From 9fead304423c53385e5fbc45041f4815c1ce8b87 Mon Sep 17 00:00:00 2001
From: "James E. Blair"
Date: Tue, 7 Jan 2020 14:44:18 -0800
Subject: [PATCH] Use LE certs for zuul-ci.org

This switches the zuul-ci.org/zuulci.org vhost to use newly issued letsencrypt certs. It also does the same for git.zuul-ci.org, which is a different vhost. Since that vhost is tied into a configuration which can't accept cert file paths (only content), adjust it to use the newer "website" manifest pattern which can.

Change-Id: I0cd0407754466327147917390c578da336e61269
---
 manifests/site.pp | 18 ++++++---
 modules/openstack_project/manifests/files.pp | 40 -------------------
 .../openstack_project/manifests/website.pp | 7 ++++
 .../templates/website.vhost.erb | 2 +-
 4 files changed, 20 insertions(+), 47 deletions(-)

diff --git a/manifests/site.pp b/manifests/site.pp
index 16f3fd90b8..b955a998db 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -442,9 +442,6 @@ node /^files\d*\.open.*\.org$/ {
 git_starlingx_cert_file_contents => hiera('git_starlingx_cert_file_contents'),
 git_starlingx_key_file_contents => hiera('git_starlingx_key_file_contents'),
 git_starlingx_chain_file_contents => hiera('git_starlingx_chain_file_contents'),
- git_zuul_cert_file_contents => hiera('git_zuul_cert_file_contents'),
- git_zuul_key_file_contents => hiera('git_zuul_key_file_contents'),
- git_zuul_chain_file_contents => hiera('git_zuul_chain_file_contents'),
 require => Class['Openstack_project::Server'],
 }
@@ -485,12 +482,21 @@ node /^files\d*\.open.*\.org$/ {
 openstack_project::website { 'zuul-ci.org':
 aliases => ['www.zuul-ci.org', 'zuulci.org', 'www.zuulci.org'],
- ssl_cert => hiera('zuul-ci_org_ssl_cert'),
- ssl_key => hiera('zuul-ci_org_ssl_key'),
- ssl_intermediate => hiera('zuul-ci_org_ssl_intermediate'),
+ ssl_cert => '/etc/letsencrypt-certs/zuul-ci.org/zuul-ci.org.cer',
+ ssl_key => '/etc/letsencrypt-certs/zuul-ci.org/zuul-ci.org.key',
+ ssl_intermediate => '/etc/letsencrypt-certs/zuul-ci.org/ca.cer',
 require => Class['openstack_project::files'],
 }
+ openstack_project::website { 'git.zuul-ci.org':
+ docroot => "/var/www/git-redirect",
+ allow_override_list => "Redirect RedirectMatch RewriteEngine RewriteBase RewriteCond RewriteMap RewriteOptions RewriteRule",
+ ssl_cert => '/etc/letsencrypt-certs/git.zuul-ci.org/git.zuul-ci.org.cer',
+ ssl_key => '/etc/letsencrypt-certs/git.zuul-ci.org/git.zuul-ci.org.key',
+ ssl_intermediate => '/etc/letsencrypt-certs/git.zuul-ci.org/ca.cer',
+ require => Class['openstack_project::files'],
+ }
+
 }
 # Node-OS: trusty
diff --git a/modules/openstack_project/manifests/files.pp b/modules/openstack_project/manifests/files.pp
index acb61c137c..ae4ac9a1b3 100644
--- a/modules/openstack_project/manifests/files.pp
+++ b/modules/openstack_project/manifests/files.pp
@@ -17,9 +17,6 @@ class openstack_project::files (
 $git_starlingx_cert_file_contents,
 $git_starlingx_key_file_contents,
 $git_starlingx_chain_file_contents,
- $git_zuul_cert_file_contents,
- $git_zuul_key_file_contents,
- $git_zuul_chain_file_contents,
 ) {
 $afs_root = '/afs/openstack.org/'
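Review bot: The new `git.zuul-ci.org` resource hardcodes `docroot => "/var/www/git-redirect"` where the removed `::httpd::vhost` in files.pp derived the same directory from `${www_base}` and required `File["${www_base}/git-redirect"]`; the class-level `require` presumably still orders that directory first, but the path now has to agree with `$www_base` by convention, which deserves a comment such as `# must match ${www_base}/git-redirect managed in openstack_project::files`. Puppet leaves files it no longer manages in place, so unless the define emits the vhost under the same name and priority (`50`) as the removed resource the old `git.zuul-ci.org` vhost file stays enabled beside the new one, and any of the three old cert files whose names the define does not reuse remain on disk — worth verifying on the host after the first run. The define also appears to copy the given cert path into `/etc/ssl/certs/${name}.pem` (visible in the website.pp hunk) rather than point Apache at the letsencrypt directory, so a renewed certificate would reach this vhost only after the next puppet run plus an Apache reload; if that is the case the renewal hook should trigger both — confirm against the rest of website.pp. Two of the new values are double-quoted with nothing to interpolate while the sibling `ssl_*` lines use single quotes, so `docroot => '/var/www/git-redirect',` and a single-quoted `allow_override_list` fit the file better (the same applies to the `"Redirect RedirectMatch"` default in website.pp). A one-line comment above `allow_override_list` stating why this vhost alone lets `.htaccess` files in its docroot use mod_rewrite directives, presumably because the redirect rules live there rather than in the vhost template, would save the next reader a look at the old git-redirect template.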
@@ -330,41 +327,4 @@ class openstack_project::files (
 require => File['/etc/ssl/certs'],
 before => File['/etc/ssl/certs/git.starlingx.io.pem'],
 }
-
-
- ###########################################################
- # git.zuul-ci.org
- ::httpd::vhost { 'git.zuul-ci.org':
- port => 443, # Is required despite not being used.
- docroot => "${www_base}/git-redirect",
- priority => '50',
- template => 'openstack_project/git-redirect.vhost.erb',
- require => File["${www_base}/git-redirect"],
- }
- file { '/etc/ssl/certs/git.zuul-ci.org.pem':
- ensure => present,
- owner => 'root',
- group => 'root',
- mode => '0644',
- content => $git_zuul_cert_file_contents,
- require => File['/etc/ssl/certs'],
- }
- file { '/etc/ssl/private/git.zuul-ci.org.key':
- ensure => present,
- owner => 'root',
- group => 'root',
- mode => '0600',
- content => $git_zuul_key_file_contents,
- require => File['/etc/ssl/private'],
- }
- file { '/etc/ssl/certs/git.zuul-ci.org_intermediate.pem':
- ensure => present,
- owner => 'root',
- group => 'root',
- mode => '0644',
- content => $git_zuul_chain_file_contents,
- require => File['/etc/ssl/certs'],
- before => File['/etc/ssl/certs/git.zuul-ci.org.pem'],
- }
 }
diff --git a/modules/openstack_project/manifests/website.pp b/modules/openstack_project/manifests/website.pp
index 252692a0dc..df8a279c3f 100644
--- a/modules/openstack_project/manifests/website.pp
+++ b/modules/openstack_project/manifests/website.pp
@@ -23,6 +23,7 @@ define openstack_project::website (
 $ssl_chain_file = undef,
 $template = 'openstack_project/website.vhost.erb',
 $docroot = undef,
+ $allow_override_list = undef,
 ) {
 $afs_root = '/afs/openstack.org/'
@@ -39,6 +40,12 @@ define openstack_project::website (
 $docroot_ = $docroot
 }
+ if $allow_override_list == undef {
+ $allow_override_list_ = "Redirect RedirectMatch"
+ } else {
+ $allow_override_list_ = $allow_override_list
+ }
+
 if ($ssl_cert != undef) {
 $ssl_cert_file_ = "/etc/ssl/certs/${name}.pem"
 file { "${ssl_cert_file_}":
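Review bot: `$allow_override_list` is a new public parameter of `openstack_project::website` with no documentation; the define's parameter list begins outside this hunk, so the header comment above it (if the file has one) should gain an entry such as `# [*allow_override_list*] Space-separated directive names that .htaccess files under the docroot may set; rendered verbatim into the vhost's AllowOverrideList. Defaults to 'Redirect RedirectMatch'.` Because the value is written unquoted into the Apache configuration, the entry should also say that callers pass directive names only and that widening the list extends what anyone able to write to the docroot can make Apache do for that site.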
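Review bot: The branch added after the `$docroot` check treats only `undef` as "use the default", so an empty string from a caller renders an argument-less `AllowOverrideList` line in website.vhost.erb (the template hunk below), which is at best a silently different override policy and at worst rejected at config test — I have not confirmed how Apache treats it. Tightening the test to `if $allow_override_list == undef or $allow_override_list == '' {` keeps the literal `Redirect RedirectMatch` behaviour for that case; the shape otherwise mirrors the `$docroot` handling just above, which is fine. A short comment on the block, `# AllowOverrideList for the docroot; the default lets .htaccess set only redirects`, would record that the narrow default is deliberate.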
diff --git a/modules/openstack_project/templates/website.vhost.erb b/modules/openstack_project/templates/website.vhost.erb
index de94c696a6..7eb898dc79 100644
--- a/modules/openstack_project/templates/website.vhost.erb
+++ b/modules/openstack_project/templates/website.vhost.erb
@@ -48,7 +48,7 @@
 Require all granted
 AllowOverride None
 # Allow mod_rewrite rules
- AllowOverrideList Redirect RedirectMatch
+ AllowOverrideList <%= @allow_override_list_ %>
 ErrorDocument 404 /errorpage.html