.fixtures.yml

@@ -8,5 +8,9 @@ fixtures:
     extlib:           'https://github.com/voxpupuli/puppet-extlib'
     postgresql:       'https://github.com/puppetlabs/puppetlabs-postgresql'
     redis:            'https://github.com/voxpupuli/puppet-redis'
+    selinux:          'https://github.com/voxpupuli/puppet-selinux'
+    selinux_core:
+      repo:           'https://github.com/puppetlabs/puppetlabs-selinux_core'
+      puppet_version: '>= 6.0.0'
     stdlib:           'https://github.com/puppetlabs/puppetlabs-stdlib'
     systemd:          'https://github.com/camptocamp/puppet-systemd'

CHANGELOG.md

@@ -1,5 +1,21 @@
 # Changelog
 
+## [0.2.0](https://github.com/theforeman/puppet-pulpcore/tree/0.2.0) (2020-03-19)
+
+[Full Changelog](https://github.com/theforeman/puppet-pulpcore/compare/0.1.0...0.2.0)
+
+**Implemented enhancements:**
+
+- Fixes [\#29069](https://projects.theforeman.org/issues/29069) - Apply selinux labels to pulpcore ports [\#72](https://github.com/theforeman/puppet-pulpcore/pull/72) ([wbclark](https://github.com/wbclark))
+- Refs [\#28901](https://projects.theforeman.org/issues/28901) - Support SSL connection for external postgresql database [\#71](https://github.com/theforeman/puppet-pulpcore/pull/71) ([wbclark](https://github.com/wbclark))
+
+**Merged pull requests:**
+
+- Pin Facter to \< 4 [\#81](https://github.com/theforeman/puppet-pulpcore/pull/81) ([ekohl](https://github.com/ekohl))
+- enable httpd\_can\_network\_connect selinux boolean [\#76](https://github.com/theforeman/puppet-pulpcore/pull/76) ([wbclark](https://github.com/wbclark))
+- Prepare acceptance tests for EL8 [\#75](https://github.com/theforeman/puppet-pulpcore/pull/75) ([ekohl](https://github.com/ekohl))
+- Fixes [\#28996](https://projects.theforeman.org/issues/28996) - Set PULP\_STATIC\_ROOT [\#69](https://github.com/theforeman/puppet-pulpcore/pull/69) ([wbclark](https://github.com/wbclark))
+
 ## [0.1.0](https://github.com/theforeman/puppet-pulpcore/tree/0.1.0) (2020-02-13)
 
 [Full Changelog](https://github.com/theforeman/puppet-pulpcore/compare/41659cd46708a5a3ce9bdc5e9071f93fb994161c...0.1.0)
@@ -10,27 +26,25 @@
 - configurable REMOTE\_USER\_ENVIRON\_NAME [\#58](https://github.com/theforeman/puppet-pulpcore/issues/58)
 - Pulp 2 and 3 API calls through Apache don't play nice [\#49](https://github.com/theforeman/puppet-pulpcore/issues/49)
 - Add smoke tests to nightly installer pipelines [\#42](https://github.com/theforeman/puppet-pulpcore/issues/42)
-- Update to use django-admin solution for pulpcore [\#39](https://github.com/theforeman/puppet-pulpcore/issues/39)
 - Check on pulpcore-resource-manager naming and configuration form latest ansible-pulp [\#36](https://github.com/theforeman/puppet-pulpcore/issues/36)
 - Update CONTENT\_ORIGIN to match proper value ansible-pulp [\#35](https://github.com/theforeman/puppet-pulpcore/issues/35)
-- Update Redis database number to '8' [\#34](https://github.com/theforeman/puppet-pulpcore/issues/34)
 - Make PULP2 mongodb settings configurable [\#33](https://github.com/theforeman/puppet-pulpcore/issues/33)
+- Add database migration command  [\#23](https://github.com/theforeman/puppet-pulpcore/issues/23)
+- Allow disabling management of Apache via a paramter [\#11](https://github.com/theforeman/puppet-pulpcore/issues/11)
+- Support external postgresql [\#10](https://github.com/theforeman/puppet-pulpcore/issues/10)
+- Allow specification of externally managed PostgreSQl instance [\#4](https://github.com/theforeman/puppet-pulpcore/issues/4)
+- Update to use django-admin solution for pulpcore [\#39](https://github.com/theforeman/puppet-pulpcore/issues/39)
+- Update Redis database number to '8' [\#34](https://github.com/theforeman/puppet-pulpcore/issues/34)
 - Drop Ansible settings [\#32](https://github.com/theforeman/puppet-pulpcore/issues/32)
 - Secret key handling [\#31](https://github.com/theforeman/puppet-pulpcore/issues/31)
-- Add database migration command  [\#23](https://github.com/theforeman/puppet-pulpcore/issues/23)
 - pulp-api fails to start due to permission denied on key [\#22](https://github.com/theforeman/puppet-pulpcore/issues/22)
-- Service files are all readonly but should be 644 [\#21](https://github.com/theforeman/puppet-pulpcore/issues/21)
 - The 'gunicorn' command is located at /usr/bin [\#20](https://github.com/theforeman/puppet-pulpcore/issues/20)
 - The 'rq' command is located at /usr/bin [\#19](https://github.com/theforeman/puppet-pulpcore/issues/19)
 - Manage of user\_home "/var/lib/pulp" clashes with dependency in Katello [\#17](https://github.com/theforeman/puppet-pulpcore/issues/17)
 - Drop settings PostgreSQL globals [\#16](https://github.com/theforeman/puppet-pulpcore/issues/16)
-- Allow disabling management of Apache via a paramter [\#11](https://github.com/theforeman/puppet-pulpcore/issues/11)
-- Support external postgresql [\#10](https://github.com/theforeman/puppet-pulpcore/issues/10)
 - Install from RPM repos rather than PyPI [\#9](https://github.com/theforeman/puppet-pulpcore/issues/9)
 - Allow using Redis configured by Foreman [\#7](https://github.com/theforeman/puppet-pulpcore/issues/7)
-- Deploy Apache configuration to Smart proxy reverse proxy [\#6](https://github.com/theforeman/puppet-pulpcore/issues/6)
 - Deploy Apache configurations to Foreman vhost [\#5](https://github.com/theforeman/puppet-pulpcore/issues/5)
-- Allow specification of externally managed PostgreSQl instance [\#4](https://github.com/theforeman/puppet-pulpcore/issues/4)
 
 **Merged pull requests:**
 
@@ -51,7 +65,6 @@
 - make servername configurable [\#45](https://github.com/theforeman/puppet-pulpcore/pull/45) ([wbclark](https://github.com/wbclark))
 - Improve settings. [\#44](https://github.com/theforeman/puppet-pulpcore/pull/44) ([wbclark](https://github.com/wbclark))
 - Introduce a pulpcore::admin define [\#43](https://github.com/theforeman/puppet-pulpcore/pull/43) ([ekohl](https://github.com/ekohl))
-- Add file and container plugins [\#30](https://github.com/theforeman/puppet-pulpcore/pull/30) ([ekohl](https://github.com/ekohl))
 - Refresh collectstatic on the settings file [\#29](https://github.com/theforeman/puppet-pulpcore/pull/29) ([ekohl](https://github.com/ekohl))
 - collectstatic needs --noinput to avoid waiting on user input [\#28](https://github.com/theforeman/puppet-pulpcore/pull/28) ([ehelms](https://github.com/ehelms))
 - fixes [\#16](https://projects.theforeman.org/issues/16): Drop postgresql globals [\#26](https://github.com/theforeman/puppet-pulpcore/pull/26) ([ehelms](https://github.com/ehelms))
@@ -64,6 +77,7 @@
 - fixed default params [\#8](https://github.com/theforeman/puppet-pulpcore/pull/8) ([wbclark](https://github.com/wbclark))
 - Creation of initial classes [\#2](https://github.com/theforeman/puppet-pulpcore/pull/2) ([wbclark](https://github.com/wbclark))
 - initial setup via modulesync [\#1](https://github.com/theforeman/puppet-pulpcore/pull/1) ([wbclark](https://github.com/wbclark))
+- Add file and container plugins [\#30](https://github.com/theforeman/puppet-pulpcore/pull/30) ([ekohl](https://github.com/ekohl))
 
 
 

Gemfile

@@ -5,6 +5,9 @@ source 'https://rubygems.org'
 
 gem 'puppet', ENV.key?('PUPPET_VERSION') ? "~> #{ENV['PUPPET_VERSION']}" : '>= 5.5'
 
+# https://github.com/voxpupuli/puppet-selinux/issues/318
+gem 'facter', '< 4'
+
 gem 'rake'
 gem 'rspec', '~> 3.0'
 gem 'rspec-puppet', '~> 2.3'

manifests/admin.pp

@@ -17,20 +17,25 @@
 # @param pulp_settings
 #   The pulp settings file to use
 #
+# @param static_root
+#   Root directory for static content
+#
 # @see exec
 define pulpcore::admin(
   String $command = $title,
   Boolean $refreshonly = false,
   Optional[String] $unless = undef,
   Array[Stdlib::Absolutepath] $path = ['/usr/bin'],
   Stdlib::Absolutepath $pulp_settings = $pulpcore::settings_file,
+  Stdlib::Absolutepath $static_root = $pulpcore::pulp_static_root,
 ) {
   Concat <| title == 'pulpcore settings' |>
   -> exec { "python3-django-admin ${title}":
     path        => $path,
     environment => [
       'DJANGO_SETTINGS_MODULE=pulpcore.app.settings',
       "PULP_SETTINGS=${pulp_settings}",
+      "PULP_STATIC_ROOT=${static_root}",
     ],
     refreshonly => $refreshonly,
     unless      => $unless,

manifests/apache.pp

@@ -26,5 +26,9 @@
         },
       ],
     }
+
+    if $facts['os']['selinux']['enabled'] {
+      selinux::boolean { 'httpd_can_network_connect': }
+    }
   }
 }

manifests/config.pp

@@ -32,4 +32,17 @@
     subscribe   => Concat['pulpcore settings'],
   }
 
+  selinux::port { 'pulpcore-api-port':
+    ensure   => 'present',
+    seltype  => 'pulpcore_port_t',
+    protocol => 'tcp',
+    port     => $pulpcore::api_port,
+  }
+
+  selinux::port { 'pulpcore-content-port':
+    ensure   => 'present',
+    seltype  => 'pulpcore_port_t',
+    protocol => 'tcp',
+    port     => $pulpcore::content_port,
+  }
 }

manifests/init.pp

@@ -33,24 +33,42 @@
 # @param webserver_static_dir
 #   Directory for Pulp webserver static content
 #
+# @param pulp_static_root
+#   Root directory for collected static content
+#
 # @param postgresql_db_name
-#   Name of Pulp database
+#   Name of Pulp PostgreSQL database
 #
 # @param postgresql_db_user
-#   Pulp database user
+#   Pulp PostgreSQL database user
 #
 # @param postgresql_db_password
-#   Password of Pulp database
+#   Password of Pulp PostgreSQL database
 #
 # @param postgresql_db_host
-#   Host to connect to Pulp database
+#   Host to connect to Pulp PostgreSQL database
 #
 # @param postgresql_db_port
-#   Port to connect to Pulp database
+#   Port to connect to Pulp PostgreSQL database
 #
 # @param postgresql_manage_db
 #   Whether or not to manage the PostgreSQL installation. If false, a database at the specified host and port is expected to exist and the user should have sufficient permissions.
 #
+# @param postgresql_db_ssl
+#   Whether to configure SSL connection for PostgresQL database. The configuration is only applied if the PostgresQL database is unmanaged.
+#
+# @param postgresql_db_ssl_require
+#   Specifies whether pulpcore is configured to require an encrypted connection to the unmanaged PostgreSQL database server.
+#
+# @param postgresql_db_ssl_cert
+#   Path to the SSL certificate to be used for the SSL connection to PostgreSQL.
+#
+# @param postgresql_db_ssl_key
+#   Path to the key to be used for the SSL connection to PostgreSQL.
+#
+# @param postgresql_db_ssl_root_ca
+#   Path to the root certificate authority to validate the certificate supplied by the PostgreSQL database server.
+#
 # @param django_secret_key
 #   SECRET_KEY for Django
 #
@@ -77,12 +95,18 @@
   Stdlib::Host $content_host = '127.0.0.1',
   Stdlib::Port $content_port = 24816,
   Stdlib::Absolutepath $webserver_static_dir = '/var/lib/pulp/docroot',
+  Stdlib::Absolutepath $pulp_static_root = '/var/lib/pulp/assets',
   String $postgresql_db_name = 'pulpcore',
   String $postgresql_db_user = 'pulp',
   String $postgresql_db_password = extlib::cache_data('pulpcore_cache_data', 'db_password', extlib::random_password(32)),
   Stdlib::Host $postgresql_db_host = 'localhost',
   Stdlib::Port $postgresql_db_port = 5432,
   Boolean $postgresql_manage_db = true,
+  Boolean $postgresql_db_ssl = false,
+  Optional[Boolean] $postgresql_db_ssl_require = undef,
+  Optional[Stdlib::Absolutepath] $postgresql_db_ssl_cert = undef,
+  Optional[Stdlib::Absolutepath] $postgresql_db_ssl_key = undef,
+  Optional[Stdlib::Absolutepath] $postgresql_db_ssl_root_ca = undef,
   String $django_secret_key = extlib::cache_data('pulpcore_cache_data', 'secret_key', extlib::random_password(32)),
   Integer[0] $redis_db = 8,
   Stdlib::Fqdn $servername = $facts['fqdn'],

manifests/install.pp

@@ -1,12 +1,18 @@
-# @summary Install pulpcore packages
-# Currently this is done with pip3. This should have the option to also install via RPMs.
+# @summary Install pulpcore packages, configure user and group
+#
 # @api private
 class pulpcore::install {
 
   package { 'python3-pulpcore':
     ensure => present,
   }
 
+  if $facts['os']['selinux']['enabled'] {
+    package { 'pulpcore-selinux':
+      ensure => present,
+    }
+  }
+
   user { $pulpcore::user:
     ensure     => present,
     gid        => $pulpcore::group,
@@ -17,5 +23,4 @@
   group { $pulpcore::group:
     ensure => present,
   }
-
 }

metadata.json

@@ -1,6 +1,6 @@
 {
   "name": "theforeman-pulpcore",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "author": "theforeman",
   "summary": "Installs next generation Pulp server",
   "license": "GPL-3.0-or-later",
@@ -33,6 +33,10 @@
     {
       "name": "puppet/extlib",
       "version_requirement": ">= 3.0.0 < 5.0.0"
+    },
+    {
+      "name": "puppet/selinux",
+      "version_requirement": ">= 3.1.0 < 4.0.0" 
     }
   ],
   "operatingsystem_support": [

spec/acceptance/basic_spec.rb

@@ -3,22 +3,23 @@
 describe 'basic installation' do
   let(:pp) {
     <<-PUPPET
-    class { 'postgresql::globals':
-      version              => '10',
-      client_package_name  => 'rh-postgresql10-postgresql-syspaths',
-      server_package_name  => 'rh-postgresql10-postgresql-server-syspaths',
-      contrib_package_name => 'rh-postgresql10-postgresql-contrib-syspaths',
-      service_name         => 'postgresql',
-      datadir              => '/var/lib/pgsql/data',
-      confdir              => '/var/lib/pgsql/data',
-      bindir               => '/usr/bin',
-    }
-    class { 'redis::globals':
-      scl => 'rh-redis5',
-    }
-    class { 'pulpcore':
-      postgresql_db_user => 'pulp',
+    if $facts['os']['release']['major'] == '7' {
+      class { 'postgresql::globals':
+        version              => '12',
+        client_package_name  => 'rh-postgresql12-postgresql-syspaths',
+        server_package_name  => 'rh-postgresql12-postgresql-server-syspaths',
+        contrib_package_name => 'rh-postgresql12-postgresql-contrib-syspaths',
+        service_name         => 'postgresql',
+        datadir              => '/var/lib/pgsql/data',
+        confdir              => '/var/lib/pgsql/data',
+        bindir               => '/usr/bin',
+      }
+      class { 'redis::globals':
+        scl => 'rh-redis5',
+      }
     }
+
+    include pulpcore
     PUPPET
   }
 

spec/acceptance/plugins_spec.rb

@@ -3,19 +3,22 @@
 describe 'basic installation' do
   let(:pp) {
     <<-PUPPET
-    class { 'postgresql::globals':
-      version              => '10',
-      client_package_name  => 'rh-postgresql10-postgresql-syspaths',
-      server_package_name  => 'rh-postgresql10-postgresql-server-syspaths',
-      contrib_package_name => 'rh-postgresql10-postgresql-contrib-syspaths',
-      service_name         => 'postgresql',
-      datadir              => '/var/lib/pgsql/data',
-      confdir              => '/var/lib/pgsql/data',
-      bindir               => '/usr/bin',
-    }
-    class { 'redis::globals':
-      scl => 'rh-redis5',
+    if $facts['os']['release']['major'] == '7' {
+      class { 'postgresql::globals':
+        version              => '12',
+        client_package_name  => 'rh-postgresql12-postgresql-syspaths',
+        server_package_name  => 'rh-postgresql12-postgresql-server-syspaths',
+        contrib_package_name => 'rh-postgresql12-postgresql-contrib-syspaths',
+        service_name         => 'postgresql',
+        datadir              => '/var/lib/pgsql/data',
+        confdir              => '/var/lib/pgsql/data',
+        bindir               => '/usr/bin',
+      }
+      class { 'redis::globals':
+        scl => 'rh-redis5',
+      }
     }
+
     include pulpcore
     include pulpcore::plugin::file
     include pulpcore::plugin::container