Add httpd ssl support to git.openstack.org

Certificates have been added to hiera, now adding the support for https in a new apache file. Change-Id: I8447d60a15779b103556e53f04accf671dbf4843
2013-08-05 10:24:16 -07:00 · 2013-08-05 10:24:16 -07:00 · 8b81e9d213
commit 8b81e9d213
parent ed1d2b1201
6 changed files with 104 additions and 13 deletions
--- a/manifests/site.pp
+++ b/manifests/site.pp
@ -288,8 +288,11 @@ node /^elasticsearch\d*\.openstack\.org$/ {
 # A CentOS machine to run cgit and git daemon.
 node 'git.openstack.org' {
  class { 'openstack_project::git':
-    sysadmins           => hiera('sysadmins'),
-    git_gerrit_ssh_key  => hiera('gerrit_ssh_rsa_pubkey_contents'),
+    sysadmins               => hiera('sysadmins'),
+    git_gerrit_ssh_key      => hiera('gerrit_ssh_rsa_pubkey_contents'),
+    ssl_cert_file_contents  => hiera('git_ssl_cert_file_contents'),
+    ssl_key_file_contents   => hiera('git_ssl_key_file_contents'),
+    ssl_chain_file_contents => hiera('git_ssl_chain_file_contents'),
  }
 }

--- a/modules/cgit/files/cgit.conf
+++ b/modules/cgit/files/cgit.conf
@ -1,4 +0,0 @@
-Alias /cgit-data /usr/share/cgit
-ScriptAlias /cgit /var/www/cgi-bin/cgit
-RewriteEngine On
-RewriteRule ^/$ /cgit [R]
--- a/modules/cgit/manifests/init.pp
+++ b/modules/cgit/manifests/init.pp
@ -14,7 +14,16 @@
 #
 # Class: cgit
 #
-class cgit {
+class cgit(
+  $vhost_name = $::fqdn,
+  $serveradmin = "webmaster@${::fqdn}",
+  $ssl_cert_file = '',
+  $ssl_key_file = '',
+  $ssl_chain_file = '',
+  $ssl_cert_file_contents = '', # If left empty puppet will not create file.
+  $ssl_key_file_contents = '', # If left empty puppet will not create file.
+  $ssl_chain_file_contents = '', # If left empty puppet will not create file.
+) {

  include apache

@ -66,10 +75,12 @@ class cgit {
    value      => on
  }

-  file { '/etc/httpd/conf.d/cgit.conf':
-    ensure  => present,
-    source  => 'puppet:///modules/cgit/cgit.conf',
-    mode    => '0644'
+  apache::vhost { $vhost_name:
+    port     => 443,
+    docroot  => 'MEANINGLESS ARGUMENT',
+    priority => '50',
+    template => 'cgit/git.vhost.erb',
+    ssl      => true,
  }

  file { '/etc/xinetd.d/git':
@ -84,4 +95,34 @@ class cgit {
    ensure    => running,
    subscribe => File['/etc/xinetd.d/git'],
  }
+
+  if $ssl_cert_file_contents != '' {
+    file { $ssl_cert_file:
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0640',
+      content => $ssl_cert_file_contents,
+      before  => Apache::Vhost[$vhost_name],
+    }
+  }
+
+  if $ssl_key_file_contents != '' {
+    file { $ssl_key_file:
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0640',
+      content => $ssl_key_file_contents,
+      before  => Apache::Vhost[$vhost_name],
+    }
+  }
+
+  if $ssl_chain_file_contents != '' {
+    file { $ssl_chain_file:
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0640',
+      content => $ssl_chain_file_contents,
+      before  => Apache::Vhost[$vhost_name],
+    }
+  }
 }
--- a/modules/cgit/templates/git.vhost.erb
+++ b/modules/cgit/templates/git.vhost.erb
@ -0,0 +1,39 @@
+<VirtualHost <%= scope.lookupvar("cgit::vhost_name") %>:80>
+  ServerName <%= scope.lookupvar("cgit::vhost_name") %>
+  ServerAdmin <%= scope.lookupvar("cgit::serveradmin") %>
+
+  ErrorLog ${APACHE_LOG_DIR}/git-error.log
+
+  LogLevel warn
+
+  CustomLog ${APACHE_LOG_DIR}/git-access.log combined
+
+  Redirect / https://<%= scope.lookupvar("cgit::vhost_name") %>/
+
+</VirtualHost>
+
+<IfModule mod_ssl.c>
+<VirtualHost <%= scope.lookupvar("cgit::vhost_name") %>:443>
+  ServerName <%= scope.lookupvar("cgit::vhost_name") %>
+  ServerAdmin <%= scope.lookupvar("cgit::serveradmin") %>
+
+  Alias /cgit-data /usr/share/cgit
+  ScriptAlias /cgit /var/www/cgi-bin/cgit
+  RewriteEngine On
+  RewriteRule ^/$ /cgit [R]
+
+  ErrorLog ${APACHE_LOG_DIR}/git-error.log
+
+  LogLevel warn
+
+  CustomLog ${APACHE_LOG_DIR}/git-access.log combined
+
+  SSLEngine on
+
+  SSLCertificateFile      <%= scope.lookupvar("cgit::ssl_cert_file") %>
+  SSLCertificateKeyFile   <%= scope.lookupvar("cgit::ssl_key_file") %>
+<% if scope.lookupvar("cgit::ssl_chain_file") != "" %>
+  SSLCertificateChainFile <%= scope.lookupvar("cgit::ssl_chain_file") %>
+<% end %>
+</VirtualHost>
+</IfModule>
--- a/modules/openstack_project/files/git/cgitrc
+++ b/modules/openstack_project/files/git/cgitrc
@ -6,7 +6,7 @@
 cache-size=0

 # Specify some default clone prefixes
-clone-prefix=git://git.openstack.org http://git.openstack.org/cgit
+clone-prefix=git://git.openstack.org https://git.openstack.org/cgit

 # Specify the css url
 css=/cgit-data/cgit.css
--- a/modules/openstack_project/manifests/git.pp
+++ b/modules/openstack_project/manifests/git.pp
@ -18,9 +18,12 @@
 class openstack_project::git (
  $sysadmins = [],
  $git_gerrit_ssh_key = '',
+  $ssl_cert_file_contents = '',
+  $ssl_key_file_contents = '',
+  $ssl_chain_file_contents = '',
 ) {
  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [80, 9418],
+    iptables_public_tcp_ports => [80, 443, 9418],
    sysadmins                 => $sysadmins,
  }

@ -28,6 +31,15 @@ class openstack_project::git (
  include jeepyb
  include pip

+  class { 'cgit':
+    ssl_cert_file           => '/etc/ssl/certs/git.openstack.org.pem',
+    ssl_key_file            => '/etc/ssl/private/git.openstack.org.key',
+    ssl_chain_file          => '/etc/ssl/certs/intermediate.pem',
+    ssl_cert_file_contents  => $ssl_cert_file_contents,
+    ssl_key_file_contents   => $ssl_key_file_contents,
+    ssl_chain_file_contents => $ssl_chain_file_contents,
+  }
+
  # We don't actually use these, but jeepyb requires them.
  $local_git_dir = '/var/lib/git'
  $ssh_project_key = ''