Merge "Add httpd ssl support to git.openstack.org"

Jenkins 2013-08-07 23:03:45 +00:00 committed by Gerrit Code Review
commit 5de16a0fb9
6 changed files with 104 additions and 13 deletions


@ -288,8 +288,11 @@ node /^elasticsearch\d*\.openstack\.org$/ {
# A CentOS machine to run cgit and git daemon. # A CentOS machine to run cgit and git daemon.
node 'git.openstack.org' { node 'git.openstack.org' {
class { 'openstack_project::git': class { 'openstack_project::git':
sysadmins => hiera('sysadmins'), sysadmins => hiera('sysadmins'),
git_gerrit_ssh_key => hiera('gerrit_ssh_rsa_pubkey_contents'), git_gerrit_ssh_key => hiera('gerrit_ssh_rsa_pubkey_contents'),
ssl_cert_file_contents => hiera('git_ssl_cert_file_contents'),
ssl_key_file_contents => hiera('git_ssl_key_file_contents'),
ssl_chain_file_contents => hiera('git_ssl_chain_file_contents'),
} }
} }


@ -1,4 +0,0 @@
Alias /cgit-data /usr/share/cgit
ScriptAlias /cgit /var/www/cgi-bin/cgit
RewriteEngine On
RewriteRule ^/$ /cgit [R]


@ -14,7 +14,16 @@
# #
# Class: cgit # Class: cgit
# #
class cgit { class cgit(
$vhost_name = $::fqdn,
$serveradmin = "webmaster@${::fqdn}",
$ssl_cert_file = '',
$ssl_key_file = '',
$ssl_chain_file = '',
$ssl_cert_file_contents = '', # If left empty puppet will not create file.
$ssl_key_file_contents = '', # If left empty puppet will not create file.
$ssl_chain_file_contents = '', # If left empty puppet will not create file.
) {
include apache include apache
@ -66,10 +75,12 @@ class cgit {
value => on value => on
} }
file { '/etc/httpd/conf.d/cgit.conf': apache::vhost { $vhost_name:
ensure => present, port => 443,
source => 'puppet:///modules/cgit/cgit.conf', docroot => 'MEANINGLESS ARGUMENT',
mode => '0644' priority => '50',
template => 'cgit/git.vhost.erb',
ssl => true,
} }
file { '/etc/xinetd.d/git': file { '/etc/xinetd.d/git':
@ -84,4 +95,34 @@ class cgit {
ensure => running, ensure => running,
subscribe => File['/etc/xinetd.d/git'], subscribe => File['/etc/xinetd.d/git'],
} }
if $ssl_cert_file_contents != '' {
file { $ssl_cert_file:
owner => 'root',
group => 'root',
mode => '0640',
content => $ssl_cert_file_contents,
before => Apache::Vhost[$vhost_name],
}
}
if $ssl_key_file_contents != '' {
file { $ssl_key_file:
owner => 'root',
group => 'root',
mode => '0640',
content => $ssl_key_file_contents,
before => Apache::Vhost[$vhost_name],
}
}
if $ssl_chain_file_contents != '' {
file { $ssl_chain_file:
owner => 'root',
group => 'root',
mode => '0640',
content => $ssl_chain_file_contents,
before => Apache::Vhost[$vhost_name],
}
}
} }
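Review bot: The private-key resource `file { $ssl_key_file: }` gets `mode => '0640'`, the same as the public certificate and chain; a key that only root needs to read is better as `mode => '0600'`. Because the key arrives through `content =>`, adding `show_diff => false` (where the Puppet version in use supports it) keeps key material out of agent logs and reports when the file changes. Each block is guarded on the `*_contents` value but titled with the `*_file` path, which defaults to `''`, so contents supplied without a path produce a file resource with an empty title; guarding on both values would fail more clearly. The three resources use `before => Apache::Vhost[$vhost_name]`, which orders but does not refresh, so a rotated certificate is presumably not picked up until httpd is restarted some other way.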


@ -0,0 +1,39 @@
<VirtualHost <%= scope.lookupvar("cgit::vhost_name") %>:80>
ServerName <%= scope.lookupvar("cgit::vhost_name") %>
ServerAdmin <%= scope.lookupvar("cgit::serveradmin") %>
ErrorLog ${APACHE_LOG_DIR}/git-error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/git-access.log combined
Redirect / https://<%= scope.lookupvar("cgit::vhost_name") %>/
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost <%= scope.lookupvar("cgit::vhost_name") %>:443>
ServerName <%= scope.lookupvar("cgit::vhost_name") %>
ServerAdmin <%= scope.lookupvar("cgit::serveradmin") %>
Alias /cgit-data /usr/share/cgit
ScriptAlias /cgit /var/www/cgi-bin/cgit
RewriteEngine On
RewriteRule ^/$ /cgit [R]
ErrorLog ${APACHE_LOG_DIR}/git-error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/git-access.log combined
SSLEngine on
SSLCertificateFile <%= scope.lookupvar("cgit::ssl_cert_file") %>
SSLCertificateKeyFile <%= scope.lookupvar("cgit::ssl_key_file") %>
<% if scope.lookupvar("cgit::ssl_chain_file") != "" %>
SSLCertificateChainFile <%= scope.lookupvar("cgit::ssl_chain_file") %>
<% end %>
</VirtualHost>
</IfModule>
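Review bot: `${APACHE_LOG_DIR}` in the `ErrorLog` and `CustomLog` lines of both vhosts is a variable that Debian-style Apache packaging defines, while the target node is described as a CentOS machine, where httpd does not normally define it; the log paths would then not resolve and httpd may refuse to start. A literal path or a template variable would be safer, for example `ErrorLog /var/log/httpd/git-error.log`. Separately, `SSLCertificateFile` and `SSLCertificateKeyFile` are emitted unconditionally although `cgit::ssl_cert_file` and `cgit::ssl_key_file` default to `''`, which would render an invalid vhost if the class is used with defaults. The 443 vhost also sets no `SSLProtocol` or `SSLCipherSuite`, so protocol and cipher policy is whatever the server-wide mod_ssl configuration provides; stating it here would make the intended policy reviewable.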


@ -6,7 +6,7 @@
cache-size=0 cache-size=0
# Specify some default clone prefixes # Specify some default clone prefixes
clone-prefix=git://git.openstack.org http://git.openstack.org/cgit clone-prefix=git://git.openstack.org https://git.openstack.org/cgit
# Specify the css url # Specify the css url
css=/cgit-data/cgit.css css=/cgit-data/cgit.css


@ -18,9 +18,12 @@
class openstack_project::git ( class openstack_project::git (
$sysadmins = [], $sysadmins = [],
$git_gerrit_ssh_key = '', $git_gerrit_ssh_key = '',
$ssl_cert_file_contents = '',
$ssl_key_file_contents = '',
$ssl_chain_file_contents = '',
) { ) {
class { 'openstack_project::server': class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 9418], iptables_public_tcp_ports => [80, 443, 9418],
sysadmins => $sysadmins, sysadmins => $sysadmins,
} }
@ -28,6 +31,15 @@ class openstack_project::git (
include jeepyb include jeepyb
include pip include pip
class { 'cgit':
ssl_cert_file => '/etc/ssl/certs/git.openstack.org.pem',
ssl_key_file => '/etc/ssl/private/git.openstack.org.key',
ssl_chain_file => '/etc/ssl/certs/intermediate.pem',
ssl_cert_file_contents => $ssl_cert_file_contents,
ssl_key_file_contents => $ssl_key_file_contents,
ssl_chain_file_contents => $ssl_chain_file_contents,
}
# We don't actually use these, but jeepyb requires them. # We don't actually use these, but jeepyb requires them.
$local_git_dir = '/var/lib/git' $local_git_dir = '/var/lib/git'
$ssh_project_key = '' $ssh_project_key = ''
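Review bot: `ssl_key_file => '/etc/ssl/private/git.openstack.org.key'` follows the Debian layout; on a stock CentOS host `/etc/ssl/private` is not expected to exist (keys conventionally live under `/etc/pki/tls/private`), and the `file` resources in `cgit` do not create parent directories, so the key write would likely fail unless something else manages that directory. Either point the three paths at the distribution's own TLS directories or declare the directory explicitly with `ensure => directory` and `mode => '0700'`. The firewall list keeps 80 open, which the redirect vhost needs, and also 9418, so `git://` clones stay unencrypted and unauthenticated alongside the new HTTPS prefix; a comment saying this is intentional would help. The class body continues outside the hunk.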