From 274489ab9ef1e23d7ea63e93abdbc5650b6bbd76 Mon Sep 17 00:00:00 2001
From: "James E. Blair"
Date: Sat, 13 Oct 2012 08:55:30 -0700
Subject: [PATCH] Align etherpad vhost ssl section with standard.
As copied from jenkins. Both old and new names for the cert contents are in hiera.
Change-Id: Ic6d8258479c260ac37346c49c1ecde8339c96a37
Reviewed-on: https://review.openstack.org/14432
Reviewed-by: Jeremy Stanley
Approved: James E. Blair
Reviewed-by: James E. Blair
Tested-by: Jenkins
---
 manifests/site.pp | 9 ++--
 modules/etherpad_lite/manifests/apache.pp | 43 +++++++++++++++++--
 .../templates/etherpadlite.vhost.erb | 7 ++-
 .../openstack_project/manifests/etherpad.pp | 13 ++++--
 4 files changed, 58 insertions(+), 14 deletions(-)
diff --git a/manifests/site.pp b/manifests/site.pp
index 53ab863d75..7489f4869c 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -160,10 +160,11 @@ node 'pypi.openstack.org' {
 node 'etherpad.openstack.org' {
 class { 'openstack_project::etherpad':
- etherpad_crt => hiera('etherpad_crt'),
- etherpad_key => hiera('etherpad_key'),
- database_password => hiera('etherpad_db_password'),
- sysadmins => hiera('sysadmins'),
+ ssl_cert_file_contents => hiera('etherpad_ssl_cert_file_contents'),
+ ssl_key_file_contents => hiera('etherpad_ssl_key_file_contents'),
+ ssl_chain_file_contents => hiera('etherpad_ssl_chain_file_contents'),
+ database_password => hiera('etherpad_db_password'),
+ sysadmins => hiera('sysadmins'),
 }
 }
diff --git a/modules/etherpad_lite/manifests/apache.pp b/modules/etherpad_lite/manifests/apache.pp
index 869b0fec4f..9152b106bc 100644
--- a/modules/etherpad_lite/manifests/apache.pp
+++ b/modules/etherpad_lite/manifests/apache.pp
@@ -1,11 +1,13 @@
 class etherpad_lite::apache (
 $vhost_name = $fqdn,
- $etherpad_crt,
- $etherpad_key
+ $ssl_cert_file='',
+ $ssl_key_file='',
+ $ssl_chain_file='',
+ $ssl_cert_file_contents='', # If left empty puppet will not create file.
+ $ssl_key_file_contents='', # If left empty puppet will not create file.
+ $ssl_chain_file_contents='' # If left empty puppet will not create file.
 ) {
- include remove_nginx
-
 apache::vhost { $vhost_name:
 port => 443,
 docroot => 'MEANINGLESS ARGUMENT',
@@ -55,4 +57,37 @@ class etherpad_lite::apache (
 require => File['/etc/ssl/private'],
 }
+
+ if $ssl_cert_file_contents != '' {
+ file { $ssl_cert_file:
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ content => $ssl_cert_file_contents,
+ before => Apache::Vhost[$vhost_name],
+ }
+ }
+
+ if $ssl_key_file_contents != '' {
+ file { $ssl_key_file:
+ owner => 'root',
+ group => 'ssl-cert',
+ mode => '0640',
+ content => $ssl_key_file_contents,
+ require => Package['ssl-cert'],
+ before => Apache::Vhost[$vhost_name],
+ }
+ }
+
+ if $ssl_chain_file_contents != '' {
+ file { $ssl_chain_file:
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ content => $ssl_chain_file_contents,
+ before => Apache::Vhost[$vhost_name],
+ }
+ }
+
+
 }
diff --git a/modules/etherpad_lite/templates/etherpadlite.vhost.erb b/modules/etherpad_lite/templates/etherpadlite.vhost.erb
index e9802a51ee..2de1e36370 100644
--- a/modules/etherpad_lite/templates/etherpadlite.vhost.erb
+++ b/modules/etherpad_lite/templates/etherpadlite.vhost.erb
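Review bot: In modules/etherpad_lite/manifests/apache.pp the new `$ssl_cert_file=''` and `$ssl_key_file=''` defaults let the class compile with no certificate or key path, yet the vhost template in this same patch writes `SSLCertificateFile` and `SSLCertificateKeyFile` unconditionally, and the `file { $ssl_cert_file:` / `file { $ssl_key_file:` resources in the next hunk use those values as titles. The removed `$etherpad_crt` and `$etherpad_key` parameters had no default, so a missing value stopped catalog compilation; the new form defers the failure to Apache start-up. I would either drop the defaults on the two path parameters or add a guard at the top of the body such as `if $ssl_cert_file == '' or $ssl_key_file == '' { fail('ssl_cert_file and ssl_key_file are required') }`. The class body continues outside this hunk.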
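Review bot: None of the three new `file` resources in apache.pp refreshes Apache, because `before => Apache::Vhost[$vhost_name]` only orders them; when the hiera contents change (a renewal, or a key replaced after exposure) the new files land on disk while the running server presumably keeps serving the old key pair until something else restarts it. Adding `notify => Service['<apache-service-name>']` to each resource would close that gap; the service's resource name is not visible in this hunk, so that title is a placeholder. The key file's `root`/`ssl-cert` ownership with mode `0640` is appropriate, but it requires only `Package['ssl-cert']`, whereas the context line above shows an existing resource requiring `File['/etc/ssl/private']`; if the key path is meant to live in that directory, the same `require` belongs on `file { $ssl_key_file:`. Since `content => $ssl_key_file_contents` carries private key material, it is also worth confirming that file content diffs are not written to agent logs or reports.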
@@ -24,8 +24,11 @@ SSLEngine on
- SSLCertificateFile /etc/ssl/certs/<%= scope.lookupvar("etherpad_lite::apache::vhost_name") %>.pem
- SSLCertificateKeyFile /etc/ssl/private/<%= scope.lookupvar("etherpad_lite::apache::vhost_name") %>.key
+ SSLCertificateFile <%= scope.lookupvar("etherpad_lite::apache::ssl_cert_file") %>
+ SSLCertificateKeyFile <%= scope.lookupvar("etherpad_lite::apache::ssl_key_file") %>
+ <% if scope.lookupvar("etherpad_lite::apache::ssl_chain_file") != "" %>
+ SSLCertificateChainFile <%= scope.lookupvar("etherpad_lite::apache::ssl_chain_file") %>
+ <% end %>
 BrowserMatch "MSIE [2-6]" \
 nokeepalive ssl-unclean-shutdown \
diff --git a/modules/openstack_project/manifests/etherpad.pp b/modules/openstack_project/manifests/etherpad.pp
index ee689e96b1..05b0e6be83 100644
--- a/modules/openstack_project/manifests/etherpad.pp
+++ b/modules/openstack_project/manifests/etherpad.pp
@@ -1,6 +1,7 @@
 class openstack_project::etherpad (
- $etherpad_crt,
- $etherpad_key,
+ $ssl_cert_file_contents = '',
+ $ssl_key_file_contents = '',
+ $ssl_chain_file_contents = '',
 $database_password,
 $sysadmins = []
 ) {
@@ -13,8 +14,12 @@ class openstack_project::etherpad (
 include etherpad_lite::backup
 class { 'etherpad_lite::apache':
- etherpad_crt => $etherpad_crt,
- etherpad_key => $etherpad_key,
+ ssl_cert_file => '/etc/ssl/certs/etherpad.openstack.org.pem',
+ ssl_key_file => '/etc/ssl/private/etherpad.openstack.org.key',
+ ssl_chain_file => '/etc/ssl/certs/intermediate.pem',
+ ssl_cert_file_contents => $ssl_cert_file_contents,
+ ssl_key_file_contents => $ssl_key_file_contents,
+ ssl_chain_file_contents => $ssl_chain_file_contents,
 }
 class { 'etherpad_lite::site':
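Review bot: The `SSLCertificateChainFile` line in etherpadlite.vhost.erb is emitted whenever the `ssl_chain_file` path is non-empty, but apache.pp creates that file only when `ssl_chain_file_contents` is non-empty, and the etherpad.pp hunk further down always passes `/etc/ssl/certs/intermediate.pem` while the contents default to `''`. With an empty chain value the vhost therefore points at a file Puppet never wrote, so Apache either fails its configuration check or serves whatever intermediate already sits at that path. Passing the path only when contents are supplied, or having the template test both variables, keeps the two conditions in step. As a smaller point, closing the two control tags with `-%>` would avoid the blank lines they otherwise leave in the rendered vhost.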
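Review bot: Giving `$ssl_cert_file_contents` and `$ssl_key_file_contents` a default of `''` in openstack_project::etherpad turns what used to be required parameters into a silent no-op: the second etherpad.pp hunk still passes fixed certificate and key paths, so a caller that omits the contents gets a vhost referencing files this class never manages, possibly a stale key left on disk. Leaving those two without a default (only the chain is genuinely optional) restores the compile-time failure, i.e. `$ssl_cert_file_contents,` and `$ssl_key_file_contents,`. The paths in the second hunk also hard-code `etherpad.openstack.org`, where the template previously derived the file names from `vhost_name`; a short comment stating that the two must match would help the next reader.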