diff --git a/manifests/site.pp b/manifests/site.pp index be2c61b130..94cdecdba9 100644 --- a/manifests/site.pp +++ b/manifests/site.pp @@ -549,16 +549,16 @@ node 'static.openstack.org' { sysadmins => hiera('sysadmins', []), } class { 'openstack_project::static': - project_config_repo => 'https://git.openstack.org/openstack-infra/project-config', - swift_authurl => 'https://identity.api.rackspacecloud.com/v2.0/', - swift_user => 'infra-files-ro', - swift_key => hiera('infra_files_ro_password', 'XXX'), - swift_tenant_name => hiera('infra_files_tenant_name', 'tenantname'), - swift_region_name => 'DFW', - swift_default_container => 'infra-files', - security_ssl_cert_file_contents => hiera('security_ssl_cert_file_contents', 'XXX'), - security_ssl_key_file_contents => hiera('security_ssl_key_file_contents', 'XXX'), - security_ssl_chain_file_contents => hiera('security_ssl_chain_file_contents', 'XXX'), + project_config_repo => 'https://git.openstack.org/openstack-infra/project-config', + swift_authurl => 'https://identity.api.rackspacecloud.com/v2.0/', + swift_user => 'infra-files-ro', + swift_key => hiera('infra_files_ro_password', 'XXX'), + swift_tenant_name => hiera('infra_files_tenant_name', 'tenantname'), + swift_region_name => 'DFW', + swift_default_container => 'infra-files', + ssl_cert_file_contents => hiera('static_ssl_cert_file_contents', 'XXX'), + ssl_key_file_contents => hiera('static_ssl_key_file_contents', 'XXX'), + ssl_chain_file_contents => hiera('static_ssl_chain_file_contents', 'XXX'), } } diff --git a/modules/openstack_project/manifests/static.pp b/modules/openstack_project/manifests/static.pp index 35c791df62..f1567eba7b 100644 --- a/modules/openstack_project/manifests/static.pp +++ b/modules/openstack_project/manifests/static.pp 
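Review bot: The hiera keys feeding the certificate, key and chain contents are renamed from `security_ssl_*_file_contents` to `static_ssl_*_file_contents` while the `'XXX'` fallback default is kept, so until the private hiera data is migrated to the new names the catalog compiles cleanly, `openstack_project::static` treats the literal string XXX as non-empty contents and writes it to the cert and key files, and the failure only surfaces when Apache refuses to start. Migrating the hiera data before this merges, or dropping the fallback for the key (e.g. `swift_key`-style lookups without a default) so a missing secret fails at compile time, would make the cutover fail loudly rather than deploy a bogus key. The `class { 'openstack_project::static': ... }` declaration is shown whole, but the enclosing `node 'static.openstack.org'` block begins outside the hunk.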
@@ -8,9 +8,12 @@ class openstack_project::static (
 $swift_region_name = '',
 $swift_default_container = '',
 $project_config_repo = '',
- $security_ssl_cert_file_contents = '',
- $security_ssl_key_file_contents = '',
- $security_ssl_chain_file_contents = '',
+ $ssl_cert_file = '',
+ $ssl_cert_file_contents = '',
+ $ssl_key_file = '',
+ $ssl_key_file_contents = '',
+ $ssl_chain_file = '',
+ $ssl_chain_file_contents = '',
 $jenkins_gitfullname = 'OpenStack Jenkins',
 $jenkins_gitemail = 'jenkins@openstack.org',
 ) {
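Review bot: The six new `$ssl_*` parameters are added to the class signature with no documentation at the header; the three-way pairing semantics (both empty means the ssl-cert snakeoil pair, only `$ssl_*_file` set means use an existing file, `$ssl_*_file_contents` set means puppet manages the file) are only explained in comments deep in the class body. A short comment above the parameter list, e.g. `# $ssl_cert_file / $ssl_cert_file_contents: leave both empty for the snakeoil pair, set only the path to use an existing file, set contents to have puppet write it (same for key and chain)`, would let a caller in site.pp choose the right combination without reading the body, and it should state that `$ssl_key_file_contents` is private key material that ends up in the compiled catalog. The class signature begins on the line before this hunk and the class body continues past it.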
@@ -44,6 +47,98 @@ class openstack_project::static ( } } + file { '/etc/ssl/certs': + ensure => directory, + owner => 'root', + group => 'root', + mode => '0755', + } + + file { '/etc/ssl/private': + ensure => directory, + owner => 'root', + group => 'root', + mode => '0700', + } + + # To use the standard ssl-certs package snakeoil certificate, leave both + # $ssl_cert_file and $ssl_cert_file_contents empty. To use an existing + # certificate, specify its path for $ssl_cert_file and leave + # $ssl_cert_file_contents empty. To manage the certificate with puppet, + # provide $ssl_cert_file_contents and optionally specify the path to use for + # it in $ssl_cert_file. + if ($ssl_cert_file == '') and ($ssl_cert_file_contents == '') { + $cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem' + } else { + if $ssl_cert_file == '' { + $cert_file = "/etc/ssl/certs/${::fqdn}.pem" + } else { + $cert_file = $ssl_cert_file + } + if $ssl_cert_file_contents != '' { + file { $cert_file: + ensure => present, + owner => 'root', + group => 'root', + mode => '0644', + content => $ssl_cert_file_contents, + require => File['/etc/ssl/certs'], + } + } + } + + # To use the standard ssl-certs package snakeoil key, leave both + # $ssl_key_file and $ssl_key_file_contents empty. To use an existing key, + # specify its path for $ssl_key_file and leave $ssl_key_file_contents empty. + # To manage the key with puppet, provide $ssl_key_file_contents and + # optionally specify the path to use for it in $ssl_key_file. 
+ if ($ssl_key_file == '') and ($ssl_key_file_contents == '') { + $key_file = '/etc/ssl/private/ssl-cert-snakeoil.key' + } else { + if $ssl_key_file == '' { + $key_file = "/etc/ssl/private/${::fqdn}.key" + } else { + $key_file = $ssl_key_file + } + if $ssl_key_file_contents != '' { + file { $key_file: + ensure => present, + owner => 'root', + group => 'root', + mode => '0600', + content => $ssl_key_file_contents, + require => File['/etc/ssl/private'], + } + } + } + + # To avoid using an intermediate certificate chain, leave both + # $ssl_chain_file and $ssl_chain_file_contents empty. To use an existing + # chain, specify its path for $ssl_chain_file and leave + # $ssl_chain_file_contents empty. To manage the chain with puppet, provide + # $ssl_chain_file_contents and optionally specify the path to use for it in + # $ssl_chain_file. + if ($ssl_chain_file == '') and ($ssl_chain_file_contents == '') { + $chain_file = '' + } else { + if $ssl_chain_file == '' { + $chain_file = "/etc/ssl/certs/${::fqdn}_intermediate.pem" + } else { + $chain_file = $ssl_chain_file + } + if $ssl_chain_file_contents != '' { + file { $chain_file: + ensure => present, + owner => 'root', + group => 'root', + mode => '0644', + content => $ssl_chain_file_contents, + require => File['/etc/ssl/certs'], + before => File[$cert_file], + } + } + } + ########################################################### # Tarballs @@ -120,7 +215,11 @@ class openstack_project::static ( ssl => true, template => 'openstack_project/security.vhost.erb', vhost_name => 'security.openstack.org', - require => File['/srv/static/security'], + require => [ + File['/srv/static/security'], + File[$cert_file], + File[$key_file], + ], } file { '/srv/static/security': 
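Review bot: The `file { $key_file: ... content => $ssl_key_file_contents }` resource writes private key material without `show_diff => false`, so whenever the contents change the agent report and log carry a diff of the old and new key; adding `show_diff => false,` to that resource (and for symmetry to the cert and chain resources) keeps the key out of reports. Separately, the chain block's `before => File[$cert_file]` is evaluated whenever `$ssl_chain_file_contents` is set, but `File[$cert_file]` is only declared in this hunk when `$ssl_cert_file_contents` is also set; an existing cert path combined with a puppet-managed chain therefore references an undeclared resource and the catalog would presumably fail to compile, unless that file is declared by another class. Guarding that `before` on `$ssl_cert_file_contents != ''`, or dropping it, avoids the dangling edge. The hunk sits inside the body of `openstack_project::static`, whose signature and closing brace are outside it.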
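Review bot: `require => [ File['/srv/static/security'], File[$cert_file], File[$key_file], ]` on the vhost assumes both `File[$cert_file]` and `File[$key_file]` exist in the catalog, but the new conditionals declare them only when the matching `*_contents` parameter is non-empty; in the snakeoil default and in the existing-path mode no such resource is declared in this diff, so the dependency would be unresolvable at compile time unless those files are managed elsewhere. The removed resources expressed the ordering from the other side with `before => Httpd::Vhost['security.openstack.org'],` inside the resource body, which is only evaluated when the resource is actually declared; putting that line back into the three conditional `file { ... }` bodies and keeping only `File['/srv/static/security']` in the vhost's `require` restores the ordering without the dangling reference. The `httpd::vhost` resource this `require` belongs to starts above the hunk.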
@@ -130,48 +229,15 @@ class openstack_project::static ( require => User['jenkins'], } - file { '/etc/ssl/certs': - ensure => directory, - owner => 'root', - group => 'root', - mode => '0755', - } - - file { '/etc/ssl/private': - ensure => directory, - owner => 'root', - group => 'root', - mode => '0700', - } - + #TODO(fungi) this cleanup can be removed once puppet has deleted them file { '/etc/ssl/certs/security.openstack.org.pem': - ensure => present, - owner => 'root', - group => 'root', - mode => '0644', - content => $security_ssl_cert_file_contents, - require => File['/etc/ssl/certs'], - before => Httpd::Vhost['security.openstack.org'], + ensure => absent, } - file { '/etc/ssl/private/security.openstack.org.key': - ensure => present, - owner => 'root', - group => 'root', - mode => '0600', - content => $security_ssl_key_file_contents, - require => File['/etc/ssl/private'], - before => Httpd::Vhost['security.openstack.org'], + ensure => absent, } - file { '/etc/ssl/certs/security.openstack.org_intermediate.pem': - ensure => present, - owner => 'root', - group => 'root', - mode => '0644', - content => $security_ssl_chain_file_contents, - require => File['/etc/ssl/certs'], - before => Httpd::Vhost['security.openstack.org'], + ensure => absent, } ########################################################### diff --git a/modules/openstack_project/templates/security.vhost.erb b/modules/openstack_project/templates/security.vhost.erb index 79464e450c..4b66589324 100644 --- a/modules/openstack_project/templates/security.vhost.erb +++ b/modules/openstack_project/templates/security.vhost.erb 
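Review bot: The three `ensure => absent` cleanups hard-code `/etc/ssl/certs/security.openstack.org.pem`, `/etc/ssl/private/security.openstack.org.key` and the `_intermediate.pem` path, which are also legal values for the new `$ssl_cert_file`, `$ssl_key_file` and `$ssl_chain_file` parameters; if a deployer points one of those at the old path, the catalog either fails with a duplicate `File` declaration (contents given) or silently removes the live key under the running vhost (existing-path mode). Wrapping each cleanup in a guard such as `if $key_file != '/etc/ssl/private/security.openstack.org.key' { ... }` (and likewise for the cert and chain paths) keeps the transition safe until the TODO is resolved. This hunk is inside `openstack_project::static`, which begins and ends outside it.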
@@ -23,9 +23,11 @@ # only is guarenteed. SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP SSLHonorCipherOrder on - SSLCertificateFile /etc/ssl/certs/<%= @vhost_name %>.pem - SSLCertificateKeyFile /etc/ssl/private/<%= @vhost_name %>.key - SSLCertificateChainFile /etc/ssl/certs/<%= @vhost_name %>_intermediate.pem + SSLCertificateFile <%= scope['openstack_project::static::cert_file'] %> + SSLCertificateKeyFile <%= scope['openstack_project::static::key_file'] %> +<% if scope['openstack_project::static::chain_file'] != '' %> + SSLCertificateChainFile <%= scope['openstack_project::static::chain_file'] %> +<% end %> > Allow from all Satisfy Any
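Review bot: `<% if scope['openstack_project::static::chain_file'] != '' %>` relies on the class always assigning `$chain_file` (the manifest sets it to `''` in the no-chain case), so the guard is correct only while this template is rendered from `openstack_project::static`; rendered from anywhere else the lookup would presumably yield nil, `nil != ''` is true, and Apache would receive an empty `SSLCertificateChainFile` directive and likely refuse to start. Comparing on the string form, `<% if scope['openstack_project::static::chain_file'].to_s != '' %>`, keeps the guard safe in both cases. Reading class-local variables through fully qualified `scope[...]` lookups also couples the vhost template to that class; passing the three paths as vhost template parameters would be the more conventional fix but is a larger change. The enclosing `<VirtualHost>` section of the template starts and ends outside the hunk.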