From 37daa678e2cf4d6a20b530f40709321934028756 Mon Sep 17 00:00:00 2001
From: "James E. Blair" <jeblair@openstack.org>
Date: Tue, 18 Dec 2012 14:11:43 -0800
Subject: [PATCH] Add ssl cert to wiki.o.o.

Change-Id: I6c6ad0ddd000e3f140cb08faef7dce2cb9ae7079
Reviewed-on: https://review.openstack.org/18349
Reviewed-by: Ryan Lane
Reviewed-by: Monty Taylor <mordred@inaugust.com>
Approved: Clark Boylan <clark.boylan@gmail.com>
Reviewed-by: Clark Boylan <clark.boylan@gmail.com>
Tested-by: Jenkins
---
 manifests/site.pp                             |  7 +++-
 modules/mediawiki/manifests/init.pp           | 38 ++++++++++++++++++-
 .../mediawiki/templates/apache/mediawiki.erb  |  7 +++-
 modules/openstack_project/manifests/wiki.pp   | 17 +++++++--
 4 files changed, 60 insertions(+), 9 deletions(-)

diff --git a/manifests/site.pp b/manifests/site.pp
index 249e58d153..c418351a71 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -163,8 +163,11 @@ node 'etherpad-dev.openstack.org' {
 
 node 'wiki.openstack.org' {
   class { 'openstack_project::wiki':
-    mysql_root_password => hiera('wiki_db_password'),
-    sysadmins           => hiera('sysadmins'),
+    mysql_root_password     => hiera('wiki_db_password'),
+    sysadmins               => hiera('sysadmins'),
+    ssl_cert_file_contents  => hiera('wiki_ssl_cert_file_contents'),
+    ssl_key_file_contents   => hiera('wiki_ssl_key_file_contents'),
+    ssl_chain_file_contents => hiera('wiki_ssl_chain_file_contents'),
   }
 }
 
diff --git a/modules/mediawiki/manifests/init.pp b/modules/mediawiki/manifests/init.pp
index 3eea26466c..3e80b33736 100644
--- a/modules/mediawiki/manifests/init.pp
+++ b/modules/mediawiki/manifests/init.pp
@@ -3,7 +3,13 @@
 class mediawiki(
   $role = '',
   $site_hostname = '',
-  $mediawiki_location = ''
+  $mediawiki_location = '',
+  $ssl_cert_file = "/etc/ssl/certs/${::fqdn}.pem",
+  $ssl_key_file = "/etc/ssl/private/${::fqdn}.key",
+  $ssl_chain_file = '',
+  $ssl_cert_file_contents = '',  # If left empty puppet will not create file.
+  $ssl_key_file_contents = '',   # If left empty puppet will not create file.
+  $ssl_chain_file_contents = '', # If left empty puppet will not create file.
 ) {
 
   if ($role == 'app' or $role == 'all') {
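Review bot: `$ssl_key_file_contents` carries private key material, but its trailing comment only says the file is skipped when the value is empty. I would make the comment say what the value is and where it should come from, e.g. `# PEM private key; supply via hiera, never as a literal in a manifest. Empty: file not managed.` The same undocumented parameter is added to `openstack_project::wiki` in modules/openstack_project/manifests/wiki.pp. The class body continues outside this hunk.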
@@ -16,6 +22,36 @@ class mediawiki(
       ensure => present,
     }
 
+    if $ssl_cert_file_contents != '' {
+      file { $ssl_cert_file:
+        owner   => 'root',
+        group   => 'root',
+        mode    => '0640',
+        content => $ssl_cert_file_contents,
+        before  => Apache::Vhost[$site_hostname],
+      }
+    }
+
+    if $ssl_key_file_contents != '' {
+      file { $ssl_key_file:
+        owner   => 'root',
+        group   => 'ssl-cert',
+        mode    => '0640',
+        content => $ssl_key_file_contents,
+        before  => Apache::Vhost[$site_hostname],
+      }
+    }
+
+    if $ssl_chain_file_contents != '' {
+      file { $ssl_chain_file:
+        owner   => 'root',
+        group   => 'root',
+        mode    => '0640',
+        content => $ssl_chain_file_contents,
+        before  => Apache::Vhost[$site_hostname],
+      }
+    }
+
     apache::vhost { $site_hostname:
       port     => 443,
       docroot  => 'MEANINGLESS ARGUMENT',
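Review bot: A replaced certificate or key will not reach the running Apache, because the three `file` resources use `before => Apache::Vhost[$site_hostname]`, which orders them ahead of the vhost but sends no refresh. Using `notify => Apache::Vhost[$site_hostname]` keeps the ordering and emits a refresh event; whether that restarts Apache depends on the apache module, which is not visible here, so confirm it or notify the service resource directly. Separately, the chain block is guarded only by `$ssl_chain_file_contents != ''` while `$ssl_chain_file` defaults to `''`, so setting contents without a path declares a `file` with an empty title; `if $ssl_chain_file != '' and $ssl_chain_file_contents != '' {` avoids that. The `apache::vhost` declaration continues past the end of the hunk.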
diff --git a/modules/mediawiki/templates/apache/mediawiki.erb b/modules/mediawiki/templates/apache/mediawiki.erb
index 3a2f9fa20c..3d2aaab94e 100644
--- a/modules/mediawiki/templates/apache/mediawiki.erb
+++ b/modules/mediawiki/templates/apache/mediawiki.erb
@@ -39,8 +39,11 @@
         ServerName <%= scope.lookupvar("mediawiki::site_hostname") %>
 
         SSLEngine on
-        SSLCertificateFile /etc/ssl/certs/<%= fqdn %>.pem
-        SSLCertificateKeyFile /etc/ssl/private/<%= fqdn %>.key
+        SSLCertificateFile      <%= scope.lookupvar("mediawiki::ssl_cert_file") %>
+        SSLCertificateKeyFile   <%= scope.lookupvar("mediawiki::ssl_key_file") %>
+        <% if scope.lookupvar("mediawiki::ssl_chain_file") != "" %>
+          SSLCertificateChainFile <%= scope.lookupvar("mediawiki::ssl_chain_file") %>
+        <% end %>
 
         RedirectMatch ^/$ http://<%= scope.lookupvar("mediawiki::site_hostname") %>/wiki/
 
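Review bot: The `RedirectMatch` context line directly below the new certificate directives still sends `/` to an `http://` URL, so a client that reached this `SSLEngine on` vhost over TLS is bounced to plaintext on its first redirect. If this block is the port-443 vhost, as the surrounding directives suggest, `RedirectMatch ^/$ https://<%= scope.lookupvar("mediawiki::site_hostname") %>/wiki/` keeps the session on HTTPS. As a smaller style point, `<% if ... -%>` and `<% end -%>` would avoid the blank lines the new conditional leaves in the rendered config. The enclosing VirtualHost block starts and ends outside this hunk.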
diff --git a/modules/openstack_project/manifests/wiki.pp b/modules/openstack_project/manifests/wiki.pp
index de67daba48..3ae9eca490 100644
--- a/modules/openstack_project/manifests/wiki.pp
+++ b/modules/openstack_project/manifests/wiki.pp
@@ -2,7 +2,10 @@
 #
 class openstack_project::wiki (
   $mysql_root_password = '',
-  $sysadmins = []
+  $sysadmins = [],
+  $ssl_cert_file_contents = '',
+  $ssl_key_file_contents = '',
+  $ssl_chain_file_contents = '',
 ) {
 
   include openssl
@@ -18,9 +21,15 @@ class openstack_project::wiki (
   )
 
   class { 'mediawiki':
-    role               => 'all',
-    mediawiki_location => '/srv/mediawiki/w',
-    site_hostname      => $::fqdn,
+    role                    => 'all',
+    mediawiki_location      => '/srv/mediawiki/w',
+    site_hostname           => $::fqdn,
+    ssl_cert_file           => "/etc/ssl/certs/${::fqdn}.pem",
+    ssl_key_file            => "/etc/ssl/private/${::fqdn}.key",
+    ssl_chain_file          => '/etc/ssl/certs/intermediate.pem',
+    ssl_cert_file_contents  => $ssl_cert_file_contents,
+    ssl_key_file_contents   => $ssl_key_file_contents,
+    ssl_chain_file_contents => $ssl_chain_file_contents,
   }
   class { 'memcached':
     max_memory => 2048,
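Review bot: `ssl_chain_file` is hard-coded to `/etc/ssl/certs/intermediate.pem` even though `$ssl_chain_file_contents` defaults to `''` in this class, so with no chain supplied the template still emits `SSLCertificateChainFile` for a file Puppet never wrote, and Apache would presumably fail to load the vhost if that file is absent. Tying the path to the contents avoids that: `ssl_chain_file => $ssl_chain_file_contents ? { '' => '', default => '/etc/ssl/certs/intermediate.pem' },`. The `ssl_cert_file` and `ssl_key_file` arguments repeat the `mediawiki` class defaults verbatim and could be dropped. The `memcached` declaration at the end of the hunk continues outside it.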