Tim Landscheidt has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/340462 )

Change subject: puppetdb: Allow to use Apache as frontend
......................................................................

puppetdb: Allow to use Apache as frontend

Bug: T154105
Change-Id: I7a0605d03d6307d50ce27840515121c14d4f5b14
---
M modules/puppetmaster/manifests/puppetdb.pp
A modules/puppetmaster/templates/apache-puppetdb.conf.erb
2 files changed, 60 insertions(+), 16 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/62/340462/1

diff --git a/modules/puppetmaster/manifests/puppetdb.pp 
b/modules/puppetmaster/manifests/puppetdb.pp
index de2b5cb..697d4bf 100644
--- a/modules/puppetmaster/manifests/puppetdb.pp
+++ b/modules/puppetmaster/manifests/puppetdb.pp
@@ -1,29 +1,54 @@
 # Class puppetmaster::puppetdb
 #
 # Sets up a puppetdb instance and the corresponding database server.
-class puppetmaster::puppetdb($master, $port=443, $jetty_port=8080) {
+class puppetmaster::puppetdb($master, $port=443, $jetty_port=8080, 
$webfrontend='nginx') {
     requires_os('Debian >= jessie')
 
     $puppetdb_pass = hiera('puppetdb::password::rw')
 
     ## TLS Termination
-    # Set up nginx as a reverse-proxy
-    ::base::expose_puppet_certs { '/etc/nginx':
-        ensure          => present,
-        provide_private => true,
-        require         => Class['nginx'],
-    }
+    case $webfrontend {
+        'apache': {
+            # Set up Apache as a reverse-proxy.
+            include ::apache::mod::headers
+            include ::apache::mod::proxy
+            include ::apache::mod::proxy_http
+            include ::apache::mod::ssl
 
-    $ssl_settings = ssl_ciphersuite('nginx', 'mid')
-    include ::sslcert::dhparam
-    ::nginx::site { 'puppetdb':
-        ensure  => present,
-        content => template('puppetmaster/nginx-puppetdb.conf.erb'),
-        require => Class['::sslcert::dhparam'],
-    }
+            $ssl_settings = ssl_ciphersuite('apache', 'mid', true)
+            include ::sslcert::dhparam
+            ::apache::site { 'puppetdb':
+                ensure  => present,
+                content => template('puppetmaster/apache-puppetdb.conf.erb'),
+                require => Class['::sslcert::dhparam'],
+            }
 
-    diamond::collector::nginx{ $::fqdn:
-        port => 10080,
+        }
+
+        'nginx': {
+            # Set up nginx as a reverse-proxy.
+            ::base::expose_puppet_certs { '/etc/nginx':
+                ensure          => present,
+                provide_private => true,
+                require         => Class['nginx'],
+            }
+
+            $ssl_settings = ssl_ciphersuite('nginx', 'mid')
+            include ::sslcert::dhparam
+            ::nginx::site { 'puppetdb':
+                ensure  => present,
+                content => template('puppetmaster/nginx-puppetdb.conf.erb'),
+                require => Class['::sslcert::dhparam'],
+            }
+
+            diamond::collector::nginx{ $::fqdn:
+                port => 10080,
+            }
+        }
+
+        default: {
+            fail("Unknown webfrontend '${webfrontend}'")
+        }
     }
 
     ## PuppetDB installation
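Review bot: The new `$webfrontend` parameter is not described in the class header comment, which still says only that the class sets up a puppetdb instance and database server. A line such as `# [*webfrontend*] Reverse proxy terminating TLS in front of PuppetDB: 'nginx' (default) or 'apache'.` would tell callers which values the `case` accepts before they hit the `fail()` in the default branch. The `'apache'` branch also has no counterpart to `diamond::collector::nginx`, so that frontend appears to go without a metrics collector; if that is intentional, a short comment in the branch would say so. The class body continues past the end of this hunk.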
diff --git a/modules/puppetmaster/templates/apache-puppetdb.conf.erb 
b/modules/puppetmaster/templates/apache-puppetdb.conf.erb
new file mode 100644
index 0000000..da94b31
--- /dev/null
+++ b/modules/puppetmaster/templates/apache-puppetdb.conf.erb
@@ -0,0 +1,19 @@
+# This file is managed by Puppet!
+
+<VirtualHost *:<%= @port %>>
+    ServerName <%= @fqdn %>
+
+    SSLEngine on
+    <%= @ssl_settings.join("\n    ") %>
+    SSLCertificateFile      /var/lib/puppet/ssl/certs/<%= @fqdn %>.pem
+    SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/<%= @fqdn %>.pem
+    SSLCACertificateFile    /var/lib/puppet/ssl/certs/ca.pem
+    SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
+
+    DocumentRoot /dev/null
+
+    RequestHeader set X-Real-IP %{REMOTE_ADDR}s
+    ProxyPass     / http://localhost:<%= @jetty_port %>/
+
+    CustomLog /var/log/apache2/puppetdb.log wmf
+</VirtualHost>
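Review bot: The vhost sets `SSLCACertificateFile` but never turns on client-certificate verification, and Apache's default is `SSLVerifyClient none`. As written, any client that can reach this port is proxied to the plain-HTTP Jetty listener on localhost without presenting a certificate. If access is meant to be limited to hosts holding a certificate signed by the Puppet CA, add `SSLVerifyClient require` and `SSLVerifyDepth 1` after `SSLEngine on`. The nginx template is not visible in this change, so compare against it to keep both frontends equally strict, and confirm whether a firewall rule is the intended control instead.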

-- 
To view, visit https://gerrit.wikimedia.org/r/340462
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I7a0605d03d6307d50ce27840515121c14d4f5b14
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Tim Landscheidt <t...@tim-landscheidt.de>
