(maint) Allow using mod_md for managing certificates

Add a $mdomain parameter to apache::vhost.  When set to true, the
certifcate configuration is automatically managed by mod_md.  It is also
possible to use an explicit String to fully control the Subject
Alternative Names of the requested certificate.

Author: smortex

manifests/vhost.pp

@@ -1722,6 +1722,10 @@
 #   value of the $servername parameter.
 #   When set to false (default), the existing behaviour of using the $name parameter
 #   will remain.
+#
+# @param $mdomain
+#   All the names in the list are managed as one Managed Domain (MD). mod_md will request
+#   one single certificate that is valid for all these names.
 
 define apache::vhost (
   Variant[Boolean,String] $docroot,
@@ -1971,6 +1975,7 @@
   Hash $define                                                                      = {},
   Boolean $auth_oidc                                                                = false,
   Optional[Apache::OIDCSettings] $oidc_settings                                     = undef,
+  Optional[Variant[Boolean,String]] $mdomain                                        = undef,
 ) {
   # The base class must be included first because it is used by parameter defaults
   if ! defined(Class['apache']) {
@@ -2771,6 +2776,10 @@
     }
   }
 
+  if $mdomain {
+    include apache::mod::md
+  }
+
   # Template uses:
   # - $passenger_enabled
   # - $passenger_start_timeout

spec/defines/vhost_spec.rb

@@ -484,6 +484,7 @@
                                                  'RemoteUserClaim'           => 'sub',
                                                  'ClientSecret'              => 'aae053a9-4abf-4824-8956-e94b2af335c8',
                                                  'CryptoPassphrase'          => '4ad1bb46-9979-450e-ae58-c696967df3cd' },
+              'mdomain'                     => 'example.com example.net auto',
             }
           end
 
@@ -1483,6 +1484,12 @@
               content: %r{^\s+OIDCCryptoPassphrase\s4ad1bb46-9979-450e-ae58-c696967df3cd$},
             )
           }
+          it { is_expected.to contain_class('apache::mod::md') }
+          it {
+            is_expected.to contain_concat__fragment('rspec.example.com-apache-header').with(
+              content: %r{^MDomain example\.com example\.net auto$},
+            )
+          }
         end
         context 'vhost with multiple ip addresses' do
           let :params do
@@ -2451,6 +2458,19 @@
             it { is_expected.not_to compile }
           end
         end
+        context 'mdomain' do
+          let :params do
+            default_params.merge(
+              'mdomain' => true,
+            )
+          end
+
+          it {
+            is_expected.to contain_concat__fragment('rspec.example.com-apache-header').with(
+              content: %r{^MDomain rspec.example.com$},
+            )
+          }
+        end
       end
     end
   end

templates/vhost/_file_header.erb

@@ -3,6 +3,14 @@
 # Managed by Puppet
 # ************************************
 <%= [@comment].flatten.collect{|c| "# #{c}"}.join("\n") -%>
+<% if @mdomain -%>
+
+  <%- if @mdomain.is_a?(String) -%>
+MDomain <%= @mdomain %>
+  <%- else -%>
+MDomain <%= @servername %>
+  <%- end -%>
+<% end -%>
 
 <VirtualHost <%= [@nvh_addr_port].flatten.compact.join(' ') %>>
 <% @define.each do | k, v| -%>

templates/vhost/_ssl.erb

@@ -2,8 +2,10 @@
 
   ## SSL directives
   SSLEngine on
+  <%- unless @mdomain -%>
   SSLCertificateFile      "<%= @ssl_cert %>"
   SSLCertificateKeyFile   "<%= @ssl_key %>"
+  <%- end -%>
   <%- if @ssl_chain -%>
   SSLCertificateChainFile "<%= @ssl_chain %>"
   <%- end -%>