diff --git a/manifests/site.pp b/manifests/site.pp
index af8efecf17..0394279049 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -13,12 +13,15 @@ node default {
 #
 node 'review.openstack.org' {
 class { 'openstack_project::review':
- github_oauth_token => hiera('gerrit_github_token'),
- mysql_password => hiera('gerrit_mysql_password'),
- mysql_root_password => hiera('gerrit_mysql_root_password'),
- email_private_key => hiera('gerrit_email_private_key'),
- gerritbot_password => hiera('gerrit_gerritbot_password'),
- sysadmins => hiera('sysadmins'),
+ github_oauth_token => hiera('gerrit_github_token'),
+ mysql_password => hiera('gerrit_mysql_password'),
+ mysql_root_password => hiera('gerrit_mysql_root_password'),
+ email_private_key => hiera('gerrit_email_private_key'),
+ gerritbot_password => hiera('gerrit_gerritbot_password'),
+ ssl_cert_file_contents => hiera('gerrit_ssl_cert_file_contents'),
+ ssl_key_file_contents => hiera('gerrit_ssl_key_file_contents'),
+ ssl_chain_file_contents => hiera('gerrit_ssl_chain_file_contents'),
+ sysadmins => hiera('sysadmins'),
 }
 }
diff --git a/modules/gerrit/manifests/init.pp b/modules/gerrit/manifests/init.pp
index 900b8c84f6..b3b8cffc0f 100644
--- a/modules/gerrit/manifests/init.pp
+++ b/modules/gerrit/manifests/init.pp
@@ -9,6 +9,10 @@
 # Used in the Apache virtual host to specify the SSL cert and key files.
 # ssl_chain_file:
 # Optional, if you have an intermediate cert Apache should serve.
+# ssl_*_file_contents:
+# Optional, the contents of the respective cert files as a string. Will be
+# used to have Puppet ensure the contents of these files. Default value of
+# '' means Puppet should not manage these files.
 # openidssourl:
 # The URL to use for OpenID in SSO mode.
 # email:
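Review bot: The three new `hiera()` lookups in the `openstack_project::review` declaration have no default, so `gerrit_ssl_cert_file_contents`, `gerrit_ssl_key_file_contents` and `gerrit_ssl_chain_file_contents` become mandatory hiera keys for this node, even though the `gerrit` class in this same change documents '' as "do not manage the file" and `openstack_project::review` defaults all three to ''. If the files are meant to be opt-in (the chain file in particular is optional), passing a default such as `ssl_chain_file_contents => hiera('gerrit_ssl_chain_file_contents', ''),` keeps catalog compilation working when the key is absent; if they are meant to be mandatory like the other secrets here, the '' defaults on the class parameters are misleading and the parameter doc should say so.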
@@ -62,42 +66,45 @@
 # TODO: make more gerrit options configurable here
 class gerrit($vhost_name=$fqdn,
- $canonicalweburl="https://$fqdn/",
- $serveradmin="webmaster@$fqdn",
- $ssl_cert_file='/etc/ssl/certs/ssl-cert-snakeoil.pem',
- $ssl_key_file='/etc/ssl/private/ssl-cert-snakeoil.key',
- $ssl_chain_file='',
- $openidssourl="https://login.launchpad.net/+openid",
- $email='',
- $database_poollimit='',
- $container_heaplimit='',
- $core_packedgitopenfiles='',
- $core_packedgitlimit='',
- $core_packedgitwindowsize='',
- $sshd_threads='',
- $httpd_acceptorthreads='',
- $httpd_minthreads='',
- $httpd_maxthreads='',
- $httpd_maxwait='',
- $commentlinks = [],
- $war,
- $contactstore=false,
- $contactstore_appsec='',
- $contactstore_pubkey='',
- $contactstore_url='',
- $projects_file = 'UNDEF',
- $enable_melody = 'false',
- $melody_session = 'false',
- $mysql_password,
- $mysql_root_password,
- $email_private_key,
- $replicate_github=false,
- $replicate_local=true,
- $local_git_dir='/var/lib/git',
- $replication_targets=[],
- $gitweb=true,
- $testmode=false
- ) {
+ $canonicalweburl="https://$fqdn/",
+ $serveradmin="webmaster@$fqdn",
+ $ssl_cert_file='/etc/ssl/certs/ssl-cert-snakeoil.pem',
+ $ssl_key_file='/etc/ssl/private/ssl-cert-snakeoil.key',
+ $ssl_chain_file='',
+ $ssl_cert_file_contents='', # If left empty puppet will not create file.
+ $ssl_key_file_contents='', # If left empty puppet will not create file.
+ $ssl_chain_file_contents='', # If left empty puppet will not create file.
+ $openidssourl="https://login.launchpad.net/+openid",
+ $email='',
+ $database_poollimit='',
+ $container_heaplimit='',
+ $core_packedgitopenfiles='',
+ $core_packedgitlimit='',
+ $core_packedgitwindowsize='',
+ $sshd_threads='',
+ $httpd_acceptorthreads='',
+ $httpd_minthreads='',
+ $httpd_maxthreads='',
+ $httpd_maxwait='',
+ $commentlinks = [],
+ $war,
+ $contactstore=false,
+ $contactstore_appsec='',
+ $contactstore_pubkey='',
+ $contactstore_url='',
+ $projects_file = 'UNDEF',
+ $enable_melody = 'false',
+ $melody_session = 'false',
+ $mysql_password,
+ $mysql_root_password,
+ $email_private_key,
+ $replicate_github=false,
+ $replicate_local=true,
+ $local_git_dir='/var/lib/git',
+ $replication_targets=[],
+ $gitweb=true,
+ $testmode=false
+) {
 include apache
@@ -239,7 +246,7 @@ class gerrit($vhost_name=$fqdn,
 require => File["/home/gerrit2/review_site/etc"]
 }
-# Set up MySQL.
+ # Set up MySQL.
 class {"mysql::server":
 config_hash => {
@@ -258,14 +265,14 @@ class gerrit($vhost_name=$fqdn,
 charset => "latin1",
 }
-# Set up apache.
+ # Set up apache.
 apache::vhost { $vhost_name:
- port => 443,
- docroot => 'MEANINGLESS ARGUMENT',
+ port => 443,
+ docroot => 'MEANINGLESS ARGUMENT',
 priority => '50',
 template => 'gerrit/gerrit.vhost.erb',
- ssl => true,
+ ssl => true,
 }
 a2mod { 'rewrite':
 ensure => present
@@ -277,6 +284,36 @@ class gerrit($vhost_name=$fqdn,
 ensure => present
 }
+ if $ssl_cert_file_contents != '' {
+ file { $ssl_cert_file:
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ content => $ssl_cert_file_contents,
+ before => Apache::Vhost[$vhost_name],
+ }
+ }
+
+ if $ssl_key_file_contents != '' {
+ file { $ssl_key_file:
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ content => $ssl_key_file_contents,
+ before => Apache::Vhost[$vhost_name],
+ }
+ }
+
+ if $ssl_chain_file_contents != '' {
+ file { $ssl_chain_file:
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ content => $ssl_chain_file_contents,
+ before => Apache::Vhost[$vhost_name],
+ }
+ }
+
 # Install Gerrit itself.
 # The Gerrit WAR is specified as a url like 'http://tarballs.openstack.org/ci/gerrit-2.2.2-363-gd0a67ce.war'
diff --git a/modules/openstack_project/manifests/gerrit.pp b/modules/openstack_project/manifests/gerrit.pp
index 06392a3df3..a7212b3a53 100644
--- a/modules/openstack_project/manifests/gerrit.pp
+++ b/modules/openstack_project/manifests/gerrit.pp
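Review bot: Each of the three new `if` blocks checks only that the contents are non-empty, but the path it manages can itself be '' — `$ssl_chain_file` defaults to '' in this class, and `openstack_project::gerrit` defaults all three `ssl_*_file` paths to '' — so supplying contents without a path yields a `file` resource with an empty title and an unhelpful catalog failure; I would tighten each guard, e.g. `if $ssl_key_file_contents != '' and $ssl_key_file != '' {`, or `fail()` with a message naming the missing path. The key file is managed via `content =>`, so when diff output is enabled a content change will print the old and new private key in the agent run and report unless the resource also carries `show_diff => false,` (confirm the `file` type in the Puppet release in use accepts that parameter). Finally, `before => Apache::Vhost[$vhost_name]` only orders initial creation: a rotated certificate or key written by these resources is not loaded by an already-running Apache until it is restarted, so consider notifying the service resource the apache module declares.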
@@ -4,41 +4,44 @@
 # TODO: launchpadlib creds for user sync script
 class openstack_project::gerrit (
- $vhost_name=$fqdn,
- $canonicalweburl="https://$fqdn/",
- $serveradmin='webmaster@openstack.org',
- $ssh_host_key='/home/gerrit2/review_site/etc/ssh_host_rsa_key',
- $ssl_cert_file='',
- $ssl_key_file='',
- $ssl_chain_file='',
- $email='',
- $database_poollimit='',
- $container_heaplimit='',
- $core_packedgitopenfiles='',
- $core_packedgitlimit='',
- $core_packedgitwindowsize='',
- $sshd_threads='',
- $httpd_acceptorthreads='',
- $httpd_minthreads='',
- $httpd_maxthreads='',
- $httpd_maxwait='',
- $war,
- $contactstore=false,
- $contactstore_appsec='',
- $contactstore_pubkey='',
- $contactstore_url='',
- $script_user='update',
- $script_key_file='/home/gerrit2/.ssh/id_rsa',
- $script_logging_conf='/home/gerrit2/.sync_logging.conf',
- $projects_file='UNDEF',
- $github_username,
- $github_oauth_token,
- $mysql_password,
- $mysql_root_password,
- $trivial_rebase_role_id,
- $email_private_key,
- $testmode=false,
- $sysadmins=[]
+ $vhost_name=$fqdn,
+ $canonicalweburl="https://$fqdn/",
+ $serveradmin='webmaster@openstack.org',
+ $ssh_host_key='/home/gerrit2/review_site/etc/ssh_host_rsa_key',
+ $ssl_cert_file='',
+ $ssl_key_file='',
+ $ssl_chain_file='',
+ $ssl_cert_file_contents='',
+ $ssl_key_file_contents='',
+ $ssl_chain_file_contents='',
+ $email='',
+ $database_poollimit='',
+ $container_heaplimit='',
+ $core_packedgitopenfiles='',
+ $core_packedgitlimit='',
+ $core_packedgitwindowsize='',
+ $sshd_threads='',
+ $httpd_acceptorthreads='',
+ $httpd_minthreads='',
+ $httpd_maxthreads='',
+ $httpd_maxwait='',
+ $war,
+ $contactstore=false,
+ $contactstore_appsec='',
+ $contactstore_pubkey='',
+ $contactstore_url='',
+ $script_user='update',
+ $script_key_file='/home/gerrit2/.ssh/id_rsa',
+ $script_logging_conf='/home/gerrit2/.sync_logging.conf',
+ $projects_file='UNDEF',
+ $github_username,
+ $github_oauth_token,
+ $mysql_password,
+ $mysql_root_password,
+ $trivial_rebase_role_id,
+ $email_private_key,
+ $testmode=false,
+ $sysadmins=[]
 ) {
 class { 'openstack_project::server':
 iptables_public_tcp_ports => [80, 443, 29418],
@@ -46,51 +49,55 @@ class openstack_project::gerrit (
 }
 class { '::gerrit':
- vhost_name => $vhost_name,
- canonicalweburl => $canonicalweburl,
+ vhost_name => $vhost_name,
+ canonicalweburl => $canonicalweburl,
 # opinions
- enable_melody => 'true',
- melody_session => 'true',
+ enable_melody => 'true',
+ melody_session => 'true',
 # passthrough
- ssl_cert_file => $ssl_cert_file,
- ssl_key_file => $ssl_key_file,
- ssl_chain_file => $ssl_chain_file,
- email => $email,
- openidssourl => "https://login.launchpad.net/+openid",
- database_poollimit => $database_poollimit,
- container_heaplimit => $container_heaplimit,
- core_packedgitopenfiles => $core_packedgitopenfiles,
- core_packedgitlimit => $core_packedgitlimit,
+ ssl_cert_file => $ssl_cert_file,
+ ssl_key_file => $ssl_key_file,
+ ssl_chain_file => $ssl_chain_file,
+ ssl_cert_file_contents => $ssl_cert_file_contents,
+ ssl_key_file_contents => $ssl_key_file_contents,
+ ssl_chain_file_contents => $ssl_chain_file_contents,
+ email => $email,
+ openidssourl => "https://login.launchpad.net/+openid",
+ database_poollimit => $database_poollimit,
+ container_heaplimit => $container_heaplimit,
+ core_packedgitopenfiles => $core_packedgitopenfiles,
+ core_packedgitlimit => $core_packedgitlimit,
 core_packedgitwindowsize => $core_packedgitwindowsize,
- sshd_threads => $sshd_threads,
- httpd_acceptorthreads => $httpd_acceptorthreads,
- httpd_minthreads => $httpd_minthreads,
- httpd_maxthreads => $httpd_maxthreads,
- httpd_maxwait => $httpd_maxwait,
- commentlinks => [ { name => 'changeid',
- match => '(I[0-9a-f]{8,40})',
- link => '#q,$1,n,z' },
-
- { name => 'launchpad',
- match => '([Bb]ug|[Ll][Pp])[\\s#:]*(\\d+)',
- link => 'https://code.launchpad.net/bugs/$2' },
-
- { name => 'blueprint',
- match => '([Bb]lue[Pp]rint|[Bb][Pp])[\\s#:]*([A-Za-z0-9\\-]+)',
- link => 'https://blueprints.launchpad.net/openstack/?searchtext=$2' },
- ],
- war => $war,
- contactstore => $contactstore,
- contactstore_appsec => $contactstore_appsec,
- contactstore_pubkey => $contactstore_pubkey,
- contactstore_url => $contactstore_url,
- mysql_password => $mysql_password,
- mysql_root_password => $mysql_root_password,
- email_private_key => $email_private_key,
- projects_file => $projects_file,
- replicate_github => true,
- testmode => $testmode,
- require => Class[openstack_project::server],
+ sshd_threads => $sshd_threads,
+ httpd_acceptorthreads => $httpd_acceptorthreads,
+ httpd_minthreads => $httpd_minthreads,
+ httpd_maxthreads => $httpd_maxthreads,
+ httpd_maxwait => $httpd_maxwait,
+ commentlinks => [{ name => 'changeid',
+ match => '(I[0-9a-f]{8,40})',
+ link => '#q,$1,n,z'
+ },
+ { name => 'launchpad',
+ match => '([Bb]ug|[Ll][Pp])[\\s#:]*(\\d+)',
+ link => 'https://code.launchpad.net/bugs/$2'
+ },
+ { name => 'blueprint',
+ match => '([Bb]lue[Pp]rint|[Bb][Pp])[\\s#:]*([A-Za-z0-9\\-]+)',
+ link => 'https://blueprints.launchpad.net/openstack/?searchtext=$2'
+ },
+ ],
+ war => $war,
+ contactstore => $contactstore,
+ contactstore_appsec => $contactstore_appsec,
+ contactstore_pubkey => $contactstore_pubkey,
+ contactstore_url => $contactstore_url,
+ mysql_password => $mysql_password,
+ mysql_root_password => $mysql_root_password,
+ email_private_key => $email_private_key,
+ projects_file => $projects_file,
+ replicate_github => true,
+ testmode => $testmode,
+ require => Class[openstack_project::server],
 }
 if ($testmode == false) {
 class { 'gerrit::cron':
diff --git a/modules/openstack_project/manifests/review.pp b/modules/openstack_project/manifests/review.pp
index 5f1b8894c7..a8d8565432 100644
--- a/modules/openstack_project/manifests/review.pp
+++ b/modules/openstack_project/manifests/review.pp
@@ -30,32 +30,38 @@ class openstack_project::review (
 $mysql_root_password,
 $email_private_key,
 $gerritbot_password,
+ $ssl_cert_file_contents = '',
+ $ssl_key_file_contents = '',
+ $ssl_chain_file_contents = '',
 $sysadmins = []
 ) {
 class { 'openstack_project::gerrit':
- ssl_cert_file => '/etc/ssl/certs/review.openstack.org.pem',
- ssl_key_file => '/etc/ssl/private/review.openstack.org.key',
- ssl_chain_file => '/etc/ssl/certs/intermediate.pem',
- email => 'review@openstack.org',
- database_poollimit => '150', # 1 + 100 + 9 + 2 + 2 + 25 = 139(rounded up)
- container_heaplimit => '8g',
- core_packedgitopenfiles => '4096',
- core_packedgitlimit => '400m',
+ ssl_cert_file => '/etc/ssl/certs/review.openstack.org.pem',
+ ssl_key_file => '/etc/ssl/private/review.openstack.org.key',
+ ssl_chain_file => '/etc/ssl/certs/intermediate.pem',
+ ssl_cert_file_contents => $ssl_cert_file_contents,
+ ssl_key_file_contents => $ssl_key_file_contents,
+ ssl_chain_file_contents => $ssl_chain_file_contents,
+ email => 'review@openstack.org',
+ database_poollimit => '150', # 1 + 100 + 9 + 2 + 2 + 25 = 139(rounded up)
+ container_heaplimit => '8g',
+ core_packedgitopenfiles => '4096',
+ core_packedgitlimit => '400m',
 core_packedgitwindowsize => '16k',
- sshd_threads => '100',
- httpd_maxwait => '5000min',
- war => 'http://tarballs.openstack.org/ci/gerrit-2.4.2-11-gb5a28fb.war',
- script_user => 'launchpadsync',
- script_key_file => '/home/gerrit2/.ssh/launchpadsync_rsa',
- script_logging_conf => '/home/gerrit2/.sync_logging.conf',
- projects_file => 'puppet:///openstack_project/review.projects.yaml',
- github_username => 'openstack-gerrit',
- github_oauth_token => $github_oauth_token,
- mysql_password => $mysql_password,
- mysql_root_password => $mysql_root_password,
- trivial_rebase_role_id => 'trivial-rebase@review.openstack.org',
- email_private_key => $email_private_key,
- sysadmins => $sysadmins
+ sshd_threads => '100',
+ httpd_maxwait => '5000min',
+ war => 'http://tarballs.openstack.org/ci/gerrit-2.4.2-11-gb5a28fb.war',
+ script_user => 'launchpadsync',
+ script_key_file => '/home/gerrit2/.ssh/launchpadsync_rsa',
+ script_logging_conf => '/home/gerrit2/.sync_logging.conf',
+ projects_file => 'puppet:///openstack_project/review.projects.yaml',
+ github_username => 'openstack-gerrit',
+ github_oauth_token => $github_oauth_token,
+ mysql_password => $mysql_password,
+ mysql_root_password => $mysql_root_password,
+ trivial_rebase_role_id => 'trivial-rebase@review.openstack.org',
+ email_private_key => $email_private_key,
+ sysadmins => $sysadmins
 }
 class { 'gerritbot':
 nick => 'openstackgerrit',