From: Peter Palfrader <peter@palfrader.org>
Date: Sun, 11 Oct 2015 11:01:22 +0000 (+0200)
Subject: Use SSO certs on jenkins
X-Git-Url: https://git.donarmstrong.com/?p=dsa-puppet.git;a=commitdiff_plain;h=32cc0ca47da8021103744f26d3ced982ea0c22ad

Use SSO certs on jenkins
---

diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 3d170212..d1e83aa6 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -110,6 +110,7 @@ roles:
   # single sign on relying party (host) - also required apache2 module enabled on that host via other means
   sso_rp:
     - diabelli.debian.org
+    - jerea.debian.org
     - nono.debian.org
     - ticharich.debian.org
   static_master:
diff --git a/modules/roles/files/jenkins/jenkins.debian.org b/modules/roles/files/jenkins/jenkins.debian.org
index b5ccc6b0..e8d9ebed 100644
--- a/modules/roles/files/jenkins/jenkins.debian.org
+++ b/modules/roles/files/jenkins/jenkins.debian.org
@@ -7,6 +7,13 @@ Use common-debian-service-https-redirect * jenkins.debian.org
 	Use common-debian-service-ssl jenkins.debian.org
 	Use common-ssl-HSTS
 
+	SSLCACertificateFile /var/lib/dsa/sso/ca.crt
+	SSLCARevocationCheck chain
+	SSLCARevocationFile /var/lib/dsa/sso/ca.crl
+	SSLVerifyClient optional
+
+	SSLOptions +StdEnvVars
+
 	<IfModule mod_userdir.c>
 		UserDir disabled
 	</IfModule>
@@ -14,6 +21,8 @@ Use common-debian-service-https-redirect * jenkins.debian.org
 	CustomLog /var/log/apache2/jenkins.debian.org-access.log privacy
 	ServerSignature On
 	<IfModule mod_proxy.c>
+		RequestHeader unset X-Forwarded-User
+		RequestHeader set X-Forwarded-User "%{SSL_CLIENT_S_DN_CN}e" env=SSL_CLIENT_S_DN_CN
 		<Proxy *>
 			Order deny,allow
 			Allow from all