diff --git a/manifests/site.pp b/manifests/site.pp
index 562b0bd619..315c585060 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -454,13 +454,13 @@ node 'summit.openstack.org' {
 # A machine to run Storyboard
 node 'storyboard.openstack.org' {
 class { 'openstack_project::storyboard':
- sysadmins => hiera('sysadmins'),
- mysql_host => hiera('storyboard_db_host'),
- mysql_user => hiera('storyboard_db_user'),
- mysql_password => hiera('storyboard_db_password'),
-# ssl_cert_file_contents => hiera('storyboard_ssl_cert_file_contents'),
-# ssl_key_file_contents => hiera('storyboard_ssl_key_file_contents'),
-# ssl_chain_file_contents => hiera('storyboard_ssl_chain_file_contents'),
+ sysadmins => hiera('sysadmins'),
+ mysql_host => hiera('storyboard_db_host'),
+ mysql_user => hiera('storyboard_db_user'),
+ mysql_password => hiera('storyboard_db_password'),
+ ssl_cert_file_contents => hiera('storyboard_ssl_cert_file_contents'),
+ ssl_key_file_contents => hiera('storyboard_ssl_key_file_contents'),
+ ssl_chain_file_contents => hiera('storyboard_ssl_chain_file_contents'),
 }
 }
diff --git a/modules/openstack_project/manifests/storyboard.pp b/modules/openstack_project/manifests/storyboard.pp
index ace22f69e7..bc395bb0b2 100644
--- a/modules/openstack_project/manifests/storyboard.pp
+++ b/modules/openstack_project/manifests/storyboard.pp
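Review bot: The three new `hiera('storyboard_ssl_*_file_contents')` lookups carry no default, so catalog compilation for this node fails as soon as one of the keys is absent from hiera, even though `openstack_project::storyboard` defaults the same parameters to `''` and the storyboard module treats an empty value as "do not manage this file". If the node is meant to come up without the SSL material in hiera, pass the default through for each of the three, e.g. `ssl_chain_file_contents => hiera('storyboard_ssl_chain_file_contents', ''),`; if the material is meant to be mandatory, the `''` defaults downstream are misleading and deserve a comment saying so. The node definition lies entirely within the hunk.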
@@ -5,18 +5,29 @@ class openstack_project::storyboard(
 $mysql_password = '',
 $mysql_user = '',
 $sysadmins = [],
+ $ssl_cert_file_contents = '',
+ $ssl_key_file_contents = '',
+ $ssl_chain_file_contents = '',
 ) {
 class { 'openstack_project::server':
 sysadmins => $sysadmins,
- iptables_public_tcp_ports => [80],
+ iptables_public_tcp_ports => [80, 443],
 }
 class { '::storyboard':
- mysql_host => $mysql_host,
- mysql_password => $mysql_password,
- mysql_user => $mysql_user,
- projects_file =>
+ mysql_host => $mysql_host,
+ mysql_password => $mysql_password,
+ mysql_user => $mysql_user,
+ projects_file =>
 'puppet:///modules/openstack_project/review.projects.yaml',
+ ssl_cert_file =>
+ '/etc/ssl/certs/storyboard.openstack.org.pem',
+ ssl_key_file =>
+ '/etc/ssl/private/storyboard.openstack.org.key',
+ ssl_chain_file => '/etc/ssl/certs/intermediate.pem',
+ ssl_cert_file_contents => $ssl_cert_file_contents,
+ ssl_key_file_contents => $ssl_key_file_contents,
+ ssl_chain_file_contents => $ssl_chain_file_contents,
 }
 }
diff --git a/modules/storyboard/manifests/init.pp b/modules/storyboard/manifests/init.pp
index 504e580faf..d697047eb7 100644
--- a/modules/storyboard/manifests/init.pp
+++ b/modules/storyboard/manifests/init.pp
@@ -20,10 +20,16 @@ class storyboard (
 $mysql_password,
 $mysql_user,
 $projects_file,
+ $ssl_cert_file,
+ $ssl_key_file,
+ $ssl_chain_file,
 $storyboard_git_source_repo = 'https://git.openstack.org/openstack-infra/storyboard/',
 $storyboard_revision = 'master',
- $storyboard_webclient_url = 'http://tarballs.openstack.org/storyboard-webclient/storyboard-webclient-latest.tar.gz'
-
+ $storyboard_webclient_url = 'http://tarballs.openstack.org/storyboard-webclient/storyboard-webclient-latest.tar.gz',
+ $serveradmin = "webmaster@${::fqdn}",
+ $ssl_cert_file_contents = '',
+ $ssl_key_file_contents = '',
+ $ssl_chain_file_contents = ''
 ) {
 include apache
 include mysql::python
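Review bot: `ssl_chain_file` is hard-wired to `/etc/ssl/certs/intermediate.pem` whether or not `$ssl_chain_file_contents` is set, while the storyboard module only writes that file when the contents are non-empty and its vhost template emits `SSLCertificateChainFile` whenever the path is non-empty; with an empty chain parameter Apache is pointed at a file Puppet never creates, which breaks config validation unless something else put it there. Either derive the path from the contents, `ssl_chain_file => $ssl_chain_file_contents ? { '' => '', default => '/etc/ssl/certs/intermediate.pem' },` or document that the chain is mandatory for this deployment. The cert and key paths have the same shape, but those directives are always emitted, so an empty `*_file_contents` there only makes sense when the files are provisioned out of band — a comment on the three `*_file_contents` parameters saying so would help. The parameter list of this class starts above the hunk.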
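Review bot: The six new parameters are undocumented and their contract is not obvious from the signature: `$ssl_cert_file`, `$ssl_key_file` and `$ssl_chain_file` are required paths the vhost template always references, whereas the `*_file_contents` parameters are optional and only cause the file at the matching path to be managed when non-empty (the `if $ssl_*_file_contents != ''` blocks later in this diff), and an empty `$ssl_chain_file` is the only way to omit `SSLCertificateChainFile`. A header comment above the class describing each parameter in those terms, and noting that `$ssl_key_file_contents` is private-key material that becomes part of the compiled catalog, would save the next reader tracing three files. The parameter list begins above the hunk and the class body continues below it.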
@@ -162,6 +168,7 @@ class storyboard (
 priority => '50',
 template => 'storyboard/storyboard.vhost.erb',
 require => Package['libapache2-mod-wsgi'],
+ ssl => true,
 }
 a2mod { 'proxy':
@@ -177,4 +184,33 @@ class storyboard (
 require => Package['libapache2-mod-wsgi'],
 }
+ if $ssl_cert_file_contents != '' {
+ file { $ssl_cert_file:
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ content => $ssl_cert_file_contents,
+ before => Apache::Vhost[$vhost_name],
+ }
+ }
+
+ if $ssl_key_file_contents != '' {
+ file { $ssl_key_file:
+ owner => 'root',
+ group => 'ssl-cert',
+ mode => '0640',
+ content => $ssl_key_file_contents,
+ before => Apache::Vhost[$vhost_name],
+ }
+ }
+
+ if $ssl_chain_file_contents != '' {
+ file { $ssl_chain_file:
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ content => $ssl_chain_file_contents,
+ before => Apache::Vhost[$vhost_name],
+ }
+ }
 }
diff --git a/modules/storyboard/templates/storyboard.vhost.erb b/modules/storyboard/templates/storyboard.vhost.erb
index 73f076e65e..0d3aa8d99c 100644
--- a/modules/storyboard/templates/storyboard.vhost.erb
+++ b/modules/storyboard/templates/storyboard.vhost.erb
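Review bot: The `file { $ssl_key_file: ... }` resource in the second hunk manages a private key through `content` without `show_diff => false`, so every change to the key is written as a plain-text diff into the agent log and the report sent to the master; add `show_diff => false,` to that resource (it does no harm on the cert and chain resources either). Separately, `group => 'ssl-cert'` assumes that group already exists on the host — nothing in this hunk creates it or requires the package that provides it on Debian/Ubuntu — so the resource fails on a host where it is missing; if no non-root process needs to read the key, `group => 'root', mode => '0600'` removes the dependency and narrows read access to root. The class body begins above the hunk.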
@@ -1,7 +1,49 @@ - +:80> + ServerAdmin <%= scope.lookupvar("storyboard::serveradmin") %> + + ErrorLog ${APACHE_LOG_DIR}/storyboard-error.log + + LogLevel warn + + CustomLog ${APACHE_LOG_DIR}/storyboard-access.log combined + + Redirect / https://<%= scope.lookupvar("storyboard::vhost_name") %>/ + + + + +:443> + ServerName <%= scope.lookupvar("storyboard::vhost_name") %> + ServerAdmin <%= scope.lookupvar("storyboard::serveradmin") %> + + ErrorLog ${APACHE_LOG_DIR}/storyboard-ssl-error.log + + LogLevel warn + + CustomLog ${APACHE_LOG_DIR}/storyboard-ssl-access.log combined + + SSLEngine on + + SSLCertificateFile <%= scope.lookupvar("storyboard::ssl_cert_file") %> + SSLCertificateKeyFile <%= scope.lookupvar("storyboard::ssl_key_file") %> +<% if scope.lookupvar("storyboard::ssl_chain_file") != "" %> + SSLCertificateChainFile <%= scope.lookupvar("storyboard::ssl_chain_file") %> +<% end %> + + + SSLOptions +StdEnvVars + + + SSLOptions +StdEnvVars + + + BrowserMatch "MSIE [2-6]" \ + nokeepalive ssl-unclean-shutdown \ + downgrade-1.0 force-response-1.0 + # MSIE 7 and newer should be able to use keepalive + BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown + DocumentRoot /var/lib/storyboard/www - ErrorLog /var/log/apache2/storyboard-error.log - CustomLog /var/log/apache2/storyboard-access.log common WSGIDaemonProcess storyboard user=storyboard group=storyboard threads=5 python-path=/usr/local/lib/python2.7/dist-packages WSGIScriptAlias /api /usr/local/lib/python2.7/dist-packages/storyboard/api/app.wsgi @@ -15,4 +57,6 @@ Order deny,allow Allow from all + +
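Review bot: The new `:443` block turns on `SSLEngine on` but sets neither `SSLProtocol` nor `SSLCipherSuite`, so the protocol versions and ciphers offered are whatever the host's mod_ssl defaults happen to be, which on the common distributions of that period still included SSLv3 and weak suites; pin them in the template, e.g. `SSLProtocol all -SSLv2 -SSLv3`, `SSLHonorCipherOrder on` and an explicit `SSLCipherSuite <approved-suite-list>` (placeholder: take the list from the deployment's TLS policy). The `<% if scope.lookupvar("storyboard::ssl_chain_file") != "" %>` guard checks only the path, not whether the chain file was actually managed, so when only the contents are empty it emits a reference to a file Puppet never wrote — see the openstack_project::storyboard hunk. Note the page rendering has stripped the angle-bracket container directives (`VirtualHost`, `Directory`, `FilesMatch`), so these remarks rest on the surviving lines only.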