Split v2 and v3 web config

In v3, we need to be able to use some variables from zuul/web.pp in the
vhost template, but the vhost is created in ::zuul because of how v2
worked.

Split the config, and split where we're defining it so that in the next
patch we can make use of variables from zuul/web.pp.

Change-Id: I3e1c72bb773be050854f5563d09f6c19af8bc6dc
Depends-On: https://review.openstack.org/557085
Monty Taylor 2018-03-27 09:16:09 -05:00
parent ad7b7953d0
commit fa66845b5b
No known key found for this signature in database
GPG Key ID: 7BAE94BC7141A594
5 changed files with 280 additions and 139 deletions


@ -105,12 +105,6 @@ class zuul (
$pip_command = 'pip' $pip_command = 'pip'
} }
if ($zuul_tenant_name) {
$zuul_web_full_url = "${zuul_web_url}/${zuul_tenant_name}"
} else {
$zuul_web_full_url = $zuul_web_url
}
$packages = [ $packages = [
'libffi-dev', 'libffi-dev',
'libssl-dev', 'libssl-dev',
@ -513,12 +507,6 @@ class zuul (
mode => '0444', mode => '0444',
content => "PIDFILE=/var/run/zuul/merger.pid\n", content => "PIDFILE=/var/run/zuul/merger.pid\n",
} }
file { '/etc/default/zuul-web':
ensure => present,
mode => '0444',
content => "PIDFILE=/var/run/zuul/web.pid\n",
}
} }
file { '/etc/init.d/zuul': file { '/etc/init.d/zuul':
@ -566,50 +554,52 @@ class zuul (
notify => Class['zuul::systemd_reload'], notify => Class['zuul::systemd_reload'],
} }
if $proxy_ssl_cert_file_contents == '' { if ! $zuulv3 {
$ssl = false if $proxy_ssl_cert_file_contents == '' {
} else { $ssl = false
$ssl = true } else {
file { '/etc/ssl/certs': $ssl = true
ensure => directory, file { '/etc/ssl/certs':
owner => 'root', ensure => directory,
group => 'root', owner => 'root',
mode => '0755', group => 'root',
} mode => '0755',
file { '/etc/ssl/private': }
ensure => directory, file { '/etc/ssl/private':
owner => 'root', ensure => directory,
group => 'root', owner => 'root',
mode => '0700', group => 'root',
} mode => '0700',
file { "/etc/ssl/certs/${vhost_name}.pem": }
ensure => present, file { "/etc/ssl/certs/${vhost_name}.pem":
owner => 'root',
group => 'root',
mode => '0644',
content => $proxy_ssl_cert_file_contents,
require => File['/etc/ssl/certs'],
before => Httpd::Vhost[$vhost_name],
}
file { "/etc/ssl/private/${vhost_name}.key":
ensure => present,
owner => 'root',
group => 'root',
mode => '0600',
content => $proxy_ssl_key_file_contents,
require => File['/etc/ssl/private'],
before => Httpd::Vhost[$vhost_name],
}
if $proxy_ssl_chain_file_contents != '' {
file { "/etc/ssl/certs/${vhost_name}_intermediate.pem":
ensure => present, ensure => present,
owner => 'root', owner => 'root',
group => 'root', group => 'root',
mode => '0644', mode => '0644',
content => $proxy_ssl_chain_file_contents, content => $proxy_ssl_cert_file_contents,
require => File['/etc/ssl/certs'], require => File['/etc/ssl/certs'],
before => Httpd::Vhost[$vhost_name], before => Httpd::Vhost[$vhost_name],
} }
file { "/etc/ssl/private/${vhost_name}.key":
ensure => present,
owner => 'root',
group => 'root',
mode => '0600',
content => $proxy_ssl_key_file_contents,
require => File['/etc/ssl/private'],
before => Httpd::Vhost[$vhost_name],
}
if $proxy_ssl_chain_file_contents != '' {
file { "/etc/ssl/certs/${vhost_name}_intermediate.pem":
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $proxy_ssl_chain_file_contents,
require => File['/etc/ssl/certs'],
before => Httpd::Vhost[$vhost_name],
}
}
} }
} }
@ -625,47 +615,45 @@ class zuul (
} }
} }
::httpd::vhost { $vhost_name: if ! $zuulv3 {
port => 443, # Is required despite not being used. ::httpd::vhost { $vhost_name:
docroot => 'MEANINGLESS ARGUMENT', port => 443, # Is required despite not being used.
priority => '50', docroot => 'MEANINGLESS ARGUMENT',
ssl => $ssl, priority => '50',
template => 'zuul/zuul.vhost.erb', ssl => $ssl,
vhost_name => $vhost_name, template => 'zuul/zuul.vhost.erb',
} vhost_name => $vhost_name,
if ! defined(Httpd::Mod['rewrite']) {
httpd::mod { 'rewrite': ensure => present }
}
if ! defined(Httpd::Mod['proxy']) {
httpd::mod { 'proxy': ensure => present }
}
if ! defined(Httpd::Mod['proxy_http']) {
httpd::mod { 'proxy_http': ensure => present }
}
if ! defined(Httpd::Mod['cache']) {
httpd::mod { 'cache': ensure => present }
}
if ! defined(Httpd::Mod['cgid']) {
httpd::mod { 'cgid': ensure => present }
}
if !defined(Mod['proxy_wstunnel']) {
httpd::mod { 'proxy_wstunnel': ensure => present }
}
case $::lsbdistcodename {
'precise': {
if ! defined(Httpd::Mod['mem_cache']) {
httpd::mod { 'mem_cache': ensure => present }
}
if ! defined(Httpd::Mod['version']) {
httpd::mod { 'version': ensure => present }
}
} }
default: { if ! defined(Httpd::Mod['rewrite']) {
if ! defined(Httpd::Mod['cache_disk']) { httpd::mod { 'rewrite': ensure => present }
httpd::mod { 'cache_disk': ensure => present } }
if ! defined(Httpd::Mod['proxy']) {
httpd::mod { 'proxy': ensure => present }
}
if ! defined(Httpd::Mod['proxy_http']) {
httpd::mod { 'proxy_http': ensure => present }
}
if ! defined(Httpd::Mod['cache']) {
httpd::mod { 'cache': ensure => present }
}
if ! defined(Httpd::Mod['cgid']) {
httpd::mod { 'cgid': ensure => present }
}
case $::lsbdistcodename {
'precise': {
if ! defined(Httpd::Mod['mem_cache']) {
httpd::mod { 'mem_cache': ensure => present }
}
if ! defined(Httpd::Mod['version']) {
httpd::mod { 'version': ensure => present }
}
}
default: {
if ! defined(Httpd::Mod['cache_disk']) {
httpd::mod { 'cache_disk': ensure => present }
}
} }
} }
} }
} }
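Review bot: With the certificate block and the `::httpd::vhost` now wrapped in `if ! $zuulv3 {`, the `proxy_ssl_cert_file_contents`, `proxy_ssl_key_file_contents` and `proxy_ssl_chain_file_contents` parameters of `::zuul` are silently ignored on a v3 host. A deployment that still passes its certificates to `::zuul` would, as far as these hunks show, converge cleanly and end up with no TLS vhost at all. Consider making that visible, for example `if $zuulv3 and $proxy_ssl_cert_file_contents != '' { fail('pass ssl_cert_file_contents to ::zuul::web when zuulv3 is set') }`. A short comment above each `if ! $zuulv3 {` saying that the v3 vhost and its key material are managed in `zuul::web` would also help the next reader. The class body starts and ends outside these hunks.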


@ -35,6 +35,7 @@ class zuul::web (
enable => true, enable => true,
hasrestart => true, hasrestart => true,
require => [File['/etc/init.d/zuul-web'], require => [File['/etc/init.d/zuul-web'],
File['/etc/default/zuul-web'],
Class['zuul::systemd_reload']] Class['zuul::systemd_reload']]
} }
@ -78,6 +79,12 @@ class zuul::web (
require => Service['zuul-web'], require => Service['zuul-web'],
} }
file { '/etc/default/zuul-web':
ensure => present,
mode => '0444',
content => "PIDFILE=/var/run/zuul/web.pid\n",
}
if !defined(Package['curl']) { if !defined(Package['curl']) {
package { 'curl': package { 'curl':
ensure => present ensure => present
@ -97,10 +104,10 @@ class zuul::web (
# We are downloading this file at a location served by the vhost so that we # We are downloading this file at a location served by the vhost so that we
# can query it easily should the need arise. # can query it easily should the need arise.
# If the status.json is unavailable for download, no new files are created. # If the status.json is unavailable for download, no new files are created.
if $zuul::proxy_ssl_cert_file_contents != '' { if $ssl_cert_file_contents != '' {
$status = "https://${zuul::vhost_name}/status" $status = "https://${vhost_name}/status"
} else { } else {
$status = "http://${zuul::vhost_name}/status" $status = "http://${vhost_name}/status"
} }
cron { 'zuul_scheduler_status_backup': cron { 'zuul_scheduler_status_backup':
user => 'root', user => 'root',
@ -123,10 +130,59 @@ class zuul::web (
} }
} }
file { '/var/lib/zuul/www/static': if $ssl_cert_file_contents == '' {
ensure => absent, $use_ssl = false
} else {
$use_ssl = true
file { '/etc/ssl/certs':
ensure => directory,
owner => 'root',
group => 'root',
mode => '0755',
}
file { '/etc/ssl/private':
ensure => directory,
owner => 'root',
group => 'root',
mode => '0700',
}
file { "/etc/ssl/certs/${vhost_name}.pem":
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $ssl_cert_file_contents,
require => File['/etc/ssl/certs'],
before => Httpd::Vhost[$vhost_name],
}
file { "/etc/ssl/private/${vhost_name}.key":
ensure => present,
owner => 'root',
group => 'root',
mode => '0600',
content => $ssl_key_file_contents,
require => File['/etc/ssl/private'],
before => Httpd::Vhost[$vhost_name],
}
if $ssl_chain_file_contents != '' {
file { "/etc/ssl/certs/${vhost_name}_intermediate.pem":
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $ssl_chain_file_contents,
require => File['/etc/ssl/certs'],
before => Httpd::Vhost[$vhost_name],
}
}
} }
$web_url = "http://${web_listen_address}:${web_listen_port}"
if ($tenant_name) {
$zuul_web_full_url = "${web_url}/${tenant_name}"
} else {
$zuul_web_full_url = $web_url
}
$zuul_web_root = '/opt/zuul-web' $zuul_web_root = '/opt/zuul-web'
$zuul_web_content_root = '/opt/zuul-web/content' $zuul_web_content_root = '/opt/zuul-web/content'
$zuul_web_src_root = '/opt/zuul-web/source' $zuul_web_src_root = '/opt/zuul-web/source'
@ -199,4 +255,41 @@ class zuul::web (
subscribe => Exec['unpack-zuul-web'], subscribe => Exec['unpack-zuul-web'],
} }
::httpd::vhost { $vhost_name:
port => 80,
docroot => $zuul_web_content_root,
priority => '50',
ssl => false,
template => 'zuul/zuulv3.vhost.erb',
vhost_name => $vhost_name,
}
if $use_ssl {
::httpd::vhost { "${vhost_name}-ssl":
port => 443,
docroot => $zuul_web_content_root,
priority => '50',
ssl => true,
template => 'zuul/zuulv3.vhost.erb',
vhost_name => $vhost_name,
}
}
if ! defined(Httpd::Mod['rewrite']) {
httpd::mod { 'rewrite': ensure => present }
}
if ! defined(Httpd::Mod['proxy']) {
httpd::mod { 'proxy': ensure => present }
}
if ! defined(Httpd::Mod['proxy_http']) {
httpd::mod { 'proxy_http': ensure => present }
}
if ! defined(Httpd::Mod['cache']) {
httpd::mod { 'cache': ensure => present }
}
if !defined(Mod['proxy_wstunnel']) {
httpd::mod { 'proxy_wstunnel': ensure => present }
}
if ! defined(Httpd::Mod['cache_disk']) {
httpd::mod { 'cache_disk': ensure => present }
}
} }
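Review bot: The certificate, private key and intermediate-chain `file` resources added in the `$use_ssl` branch all carry `before => Httpd::Vhost[$vhost_name]`, which is the port 80 vhost. The vhost that actually references those paths is `"${vhost_name}-ssl"`, declared in the last hunk, so nothing orders the key material ahead of the TLS vhost. Pointing them at it would fix this: `before => Httpd::Vhost["${vhost_name}-ssl"],`. Separately, the `proxy_wstunnel` guard tests `Mod['proxy_wstunnel']` while every sibling guard tests `Httpd::Mod[...]`, so it does not appear to check the resource it then declares. `if ! defined(Httpd::Mod['proxy_wstunnel']) {` would match the others.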


@ -1,6 +1,4 @@
class { '::zuul': class { '::zuul':
proxy_ssl_cert_file_contents => file('/etc/ssl/certs/ssl-cert-snakeoil.pem'),
proxy_ssl_key_file_contents => file('/etc/ssl/private/ssl-cert-snakeoil.key'),
zuul_ssh_private_key => file('/tmp/zuul-ssh-keys/ssh_rsa_key'), zuul_ssh_private_key => file('/tmp/zuul-ssh-keys/ssh_rsa_key'),
zuulv3 => true, zuulv3 => true,
python_version => 3, python_version => 3,
@ -14,7 +12,12 @@ class { '::zuul::scheduler':
class { '::zuul::merger': } class { '::zuul::merger': }
class { '::zuul::executor': } class { '::zuul::executor': }
class { '::zuul::web': } class { '::zuul::web':
tenant_name => 'openstack',
ssl_cert_file_contents => file('/etc/ssl/certs/ssl-cert-snakeoil.pem'),
ssl_key_file_contents => file('/etc/ssl/private/ssl-cert-snakeoil.key'),
}
class { '::zuul::fingergw': } class { '::zuul::fingergw': }
class { '::zuul::known_hosts': class { '::zuul::known_hosts':


@ -1,15 +1,25 @@
<VirtualHost *:80> <VirtualHost *:80>
ServerName <%= @vhost_name %> ServerName <%= @vhost_name %>
ServerAdmin <%= @serveradmin %> ServerAdmin <%= @serveradmin %>
DocumentRoot /var/lib/zuul/www
<Directory /var/lib/zuul/www>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order deny,allow
Allow from all
</IfVersion>
</Directory>
<Directory /usr/lib/git-core> <Directory /usr/lib/git-core>
<IfVersion >= 2.4> <IfVersion >= 2.4>
Require all granted Require all granted
</IfVersion> </IfVersion>
<IfVersion < 2.4> <IfVersion < 2.4>
Order deny,allow Order deny,allow
Allow from all Allow from all
</IfVersion> </IfVersion>
</Directory> </Directory>
ErrorLog ${APACHE_LOG_DIR}/<%= @vhost_name %>-error.log ErrorLog ${APACHE_LOG_DIR}/<%= @vhost_name %>-error.log
@ -26,16 +36,8 @@
RewriteRule ^/status.json - [F] RewriteRule ^/status.json - [F]
<% end -%> <% end -%>
<% unless @zuulv3 %>
RewriteRule ^/status.json$ <%= @zuul_status_url %>/status.json [P] RewriteRule ^/status.json$ <%= @zuul_status_url %>/status.json [P]
RewriteRule ^/status/(.*) <%= @zuul_status_url %>/status/$1 [P] RewriteRule ^/status/(.*) <%= @zuul_status_url %>/status/$1 [P]
<% end %>
<% if @zuulv3 %>
RewriteRule ^/console-stream <%= @zuul_web_full_url.sub('http://', 'ws://') %>/console-stream [P]
RewriteRule ^/(.*)$ <%= @zuul_web_full_url %>/$1 [P]
RewriteRule ^/$ <%= @zuul_web_full_url %>/status.html [P]
<% end %>
AddOutputFilterByType DEFLATE application/json AddOutputFilterByType DEFLATE application/json
@ -49,12 +51,8 @@
<IfModule mod_cache.c> <IfModule mod_cache.c>
CacheDefaultExpire 5 CacheDefaultExpire 5
<IfModule mod_mem_cache.c> <IfModule mod_mem_cache.c>
<% if @zuulv3 %>
CacheEnable mem /status CacheEnable mem /status
CacheEnable mem /status.json CacheEnable mem /status.json
<% else %>
CacheEnable mem /status.json
<% end %>
# 12MByte total cache size. # 12MByte total cache size.
MCacheSize 12288 MCacheSize 12288
MCacheMaxObjectCount 10 MCacheMaxObjectCount 10
@ -64,12 +62,8 @@
MCacheMaxStreamingBuffer 8388608 MCacheMaxStreamingBuffer 8388608
</IfModule> </IfModule>
<IfModule mod_cache_disk.c> <IfModule mod_cache_disk.c>
<% if @zuulv3 %>
CacheEnable disk /status CacheEnable disk /status
CacheEnable disk /status.json CacheEnable disk /status.json
<% else %>
CacheEnable disk /status.json
<% end %>
CacheRoot /var/cache/apache2/mod_cache_disk CacheRoot /var/cache/apache2/mod_cache_disk
</IfModule> </IfModule>
</IfModule> </IfModule>
@ -90,12 +84,22 @@
<% end %> <% end %>
<Directory /var/lib/zuul/www> <Directory /var/lib/zuul/www>
Allow from all <IfVersion >= 2.4>
Satisfy Any Require all granted
</IfVersion>
<IfVersion < 2.4>
Order deny,allow
Allow from all
</IfVersion>
</Directory> </Directory>
<Directory /usr/lib/git-core> <Directory /usr/lib/git-core>
Allow from all <IfVersion >= 2.4>
Satisfy Any Require all granted
</IfVersion>
<IfVersion < 2.4>
Order deny,allow
Allow from all
</IfVersion>
</Directory> </Directory>
ErrorLog ${APACHE_LOG_DIR}/<%= @vhost_name %>-error.log ErrorLog ${APACHE_LOG_DIR}/<%= @vhost_name %>-error.log
@ -111,16 +115,9 @@
RewriteCond %{HTTP_REFERER} =<%= referer %> RewriteCond %{HTTP_REFERER} =<%= referer %>
RewriteRule ^/status.json - [F] RewriteRule ^/status.json - [F]
<% end -%> <% end -%>
<% unless @zuulv3 %>
RewriteRule ^/status.json$ <%= @zuul_status_url %>/status.json [P] RewriteRule ^/status.json$ <%= @zuul_status_url %>/status.json [P]
RewriteRule ^/status/(.*) <%= @zuul_status_url %>/status/$1 [P] RewriteRule ^/status/(.*) <%= @zuul_status_url %>/status/$1 [P]
<% end %>
<% if @zuulv3 %>
RewriteRule ^/console-stream <%= @zuul_web_full_url.sub('http://', 'ws://') %>/console-stream [P]
RewriteRule ^/(.*)$ <%= @zuul_web_full_url %>/$1 [P]
RewriteRule ^/$ <%= @zuul_web_full_url %>/status.html [P]
<% end %>
AddOutputFilterByType DEFLATE application/json AddOutputFilterByType DEFLATE application/json
@ -134,12 +131,8 @@
<IfModule mod_cache.c> <IfModule mod_cache.c>
CacheDefaultExpire 5 CacheDefaultExpire 5
<IfModule mod_mem_cache.c> <IfModule mod_mem_cache.c>
<% if @zuulv3 %>
CacheEnable mem /status CacheEnable mem /status
CacheEnable mem /status.json CacheEnable mem /status.json
<% else %>
CacheEnable mem /status.json
<% end %>
# 12MByte total cache size. # 12MByte total cache size.
MCacheSize 12288 MCacheSize 12288
MCacheMaxObjectCount 10 MCacheMaxObjectCount 10
@ -149,12 +142,8 @@
MCacheMaxStreamingBuffer 8388608 MCacheMaxStreamingBuffer 8388608
</IfModule> </IfModule>
<IfModule mod_cache_disk.c> <IfModule mod_cache_disk.c>
<% if @zuulv3 %>
CacheEnable disk /status CacheEnable disk /status
CacheEnable disk /status.json CacheEnable disk /status.json
<% else %>
CacheEnable disk /status.json
<% end %>
CacheRoot /var/cache/apache2/mod_cache_disk CacheRoot /var/cache/apache2/mod_cache_disk
</IfModule> </IfModule>
</IfModule> </IfModule>
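Review bot: Removing the `<% if @zuulv3 %>` / `<% else %>` wrappers in the `mod_mem_cache` and `mod_cache_disk` blocks appears to keep the v3 branch rather than the v2 one, in both the port 80 and the TLS vhost. This template is now v2-only, and v2 previously rendered only `CacheEnable mem /status.json` and `CacheEnable disk /status.json`. If the side-by-side rendering is read correctly, the new side also emits `CacheEnable mem /status` and `CacheEnable disk /status`, so the proxied `/status/(.*)` responses become cacheable on v2 hosts. That is a behaviour change inside a commit described as a split. If it is not intended, drop the two `/status` lines from each block. A one-line ERB comment at the top of the file stating that it is used only when `zuulv3` is false would also be worth adding.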


@ -0,0 +1,68 @@
<% if @ssl -%>
<IfModule mod_ssl.c>
<% end -%>
<VirtualHost *:<%= @port %>>
<% if @ssl -%>
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
SSLCertificateFile /etc/ssl/certs/<%= @vhost_name %>.pem
SSLCertificateKeyFile /etc/ssl/private/<%= @vhost_name %>.key
<% if @ssl_chain_file_contents != '' -%>
SSLCertificateChainFile /etc/ssl/certs/<%= @vhost_name %>_intermediate.pem
<% end -%>
<% end -%>
ServerName <%= @vhost_name %>
ServerAdmin <%= @serveradmin %>
DocumentRoot <%= @docroot %>
<Directory <%= @docroot %>>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order deny,allow
Allow from all
</IfVersion>
</Directory>
ErrorLog ${APACHE_LOG_DIR}/<%= @vhost_name %>-error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/<%= @vhost_name %>-access.log combined
RewriteEngine on
<% @block_referers.each do |referer| -%>
RewriteCond %{HTTP_REFERER} =<%= referer %>
RewriteRule ^/status - [F]
<% end -%>
RewriteRule ^/console-stream <%= @zuul_web_full_url.sub('http://', 'ws://') %>/console-stream [P]
RewriteRule ^/(.*)$ <%= @zuul_web_full_url %>/$1 [P]
RewriteRule ^/$ <%= @zuul_web_full_url %>/status.html [P]
AddOutputFilterByType DEFLATE application/json
<IfModule mod_cache.c>
CacheDefaultExpire 5
<IfModule mod_mem_cache.c>
CacheEnable mem /status
# 12MByte total cache size.
MCacheSize 12288
MCacheMaxObjectCount 10
MCacheMinObjectSize 1
# 8MByte max size per cache entry
MCacheMaxObjectSize 8388608
MCacheMaxStreamingBuffer 8388608
</IfModule>
<IfModule mod_cache_disk.c>
CacheEnable disk /status
CacheRoot /var/cache/apache2/mod_cache_disk
</IfModule>
</IfModule>
</VirtualHost>
<% if @ssl -%>
</IfModule>
<% end -%>
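Review bot: The rewrite rules are ordered so that `RewriteRule ^/$ <%= @zuul_web_full_url %>/status.html [P]` can never fire. The preceding `RewriteRule ^/(.*)$ ... [P]` already matches `/`, because `(.*)` matches the empty string, and `[P]` ends rule processing. Moving the `^/$` rule above the catch-all restores the redirect of the root to `status.html`. Note also that with the catch-all in place the `DocumentRoot` content is never served directly. On the TLS side, `SSLProtocol All -SSLv2 -SSLv3` still allows TLS 1.0 and 1.1; if the client base permits, tighten it to `SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1`. The port 80 instance of this template also proxies everything in clear text even when a certificate is configured, so a redirect to the `-ssl` vhost when `$use_ssl` is set would be worth considering.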