diff --git a/data/webdav-defaults.yaml b/data/webdav-defaults.yaml
index ecf924f..8cf3855 100644
--- a/data/webdav-defaults.yaml
+++ b/data/webdav-defaults.yaml
@@ -43,3 +43,4 @@ storm::webdav::voms_trust_store_refresh_interval_sec: 43200
 storm::webdav::voms_cache_enabled: true
 storm::webdav::voms_cache_entry_lifetime_sec: 300
 storm::webdav::scitag_enabled: false
+storm::webdav::nginx_reverse_proxy: false
diff --git a/files/etc/storm/nginx/nginx.conf b/files/etc/storm/nginx/nginx.conf
new file mode 100644
index 0000000..a174f64
--- /dev/null
+++ b/files/etc/storm/nginx/nginx.conf
@@ -0,0 +1,33 @@
+user storm storm;
+worker_processes auto;
+
+error_log /var/log/nginx/error.log debug;
+
+load_module /usr/lib64/nginx/modules/ngx_http_voms_module.so;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include mime.types;
+ default_type application/octet-stream;
+
+ resolver 127.0.0.11 ipv6=off;
+
+ log_format storm '$time_iso8601 [$request_id] $remote_addr - $remote_user "$request" <$upstream_response_time> '
+ '$ssl_protocol/$ssl_cipher '
+ '"$ssl_client_s_dn" '
+ '"$ssl_client_ee_s_dn" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log storm;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ keepalive_timeout 65;
+
+ include /etc/nginx/conf.d/*.conf;
+}
diff --git a/manifests/webdav.pp b/manifests/webdav.pp
index e4120ba..aec6992 100644
--- a/manifests/webdav.pp
+++ b/manifests/webdav.pp
@@ -195,6 +195,8 @@
 Boolean $scitag_enabled,
+ Boolean $nginx_reverse_proxy,
+
 ) {
 contain storm::webdav::install
 contain storm::webdav::config
diff --git a/manifests/webdav/config.pp b/manifests/webdav/config.pp
index 777b99c..35b60a4 100644
--- a/manifests/webdav/config.pp
+++ b/manifests/webdav/config.pp
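Review bot: `error_log /var/log/nginx/error.log debug;` ships the TLS-terminating proxy at the most verbose log level, which records per-connection internals (handshake details, client certificate processing, upstream traffic) for every request and fills the disk quickly; it should be `error_log /var/log/nginx/error.log warn;` with `debug` raised only while troubleshooting. `resolver 127.0.0.11 ipv6=off;` is the address of Docker's embedded DNS, so on the yum-installed hosts this module targets a `proxy_pass` to a hostname will fail to resolve unless something else provides that resolver — presumably it should come from the host's resolver or a module parameter. The `$http_x_forwarded_for` field in the `storm` log format is client-supplied and should be treated as untrusted when correlating requests from these logs.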
@@ -92,6 +92,22 @@
 source => "puppet:///modules/storm/etc/storm/flowd.cfg",
 }
 }
+ if $storm::webdav::nginx_reverse_proxy {
+ file { '/etc/nginx/nginx.conf' :
+ ensure => file,
+ owner => 'storm',
+ group => 'storm',
+ mode => '0644',
+ source => "puppet:///modules/storm/etc/storm/nginx/nginx.conf",
+ }
+ file { '/etc/nginx/conf.d/storm.conf' :
+ ensure => file,
+ content => template('storm/etc/nginx/storm.conf.erb'),
+ owner => 'storm',
+ group => 'storm',
+ mode => '0644',
+ }
+ }
 # Directory '/etc/systemd/system/storm-webdav.service.d' is created by rpm
 $service_dir='/etc/systemd/system/storm-webdav.service.d'
diff --git a/manifests/webdav/install.pp b/manifests/webdav/install.pp
index 1975e2b..8f89479 100644
--- a/manifests/webdav/install.pp
+++ b/manifests/webdav/install.pp
@@ -6,8 +6,8 @@
 package { 'storm-webdav':
 ensure => '>=1.4.2',
 }
+ $el = $facts['os']['distro']['release']['major']
 if $storm::webdav::scitag_enabled {
- $el = $facts['os']['distro']['release']['major']
 yumrepo { 'scitags-repo':
 ensure => present,
 descr => 'SciTags stable repo',
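Review bot: Both nginx configuration files are written with `owner => 'storm', group => 'storm'`, which lets the unprivileged `storm` service account rewrite the configuration that nginx's master process parses as root at startup (including the `load_module` and `user` directives), so a compromise of storm-webdav becomes a path to root; nginx only needs read access, so use `owner => 'root', group => 'root'` and keep `mode => '0644'`. Neither resource carries `require => Package['nginx']` or `notify => Service['nginx']`, so on a first run `/etc/nginx` may not exist yet unless class ordering in `storm::webdav` guarantees install before config (not visible here), and later configuration changes are written but never reloaded. `storm.conf` is rendered from `storm/etc/nginx/storm.conf.erb`, which this diff does not add; if it arrives in a separate commit, that dependency should be stated in the description. The enclosing `storm::webdav::config` class starts outside the hunk.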
@@ -20,4 +20,49 @@
 require => Yumrepo['scitags-repo'],
 }
 }
+ if $storm::webdav::nginx_reverse_proxy {
+ yumrepo { 'nginx-stable-repo':
+ ensure => present,
+ descr => 'nginx stable repo',
+ enabled => 1,
+ gpgcheck => 1,
+ baseurl => "http://nginx.org/packages/centos/${el}/x86_64/",
+ gpgkey => 'https://nginx.org/keys/nginx_signing.key',
+ }
+ package { 'nginx':
+ ensure => 'installed',
+ require => Yumrepo['nginx-stable-repo'],
+ }
+ case $facts['os']['name'] {
+ 'CentOS', 'Scientific': {
+ yumrepo { 'voms':
+ ensure => present,
+ descr => 'VOMS stable repo',
+ baseurl => "https://repo.cloud.cnaf.infn.it/repository/voms-rpm-stable/centos${el}/",
+ enabled => 1,
+ gpgcheck => 0,
+ }
+ }
+ 'RedHat', 'AlmaLinux': {
+ yumrepo { 'voms':
+ ensure => present,
+ descr => 'VOMS stable repo',
+ baseurl => "https://repo.cloud.cnaf.infn.it/repository/voms-rpm-stable/redhat${el}/",
+ enabled => 1,
+ gpgcheck => 0,
+ }
+ }
+ }
+ yumrepo { 'storage-generic':
+ ensure => present,
+ descr => 'Storage Generic repo managed by Puppet',
+ baseurl => 'http://os-server.cnaf.infn.it/distro/Storage/generic/',
+ enabled => 1,
+ gpgcheck => 0,
+ }
+ package { 'nginx-module-http-voms':
+ ensure => 'installed',
+ require => Yumrepo['storage-generic'],
+ }
+ }
 }
diff --git a/manifests/webdav/service.pp b/manifests/webdav/service.pp
index 49bd44a..8494052 100644
--- a/manifests/webdav/service.pp
+++ b/manifests/webdav/service.pp
@@ -11,4 +11,10 @@
 enable => true,
 }
 }
+ if $storm::webdav::nginx_reverse_proxy {
+ service { 'nginx':
+ ensure => running,
+ enable => true,
+ }
+ }
 }
diff --git a/spec/classes/storm/storm_webdav_install_spec.rb b/spec/classes/storm/storm_webdav_install_spec.rb
index 2b7a6cf..020a2c7 100644
--- a/spec/classes/storm/storm_webdav_install_spec.rb
+++ b/spec/classes/storm/storm_webdav_install_spec.rb
@@ -7,6 +7,7 @@
 <<-EOF
 class { 'storm::webdav':
 scitag_enabled => false,
+ nginx_reverse_proxy => false,
 }
 EOF
 end
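Review bot: The `voms` and `storage-generic` repositories are configured with `gpgcheck => 0`, and `storage-generic` is additionally fetched over plain `http://`, so `nginx-module-http-voms` — the module loaded into the TLS-terminating nginx process to validate VOMS credentials — is installed as root from packages that are neither signed nor transport-protected, and anyone on the path to `os-server.cnaf.infn.it` can substitute the RPM. If these repositories publish a signing key, set `gpgcheck => 1` together with a `gpgkey`; at minimum switch that baseurl to HTTPS (the nginx repo also uses `http://` for its baseurl, which is tolerable only because `gpgcheck => 1` is set there). The `case $facts['os']['name']` has no `default` arm, so on any other distribution the `voms` repo is silently not defined while `nginx-module-http-voms` is still required; a `default: { fail("unsupported OS ${facts['os']['name']}") }` arm makes that explicit. `x86_64` is hard-coded in the nginx baseurl; `$facts['os']['architecture']` would avoid surprises on other architectures.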
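Review bot: `service { 'nginx': }` has no `subscribe` to the configuration files managed in `storm::webdav::config`, so a change to `/etc/nginx/nginx.conf` or `/etc/nginx/conf.d/storm.conf` (both created under the same `nginx_reverse_proxy` flag) lands on disk but is never reloaded, and the running proxy keeps stale settings until someone restarts it; add `subscribe => [File['/etc/nginx/nginx.conf'], File['/etc/nginx/conf.d/storm.conf']],` to the resource. Whether `Package['nginx']` is guaranteed to be installed before this service is managed depends on class ordering in `storm::webdav`, which is not visible here. The enclosing `storm::webdav::service` class starts outside the hunk.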
diff --git a/spec/classes/storm/storm_webdav_service_spec.rb b/spec/classes/storm/storm_webdav_service_spec.rb
index 8fd7ac0..6dae47b 100644
--- a/spec/classes/storm/storm_webdav_service_spec.rb
+++ b/spec/classes/storm/storm_webdav_service_spec.rb
@@ -8,6 +8,7 @@
 <<-EOF
 class { 'storm::webdav':
 scitag_enabled => false,
+ nginx_reverse_proxy => false,
 }
 EOF
 end
diff --git a/spec/classes/storm/storm_webdav_spec.rb b/spec/classes/storm/storm_webdav_spec.rb
index d0128e6..2bb7a7d 100644
--- a/spec/classes/storm/storm_webdav_spec.rb
+++ b/spec/classes/storm/storm_webdav_spec.rb
@@ -70,6 +70,8 @@
 'voms_cache_entry_lifetime_sec' => 301,
 'scitag_enabled' => false,
+
+ 'nginx_reverse_proxy' => false,
 }
 end
@@ -311,7 +313,6 @@
 'scitag_enabled' => true,
 }
 end
-
 case facts[:operatingsystemmajrelease]
 when '9'
 it 'scitags-repo is installed and enabled' do
@@ -341,6 +342,94 @@
 end
 it { is_expected.to contain_service('flowd').with(ensure: 'running') }
 end
+
+ context 'Check deployment behind nginx reverse proxy' do
+ let(:params) do
+ {
+ 'http_port' => 8080,
+ 'nginx_reverse_proxy' => true,
+ }
+ end
+ case facts[:operatingsystem]
+ when 'CentOS', 'Scientific'
+ case facts[:operatingsystemmajrelease]
+ when '7'
+ it 'nginx-stable-repo is installed and enabled' do
+ is_expected.to contain_yumrepo('nginx-stable-repo').with(
+ ensure: 'present',
+ baseurl: 'http://nginx.org/packages/centos/7/x86_64/',
+ enabled: 1,
+ gpgcheck: 1,
+ )
+ end
+ it 'voms is installed and enabled' do
+ is_expected.to contain_yumrepo('voms').with(
+ ensure: 'present',
+ baseurl: 'https://repo.cloud.cnaf.infn.it/repository/voms-rpm-stable/centos7/',
+ enabled: 1,
+ gpgcheck: 0,
+ )
+ end
+ end
+ when 'RedHat', 'AlmaLinux'
+ case facts[:operatingsystemmajrelease]
+ when '9'
+ it 'nginx-stable-repo is installed and enabled' do
+ is_expected.to contain_yumrepo('nginx-stable-repo').with(
+ ensure: 'present',
+ baseurl: 'http://nginx.org/packages/centos/9/x86_64/',
+ enabled: 1,
+ gpgcheck: 1,
+ )
+ end
+ it 'voms is installed and enabled' do
+ is_expected.to contain_yumrepo('voms').with(
+ ensure: 'present',
+ baseurl: 'https://repo.cloud.cnaf.infn.it/repository/voms-rpm-stable/redhat9/',
+ enabled: 1,
+ gpgcheck: 0,
+ )
+ end
+ end
+ end
+ it 'storage-generic is installed and enabled' do
+ is_expected.to contain_yumrepo('storage-generic').with(
+ ensure: 'present',
+ baseurl: 'http://os-server.cnaf.infn.it/distro/Storage/generic/',
+ enabled: 1,
+ gpgcheck: 0,
+ )
+ end
+ it 'check sysconfig file' do
+ service_file = '/etc/systemd/system/storm-webdav.service.d/storm-webdav.conf'
+ is_expected.to contain_file(service_file).with(
+ ensure: 'file',
+ )
+ is_expected.to contain_file(service_file).with(content: %r{Environment="STORM_WEBDAV_NGINX_REVERSE_PROXY=true"})
+ end
+ it 'check nginx configuration files' do
+ nginx_conf_file = '/etc/nginx/nginx.conf'
+ is_expected.to contain_file(nginx_conf_file).with(
+ ensure: 'file',
+ )
+ nginx_storm_conf_file = '/etc/nginx/conf.d/storm.conf'
+ is_expected.to contain_file(nginx_storm_conf_file).with(
+ ensure: 'file',
+ )
+ is_expected.to contain_file(nginx_storm_conf_file).with(content: %r{location /internal-get})
+ end
+ it 'check nginx rpm is installed' do
+ is_expected.to contain_package('nginx')
+ end
+ it 'check nginx-module-http-voms rpm is installed' do
+ is_expected.to contain_package('nginx-module-http-voms')
+ end
+ it { is_expected.to contain_service('nginx').with(ensure: 'running') }
+ it 'check environment file' do
+ service_file = '/etc/systemd/system/storm-webdav.service.d/storm-webdav.conf'
+ is_expected.to contain_file(service_file).with(content: %r{Environment="STORM_WEBDAV_HTTP_PORT=8081"})
+ end
+ end
 end
 end
 end
diff --git a/templates/etc/systemd/system/storm-webdav.service.d/storm-webdav.conf.erb b/templates/etc/systemd/system/storm-webdav.service.d/storm-webdav.conf.erb
index 4a4744d..81a10f8 100644
--- a/templates/etc/systemd/system/storm-webdav.service.d/storm-webdav.conf.erb
+++ b/templates/etc/systemd/system/storm-webdav.service.d/storm-webdav.conf.erb
@@ -27,7 +27,7 @@ Environment="STORM_WEBDAV_HOSTNAME_<%= idx %>=<%= hostname %>"
 Environment="STORM_WEBDAV_HTTPS_PORT=<%=scope.lookupvar('storm::webdav::https_port')%>"
 # HTTP connector port
-Environment="STORM_WEBDAV_HTTP_PORT=<%=scope.lookupvar('storm::webdav::http_port')%>"
+Environment="STORM_WEBDAV_HTTP_PORT=<%=scope.lookupvar('storm::webdav::http_port') + (scope.lookupvar('storm::webdav::nginx_reverse_proxy') ? 1 : 0)%>"
 # Path to the service certificate.
 Environment="STORM_WEBDAV_CERTIFICATE_PATH=/etc/grid-security/storm-webdav/hostcert.pem"
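Review bot: The repository expectations in the new context sit inside nested `case facts[:operatingsystem]` / `case facts[:operatingsystemmajrelease]` statements with no fallthrough, so for any fact set other than CentOS/Scientific 7 and RedHat/AlmaLinux 9 (for example an EL8 entry, if the matrix has one) the `voms` and `nginx-stable-repo` resources are never asserted and the context passes silently. A single example derived from the facts, e.g. `baseurl: "http://nginx.org/packages/centos/#{facts[:operatingsystemmajrelease]}/x86_64/"`, would cover every release in the matrix. The `gpgcheck: 0` expectations also pin the unsigned-repository setup as intended behaviour, so they must be updated alongside the manifest if package signing is enabled.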
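Review bot: With `nginx_reverse_proxy` enabled the Jetty HTTP connector moves to `http_port + 1` so nginx can take `http_port`, but nothing in this change restricts that backend port; if storm-webdav still binds the connector on all interfaces, a client can reach the unproxied connector directly and bypass whatever VOMS/TLS checks nginx performs, so the connector should be bound to loopback or the port blocked by a host firewall rule (neither is visible in this diff). The `+ 1` also silently assumes `http_port` is an Integer (a String value from Hiera raises `TypeError` at catalog compile time) and can collide with `https_port` or another listener if those are adjacent; computing the value once in the manifest, e.g. `$backend_http_port = $nginx_reverse_proxy ? { true => $http_port + 1, default => $http_port }`, and validating it there would make the rule explicit. The comment above the line should state the shift: `# HTTP connector port (http_port + 1 when nginx fronts the service and listens on http_port)`.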
@@ -181,3 +181,7 @@ Environment="STORM_WEBDAV_VOMS_CACHE_ENTRY_LIFETIME_SEC=<%=scope.lookupvar('stor
 # Enable SciTags support
 # Default: false
 Environment="STORM_WEBDAV_SCITAG_ENABLED=<%=scope.lookupvar('storm::webdav::scitag_enabled')%>"
+
+# Use nginx as a reverse proxy
+# Default: false
+Environment="STORM_WEBDAV_NGINX_REVERSE_PROXY=<%=scope.lookupvar('storm::webdav::nginx_reverse_proxy')%>"