diff --git a/manifests/builder.pp b/manifests/builder.pp
index 214e407..c0a87b0 100644
--- a/manifests/builder.pp
+++ b/manifests/builder.pp
@@ -26,6 +26,12 @@ class nodepool::builder(
$build_workers = '1',
$upload_workers = '4',
$zuulv3 = false,
+ $ssl_cert_file = '',
+ $ssl_cert_file_contents = '',
+ $ssl_chain_file = '',
+ $ssl_chain_file_contents = '',
+ $ssl_key_file = '',
+ $ssl_key_file_contents = '',
) {
# This requires custom packages which aren't build for arm64; if we
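Review bot: The six new parameters arrive undocumented, and the pairing rule they rely on is not stated anywhere in this hunk: a `*_file_contents` value is only useful when the matching `*_file` path is also set, since the path is what the later `file` resources and the vhost template consume. Suggest adding to the class's parameter documentation, for each pair, a comment along the lines of `# $ssl_key_file: path the private key is written to / referenced from; required when $ssl_key_file_contents is given`. Note also that `$ssl_key_file_contents` is private-key material passed as a plain string; if the module already targets a Puppet version with the `Sensitive` type, wrapping it would keep the key out of catalog and report output, but that depends on the supported Puppet range, which is not visible here. The enclosing class header starts before this hunk.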
@@ -110,11 +116,17 @@ class nodepool::builder(
if $enable_build_log_via_http == true {
include ::httpd
+ if $ssl_cert_file != '' {
+ $http_template = 'nodepool/nodepool-builder.vhost.erb'
+ } else {
+ $http_template = 'nodepool/nodepool-builder.ssl.vhost.erb'
+ }
+
::httpd::vhost { $vhost_name:
port => 80,
priority => '50',
docroot => 'MEANINGLESS_ARGUMENT',
- template => 'nodepool/nodepool-builder.vhost.erb',
+ template => $http_template,
}
if ! defined(Httpd::Mod['rewrite']) {
httpd::mod { 'rewrite': ensure => present }
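Review bot: The template selection is inverted: when `$ssl_cert_file` is non-empty the branch picks the plain `nodepool/nodepool-builder.vhost.erb`, and only the no-certificate case selects `nodepool/nodepool-builder.ssl.vhost.erb`, whose `SSLCertificateFile`/`SSLCertificateKeyFile` directives would then render with empty paths. The two assignments should be swapped: `$http_template = 'nodepool/nodepool-builder.ssl.vhost.erb'` in the `!= ''` branch and `$http_template = 'nodepool/nodepool-builder.vhost.erb'` in the `else`. Separately, the hunk ensures `rewrite` (and `proxy_http` below) are enabled but nothing here enables `ssl`, and the `httpd::vhost` resource still declares only `port => 80` while the SSL template defines a second listener; unless the `httpd` module loads mod_ssl and listens on 443 by default, the secure vhost will not come up. The surrounding `if $enable_build_log_via_http` block continues past the end of this hunk.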
@@ -125,6 +137,49 @@ class nodepool::builder(
if ! defined(Httpd::Mod['proxy_http']) {
httpd::mod { 'proxy_http': ensure => present }
}
+
+ file { '/etc/ssl/certs':
+ ensure => directory,
+ owner => 'root',
+ mode => '0755',
+ }
+
+ file { '/etc/ssl/private':
+ ensure => directory,
+ owner => 'root',
+ mode => '0700',
+ }
+
+ if $ssl_cert_file_contents != '' {
+ file { $ssl_cert_file:
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ content => $ssl_cert_file_contents,
+ before => Httpd::Vhost[$vhost_name],
+ }
+ }
+
+ if $ssl_key_file_contents != '' {
+ file { $ssl_key_file:
+ owner => 'root',
+ group => 'ssl-cert',
+ mode => '0640',
+ content => $ssl_key_file_contents,
+ require => Package['ssl-cert'],
+ before => Httpd::Vhost[$vhost_name],
+ }
+ }
+
+ if $ssl_chain_file_contents != '' {
+ file { $ssl_chain_file:
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ content => $ssl_chain_file_contents,
+ before => Httpd::Vhost[$vhost_name],
+ }
+ }
}
file { $build_log_document_root:
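Review bot: Each of the three `file` resources uses `$ssl_*_file` as its title but is gated only on the corresponding `*_contents` parameter, so supplying contents without a path yields an empty resource title and a catalog compile failure rather than a clear error; guard with e.g. `if $ssl_key_file_contents != '' and $ssl_key_file != '' {` (and likewise for cert and chain), or `fail()` with a message naming the missing parameter. The key resource also depends on `Package['ssl-cert']` for the `ssl-cert` group, but no such package resource is declared in this diff, so unless it is provided elsewhere in the module the catalog will fail on an unresolved dependency. The `0700` on `/etc/ssl/private` and `0640 root:ssl-cert` on the key follow the Debian convention and look right; the cert and chain files are world-unreadable at `0640 root:root`, which is harmless for Apache since they are read as root at startup. The enclosing `if $enable_build_log_via_http` block opens before this hunk.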
@@ -138,4 +193,6 @@ class nodepool::builder(
],
}
+
+
}
diff --git a/templates/nodepool-builder.ssl.vhost.erb b/templates/nodepool-builder.ssl.vhost.erb
new file mode 100644
index 0000000..ddfb090
--- /dev/null
+++ b/templates/nodepool-builder.ssl.vhost.erb
@@ -0,0 +1,59 @@
+
+ ServerName <%= scope.lookupvar("nodepool::builder::vhost_name") %>
+
+ ErrorLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/nodepool_error.log
+ LogLevel warn
+ CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/nodepool_access.log combined
+ ServerSignature Off
+
+ Redirect / https://<%= scope.lookupvar("nodepool::builder::vhost_name") %>/
+
+
+
+
+
+ ServerName <%= scope.lookupvar("nodepool::builder::vhost_name") %>
+
+ SSLEngine on
+
+ SSLCertificateFile <%= scope.lookupvar("nodepool::builder::ssl_cert_file") %>
+ SSLCertificateKeyFile <%= scope.lookupvar("nodepool::builder::ssl_key_file") %>
+ <% if scope.lookupvar("nodepool::builder::ssl_chain_file") != "" %>
+ SSLCertificateChainFile <%= scope.lookupvar("nodepool::builder::ssl_chain_file") %>
+ <% end %>
+
+ DocumentRoot <%= scope.lookupvar("nodepool::builder::build_log_document_root") %>
+ >
+ Options <%= scope.lookupvar("httpd::params::options") %>
+ AllowOverride None
+ Require all granted
+
+
+ # Allow access to image files
+ Alias /images /opt/nodepool_dib
+
+ Options <%= scope.lookupvar("httpd::params::options") %>
+ AllowOverride None
+ Require all granted
+ # Only allow access to the qcow2 files as they are smallest
+
+ Require all denied
+
+
+ # Exclude the dib build dir as well.
+
+ Require all denied
+
+
+ ErrorLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/nodepool_error.log
+ LogLevel warn
+ CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/nodepool_access.log combined
+ ServerSignature Off
+
+ AddType text/plain .log
+
+
+ SetOutputFilter DEFLATE
+
+
+
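Review bot: The 443 vhost enables `SSLEngine on` and sets certificate paths but nothing else, so protocol versions and cipher preferences are whatever the distribution's global mod_ssl configuration supplies, and the port-80 vhost that only issues `Redirect / https://...` sends no HSTS, so a first visit is still downgradable. Suggest adding to the SSL vhost `SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1`, `SSLHonorCipherOrder on`, and `Header always set Strict-Transport-Security "max-age=31536000"` (the last needs mod_headers enabled in the manifest). The `SSLCertificateKeyFile` line renders `nodepool::builder::ssl_key_file` unconditionally, so an empty key path produces a vhost that fails to load; that is the manifest's job to prevent, but worth a comment here stating the template assumes both cert and key paths are set. The container tags (`VirtualHost`, `Directory`, `FilesMatch`) do not survive in this rendering, so the scoping of the `Require all denied` blocks around `/opt/nodepool_dib` cannot be confirmed from what is visible.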