diff --git a/manifests/site.pp b/manifests/site.pp
index 0ba1c22e58..22b1e4ec43 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -504,14 +504,26 @@ node /^files\d*\.open.*\.org$/ {
}
class { 'openstack_project::files':
- vhost_name => 'files.openstack.org',
- developer_cert_file_contents => hiera('developer_cert_file_contents'),
- developer_key_file_contents => hiera('developer_key_file_contents'),
- developer_chain_file_contents => hiera('developer_chain_file_contents'),
- docs_cert_file_contents => hiera('docs_cert_file_contents'),
- docs_key_file_contents => hiera('docs_key_file_contents'),
- docs_chain_file_contents => hiera('docs_chain_file_contents'),
- require => Class['Openstack_project::Server'],
+ vhost_name => 'files.openstack.org',
+ developer_cert_file_contents => hiera('developer_cert_file_contents'),
+ developer_key_file_contents => hiera('developer_key_file_contents'),
+ developer_chain_file_contents => hiera('developer_chain_file_contents'),
+ docs_cert_file_contents => hiera('docs_cert_file_contents'),
+ docs_key_file_contents => hiera('docs_key_file_contents'),
+ docs_chain_file_contents => hiera('docs_chain_file_contents'),
+ git_airship_cert_file_contents => hiera('git_airship_cert_file_contents'),
+ git_airship_key_file_contents => hiera('git_airship_key_file_contents'),
+ git_airship_chain_file_contents => hiera('git_airship_chain_file_contents'),
+ git_openstack_cert_file_contents => hiera('git_openstack_cert_file_contents'),
+ git_openstack_key_file_contents => hiera('git_openstack_key_file_contents'),
+ git_openstack_chain_file_contents => hiera('git_openstack_chain_file_contents'),
+ git_starlingx_cert_file_contents => hiera('git_starlingx_cert_file_contents'),
+ git_starlingx_key_file_contents => hiera('git_starlingx_key_file_contents'),
+ git_starlingx_chain_file_contents => hiera('git_starlingx_chain_file_contents'),
+ git_zuul_cert_file_contents => hiera('git_zuul_cert_file_contents'),
+ git_zuul_key_file_contents => hiera('git_zuul_key_file_contents'),
+ git_zuul_chain_file_contents => hiera('git_zuul_chain_file_contents'),
+ require => Class['Openstack_project::Server'],
}
# Temporary for evaluating htaccess rules
diff --git a/modules/openstack_project/files/git-redirect.htaccess b/modules/openstack_project/files/git-redirect.htaccess
new file mode 100644
index 0000000000..a72f6b5ca8
--- /dev/null
+++ b/modules/openstack_project/files/git-redirect.htaccess
@@ -0,0 +1,148 @@
+# Unescape any slashes in the branch portion of the query string so
+# that we don't have to worry about whether or not they are encoded
+# later. This is a recursive rule to handle multiple slashes.
+RewriteCond %{QUERY_STRING} "^(.*)h=([^&]+)%2F([^&]+)(.*)$"
+RewriteRule "^(.*)$" "/$1?%1h=%2/%3%4" [N]
+
+###################################
+# summary
+# ignore all args
+
+RewriteRule "^cgit/([^/]+)/([^/]+)/?$" "https://opendev.org/$1/$2/" [L,QSD]
+
+###################################
+# refs tab -> branches tab
+# ignore all args
+# The cgit refs tab shows tags+branches, the branches tab in gitea is
+# the closest linkable url
+
+RewriteRule "^cgit/([^/]+)/([^/]+)/refs/?" "https://opendev.org/$1/$2/branches" [L,QSD]
+
+###################################
+# log tab (with file) -> commits tab
+# h=
+
+RewriteCond %{QUERY_STRING} h=([\w/]+)
+RewriteRule "^cgit/([^/]+)/([^/]+)/log/?(.*)" "https://opendev.org/$1/$2/commits/branch/%1/$3" [L,QSD]
+
+# no args
+
+RewriteRule "^cgit/([^/]+)/([^/]+)/log/?(.*)" "https://opendev.org/$1/$2/commits/branch/master/$3" [L,QSD]
+
+#####################################################
+# tree tab (with file) -> tree tab
+# id=
+# h=&id= (id)
+# if there's a commit, it takes precedence
+RewriteCond %{QUERY_STRING} id=([\w]+)
+RewriteRule "^cgit/(.*?)/(.*?)/tree/?(.*)" "https://opendev.org/$1/$2/src/commit/%1/$3" [L,QSD]
+
+# h=
+# if there's no commit, but a branch:
+RewriteCond %{QUERY_STRING} h=([\w/]+)
+RewriteRule "^cgit/(.*?)/(.*?)/tree/?(.*)" "https://opendev.org/$1/$2/src/branch/%1/$3" [L,QSD]
+
+# if there's no args:
+RewriteRule "^cgit/(.*?)/(.*?)/tree/?(.*)" "https://opendev.org/$1/$2/src/branch/master/$3" [L,QSD]
+
+#####################################################
+# plain link without file -> tree tab
+# id=
+# h=&id= (id)
+# if there's a commit, it takes precedence
+RewriteCond %{QUERY_STRING} id=([\w]+)
+RewriteRule "^cgit/(.*?)/(.*?)/plain/?$" "https://opendev.org/$1/$2/src/commit/%1/$3" [L,QSD]
+
+# h=
+# if there's no commit, but a branch:
+RewriteCond %{QUERY_STRING} h=([\w/]+)
+RewriteRule "^cgit/(.*?)/(.*?)/plain/?$" "https://opendev.org/$1/$2/src/branch/%1/$3" [L,QSD]
+
+# if there's no args:
+RewriteRule "^cgit/(.*?)/(.*?)/plain/?$" "https://opendev.org/$1/$2/src/branch/master/$3" [L,QSD]
+
+#####################################################
+# plain link (with file) -> raw
+# same as tree
+# id=
+# h=&id= (id)
+# if there's a commit, it takes precedence
+RewriteCond %{QUERY_STRING} id=([\w]+)
+RewriteRule "^cgit/(.*?)/(.*?)/plain/?(.*)" "https://opendev.org/$1/$2/raw/commit/%1/$3" [L,QSD]
+
+# h=
+# if there's no commit, but a branch:
+RewriteCond %{QUERY_STRING} h=([\w/]+)
+RewriteRule "^cgit/(.*?)/(.*?)/plain/?(.*)" "https://opendev.org/$1/$2/raw/branch/%1/$3" [L,QSD]
+
+# if there's no args:
+RewriteRule "^cgit/(.*?)/(.*?)/plain/?(.*)" "https://opendev.org/$1/$2/raw/branch/master/$3" [L,QSD]
+
+######################
+# commit tab (with file) -> commit screen (without file)
+# id=
+# id=&h=
+RewriteCond %{QUERY_STRING} id=([\w]+)
+RewriteRule "^cgit/(.*?)/(.*?)/commit/?(.*)" "https://opendev.org/$1/$2/commit/%1" [L,QSD]
+
+# h=
+# The commit tab in cgit will show the branch-tip commit in this case.
+# There is not a comprable page in gitea, so we redirect to the branch
+# log (which has the branch-tip commit at the top of the list). We
+# include the file if it's there to further restrict the list of
+# commits
+RewriteCond %{QUERY_STRING} h=([\w/]+)
+RewriteRule "^cgit/(.*?)/(.*?)/commit/?(.*)" "https://opendev.org/$1/$2/commits/branch/%1/$3" [L,QSD]
+
+# no args
+# Same, but with master branch
+RewriteRule "^cgit/(.*?)/(.*?)/commit/?(.*)" "https://opendev.org/$1/$2/commits/branch/master/$3" [L,QSD]
+
+######################
+# diff (with file) -> commit screen (without file)
+# Gitea doesn't handle arbitrary diffs, so just show the commit page for id.
+# We do the same thing as for the commit tab.
+# id=&id2=
+# id=
+# id=&h=
+RewriteCond %{QUERY_STRING} id=([\w]+)
+RewriteRule "^cgit/(.*?)/(.*?)/diff/?(.*)" "https://opendev.org/$1/$2/commit/%1" [L,QSD]
+
+# h=
+RewriteCond %{QUERY_STRING} h=([\w/]+)
+RewriteRule "^cgit/(.*?)/(.*?)/diff/?(.*)" "https://opendev.org/$1/$2/commits/branch/%1/$3" [L,QSD]
+
+# no args
+RewriteRule "^cgit/(.*?)/(.*?)/diff/?(.*)" "https://opendev.org/$1/$2/commits/branch/master/$3" [L,QSD]
+
+######################
+# patch (with file)
+# Gitea doesn't handle generating patch files, so just show the commit page.
+# We do the same thing as for the commit tab.
+# id=
+# id=&h=
+RewriteCond %{QUERY_STRING} id=([\w]+)
+RewriteRule "^cgit/(.*?)/(.*?)/patch/?(.*)" "https://opendev.org/$1/$2/commit/%1" [L,QSD]
+
+# h=
+RewriteCond %{QUERY_STRING} h=([\w/]+)
+RewriteRule "^cgit/(.*?)/(.*?)/patch/?(.*)" "https://opendev.org/$1/$2/commits/branch/%1/$3" [L,QSD]
+
+# no args
+RewriteRule "^cgit/(.*?)/(.*?)/patch/?(.*)" "https://opendev.org/$1/$2/commits/branch/master/$3" [L,QSD]
+
+#####################
+# tag
+# Gitea doesn't have a dedicated tag page, but if you click a tag in
+# gitea, it takes you to the source tree view for that tag, which has
+# the tagged commit at the top of the table.
+RewriteCond %{QUERY_STRING} h=([\w/\.]+)
+RewriteRule "^cgit/(.*?)/(.*?)/tag/?" "https://opendev.org/$1/$2/src/tag/%1" [L,QSD]
+
+#####################
+# Any other unknown cgit url, redirect to /
+RewriteRule "^cgit" "https://opendev.org/" [L,QSD]
+
+#####################
+# Non cgit URLs
+RewriteRule "^(.*)$" "https://opendev.org/$1" [L]
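Review bot: The `h=` and `id=` conditions (first at `RewriteCond %{QUERY_STRING} h=([\w/]+)` in the log section, repeated for tree, plain, commit, diff and patch) are unanchored and stop at the first character outside the class, so a ref such as `stable/1.0` or `feature/foo-bar` (constructed examples) is silently truncated and the client is redirected to a different ref. The same `h=` can also match the tail of another parameter whose name ends in `h`. Anchoring to a parameter boundary and widening the class, e.g. `RewriteCond %{QUERY_STRING} (?:^|&)h=([\w/.-]+)(?:&|$)`, fixes both, and names outside the class then fall through to the `master` default instead of a truncated ref. The opening `[N]` rule iterates once per `%2F` in request-controlled input, so an explicit cap such as `[N=20]` (Apache 2.4.8+) keeps that work bounded. The three `plain/?$` rules reference `$3` although the pattern has only two groups, so it always expands empty and can be dropped.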
diff --git a/modules/openstack_project/manifests/files.pp b/modules/openstack_project/manifests/files.pp
index 21c7d69da8..acb61c137c 100644
--- a/modules/openstack_project/manifests/files.pp
+++ b/modules/openstack_project/manifests/files.pp
@@ -8,6 +8,18 @@ class openstack_project::files (
$docs_cert_file_contents,
$docs_key_file_contents,
$docs_chain_file_contents,
+ $git_airship_cert_file_contents,
+ $git_airship_key_file_contents,
+ $git_airship_chain_file_contents,
+ $git_openstack_cert_file_contents,
+ $git_openstack_key_file_contents,
+ $git_openstack_chain_file_contents,
+ $git_starlingx_cert_file_contents,
+ $git_starlingx_key_file_contents,
+ $git_starlingx_chain_file_contents,
+ $git_zuul_cert_file_contents,
+ $git_zuul_key_file_contents,
+ $git_zuul_chain_file_contents,
) {
$afs_root = '/afs/openstack.org/'
@@ -30,6 +42,24 @@ class openstack_project::files (
require => File["${www_base}"],
}
+ #####################################################
+ # Git Redirects Webroot
+ file { "${www_base}/git-redirect":
+ ensure => directory,
+ owner => root,
+ group => root,
+ require => File["${www_base}"],
+ }
+
+ file { "${www_base}/git-redirect/.htaccess":
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ source => 'puppet:///modules/openstack_project/git-redirect.htaccess',
+ require => File["${www_base}/git-redirect"],
+ }
+
#####################################################
# Set up directories needed by HTTPS certs/keys
file { '/etc/ssl/certs':
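Review bot: The new `file { "${www_base}/git-redirect":` directory resource sets no `mode`, so its permissions are left to Puppet's default even though Apache has to traverse it to read the `.htaccess`. Adding `mode => '0755',` makes the intent explicit and matches the `.htaccess` resource below, which pins `0444`. The directory also writes `owner => root` and `group => root` unquoted while the next resource quotes them, so quoting both keeps the file consistent. A one-line comment that the `.htaccess` is shared by all four `git.*` redirect vhosts would help the next reader, since those vhosts are declared much further down the class.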
@@ -189,4 +219,152 @@ class openstack_project::files (
require => File['/etc/ssl/certs'],
before => File['/etc/ssl/certs/developer.openstack.org.pem'],
}
+
+
+ ###########################################################
+ # git.airshipit.org
+
+ ::httpd::vhost { 'git.airshipit.org':
+ port => 443, # Is required despite not being used.
+ docroot => "${www_base}/git-redirect",
+ priority => '50',
+ template => 'openstack_project/git-redirect.vhost.erb',
+ require => File["${www_base}/git-redirect"],
+ }
+ file { '/etc/ssl/certs/git.airshipit.org.pem':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => $git_airship_cert_file_contents,
+ require => File['/etc/ssl/certs'],
+ }
+ file { '/etc/ssl/private/git.airshipit.org.key':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0600',
+ content => $git_airship_key_file_contents,
+ require => File['/etc/ssl/private'],
+ }
+ file { '/etc/ssl/certs/git.airshipit.org_intermediate.pem':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => $git_airship_chain_file_contents,
+ require => File['/etc/ssl/certs'],
+ before => File['/etc/ssl/certs/git.airshipit.org.pem'],
+ }
+
+
+ ###########################################################
+ # git.openstack.org
+
+ ::httpd::vhost { 'git.openstack.org':
+ port => 443, # Is required despite not being used.
+ docroot => "${www_base}/git-redirect",
+ priority => '50',
+ template => 'openstack_project/git-redirect.vhost.erb',
+ require => File["${www_base}/git-redirect"],
+ }
+ file { '/etc/ssl/certs/git.openstack.org.pem':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => $git_openstack_cert_file_contents,
+ require => File['/etc/ssl/certs'],
+ }
+ file { '/etc/ssl/private/git.openstack.org.key':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0600',
+ content => $git_openstack_key_file_contents,
+ require => File['/etc/ssl/private'],
+ }
+ file { '/etc/ssl/certs/git.openstack.org_intermediate.pem':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => $git_openstack_chain_file_contents,
+ require => File['/etc/ssl/certs'],
+ before => File['/etc/ssl/certs/git.openstack.org.pem'],
+ }
+
+
+ ###########################################################
+ # git.starlingx.io
+
+ ::httpd::vhost { 'git.starlingx.io':
+ port => 443, # Is required despite not being used.
+ docroot => "${www_base}/git-redirect",
+ priority => '50',
+ template => 'openstack_project/git-redirect.vhost.erb',
+ require => File["${www_base}/git-redirect"],
+ }
+ file { '/etc/ssl/certs/git.starlingx.io.pem':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => $git_starlingx_cert_file_contents,
+ require => File['/etc/ssl/certs'],
+ }
+ file { '/etc/ssl/private/git.starlingx.io.key':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0600',
+ content => $git_starlingx_key_file_contents,
+ require => File['/etc/ssl/private'],
+ }
+ file { '/etc/ssl/certs/git.starlingx.io_intermediate.pem':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => $git_starlingx_chain_file_contents,
+ require => File['/etc/ssl/certs'],
+ before => File['/etc/ssl/certs/git.starlingx.io.pem'],
+ }
+
+
+ ###########################################################
+ # git.zuul-ci.org
+
+ ::httpd::vhost { 'git.zuul-ci.org':
+ port => 443, # Is required despite not being used.
+ docroot => "${www_base}/git-redirect",
+ priority => '50',
+ template => 'openstack_project/git-redirect.vhost.erb',
+ require => File["${www_base}/git-redirect"],
+ }
+ file { '/etc/ssl/certs/git.zuul-ci.org.pem':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => $git_zuul_cert_file_contents,
+ require => File['/etc/ssl/certs'],
+ }
+ file { '/etc/ssl/private/git.zuul-ci.org.key':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0600',
+ content => $git_zuul_key_file_contents,
+ require => File['/etc/ssl/private'],
+ }
+ file { '/etc/ssl/certs/git.zuul-ci.org_intermediate.pem':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => $git_zuul_chain_file_contents,
+ require => File['/etc/ssl/certs'],
+ before => File['/etc/ssl/certs/git.zuul-ci.org.pem'],
+ }
}
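Review bot: None of the four new `::httpd::vhost` resources is ordered against its own certificate and key files, since each has only `require => File["${www_base}/git-redirect"]`. Apache can therefore be given a vhost whose `SSLCertificateKeyFile` does not exist yet; whether `httpd::vhost` triggers a reload is not visible in this hunk. Extending the vhost's `require`, e.g. `require => [File["${www_base}/git-redirect"], File['/etc/ssl/private/git.airshipit.org.key'], File['/etc/ssl/certs/git.airshipit.org.pem']],`, closes that gap for each host. The four `*.key` resources carry private key material in `content`, so `show_diff => false,` on them keeps it out of agent logs and reports wherever diff display is enabled. The four stanzas differ only in hostname and parameter name, so a small defined type would remove the duplication; the enclosing class starts outside this hunk.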
diff --git a/modules/openstack_project/templates/git-redirect.vhost.erb b/modules/openstack_project/templates/git-redirect.vhost.erb
new file mode 100644
index 0000000000..db6fbb9d8c
--- /dev/null
+++ b/modules/openstack_project/templates/git-redirect.vhost.erb
@@ -0,0 +1,49 @@
+# ************************************
+# Managed by Puppet
+# ************************************
+
+
+ ServerName <%= @srvname %>
+ RewriteEngine On
+ DocumentRoot <%= @docroot %>
+ >
+ Options Indexes FollowSymLinks MultiViews
+ AllowOverride None
+ AllowOverrideList Redirect RedirectMatch
+ Satisfy Any
+ Require all granted
+
+ LogLevel warn
+ ErrorLog /var/log/apache2/<%= @srvname %>_error.log
+ CustomLog /var/log/apache2/<%= @srvname %>_access.log combined
+ ServerSignature Off
+
+
+
+
+ ServerName <%= @srvname %>
+ RewriteEngine On
+ DocumentRoot <%= @docroot %>
+ SSLEngine on
+ SSLProtocol All -SSLv2 -SSLv3
+ # Once the machine is using something to terminate TLS that supports ECDHE
+ # then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
+ # only is guarenteed.
+ SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+ SSLHonorCipherOrder on
+ SSLCertificateFile /etc/ssl/certs/<%= @srvname %>.pem
+ SSLCertificateKeyFile /etc/ssl/private/<%= @srvname %>.key
+ SSLCertificateChainFile /etc/ssl/certs/<%= @srvname %>_intermediate.pem
+ >
+ Options Indexes FollowSymLinks MultiViews
+ AllowOverride None
+ AllowOverrideList Redirect RedirectMatch
+ Satisfy Any
+ Require all granted
+
+ LogLevel warn
+ ErrorLog /var/log/apache2/<%= @srvname %>_error.log
+ CustomLog /var/log/apache2/<%= @srvname %>_access.log combined
+ ServerSignature Off
+
+
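Review bot: The directory block permits only `Redirect` and `RedirectMatch` in overrides (`AllowOverride None` with `AllowOverrideList Redirect RedirectMatch`), but the `.htaccess` this change installs into the same docroot consists of `RewriteCond` and `RewriteRule` lines, which Apache answers with a server error when they are not on the list. Keeping the allow-list tight is the right instinct, so it should name what the file actually uses, `AllowOverrideList RewriteCond RewriteRule`, or the rules could move into the vhost with overrides disabled entirely. `Indexes` and `MultiViews` in `Options` are not needed on a redirect-only docroot, and `SSLProtocol All -SSLv2 -SSLv3` still leaves TLS 1.0 and 1.1 enabled. The template's container tags appear to have been lost in the text shown here, so the scoping of these directives is inferred from their order.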