Merge pull request puppetlabs#2157 from dodevops/te_ssl_reload

Add feature to reload apache service when content of ssl files has changed

Author: david22swan

REFERENCE.md

@@ -109,6 +109,7 @@
 * `apache::confd::no_accf`: Manages the `no-accf.conf` file.
 * `apache::default_confd_files`: Helper for setting up default conf.d files.
 * `apache::default_mods`: Installs and congfigures default mods for Apache
+* `apache::mod::ssl::reload`: Manages the puppet_ssl folder for ssl file copies, which is needed to track changes for reloading service on changes
 * `apache::package`: Installs an Apache MPM.
 * `apache::params`: This class manages Apache parameters
 * `apache::php`: This class installs PHP for Apache.
@@ -207,6 +208,7 @@ The following parameters are available in the `apache` class:
 * [`default_ssl_crl_path`](#default_ssl_crl_path)
 * [`default_ssl_crl_check`](#default_ssl_crl_check)
 * [`default_ssl_key`](#default_ssl_key)
+* [`default_ssl_reload_on_change`](#default_ssl_reload_on_change)
 * [`default_ssl_vhost`](#default_ssl_vhost)
 * [`default_type`](#default_type)
 * [`default_vhost`](#default_vhost)
@@ -434,6 +436,14 @@ environment.
 
 Default value: `$apache::params::default_ssl_key`
 
+##### <a name="default_ssl_reload_on_change"></a>`default_ssl_reload_on_change`
+
+Data type: `Boolean`
+
+Enable reloading of apache if the content of ssl files have changed.
+
+Default value: ``false``
+
 ##### <a name="default_ssl_vhost"></a>`default_ssl_vhost`
 
 Data type: `Boolean`
@@ -6369,6 +6379,7 @@ The following parameters are available in the `apache::mod::ssl` class:
 * [`ssl_stapling`](#ssl_stapling)
 * [`ssl_stapling_return_errors`](#ssl_stapling_return_errors)
 * [`ssl_mutex`](#ssl_mutex)
+* [`ssl_reload_on_change`](#ssl_reload_on_change)
 * [`apache_version`](#apache_version)
 * [`package_name`](#package_name)
 * [`ssl_sessiontickets`](#ssl_sessiontickets)
@@ -6525,6 +6536,14 @@ Default based on the OS and/or Apache version:
 
 Default value: ``undef``
 
+##### <a name="ssl_reload_on_change"></a>`ssl_reload_on_change`
+
+Data type: `Boolean`
+
+Enable reloading of apache if the content of ssl files have changed. It only affects ssl files configured here and not vhost ones.
+
+Default value: ``false``
+
 ##### <a name="apache_version"></a>`apache_version`
 
 Data type: `Any`
@@ -7789,6 +7808,7 @@ The following parameters are available in the `apache::vhost` defined type:
 * [`ssl_stapling_timeout`](#ssl_stapling_timeout)
 * [`ssl_stapling_return_errors`](#ssl_stapling_return_errors)
 * [`ssl_user_name`](#ssl_user_name)
+* [`ssl_reload_on_change`](#ssl_reload_on_change)
 * [`use_canonical_name`](#use_canonical_name)
 * [`define`](#define)
 * [`auth_oidc`](#auth_oidc)
@@ -10638,6 +10658,14 @@ Sets the [SSLUserName](https://httpd.apache.org/docs/current/mod/mod_ssl.html#ss
 
 Default value: ``undef``
 
+##### <a name="ssl_reload_on_change"></a>`ssl_reload_on_change`
+
+Data type: `Boolean`
+
+Enable reloading of apache if the content of ssl files have changed.
+
+Default value: `$apache::default_ssl_reload_on_change`
+
 ##### <a name="use_canonical_name"></a>`use_canonical_name`
 
 Data type: `Optional[Enum['On', 'on', 'Off', 'off', 'DNS', 'dns']]`

manifests/init.pp

@@ -91,6 +91,9 @@
 #   this parameter with your SSL key's location before deploying this server in a production 
 #   environment.
 #
+# @param default_ssl_reload_on_change
+#   Enable reloading of apache if the content of ssl files have changed.
+#
 # @param default_ssl_vhost
 #   Configures a default SSL virtual host.
 #   If `true`, Puppet automatically configures the following virtual host using the 
@@ -472,6 +475,7 @@
   $default_ssl_crl_path                                                 = undef,
   $default_ssl_crl                                                      = undef,
   $default_ssl_crl_check                                                = undef,
+  Boolean $default_ssl_reload_on_change                                 = false,
   $default_type                                                         = 'none',
   $dev_packages                                                         = $apache::params::dev_packages,
   $ip                                                                   = undef,

manifests/mod/ssl.pp

@@ -62,6 +62,9 @@
 #   - Debian/Ubuntu + Apache >= 2.4: 'default'.
 #   - Debian/Ubuntu + Apache < 2.4: 'file:${APACHE_RUN_DIR}/ssl_mutex'.
 #
+# @param ssl_reload_on_change
+#   Enable reloading of apache if the content of ssl files have changed. It only affects ssl files configured here and not vhost ones.
+#
 # @param apache_version
 #   Used to verify that the Apache version you have requested is compatible with the module.
 #
@@ -97,6 +100,7 @@
   Optional[String] $stapling_cache                          = undef,
   Optional[Boolean] $ssl_stapling_return_errors             = undef,
   $ssl_mutex                                                = undef,
+  Boolean $ssl_reload_on_change                             = false,
   $apache_version                                           = undef,
   $package_name                                             = undef,
 ) inherits ::apache::params {
@@ -174,6 +178,24 @@
     include apache::mod::socache_shmcb
   }
 
+  if $ssl_reload_on_change {
+    [$ssl_cert, $ssl_key, $ssl_ca].each |$ssl_file| {
+      if $ssl_file {
+        include apache::mod::ssl::reload
+        $_ssl_file_copy = regsubst($ssl_file, '/', '_', 'G')
+        file { $_ssl_file_copy:
+          path    => "${apache::params::puppet_ssl_dir}/${_ssl_file_copy}",
+          source  => "file://${ssl_file}",
+          owner   => 'root',
+          group   => $apache::params::root_group,
+          mode    => '0640',
+          seltype => 'cert_t',
+          notify  => Class['apache::service'],
+        }
+      }
+    }
+  }
+
   # Template uses
   #
   # $ssl_compression

manifests/mod/ssl/reload.pp

@@ -0,0 +1,17 @@
+# @summary
+#   Manages the puppet_ssl folder for ssl file copies, which is needed to track changes for reloading service on changes
+#
+# @api private
+class apache::mod::ssl::reload () inherits ::apache::params {
+  file { $apache::params::puppet_ssl_dir:
+    ensure  => directory,
+    purge   => true,
+    recurse => true,
+    require => Package['httpd'],
+  }
+  file { 'README.txt':
+    path    => "${apache::params::puppet_ssl_dir}/README.txt",
+    content => 'This directory contains puppet managed copies of ssl files, so it can track changes and reload apache on changes.',
+    seltype => 'etc_t',
+  }
+}

manifests/params.pp

@@ -63,6 +63,7 @@
     $server_root          = "${httpd_root}/etc/httpd"
     $conf_dir             = "${httpd_dir}/conf"
     $confd_dir            = "${httpd_dir}/conf.d"
+    $puppet_ssl_dir       = "${httpd_dir}/puppet_ssl"
     $mod_dir              = $facts['operatingsystemmajrelease'] ? {
       '7'     => "${httpd_dir}/conf.modules.d",
       default => "${httpd_dir}/conf.d",
@@ -169,6 +170,7 @@
     $server_root          = '/etc/httpd'
     $conf_dir             = "${httpd_dir}/conf"
     $confd_dir            = "${httpd_dir}/conf.d"
+    $puppet_ssl_dir       = "${httpd_dir}/puppet_ssl"
     $conf_enabled         = undef
     if $::operatingsystem =~ /^[Aa]mazon$/ and $::operatingsystemmajrelease == '2' {
       # Amazon Linux 2 uses the /conf.modules.d/ dir
@@ -341,6 +343,7 @@
     $confd_dir           = "${httpd_dir}/conf.d"
     # Overwrite conf_enabled causes errors with Shibboleth when enabled on Ubuntu 18.04
     $conf_enabled        = undef #"${httpd_dir}/conf-enabled.d"
+    $puppet_ssl_dir      = "${httpd_dir}/puppet_ssl"
     $mod_dir             = "${httpd_dir}/mods-available"
     $mod_enable_dir      = "${httpd_dir}/mods-enabled"
     $vhost_dir           = "${httpd_dir}/sites-available"
@@ -544,6 +547,7 @@
     $conf_dir         = $httpd_dir
     $confd_dir        = "${httpd_dir}/Includes"
     $conf_enabled     = undef
+    $puppet_ssl_dir   = "${httpd_dir}/puppet_ssl"
     $mod_dir          = "${httpd_dir}/Modules"
     $mod_enable_dir   = undef
     $vhost_dir        = "${httpd_dir}/Vhosts"
@@ -617,6 +621,7 @@
     $conf_dir         = $httpd_dir
     $confd_dir        = "${httpd_dir}/conf.d"
     $conf_enabled     = undef
+    $puppet_ssl_dir   = "${httpd_dir}/puppet_ssl"
     $mod_dir          = "${httpd_dir}/modules.d"
     $mod_enable_dir   = undef
     $vhost_dir        = "${httpd_dir}/vhosts.d"
@@ -687,6 +692,7 @@
     $conf_dir            = $httpd_dir
     $confd_dir           = "${httpd_dir}/conf.d"
     $conf_enabled        = undef
+    $puppet_ssl_dir      = "${httpd_dir}/puppet_ssl"
     $mod_dir             = "${httpd_dir}/mods-available"
     $mod_enable_dir      = "${httpd_dir}/mods-enabled"
     $vhost_dir           = "${httpd_dir}/sites-available"

manifests/vhost.pp

@@ -1679,6 +1679,9 @@
 # @param ssl_user_name
 #   Sets the [SSLUserName](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslusername) directive.
 #
+# @param ssl_reload_on_change
+#   Enable reloading of apache if the content of ssl files have changed.
+#
 # @param use_canonical_name
 #   Specifies whether to use the [`UseCanonicalName directive`](https://httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname),
 #   which allows you to configure how the server determines it's own name and port.
@@ -1762,6 +1765,7 @@
   $ssl_crl                                                                          = $apache::default_ssl_crl,
   $ssl_crl_check                                                                    = $apache::default_ssl_crl_check,
   $ssl_certs_dir                                                                    = $apache::params::ssl_certs_dir,
+  Boolean $ssl_reload_on_change                                                     = $apache::default_ssl_reload_on_change,
   $ssl_protocol                                                                     = undef,
   $ssl_cipher                                                                       = undef,
   Variant[Boolean, Enum['on', 'On', 'off', 'Off'], Undef] $ssl_honorcipherorder     = undef,
@@ -2706,12 +2710,30 @@
   # - $ssl_openssl_conf_cmd
   # - $ssl_stapling
   # - $apache_version
-  if $ssl {
+  if $ssl and $ensure == 'present' {
     concat::fragment { "${name}-ssl":
       target  => "${priority_real}${filename}.conf",
       order   => 230,
       content => template('apache/vhost/_ssl.erb'),
     }
+
+    if $ssl_reload_on_change {
+      [$ssl_cert, $ssl_key, $ssl_ca, $ssl_chain, $ssl_crl].each |$ssl_file| {
+        if $ssl_file {
+          include apache::mod::ssl::reload
+          $_ssl_file_copy = regsubst($ssl_file, '/', '_', 'G')
+          file { "${filename}${_ssl_file_copy}":
+            path    => "${apache::params::puppet_ssl_dir}/${filename}${_ssl_file_copy}",
+            source  => "file://${ssl_file}",
+            owner   => 'root',
+            group   => $apache::params::root_group,
+            mode    => '0640',
+            seltype => 'cert_t',
+            notify  => Class['apache::service'],
+          }
+        }
+      }
+    }
   }
 
   # Template uses:

spec/acceptance/apache_ssl_spec.rb

@@ -48,6 +48,17 @@ class { 'apache':
 
   describe 'vhost ssl parameters' do
     pp = <<-MANIFEST
+        file { [
+          '/tmp/ssl_cert',
+          '/tmp/ssl_key',
+          '/tmp/ssl_chain',
+          '/tmp/ssl_ca',
+          '/tmp/ssl_crl',
+          ]:
+            ensure             => file,
+            before             => Class['apache']
+        }
+
         class { 'apache':
           service_ensure       => stopped,
         }
@@ -63,6 +74,7 @@ class { 'apache':
           ssl_crl              => '/tmp/ssl_crl',
           ssl_crl_check        => 'chain flag',
           ssl_certs_dir        => '/tmp',
+          ssl_reload_on_change => true,
           ssl_protocol         => 'test',
           ssl_cipher           => 'test',
           ssl_honorcipherorder => true,
@@ -99,6 +111,26 @@ class { 'apache':
         it { is_expected.not_to contain 'SSLCARevocationCheck' }
       end
     end
+
+    describe file("#{apache_hash['httpd_dir']}/puppet_ssl/test_ssl_tmp_ssl_cert") do
+      it { is_expected.to be_file }
+    end
+
+    describe file("#{apache_hash['httpd_dir']}/puppet_ssl/test_ssl_tmp_ssl_key") do
+      it { is_expected.to be_file }
+    end
+
+    describe file("#{apache_hash['httpd_dir']}/puppet_ssl/test_ssl_tmp_ssl_chain") do
+      it { is_expected.to be_file }
+    end
+
+    describe file("#{apache_hash['httpd_dir']}/puppet_ssl/test_ssl_tmp_ssl_ca") do
+      it { is_expected.to be_file }
+    end
+
+    describe file("#{apache_hash['httpd_dir']}/puppet_ssl/test_ssl_tmp_ssl_crl") do
+      it { is_expected.to be_file }
+    end
   end
 
   describe 'vhost ssl ssl_ca only' do

spec/classes/mod/ssl_spec.rb

@@ -127,6 +127,18 @@
       it { is_expected.to contain_file('ssl.conf').with_content(%r{^  SSLCACertificateFile}) }
     end
 
+    context 'setting ssl_cert with reload' do
+      let :params do
+        {
+          ssl_cert: '/etc/pki/some/path/localhost.crt',
+          ssl_reload_on_change: true,
+        }
+      end
+
+      it { is_expected.to contain_file('ssl.conf').with_content(%r{^  SSLCertificateFile}) }
+      it { is_expected.to contain_file('_etc_pki_some_path_localhost.crt') }
+    end
+
     context 'with Apache version < 2.4 - ssl_compression with default value' do
       let :params do
         {

spec/defines/vhost_spec.rb

@@ -71,7 +71,7 @@
               'ssl_key'                     => '/ssl/key',
               'ssl_chain'                   => '/ssl/chain',
               'ssl_crl_path'                => '/ssl/crl',
-              'ssl_crl'                     => 'foo.crl',
+              'ssl_crl'                     => '/ssl/foo.crl',
               'ssl_certs_dir'               => '/ssl/certs',
               'ssl_protocol'                => 'SSLv2',
               'ssl_cipher'                  => 'HIGH',
@@ -88,6 +88,7 @@
               'ssl_proxy_cipher_suite'      => 'HIGH',
               'ssl_proxy_protocol'          => 'TLSv1.2',
               'ssl_user_name'               => 'SSL_CLIENT_S_DN_CN',
+              'ssl_reload_on_change'        => true,
               'priority'                    => '30',
               'default_vhost'               => true,
               'servername'                  => 'example.com',
@@ -516,6 +517,10 @@
               content: %r{^\s+SSLSessionCacheTimeout 300$},
             )
           }
+          it { is_expected.to contain_file('rspec.example.com_ssl_cert') }
+          it { is_expected.to contain_file('rspec.example.com_ssl_key') }
+          it { is_expected.to contain_file('rspec.example.com_ssl_chain') }
+          it { is_expected.to contain_file('rspec.example.com_ssl_foo.crl') }
           it { is_expected.to contain_class('apache::mod::mime') }
           it { is_expected.to contain_class('apache::mod::vhost_alias') }
           it { is_expected.to contain_class('apache::mod::wsgi') }
@@ -1859,6 +1864,10 @@
           it { is_expected.not_to contain_class('apache::mod::proxy') }
           it { is_expected.not_to contain_class('apache::mod::proxy_http') }
           it { is_expected.not_to contain_class('apache::mod::headers') }
+          it { is_expected.not_to contain_file('rspec.example.com_ssl_cert') }
+          it { is_expected.not_to contain_file('rspec.example.com_ssl_key') }
+          it { is_expected.not_to contain_file('rspec.example.com_ssl_chain') }
+          it { is_expected.not_to contain_file('rspec.example.com_ssl_foo.crl') }
           it { is_expected.to contain_file('/var/www/foo') }
           it {
             is_expected.to contain_file('/tmp/logroot').with('ensure' => 'absent')