Puppet Class: profile::gerrit::proxy

Defined in:
modules/profile/manifests/gerrit/proxy.pp

Overview

Sets up a TLS proxy for Gerrit.

Parameters:

  • ipv4 (Stdlib::IP::Address::V4) (defaults to: lookup('profile::gerrit::ipv4'))
  • ipv6 (Optional[Stdlib::IP::Address::V6]) (defaults to: lookup('profile::gerrit::ipv6'))
  • host (Stdlib::Fqdn) (defaults to: lookup('profile::gerrit::host'))
  • active_host (Stdlib::Fqdn) (defaults to: lookup('profile::gerrit::active_host'))
  • use_acmechief (Boolean) (defaults to: lookup('profile::gerrit::use_acmechief'))
  • replica_hosts (Optional[Array[Stdlib::Fqdn]]) (defaults to: lookup('profile::gerrit::replica_hosts'))
  • replica_host (Stdlib::Fqdn) (defaults to: lookup('profile::gerrit::replica_host'))
  • spare_hosts (Optional[Array[Stdlib::Fqdn]]) (defaults to: lookup('profile::gerrit::spare_hosts'))
  • spare_host (Stdlib::Fqdn) (defaults to: lookup('profile::gerrit::spare_host'))
  • enable_monitoring (Boolean) (defaults to: lookup('profile::gerrit::enable_monitoring'))
  • max_connections (Integer) (defaults to: lookup('profile::gerrit::proxy::max_connections'))
  • log_only (Boolean) (defaults to: lookup('profile::gerrit::proxy::log_only', { 'default_value' => false }))
  • gerrit_site (Stdlib::Unixpath) (defaults to: lookup('profile::gerrit::gerrit_site'))


# File 'modules/profile/manifests/gerrit/proxy.pp', line 2

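# @param ipv4 Not referenced in this class body; presumably read by the ERB templates via scope — confirm.
# @param ipv6 Not referenced in this class body; presumably read by the ERB templates via scope — confirm.
# @param host FQDN served by the TLS vhost on a primary node (one that is neither the replica nor the spare).
# @param active_host Not referenced in this class body; presumably read by the ERB templates via scope — confirm.
# @param use_acmechief Not referenced in this class body; presumably read by the ERB templates via scope — confirm.
# @param replica_hosts On the replica node its first entry becomes the TLS vhost name, so it must be non-empty there.
# @param replica_host FQDN compared against $facts['fqdn'] to detect that this node is the replica.
# @param spare_hosts On the spare node its first entry becomes the TLS vhost name, so it must be non-empty there.
# @param spare_host FQDN compared against $facts['fqdn'] to detect that this node is the spare.
# @param enable_monitoring When true, declares the Icinga HTTPS check and, on the primary only, the blackbox TLS check.
# @param max_connections Not referenced in this class body; presumably read by the qos template via scope — confirm.
# @param log_only Not referenced in this class body; presumably read by the qos template via scope — confirm.
# @param gerrit_site Gerrit site directory; two of its static/ assets are symlinked under /var/www.
class profile::gerrit::proxy(
    Stdlib::IP::Address::V4           $ipv4                 = lookup('profile::gerrit::ipv4'),
    Optional[Stdlib::IP::Address::V6] $ipv6                 = lookup('profile::gerrit::ipv6'),
    Stdlib::Fqdn                      $host                 = lookup('profile::gerrit::host'),
    Stdlib::Fqdn                      $active_host          = lookup('profile::gerrit::active_host'),
    Boolean                           $use_acmechief        = lookup('profile::gerrit::use_acmechief'),
    Optional[Array[Stdlib::Fqdn]]     $replica_hosts        = lookup('profile::gerrit::replica_hosts'),
    Stdlib::Fqdn                      $replica_host         = lookup('profile::gerrit::replica_host'),
    Optional[Array[Stdlib::Fqdn]]     $spare_hosts          = lookup('profile::gerrit::spare_hosts'),
    Stdlib::Fqdn                      $spare_host           = lookup('profile::gerrit::spare_host'),
    Boolean                           $enable_monitoring    = lookup('profile::gerrit::enable_monitoring'),
    Integer                           $max_connections      = lookup('profile::gerrit::proxy::max_connections'),
    Boolean                           $log_only             = lookup('profile::gerrit::proxy::log_only', { 'default_value' => false }),
    Stdlib::Unixpath                  $gerrit_site          = lookup('profile::gerrit::gerrit_site'),
) {

    include network::constants
    # Networks exempted from the mod_qos limits; de-duplicated union of the
    # production and cloud ranges, rendered by qos_exclude.conf.erb below.
    $qos_exclude_cidrs = unique(
        $network::constants::production_networks +
        $network::constants::cloud_networks
    )
    # Role of this node is derived purely from its FQDN.
    $is_replica = $facts['fqdn'] == $replica_host
    $is_spare = $facts['fqdn'] == $spare_host

    # Name the TLS vhost is served (and monitored) under. Replica and spare
    # nodes take the first entry of their host list; those lists are Optional,
    # so fail with a readable message instead of letting `[0]` on undef abort
    # the catalog compile with an opaque error.
    if $is_replica {
        unless $replica_hosts =~ Array[Stdlib::Fqdn, 1] {
            fail("profile::gerrit::proxy: ${facts['fqdn']} is the replica host but profile::gerrit::replica_hosts is unset or empty")
        }
        $tls_host = $replica_hosts[0]
    } elsif $is_spare {
        unless $spare_hosts =~ Array[Stdlib::Fqdn, 1] {
            fail("profile::gerrit::proxy: ${facts['fqdn']} is the spare host but profile::gerrit::spare_hosts is unset or empty")
        }
        $tls_host = $spare_hosts[0]
    } else {
        $tls_host = $host
    }

    # mod_qos: on bookworm the package comes from backports (pinned above the
    # stable build and installed via the bpo helper); elsewhere the regular
    # package is used. Both bookworm resources were previously declared under
    # two identical conditionals; they belong to one decision.
    if debian::codename::eq('bookworm') {
        apt::pin { 'libapache2-mod-qos-backport':
            package  => 'libapache2-mod-qos',
            pin      => 'release n=bookworm-backports',
            priority => 1002,
        }
        apt::package_from_bpo { 'libapache2-mod-qos':
            distro => 'bookworm',
        }
    } else {
        ensure_packages(['libapache2-mod-qos'])
    }

    if $enable_monitoring {
        # Icinga certificate/HTTPS check; both positional arguments of the
        # check command receive the vhost name.
        monitoring::service { 'https':
            description    => 'HTTPS',
            check_command  => "check_ssl_on_host_port_letsencrypt!${tls_host}!${tls_host}!443",
            contact_group  => 'admins,gerrit',
            notes_url      => 'https://phabricator.wikimedia.org/project/view/330/',
            migration_task => 'T384922',
        }

        # End-to-end TLS probe over both address families, primary node only:
        # it must reach a page containing the Gerrit banner with a 200 or 302.
        unless $is_replica or $is_spare {
            prometheus::blackbox::check::http { 'gerrit-tls':
                server_name        => $tls_host,
                team               => 'collaboration-services-releng',
                severity           => 'critical',
                path               => '/',
                follow_redirects   => true,
                status_matches     => [200,302],
                ip_families        => ['ip4','ip6'],
                port               => 443,
                force_tls          => true,
                body_regex_matches => ['Gerrit Code Review'],
            }
        }
    }

    # 'strong' cipher profile for Apache; $ssl_settings is presumably consumed
    # by the apache.erb template via scope — confirm against the template.
    $ssl_settings = ssl_ciphersuite('apache', 'strong', true)
    class { 'httpd':
        modules             => ['rewrite', 'headers', 'proxy', 'proxy_http', 'remoteip', 'ssl', 'qos', 'setenvif'],
        wait_network_online => true,
        require             => Package['libapache2-mod-qos'],
    }

    file { '/var/www':
        ensure  => directory,
        require => Class['httpd'],
    }
    # mod_qos configuration: the exclusion list is rendered at a lower
    # priority than the main qos snippet so it is read first.
    httpd::conf { 'qos_exclude_cidrs':
        content  => template('profile/gerrit/proxy/qos_exclude.conf.erb'),
        priority => 10,
        require  => Package['libapache2-mod-qos'],
    }
    httpd::conf { 'qos':
        content => template('profile/gerrit/proxy/qos.conf.erb'),
        require => Package['libapache2-mod-qos'],
    }

    # The TLS vhost itself, named after the host it serves.
    httpd::site { $tls_host:
        content => template('profile/gerrit/apache.erb'),
        require => Httpd::Conf['qos'],
    }

    file { '/var/www/robots.txt':
        ensure => present,
        owner  => 'root',
        group  => 'root',
        mode   => '0444',
        source => 'puppet:///modules/profile/gerrit/robots.txt'
    }

    # Error page stuff: the static error page plus two assets symlinked out of
    # the Gerrit site directory so the page renders the same way as Gerrit.
    file { '/var/www/error.html':
        ensure  => present,
        owner   => 'root',
        group   => 'root',
        mode    => '0444',
        content => template('gerrit/error.html.erb'),
    }
    file { '/var/www/page-bkg.cache.jpg':
        ensure => link,
        owner  => 'root',
        group  => 'root',
        mode   => '0444',
        target => "${gerrit_site}/static/page-bkg.cache.jpg",
    }
    file { '/var/www/wikimedia-codereview-logo.cache.png':
        ensure => link,
        owner  => 'root',
        group  => 'root',
        mode   => '0444',
        target => "${gerrit_site}/static/wikimedia-codereview-logo.cache.png",
    }

    # Host sets handed to the proxy for the production and cloud ranges.
    gerrit::proxy::set { 'production-hosts':
        ensure => present,
        hosts  => $network::constants::production_networks,
    }
    gerrit::proxy::set { 'cloud-hosts':
        ensure => present,
        hosts  => $network::constants::cloud_networks,
    }

    # Old per-log mtail programs are removed; the single httpd_mod_qos
    # program below replaces them.
    file { [
            '/etc/mtail/httpd_access_mod_qos-mtail.mtail',
            '/etc/mtail/httpd_error_mod_qos-mtail.mtail',
        ]:
            ensure => 'absent',
    }
    mtail::program { 'httpd_mod_qos':
        ensure => present,
        source => 'puppet:///modules/mtail/programs/httpd_mod_qos.mtail',
    }
}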