opendev
/
system-config
Code Issues Proposed changes

Make storyboard run over ssl 

We're doing auth now, so we should really do it over SSL.

The cert contents are already in hiera.

Change-Id: Ia939e228785168705840acd6d377e6c25ba3370d
This commit is contained in:
Monty Taylor 2014-03-06 12:27:42 -08:00
parent 339d73ac34
commit fa3b8f4869
4 changed files with 108 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
manifests/site.pp
View File

@ -454,13 +454,13 @@ node 'summit.openstack.org' {
# A machine to run Storyboard
node 'storyboard.openstack.org' {
class { 'openstack_project::storyboard':
sysadmins => hiera('sysadmins'),
mysql_host => hiera('storyboard_db_host'),
mysql_user => hiera('storyboard_db_user'),
mysql_password => hiera('storyboard_db_password'),
# ssl_cert_file_contents => hiera('storyboard_ssl_cert_file_contents'),
# ssl_key_file_contents => hiera('storyboard_ssl_key_file_contents'),
# ssl_chain_file_contents => hiera('storyboard_ssl_chain_file_contents'),
sysadmins => hiera('sysadmins'),
mysql_host => hiera('storyboard_db_host'),
mysql_user => hiera('storyboard_db_user'),
mysql_password => hiera('storyboard_db_password'),
ssl_cert_file_contents => hiera('storyboard_ssl_cert_file_contents'),
ssl_key_file_contents => hiera('storyboard_ssl_key_file_contents'),
ssl_chain_file_contents => hiera('storyboard_ssl_chain_file_contents'),
}
}

21
modules/openstack_project/manifests/storyboard.pp
View File

@ -5,18 +5,29 @@ class openstack_project::storyboard(
$mysql_password = '',
$mysql_user = '',
$sysadmins = [],
$ssl_cert_file_contents = '',
$ssl_key_file_contents = '',
$ssl_chain_file_contents = '',
) {
class { 'openstack_project::server':
sysadmins => $sysadmins,
iptables_public_tcp_ports => [80],
iptables_public_tcp_ports => [80, 443],
}
class { '::storyboard':
mysql_host => $mysql_host,
mysql_password => $mysql_password,
mysql_user => $mysql_user,
projects_file =>
mysql_host => $mysql_host,
mysql_password => $mysql_password,
mysql_user => $mysql_user,
projects_file =>
'puppet:///modules/openstack_project/review.projects.yaml',
ssl_cert_file =>
'/etc/ssl/certs/storyboard.openstack.org.pem',
ssl_key_file =>
'/etc/ssl/private/storyboard.openstack.org.key',
ssl_chain_file => '/etc/ssl/certs/intermediate.pem',
ssl_cert_file_contents => $ssl_cert_file_contents,
ssl_key_file_contents => $ssl_key_file_contents,
ssl_chain_file_contents => $ssl_chain_file_contents,
}
}

40
modules/storyboard/manifests/init.pp
View File

@ -20,10 +20,16 @@ class storyboard (
$mysql_password,
$mysql_user,
$projects_file,
$ssl_cert_file,
$ssl_key_file,
$ssl_chain_file,
$storyboard_git_source_repo = 'https://git.openstack.org/openstack-infra/storyboard/',
$storyboard_revision = 'master',
$storyboard_webclient_url = 'http://tarballs.openstack.org/storyboard-webclient/storyboard-webclient-latest.tar.gz'
$storyboard_webclient_url = 'http://tarballs.openstack.org/storyboard-webclient/storyboard-webclient-latest.tar.gz',
$serveradmin = "webmaster@${::fqdn}",
$ssl_cert_file_contents = '',
$ssl_key_file_contents = '',
$ssl_chain_file_contents = ''
) {
include apache
include mysql::python
@ -162,6 +168,7 @@ class storyboard (
priority => '50',
template => 'storyboard/storyboard.vhost.erb',
require => Package['libapache2-mod-wsgi'],
ssl => true,
}
a2mod { 'proxy':
@ -177,4 +184,33 @@ class storyboard (
require => Package['libapache2-mod-wsgi'],
}
if $ssl_cert_file_contents != '' {
file { $ssl_cert_file:
owner => 'root',
group => 'root',
mode => '0640',
content => $ssl_cert_file_contents,
before => Apache::Vhost[$vhost_name],
}
}
if $ssl_key_file_contents != '' {
file { $ssl_key_file:
owner => 'root',
group => 'ssl-cert',
mode => '0640',
content => $ssl_key_file_contents,
before => Apache::Vhost[$vhost_name],
}
}
if $ssl_chain_file_contents != '' {
file { $ssl_chain_file:
owner => 'root',
group => 'root',
mode => '0640',
content => $ssl_chain_file_contents,
before => Apache::Vhost[$vhost_name],
}
}
}

50
modules/storyboard/templates/storyboard.vhost.erb
View File

@ -1,7 +1,49 @@
<VirtualHost *:80>
<VirtualHost <%= scope.lookupvar("storyboard::vhost_name") %>:80>
ServerAdmin <%= scope.lookupvar("storyboard::serveradmin") %>
ErrorLog ${APACHE_LOG_DIR}/storyboard-error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/storyboard-access.log combined
Redirect / https://<%= scope.lookupvar("storyboard::vhost_name") %>/
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost <%= scope.lookupvar("storyboard::vhost_name") %>:443>
ServerName <%= scope.lookupvar("storyboard::vhost_name") %>
ServerAdmin <%= scope.lookupvar("storyboard::serveradmin") %>
ErrorLog ${APACHE_LOG_DIR}/storyboard-ssl-error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/storyboard-ssl-access.log combined
SSLEngine on
SSLCertificateFile <%= scope.lookupvar("storyboard::ssl_cert_file") %>
SSLCertificateKeyFile <%= scope.lookupvar("storyboard::ssl_key_file") %>
<% if scope.lookupvar("storyboard::ssl_chain_file") != "" %>
SSLCertificateChainFile <%= scope.lookupvar("storyboard::ssl_chain_file") %>
<% end %>
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
DocumentRoot /var/lib/storyboard/www
ErrorLog /var/log/apache2/storyboard-error.log
CustomLog /var/log/apache2/storyboard-access.log common
WSGIDaemonProcess storyboard user=storyboard group=storyboard threads=5 python-path=/usr/local/lib/python2.7/dist-packages
WSGIScriptAlias /api /usr/local/lib/python2.7/dist-packages/storyboard/api/app.wsgi
@ -15,4 +57,6 @@
Order deny,allow
Allow from all
</Directory>
</VirtualHost>
</IfModule>