From 8d9a6f160298e8ee62b7bde56d87bc994ec477d6 Mon Sep 17 00:00:00 2001 From: Ewoud Kohl van Wijngaarden Date: Sat, 10 Oct 2020 15:14:13 +0200 Subject: [PATCH] Factor out Apache to its own class Prior to this, when the Apache config was modified a full database refresh was triggered. There's no need for that and this makes applying those changes faster. --- manifests/apache.pp | 82 ++++++++++++++++++++ manifests/config.pp | 102 +------------------------ manifests/init.pp | 24 +++++- manifests/service.pp | 10 --- templates/foreman.socket-overrides.erb | 2 +- 5 files changed, 105 insertions(+), 115 deletions(-) create mode 100644 manifests/apache.pp diff --git a/manifests/apache.pp b/manifests/apache.pp new file mode 100644 index 000000000..ef4a821e6 --- /dev/null +++ b/manifests/apache.pp @@ -0,0 +1,82 @@ +# @summary The apache configuration for Foreman +# @api private +class foreman::apache { + class { 'foreman::config::apache': + app_root => $foreman::app_root, + priority => $foreman::vhost_priority, + servername => $foreman::servername, + serveraliases => $foreman::serveraliases, + server_port => $foreman::server_port, + server_ssl_port => $foreman::server_ssl_port, + proxy_backend => "unix://${foreman::listen_socket}", + ssl => $foreman::ssl, + ssl_ca => $foreman::server_ssl_ca, + ssl_chain => $foreman::server_ssl_chain, + ssl_cert => $foreman::server_ssl_cert, + ssl_certs_dir => $foreman::server_ssl_certs_dir, + ssl_key => $foreman::server_ssl_key, + ssl_crl => $foreman::server_ssl_crl, + ssl_protocol => $foreman::server_ssl_protocol, + ssl_verify_client => $foreman::server_ssl_verify_client, + user => $foreman::user, + foreman_url => $foreman::foreman_url, + ipa_authentication => $foreman::ipa_authentication, + keycloak => $foreman::keycloak, + keycloak_app_name => $foreman::keycloak_app_name, + keycloak_realm => $foreman::keycloak_realm, + } + + contain foreman::config::apache + + if $foreman::ipa_authentication { + if $facts['os']['selinux']['enabled'] { + selboolean { ['allow_httpd_mod_auth_pam', 'httpd_dbus_sssd']: + persistent => true, + value => 'on', + } + } + + if $foreman::ipa_manage_sssd { + service { 'sssd': + ensure => running, + enable => true, + require => Package['sssd-dbus'], + } + } + + file { "/etc/pam.d/${foreman::pam_service}": + ensure => file, + owner => root, + group => root, + mode => '0644', + content => template('foreman/pam_service.erb'), + } + + $http_keytab = pick($foreman::http_keytab, "${apache::conf_dir}/http.keytab") + + exec { 'ipa-getkeytab': + command => "/bin/echo Get keytab \ + && KRB5CCNAME=KEYRING:session:get-http-service-keytab kinit -k \ + && KRB5CCNAME=KEYRING:session:get-http-service-keytab /usr/sbin/ipa-getkeytab -k ${http_keytab} -p HTTP/${facts['networking']['fqdn']} \ + && kdestroy -c KEYRING:session:get-http-service-keytab", + creates => $http_keytab, + } + -> file { $http_keytab: + ensure => file, + owner => $apache::user, + mode => '0600', + } + + foreman::config::apache::fragment { 'intercept_form_submit': + ssl_content => template('foreman/intercept_form_submit.conf.erb'), + } + + foreman::config::apache::fragment { 'lookup_identity': + ssl_content => template('foreman/lookup_identity.conf.erb'), + } + + foreman::config::apache::fragment { 'auth_gssapi': + ssl_content => template('foreman/auth_gssapi.conf.erb'), + } + } +} diff --git a/manifests/config.pp b/manifests/config.pp index 2df77fb19..f2e4a5c0c 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -94,110 +94,10 @@ } if $foreman::apache { - $listen_socket = '/run/foreman.sock' - - class { 'foreman::config::apache': - app_root => $foreman::app_root, - priority => $foreman::vhost_priority, - servername => $foreman::servername, - serveraliases => $foreman::serveraliases, - server_port => $foreman::server_port, - server_ssl_port => $foreman::server_ssl_port, - proxy_backend => "unix://${listen_socket}", - ssl => $foreman::ssl, - ssl_ca => $foreman::server_ssl_ca, - ssl_chain => $foreman::server_ssl_chain, - ssl_cert => $foreman::server_ssl_cert, - ssl_certs_dir => $foreman::server_ssl_certs_dir, - ssl_key => $foreman::server_ssl_key, - ssl_crl => $foreman::server_ssl_crl, - ssl_protocol => $foreman::server_ssl_protocol, - ssl_verify_client => $foreman::server_ssl_verify_client, - user => $foreman::user, - foreman_url => $foreman::foreman_url, - ipa_authentication => $foreman::ipa_authentication, - keycloak => $foreman::keycloak, - keycloak_app_name => $foreman::keycloak_app_name, - keycloak_realm => $foreman::keycloak_realm, - } - - contain foreman::config::apache - $foreman_socket_override = template('foreman/foreman.socket-overrides.erb') if $foreman::ipa_authentication { - if $facts['os']['selinux']['enabled'] { - selboolean { ['allow_httpd_mod_auth_pam', 'httpd_dbus_sssd']: - persistent => true, - value => 'on', - } - } - - if $foreman::ipa_manage_sssd { - service { 'sssd': - ensure => running, - enable => true, - require => Package['sssd-dbus'], - } - } - - file { "/etc/pam.d/${foreman::pam_service}": - ensure => file, - owner => root, - group => root, - mode => '0644', - content => template('foreman/pam_service.erb'), - } - - $http_keytab = pick($foreman::http_keytab, "${apache::conf_dir}/http.keytab") - - exec { 'ipa-getkeytab': - command => "/bin/echo Get keytab \ - && KRB5CCNAME=KEYRING:session:get-http-service-keytab kinit -k \ - && KRB5CCNAME=KEYRING:session:get-http-service-keytab /usr/sbin/ipa-getkeytab -k ${http_keytab} -p HTTP/${facts['networking']['fqdn']} \ - && kdestroy -c KEYRING:session:get-http-service-keytab", - creates => $http_keytab, - } - -> file { $http_keytab: - ensure => file, - owner => $apache::user, - mode => '0600', - } - - foreman::config::apache::fragment { 'intercept_form_submit': - ssl_content => template('foreman/intercept_form_submit.conf.erb'), - } - - foreman::config::apache::fragment { 'lookup_identity': - ssl_content => template('foreman/lookup_identity.conf.erb'), - } - - foreman::config::apache::fragment { 'auth_gssapi': - ssl_content => template('foreman/auth_gssapi.conf.erb'), - } - - - if $foreman::ipa_manage_sssd { - $sssd = pick(fact('foreman_sssd'), {}) - $sssd_services = join(unique(pick($sssd['services'], []) + ['ifp']), ', ') - $sssd_ldap_user_extra_attrs = join(unique(pick($sssd['ldap_user_extra_attrs'], []) + ['email:mail', 'lastname:sn', 'firstname:givenname']), ', ') - $sssd_allowed_uids = join(unique(pick($sssd['allowed_uids'], []) + [$apache::user, 'root']), ', ') - $sssd_user_attributes = join(unique(pick($sssd['user_attributes'], []) + ['+email', '+firstname', '+lastname']), ', ') - - augeas { 'sssd-ifp-extra-attributes': - context => '/files/etc/sssd/sssd.conf', - changes => [ - "set target[.=~regexp('domain/.*')]/ldap_user_extra_attrs '${sssd_ldap_user_extra_attrs}'", - "set target[.='sssd']/services '${sssd_services}'", - 'set target[.=\'ifp\'] \'ifp\'', - "set target[.='ifp']/allowed_uids '${sssd_allowed_uids}'", - "set target[.='ifp']/user_attributes '${sssd_user_attributes}'", - ], - notify => Service['sssd'], - } - } - - concat::fragment {'foreman_settings+02-authorize_login_delegation.yaml': + concat::fragment { 'foreman_settings+02-authorize_login_delegation.yaml': target => '/etc/foreman/settings.yaml', content => template('foreman/settings-external-auth.yaml.erb'), order => '02', diff --git a/manifests/init.pp b/manifests/init.pp index d8c264aed..3462c1ef8 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -312,19 +312,28 @@ timeout => 0, } + $listen_socket = '/run/foreman.sock' + include foreman::install include foreman::config include foreman::database - contain foreman::service + include foreman::service + + anchor { 'foreman::running': # lint:ignore:anchor_resource + } Anchor <| title == 'foreman::repo' |> ~> Class['foreman::install'] Class['foreman::install'] ~> Class['foreman::config', 'foreman::service'] Class['foreman::config'] ~> Class['foreman::database', 'foreman::service'] Class['foreman::database'] ~> Class['foreman::service'] - Class['foreman::service'] -> Foreman_smartproxy <| base_url == $foreman_url |> + Class['foreman::service'] -> Anchor['foreman::running'] + Anchor['foreman::running'] -> Foreman_smartproxy <| base_url == $foreman_url |> if $apache { - Class['foreman::database'] -> Class['apache::service'] + include foreman::apache + + Class['foreman::config', 'foreman::database'] -> Class['foreman::apache'] + Class['foreman::apache', 'apache::service'] -> Anchor['foreman::running'] if $ipa_authentication and $keycloak { fail("${facts['networking']['hostname']}: External authentication via IPA and Keycloak are mutually exclusive.") } @@ -334,6 +343,15 @@ fail("${facts['networking']['hostname']}: External authentication via Keycloak can only be enabled when Apache is used.") } + # Ensure SSL certs from the puppetmaster are available + # Relationship is duplicated there as defined() is parse-order dependent + if $ssl and defined(Class['puppet::server::config']) { + Class['puppet::server::config'] -> Class['foreman::service'] + if $apache { + Class['puppet::server::config'] -> Class['foreman::apache'] + } + } + # Anchor these separately so as not to break # the notify between main classes Class['foreman::install'] diff --git a/manifests/service.pp b/manifests/service.pp index b1639c1cd..94ff206b4 100644 --- a/manifests/service.pp +++ b/manifests/service.pp @@ -25,16 +25,6 @@ } } - if $apache { - Class['apache::service'] -> Class['foreman::service'] - - # Ensure SSL certs from the puppetmaster are available - # Relationship is duplicated there as defined() is parse-order dependent - if $ssl and defined(Class['puppet::server::config']) { - Class['puppet::server::config'] -> Class['foreman::service'] - } - } - service { "${foreman_service}.socket": ensure => $foreman_service_ensure, enable => $foreman_service_enable, diff --git a/templates/foreman.socket-overrides.erb b/templates/foreman.socket-overrides.erb index 33d1f369f..01f7823cb 100644 --- a/templates/foreman.socket-overrides.erb +++ b/templates/foreman.socket-overrides.erb @@ -1,5 +1,5 @@ [Socket] ListenStream= -ListenStream=<%= @listen_socket %> +ListenStream=<%= scope['foreman::listen_socket'] %> SocketUser=<%= scope['apache::user'] %> SocketMode=0600