Set up legacy git redirect sites

As part of the move to Gitea, we're creating compatibility redirects
from our old Cgit and Git HTTP backend sites to opendev.org. This
introduces Apache vhosts for each of git.airshipit.org,
git.openstack.org, git.starlingx.io and git.zuul-ci.org which all
serve the same docroot on the files.openstack.org server. This
docroot houses a single .htaccess file with the relevant redirect
rules.

Change-Id: I729fe39bcbe0a0cae237e9036ed8fa980f897e68
Co-Authored-By: James E. Blair <jeblair@redhat.com>
Task: #29705
Jeremy Stanley 2019-03-08 15:27:42 +00:00
parent 683b73b4fb
commit 73955d55b7
4 changed files with 395 additions and 8 deletions


@ -505,14 +505,26 @@ node /^files\d*\.open.*\.org$/ {
}
class { 'openstack_project::files':
vhost_name => 'files.openstack.org',
developer_cert_file_contents => hiera('developer_cert_file_contents'),
developer_key_file_contents => hiera('developer_key_file_contents'),
developer_chain_file_contents => hiera('developer_chain_file_contents'),
docs_cert_file_contents => hiera('docs_cert_file_contents'),
docs_key_file_contents => hiera('docs_key_file_contents'),
docs_chain_file_contents => hiera('docs_chain_file_contents'),
require => Class['Openstack_project::Server'],
vhost_name => 'files.openstack.org',
developer_cert_file_contents => hiera('developer_cert_file_contents'),
developer_key_file_contents => hiera('developer_key_file_contents'),
developer_chain_file_contents => hiera('developer_chain_file_contents'),
docs_cert_file_contents => hiera('docs_cert_file_contents'),
docs_key_file_contents => hiera('docs_key_file_contents'),
docs_chain_file_contents => hiera('docs_chain_file_contents'),
git_airship_cert_file_contents => hiera('git_airship_cert_file_contents'),
git_airship_key_file_contents => hiera('git_airship_key_file_contents'),
git_airship_chain_file_contents => hiera('git_airship_chain_file_contents'),
git_openstack_cert_file_contents => hiera('git_openstack_cert_file_contents'),
git_openstack_key_file_contents => hiera('git_openstack_key_file_contents'),
git_openstack_chain_file_contents => hiera('git_openstack_chain_file_contents'),
git_starlingx_cert_file_contents => hiera('git_starlingx_cert_file_contents'),
git_starlingx_key_file_contents => hiera('git_starlingx_key_file_contents'),
git_starlingx_chain_file_contents => hiera('git_starlingx_chain_file_contents'),
git_zuul_cert_file_contents => hiera('git_zuul_cert_file_contents'),
git_zuul_key_file_contents => hiera('git_zuul_key_file_contents'),
git_zuul_chain_file_contents => hiera('git_zuul_chain_file_contents'),
require => Class['Openstack_project::Server'],
}
# Temporary for evaluating htaccess rules


@ -0,0 +1,148 @@
# Unescape any slashes in the branch portion of the query string so
# that we don't have to worry about whether or not they are encoded
# later. This is a recursive rule to handle multiple slashes.
RewriteCond %{QUERY_STRING} "^(.*)h=([^&]+)%2F([^&]+)(.*)$"
RewriteRule "^(.*)$" "/$1?%1h=%2/%3%4" [N]
###################################
# summary
# ignore all args
RewriteRule "^cgit/([^/]+)/([^/]+)/?$" "https://opendev.org/$1/$2/" [L,QSD]
###################################
# refs tab -> branches tab
# ignore all args
# The cgit refs tab shows tags+branches, the branches tab in gitea is
# the closest linkable url
RewriteRule "^cgit/([^/]+)/([^/]+)/refs/?" "https://opendev.org/$1/$2/branches" [L,QSD]
###################################
# log tab (with file) -> commits tab
# h=
RewriteCond %{QUERY_STRING} h=([\w/]+)
RewriteRule "^cgit/([^/]+)/([^/]+)/log/?(.*)" "https://opendev.org/$1/$2/commits/branch/%1/$3" [L,QSD]
# no args
RewriteRule "^cgit/([^/]+)/([^/]+)/log/?(.*)" "https://opendev.org/$1/$2/commits/branch/master/$3" [L,QSD]
#####################################################
# tree tab (with file) -> tree tab
# id=
# h=&id= (id)
# if there's a commit, it takes precedence
RewriteCond %{QUERY_STRING} id=([\w]+)
RewriteRule "^cgit/(.*?)/(.*?)/tree/?(.*)" "https://opendev.org/$1/$2/src/commit/%1/$3" [L,QSD]
# h=
# if there's no commit, but a branch:
RewriteCond %{QUERY_STRING} h=([\w/]+)
RewriteRule "^cgit/(.*?)/(.*?)/tree/?(.*)" "https://opendev.org/$1/$2/src/branch/%1/$3" [L,QSD]
# if there's no args:
RewriteRule "^cgit/(.*?)/(.*?)/tree/?(.*)" "https://opendev.org/$1/$2/src/branch/master/$3" [L,QSD]
#####################################################
# plain link without file -> tree tab
# id=
# h=&id= (id)
# if there's a commit, it takes precedence
RewriteCond %{QUERY_STRING} id=([\w]+)
RewriteRule "^cgit/(.*?)/(.*?)/plain/?$" "https://opendev.org/$1/$2/src/commit/%1/$3" [L,QSD]
# h=
# if there's no commit, but a branch:
RewriteCond %{QUERY_STRING} h=([\w/]+)
RewriteRule "^cgit/(.*?)/(.*?)/plain/?$" "https://opendev.org/$1/$2/src/branch/%1/$3" [L,QSD]
# if there's no args:
RewriteRule "^cgit/(.*?)/(.*?)/plain/?$" "https://opendev.org/$1/$2/src/branch/master/$3" [L,QSD]
#####################################################
# plain link (with file) -> raw
# same as tree
# id=
# h=&id= (id)
# if there's a commit, it takes precedence
RewriteCond %{QUERY_STRING} id=([\w]+)
RewriteRule "^cgit/(.*?)/(.*?)/plain/?(.*)" "https://opendev.org/$1/$2/raw/commit/%1/$3" [L,QSD]
# h=
# if there's no commit, but a branch:
RewriteCond %{QUERY_STRING} h=([\w/]+)
RewriteRule "^cgit/(.*?)/(.*?)/plain/?(.*)" "https://opendev.org/$1/$2/raw/branch/%1/$3" [L,QSD]
# if there's no args:
RewriteRule "^cgit/(.*?)/(.*?)/plain/?(.*)" "https://opendev.org/$1/$2/raw/branch/master/$3" [L,QSD]
######################
# commit tab (with file) -> commit screen (without file)
# id=
# id=&h=
RewriteCond %{QUERY_STRING} id=([\w]+)
RewriteRule "^cgit/(.*?)/(.*?)/commit/?(.*)" "https://opendev.org/$1/$2/commit/%1" [L,QSD]
# h=
# The commit tab in cgit will show the branch-tip commit in this case.
# There is not a comprable page in gitea, so we redirect to the branch
# log (which has the branch-tip commit at the top of the list). We
# include the file if it's there to further restrict the list of
# commits
RewriteCond %{QUERY_STRING} h=([\w/]+)
RewriteRule "^cgit/(.*?)/(.*?)/commit/?(.*)" "https://opendev.org/$1/$2/commits/branch/%1/$3" [L,QSD]
# no args
# Same, but with master branch
RewriteRule "^cgit/(.*?)/(.*?)/commit/?(.*)" "https://opendev.org/$1/$2/commits/branch/master/$3" [L,QSD]
######################
# diff (with file) -> commit screen (without file)
# Gitea doesn't handle arbitrary diffs, so just show the commit page for id.
# We do the same thing as for the commit tab.
# id=&id2=
# id=
# id=&h=
RewriteCond %{QUERY_STRING} id=([\w]+)
RewriteRule "^cgit/(.*?)/(.*?)/diff/?(.*)" "https://opendev.org/$1/$2/commit/%1" [L,QSD]
# h=
RewriteCond %{QUERY_STRING} h=([\w/]+)
RewriteRule "^cgit/(.*?)/(.*?)/diff/?(.*)" "https://opendev.org/$1/$2/commits/branch/%1/$3" [L,QSD]
# no args
RewriteRule "^cgit/(.*?)/(.*?)/diff/?(.*)" "https://opendev.org/$1/$2/commits/branch/master/$3" [L,QSD]
######################
# patch (with file)
# Gitea doesn't handle generating patch files, so just show the commit page.
# We do the same thing as for the commit tab.
# id=
# id=&h=
RewriteCond %{QUERY_STRING} id=([\w]+)
RewriteRule "^cgit/(.*?)/(.*?)/patch/?(.*)" "https://opendev.org/$1/$2/commit/%1" [L,QSD]
# h=
RewriteCond %{QUERY_STRING} h=([\w/]+)
RewriteRule "^cgit/(.*?)/(.*?)/patch/?(.*)" "https://opendev.org/$1/$2/commits/branch/%1/$3" [L,QSD]
# no args
RewriteRule "^cgit/(.*?)/(.*?)/patch/?(.*)" "https://opendev.org/$1/$2/commits/branch/master/$3" [L,QSD]
#####################
# tag
# Gitea doesn't have a dedicated tag page, but if you click a tag in
# gitea, it takes you to the source tree view for that tag, which has
# the tagged commit at the top of the table.
RewriteCond %{QUERY_STRING} h=([\w/\.]+)
RewriteRule "^cgit/(.*?)/(.*?)/tag/?" "https://opendev.org/$1/$2/src/tag/%1" [L,QSD]
#####################
# Any other unknown cgit url, redirect to /
RewriteRule "^cgit" "https://opendev.org/" [L,QSD]
#####################
# Non cgit URLs
RewriteRule "^(.*)$" "https://opendev.org/$1" [L]
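Review bot: The branch conditions `RewriteCond %{QUERY_STRING} h=([\w/]+)` in the log, tree, plain, commit, diff and patch sections stop capturing at the first `.` or `-`, so a ref such as `h=stable/2.0` (constructed example) would be redirected to a truncated, different ref name; only the tag rule allows `.`. The `h=` and `id=` patterns are also unanchored, so they can match the tail of another parameter whose name ends in `h` or `id`. Anchoring and widening the class covers both, e.g. `RewriteCond %{QUERY_STRING} (?:^|&)h=([\w./-]+)` and `RewriteCond %{QUERY_STRING} (?:^|&)id=(\w+)`. The first rule matches only upper-case `%2F` and loops with an unbounded `[N]`; adding `[NC]` to its condition and an explicit iteration limit on the rule would make its behaviour on odd input predictable. The three `plain/?$` rules reference `$3` although their pattern has only two groups, which expands to an empty string and is worth removing for clarity.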


@ -8,6 +8,18 @@ class openstack_project::files (
$docs_cert_file_contents,
$docs_key_file_contents,
$docs_chain_file_contents,
$git_airship_cert_file_contents,
$git_airship_key_file_contents,
$git_airship_chain_file_contents,
$git_openstack_cert_file_contents,
$git_openstack_key_file_contents,
$git_openstack_chain_file_contents,
$git_starlingx_cert_file_contents,
$git_starlingx_key_file_contents,
$git_starlingx_chain_file_contents,
$git_zuul_cert_file_contents,
$git_zuul_key_file_contents,
$git_zuul_chain_file_contents,
) {
$afs_root = '/afs/openstack.org/'
@ -30,6 +42,24 @@ class openstack_project::files (
require => File["${www_base}"],
}
#####################################################
# Git Redirects Webroot
file { "${www_base}/git-redirect":
ensure => directory,
owner => root,
group => root,
require => File["${www_base}"],
}
file { "${www_base}/git-redirect/.htaccess":
ensure => present,
owner => 'root',
group => 'root',
mode => '0444',
source => 'puppet:///modules/openstack_project/git-redirect.htaccess',
require => File["${www_base}/git-redirect"],
}
#####################################################
# Set up directories needed by HTTPS certs/keys
file { '/etc/ssl/certs':
@ -189,4 +219,152 @@ class openstack_project::files (
require => File['/etc/ssl/certs'],
before => File['/etc/ssl/certs/developer.openstack.org.pem'],
}
###########################################################
# git.airshipit.org
::httpd::vhost { 'git.airshipit.org':
port => 443, # Is required despite not being used.
docroot => "${www_base}/git-redirect",
priority => '50',
template => 'openstack_project/git-redirect.vhost.erb',
require => File["${www_base}/git-redirect"],
}
file { '/etc/ssl/certs/git.airshipit.org.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $git_airship_cert_file_contents,
require => File['/etc/ssl/certs'],
}
file { '/etc/ssl/private/git.airshipit.org.key':
ensure => present,
owner => 'root',
group => 'root',
mode => '0600',
content => $git_airship_key_file_contents,
require => File['/etc/ssl/private'],
}
file { '/etc/ssl/certs/git.airshipit.org_intermediate.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $git_airship_chain_file_contents,
require => File['/etc/ssl/certs'],
before => File['/etc/ssl/certs/git.airshipit.org.pem'],
}
###########################################################
# git.openstack.org
::httpd::vhost { 'git.openstack.org':
port => 443, # Is required despite not being used.
docroot => "${www_base}/git-redirect",
priority => '50',
template => 'openstack_project/git-redirect.vhost.erb',
require => File["${www_base}/git-redirect"],
}
file { '/etc/ssl/certs/git.openstack.org.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $git_openstack_cert_file_contents,
require => File['/etc/ssl/certs'],
}
file { '/etc/ssl/private/git.openstack.org.key':
ensure => present,
owner => 'root',
group => 'root',
mode => '0600',
content => $git_openstack_key_file_contents,
require => File['/etc/ssl/private'],
}
file { '/etc/ssl/certs/git.openstack.org_intermediate.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $git_openstack_chain_file_contents,
require => File['/etc/ssl/certs'],
before => File['/etc/ssl/certs/git.openstack.org.pem'],
}
###########################################################
# git.starlingx.io
::httpd::vhost { 'git.starlingx.io':
port => 443, # Is required despite not being used.
docroot => "${www_base}/git-redirect",
priority => '50',
template => 'openstack_project/git-redirect.vhost.erb',
require => File["${www_base}/git-redirect"],
}
file { '/etc/ssl/certs/git.starlingx.io.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $git_starlingx_cert_file_contents,
require => File['/etc/ssl/certs'],
}
file { '/etc/ssl/private/git.starlingx.io.key':
ensure => present,
owner => 'root',
group => 'root',
mode => '0600',
content => $git_starlingx_key_file_contents,
require => File['/etc/ssl/private'],
}
file { '/etc/ssl/certs/git.starlingx.io_intermediate.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $git_starlingx_chain_file_contents,
require => File['/etc/ssl/certs'],
before => File['/etc/ssl/certs/git.starlingx.io.pem'],
}
###########################################################
# git.zuul-ci.org
::httpd::vhost { 'git.zuul-ci.org':
port => 443, # Is required despite not being used.
docroot => "${www_base}/git-redirect",
priority => '50',
template => 'openstack_project/git-redirect.vhost.erb',
require => File["${www_base}/git-redirect"],
}
file { '/etc/ssl/certs/git.zuul-ci.org.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $git_zuul_cert_file_contents,
require => File['/etc/ssl/certs'],
}
file { '/etc/ssl/private/git.zuul-ci.org.key':
ensure => present,
owner => 'root',
group => 'root',
mode => '0600',
content => $git_zuul_key_file_contents,
require => File['/etc/ssl/private'],
}
file { '/etc/ssl/certs/git.zuul-ci.org_intermediate.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $git_zuul_chain_file_contents,
require => File['/etc/ssl/certs'],
before => File['/etc/ssl/certs/git.zuul-ci.org.pem'],
}
}
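Review bot: Each `::httpd::vhost` added here declares only `require => File["${www_base}/git-redirect"]`, so nothing orders the vhost after the certificate, key and chain files its template references, or after the .htaccess. Depending on how `::httpd::vhost` notifies the service (not visible in this hunk), a first run could ask Apache to load a 443 vhost whose `SSLCertificateKeyFile` does not exist yet; listing those files in each vhost's `require` makes the dependency explicit. The `/etc/ssl/private/*.key` resources pass private key material through `content`, so adding `show_diff => false` to them keeps it out of reports if diff display is enabled on the agent. The four blocks differ only in hostname and variable prefix, so a small defined type taking the hostname and the three contents would remove the repetition and keep the modes consistent.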


@ -0,0 +1,49 @@
# ************************************
# Managed by Puppet
# ************************************
<VirtualHost *:80>
ServerName <%= @srvname %>
RewriteEngine On
DocumentRoot <%= @docroot %>
<Directory <%= @docroot %>>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
AllowOverrideList Redirect RedirectMatch
Satisfy Any
Require all granted
</Directory>
LogLevel warn
ErrorLog /var/log/apache2/<%= @srvname %>_error.log
CustomLog /var/log/apache2/<%= @srvname %>_access.log combined
ServerSignature Off
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName <%= @srvname %>
RewriteEngine On
DocumentRoot <%= @docroot %>
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
# Once the machine is using something to terminate TLS that supports ECDHE
# then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
# only is guarenteed.
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
SSLHonorCipherOrder on
SSLCertificateFile /etc/ssl/certs/<%= @srvname %>.pem
SSLCertificateKeyFile /etc/ssl/private/<%= @srvname %>.key
SSLCertificateChainFile /etc/ssl/certs/<%= @srvname %>_intermediate.pem
<Directory <%= @docroot %>>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
AllowOverrideList Redirect RedirectMatch
Satisfy Any
Require all granted
</Directory>
LogLevel warn
ErrorLog /var/log/apache2/<%= @srvname %>_error.log
CustomLog /var/log/apache2/<%= @srvname %>_access.log combined
ServerSignature Off
</VirtualHost>
</IfModule>
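Review bot: Both `<Directory>` blocks set `AllowOverride None` with `AllowOverrideList Redirect RedirectMatch`, but the .htaccess added in this commit consists entirely of `RewriteCond` and `RewriteRule` directives, which are not on that list. Apache answers a request with an internal server error when the .htaccess contains a directive that is not permitted, so as written the redirects would likely return 500 instead of a 3xx. The list should name the directives actually used, `AllowOverrideList RewriteCond RewriteRule`, or the rules should move into the vhost so no override is needed at all. Since the docroot exists only to hold the redirect rules, `Options FollowSymLinks` is enough; dropping `Indexes` and `MultiViews` avoids directory listings and content negotiation on a redirect-only site. `SSLProtocol All -SSLv2 -SSLv3` also leaves TLS 1.0 and 1.1 enabled, which deserves a comment next to the existing cipher note saying when they can be removed.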