Puppet Class: profile::opensearch::dashboards::httpd_proxy

Defined in:
modules/profile/manifests/opensearch/dashboards/httpd_proxy.pp

Overview

Class: profile::opensearch::dashboards::httpd_proxy

Provisions Authentication for OpenSearch Dashboards

Parameters:

  • $vhost: Apache vhost name

  • $serveradmin: Email address for contacting server administrator

  • $auth_type: Vhost auth type. One of ldap, local, none

  • $require_ssl: Require SSL connection to vhost?

  • $auth_realm: HTTP basic auth realm description

  • $auth_file: Path to htpasswd file for $auth_type == 'local'

  • $ldap_authurl: AuthLDAPURL for $auth_type == 'ldap'

  • $ldap_binddn: AuthLDAPBindDN for $auth_type == 'ldap'

  • $ldap_groups: List of ldap-group names for $auth_type == 'ldap'

  • $aliases: List of additional vhosts to answer to

filtertags: labs-project-deployment-prep

Parameters:

  • vhost (String) (defaults to: lookup('profile::opensearch::dashboards::httpd_proxy::vhost'))
  • serveradmin (String) (defaults to: lookup('profile::opensearch::dashboards::httpd_proxy::serveradmin'))
  • auth_type (Enum['ldap','local','none','sso']) (defaults to: lookup('profile::opensearch::dashboards::httpd_proxy::auth_type'))
  • require_ssl (Boolean) (defaults to: lookup('profile::opensearch::dashboards::httpd_proxy::require_ssl', { 'default_value' => true }))
  • auth_realm (Optional[String]) (defaults to: lookup('profile::opensearch::dashboards::httpd_proxy::auth_realm', { 'default_value' => undef }))
  • auth_file (Optional[String]) (defaults to: lookup('profile::opensearch::dashboards::httpd_proxy::auth_file', { 'default_value' => undef }))
  • ldap_authurl (Optional[String]) (defaults to: lookup('profile::opensearch::dashboards::httpd_proxy::ldap_authurl', { 'default_value' => undef }))
  • ldap_binddn (Optional[String]) (defaults to: lookup('profile::opensearch::dashboards::httpd_proxy::ldap_binddn', { 'default_value' => undef }))
  • ldap_groups (Optional[Array[String]]) (defaults to: lookup('profile::opensearch::dashboards::httpd_proxy::ldap_groups', { 'default_value' => [] }))
  • aliases (Optional[Array[String]]) (defaults to: lookup('profile::opensearch::dashboards::httpd_proxy::aliases', { 'default_value' => [] }))
  • sso_client_secret (Optional[Sensitive[String]]) (defaults to: lookup('profile::opensearch::dashboards::httpd_proxy::sso_client_secret', { 'default_value' => undef }))
  • sso_cookie_secret (Optional[Sensitive[String]]) (defaults to: lookup('profile::opensearch::dashboards::httpd_proxy::sso_cookie_secret', { 'default_value' => undef }))
  • sso_issuer_url (Stdlib::HTTPSUrl) (defaults to: lookup('profile::opensearch::dashboards::httpd_proxy::sso_issuer_url', { 'default_value' => 'https://idp.wikimedia.org/oidc' }))


# File 'modules/profile/manifests/opensearch/dashboards/httpd_proxy.pp', line 21

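# @summary Apache reverse proxy and authentication front-end for OpenSearch Dashboards.
#
# Depending on $auth_type the vhost either authenticates requests itself
# (htpasswd file or LDAP), passes them through unauthenticated, or proxies
# them to a local oauth2-proxy instance that performs OIDC single sign-on.
#
# @param vhost Apache vhost name
# @param serveradmin Email address for contacting server administrator
# @param auth_type Vhost auth type. One of ldap, local, none, sso
# @param require_ssl Require SSL connection to vhost?
# @param auth_realm HTTP basic auth realm description
# @param auth_file Path to htpasswd file for $auth_type == 'local'
# @param ldap_authurl AuthLDAPURL for $auth_type == 'ldap'
# @param ldap_binddn AuthLDAPBindDN for $auth_type == 'ldap'
# @param ldap_groups List of ldap-group names for $auth_type == 'ldap'
# @param aliases List of additional vhosts to answer to
# @param sso_client_secret OIDC client secret passed to oauth2-proxy for $auth_type == 'sso'
# @param sso_cookie_secret oauth2-proxy session cookie secret for $auth_type == 'sso'
# @param sso_issuer_url OIDC issuer URL (identity provider) for $auth_type == 'sso'
class profile::opensearch::dashboards::httpd_proxy (
    String                            $vhost              = lookup('profile::opensearch::dashboards::httpd_proxy::vhost'),
    String                            $serveradmin        = lookup('profile::opensearch::dashboards::httpd_proxy::serveradmin'),
    Enum['ldap','local','none','sso'] $auth_type          = lookup('profile::opensearch::dashboards::httpd_proxy::auth_type'),
    Boolean                           $require_ssl        = lookup('profile::opensearch::dashboards::httpd_proxy::require_ssl',       { 'default_value' => true }),
    Optional[String]                  $auth_realm         = lookup('profile::opensearch::dashboards::httpd_proxy::auth_realm',        { 'default_value' => undef }),
    Optional[String]                  $auth_file          = lookup('profile::opensearch::dashboards::httpd_proxy::auth_file',         { 'default_value' => undef }),
    Optional[String]                  $ldap_authurl       = lookup('profile::opensearch::dashboards::httpd_proxy::ldap_authurl',      { 'default_value' => undef }),
    Optional[String]                  $ldap_binddn        = lookup('profile::opensearch::dashboards::httpd_proxy::ldap_binddn',       { 'default_value' => undef }),
    Optional[Array[String]]           $ldap_groups        = lookup('profile::opensearch::dashboards::httpd_proxy::ldap_groups',       { 'default_value' => [] }),
    Optional[Array[String]]           $aliases            = lookup('profile::opensearch::dashboards::httpd_proxy::aliases',           { 'default_value' => [] }),
    Optional[Sensitive[String]]       $sso_client_secret  = lookup('profile::opensearch::dashboards::httpd_proxy::sso_client_secret', { 'default_value' => undef }),
    Optional[Sensitive[String]]       $sso_cookie_secret  = lookup('profile::opensearch::dashboards::httpd_proxy::sso_cookie_secret', { 'default_value' => undef }),
    Stdlib::HTTPSUrl                  $sso_issuer_url     = lookup('profile::opensearch::dashboards::httpd_proxy::sso_issuer_url',    { 'default_value' => 'https://idp.wikimedia.org/oidc' }),
) {
    # Apache modules needed by every auth mode; the auth-specific ones are
    # appended below.
    $httpd_base_modules = [
        'proxy_http',
        'proxy',
        'alias',
        'headers',
        'rewrite',
    ]

    # With SSO, Apache proxies everything to the local oauth2-proxy listener,
    # which in turn forwards to Dashboards; otherwise Apache talks to
    # Dashboards directly. Consumed by the vhost template.
    $upstream_port = $auth_type ? {
        'sso'   => 4180,
        default => 5601,
    }

    case $auth_type {
        'ldap': {
            $httpd_extra_modules = ['authnz_ldap']
            include ::passwords::ldap::production

            # FIXME: move this into hiera config
            $ldap_bindpass = $passwords::ldap::production::proxypass
        }
        'local': {
            $httpd_extra_modules = ['authz_groupfile', 'authz_user']
        }
        'none': {
            $httpd_extra_modules = []
        }
        'sso': {
            $httpd_extra_modules = []

            # oauth2-proxy performs the OIDC login and forwards authenticated
            # requests to Dashboards. The status endpoint is exempted from
            # authentication -- presumably for health checks; confirm that is
            # still intended before widening the list.
            class { 'profile::oauth2_proxy::oidc':
                upstreams        => ['http://localhost:5601'],
                client_id        => 'logstash_oidc',
                client_secret    => $sso_client_secret,
                cookie_secret    => $sso_cookie_secret,
                issuer_url       => $sso_issuer_url,
                cookie_domain    => $vhost,
                redirect_url     => "https://${vhost}/oauth2/callback",
                skip_auth_routes => [ '^/api/status' ],
            }
        }
        default: {
            # Unreachable given the Enum type on $auth_type; kept so the case
            # is exhaustive if the type is ever widened.
            fail("Unsupported auth_type '${auth_type}'")
        }
    }

    # Native array concatenation (Puppet 4+) instead of stdlib's concat().
    $httpd_modules = $httpd_base_modules + $httpd_extra_modules

    class { '::httpd':
        modules => $httpd_modules,
    }

    $apache_auth = template("profile/opensearch/common/httpd_proxy/apache-auth-${auth_type}.erb")

    # The firewall is only opened when some authentication sits in front of
    # Dashboards; with auth_type 'none' this class creates no ferm rule.
    # NOTE(review): only TCP/80 is opened here; how $require_ssl is enforced
    # lives in the vhost template, not in this class -- confirm where TLS is
    # terminated. The single quotes around $DOMAIN_NETWORKS are intentional:
    # it is a ferm-side variable, not a Puppet one.
    if $auth_type != 'none' {
        ferm::service { 'opensearch_dashboards_frontend':
            proto   => 'tcp',
            port    => 80,
            notrack => true,
            srange  => '$DOMAIN_NETWORKS',
        }
    }

    httpd::site { $vhost:
        content => template('profile/opensearch/dashboards/httpd_proxy/apache.conf.erb'),
    }
}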