diff --git a/manifests/package/redhat.pp b/manifests/package/redhat.pp index e415bdd69..b1816bbd0 100644 --- a/manifests/package/redhat.pp +++ b/manifests/package/redhat.pp @@ -19,17 +19,24 @@ default => 'rhel' } + $want_module_hotfixes = if versioncmp(fact('os.release.full'), '8.0') >= 0 { + '1' + } else { + 'absent' + } + if $manage_repo { case $package_source { 'nginx', 'nginx-stable': { yumrepo { 'nginx-release': - baseurl => "https://nginx.org/packages/${_os}/${facts['os']['release']['major']}/\$basearch/", - descr => 'nginx repo', - enabled => '1', - gpgcheck => '1', - priority => '1', - gpgkey => 'https://nginx.org/keys/nginx_signing.key', - before => Package['nginx'], + baseurl => "https://nginx.org/packages/${_os}/${facts['os']['release']['major']}/\$basearch/", + descr => 'nginx repo', + enabled => '1', + gpgcheck => '1', + priority => '1', + gpgkey => 'https://nginx.org/keys/nginx_signing.key', + before => Package['nginx'], + module_hotfixes => $want_module_hotfixes, } if $purge_passenger_repo { @@ -41,13 +48,14 @@ } 'nginx-mainline': { yumrepo { 'nginx-release': - baseurl => "https://nginx.org/packages/mainline/${_os}/${facts['os']['release']['major']}/\$basearch/", - descr => 'nginx repo', - enabled => '1', - gpgcheck => '1', - priority => '1', - gpgkey => 'https://nginx.org/keys/nginx_signing.key', - before => Package['nginx'], + baseurl => "https://nginx.org/packages/mainline/${_os}/${facts['os']['release']['major']}/\$basearch/", + descr => 'nginx repo', + enabled => '1', + gpgcheck => '1', + priority => '1', + gpgkey => 'https://nginx.org/keys/nginx_signing.key', + before => Package['nginx'], + module_hotfixes => $want_module_hotfixes, } if $purge_passenger_repo { 
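Review bot: `$want_module_hotfixes` is derived only from `versioncmp(fact('os.release.full'), '8.0')`, with no check on the OS name, so any platform handled by this class whose release string compares at or above 8.0 gets `module_hotfixes => '1'` on `nginx-release` (this hunk and the `nginx-mainline` hunk that follows). That setting turns off DNF's modular filtering for the repository, so all of its packages become installable regardless of the enabled module stream. I would scope it to the platforms that need it and record the reason in a comment such as `# EL8+: nginx ships as a DNF module; module_hotfixes lets the nginx.org packages be installed instead`. The rest of the file reads `$facts['os']['release']['major']`, so `versioncmp($facts['os']['release']['major'], '8') >= 0` would be more consistent than calling `fact()`. The enclosing class starts and ends outside the hunk.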
@@ -58,21 +66,22 @@ } } 'passenger': { - if ($facts['os']['name'] in ['RedHat', 'CentOS', 'VirtuozzoLinux']) and ($facts['os']['release']['major'] in ['6', '7', '8']) { + if ($facts['os']['name'] in ['RedHat', 'CentOS', 'VirtuozzoLinux']) and ($facts['os']['release']['major'] in ['6', '7']) { # 2019-11: Passenger changed their gpg key from: `https://packagecloud.io/phusion/passenger/gpgkey` # to: `https://oss-binaries.phusionpassenger.com/auto-software-signing-gpg-key.txt` # Find the latest key by opening: https://oss-binaries.phusionpassenger.com/yum/definitions/el-passenger.repo # Also note: Since 6.0.5 there are no nginx packages in the phusion EL7 repository, and nginx packages are expected to come from epel instead yumrepo { 'passenger': - baseurl => "https://oss-binaries.phusionpassenger.com/yum/passenger/el/${facts['os']['release']['major']}/\$basearch", - descr => 'passenger repo', - enabled => '1', - gpgcheck => '0', - repo_gpgcheck => '1', - priority => '1', - gpgkey => 'https://oss-binaries.phusionpassenger.com/auto-software-signing-gpg-key.txt', - before => Package['nginx'], + baseurl => "https://oss-binaries.phusionpassenger.com/yum/passenger/el/${facts['os']['release']['major']}/\$basearch", + descr => 'passenger repo', + enabled => '1', + gpgcheck => '0', + repo_gpgcheck => '1', + priority => '1', + gpgkey => 'https://oss-binaries.phusionpassenger.com/auto-software-signing-gpg-key.txt', + before => Package['nginx'], + module_hotfixes => $want_module_hotfixes, } yumrepo { 'nginx-release': diff --git a/spec/acceptance/class_spec.rb b/spec/acceptance/class_spec.rb index 10a41dd9d..d638944bb 100644 --- a/spec/acceptance/class_spec.rb +++ b/spec/acceptance/class_spec.rb 
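Review bot: `module_hotfixes => $want_module_hotfixes` on the `passenger` repo looks like a no-op, because this same hunk narrows the enclosing condition to major releases `['6', '7']`. There the value should always resolve to `'absent'`, assuming `os.release.full` is below 8.0 whenever the major release is 6 or 7. I would drop the attribute here or add a comment saying why it is kept. The repo also keeps `gpgcheck => '0'` with only `repo_gpgcheck => '1'`, so individual RPM signatures are not verified. A one-line comment recording why package signature checking is off for this repository would help the next reader. The `if` body, and whatever branch now handles release 8, continue outside the hunk.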
@@ -3,11 +3,15 @@ require 'spec_helper_acceptance' describe 'nginx class:' do + test_passenger = true + case fact('osfamily') when 'RedHat' pkg_cmd = 'yum info nginx | grep "^From repo"' pkg_remove_cmd = 'yum -y remove nginx nginx-filesystem passenger' pkg_match = case fact('operatingsystemmajrelease') + when '8' + test_passenger = false when '7' # https://blog.phusion.nl/2020/05/29/passenger-6-0-5/ %r{epel} else @@ -24,6 +28,8 @@ else %r{Phusion} end + else + test_passenger = false end context 'default parameters' do @@ -44,7 +50,7 @@ end end - context 'nginx with package_source passenger', if: pkg_cmd do + context 'nginx with package_source passenger', if: test_passenger do it 'runs successfully' do shell(pkg_remove_cmd) pp = <<-EOS @@ -76,7 +82,7 @@ class { 'nginx': end end - context 'reset to default parameters', if: pkg_cmd do + context 'reset to default parameters', if: pkg_remove_cmd do it 'runs successfully' do shell(pkg_remove_cmd) pp = "class { 'nginx': }" diff --git a/spec/acceptance/nginx_mail_spec.rb b/spec/acceptance/nginx_mail_spec.rb index f1b7bb5c9..820faabc5 100644 --- a/spec/acceptance/nginx_mail_spec.rb +++ b/spec/acceptance/nginx_mail_spec.rb 
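Review bot: In the first hunk, the added `when '8'` sits inside the `case` whose value is assigned to `pkg_match`, so on release 8 `pkg_match` becomes `false` (the value of `test_passenger = false`) rather than a regexp. That is harmless only while every use of `pkg_match` is in a context gated by `test_passenger`, and those uses are outside the hunks shown. I would set the flag outside the value-producing `case`, e.g. `test_passenger = false if fact('operatingsystemmajrelease') == '8'`, and keep only regexp branches in the `pkg_match` expression.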
@@ -3,87 +3,118 @@ require 'spec_helper_acceptance' describe 'nginx::resource::mailhost define:' do - it 'runs successfully' do - pp = " - if fact('os.family') == 'RedHat' { - package { 'nginx-mod-mail': - ensure => installed, - } - } + has_recent_mail_module = true - class { 'nginx': - mail => true, - dynamic_modules => fact('os.family') ? { - 'RedHat' => ['/usr/lib64/nginx/modules/ngx_mail_module.so'], - default => [], - } + if fact('os.family') == 'RedHat' && fact('os.release.major') == '8' + # EPEL had recent nginx-mod-mail package for CentOS 7 but not CentOS 8 + # Stream. The base packages use an older version of nginx that does not + # work with the acceptance test configuration. + has_recent_mail_module = false + end + + it 'remove leftovers from previous tests', if: fact('os.family') == 'RedHat' do + shell('yum -y remove nginx nginx-filesystem passenger') + # nginx-mod-mail is not available for all versions of nginx, the one + # installed might be incompatible with the version of nginx-mod-mail we are + # about to install so clean everything. 
+ pp = " + yumrepo { 'nginx-release': + ensure => absent, } - nginx::resource::mailhost { 'domain1.example': - ensure => present, - auth_http => 'localhost/cgi-bin/auth', - protocol => 'smtp', - listen_port => 587, - ssl => true, - ssl_port => 465, - ssl_cert => '/etc/pki/tls/certs/blah.cert', - ssl_key => '/etc/pki/tls/private/blah.key', - xclient => 'off', + yumrepo { 'passenger': + ensure => absent, } " - apply_manifest(pp, catch_failures: true) end - describe file('/etc/nginx/conf.mail.d/domain1.example.conf') do - it { is_expected.to be_file } - it { is_expected.to contain 'auth_http localhost/cgi-bin/auth;' } - it { is_expected.to contain 'listen *:465 ssl;' } - end - - describe port(587) do - it { is_expected.to be_listening } - end - - describe port(465) do - it { is_expected.to be_listening } - end - - context 'when configured for nginx 1.14' do + context 'actualy test the mail module', if: has_recent_mail_module do it 'runs successfully' do pp = " - if fact('os.family') == 'RedHat' { - package { 'nginx-mod-mail': - ensure => installed, + if fact('os.family') == 'RedHat' { + package { 'nginx-mod-mail': + ensure => installed, + } } - } - class { 'nginx': - mail => true, - nginx_version => '1.14.0', - dynamic_modules => fact('os.family') ? { - 'RedHat' => ['/usr/lib64/nginx/modules/ngx_mail_module.so'], - default => [], + class { 'nginx': + mail => true, + dynamic_modules => fact('os.family') ? 
{ + 'RedHat' => ['/usr/lib64/nginx/modules/ngx_mail_module.so'], + default => [], + } + } + nginx::resource::mailhost { 'domain1.example': + ensure => present, + auth_http => 'localhost/cgi-bin/auth', + protocol => 'smtp', + listen_port => 587, + ssl => true, + ssl_port => 465, + ssl_cert => '/etc/pki/tls/certs/blah.cert', + ssl_key => '/etc/pki/tls/private/blah.key', + xclient => 'off', } - } - nginx::resource::mailhost { 'domain1.example': - ensure => present, - auth_http => 'localhost/cgi-bin/auth', - protocol => 'smtp', - listen_port => 587, - ssl => true, - ssl_port => 465, - ssl_cert => '/etc/pki/tls/certs/blah.cert', - ssl_key => '/etc/pki/tls/private/blah.key', - xclient => 'off', - } " apply_manifest(pp, catch_failures: true) + # The module produce different config when nginx is installed and when it + # is not installed prior to getting facts, so we need to re-apply the + # catalog. + apply_manifest(pp, catch_failures: true) end describe file('/etc/nginx/conf.mail.d/domain1.example.conf') do - it 'does\'t contain `ssl` on `listen` line' do - is_expected.to contain 'listen *:465;' + it { is_expected.to be_file } + it { is_expected.to contain 'auth_http localhost/cgi-bin/auth;' } + it { is_expected.to contain 'listen *:465 ssl;' } + end + + describe port(587) do + it { is_expected.to be_listening } + end + + describe port(465) do + it { is_expected.to be_listening } + end + + context 'when configured for nginx 1.14' do + it 'runs successfully' do + pp = " + if fact('os.family') == 'RedHat' { + package { 'nginx-mod-mail': + ensure => installed, + } + } + + class { 'nginx': + mail => true, + nginx_version => '1.14.0', + dynamic_modules => fact('os.family') ? 
{ + 'RedHat' => ['/usr/lib64/nginx/modules/ngx_mail_module.so'], + default => [], + } + } + nginx::resource::mailhost { 'domain1.example': + ensure => present, + auth_http => 'localhost/cgi-bin/auth', + protocol => 'smtp', + listen_port => 587, + ssl => true, + ssl_port => 465, + ssl_cert => '/etc/pki/tls/certs/blah.cert', + ssl_key => '/etc/pki/tls/private/blah.key', + xclient => 'off', + } + " + + apply_manifest(pp, catch_failures: true) + end + + describe file('/etc/nginx/conf.mail.d/domain1.example.conf') do + it 'does\'t contain `ssl` on `listen` line' do + is_expected.to contain 'listen *:465;' + end end end end diff --git a/spec/acceptance/nginx_server_spec.rb b/spec/acceptance/nginx_server_spec.rb old mode 100755 new mode 100644 index c1fda564d..6bbc85c87 --- a/spec/acceptance/nginx_server_spec.rb +++ b/spec/acceptance/nginx_server_spec.rb @@ -51,6 +51,10 @@ class { 'nginx': } end context 'should run successfully with ssl' do + it 'remove leftovers from previous tests', if: fact('os.family') == 'RedHat' do + shell('yum -y remove nginx nginx-filesystem passenger') + end + it 'configures a nginx SSL server' do pp = " class { 'nginx': } @@ -71,7 +75,6 @@ class { 'nginx': } describe file('/etc/nginx/sites-available/www.puppetlabs.com.conf') do it { is_expected.to be_file } - it { is_expected.not_to contain 'ssl on;' } # As of nginx 1.15 (1.16 stable), this will not be set. it { is_expected.to contain 'listen *:443 ssl;' } it { is_expected.not_to contain 'shared:SSL:10m;' } end diff --git a/spec/classes/nginx_spec.rb b/spec/classes/nginx_spec.rb index 0a6955133..2ae731a38 100644 --- a/spec/classes/nginx_spec.rb +++ b/spec/classes/nginx_spec.rb @@ -105,7 +105,7 @@ it { is_expected.to contain_yumrepo('passenger').that_comes_before('Package[nginx]') } end - context 'package_source => passenger' do + context 'package_source => passenger', unless: facts[:operatingsystemmajrelease] == '8' do let(:params) { { package_source: 'passenger' } } it do
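Review bot: The added second `apply_manifest(pp, catch_failures: true)` in `nginx_mail_spec.rb` works around a catalog that differs between the first and second run, but nothing then checks that the configuration has converged. A final `apply_manifest(pp, catch_changes: true)` after it would make the test fail if the module keeps changing resources on later runs. The context title `'actualy test the mail module'` has a typo (`actually`). The cleanup command `yum -y remove nginx nginx-filesystem passenger` is also repeated as a literal in the `nginx_server_spec.rb` hunk, so a shared helper or constant would keep the two in step.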
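Review bot: Skipping the whole `package_source => passenger` context in `spec/classes/nginx_spec.rb` on major release 8 leaves the manifest's release-8 path for that source without a unit test. Since `redhat.pp` now excludes `'8'` from the passenger condition, I would add a sibling context for release 8 that asserts what the catalog does there. For instance, it could assert that `yumrepo('passenger')` is not created, once the intended behaviour is confirmed from the branch outside these hunks. The `it do` block at the end of the hunk continues outside it.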