add internal IPA support and revproxy

2023-07-25 02:23:31 -07:00 · 2023-07-25 02:23:31 -07:00 · 9bdc4d66a6
commit 9bdc4d66a6
parent ed1aafc13f
7 changed files with 70 additions and 0 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -34,6 +34,7 @@ gerrit_sshd_threads: "32"

 # Gerrit httpd
 gerrit_httpd_listen_url: "proxy-https://127.0.0.1:8080/"
+gerrit_httpd_proxy_url: "http://127.0.0.1:8080/"
 gerrit_referenced_objects_reachable: false

 # Gerrit setup
@ -54,4 +55,7 @@ oauth_client_secret: "NONE"
 # ldap if enabled
 ldap_url_list:
  - ldap://ipa-us-east-2.rockylinux.org
+
+# Use freeipa CA
+tls_use_internal_freeipa: true
 ...
--- a/install-gerrit.yml
+++ b/install-gerrit.yml
@ -5,6 +5,7 @@
  become: true
  vars_files:
    - vars/gerrit.yml
+    - vars/internal.yml
  handlers:
    - import_tasks: handlers/main.yml

@ -43,6 +44,11 @@
        fail_msg: "Please set a proper database password."
      when: not gerrit_allow_insecure_passwords|bool

+  roles:
+    - role: rockylinux.ipagetcert
+      state: present
+      when: tls_use_internal_freeipa|bool
+
  tasks:
    - name: Deploy gerrit as needed
      ansible.builtin.import_tasks: tasks/install.yml
--- a/roles/requirements.yml
+++ b/roles/requirements.yml
@ -0,0 +1,7 @@
+---
+# Roles
+roles:
+  - name: rockylinux.ipagetcert
+    src: https://github.com/rocky-linux/ansible-role-ipa-getcert
+    version: main
+...
--- a/tasks/install.yml
+++ b/tasks/install.yml
@ -2,6 +2,9 @@
 - name: Setup gerrit basics
  ansible.builtin.include_tasks: setup.yml

+- name: Install and configure packages
+  ansible.builtin.include_tasks: pkg.yml
+
 - name: Install gerrit
  ansible.builtin.include_tasks: deploy.yml
 ...
--- a/tasks/pkg.yml
+++ b/tasks/pkg.yml
@ -0,0 +1,21 @@
+---
+- name: Install packages as needed
+  ansible.builtin.package:
+    name: "{{ installed_packages }}"
+    state: present
+
+- name: Deploy reverse proxy
+  ansible.builtin.template:
+    src: "gerrit.httpd.j2"
+    dest: "/etc/httpd/conf.d/gerrit.conf"
+    owner: root
+    group: root
+    mode: "0644"
+  notify: restart_httpd
+
+- name: Ensure httpd is enabled and running
+  ansible.builtin.systemd:
+    name: httpd.service
+    state: running
+    enabled: true
+...
--- a/templates/gerrit.httpd.j2
+++ b/templates/gerrit.httpd.j2
@ -0,0 +1,19 @@
+<VirtualHost *:443>
+  SSLEngine on
+  SSLCertificateFile /etc/pki/tls/certs/{{ ansible_fqdn }}.crt
+  SSLCertificateKeyFile /etc/pki/tls/private/{{ ansible_fqdn }}.key
+  ProxyRequests Off
+  ProxyVia Off
+  ProxyPreserveHost On
+
+  <Proxy *>
+    #Order deny,allow
+    #Allow from all
+    # Use following line instead of the previous two on Apache >= 2.4
+    Require all granted
+  </Proxy>
+
+  AllowEncodedSlashes On
+  ProxyPass / {{ gerrit_httpd_proxy_url }} nocanon
+  #ProxyPassReverse / {{ gerrit_httpd_proxy_url }} nocanon
+</VirtualHost>
--- a/vars/internal.yml
+++ b/vars/internal.yml
@ -0,0 +1,10 @@
+---
+ipa_getcert_requested_hostnames:
+  - name: "{{ ansible_fqdn }}"
+    owner: apache
+    key_location: "/etc/pki/tls/private/{{ ansible_fqdn }}.key"
+    cert_location: "/etc/pki/tls/certs/{{ ansible_fqdn }}.crt"
+    postcmd: "/bin/systemctl reload httpd"
+    cnames:
+      - "git.rockylinux.org"
+...