Add HTTP / HTTPS vhost management

The goal of this is that the module can either manage the vhost itself
or attach fragments to another vhost to embed the application. This
allows composition.

Author: ekohl

manifests/apache.pp

@@ -1,34 +1,122 @@
 # Configure an Apache vhost
 # @api private
-class pulpcore::apache {
+class pulpcore::apache (
+  String[1] $vhost_priority = '10',
+  Stdlib::Port $http_port = 80,
+  Stdlib::Port $https_port = 443,
+) {
   $api_path = '/pulp/api/v3'
   $api_url = "http://${pulpcore::api_host}:${pulpcore::api_port}${api_path}"
   $content_path = '/pulp/content'
-  $content_url = "http://${pulpcore::content_host}:${pulpcore::content_port}${content_path}"
-
-  if $pulpcore::manage_apache {
-    include apache
-    apache::vhost { 'pulpcore':
-      servername => $pulpcore::servername,
-      port       => 80,
-      priority   => '10',
-      docroot    => $pulpcore::webserver_static_dir,
-      proxy_pass => [
-        {
-          'path'         => $api_path,
-          'url'          => $api_url,
-          'reverse_urls' => [$api_url],
-        },
-        {
-          'path'         => $content_path,
-          'url'          => $content_url,
-          'reverse_urls' => [$content_url],
-        },
+  $content_base_url = "http://${pulpcore::content_host}:${pulpcore::content_port}"
+  $content_url = "${content_base_url}${content_path}"
+
+  $base_directories = [
+    {
+      provider       => 'directory',
+      path           => $pulpcore::webserver_static_dir,
+      options        => ['Indexes','FollowSymLinks'],
+      allow_override => ['None'],
+    },
+    {
+      'path'            => $content_path,
+      'provider'        => 'location',
+      'request_headers' => [
+        'unset X-CLIENT-CERT',
+        'set X-CLIENT-CERT "%{SSL_CLIENT_CERT}s" env=SSL_CLIENT_CERT',
       ],
+    },
+  ]
+
+  if $pulpcore::remote_user_environ_name {
+    $remote_user_environ_header = $pulpcore::remote_user_environ_name.regsubst(/^HTTP_/, '')
+    $api_directories = [
+      {
+        'path'            => $api_path,
+        'provider'        => 'location',
+        'request_headers' => [
+          "unset ${remote_user_environ_header}",
+          "set ${remote_user_environ_header} \"%{SSL_CLIENT_S_DN_CN}s\" env=SSL_CLIENT_S_DN_CN",
+        ],
+      },
+    ]
+  } else {
+    $api_directories = []
+  }
+
+  $proxy_pass_content = {
+    'path' => $content_path,
+    'url'  => $content_url,
+  }
+
+  $proxy_pass_api = {
+    'path' => $api_path,
+    'url'  => $api_url,
+  }
+
+  case $pulpcore::apache_http_vhost {
+    true: {
+      $http_vhost_name = 'pulpcore'
+      $http_fragment = undef
+
+      include apache
+      include apache::mod::headers
+      apache::vhost { $http_vhost_name:
+        servername  => $pulpcore::servername,
+        port        => $http_port,
+        priority    => $vhost_priority,
+        docroot     => $pulpcore::webserver_static_dir,
+        directories => $base_directories,
+        proxy_pass  => [$proxy_pass_content],
+      }
     }
+    false: {
+      $http_vhost_name = undef
+      $http_fragment = undef
+    }
+    default: {
+      $http_vhost_name = $pulpcore::apache_http_vhost
+      $http_fragment = epp('pulpcore/apache-fragment.epp', {'proxy_pass' => [$proxy_pass_content]})
 
-    if $facts['os']['selinux']['enabled'] {
-      selinux::boolean { 'httpd_can_network_connect': }
     }
   }
+
+  case $pulpcore::apache_https_vhost {
+    true: {
+      $https_vhost_name = 'pulpcore-https'
+      $https_fragment = undef
+
+      include apache
+      include apache::mod::headers
+      apache::vhost { $https_vhost_name:
+        servername  => $pulpcore::servername,
+        port        => $https_port,
+        ssl         => true,
+        priority    => $vhost_priority,
+        docroot     => $pulpcore::webserver_static_dir,
+        directories => $base_directories + $api_directories,
+        proxy_pass  => [$proxy_pass_api, $proxy_pass_content],
+      }
+    }
+    false: {
+      $https_vhost_name = undef
+      $https_fragment = undef
+    }
+    default: {
+      $https_vhost_name = $pulpcore::apache_https_vhost
+      $https_fragment = epp('pulpcore/apache-fragment.epp', {'proxy_pass' => [$proxy_pass_api, $proxy_pass_content]})
+    }
+  }
+
+  if $http_fragment or $https_fragment {
+    pulpcore::apache::fragment { 'pulpcore':
+      http_content  => $http_fragment,
+      https_content => $https_fragment,
+    }
+  }
+
+  # TODO: should this be in the selinux policy?
+  if $pulpcore::apache_http_vhost or $pulpcore::apache_https_vhost {
+    selinux::boolean { 'httpd_can_network_connect': }
+  }
 }

manifests/apache/fragment.pp

@@ -0,0 +1,27 @@
+# @summary Deploy an Apache fragment. Only intended to be used within the module
+# @api private
+define pulpcore::apache::fragment (
+  Optional[String] $http_content = undef,
+  Optional[String] $https_content = undef,
+  Optional[Integer[0]] $order = undef,
+) {
+  include pulpcore::apache
+
+  if $pulpcore::apache::http_vhost_name and $http_content {
+    apache::vhost::fragment { "pulpcore-http-${title}":
+      vhost    => $pulpcore::apache::http_vhost_name,
+      priority => $pulpcore::apache::vhost_priority,
+      content  => $http_content,
+      order    => $order,
+    }
+  }
+
+  if $pulpcore::apache::https_vhost_name and $https_content {
+    apache::vhost::fragment { "pulpcore-https-${title}":
+      vhost    => $pulpcore::apache::https_vhost_name,
+      priority => $pulpcore::apache::vhost_priority,
+      content  => $https_content,
+      order    => $order,
+    }
+  }
+}

manifests/init.pp

@@ -15,8 +15,15 @@
 # @param user_home
 #   Pulp user home directory
 #
-# @param manage_apache
-#   Deploy a separate apache vhost for pulp3
+# @param apache_http_vhost
+#   When true, deploy a separate apache vhost for pulp3 listening on HTTP.
+#   When a name is given, fragments are attached to the specified vhost.
+#   When false, no Apache HTTP vhost is touched.
+#
+# @param apache_https_vhost
+#   When true, deploy a separate apache vhost for pulp3 listening on HTTPS.
+#   When a name is given, fragments are attached to the specified vhost.
+#   When false, no Apache HTTPS vhost is touched.
 #
 # @param api_host
 #   API service host
@@ -97,7 +104,8 @@
   String $user = 'pulp',
   String $group = 'pulp',
   Stdlib::Absolutepath $user_home = '/var/lib/pulp',
-  Boolean $manage_apache = true,
+  Variant[Boolean, String[1]] $apache_http_vhost = true,
+  Variant[Boolean, String[1]] $apache_https_vhost = true,
   Stdlib::Host $api_host = '127.0.0.1',
   Stdlib::Port $api_port = 24817,
   Stdlib::Host $content_host = '127.0.0.1',

manifests/plugin.pp

@@ -5,9 +5,17 @@
 #
 # @param config
 #   An optional config in the Pulp settings file
+#
+# @param http_content
+#   Optional fragment for the Apache HTTP vhost
+#
+# @param https_content
+#   Optional fragment for the Apache HTTPS vhost
 define pulpcore::plugin(
   String $package_name = "python3-pulp-${title}",
   Optional[String] $config = undef,
+  Optional[String] $http_content = undef,
+  Optional[String] $https_content = undef,
 ) {
   package { $package_name:
     ensure => present,
@@ -20,4 +28,12 @@
       order   => '10',
     }
   }
+
+  if $http_content or $https_content {
+    # TODO: prio below main
+    pulpcore::apache::fragment { "plugin-${title}":
+      http_content  => $http_content,
+      https_content => $https_content,
+    }
+  }
 }

manifests/plugin/container.pp

@@ -1,6 +1,17 @@
 # @summary Pulp Container plugin
-class pulpcore::plugin::container {
+# @param location_prefix
+#   In the Apache configuration a location with this prefix is exposed. The
+#   version (currently v2) will be appended.
+class pulpcore::plugin::container(
+  String $location_prefix = '/pulpcore_registry',
+) {
+  $context = {
+    'path' => "${location_prefix}/v2/",
+    'url'  => "${pulpcore::apache::content_base_url}/v2/",
+  }
+
   pulpcore::plugin { 'container':
-    config => 'TOKEN_AUTH_DISABLED=True',
+    config        => 'TOKEN_AUTH_DISABLED=True',
+    https_content => epp('pulpcore/plugin-container-apache-fragment.epp', $context),
   }
 }

manifests/plugin/file.pp

@@ -1,5 +1,22 @@
 # @summary Pulp File plugin
-class pulpcore::plugin::file {
+# @param use_pulp2_content_route
+#   Whether to redirect the legacy (Pulp 2) URLs to the content server
+class pulpcore::plugin::file (
+  Boolean $use_pulp2_content_route = false,
+) {
+  if $use_pulp2_content_route {
+    $context = {
+      'path' => '/pulp/isos',
+      'url'  => $pulpcore::apache::content_url,
+    }
+    $content = epp('pulpcore/plugin-pulp2-content-routing.epp', $context)
+  } else {
+    $content = undef
+  }
+
   pulpcore::plugin { 'file':
+    http_content  => $content,
+    https_content => $content,
   }
+
 }

manifests/plugin/rpm.pp

@@ -1,5 +1,21 @@
 # @summary Pulp RPM plugin
-class pulpcore::plugin::rpm {
+# @param use_pulp2_content_route
+#   Whether to redirect the legacy (Pulp 2) URLs to the content server
+class pulpcore::plugin::rpm (
+  Boolean $use_pulp2_content_route = false,
+) {
+  if $use_pulp2_content_route {
+    $context = {
+      'path' => '/pulp/repos',
+      'url'  => $pulpcore::apache::content_url,
+    }
+    $content = epp('pulpcore/plugin-pulp2-content-routing.epp', $context)
+  } else {
+    $content = undef
+  }
+
   pulpcore::plugin { 'rpm':
+    http_content  => $content,
+    https_content => $content,
   }
 }

metadata.json

@@ -20,7 +20,7 @@
     },
     {
       "name": "puppetlabs/apache",
-      "version_requirement": ">= 5.0.0 < 6.0.0"
+      "version_requirement": ">= 5.4.0 < 6.0.0"
     },
     {
       "name": "puppetlabs/postgresql",

spec/acceptance/basic_spec.rb

@@ -61,7 +61,7 @@ class { 'pulpcore':
     it { is_expected.to be_listening }
   end
 
-  describe command("curl -s http://#{host_inventory['fqdn']}/pulp/api/v3/status/ -w '%{response_code}' -o /dev/null") do
+  describe command("curl -sk https://#{host_inventory['fqdn']}/pulp/api/v3/status/ -w '%{response_code}' -o /dev/null") do
     its(:stdout) { is_expected.to eq("200") }
     its(:exit_status) { is_expected.to eq 0 }
   end

spec/acceptance/plugins_spec.rb

@@ -20,10 +20,14 @@ class { 'redis::globals':
     }
 
     include pulpcore
-    include pulpcore::plugin::file
+    class { 'pulpcore::plugin::file':
+      redirect_legacy => true,
+    }
     include pulpcore::plugin::container
     include pulpcore::plugin::migration
-    include pulpcore::plugin::rpm
+    class { 'pulpcore::plugin::rpm':
+      redirect_legacy => true,
+    }
     include pulpcore::plugin::certguard
     PUPPET
   }
@@ -59,7 +63,7 @@ class { 'redis::globals':
     it { is_expected.to be_listening }
   end
 
-  describe command("curl -s http://#{host_inventory['fqdn']}/pulp/api/v3/status/ -w '%{response_code}' -o /dev/null") do
+  describe command("curl -sk https://#{host_inventory['fqdn']}/pulp/api/v3/status/ -w '%{response_code}' -o /dev/null") do
     its(:stdout) { is_expected.to eq("200") }
     its(:exit_status) { is_expected.to eq 0 }
   end