diff --git a/manifests/site.pp b/manifests/site.pp
index 4cf935c984..7da4da86a9 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -288,8 +288,11 @@ node /^elasticsearch\d*\.openstack\.org$/ {
# A CentOS machine to run cgit and git daemon.
node 'git.openstack.org' {
class { 'openstack_project::git':
- sysadmins => hiera('sysadmins'),
- git_gerrit_ssh_key => hiera('gerrit_ssh_rsa_pubkey_contents'),
+ sysadmins => hiera('sysadmins'),
+ git_gerrit_ssh_key => hiera('gerrit_ssh_rsa_pubkey_contents'),
+ ssl_cert_file_contents => hiera('git_ssl_cert_file_contents'),
+ ssl_key_file_contents => hiera('git_ssl_key_file_contents'),
+ ssl_chain_file_contents => hiera('git_ssl_chain_file_contents'),
}
}
diff --git a/modules/cgit/files/cgit.conf b/modules/cgit/files/cgit.conf
deleted file mode 100644
index 3ca820f689..0000000000
--- a/modules/cgit/files/cgit.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-Alias /cgit-data /usr/share/cgit
-ScriptAlias /cgit /var/www/cgi-bin/cgit
-RewriteEngine On
-RewriteRule ^/$ /cgit [R]
diff --git a/modules/cgit/manifests/init.pp b/modules/cgit/manifests/init.pp
index 5279a31df2..9215a861ec 100644
--- a/modules/cgit/manifests/init.pp
+++ b/modules/cgit/manifests/init.pp
@@ -14,7 +14,16 @@
#
# Class: cgit
#
-class cgit {
+class cgit(
+ $vhost_name = $::fqdn,
+ $serveradmin = "webmaster@${::fqdn}",
+ $ssl_cert_file = '',
+ $ssl_key_file = '',
+ $ssl_chain_file = '',
+ $ssl_cert_file_contents = '', # If left empty puppet will not create file.
+ $ssl_key_file_contents = '', # If left empty puppet will not create file.
+ $ssl_chain_file_contents = '', # If left empty puppet will not create file.
+) {
include apache
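Review bot: The new `ssl_cert_file` and `ssl_key_file` parameters default to `''`, yet the vhost this class declares is always SSL and the template writes `SSLCertificateFile` and `SSLCertificateKeyFile` unconditionally, so a plain `include cgit` would render those directives with empty paths. Either drop the defaults so the parameters are mandatory, or guard at the top of the class with `if $ssl_cert_file == '' or $ssl_key_file == '' { fail('cgit: ssl_cert_file and ssl_key_file must be set') }`. The `*_contents` branches added further down have the same gap: contents given without a path would declare `file { '': }`. The class body continues outside this hunk.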
@@ -66,10 +75,12 @@ class cgit {
value => on
}
- file { '/etc/httpd/conf.d/cgit.conf':
- ensure => present,
- source => 'puppet:///modules/cgit/cgit.conf',
- mode => '0644'
+ apache::vhost { $vhost_name:
+ port => 443,
+ docroot => 'MEANINGLESS ARGUMENT',
+ priority => '50',
+ template => 'cgit/git.vhost.erb',
+ ssl => true,
}
file { '/etc/xinetd.d/git':
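Review bot: Dropping the `file { '/etc/httpd/conf.d/cgit.conf': }` resource only stops managing it; on a host that already applied the old manifest the file stays on disk unless something else purges conf.d. Its server-level `Alias` and `ScriptAlias` lines would then sit beside the new vhost, and whether cgit stays reachable over plain HTTP depends on how Apache merges them with the port-80 redirect. Keeping the resource with `ensure => absent` for a transition period makes the cleanup explicit. A one-line comment on `docroot => 'MEANINGLESS ARGUMENT'`, saying the define requires a docroot but the custom template ignores it, would also help the next reader. The `file { '/etc/xinetd.d/git':` resource that follows continues outside the hunk.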
@@ -84,4 +95,34 @@ class cgit {
ensure => running,
subscribe => File['/etc/xinetd.d/git'],
}
+
+ if $ssl_cert_file_contents != '' {
+ file { $ssl_cert_file:
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ content => $ssl_cert_file_contents,
+ before => Apache::Vhost[$vhost_name],
+ }
+ }
+
+ if $ssl_key_file_contents != '' {
+ file { $ssl_key_file:
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ content => $ssl_key_file_contents,
+ before => Apache::Vhost[$vhost_name],
+ }
+ }
+
+ if $ssl_chain_file_contents != '' {
+ file { $ssl_chain_file:
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ content => $ssl_chain_file_contents,
+ before => Apache::Vhost[$vhost_name],
+ }
+ }
}
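Review bot: The private key at `$ssl_key_file` is written with `mode => '0640'`, the same as the certificate and chain; httpd normally reads the key as root at start-up, so `mode => '0600'` should be enough and does not depend on the group staying `root`. Because the key is passed through `content`, Puppet may print it in file diffs in agent logs and reports when it changes; if the Puppet version in use supports it, add `show_diff => false` to that resource. All three resources use `before => Apache::Vhost[$vhost_name]`, which orders them but does not reload httpd when a certificate is rotated; presumably a `notify` to the Apache service is wanted, with the service resource name confirmed against the apache module.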
diff --git a/modules/cgit/templates/git.vhost.erb b/modules/cgit/templates/git.vhost.erb
new file mode 100644
index 0000000000..91dc5eb1c2
--- /dev/null
+++ b/modules/cgit/templates/git.vhost.erb
@@ -0,0 +1,39 @@
+:80>
+ ServerName <%= scope.lookupvar("cgit::vhost_name") %>
+ ServerAdmin <%= scope.lookupvar("cgit::serveradmin") %>
+
+ ErrorLog ${APACHE_LOG_DIR}/git-error.log
+
+ LogLevel warn
+
+ CustomLog ${APACHE_LOG_DIR}/git-access.log combined
+
+ Redirect / https://<%= scope.lookupvar("cgit::vhost_name") %>/
+
+
+
+
+:443>
+ ServerName <%= scope.lookupvar("cgit::vhost_name") %>
+ ServerAdmin <%= scope.lookupvar("cgit::serveradmin") %>
+
+ Alias /cgit-data /usr/share/cgit
+ ScriptAlias /cgit /var/www/cgi-bin/cgit
+ RewriteEngine On
+ RewriteRule ^/$ /cgit [R]
+
+ ErrorLog ${APACHE_LOG_DIR}/git-error.log
+
+ LogLevel warn
+
+ CustomLog ${APACHE_LOG_DIR}/git-access.log combined
+
+ SSLEngine on
+
+ SSLCertificateFile <%= scope.lookupvar("cgit::ssl_cert_file") %>
+ SSLCertificateKeyFile <%= scope.lookupvar("cgit::ssl_key_file") %>
+<% if scope.lookupvar("cgit::ssl_chain_file") != "" %>
+ SSLCertificateChainFile <%= scope.lookupvar("cgit::ssl_chain_file") %>
+<% end %>
+
+
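Review bot: `${APACHE_LOG_DIR}` in the `ErrorLog` and `CustomLog` lines is a variable that Debian's Apache packaging defines; the node comment in site.pp says this is a CentOS machine and the module writes under /etc/httpd, so it is probably undefined there and the log paths will not resolve. Use a path that is valid on that platform, for example `ErrorLog /var/log/httpd/git-error.log` (confirm the log directory). Separately, the 443 vhost sets only `SSLEngine on`; explicit `SSLProtocol` and `SSLCipherSuite` lines would keep the accepted protocol versions and ciphers from depending on the distribution's mod_ssl defaults.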
diff --git a/modules/openstack_project/files/git/cgitrc b/modules/openstack_project/files/git/cgitrc
index db14123036..937c7121cd 100644
--- a/modules/openstack_project/files/git/cgitrc
+++ b/modules/openstack_project/files/git/cgitrc
@@ -6,7 +6,7 @@
cache-size=0
# Specify some default clone prefixes
-clone-prefix=git://git.openstack.org http://git.openstack.org/cgit
+clone-prefix=git://git.openstack.org https://git.openstack.org/cgit
# Specify the css url
css=/cgit-data/cgit.css
diff --git a/modules/openstack_project/manifests/git.pp b/modules/openstack_project/manifests/git.pp
index 71bdd336a9..04d0197649 100644
--- a/modules/openstack_project/manifests/git.pp
+++ b/modules/openstack_project/manifests/git.pp
@@ -18,9 +18,12 @@
class openstack_project::git (
$sysadmins = [],
$git_gerrit_ssh_key = '',
+ $ssl_cert_file_contents = '',
+ $ssl_key_file_contents = '',
+ $ssl_chain_file_contents = '',
) {
class { 'openstack_project::server':
- iptables_public_tcp_ports => [80, 9418],
+ iptables_public_tcp_ports => [80, 443, 9418],
sysadmins => $sysadmins,
}
@@ -28,6 +31,15 @@ class openstack_project::git (
include jeepyb
include pip
+ class { 'cgit':
+ ssl_cert_file => '/etc/ssl/certs/git.openstack.org.pem',
+ ssl_key_file => '/etc/ssl/private/git.openstack.org.key',
+ ssl_chain_file => '/etc/ssl/certs/intermediate.pem',
+ ssl_cert_file_contents => $ssl_cert_file_contents,
+ ssl_key_file_contents => $ssl_key_file_contents,
+ ssl_chain_file_contents => $ssl_chain_file_contents,
+ }
+
# We don't actually use these, but jeepyb requires them.
$local_git_dir = '/var/lib/git'
$ssh_project_key = ''
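Review bot: The key path `/etc/ssl/private/git.openstack.org.key` follows the Debian layout; on the CentOS host named in site.pp `/etc/ssl/private` may not exist, and a `file` resource does not create parent directories, so the key resource in the cgit class could fail. Either manage the directory (`file { '/etc/ssl/private': ensure => directory, mode => '0700' }`) or use the platform's own TLS location; confirm which applies. `/etc/ssl/certs/intermediate.pem` is also a generic name that another vhost on the same host could overwrite, so a host-specific file name would be safer.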