opendev/system-config
Code Issues Proposed changes

Pass review.o.o SSL certs in from Hiera.

Browse Source 
Use Hiera to store the review.o.o SSL certs and pass them down to the
gerrit module.

While modifying these files fix indentation and rocket ship alignment
according to puppet lint in the sections touched.

Change-Id: I914b0dea72c77dedb44a4e6f51417985e673b315
Reviewed-on: https://review.openstack.org/13975
Approved: James E. Blair <corvus@inaugust.com>
Reviewed-by: James E. Blair <corvus@inaugust.com>
Tested-by: Jenkins
This commit is contained in:
Clark Boylan 2012-10-02 15:49:18 -07:00 committed by Jenkins
parent 915c4d53b4
commit 15e526fb18
4 changed files with 199 additions and 146 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
manifests/site.pp
View File

@ -13,12 +13,15 @@ node default {
# #
node 'review.openstack.org' { node 'review.openstack.org' {
class { 'openstack_project::review': class { 'openstack_project::review':
github_oauth_token => hiera('gerrit_github_token'), github_oauth_token => hiera('gerrit_github_token'),
mysql_password => hiera('gerrit_mysql_password'), mysql_password => hiera('gerrit_mysql_password'),
mysql_root_password => hiera('gerrit_mysql_root_password'), mysql_root_password => hiera('gerrit_mysql_root_password'),
email_private_key => hiera('gerrit_email_private_key'), email_private_key => hiera('gerrit_email_private_key'),
gerritbot_password => hiera('gerrit_gerritbot_password'), gerritbot_password => hiera('gerrit_gerritbot_password'),
sysadmins => hiera('sysadmins'), ssl_cert_file_contents => hiera('gerrit_ssl_cert_file_contents'),
ssl_key_file_contents => hiera('gerrit_ssl_key_file_contents'),
ssl_chain_file_contents => hiera('gerrit_ssl_chain_file_contents'),
sysadmins => hiera('sysadmins'),
} }
} }

119
modules/gerrit/manifests/init.pp
View File

@ -9,6 +9,10 @@
# Used in the Apache virtual host to specify the SSL cert and key files. # Used in the Apache virtual host to specify the SSL cert and key files.
# ssl_chain_file: # ssl_chain_file:
# Optional, if you have an intermediate cert Apache should serve. # Optional, if you have an intermediate cert Apache should serve.
# ssl_*_file_contents:
# Optional, the contents of the respective cert files as a string. Will be
# used to have Puppet ensure the contents of these files. Default value of
# '' means Puppet should not manage these files.
# openidssourl: # openidssourl:
# The URL to use for OpenID in SSO mode. # The URL to use for OpenID in SSO mode.
# email: # email:
@ -62,42 +66,45 @@
# TODO: make more gerrit options configurable here # TODO: make more gerrit options configurable here
class gerrit($vhost_name=$fqdn, class gerrit($vhost_name=$fqdn,
$canonicalweburl="https://$fqdn/", $canonicalweburl="https://$fqdn/",
$serveradmin="webmaster@$fqdn", $serveradmin="webmaster@$fqdn",
$ssl_cert_file='/etc/ssl/certs/ssl-cert-snakeoil.pem', $ssl_cert_file='/etc/ssl/certs/ssl-cert-snakeoil.pem',
$ssl_key_file='/etc/ssl/private/ssl-cert-snakeoil.key', $ssl_key_file='/etc/ssl/private/ssl-cert-snakeoil.key',
$ssl_chain_file='', $ssl_chain_file='',
$openidssourl="https://login.launchpad.net/+openid", $ssl_cert_file_contents='', # If left empty puppet will not create file.
$email='', $ssl_key_file_contents='', # If left empty puppet will not create file.
$database_poollimit='', $ssl_chain_file_contents='', # If left empty puppet will not create file.
$container_heaplimit='', $openidssourl="https://login.launchpad.net/+openid",
$core_packedgitopenfiles='', $email='',
$core_packedgitlimit='', $database_poollimit='',
$core_packedgitwindowsize='', $container_heaplimit='',
$sshd_threads='', $core_packedgitopenfiles='',
$httpd_acceptorthreads='', $core_packedgitlimit='',
$httpd_minthreads='', $core_packedgitwindowsize='',
$httpd_maxthreads='', $sshd_threads='',
$httpd_maxwait='', $httpd_acceptorthreads='',
$commentlinks = [], $httpd_minthreads='',
$war, $httpd_maxthreads='',
$contactstore=false, $httpd_maxwait='',
$contactstore_appsec='', $commentlinks = [],
$contactstore_pubkey='', $war,
$contactstore_url='', $contactstore=false,
$projects_file = 'UNDEF', $contactstore_appsec='',
$enable_melody = 'false', $contactstore_pubkey='',
$melody_session = 'false', $contactstore_url='',
$mysql_password, $projects_file = 'UNDEF',
$mysql_root_password, $enable_melody = 'false',
$email_private_key, $melody_session = 'false',
$replicate_github=false, $mysql_password,
$replicate_local=true, $mysql_root_password,
$local_git_dir='/var/lib/git', $email_private_key,
$replication_targets=[], $replicate_github=false,
$gitweb=true, $replicate_local=true,
$testmode=false $local_git_dir='/var/lib/git',
) { $replication_targets=[],
$gitweb=true,
$testmode=false
) {
include apache include apache
@ -239,7 +246,7 @@ class gerrit($vhost_name=$fqdn,
require => File["/home/gerrit2/review_site/etc"] require => File["/home/gerrit2/review_site/etc"]
} }
# Set up MySQL. # Set up MySQL.
class {"mysql::server": class {"mysql::server":
config_hash => { config_hash => {
@ -258,14 +265,14 @@ class gerrit($vhost_name=$fqdn,
charset => "latin1", charset => "latin1",
} }
# Set up apache. # Set up apache.
apache::vhost { $vhost_name: apache::vhost { $vhost_name:
port => 443, port => 443,
docroot => 'MEANINGLESS ARGUMENT', docroot => 'MEANINGLESS ARGUMENT',
priority => '50', priority => '50',
template => 'gerrit/gerrit.vhost.erb', template => 'gerrit/gerrit.vhost.erb',
ssl => true, ssl => true,
} }
a2mod { 'rewrite': a2mod { 'rewrite':
ensure => present ensure => present
@ -277,6 +284,36 @@ class gerrit($vhost_name=$fqdn,
ensure => present ensure => present
} }
if $ssl_cert_file_contents != '' {
file { $ssl_cert_file:
owner => 'root',
group => 'root',
mode => '0640',
content => $ssl_cert_file_contents,
before => Apache::Vhost[$vhost_name],
}
}
if $ssl_key_file_contents != '' {
file { $ssl_key_file:
owner => 'root',
group => 'root',
mode => '0640',
content => $ssl_key_file_contents,
before => Apache::Vhost[$vhost_name],
}
}
if $ssl_chain_file_contents != '' {
file { $ssl_chain_file:
owner => 'root',
group => 'root',
mode => '0640',
content => $ssl_chain_file_contents,
before => Apache::Vhost[$vhost_name],
}
}
# Install Gerrit itself. # Install Gerrit itself.
# The Gerrit WAR is specified as a url like 'http://tarballs.openstack.org/ci/gerrit-2.2.2-363-gd0a67ce.war' # The Gerrit WAR is specified as a url like 'http://tarballs.openstack.org/ci/gerrit-2.2.2-363-gd0a67ce.war'

161
modules/openstack_project/manifests/gerrit.pp
View File

@ -4,41 +4,44 @@
# TODO: launchpadlib creds for user sync script # TODO: launchpadlib creds for user sync script
class openstack_project::gerrit ( class openstack_project::gerrit (
$vhost_name=$fqdn, $vhost_name=$fqdn,
$canonicalweburl="https://$fqdn/", $canonicalweburl="https://$fqdn/",
$serveradmin='webmaster@openstack.org', $serveradmin='webmaster@openstack.org',
$ssh_host_key='/home/gerrit2/review_site/etc/ssh_host_rsa_key', $ssh_host_key='/home/gerrit2/review_site/etc/ssh_host_rsa_key',
$ssl_cert_file='', $ssl_cert_file='',
$ssl_key_file='', $ssl_key_file='',
$ssl_chain_file='', $ssl_chain_file='',
$email='', $ssl_cert_file_contents='',
$database_poollimit='', $ssl_key_file_contents='',
$container_heaplimit='', $ssl_chain_file_contents='',
$core_packedgitopenfiles='', $email='',
$core_packedgitlimit='', $database_poollimit='',
$core_packedgitwindowsize='', $container_heaplimit='',
$sshd_threads='', $core_packedgitopenfiles='',
$httpd_acceptorthreads='', $core_packedgitlimit='',
$httpd_minthreads='', $core_packedgitwindowsize='',
$httpd_maxthreads='', $sshd_threads='',
$httpd_maxwait='', $httpd_acceptorthreads='',
$war, $httpd_minthreads='',
$contactstore=false, $httpd_maxthreads='',
$contactstore_appsec='', $httpd_maxwait='',
$contactstore_pubkey='', $war,
$contactstore_url='', $contactstore=false,
$script_user='update', $contactstore_appsec='',
$script_key_file='/home/gerrit2/.ssh/id_rsa', $contactstore_pubkey='',
$script_logging_conf='/home/gerrit2/.sync_logging.conf', $contactstore_url='',
$projects_file='UNDEF', $script_user='update',
$github_username, $script_key_file='/home/gerrit2/.ssh/id_rsa',
$github_oauth_token, $script_logging_conf='/home/gerrit2/.sync_logging.conf',
$mysql_password, $projects_file='UNDEF',
$mysql_root_password, $github_username,
$trivial_rebase_role_id, $github_oauth_token,
$email_private_key, $mysql_password,
$testmode=false, $mysql_root_password,
$sysadmins=[] $trivial_rebase_role_id,
$email_private_key,
$testmode=false,
$sysadmins=[]
) { ) {
class { 'openstack_project::server': class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443, 29418], iptables_public_tcp_ports => [80, 443, 29418],
@ -46,51 +49,55 @@ class openstack_project::gerrit (
} }
class { '::gerrit': class { '::gerrit':
vhost_name => $vhost_name, vhost_name => $vhost_name,
canonicalweburl => $canonicalweburl, canonicalweburl => $canonicalweburl,
# opinions # opinions
enable_melody => 'true', enable_melody => 'true',
melody_session => 'true', melody_session => 'true',
# passthrough # passthrough
ssl_cert_file => $ssl_cert_file, ssl_cert_file => $ssl_cert_file,
ssl_key_file => $ssl_key_file, ssl_key_file => $ssl_key_file,
ssl_chain_file => $ssl_chain_file, ssl_chain_file => $ssl_chain_file,
email => $email, ssl_cert_file_contents => $ssl_cert_file_contents,
openidssourl => "https://login.launchpad.net/+openid", ssl_key_file_contents => $ssl_key_file_contents,
database_poollimit => $database_poollimit, ssl_chain_file_contents => $ssl_chain_file_contents,
container_heaplimit => $container_heaplimit, email => $email,
core_packedgitopenfiles => $core_packedgitopenfiles, openidssourl => "https://login.launchpad.net/+openid",
core_packedgitlimit => $core_packedgitlimit, database_poollimit => $database_poollimit,
container_heaplimit => $container_heaplimit,
core_packedgitopenfiles => $core_packedgitopenfiles,
core_packedgitlimit => $core_packedgitlimit,
core_packedgitwindowsize => $core_packedgitwindowsize, core_packedgitwindowsize => $core_packedgitwindowsize,
sshd_threads => $sshd_threads, sshd_threads => $sshd_threads,
httpd_acceptorthreads => $httpd_acceptorthreads, httpd_acceptorthreads => $httpd_acceptorthreads,
httpd_minthreads => $httpd_minthreads, httpd_minthreads => $httpd_minthreads,
httpd_maxthreads => $httpd_maxthreads, httpd_maxthreads => $httpd_maxthreads,
httpd_maxwait => $httpd_maxwait, httpd_maxwait => $httpd_maxwait,
commentlinks => [ { name => 'changeid', commentlinks => [{ name => 'changeid',
match => '(I[0-9a-f]{8,40})', match => '(I[0-9a-f]{8,40})',
link => '#q,$1,n,z' }, link => '#q,$1,n,z'
},
{ name => 'launchpad', { name => 'launchpad',
match => '([Bb]ug|[Ll][Pp])[\\s#:]*(\\d+)', match => '([Bb]ug|[Ll][Pp])[\\s#:]*(\\d+)',
link => 'https://code.launchpad.net/bugs/$2' }, link => 'https://code.launchpad.net/bugs/$2'
},
{ name => 'blueprint', { name => 'blueprint',
match => '([Bb]lue[Pp]rint|[Bb][Pp])[\\s#:]*([A-Za-z0-9\\-]+)', match => '([Bb]lue[Pp]rint|[Bb][Pp])[\\s#:]*([A-Za-z0-9\\-]+)',
link => 'https://blueprints.launchpad.net/openstack/?searchtext=$2' }, link => 'https://blueprints.launchpad.net/openstack/?searchtext=$2'
], },
war => $war, ],
contactstore => $contactstore, war => $war,
contactstore_appsec => $contactstore_appsec, contactstore => $contactstore,
contactstore_pubkey => $contactstore_pubkey, contactstore_appsec => $contactstore_appsec,
contactstore_url => $contactstore_url, contactstore_pubkey => $contactstore_pubkey,
mysql_password => $mysql_password, contactstore_url => $contactstore_url,
mysql_root_password => $mysql_root_password, mysql_password => $mysql_password,
email_private_key => $email_private_key, mysql_root_password => $mysql_root_password,
projects_file => $projects_file, email_private_key => $email_private_key,
replicate_github => true, projects_file => $projects_file,
testmode => $testmode, replicate_github => true,
require => Class[openstack_project::server], testmode => $testmode,
require => Class[openstack_project::server],
} }
if ($testmode == false) { if ($testmode == false) {
class { 'gerrit::cron': class { 'gerrit::cron':

50
modules/openstack_project/manifests/review.pp
View File

@ -30,32 +30,38 @@ class openstack_project::review (
$mysql_root_password, $mysql_root_password,
$email_private_key, $email_private_key,
$gerritbot_password, $gerritbot_password,
$ssl_cert_file_contents = '',
$ssl_key_file_contents = '',
$ssl_chain_file_contents = '',
$sysadmins = [] $sysadmins = []
) { ) {
class { 'openstack_project::gerrit': class { 'openstack_project::gerrit':
ssl_cert_file => '/etc/ssl/certs/review.openstack.org.pem', ssl_cert_file => '/etc/ssl/certs/review.openstack.org.pem',
ssl_key_file => '/etc/ssl/private/review.openstack.org.key', ssl_key_file => '/etc/ssl/private/review.openstack.org.key',
ssl_chain_file => '/etc/ssl/certs/intermediate.pem', ssl_chain_file => '/etc/ssl/certs/intermediate.pem',
email => 'review@openstack.org', ssl_cert_file_contents => $ssl_cert_file_contents,
database_poollimit => '150', # 1 + 100 + 9 + 2 + 2 + 25 = 139(rounded up) ssl_key_file_contents => $ssl_key_file_contents,
container_heaplimit => '8g', ssl_chain_file_contents => $ssl_chain_file_contents,
core_packedgitopenfiles => '4096', email => 'review@openstack.org',
core_packedgitlimit => '400m', database_poollimit => '150', # 1 + 100 + 9 + 2 + 2 + 25 = 139(rounded up)
container_heaplimit => '8g',
core_packedgitopenfiles => '4096',
core_packedgitlimit => '400m',
core_packedgitwindowsize => '16k', core_packedgitwindowsize => '16k',
sshd_threads => '100', sshd_threads => '100',
httpd_maxwait => '5000min', httpd_maxwait => '5000min',
war => 'http://tarballs.openstack.org/ci/gerrit-2.4.2-11-gb5a28fb.war', war => 'http://tarballs.openstack.org/ci/gerrit-2.4.2-11-gb5a28fb.war',
script_user => 'launchpadsync', script_user => 'launchpadsync',
script_key_file => '/home/gerrit2/.ssh/launchpadsync_rsa', script_key_file => '/home/gerrit2/.ssh/launchpadsync_rsa',
script_logging_conf => '/home/gerrit2/.sync_logging.conf', script_logging_conf => '/home/gerrit2/.sync_logging.conf',
projects_file => 'puppet:///openstack_project/review.projects.yaml', projects_file => 'puppet:///openstack_project/review.projects.yaml',
github_username => 'openstack-gerrit', github_username => 'openstack-gerrit',
github_oauth_token => $github_oauth_token, github_oauth_token => $github_oauth_token,
mysql_password => $mysql_password, mysql_password => $mysql_password,
mysql_root_password => $mysql_root_password, mysql_root_password => $mysql_root_password,
trivial_rebase_role_id => 'trivial-rebase@review.openstack.org', trivial_rebase_role_id => 'trivial-rebase@review.openstack.org',
email_private_key => $email_private_key, email_private_key => $email_private_key,
sysadmins => $sysadmins sysadmins => $sysadmins
} }
class { 'gerritbot': class { 'gerritbot':
nick => 'openstackgerrit', nick => 'openstackgerrit',