From 15e526fb18fdc00757c0e038b38069e51b54d3a0 Mon Sep 17 00:00:00 2001
From: Clark Boylan <clark.boylan@gmail.com>
Date: Tue, 2 Oct 2012 15:49:18 -0700
Subject: [PATCH] Pass review.o.o SSL certs in from Hiera.

Use Hiera to store the review.o.o SSL certs and pass them down to the
gerrit module.

While modifying these files, fix indentation and rocket-ship alignment
according to puppet-lint in the sections touched.

Change-Id: I914b0dea72c77dedb44a4e6f51417985e673b315
Reviewed-on: https://review.openstack.org/13975
Approved: James E. Blair <corvus@inaugust.com>
Reviewed-by: James E. Blair <corvus@inaugust.com>
Tested-by: Jenkins
---
 manifests/site.pp                             |  15 +-
 modules/gerrit/manifests/init.pp              | 119 ++++++++-----
 modules/openstack_project/manifests/gerrit.pp | 161 +++++++++---------
 modules/openstack_project/manifests/review.pp |  50 +++---
 4 files changed, 199 insertions(+), 146 deletions(-)

diff --git a/manifests/site.pp b/manifests/site.pp
index af8efecf17..0394279049 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -13,12 +13,15 @@ node default {
 #
 node 'review.openstack.org' {
   class { 'openstack_project::review':
-    github_oauth_token  => hiera('gerrit_github_token'),
-    mysql_password      => hiera('gerrit_mysql_password'),
-    mysql_root_password => hiera('gerrit_mysql_root_password'),
-    email_private_key   => hiera('gerrit_email_private_key'),
-    gerritbot_password  => hiera('gerrit_gerritbot_password'),
-    sysadmins           => hiera('sysadmins'),
+    github_oauth_token      => hiera('gerrit_github_token'),
+    mysql_password          => hiera('gerrit_mysql_password'),
+    mysql_root_password     => hiera('gerrit_mysql_root_password'),
+    email_private_key       => hiera('gerrit_email_private_key'),
+    gerritbot_password      => hiera('gerrit_gerritbot_password'),
+    ssl_cert_file_contents  => hiera('gerrit_ssl_cert_file_contents'),
+    ssl_key_file_contents   => hiera('gerrit_ssl_key_file_contents'),
+    ssl_chain_file_contents => hiera('gerrit_ssl_chain_file_contents'),
+    sysadmins               => hiera('sysadmins'),
   }
 }
 
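Review bot: The three new `hiera('gerrit_ssl_*_file_contents')` lookups in the `openstack_project::review` declaration have no default, so a Hiera tree that lacks those keys aborts catalog compilation for this node, whereas the class they feed treats the same parameters as optional (`''` means the file is left unmanaged). If the certs may legitimately be absent, pass the default through, e.g. `ssl_cert_file_contents  => hiera('gerrit_ssl_cert_file_contents', ''),` and the same for the key and chain lookups. If they are meant to be mandatory on review.openstack.org, failing loudly is the right behaviour, but a short comment saying so would stop the next reader from "fixing" it.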
diff --git a/modules/gerrit/manifests/init.pp b/modules/gerrit/manifests/init.pp
index 900b8c84f6..b3b8cffc0f 100644
--- a/modules/gerrit/manifests/init.pp
+++ b/modules/gerrit/manifests/init.pp
@@ -9,6 +9,10 @@
 #     Used in the Apache virtual host to specify the SSL cert and key files.
 #   ssl_chain_file:
 #     Optional, if you have an intermediate cert Apache should serve.
+#   ssl_*_file_contents:
+#     Optional, the contents of the respective cert files as a string. Will be
+#     used to have Puppet ensure the contents of these files. Default value of
+#     '' means Puppet should not manage these files.
 #   openidssourl:
 #     The URL to use for OpenID in SSO mode.
 #   email:
@@ -62,42 +66,45 @@
 # TODO: make more gerrit options configurable here
 
 class gerrit($vhost_name=$fqdn,
-      $canonicalweburl="https://$fqdn/",
-      $serveradmin="webmaster@$fqdn",
-      $ssl_cert_file='/etc/ssl/certs/ssl-cert-snakeoil.pem',
-      $ssl_key_file='/etc/ssl/private/ssl-cert-snakeoil.key',
-      $ssl_chain_file='',
-      $openidssourl="https://login.launchpad.net/+openid",
-      $email='',
-      $database_poollimit='',
-      $container_heaplimit='',
-      $core_packedgitopenfiles='',
-      $core_packedgitlimit='',
-      $core_packedgitwindowsize='',
-      $sshd_threads='',
-      $httpd_acceptorthreads='',
-      $httpd_minthreads='',
-      $httpd_maxthreads='',
-      $httpd_maxwait='',
-      $commentlinks = [],
-      $war,
-      $contactstore=false,
-      $contactstore_appsec='',
-      $contactstore_pubkey='',
-      $contactstore_url='',
-      $projects_file = 'UNDEF',
-      $enable_melody = 'false',
-      $melody_session = 'false',
-      $mysql_password,
-      $mysql_root_password,
-      $email_private_key,
-      $replicate_github=false,
-      $replicate_local=true,
-      $local_git_dir='/var/lib/git',
-      $replication_targets=[],
-      $gitweb=true,
-      $testmode=false
-      ) {
+  $canonicalweburl="https://$fqdn/",
+  $serveradmin="webmaster@$fqdn",
+  $ssl_cert_file='/etc/ssl/certs/ssl-cert-snakeoil.pem',
+  $ssl_key_file='/etc/ssl/private/ssl-cert-snakeoil.key',
+  $ssl_chain_file='',
+  $ssl_cert_file_contents='', # If left empty puppet will not create file.
+  $ssl_key_file_contents='', # If left empty puppet will not create file.
+  $ssl_chain_file_contents='', # If left empty puppet will not create file.
+  $openidssourl="https://login.launchpad.net/+openid",
+  $email='',
+  $database_poollimit='',
+  $container_heaplimit='',
+  $core_packedgitopenfiles='',
+  $core_packedgitlimit='',
+  $core_packedgitwindowsize='',
+  $sshd_threads='',
+  $httpd_acceptorthreads='',
+  $httpd_minthreads='',
+  $httpd_maxthreads='',
+  $httpd_maxwait='',
+  $commentlinks = [],
+  $war,
+  $contactstore=false,
+  $contactstore_appsec='',
+  $contactstore_pubkey='',
+  $contactstore_url='',
+  $projects_file = 'UNDEF',
+  $enable_melody = 'false',
+  $melody_session = 'false',
+  $mysql_password,
+  $mysql_root_password,
+  $email_private_key,
+  $replicate_github=false,
+  $replicate_local=true,
+  $local_git_dir='/var/lib/git',
+  $replication_targets=[],
+  $gitweb=true,
+  $testmode=false
+) {
 
   include apache
 
@@ -239,7 +246,7 @@ class gerrit($vhost_name=$fqdn,
     require => File["/home/gerrit2/review_site/etc"]
   }
 
-# Set up MySQL.
+  # Set up MySQL.
 
   class {"mysql::server":
     config_hash => {
@@ -258,14 +265,14 @@ class gerrit($vhost_name=$fqdn,
     charset => "latin1",
   }
 
-# Set up apache.
+  # Set up apache.
 
   apache::vhost { $vhost_name:
-    port => 443,
-    docroot => 'MEANINGLESS ARGUMENT',
+    port     => 443,
+    docroot  => 'MEANINGLESS ARGUMENT',
     priority => '50',
     template => 'gerrit/gerrit.vhost.erb',
-    ssl => true,
+    ssl      => true,
   }
   a2mod { 'rewrite':
     ensure => present
@@ -277,6 +284,36 @@ class gerrit($vhost_name=$fqdn,
     ensure => present
   }
 
+  if $ssl_cert_file_contents != '' {
+    file { $ssl_cert_file:
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0640',
+      content => $ssl_cert_file_contents,
+      before  => Apache::Vhost[$vhost_name],
+    }
+  }
+
+  if $ssl_key_file_contents != '' {
+    file { $ssl_key_file:
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0640',
+      content => $ssl_key_file_contents,
+      before  => Apache::Vhost[$vhost_name],
+    }
+  }
+
+  if $ssl_chain_file_contents != '' {
+    file { $ssl_chain_file:
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0640',
+      content => $ssl_chain_file_contents,
+      before  => Apache::Vhost[$vhost_name],
+    }
+  }
+
   # Install Gerrit itself.
 
   # The Gerrit WAR is specified as a url like 'http://tarballs.openstack.org/ci/gerrit-2.2.2-363-gd0a67ce.war'
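Review bot: The private key resource `file { $ssl_key_file: ... }` is given the same `mode => '0640'` as the public cert and chain; with owner and group both root the group-read bit buys nothing, and `mode => '0600'` is the conventional setting for key material. Puppet also prints a content diff when a managed file changes, which would put the key into agent logs and reports on every rotation; `show_diff => false` on that resource suppresses it (if the Puppet version in use supports the attribute). A further gap: `$ssl_chain_file` defaults to `''` in this class but only `$ssl_chain_file_contents` is tested, so a caller who supplies chain contents without a path yields a `file` resource with an empty title and a compile error — guard with `if $ssl_chain_file_contents != '' and $ssl_chain_file != '' {` or fail with an explicit message. `before => Apache::Vhost[$vhost_name]` orders the files but nothing restarts Apache when a cert is replaced; whether a `notify` on the apache service is appropriate depends on the apache module, which is not visible here. The enclosing `gerrit` class continues past the end of this hunk.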
diff --git a/modules/openstack_project/manifests/gerrit.pp b/modules/openstack_project/manifests/gerrit.pp
index 06392a3df3..a7212b3a53 100644
--- a/modules/openstack_project/manifests/gerrit.pp
+++ b/modules/openstack_project/manifests/gerrit.pp
@@ -4,41 +4,44 @@
 # TODO: launchpadlib creds for user sync script
 
 class openstack_project::gerrit (
-      $vhost_name=$fqdn,
-      $canonicalweburl="https://$fqdn/",
-      $serveradmin='webmaster@openstack.org',
-      $ssh_host_key='/home/gerrit2/review_site/etc/ssh_host_rsa_key',
-      $ssl_cert_file='',
-      $ssl_key_file='',
-      $ssl_chain_file='',
-      $email='',
-      $database_poollimit='',
-      $container_heaplimit='',
-      $core_packedgitopenfiles='',
-      $core_packedgitlimit='',
-      $core_packedgitwindowsize='',
-      $sshd_threads='',
-      $httpd_acceptorthreads='',
-      $httpd_minthreads='',
-      $httpd_maxthreads='',
-      $httpd_maxwait='',
-      $war,
-      $contactstore=false,
-      $contactstore_appsec='',
-      $contactstore_pubkey='',
-      $contactstore_url='',
-      $script_user='update',
-      $script_key_file='/home/gerrit2/.ssh/id_rsa',
-      $script_logging_conf='/home/gerrit2/.sync_logging.conf',
-      $projects_file='UNDEF',
-      $github_username,
-      $github_oauth_token,
-      $mysql_password,
-      $mysql_root_password,
-      $trivial_rebase_role_id,
-      $email_private_key,
-      $testmode=false,
-      $sysadmins=[]
+  $vhost_name=$fqdn,
+  $canonicalweburl="https://$fqdn/",
+  $serveradmin='webmaster@openstack.org',
+  $ssh_host_key='/home/gerrit2/review_site/etc/ssh_host_rsa_key',
+  $ssl_cert_file='',
+  $ssl_key_file='',
+  $ssl_chain_file='',
+  $ssl_cert_file_contents='',
+  $ssl_key_file_contents='',
+  $ssl_chain_file_contents='',
+  $email='',
+  $database_poollimit='',
+  $container_heaplimit='',
+  $core_packedgitopenfiles='',
+  $core_packedgitlimit='',
+  $core_packedgitwindowsize='',
+  $sshd_threads='',
+  $httpd_acceptorthreads='',
+  $httpd_minthreads='',
+  $httpd_maxthreads='',
+  $httpd_maxwait='',
+  $war,
+  $contactstore=false,
+  $contactstore_appsec='',
+  $contactstore_pubkey='',
+  $contactstore_url='',
+  $script_user='update',
+  $script_key_file='/home/gerrit2/.ssh/id_rsa',
+  $script_logging_conf='/home/gerrit2/.sync_logging.conf',
+  $projects_file='UNDEF',
+  $github_username,
+  $github_oauth_token,
+  $mysql_password,
+  $mysql_root_password,
+  $trivial_rebase_role_id,
+  $email_private_key,
+  $testmode=false,
+  $sysadmins=[]
 ) {
   class { 'openstack_project::server':
     iptables_public_tcp_ports => [80, 443, 29418],
@@ -46,51 +49,55 @@ class openstack_project::gerrit (
   }
 
   class { '::gerrit':
-    vhost_name => $vhost_name,
-    canonicalweburl => $canonicalweburl,
+    vhost_name               => $vhost_name,
+    canonicalweburl          => $canonicalweburl,
     # opinions
-    enable_melody => 'true',
-    melody_session => 'true',
+    enable_melody            => 'true',
+    melody_session           => 'true',
     # passthrough
-    ssl_cert_file => $ssl_cert_file,
-    ssl_key_file => $ssl_key_file,
-    ssl_chain_file => $ssl_chain_file,
-    email => $email,
-    openidssourl => "https://login.launchpad.net/+openid",
-    database_poollimit => $database_poollimit,
-    container_heaplimit => $container_heaplimit,
-    core_packedgitopenfiles => $core_packedgitopenfiles,
-    core_packedgitlimit => $core_packedgitlimit,
+    ssl_cert_file            => $ssl_cert_file,
+    ssl_key_file             => $ssl_key_file,
+    ssl_chain_file           => $ssl_chain_file,
+    ssl_cert_file_contents   => $ssl_cert_file_contents,
+    ssl_key_file_contents    => $ssl_key_file_contents,
+    ssl_chain_file_contents  => $ssl_chain_file_contents,
+    email                    => $email,
+    openidssourl             => "https://login.launchpad.net/+openid",
+    database_poollimit       => $database_poollimit,
+    container_heaplimit      => $container_heaplimit,
+    core_packedgitopenfiles  => $core_packedgitopenfiles,
+    core_packedgitlimit      => $core_packedgitlimit,
     core_packedgitwindowsize => $core_packedgitwindowsize,
-    sshd_threads => $sshd_threads,
-    httpd_acceptorthreads => $httpd_acceptorthreads,
-    httpd_minthreads => $httpd_minthreads,
-    httpd_maxthreads => $httpd_maxthreads,
-    httpd_maxwait => $httpd_maxwait,
-    commentlinks => [ { name => 'changeid',
-                        match => '(I[0-9a-f]{8,40})',
-                        link => '#q,$1,n,z' },
-
-                      { name => 'launchpad',
-                        match => '([Bb]ug|[Ll][Pp])[\\s#:]*(\\d+)',
-                        link => 'https://code.launchpad.net/bugs/$2' },
-
-                      { name => 'blueprint',
-                       match => '([Bb]lue[Pp]rint|[Bb][Pp])[\\s#:]*([A-Za-z0-9\\-]+)',
-                       link => 'https://blueprints.launchpad.net/openstack/?searchtext=$2' },
-                  ],
-    war => $war,
-    contactstore => $contactstore,
-    contactstore_appsec => $contactstore_appsec,
-    contactstore_pubkey => $contactstore_pubkey,
-    contactstore_url => $contactstore_url,
-    mysql_password => $mysql_password,
-    mysql_root_password => $mysql_root_password,
-    email_private_key => $email_private_key,
-    projects_file => $projects_file,
-    replicate_github => true,
-    testmode => $testmode,
-    require => Class[openstack_project::server],
+    sshd_threads             => $sshd_threads,
+    httpd_acceptorthreads    => $httpd_acceptorthreads,
+    httpd_minthreads         => $httpd_minthreads,
+    httpd_maxthreads         => $httpd_maxthreads,
+    httpd_maxwait            => $httpd_maxwait,
+    commentlinks             => [{ name  => 'changeid',
+                                   match => '(I[0-9a-f]{8,40})',
+                                   link => '#q,$1,n,z'
+                                 },
+                                 { name  => 'launchpad',
+                                   match => '([Bb]ug|[Ll][Pp])[\\s#:]*(\\d+)',
+                                   link  => 'https://code.launchpad.net/bugs/$2'
+                                 },
+                                 { name  => 'blueprint',
+                                   match => '([Bb]lue[Pp]rint|[Bb][Pp])[\\s#:]*([A-Za-z0-9\\-]+)',
+                                   link => 'https://blueprints.launchpad.net/openstack/?searchtext=$2'
+                                 },
+                                ],
+    war                      => $war,
+    contactstore             => $contactstore,
+    contactstore_appsec      => $contactstore_appsec,
+    contactstore_pubkey      => $contactstore_pubkey,
+    contactstore_url         => $contactstore_url,
+    mysql_password           => $mysql_password,
+    mysql_root_password      => $mysql_root_password,
+    email_private_key        => $email_private_key,
+    projects_file            => $projects_file,
+    replicate_github         => true,
+    testmode                 => $testmode,
+    require                  => Class[openstack_project::server],
   }
   if ($testmode == false) {
     class { 'gerrit::cron':
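Review bot: Two of the rewritten `commentlinks` entries are not aligned the way the commit message says touched sections were: `link => '#q,$1,n,z'` in the changeid entry and `link => 'https://blueprints.launchpad.net/openstack/?searchtext=$2'` in the blueprint entry have a single space before `=>`, while `match =>` beside them and the launchpad entry's `link  =>` have two. Changing both to `link  => ...` keeps puppet-lint's arrow-alignment check quiet and avoids a follow-up whitespace commit. The `gerrit::cron` declaration and the rest of the class body continue past the end of this hunk.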
diff --git a/modules/openstack_project/manifests/review.pp b/modules/openstack_project/manifests/review.pp
index 5f1b8894c7..a8d8565432 100644
--- a/modules/openstack_project/manifests/review.pp
+++ b/modules/openstack_project/manifests/review.pp
@@ -30,32 +30,38 @@ class openstack_project::review (
   $mysql_root_password,
   $email_private_key,
   $gerritbot_password,
+  $ssl_cert_file_contents = '',
+  $ssl_key_file_contents = '',
+  $ssl_chain_file_contents = '',
   $sysadmins = []
 ) {
   class { 'openstack_project::gerrit':
-    ssl_cert_file => '/etc/ssl/certs/review.openstack.org.pem',
-    ssl_key_file => '/etc/ssl/private/review.openstack.org.key',
-    ssl_chain_file => '/etc/ssl/certs/intermediate.pem',
-    email => 'review@openstack.org',
-    database_poollimit => '150',    # 1 + 100 + 9 + 2 + 2 + 25 = 139(rounded up)
-    container_heaplimit => '8g',
-    core_packedgitopenfiles => '4096',
-    core_packedgitlimit => '400m',
+    ssl_cert_file            => '/etc/ssl/certs/review.openstack.org.pem',
+    ssl_key_file             => '/etc/ssl/private/review.openstack.org.key',
+    ssl_chain_file           => '/etc/ssl/certs/intermediate.pem',
+    ssl_cert_file_contents   => $ssl_cert_file_contents,
+    ssl_key_file_contents    => $ssl_key_file_contents,
+    ssl_chain_file_contents  => $ssl_chain_file_contents,
+    email                    => 'review@openstack.org',
+    database_poollimit       => '150',    # 1 + 100 + 9 + 2 + 2 + 25 = 139(rounded up)
+    container_heaplimit      => '8g',
+    core_packedgitopenfiles  => '4096',
+    core_packedgitlimit      => '400m',
     core_packedgitwindowsize => '16k',
-    sshd_threads => '100',
-    httpd_maxwait => '5000min',
-    war => 'http://tarballs.openstack.org/ci/gerrit-2.4.2-11-gb5a28fb.war',
-    script_user => 'launchpadsync',
-    script_key_file => '/home/gerrit2/.ssh/launchpadsync_rsa',
-    script_logging_conf => '/home/gerrit2/.sync_logging.conf',
-    projects_file => 'puppet:///openstack_project/review.projects.yaml',
-    github_username => 'openstack-gerrit',
-    github_oauth_token => $github_oauth_token,
-    mysql_password => $mysql_password,
-    mysql_root_password => $mysql_root_password,
-    trivial_rebase_role_id => 'trivial-rebase@review.openstack.org',
-    email_private_key => $email_private_key,
-    sysadmins => $sysadmins
+    sshd_threads             => '100',
+    httpd_maxwait            => '5000min',
+    war                      => 'http://tarballs.openstack.org/ci/gerrit-2.4.2-11-gb5a28fb.war',
+    script_user              => 'launchpadsync',
+    script_key_file          => '/home/gerrit2/.ssh/launchpadsync_rsa',
+    script_logging_conf      => '/home/gerrit2/.sync_logging.conf',
+    projects_file            => 'puppet:///openstack_project/review.projects.yaml',
+    github_username          => 'openstack-gerrit',
+    github_oauth_token       => $github_oauth_token,
+    mysql_password           => $mysql_password,
+    mysql_root_password      => $mysql_root_password,
+    trivial_rebase_role_id   => 'trivial-rebase@review.openstack.org',
+    email_private_key        => $email_private_key,
+    sysadmins                => $sysadmins
   }
   class { 'gerritbot':
     nick => 'openstackgerrit',
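Review bot: The new parameters `$ssl_cert_file_contents = ''`, `$ssl_key_file_contents = ''` and `$ssl_chain_file_contents = ''` are undocumented in this class, while the paths they pair with remain hard-coded a few lines below, so a reader of review.pp alone cannot tell that an empty value means the existing file on disk is left untouched. A trailing comment on each, e.g. `$ssl_cert_file_contents = '', # '' means Puppet does not manage the file`, using the same wording as gerrit/manifests/init.pp, would make the contract visible at this layer too. The class header and the remainder of the body are outside this hunk.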