[WIP] Add HTTP / HTTPS vhost management

The goal of this is that the module can either manage the vhost itself
or attach fragments to another vhost to embed the application. This
allows composition.

Author: ekohl

manifests/apache.pp

@@ -1,69 +1,115 @@
 # Configure an Apache vhost
 # @api private
-class pulpcore::apache {
+class pulpcore::apache (
+  String[1] $vhost_priority = '10',
+  Stdlib::Port $http_port = 80,
+  Stdlib::Port $https_port = 443,
+) {
   $api_path = '/pulp/api/v3'
   $api_url = "http://${pulpcore::api_host}:${pulpcore::api_port}${api_path}"
   $content_path = '/pulp/content'
   $content_base_url = "http://${pulpcore::content_host}:${pulpcore::content_port}"
   $content_url = "${content_base_url}${content_path}"
 
-  if $pulpcore::manage_apache {
-    $base_directories = [
-      {
-        provider       => 'directory',
-        path           => $pulpcore::webserver_static_dir,
-        options        => ['Indexes','FollowSymLinks'],
-        allow_override => ['None'],
-      },
+  $base_directories = [
+    {
+      provider       => 'directory',
+      path           => $pulpcore::webserver_static_dir,
+      options        => ['Indexes','FollowSymLinks'],
+      allow_override => ['None'],
+    },
+    {
+      'path'            => $content_path,
+      'provider'        => 'location',
+      'request_headers' => [
+        'unset X-CLIENT-CERT',
+        'set X-CLIENT-CERT "%{SSL_CLIENT_CERT}s" env=SSL_CLIENT_CERT',
+      ],
+    },
+  ]
+
+  if $pulpcore::remote_user_environ_name {
+    $remote_user_environ_header = $pulpcore::remote_user_environ_name.regsubst(/^HTTP_/, '')
+    $api_directories = [
       {
-        'path'            => $content_path,
+        'path'            => $api_path,
         'provider'        => 'location',
         'request_headers' => [
-          'unset X-CLIENT-CERT',
-          'set X-CLIENT-CERT "%{SSL_CLIENT_CERT}s" env=SSL_CLIENT_CERT',
+          "unset ${remote_user_environ_header}",
+          "set ${remote_user_environ_header} \"%{SSL_CLIENT_S_DN_CN}s\" env=SSL_CLIENT_S_DN_CN",
         ],
       },
     ]
+  } else {
+    $api_directories = []
+  }
 
-    if $pulpcore::remote_user_environ_name {
-      $remote_user_environ_header = $pulpcore::remote_user_environ_name.regsubst(/^HTTP_/, '')
-      $api_directories = [
-        {
-          'path'            => $api_path,
-          'provider'        => 'location',
-          'request_headers' => [
-            "unset ${remote_user_environ_header}",
-            "set ${remote_user_environ_header} \"%{SSL_CLIENT_S_DN_CN}s\" env=SSL_CLIENT_S_DN_CN",
-          ],
-        },
-      ]
-    } else {
-      $api_directories = []
-    }
+  case $pulpcore::apache_http_vhost {
+    true: {
+      $http_vhost_name = 'pulpcore'
 
-    include apache
-    apache::vhost { 'pulpcore':
-      servername  => $pulpcore::servername,
-      port        => 80,
-      priority    => '10',
-      docroot     => $pulpcore::webserver_static_dir,
-      directories => $base_directories + $api_directories,
-      proxy_pass  => [
-        {
-          'path'         => $api_path,
-          'url'          => $api_url,
-          'reverse_urls' => [$api_url],
-        },
-        {
-          'path'         => $content_path,
-          'url'          => $content_url,
-          'reverse_urls' => [$content_url],
-        },
-      ],
+      include apache
+      apache::vhost { $http_vhost_name:
+        servername  => $pulpcore::servername,
+        port        => $http_port,
+        priority    => $vhost_priority,
+        docroot     => $pulpcore::webserver_static_dir,
+        directories => $base_directories,
+        proxy_pass  => [
+          {
+            'path'         => $content_path,
+            'url'          => $content_url,
+            'reverse_urls' => [$content_url],
+          },
+        ],
+      }
+
+    }
+    false: {
+      $http_vhost_name = undef
     }
+    default: {
+      $http_vhost_name = $pulpcore::apache_http_vhost
+    }
+  }
+
+  case $pulpcore::apache_https_vhost {
+    true: {
+      $https_vhost_name = 'pulpcore'
+
+      include apache
+      apache::vhost { $https_vhost_name:
+        servername  => $pulpcore::servername,
+        port        => $https_port,
+        ssl         => true,
+        priority    => $vhost_priority,
+        docroot     => $pulpcore::webserver_static_dir,
+        directories => $base_directories + $api_directories,
+        proxy_pass  => [
+          {
+            'path'         => $api_path,
+            'url'          => $api_url,
+            'reverse_urls' => [$api_url],
+          },
+          {
+            'path'         => $content_path,
+            'url'          => $content_url,
+            'reverse_urls' => [$content_url],
+          },
+        ],
+      }
 
-    if $facts['os']['selinux']['enabled'] {
-      selinux::boolean { 'httpd_can_network_connect': }
     }
+    false: {
+      $https_vhost_name = undef
+    }
+    default: {
+      $https_vhost_name = $pulpcore::apache_https_vhost
+    }
+  }
+
+  # TODO: should this be in the selinux policy?
+  if $pulpcore::apache_http_vhost or $pulpcore::apache_https_vhost {
+    selinux::boolean { 'httpd_can_network_connect': }
   }
 }

manifests/apache/fragment.pp

@@ -1,14 +1,26 @@
 # @summary Deploy an Apache fragment. Only intended to be used within the module
 # @api private
 define pulpcore::apache::fragment (
-  Optional[String] $content = undef,
+  Optional[String] $http_content = undef,
+  Optional[String] $https_content = undef,
   Optional[Integer[0]] $order = undef,
 ) {
-  if $pulpcore::manage_apache {
-    apache::vhost::fragment { "pulpcore-${title}":
-      vhost    => 'pulpcore',
-      priority => '10',
-      content  => $content,
+  include pulpcore::apache
+
+  if $pulpcore::apache::http_vhost_name {
+    apache::vhost::fragment { "pulpcore-http-${title}":
+      vhost    => $pulpcore::apache::http_vhost_name,
+      priority => $pulpcore::apache::vhost_priority,
+      content  => $http_content,
+      order    => $order,
+    }
+  }
+
+  if $pulpcore::apache::https_vhost_name {
+    apache::vhost::fragment { "pulpcore-https-${title}":
+      vhost    => $pulpcore::apache::https_vhost_name,
+      priority => $pulpcore::apache::vhost_priority,
+      content  => $https_content,
       order    => $order,
     }
   }

manifests/init.pp

@@ -15,8 +15,15 @@
 # @param user_home
 #   Pulp user home directory
 #
-# @param manage_apache
-#   Deploy a separate apache vhost for pulp3
+# @param apache_http_vhost
+#   When true, deploy a separate apache vhost for pulp3 listening on HTTP.
+#   When a name is given, fragments are attached to the specified vhost. 
+#   When false, no Apache HTTP vhost is touched.
+#
+# @param apache_https_vhost
+#   When true, deploy a separate apache vhost for pulp3 listening on HTTPS.
+#   When a name is given, fragments are attached to the specified vhost. 
+#   When false, no Apache HTTPS vhost is touched.
 #
 # @param api_host
 #   API service host
@@ -92,7 +99,8 @@
   String $user = 'pulp',
   String $group = 'pulp',
   Stdlib::Absolutepath $user_home = '/var/lib/pulp',
-  Boolean $manage_apache = true,
+  Variant[Boolean, String[1]] $apache_http_vhost = true,
+  Variant[Boolean, String[1]] $apache_https_vhost = false,
   Stdlib::Host $api_host = '127.0.0.1',
   Stdlib::Port $api_port = 24817,
   Stdlib::Host $content_host = '127.0.0.1',

manifests/plugin/container.pp

@@ -13,6 +13,6 @@
   $url = "${pulpcore::apache::content_base_url}/v2/"
 
   pulpcore::apache::fragment { 'container':
-    content => template('pulpcore/plugin/container-apache.erb'),
+    https_content => template('pulpcore/plugin/container-apache.erb'),
   }
 }