opendev/system-config
Code Issues Proposed changes

Make storyboard run over ssl

Browse Source 
We're doing auth now, so we should really do it over SSL.

The cert contents are already in hiera.

Change-Id: Ia939e228785168705840acd6d377e6c25ba3370d
This commit is contained in:
Monty Taylor 2014-03-06 12:27:42 -08:00
parent 339d73ac34
commit fa3b8f4869
4 changed files with 108 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
manifests/site.pp
View File

@ -454,13 +454,13 @@ node 'summit.openstack.org' {
# A machine to run Storyboard
node 'storyboard.openstack.org' {
class { 'openstack_project::storyboard':
sysadmins => hiera('sysadmins'),
mysql_host => hiera('storyboard_db_host'),
mysql_user => hiera('storyboard_db_user'),
mysql_password => hiera('storyboard_db_password'),
# ssl_cert_file_contents => hiera('storyboard_ssl_cert_file_contents'),
# ssl_key_file_contents => hiera('storyboard_ssl_key_file_contents'),
# ssl_chain_file_contents => hiera('storyboard_ssl_chain_file_contents'),
sysadmins => hiera('sysadmins'),
mysql_host => hiera('storyboard_db_host'),
mysql_user => hiera('storyboard_db_user'),
mysql_password => hiera('storyboard_db_password'),
ssl_cert_file_contents => hiera('storyboard_ssl_cert_file_contents'),
ssl_key_file_contents => hiera('storyboard_ssl_key_file_contents'),
ssl_chain_file_contents => hiera('storyboard_ssl_chain_file_contents'),
}
}

21
modules/openstack_project/manifests/storyboard.pp
View File

@ -5,18 +5,29 @@ class openstack_project::storyboard(
$mysql_password = '',
$mysql_user = '',
$sysadmins = [],
$ssl_cert_file_contents = '',
$ssl_key_file_contents = '',
$ssl_chain_file_contents = '',
) {
class { 'openstack_project::server':
sysadmins => $sysadmins,
iptables_public_tcp_ports => [80],
iptables_public_tcp_ports => [80, 443],
}
class { '::storyboard':
mysql_host => $mysql_host,
mysql_password => $mysql_password,
mysql_user => $mysql_user,
projects_file =>
mysql_host => $mysql_host,
mysql_password => $mysql_password,
mysql_user => $mysql_user,
projects_file =>
'puppet:///modules/openstack_project/review.projects.yaml',
ssl_cert_file =>
'/etc/ssl/certs/storyboard.openstack.org.pem',
ssl_key_file =>
'/etc/ssl/private/storyboard.openstack.org.key',
ssl_chain_file => '/etc/ssl/certs/intermediate.pem',
ssl_cert_file_contents => $ssl_cert_file_contents,
ssl_key_file_contents => $ssl_key_file_contents,
ssl_chain_file_contents => $ssl_chain_file_contents,
}
}

40
modules/storyboard/manifests/init.pp
View File

@ -20,10 +20,16 @@ class storyboard (
$mysql_password,
$mysql_user,
$projects_file,
$ssl_cert_file,
$ssl_key_file,
$ssl_chain_file,
$storyboard_git_source_repo = 'https://git.openstack.org/openstack-infra/storyboard/',
$storyboard_revision = 'master',
$storyboard_webclient_url = 'http://tarballs.openstack.org/storyboard-webclient/storyboard-webclient-latest.tar.gz'
$storyboard_webclient_url = 'http://tarballs.openstack.org/storyboard-webclient/storyboard-webclient-latest.tar.gz',
$serveradmin = "webmaster@${::fqdn}",
$ssl_cert_file_contents = '',
$ssl_key_file_contents = '',
$ssl_chain_file_contents = ''
) {
include apache
include mysql::python
@ -162,6 +168,7 @@ class storyboard (
priority => '50',
template => 'storyboard/storyboard.vhost.erb',
require => Package['libapache2-mod-wsgi'],
ssl => true,
}
a2mod { 'proxy':
@ -177,4 +184,33 @@ class storyboard (
require => Package['libapache2-mod-wsgi'],
}
if $ssl_cert_file_contents != '' {
file { $ssl_cert_file:
owner => 'root',
group => 'root',
mode => '0640',
content => $ssl_cert_file_contents,
before => Apache::Vhost[$vhost_name],
}
}
if $ssl_key_file_contents != '' {
file { $ssl_key_file:
owner => 'root',
group => 'ssl-cert',
mode => '0640',
content => $ssl_key_file_contents,
before => Apache::Vhost[$vhost_name],
}
}
if $ssl_chain_file_contents != '' {
file { $ssl_chain_file:
owner => 'root',
group => 'root',
mode => '0640',
content => $ssl_chain_file_contents,
before => Apache::Vhost[$vhost_name],
}
}
}

50
modules/storyboard/templates/storyboard.vhost.erb
View File

@ -1,7 +1,49 @@
<VirtualHost *:80>
<VirtualHost <%= scope.lookupvar("storyboard::vhost_name") %>:80>
ServerAdmin <%= scope.lookupvar("storyboard::serveradmin") %>
ErrorLog ${APACHE_LOG_DIR}/storyboard-error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/storyboard-access.log combined
Redirect / https://<%= scope.lookupvar("storyboard::vhost_name") %>/
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost <%= scope.lookupvar("storyboard::vhost_name") %>:443>
ServerName <%= scope.lookupvar("storyboard::vhost_name") %>
ServerAdmin <%= scope.lookupvar("storyboard::serveradmin") %>
ErrorLog ${APACHE_LOG_DIR}/storyboard-ssl-error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/storyboard-ssl-access.log combined
SSLEngine on
SSLCertificateFile <%= scope.lookupvar("storyboard::ssl_cert_file") %>
SSLCertificateKeyFile <%= scope.lookupvar("storyboard::ssl_key_file") %>
<% if scope.lookupvar("storyboard::ssl_chain_file") != "" %>
SSLCertificateChainFile <%= scope.lookupvar("storyboard::ssl_chain_file") %>
<% end %>
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
DocumentRoot /var/lib/storyboard/www
ErrorLog /var/log/apache2/storyboard-error.log
CustomLog /var/log/apache2/storyboard-access.log common
WSGIDaemonProcess storyboard user=storyboard group=storyboard threads=5 python-path=/usr/local/lib/python2.7/dist-packages
WSGIScriptAlias /api /usr/local/lib/python2.7/dist-packages/storyboard/api/app.wsgi
@ -15,4 +57,6 @@
Order deny,allow
Allow from all
</Directory>
</VirtualHost>
</IfModule>