Add ssl cert to wiki.o.o.

Change-Id: I6c6ad0ddd000e3f140cb08faef7dce2cb9ae7079 Reviewed-on: https://review.openstack.org/18349 Reviewed-by: Ryan Lane Reviewed-by: Monty Taylor <mordred@inaugust.com> Approved: Clark Boylan <clark.boylan@gmail.com> Reviewed-by: Clark Boylan <clark.boylan@gmail.com> Tested-by: Jenkins
2012-12-18 14:11:43 -08:00 · 2012-12-18 14:11:43 -08:00 · 37daa678e2
commit 37daa678e2
parent 26ce53321a
4 changed files with 60 additions and 9 deletions
--- a/manifests/site.pp
+++ b/manifests/site.pp
@ -163,8 +163,11 @@ node 'etherpad-dev.openstack.org' {

 node 'wiki.openstack.org' {
  class { 'openstack_project::wiki':
-    mysql_root_password => hiera('wiki_db_password'),
-    sysadmins           => hiera('sysadmins'),
+    mysql_root_password     => hiera('wiki_db_password'),
+    sysadmins               => hiera('sysadmins'),
+    ssl_cert_file_contents  => hiera('wiki_ssl_cert_file_contents'),
+    ssl_key_file_contents   => hiera('wiki_ssl_key_file_contents'),
+    ssl_chain_file_contents => hiera('wiki_ssl_chain_file_contents'),
  }
 }

--- a/modules/mediawiki/manifests/init.pp
+++ b/modules/mediawiki/manifests/init.pp
@ -3,7 +3,13 @@
 class mediawiki(
  $role = '',
  $site_hostname = '',
-  $mediawiki_location = ''
+  $mediawiki_location = '',
+  $ssl_cert_file = "/etc/ssl/certs/${::fqdn}.pem",
+  $ssl_key_file = "/etc/ssl/private/${::fqdn}.key",
+  $ssl_chain_file = '',
+  $ssl_cert_file_contents = '',  # If left empty puppet will not create file.
+  $ssl_key_file_contents = '',   # If left empty puppet will not create file.
+  $ssl_chain_file_contents = '', # If left empty puppet will not create file.
 ) {

  if ($role == 'app' or $role == 'all') {
@ -16,6 +22,36 @@ class mediawiki(
      ensure => present,
    }

+    if $ssl_cert_file_contents != '' {
+      file { $ssl_cert_file:
+        owner   => 'root',
+        group   => 'root',
+        mode    => '0640',
+        content => $ssl_cert_file_contents,
+        before  => Apache::Vhost[$site_hostname],
+      }
+    }
+
+    if $ssl_key_file_contents != '' {
+      file { $ssl_key_file:
+        owner   => 'root',
+        group   => 'ssl-cert',
+        mode    => '0640',
+        content => $ssl_key_file_contents,
+        before  => Apache::Vhost[$site_hostname],
+      }
+    }
+
+    if $ssl_chain_file_contents != '' {
+      file { $ssl_chain_file:
+        owner   => 'root',
+        group   => 'root',
+        mode    => '0640',
+        content => $ssl_chain_file_contents,
+        before  => Apache::Vhost[$site_hostname],
+      }
+    }
+
    apache::vhost { $site_hostname:
      port     => 443,
      docroot  => 'MEANINGLESS ARGUMENT',
--- a/modules/mediawiki/templates/apache/mediawiki.erb
+++ b/modules/mediawiki/templates/apache/mediawiki.erb
@ -39,8 +39,11 @@
        ServerName <%= scope.lookupvar("mediawiki::site_hostname") %>

        SSLEngine on
-        SSLCertificateFile /etc/ssl/certs/<%= fqdn %>.pem
-        SSLCertificateKeyFile /etc/ssl/private/<%= fqdn %>.key
+        SSLCertificateFile      <%= scope.lookupvar("mediawiki::ssl_cert_file") %>
+        SSLCertificateKeyFile   <%= scope.lookupvar("mediawiki::ssl_key_file") %>
+        <% if scope.lookupvar("mediawiki::ssl_chain_file") != "" %>
+          SSLCertificateChainFile <%= scope.lookupvar("mediawiki::ssl_chain_file") %>
+        <% end %>

        RedirectMatch ^/$ http://<%= scope.lookupvar("mediawiki::site_hostname") %>/wiki/

--- a/modules/openstack_project/manifests/wiki.pp
+++ b/modules/openstack_project/manifests/wiki.pp
@ -2,7 +2,10 @@
 #
 class openstack_project::wiki (
  $mysql_root_password = '',
-  $sysadmins = []
+  $sysadmins = [],
+  $ssl_cert_file_contents = '',
+  $ssl_key_file_contents = '',
+  $ssl_chain_file_contents = '',
 ) {

  include openssl
@ -18,9 +21,15 @@ class openstack_project::wiki (
  )

  class { 'mediawiki':
-    role               => 'all',
-    mediawiki_location => '/srv/mediawiki/w',
-    site_hostname      => $::fqdn,
+    role                    => 'all',
+    mediawiki_location      => '/srv/mediawiki/w',
+    site_hostname           => $::fqdn,
+    ssl_cert_file           => "/etc/ssl/certs/${::fqdn}.pem",
+    ssl_key_file            => "/etc/ssl/private/${::fqdn}.key",
+    ssl_chain_file          => '/etc/ssl/certs/intermediate.pem',
+    ssl_cert_file_contents  => $ssl_cert_file_contents,
+    ssl_key_file_contents   => $ssl_key_file_contents,
+    ssl_chain_file_contents => $ssl_chain_file_contents,
  }
  class { 'memcached':
    max_memory => 2048,