Add SSL support in builder
We wish to export the build logs and artifacts via https; not so much for any security reasons but for transparent-proxy-busting effects. Add SSL arguments and a template that redirects 80->443 for hosts that pass in key contents.

Change-Id: I8a15333a7c662f3d32fa4045785498dafc87ad53
This commit is contained in:
parent
f4f6314397
commit
c1ca2795c2
@ -26,6 +26,12 @@ class nodepool::builder(
|
|||
$build_workers = '1',
|
||||
$upload_workers = '4',
|
||||
$zuulv3 = false,
|
||||
$ssl_cert_file = '',
|
||||
$ssl_cert_file_contents = '',
|
||||
$ssl_chain_file = '',
|
||||
$ssl_chain_file_contents = '',
|
||||
$ssl_key_file = '',
|
||||
$ssl_key_file_contents = '',
|
||||
) {
|
||||
|
||||
# This requires custom packages which aren't build for arm64; if we
|
||||
|
@ -110,11 +116,17 @@ class nodepool::builder(
|
|||
if $enable_build_log_via_http == true {
|
||||
include ::httpd
|
||||
|
||||
if $ssl_cert_file != '' {
|
||||
$http_template = 'nodepool/nodepool-builder.vhost.erb'
|
||||
} else {
|
||||
$http_template = 'nodepool/nodepool-builder.ssl.vhost.erb'
|
||||
}
|
||||
|
||||
::httpd::vhost { $vhost_name:
|
||||
port => 80,
|
||||
priority => '50',
|
||||
docroot => 'MEANINGLESS_ARGUMENT',
|
||||
template => 'nodepool/nodepool-builder.vhost.erb',
|
||||
template => $http_template,
|
||||
}
|
||||
if ! defined(Httpd::Mod['rewrite']) {
|
||||
httpd::mod { 'rewrite': ensure => present }
|
||||
|
@ -125,6 +137,49 @@ class nodepool::builder(
|
|||
if ! defined(Httpd::Mod['proxy_http']) {
|
||||
httpd::mod { 'proxy_http': ensure => present }
|
||||
}
|
||||
|
||||
file { '/etc/ssl/certs':
|
||||
ensure => directory,
|
||||
owner => 'root',
|
||||
mode => '0755',
|
||||
}
|
||||
|
||||
file { '/etc/ssl/private':
|
||||
ensure => directory,
|
||||
owner => 'root',
|
||||
mode => '0700',
|
||||
}
|
||||
|
||||
if $ssl_cert_file_contents != '' {
|
||||
file { $ssl_cert_file:
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0640',
|
||||
content => $ssl_cert_file_contents,
|
||||
before => Httpd::Vhost[$vhost_name],
|
||||
}
|
||||
}
|
||||
|
||||
if $ssl_key_file_contents != '' {
|
||||
file { $ssl_key_file:
|
||||
owner => 'root',
|
||||
group => 'ssl-cert',
|
||||
mode => '0640',
|
||||
content => $ssl_key_file_contents,
|
||||
require => Package['ssl-cert'],
|
||||
before => Httpd::Vhost[$vhost_name],
|
||||
}
|
||||
}
|
||||
|
||||
if $ssl_chain_file_contents != '' {
|
||||
file { $ssl_chain_file:
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0640',
|
||||
content => $ssl_chain_file_contents,
|
||||
before => Httpd::Vhost[$vhost_name],
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
file { $build_log_document_root:
|
||||
|
@ -138,4 +193,6 @@ class nodepool::builder(
|
|||
],
|
||||
}
|
||||
|
||||
|
||||
|
||||
}
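Review bot: The template selection in the second hunk is inverted: when `$ssl_cert_file` is non-empty it picks `nodepool/nodepool-builder.vhost.erb` (the plain-HTTP template) and only falls back to `nodepool-builder.ssl.vhost.erb` when no cert is configured, so hosts that supply certificates never get the 443 vhost while hosts without one render `SSLCertificateFile`/`SSLCertificateKeyFile` directives with empty values. Swap the two assignments: `if $ssl_cert_file != '' { $http_template = 'nodepool/nodepool-builder.ssl.vhost.erb' } else { $http_template = 'nodepool/nodepool-builder.vhost.erb' }`. The hunk enables `rewrite` and `proxy_http` explicitly but nothing enables an `ssl` module or declares port 443 on the `httpd::vhost` resource, so whether the template's `*:443` block gets a matching `Listen 443` and a loaded mod_ssl depends on the httpd module and should be confirmed. Separately, the `file { $ssl_key_file: … }` resource writes private-key material and should carry `show_diff => false` so the key is not echoed into agent output and reports when it changes, and `Package['ssl-cert']` is required there but not declared anywhere in this diff. The enclosing `nodepool::builder` class starts before the first hunk.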
|
||||
|
@ -0,0 +1,59 @@
|
|||
<VirtualHost *:80>
|
||||
ServerName <%= scope.lookupvar("nodepool::builder::vhost_name") %>
|
||||
|
||||
ErrorLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/nodepool_error.log
|
||||
LogLevel warn
|
||||
CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/nodepool_access.log combined
|
||||
ServerSignature Off
|
||||
|
||||
Redirect / https://<%= scope.lookupvar("nodepool::builder::vhost_name") %>/
|
||||
|
||||
</VirtualHost>
|
||||
|
||||
|
||||
<VirtualHost *:443>
|
||||
ServerName <%= scope.lookupvar("nodepool::builder::vhost_name") %>
|
||||
|
||||
SSLEngine on
|
||||
|
||||
SSLCertificateFile <%= scope.lookupvar("nodepool::builder::ssl_cert_file") %>
|
||||
SSLCertificateKeyFile <%= scope.lookupvar("nodepool::builder::ssl_key_file") %>
|
||||
<% if scope.lookupvar("nodepool::builder::ssl_chain_file") != "" %>
|
||||
SSLCertificateChainFile <%= scope.lookupvar("nodepool::builder::ssl_chain_file") %>
|
||||
<% end %>
|
||||
|
||||
DocumentRoot <%= scope.lookupvar("nodepool::builder::build_log_document_root") %>
|
||||
<Directory <%= scope.lookupvar("nodepool::builder::build_log_document_root") %>>
|
||||
Options <%= scope.lookupvar("httpd::params::options") %>
|
||||
AllowOverride None
|
||||
Require all granted
|
||||
</Directory>
|
||||
|
||||
# Allow access to image files
|
||||
Alias /images /opt/nodepool_dib
|
||||
<Directory /opt/nodepool_dib>
|
||||
Options <%= scope.lookupvar("httpd::params::options") %>
|
||||
AllowOverride None
|
||||
Require all granted
|
||||
# Only allow access to the qcow2 files as they are smallest
|
||||
<FilesMatch ".+\.(vhd|raw)(\.(md5|sha256))?$">
|
||||
Require all denied
|
||||
</FilesMatch>
|
||||
</Directory>
|
||||
# Exclude the dib build dir as well.
|
||||
<Directory /opt/nodepool_dib/*.d/>
|
||||
Require all denied
|
||||
</Directory>
|
||||
|
||||
ErrorLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/nodepool_error.log
|
||||
LogLevel warn
|
||||
CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/nodepool_access.log combined
|
||||
ServerSignature Off
|
||||
|
||||
AddType text/plain .log
|
||||
|
||||
<IfModule mod_deflate.c>
|
||||
SetOutputFilter DEFLATE
|
||||
</IfModule>
|
||||
|
||||
</VirtualHost>
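Review bot: The `*:443` vhost sets `SSLEngine on` and the certificate paths but no `SSLProtocol`, `SSLCipherSuite` or `SSLHonorCipherOrder`, so the TLS configuration is whatever the distro's mod_ssl defaults happen to be; on older Apache/OpenSSL builds that can still include SSLv3 and weak ciphers. Even though the commit message says this is for proxy-busting rather than security, adding `SSLProtocol all -SSLv2 -SSLv3` and `SSLHonorCipherOrder on` directly under `SSLEngine on` costs nothing and avoids shipping a deliberately weak endpoint. The port-80 `Redirect / https://…/` is a 302 by default; `Redirect permanent / https://<%= scope.lookupvar("nodepool::builder::vhost_name") %>/` lets clients and proxies cache the upgrade. The `DocumentRoot`, `/images` alias and deny rules appear to duplicate what the plain vhost template presumably carries, so a header comment such as `# Keep the content sections below in sync with nodepool-builder.vhost.erb` would help whoever edits one of them later.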
|