Add HTTP / HTTPS vhost management

The goal of this is that the module can either manage the vhost itself
or attach fragments to another vhost to embed the application. This
allows composition.

Author: ekohl

manifests/apache.pp

@@ -1,38 +1,155 @@
 # Configure an Apache vhost
 # @api private
-class pulpcore::apache {
+class pulpcore::apache (
+  Boolean $manage_selinux_boolean = true,
+  Stdlib::Port $http_port = 80,
+  Stdlib::Port $https_port = 443,
+  Hash[String, Any] $http_vhost_options = {},
+  Hash[String, Any] $https_vhost_options = {},
+  Enum['none', 'optional', 'require', 'optional_no_ca'] $ssl_verify_client = 'optional',
+) {
+  $vhost_priority = $pulpcore::apache_vhost_priority
   $api_path = '/pulp/api/v3'
-  $api_url = "http://${pulpcore::api_host}:${pulpcore::api_port}${api_path}"
+  $api_base_url = "http://${pulpcore::api_host}:${pulpcore::api_port}"
+  $api_url = "${api_base_url}${api_path}"
   $content_path = '/pulp/content'
-  $content_url = "http://${pulpcore::content_host}:${pulpcore::content_port}${content_path}"
-
-  if $pulpcore::manage_apache {
-    include apache
-    apache::vhost { 'pulpcore':
-      servername     => $pulpcore::servername,
-      port           => 80,
-      priority       => '10',
-      docroot        => $pulpcore::apache_docroot,
-      docroot_owner  => $pulpcore::user,
-      docroot_group  => $pulpcore::group,
-      docroot_mode   => '0755',
-      manage_docroot => true,
-      proxy_pass     => [
-        {
-          'path'         => $api_path,
-          'url'          => $api_url,
-          'reverse_urls' => [$api_url],
-        },
-        {
-          'path'         => $content_path,
-          'url'          => $content_url,
-          'reverse_urls' => [$content_url],
-        },
-      ],
+  $content_base_url = "http://${pulpcore::content_host}:${pulpcore::content_port}"
+  $content_url = "${content_base_url}${content_path}"
+
+  $docroot_directory = {
+    'provider'       => 'Directory',
+    'path'           => $pulpcore::apache_docroot,
+    'options'        => ['-Indexes', '-FollowSymLinks'],
+    'allow_override' => ['None'],
+  }
+  $content_directory = {
+    'path'            => $content_path,
+    'provider'        => 'location',
+    'proxy_pass'      => [
+      {
+        'url' => $content_url,
+      },
+    ],
+    'request_headers' => [
+      'unset X-CLIENT-CERT',
+      'set X-CLIENT-CERT "%{SSL_CLIENT_CERT}s" env=SSL_CLIENT_CERT',
+    ],
+  }
+
+  # Pulp has a default for remote header. Here it's ensured that the end user
+  # can't send that header to spoof users.
+  $remote_user_environ_header = $pulpcore::remote_user_environ_name.regsubst(/^HTTP_/, '')
+  $api_directory = {
+    'path'            => $api_path,
+    'provider'        => 'location',
+    'proxy_pass'      => [
+      {
+        'url' => $api_url,
+      },
+    ],
+    'request_headers' => [
+      "unset ${remote_user_environ_header}",
+      "set ${remote_user_environ_header} \"%{SSL_CLIENT_S_DN_CN}s\" env=SSL_CLIENT_S_DN_CN",
+    ],
+  }
+
+  # Static content is served by the whitenoise application. SELinux prevents
+  # Apache from serving it directly
+  $proxy_pass_static = {
+    'path' => $pulpcore::static_url,
+    'url'  => "${api_base_url}${pulpcore::static_url}",
+  }
+
+  case $pulpcore::apache_http_vhost {
+    true: {
+      $http_vhost_name = 'pulpcore'
+      $http_fragment = undef
+
+      include apache
+      include apache::mod::headers
+      apache::vhost { $http_vhost_name:
+        servername     => $pulpcore::servername,
+        port           => $http_port,
+        priority       => $vhost_priority,
+        docroot        => $pulpcore::apache_docroot,
+        manage_docroot => false,
+        directories    => [$docroot_directory, $content_directory],
+        *              => $http_vhost_options,
+      }
+    }
+    false: {
+      $http_vhost_name = undef
+      $http_fragment = undef
+    }
+    default: {
+      $http_vhost_name = $pulpcore::apache_http_vhost
+      $http_fragment = epp('pulpcore/apache-fragment.epp', {
+          'directories' => [$content_directory],
+      })
+    }
+  }
+
+  case $pulpcore::apache_https_vhost {
+    true: {
+      $https_vhost_name = 'pulpcore-https'
+      $https_fragment = undef
+
+      include apache
+      include apache::mod::headers
+      apache::vhost { $https_vhost_name:
+        servername        => $pulpcore::servername,
+        port              => $https_port,
+        ssl               => true,
+        priority          => $vhost_priority,
+        docroot           => $pulpcore::apache_docroot,
+        manage_docroot    => false,
+        directories       => [$docroot_directory, $content_directory, $api_directory],
+        proxy_pass        => [$proxy_pass_static],
+        ssl_cert          => $pulpcore::apache_https_cert,
+        ssl_key           => $pulpcore::apache_https_key,
+        ssl_chain         => $pulpcore::apache_https_chain,
+        ssl_ca            => $pulpcore::apache_https_ca,
+        ssl_verify_client => $ssl_verify_client,
+        *                 => $https_vhost_options,
+      }
+    }
+    false: {
+      $https_vhost_name = undef
+      $https_fragment = undef
+    }
+    default: {
+      $https_vhost_name = $pulpcore::apache_https_vhost
+      $https_fragment = epp('pulpcore/apache-fragment.epp', {
+          'directories' => [$content_directory, $api_directory],
+          'proxy_pass'  => [$proxy_pass_static],
+      })
+    }
+  }
+
+  if $pulpcore::apache_http_vhost == true or $pulpcore::apache_https_vhost == true {
+    file { $pulpcore::apache_docroot:
+      ensure => directory,
+      owner  => $pulpcore::user,
+      group  => $pulpcore::group,
+      mode   => '0755',
+    }
+  }
+
+  if $http_fragment or $https_fragment {
+    pulpcore::apache::fragment { 'pulpcore':
+      http_content  => $http_fragment,
+      https_content => $https_fragment,
     }
+  }
 
+  if $manage_selinux_boolean and ($pulpcore::apache_http_vhost or $pulpcore::apache_https_vhost) {
+    # Doesn't use selinux::boolean since that doesn't use ensure_resource which
+    # then conflict with the foreman module which doesn't use the selinux module.
     if $facts['os']['selinux']['enabled'] {
-      selinux::boolean { 'httpd_can_network_connect': }
+      ensure_resource('selboolean', 'httpd_can_network_connect', {
+          value      => 'on',
+          persistent => true,
+      })
     }
   }
 }

manifests/apache/fragment.pp

@@ -0,0 +1,32 @@
+# @summary Deploy an Apache fragment. Only intended to be used within the module
+# @param order
+#   This determines the order. See apache::vhost for more details.
+#   165 is chosen because it's just before the Proxy setup. In Foreman a
+#   ProxyPass /pulp ! is generated and by placing all content before that, a
+#   broken setup is avoided.
+# @api private
+define pulpcore::apache::fragment (
+  Optional[String] $http_content = undef,
+  Optional[String] $https_content = undef,
+  Integer[0] $order = 165,
+) {
+  include pulpcore::apache
+
+  if $pulpcore::apache::http_vhost_name and $http_content {
+    apache::vhost::fragment { "pulpcore-http-${title}":
+      vhost    => $pulpcore::apache::http_vhost_name,
+      priority => $pulpcore::apache::vhost_priority,
+      content  => $http_content,
+      order    => $order,
+    }
+  }
+
+  if $pulpcore::apache::https_vhost_name and $https_content {
+    apache::vhost::fragment { "pulpcore-https-${title}":
+      vhost    => $pulpcore::apache::https_vhost_name,
+      priority => $pulpcore::apache::vhost_priority,
+      content  => $https_content,
+      order    => $order,
+    }
+  }
+}

manifests/init.pp

@@ -9,8 +9,38 @@
 # @param user_home
 #   Pulp user home directory
 #
-# @param manage_apache
-#   Deploy a separate apache vhost for pulp3
+# @param apache_http_vhost
+#   When true, deploy a separate apache vhost for pulp3 listening on HTTP.
+#   When a name is given, fragments are attached to the specified vhost.
+#   When false, no Apache HTTP vhost is touched.
+#
+# @param apache_https_vhost
+#   When true, deploy a separate apache vhost for pulp3 listening on HTTPS.
+#   When a name is given, fragments are attached to the specified vhost.
+#   When false, no Apache HTTPS vhost is touched.
+#
+# @param apache_https_cert
+#   The certificate file to use in the HTTPS vhost. Only used when
+#   apache_https_vhost is true.
+#
+# @param apache_https_key
+#   The key file to use in the HTTPS vhost. Only used when apache_https_vhost
+#   is true.
+#
+# @param apache_https_ca
+#   The ca file to use in the HTTPS vhost. Only used when apache_https_vhost is
+#   true. The ca file should contain the certificates allowed to sign client
+#   certificates. This can be a different CA than the chain.
+#
+# @param apache_https_chain
+#   The chain file to use in the HTTPS vhost. Only used when apache_https_vhost
+#   is true. The chain file should contain the CA certificate an any
+#   intermediate certificates that signed the certificate.
+#
+# @param apache_vhost_priority
+#   The Apache vhost priority. When a name is passed to apache_http_vhost or
+#   apache_https_vhost, this will be used when attaching fragments to those
+#   vhosts. Note that this implies both vhosts need to have the same priority.
 #
 # @param api_host
 #   API service host
@@ -119,9 +149,15 @@
   Stdlib::Absolutepath $chunked_upload_dir = '/var/lib/pulp/upload',
   Stdlib::Absolutepath $media_root = '/var/lib/pulp/media',
   Stdlib::Absolutepath $static_root = '/var/lib/pulp/assets',
-  String[1] $static_url = '/assets/',
+  Pattern['^/.+/$'] $static_url = '/assets/',
   Stdlib::Absolutepath $apache_docroot = '/var/lib/pulp/docroot',
-  Boolean $manage_apache = true,
+  Variant[Boolean, String[1]] $apache_http_vhost = true,
+  Variant[Boolean, String[1]] $apache_https_vhost = true,
+  Optional[Stdlib::Absolutepath] $apache_https_cert = undef,
+  Optional[Stdlib::Absolutepath] $apache_https_key = undef,
+  Optional[Stdlib::Absolutepath] $apache_https_ca = undef,
+  Optional[Stdlib::Absolutepath] $apache_https_chain = undef,
+  String[1] $apache_vhost_priority = '10',
   Stdlib::Host $api_host = '127.0.0.1',
   Stdlib::Port $api_port = 24817,
   Stdlib::Host $content_host = '127.0.0.1',

manifests/plugin.pp

@@ -5,9 +5,17 @@
 #
 # @param config
 #   An optional config in the Pulp settings file
+#
+# @param http_content
+#   Optional fragment for the Apache HTTP vhost
+#
+# @param https_content
+#   Optional fragment for the Apache HTTPS vhost
 define pulpcore::plugin(
   String $package_name = "python3-pulp-${title}",
   Optional[String] $config = undef,
+  Optional[String] $http_content = undef,
+  Optional[String] $https_content = undef,
 ) {
   package { $package_name:
     ensure => present,
@@ -20,4 +28,11 @@
       order   => '10',
     }
   }
+
+  if $http_content or $https_content {
+    pulpcore::apache::fragment { "plugin-${title}":
+      http_content  => $http_content,
+      https_content => $https_content,
+    }
+  }
 }

manifests/plugin/container.pp

@@ -1,6 +1,40 @@
 # @summary Pulp Container plugin
-class pulpcore::plugin::container {
+# @param location_prefix
+#   In the Apache configuration a location with this prefix is exposed. The
+#   version (currently v2) will be appended.
+# @param registry_version_path
+#   The path beneath the location prefix to forward. This is also appended to
+#   the content base url.
+class pulpcore::plugin::container (
+  String $location_prefix = '/pulpcore_registry',
+  String $registry_version_path = '/v2/',
+) {
+  $context = {
+    'directories' => [
+      {
+        'provider'        => 'location',
+        'path'            => "${location_prefix}${registry_version_path}",
+        'proxy_pass'      => [
+          {
+            'url' => "${pulpcore::apache::api_base_url}${registry_version_path}",
+          },
+        ],
+        'request_headers' => [
+          "unset ${pulpcore::apache::remote_user_environ_header}",
+          "set ${pulpcore::apache::remote_user_environ_header} \"%{SSL_CLIENT_S_DN_CN}s\" env=SSL_CLIENT_S_DN_CN",
+        ],
+      },
+    ],
+    'proxy_pass'  => [
+      {
+        'path' => '/pulp/container/',
+        'url'  => "${pulpcore::apache::content_base_url}/pulp/container/",
+      },
+    ],
+  }
+
   pulpcore::plugin { 'container':
-    config => 'TOKEN_AUTH_DISABLED=True',
+    config        => 'TOKEN_AUTH_DISABLED=True',
+    https_content => epp('pulpcore/apache-fragment.epp', $context),
   }
 }

manifests/plugin/file.pp

@@ -1,5 +1,34 @@
 # @summary Pulp File plugin
-class pulpcore::plugin::file {
+# @param use_pulp2_content_route
+#   Whether to redirect the legacy (Pulp 2) URLs to the content server
+class pulpcore::plugin::file (
+  Boolean $use_pulp2_content_route = false,
+) {
+  if $use_pulp2_content_route {
+    $context = {
+      'directories' => [
+        {
+          'provider'        => 'location',
+          'path'            => '/pulp/isos',
+          'proxy_pass'      => [
+            {
+              'url' => $pulpcore::apache::content_url,
+            },
+          ],
+          'request_headers' => [
+            'unset X-CLIENT-CERT',
+            'set X-CLIENT-CERT "%{SSL_CLIENT_CERT}s" env=SSL_CLIENT_CERT',
+          ],
+        },
+      ],
+    }
+    $content = epp('pulpcore/apache-fragment.epp', $context)
+  } else {
+    $content = undef
+  }
+
   pulpcore::plugin { 'file':
+    http_content  => $content,
+    https_content => $content,
   }
 }