Add full Apache management

[ekohl]

The goal of this PR is to keep all Apache configuration within the module. There should be no Apache config fragments at all in puppet-foreman_proxy_content. There are parameters to attach fragments to an existing vhost. This makes it easy to switch between the co-located implementation (Foreman is the vhost) or standalone.

Currently this is very much a draft. Tests will fail and the proxy setup is not configured when attaching. It may also need parameters for HTTPS certificates.

[ehelms]

Something you may want to consider as part of this re-design is the ability to deploy a content app and its Apache configurations without deploying the API app.

[ekohl]

Yes, I agree. But then you also want to be able to deploy a content app without workers. By that point you're really blowing up the size of the PR.

[ehelms]

This is already a large change so I don't mind it covering that use case :) If you want to plan to come back and layer that change on top of this design I'm OK with that too.

[ekohl]

Something you may want to consider as part of this re-design is the ability to deploy a content app and its Apache configurations without deploying the API app.

What's the goal of deploying one without the API? Shared filesystem with shared database to scale out? I suspect we may also need to support a shared Redis deployment then so I'd prefer to tackle it later. We can write acceptance tests with multiple servers so I'd hope to really set a new level of verification in this module. That does require some research on my side though.

[ehelms]

Correct. With the Pulp 3 architecture, it's possible to deploy just a content app connected to the database of a main Pulp or mirror, as well as the storage (either shared filesystem or S3) for a lighter weight scale out. For that architecture, Redis is only needed by the main Pulp where the API app and workers are.

[ekohl]

I've split off #108 as a preparation PR which will reduce the size of this PR. That can already be merged.

I'm starting to feel fairly confident about this but no tests have been done on attaching to another vhost (which is currently the primary deployment). Hence it's still a draft.

[ekohl]

Looks like EL8 doesn't generate a certificate by default where EL7 does so which is why they fail.

[ehelms]

I think these also need to be passed to the pulpcore::apache::fragment use as well so that authentication is configured through remote user environ.

[ekohl]

So a small update. I started with better integration tests:

• Introduce a curl_command helper #110 makes doing curl commands easier
• A client certificate is generated that can auth
• The API is verified as authenticated and non-authenticated to verify that works

Now that this appears to mostly work, I'm going to continue with testing deployment as part of the Foreman vhost.

[ehelms]

I wouldn't know what to do with this TODO. Could you expand on the details?

[ekohl]

I think this is where I need to solve the issue you saw in fpc where the content was added after the main reverse proxy so they ended up not being proxied.

[ekohl]

I've started doing testing and this appears to work well now. I'm doing a final EL7 pipeline to verify it end to end. EL8 is untested, but I noticed that on EL8's Apache we need to do more work. https://pulp-certguard.readthedocs.io/en/latest/reverse_proxy_config.html#apache-2-4-10-config-example states we need to encode it.

[ehelms]

This is painful to read and parse as a developer. Is there empty lines we could add to separate blocks more? Or processing that can happen inside the puppet class rather than in the template? I think, if we are going to go this route of trying to have a generic fragment that handles all cases, rather than having easy to read, specific templates we need to make the template easier to read and accept that the rendered version may not look like you would exactly design an Apache config file indentation and grouping of parameters wise.

[ekohl]

I should have mentioned this, but it's a trimmed down version of https://github.com/puppetlabs/puppetlabs-apache/blob/main/templates/vhost/_directories.erb with strict input checking. I could probably avoid it altogether and use template('apache/vhost/_directories.erb') but I wasn't quite sure about scoping.

I also wasn't quite sure about best practices. Room for improvement but I liked the strict typing checks.

I'll probably submit this upstream in puppetlabs-apache, but in the short term I don't think we can rely on that.

[ekohl]

I think the tests should now be green, but Travis is backed up. After that, I think this is pretty much ready to be merged.

[ehelms]

This is hard to parse in this in this syntax. I think it could benefit from:

<%- $directories.each |$directory| { -%>
  <%- if $directory['provider'] =~ /^(.*)match$/ {
      $provider = $1.capitalize + 'Match'
    } else {
      $provider = $directory['provider'].capitalize
    }
  -%>

[ehelms]

Could this be:

| -%>

<%-

[ehelms]

I had green install pipeline with this change. I just have questions regarding the EPP template formatting

[ekohl]

How about this? I kept it as a separate commit to make the diff easier to read, but will squash if you agree.

[ehelms]

Yes, that helps a lot, thank you! I can squash on merge once the tests run.

[ehelms]

Trying to kick Travis