Use apache mod classes

Requires puppetlabs-apache 7301123aa51afe696f129988482889f61aa4f0d0
which is shipped since 2.0.0 so we bump the required version.

[1] puppetlabs/puppetlabs-apache@7301123

manifests/config/passenger.pp

@@ -44,6 +44,9 @@
 #
 # $start_timeout::            Amount of seconds to wait for Ruby application boot.
 #
+# $foreman_url::              The URL Foreman should be reachable under. Used for loading the application
+#                             on startup rather than on demand.
+#
 # $keepalive::                Enable KeepAlive setting of Apache?
 #
 # $max_keepalive_requests::   MaxKeepAliveRequests setting of Apache
@@ -54,6 +57,8 @@
 #
 # $access_log_format::        Apache log format to use
 #
+# $ipa_authentication::       Whether to install support for IPA authentication
+#
 class foreman::config::passenger(
   Stdlib::Absolutepath $app_root = $::foreman::app_root,
   Optional[String] $listen_on_interface = $::foreman::passenger_interface,
@@ -80,6 +85,7 @@
   Integer[0] $max_keepalive_requests = $::foreman::max_keepalive_requests,
   Integer[0] $keepalive_timeout = $::foreman::keepalive_timeout,
   Optional[String] $access_log_format = undef,
+  Boolean $ipa_authentication = $::foreman::ipa_authentication,
 ) {
   $docroot = "${app_root}/public"
   $suburi_parts = split($foreman_url, '/')
@@ -95,6 +101,13 @@
   include ::apache::mod::headers
   include ::apache::mod::passenger
 
+  if $ipa_authentication {
+    include ::apache::mod::authnz_pam
+    include ::apache::mod::intercept_form_submit
+    include ::apache::mod::lookup_identity
+    include ::apache::mod::auth_kerb
+  }
+
   if $use_vhost {
     # Check the value in case the interface doesn't exist, otherwise listen on all interfaces
     if $listen_on_interface and $listen_on_interface in split($::interfaces, ',') {

manifests/install.pp

@@ -37,24 +37,9 @@
     }
   }
 
-  if $::foreman::ipa_authentication {
-    case $::osfamily {
-      'RedHat': {
-        # The apache::mod's need to be in install to break circular dependencies
-        ::apache::mod { 'authnz_pam': package => 'mod_authnz_pam' }
-        ::apache::mod { 'intercept_form_submit': package => 'mod_intercept_form_submit' }
-        ::apache::mod { 'lookup_identity': package => 'mod_lookup_identity' }
-        include ::apache::mod::auth_kerb
-      }
-      default: {
-        fail("${::hostname}: ipa_authentication is not supported on osfamily ${::osfamily}")
-      }
-    }
-
-    if $::foreman::ipa_manage_sssd {
-      package { 'sssd-dbus':
-        ensure => installed,
-      }
+  if $::foreman::ipa_authentication and $::foreman::ipa_manage_sssd {
+    package { 'sssd-dbus':
+      ensure => installed,
     }
   }
 }

metadata.json

@@ -18,7 +18,7 @@
     },
     {
       "name": "puppetlabs/apache",
-      "version_requirement": ">= 1.10.0 < 2.0.0"
+      "version_requirement": ">= 2.0.0 < 3.0.0"
     },
     {
       "name": "puppetlabs/apt",

spec/classes/foreman_config_passenger_spec.rb

@@ -32,6 +32,7 @@
           :keepalive_timeout      => 5,
           :server_port            => 80,
           :server_ssl_port        => 443,
+          :ipa_authentication     => false,
         } end
 
         it 'should include apache with modules' do
@@ -72,6 +73,7 @@
           :keepalive_timeout      => 5,
           :server_port            => 80,
           :server_ssl_port        => 443,
+          :ipa_authentication     => false,
         } end
 
         case facts[:osfamily]
@@ -173,6 +175,7 @@
           :keepalive_timeout      => 5,
           :server_port            => 80,
           :server_ssl_port        => 443,
+          :ipa_authentication     => false,
         } end
 
         it do
@@ -207,6 +210,7 @@
             :keepalive_timeout      => 15,
             :server_port            => 80,
             :server_ssl_port        => 443,
+            :ipa_authentication     => false,
         } end
 
         it 'should set the respective parameters' do
@@ -245,6 +249,7 @@
           :keepalive_timeout      => 5,
           :server_port            => 80,
           :server_ssl_port        => 443,
+          :ipa_authentication     => false,
         } end
 
         case facts[:osfamily]
@@ -278,7 +283,6 @@
         end
       end
 
-
       describe 'with different ports set' do
         let :params do {
           :app_root               => '/usr/share/foreman',
@@ -305,6 +309,7 @@
           :keepalive_timeout      => 5,
           :server_port            => 8080,
           :server_ssl_port        => 8443,
+          :ipa_authentication     => false,
         } end
 
         it 'should set the respective parameters' do
@@ -314,6 +319,41 @@
           should contain_apache__vhost('foreman-ssl').with_passenger_pre_start("https://#{facts[:fqdn]}:8443")
         end
       end
+
+      describe 'with ipa_authentication' do
+        let :params do {
+          :app_root               => '/usr/share/foreman',
+          :use_vhost              => true,
+          :listen_on_interface    => '192.168.0.1',
+          :ruby                   => '/usr/bin/tfm-ruby',
+          :priority               => '15',
+          :servername             => facts[:fqdn],
+          :serveraliases          => ['foreman'],
+          :ssl                    => false,
+          :ssl_cert               => '/cert.pem',
+          :ssl_certs_dir          => '',
+          :ssl_key                => '/key.pem',
+          :ssl_ca                 => '/ca.pem',
+          :ssl_chain              => '/ca.pem',
+          :ssl_crl                => '/crl.pem',
+          :user                   => 'foreman',
+          :prestart               => true,
+          :min_instances          => 1,
+          :start_timeout          => 600,
+          :foreman_url            => "https://#{facts[:fqdn]}",
+          :keepalive              => true,
+          :max_keepalive_requests => 100,
+          :keepalive_timeout      => 5,
+          :server_port            => 80,
+          :server_ssl_port        => 443,
+          :ipa_authentication     => true,
+        } end
+
+        it { should contain_class('apache::mod::authnz_pam') }
+        it { should contain_class('apache::mod::intercept_form_submit') }
+        it { should contain_class('apache::mod::lookup_identity') }
+        it { should contain_class('apache::mod::auth_kerb') }
+      end
     end
   end
 end

spec/defines/foreman_config_passenger_fragment_spec.rb

@@ -41,6 +41,7 @@
               keepalive_timeout       => 5,
               server_port             => 80,
               server_ssl_port         => 443,
+              ipa_authentication      => false,
           }"
         end
 
@@ -95,6 +96,7 @@
               keepalive_timeout       => 5,
               server_port             => 80,
               server_ssl_port         => 443,
+              ipa_authentication      => false,
           }"
         end