(#51) Add option to disable SSL in Jetty

This patch introduces the optional parameter $disable_ssl, which defaults to false. If set to true, the settings ssl-host and ssl-port are completely removed from the Jetty section of the PuppetDB config files. This disables serving of HTTPS requests by PuppetDB, which can be useful when SSL handling is offloaded to a reverse proxy server like Apache or Nginx, as suggested in the PuppetDB documentation (see http://docs.puppetlabs.com/puppetdb/1.2/connect_puppet_apply.html#option-a-set-up-an-ssl-proxy-for-puppetdb).
2013-04-09 00:39:04 +02:00 · 2013-04-09 00:39:04 +02:00 · 28e23581c7
commit 28e23581c7
parent 994e226743
4 changed files with 19 additions and 0 deletions
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -27,6 +27,8 @@
 #                            Set to '0.0.0.0' to listen on all addresses.
 #   ['ssl_listen_port']    - The port on which the puppetdb web server should
 #                            accept HTTPS requests (defaults to 8081).
+#   ['disable_ssl']        - If true, disable HTTPS and only serve
+#                            HTTP requests. Defaults to false.
 #   ['open_ssl_listen_port'] - If true, open the ssl listen port on the firewall. 
 #                            (defaults to true).
 #   ['database']           - Which database backend to use; legal values are
@ -89,6 +91,7 @@ class puppetdb(
  $open_listen_port          = $puppetdb::params::open_listen_port,
  $ssl_listen_address        = $puppetdb::params::ssl_listen_address,
  $ssl_listen_port           = $puppetdb::params::ssl_listen_port,
+  $disable_ssl               = $puppetdb::params::disable_ssl,
  $open_ssl_listen_port      = $puppetdb::params::open_ssl_listen_port,
  $database                  = $puppetdb::params::database,
  $database_port             = $puppetdb::params::database_port,
@ -116,6 +119,7 @@ class puppetdb(
    open_listen_port        => $open_listen_port,
    ssl_listen_address      => $ssl_listen_address,
    ssl_listen_port         => $ssl_listen_port,
+    disable_ssl             => $disable_ssl,
    open_ssl_listen_port    => $open_ssl_listen_port,
    database                => $database,
    database_port           => $database_port,
--- a/manifests/params.pp
+++ b/manifests/params.pp
@ -16,6 +16,7 @@ class puppetdb::params {
  $open_listen_port          = false
  $ssl_listen_address        = $::clientcert
  $ssl_listen_port           = '8081'
+  $disable_ssl               = false
  # This technically defaults to 'true', but in order to preserve backwards
  # compatibility with the deprecated 'manage_redhat_firewall' parameter, we
  # need to specify 'undef' as the default so that we can tell whether or
--- a/manifests/server.pp
+++ b/manifests/server.pp
@ -34,6 +34,8 @@
 #                            Set to '0.0.0.0' to listen on all addresses.
 #   ['ssl_listen_port']    - The port on which the puppetdb web server should
 #                            accept HTTPS requests (defaults to 8081).
+#   ['disable_ssl']        - If true, disable HTTPS and only serve
+#                            HTTP requests. Defaults to false.
 #   ['open_ssl_listen_port'] - If true, open the ssl listen port on the firewall. 
 #                            (defaults to true).
 #   ['database']           - Which database backend to use; legal values are
@ -98,6 +100,7 @@ class puppetdb::server(
  $open_listen_port        = $puppetdb::params::open_listen_port,
  $ssl_listen_address      = $puppetdb::params::ssl_listen_address,
  $ssl_listen_port         = $puppetdb::params::ssl_listen_port,
+  $disable_ssl             = $puppetdb::params::disable_ssl,
  $open_ssl_listen_port    = $puppetdb::params::open_ssl_listen_port,
  $database                = $puppetdb::params::database,
  $database_host           = $puppetdb::params::database_host,
@ -144,6 +147,7 @@ class puppetdb::server(
    listen_port         => $listen_port,
    ssl_listen_address  => $ssl_listen_address,
    ssl_listen_port     => $ssl_listen_port,
+    disable_ssl         => $disable_ssl,
    confdir             => $confdir,
    notify              => Service[$puppetdb_service],
  }
--- a/manifests/server/jetty_ini.pp
+++ b/manifests/server/jetty_ini.pp
@ -12,6 +12,8 @@
 #                            for HTTPS requests.  (defaults to `$::clientcert`.)
 #   ['ssl_listen_port']    - The port on which the puppetdb web server should
 #                            accept HTTPS requests.
+#   ['disable_ssl']        - If true, disable HTTPS and only serve
+#                            HTTP requests. Defaults to false.
 #   ['database_name']   - The name of the database instance to connect to.
 #                         (defaults to `puppetdb`; ignored for `embedded` db)
 #   ['confdir']         - The puppetdb configuration directory; defaults to
@ -34,6 +36,7 @@ class puppetdb::server::jetty_ini(
  $listen_port        = $puppetdb::params::listen_port,  
  $ssl_listen_address = $puppetdb::params::ssl_listen_address,
  $ssl_listen_port    = $puppetdb::params::ssl_listen_port,
+  $disable_ssl        = $puppetdb::params::disable_ssl,
  $confdir            = $puppetdb::params::confdir,
 ) inherits puppetdb::params {

@ -57,12 +60,19 @@ class puppetdb::server::jetty_ini(
    value   => $listen_port,
  }

+  $ssl_setting_ensure = $disable_ssl ? {
+    true    => 'absent',
+    default => 'present',
+  }
+
  ini_setting {'puppetdb_sslhost':
+    ensure  => $ssl_setting_ensure,
    setting => 'ssl-host',
    value   => $ssl_listen_address,
  }

  ini_setting {'puppetdb_sslport':
+    ensure  => $ssl_setting_ensure,
    setting => 'ssl-port',
    value   => $ssl_listen_port,
  }