site.pp
+++ b/manifests/site.pp
@ -13,12 +13,15 @@ node default {
 #
 node 'review.openstack.org' {
  class { 'openstack_project::review':
-    github_oauth_token  => hiera('gerrit_github_token'),
-    mysql_password      => hiera('gerrit_mysql_password'),
-    mysql_root_password => hiera('gerrit_mysql_root_password'),
-    email_private_key   => hiera('gerrit_email_private_key'),
-    gerritbot_password  => hiera('gerrit_gerritbot_password'),
-    sysadmins           => hiera('sysadmins'),
+    github_oauth_token      => hiera('gerrit_github_token'),
+    mysql_password          => hiera('gerrit_mysql_password'),
+    mysql_root_password     => hiera('gerrit_mysql_root_password'),
+    email_private_key       => hiera('gerrit_email_private_key'),
+    gerritbot_password      => hiera('gerrit_gerritbot_password'),
+    ssl_cert_file_contents  => hiera('gerrit_ssl_cert_file_contents'),
+    ssl_key_file_contents   => hiera('gerrit_ssl_key_file_contents'),
+    ssl_chain_file_contents => hiera('gerrit_ssl_chain_file_contents'),
+    sysadmins               => hiera('sysadmins'),
  }
 }

--- a/modules/gerrit/manifests/init.pp
+++ b/modules/gerrit/manifests/init.pp
@ -9,6 +9,10 @@
 #     Used in the Apache virtual host to specify the SSL cert and key files.
 #   ssl_chain_file:
 #     Optional, if you have an intermediate cert Apache should serve.
+#   ssl_*_file_contents:
+#     Optional, the contents of the respective cert files as a string. Will be
+#     used to have Puppet ensure the contents of these files. Default value of
+#     '' means Puppet should not manage these files.
 #   openidssourl:
 #     The URL to use for OpenID in SSO mode.
 #   email:
@ -62,42 +66,45 @@
 # TODO: make more gerrit options configurable here

 class gerrit($vhost_name=$fqdn,
-      $canonicalweburl="https://$fqdn/",
-      $serveradmin="webmaster@$fqdn",
-      $ssl_cert_file='/etc/ssl/certs/ssl-cert-snakeoil.pem',
-      $ssl_key_file='/etc/ssl/private/ssl-cert-snakeoil.key',
-      $ssl_chain_file='',
-      $openidssourl="https://login.launchpad.net/+openid",
-      $email='',
-      $database_poollimit='',
-      $container_heaplimit='',
-      $core_packedgitopenfiles='',
-      $core_packedgitlimit='',
-      $core_packedgitwindowsize='',
-      $sshd_threads='',
-      $httpd_acceptorthreads='',
-      $httpd_minthreads='',
-      $httpd_maxthreads='',
-      $httpd_maxwait='',
-      $commentlinks = [],
-      $war,
-      $contactstore=false,
-      $contactstore_appsec='',
-      $contactstore_pubkey='',
-      $contactstore_url='',
-      $projects_file = 'UNDEF',
-      $enable_melody = 'false',
-      $melody_session = 'false',
-      $mysql_password,
-      $mysql_root_password,
-      $email_private_key,
-      $replicate_github=false,
-      $replicate_local=true,
-      $local_git_dir='/var/lib/git',
-      $replication_targets=[],
-      $gitweb=true,
-      $testmode=false
-      ) {
+  $canonicalweburl="https://$fqdn/",
+  $serveradmin="webmaster@$fqdn",
+  $ssl_cert_file='/etc/ssl/certs/ssl-cert-snakeoil.pem',
+  $ssl_key_file='/etc/ssl/private/ssl-cert-snakeoil.key',
+  $ssl_chain_file='',
+  $ssl_cert_file_contents='', # If left empty puppet will not create file.
+  $ssl_key_file_contents='', # If left empty puppet will not create file.
+  $ssl_chain_file_contents='', # If left empty puppet will not create file.
+  $openidssourl="https://login.launchpad.net/+openid",
+  $email='',
+  $database_poollimit='',
+  $container_heaplimit='',
+  $core_packedgitopenfiles='',
+  $core_packedgitlimit='',
+  $core_packedgitwindowsize='',
+  $sshd_threads='',
+  $httpd_acceptorthreads='',
+  $httpd_minthreads='',
+  $httpd_maxthreads='',
+  $httpd_maxwait='',
+  $commentlinks = [],
+  $war,
+  $contactstore=false,
+  $contactstore_appsec='',
+  $contactstore_pubkey='',
+  $contactstore_url='',
+  $projects_file = 'UNDEF',
+  $enable_melody = 'false',
+  $melody_session = 'false',
+  $mysql_password,
+  $mysql_root_password,
+  $email_private_key,
+  $replicate_github=false,
+  $replicate_local=true,
+  $local_git_dir='/var/lib/git',
+  $replication_targets=[],
+  $gitweb=true,
+  $testmode=false
+) {

  include apache

@ -239,7 +246,7 @@ class gerrit($vhost_name=$fqdn,
    require => File["/home/gerrit2/review_site/etc"]
  }

-# Set up MySQL.
+  # Set up MySQL.

  class {"mysql::server":
    config_hash => {
@ -258,14 +265,14 @@ class gerrit($vhost_name=$fqdn,
    charset => "latin1",
  }

-# Set up apache.
+  # Set up apache.

  apache::vhost { $vhost_name:
-    port => 443,
-    docroot => 'MEANINGLESS ARGUMENT',
+    port     => 443,
+    docroot  => 'MEANINGLESS ARGUMENT',
    priority => '50',
    template => 'gerrit/gerrit.vhost.erb',
-    ssl => true,
+    ssl      => true,
  }
  a2mod { 'rewrite':
    ensure => present
@ -277,6 +284,36 @@ class gerrit($vhost_name=$fqdn,
    ensure => present
  }

+  if $ssl_cert_file_contents != '' {
+    file { $ssl_cert_file:
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0640',
+      content => $ssl_cert_file_contents,
+      before  => Apache::Vhost[$vhost_name],
+    }
+  }
+
+  if $ssl_key_file_contents != '' {
+    file { $ssl_key_file:
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0640',
+      content => $ssl_key_file_contents,
+      before  => Apache::Vhost[$vhost_name],
+    }
+  }
+
+  if $ssl_chain_file_contents != '' {
+    file { $ssl_chain_file:
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0640',
+      content => $ssl_chain_file_contents,
+      before  => Apache::Vhost[$vhost_name],
+    }
+  }
+
  # Install Gerrit itself.

  # The Gerrit WAR is specified as a url like 'http://tarballs.openstack.org/ci/gerrit-2.2.2-363-gd0a67ce.war'
--- a/modules/openstack_project/manifests/gerrit.pp
+++ b/modules/openstack_project/manifests/gerrit.pp
@ -4,41 +4,44 @@
 # TODO: launchpadlib creds for user sync script

 class openstack_project::gerrit (
-      $vhost_name=$fqdn,
-      $canonicalweburl="https://$fqdn/",
-      $serveradmin='webmaster@openstack.org',
-      $ssh_host_key='/home/gerrit2/review_site/etc/ssh_host_rsa_key',
-      $ssl_cert_file='',
-      $ssl_key_file='',
-      $ssl_chain_file='',
-      $email='',
-      $database_poollimit='',
-      $container_heaplimit='',
-      $core_packedgitopenfiles='',
-      $core_packedgitlimit='',
-      $core_packedgitwindowsize='',
-      $sshd_threads='',
-      $httpd_acceptorthreads='',
-      $httpd_minthreads='',
-      $httpd_maxthreads='',
-      $httpd_maxwait='',
-      $war,
-      $contactstore=false,
-      $contactstore_appsec='',
-      $contactstore_pubkey='',
-      $contactstore_url='',
-      $script_user='update',
-      $script_key_file='/home/gerrit2/.ssh/id_rsa',
-      $script_logging_conf='/home/gerrit2/.sync_logging.conf',
-      $projects_file='UNDEF',
-      $github_username,
-      $github_oauth_token,
-      $mysql_password,
-      $mysql_root_password,
-      $trivial_rebase_role_id,
-      $email_private_key,
-      $testmode=false,
-      $sysadmins=[]
+  $vhost_name=$fqdn,
+  $canonicalweburl="https://$fqdn/",
+  $serveradmin='webmaster@openstack.org',
+  $ssh_host_key='/home/gerrit2/review_site/etc/ssh_host_rsa_key',
+  $ssl_cert_file='',
+  $ssl_key_file='',
+  $ssl_chain_file='',
+  $ssl_cert_file_contents='',
+  $ssl_key_file_contents='',
+  $ssl_chain_file_contents='',
+  $email='',
+  $database_poollimit='',
+  $container_heaplimit='',
+  $core_packedgitopenfiles='',
+  $core_packedgitlimit='',
+  $core_packedgitwindowsize='',
+  $sshd_threads='',
+  $httpd_acceptorthreads='',
+  $httpd_minthreads='',
+  $httpd_maxthreads='',
+  $httpd_maxwait='',
+  $war,
+  $contactstore=false,
+  $contactstore_appsec='',
+  $contactstore_pubkey='',
+  $contactstore_url='',
+  $script_user='update',
+  $script_key_file='/home/gerrit2/.ssh/id_rsa',
+  $script_logging_conf='/home/gerrit2/.sync_logging.conf',
+  $projects_file='UNDEF',
+  $github_username,
+  $github_oauth_token,
+  $mysql_password,
+  $mysql_root_password,
+  $trivial_rebase_role_id,
+  $email_private_key,
+  $testmode=false,
+  $sysadmins=[]
 ) {
  class { 'openstack_project::server':
    iptables_public_tcp_ports => [80, 443, 29418],
@ -46,51 +49,55 @@ class openstack_project::gerrit (
  }

  class { '::gerrit':
-    vhost_name => $vhost_name,
-    canonicalweburl => $canonicalweburl,
+    vhost_name               => $vhost_name,
+    canonicalweburl          => $canonicalweburl,
    # opinions
-    enable_melody => 'true',
-    melody_session => 'true',
+    enable_melody            => 'true',
+    melody_session           => 'true',
    # passthrough
-    ssl_cert_file => $ssl_cert_file,
-    ssl_key_file => $ssl_key_file,
-    ssl_chain_file => $ssl_chain_file,
-    email => $email,
-    openidssourl => "https://login.launchpad.net/+openid",
-    database_poollimit => $database_poollimit,
-    container_heaplimit => $container_heaplimit,
-    core_packedgitopenfiles => $core_packedgitopenfiles,
-    core_packedgitlimit => $core_packedgitlimit,
+    ssl_cert_file            => $ssl_cert_file,
+    ssl_key_file             => $ssl_key_file,
+    ssl_chain_file           => $ssl_chain_file,
+    ssl_cert_file_contents   => $ssl_cert_file_contents,
+    ssl_key_file_contents    => $ssl_key_file_contents,
+    ssl_chain_file_contents  => $ssl_chain_file_contents,
+    email                    => $email,
+    openidssourl             => "https://login.launchpad.net/+openid",
+    database_poollimit       => $database_poollimit,
+    container_heaplimit      => $container_heaplimit,
+    core_packedgitopenfiles  => $core_packedgitopenfiles,
+    core_packedgitlimit      => $core_packedgitlimit,
    core_packedgitwindowsize => $core_packedgitwindowsize,
-    sshd_threads => $sshd_threads,
-    httpd_acceptorthreads => $httpd_acceptorthreads,
-    httpd_minthreads => $httpd_minthreads,
-    httpd_maxthreads => $httpd_maxthreads,
-    httpd_maxwait => $httpd_maxwait,
-    commentlinks => [ { name => 'changeid',
-                        match => '(I[0-9a-f]{8,40})',
-                        link => '#q,$1,n,z' },
-
-                      { name => 'launchpad',
-                        match => '([Bb]ug|[Ll][Pp])[\\s#:]*(\\d+)',
-                        link => 'https://code.launchpad.net/bugs/$2' },
-
-                      { name => 'blueprint',
-                       match => '([Bb]lue[Pp]rint|[Bb][Pp])[\\s#:]*([A-Za-z0-9\\-]+)',
-                       link => 'https://blueprints.launchpad.net/openstack/?searchtext=$2' },
-                  ],
-    war => $war,
-    contactstore => $contactstore,
-    contactstore_appsec => $contactstore_appsec,
-    contactstore_pubkey => $contactstore_pubkey,
-    contactstore_url => $contactstore_url,
-    mysql_password => $mysql_password,
-    mysql_root_password => $mysql_root_password,
-    email_private_key => $email_private_key,
-    projects_file => $projects_file,
-    replicate_github => true,
-    testmode => $testmode,
-    require => Class[openstack_project::server],
+    sshd_threads             => $sshd_threads,
+    httpd_acceptorthreads    => $httpd_acceptorthreads,
+    httpd_minthreads         => $httpd_minthreads,
+    httpd_maxthreads         => $httpd_maxthreads,
+    httpd_maxwait            => $httpd_maxwait,
+    commentlinks             => [{ name  => 'changeid',
+                                   match => '(I[0-9a-f]{8,40})',
+                                   link => '#q,$1,n,z'
+                                 },
+                                 { name  => 'launchpad',
+                                   match => '([Bb]ug|[Ll][Pp])[\\s#:]*(\\d+)',
+                                   link  => 'https://code.launchpad.net/bugs/$2'
+                                 },
+                                 { name  => 'blueprint',
+                                   match => '([Bb]lue[Pp]rint|[Bb][Pp])[\\s#:]*([A-Za-z0-9\\-]+)',
+                                   link => 'https://blueprints.launchpad.net/openstack/?searchtext=$2'
+                                 },
+                                ],
+    war                      => $war,
+    contactstore             => $contactstore,
+    contactstore_appsec      => $contactstore_appsec,
+    contactstore_pubkey      => $contactstore_pubkey,
+    contactstore_url         => $contactstore_url,
+    mysql_password           => $mysql_password,
+    mysql_root_password      => $mysql_root_password,
+    email_private_key        => $email_private_key,
+    projects_file            => $projects_file,
+    replicate_github         => true,
+    testmode                 => $testmode,
+    require                  => Class[openstack_project::server],
  }
  if ($testmode == false) {
    class { 'gerrit::cron':
--- a/modules/openstack_project/manifests/review.pp
+++ b/modules/openstack_project/manifests/review.pp
@ -30,32 +30,38 @@ class openstack_project::review (
  $mysql_root_password,
  $email_private_key,
  $gerritbot_password,
+  $ssl_cert_file_contents = '',
+  $ssl_key_file_contents = '',
+  $ssl_chain_file_contents = '',
  $sysadmins = []
 ) {
  class { 'openstack_project::gerrit':
-    ssl_cert_file => '/etc/ssl/certs/review.openstack.org.pem',
-    ssl_key_file => '/etc/ssl/private/review.openstack.org.key',
-    ssl_chain_file => '/etc/ssl/certs/intermediate.pem',
-    email => 'review@openstack.org',
-    database_poollimit => '150',    # 1 + 100 + 9 + 2 + 2 + 25 = 139(rounded up)
-    container_heaplimit => '8g',
-    core_packedgitopenfiles => '4096',
-    core_packedgitlimit => '400m',
+    ssl_cert_file            => '/etc/ssl/certs/review.openstack.org.pem',
+    ssl_key_file             => '/etc/ssl/private/review.openstack.org.key',
+    ssl_chain_file           => '/etc/ssl/certs/intermediate.pem',
+    ssl_cert_file_contents   => $ssl_cert_file_contents,
+    ssl_key_file_contents    => $ssl_key_file_contents,
+    ssl_chain_file_contents  => $ssl_chain_file_contents,
+    email                    => 'review@openstack.org',
+    database_poollimit       => '150',    # 1 + 100 + 9 + 2 + 2 + 25 = 139(rounded up)
+    container_heaplimit      => '8g',
+    core_packedgitopenfiles  => '4096',
+    core_packedgitlimit      => '400m',
    core_packedgitwindowsize => '16k',
-    sshd_threads => '100',
-    httpd_maxwait => '5000min',
-    war => 'http://tarballs.openstack.org/ci/gerrit-2.4.2-11-gb5a28fb.war',
-    script_user => 'launchpadsync',
-    script_key_file => '/home/gerrit2/.ssh/launchpadsync_rsa',
-    script_logging_conf => '/home/gerrit2/.sync_logging.conf',
-    projects_file => 'puppet:///openstack_project/review.projects.yaml',
-    github_username => 'openstack-gerrit',
-    github_oauth_token => $github_oauth_token,
-    mysql_password => $mysql_password,
-    mysql_root_password => $mysql_root_password,
-    trivial_rebase_role_id => 'trivial-rebase@review.openstack.org',
-    email_private_key => $email_private_key,
-    sysadmins => $sysadmins
+    sshd_threads             => '100',
+    httpd_maxwait            => '5000min',
+    war                      => 'http://tarballs.openstack.org/ci/gerrit-2.4.2-11-gb5a28fb.war',
+    script_user              => 'launchpadsync',
+    script_key_file          => '/home/gerrit2/.ssh/launchpadsync_rsa',
+    script_logging_conf      => '/home/gerrit2/.sync_logging.conf',
+    projects_file            => 'puppet:///openstack_project/review.projects.yaml',
+    github_username          => 'openstack-gerrit',
+    github_oauth_token       => $github_oauth_token,
+    mysql_password           => $mysql_password,
+    mysql_root_password      => $mysql_root_password,
+    trivial_rebase_role_id   => 'trivial-rebase@review.openstack.org',
+    email_private_key        => $email_private_key,
+    sysadmins                => $sysadmins
  }
  class { 'gerritbot':
    nick => 'openstackgerrit',