Enable SSL in groups-dev.openstack.org

Extend the Drupal vhost template with ssl capability, and
groups-dev.openstack.org now accepts the following hiera variables for
ssl setup:
- groups_dev_site_ssl_cert_file_contents: x509 certificate of vhost in pem format
- groups_dev_site_ssl_key_file_contents: rsa key of x509 certificate in pem format
- groups_dev_site_ssl_chain_file_contents: trusted chain of parent certificates (optional)

This patch is required for proper openstackid/oauth2 backref communication.

Change-Id: Ia148d1db743fc80bcb675c9ca2906333ef62eff8
Implements: blueprint groups-oauth2-authentication

manifests/init.pp

@@ -33,6 +33,15 @@
 # - site_alias: drush site alias name
 # - site_profile: installation profile to deploy
 #
+# SSL configuration:
+# - site_ssl_enabled: true if ssl is enabled (default: false)
+# - site_ssl_cert_file_contents: x509 certificate of vhost in pem format
+# - site_ssl_key_file_contents: rsa key of x509 certificate in pem format
+# - site_ssl_chain_file_contents: root ca's of site ssl cert
+# - site_ssl_cert_file: file path of x509 certificate
+# - site_ssl_key_file: file path of certificate rsa key
+# - site_ssl_chain_file: file path of certificate chain
+#
 # Mysql connection:
 # - mysql_user: mysql user of drupal site
 # - mysql_password: password of site user
@@ -66,6 +75,12 @@ class drupal (
   $site_create_database = false,
   $site_base_url = false,
   $site_file_owner = 'root',
+  $site_ssl_enabled = false,
+  $site_ssl_cert_file_contents = undef,
+  $site_ssl_key_file_contents = undef,
+  $site_ssl_cert_file = '',
+  $site_ssl_key_file = '',
+  $site_ssl_chain_file = '',
   $package_repository = undef,
   $package_branch = undef,
   $conf_cron_key = undef,
@@ -76,6 +91,45 @@ class drupal (
   include apache
   include pear
 
+  # ssl certificates
+  if $site_ssl_enabled == true {
+
+    include apache::ssl
+
+    # site x509 certificate
+    if $site_ssl_cert_file_contents != '' {
+      file { $site_ssl_cert_file:
+        owner   => 'root',
+        group   => 'root',
+        mode    => '0640',
+        content => $site_ssl_cert_file_contents,
+        before  => Apache::Vhost[$site_name],
+      }
+    }
+
+    # site ssl key
+    if $site_ssl_key_file_contents != '' {
+      file { $site_ssl_key_file:
+        owner   => 'root',
+        group   => 'root',
+        mode    => '0640',
+        content => $site_ssl_key_file_contents,
+        before  => Apache::Vhost[$site_name],
+      }
+    }
+
+    # site ca certificates file
+    if $site_ssl_chain_file_contents != '' {
+      file { $site_ssl_chain_file:
+        owner   => 'root',
+        group   => 'root',
+        mode    => '0640',
+        content => $site_ssl_chain_file_contents,
+        before  => Apache::Vhost[$site_name],
+      }
+    }
+  }
+
   # setup apache and virtualhosts, enable mod rewrite
   file { $site_vhost_root:
     ensure => directory,

templates/drupal.vhost.erb

@@ -3,8 +3,23 @@
 # Managed by Puppet
 # ************************************
 
-NameVirtualHost <%= @vhost_name %>:<%= @port %>
-<VirtualHost <%= @vhost_name %>:<%= @port %>>
+NameVirtualHost <%= @vhost_name %>:80
+<VirtualHost <%= @vhost_name %>:80>
+<% if @site_ssl_enabled %>
+  ServerName <%= @srvname %>
+  Redirect / https://<%= @srvname %>/
+</VirtualHost>
+
+NameVirtualHost <%= @vhost_name %>:443
+<VirtualHost <%= @vhost_name %>:443>
+  SSLEngine on
+  SSLProtocol All -SSLv2 -SSLv3
+  SSLCertificateFile      <%= @site_ssl_cert_file %>
+  SSLCertificateKeyFile   <%= @site_ssl_key_file %>
+<% if @site_ssl_chain_file_contents != '' %>
+  SSLCertificateChainFile <%= @site_ssl_chain_file %>
+<% end %>
+<% end %>
   ServerName <%= @srvname %>
 <% if @serveraliases.is_a? Array -%>
 <% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%>