Merge "Enable SSL in groups-dev.openstack.org"

2014-11-26 16:25:22 +00:00 · 2014-11-26 16:25:22 +00:00 · c07852f395
commit c07852f395
parent 774f838b86 f64a50b1e8
4 changed files with 106 additions and 24 deletions
--- a/manifests/site.pp
+++ b/manifests/site.pp
@ -218,11 +218,15 @@ node 'groups.openstack.org' {
 # Node-OS: precise
 node 'groups-dev.openstack.org' {
  class { 'openstack_project::groups_dev':
-    sysadmins           => hiera('sysadmins', []),
-    site_admin_password => hiera('groups_dev_site_admin_password', 'XXX'),
-    site_mysql_host     => hiera('groups_dev_site_mysql_host', 'localhost'),
-    site_mysql_password => hiera('groups_dev_site_mysql_password', 'XXX'),
-    conf_cron_key       => hiera('groups_dev_conf_cron_key', 'XXX'),
+    sysadmins                    => hiera('sysadmins', []),
+    site_admin_password          => hiera('groups_dev_site_admin_password', 'XXX'),
+    site_mysql_host              => hiera('groups_dev_site_mysql_host', 'localhost'),
+    site_mysql_password          => hiera('groups_dev_site_mysql_password', 'XXX'),
+    conf_cron_key                => hiera('groups_dev_conf_cron_key', 'XXX'),
+    site_ssl_cert_file_contents  => hiera('groups_dev_site_ssl_cert_file_contents', undef),
+    site_ssl_key_file_contents   => hiera('groups_dev_site_ssl_key_file_contents', undef),
+    site_ssl_cert_file           => '/etc/ssl/certs/groups-dev.openstack.org.pem',
+    site_ssl_key_file            => '/etc/ssl/private/groups-dev.openstack.org.key',
  }
 }

--- a/modules/drupal/manifests/init.pp
+++ b/modules/drupal/manifests/init.pp
@ -33,6 +33,15 @@
 # - site_alias: drush site alias name
 # - site_profile: installation profile to deploy
 #
+# SSL configuration:
+# - site_ssl_enabled: true if ssl is enabled (default: false)
+# - site_ssl_cert_file_contents: x509 certificate of vhost in pem format
+# - site_ssl_key_file_contents: rsa key of x509 certificate in pem format
+# - site_ssl_chain_file_contents: root ca's of site ssl cert
+# - site_ssl_cert_file: file path of x509 certificate
+# - site_ssl_key_file: file path of certificate rsa key
+# - site_ssl_chain_file: file path of certificate chain
+#
 # Mysql connection:
 # - mysql_user: mysql user of drupal site
 # - mysql_password: password of site user
@ -66,6 +75,12 @@ class drupal (
  $site_create_database = false,
  $site_base_url = false,
  $site_file_owner = 'root',
+  $site_ssl_enabled = false,
+  $site_ssl_cert_file_contents = undef,
+  $site_ssl_key_file_contents = undef,
+  $site_ssl_cert_file = '',
+  $site_ssl_key_file = '',
+  $site_ssl_chain_file = '',
  $package_repository = undef,
  $package_branch = undef,
  $conf_cron_key = undef,
@ -76,6 +91,45 @@ class drupal (
  include apache
  include pear

+  # ssl certificates
+  if $site_ssl_enabled == true {
+
+    include apache::ssl
+
+    # site x509 certificate
+    if $site_ssl_cert_file_contents != '' {
+      file { $site_ssl_cert_file:
+        owner   => 'root',
+        group   => 'root',
+        mode    => '0640',
+        content => $site_ssl_cert_file_contents,
+        before  => Apache::Vhost[$site_name],
+      }
+    }
+
+    # site ssl key
+    if $site_ssl_key_file_contents != '' {
+      file { $site_ssl_key_file:
+        owner   => 'root',
+        group   => 'root',
+        mode    => '0640',
+        content => $site_ssl_key_file_contents,
+        before  => Apache::Vhost[$site_name],
+      }
+    }
+
+    # site ca certificates file
+    if $site_ssl_chain_file_contents != '' {
+      file { $site_ssl_chain_file:
+        owner   => 'root',
+        group   => 'root',
+        mode    => '0640',
+        content => $site_ssl_chain_file_contents,
+        before  => Apache::Vhost[$site_name],
+      }
+    }
+  }
+
  # setup apache and virtualhosts, enable mod rewrite
  file { $site_vhost_root:
    ensure => directory,
--- a/modules/drupal/templates/drupal.vhost.erb
+++ b/modules/drupal/templates/drupal.vhost.erb
@ -3,8 +3,23 @@
 # Managed by Puppet
 # ************************************

-NameVirtualHost <%= @vhost_name %>:<%= @port %>
-<VirtualHost <%= @vhost_name %>:<%= @port %>>
+NameVirtualHost <%= @vhost_name %>:80
+<VirtualHost <%= @vhost_name %>:80>
+<% if @site_ssl_enabled %>
+  ServerName <%= @srvname %>
+  Redirect / https://<%= @srvname %>/
+</VirtualHost>
+
+NameVirtualHost <%= @vhost_name %>:443
+<VirtualHost <%= @vhost_name %>:443>
+  SSLEngine on
+  SSLProtocol All -SSLv2 -SSLv3
+  SSLCertificateFile      <%= @site_ssl_cert_file %>
+  SSLCertificateKeyFile   <%= @site_ssl_key_file %>
+<% if @site_ssl_chain_file_contents != '' %>
+  SSLCertificateChainFile <%= @site_ssl_chain_file %>
+<% end %>
+<% end %>
  ServerName <%= @srvname %>
 <% if @serveraliases.is_a? Array -%>
 <% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%>
--- a/modules/openstack_project/manifests/groups_dev.pp
+++ b/modules/openstack_project/manifests/groups_dev.pp
@ -20,6 +20,10 @@ class openstack_project::groups_dev (
  $site_mysql_password = '',
  $conf_cron_key = '',
  $sysadmins = [],
+  $site_ssl_cert_file_contents = undef,
+  $site_ssl_key_file_contents = undef,
+  $site_ssl_cert_file = '/etc/ssl/private/ssl-cert-snakeoil.key',
+  $site_ssl_key_file = '/etc/ssl/private/groups-dev.openstack.org.key',
 ) {

  realize (
@ -41,23 +45,28 @@ class openstack_project::groups_dev (
  }

  class { 'drupal':
-    site_name               => 'groups-dev.openstack.org',
-    site_root               => '/srv/vhosts/groups-dev.openstack.org',
-    site_mysql_host         => $site_mysql_host,
-    site_mysql_user         => 'groups',
-    site_mysql_password     => $site_mysql_password,
-    site_mysql_database     => 'groups_dev',
-    site_vhost_root         => '/srv/vhosts',
-    site_admin_password     => $site_admin_password,
-    site_alias              => 'groupsdev',
-    site_profile            => 'groups',
-    site_base_url           => 'http://groups-dev.openstack.org',
-    package_repository      => 'http://tarballs.openstack.org/groups/drupal-updates/release-history',
-    package_branch          => 'dev',
-    conf_cron_key           => $conf_cron_key,
-    conf_markdown_directory => '/srv/groups-static-pages',
-    conf_openid_provider    => 'https://openstackid-dev.openstack.org',
-    require                 => [ Class['openstack_project::server'],
+    site_name                    => 'groups-dev.openstack.org',
+    site_root                    => '/srv/vhosts/groups-dev.openstack.org',
+    site_mysql_host              => $site_mysql_host,
+    site_mysql_user              => 'groups',
+    site_mysql_password          => $site_mysql_password,
+    site_mysql_database          => 'groups_dev',
+    site_vhost_root              => '/srv/vhosts',
+    site_admin_password          => $site_admin_password,
+    site_alias                   => 'groupsdev',
+    site_profile                 => 'groups',
+    site_base_url                => 'http://groups-dev.openstack.org',
+    site_ssl_enabled             => true,
+    site_ssl_cert_file_contents  => $site_ssl_cert_file_contents,
+    site_ssl_key_file_contents   => $site_ssl_key_file_contents,
+    site_ssl_cert_file           => $site_ssl_cert_file,
+    site_ssl_key_file            => $site_ssl_key_file,
+    package_repository           => 'http://tarballs.openstack.org/groups/drupal-updates/release-history',
+    package_branch               => 'dev',
+    conf_cron_key                => $conf_cron_key,
+    conf_markdown_directory      => '/srv/groups-static-pages',
+    conf_openid_provider         => 'https://openstackid-dev.openstack.org',
+    require                      => [ Class['openstack_project::server'],
      Vcsrepo['/srv/groups-static-pages'] ]
  }