Use SSO certs on jenkins

diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 3d1702126198a36bba68fe37f9e8f7e95bf12aad..d1e83aa66107e17600a835f9c729b9d5d43931de 100644 (file)
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -110,6 +110,7 @@ roles:
   # single sign on relying party (host) - also required apache2 module enabled on that host via other means
   sso_rp:
     - diabelli.debian.org
+    - jerea.debian.org
     - nono.debian.org
     - ticharich.debian.org
   static_master:

diff --git a/modules/roles/files/jenkins/jenkins.debian.org b/modules/roles/files/jenkins/jenkins.debian.org
index b5ccc6b04f0081e961781bff5f19733a591519df..e8d9ebed55eb968b5d0ccec94ea0233182df60e1 100644 (file)
--- a/modules/roles/files/jenkins/jenkins.debian.org
+++ b/modules/roles/files/jenkins/jenkins.debian.org
@@ -7,6 +7,13 @@ Use common-debian-service-https-redirect * jenkins.debian.org
        Use common-debian-service-ssl jenkins.debian.org
        Use common-ssl-HSTS
 
+       SSLCACertificateFile /var/lib/dsa/sso/ca.crt
+       SSLCARevocationCheck chain
+       SSLCARevocationFile /var/lib/dsa/sso/ca.crl
+       SSLVerifyClient optional
+
+       SSLOptions +StdEnvVars
+
        <IfModule mod_userdir.c>
                UserDir disabled
        </IfModule>
@@ -14,6 +21,8 @@ Use common-debian-service-https-redirect * jenkins.debian.org
        CustomLog /var/log/apache2/jenkins.debian.org-access.log privacy
        ServerSignature On
        <IfModule mod_proxy.c>
+               RequestHeader unset X-Forwarded-User
+               RequestHeader set X-Forwarded-User "%{SSL_CLIENT_S_DN_CN}e" env=SSL_CLIENT_S_DN_CN
                <Proxy *>
                        Order deny,allow
                        Allow from all