Add option for LE provisioned certs to zuul::web

We need to communicate to apache vhost config that we want LE certs to
be used in some cases. Add a vhosts_flags flag to signal this then plumb
the correct data into the vhost when set.

Note this requires the vhost name and the le cert name to match, as that
is our mapping between puppet and ansible here.

Change-Id: I40131525c10152ebb0a7495588f137e3c019bbc5
Clark Boylan 2020-01-06 11:17:29 -08:00
parent b7d49bf548
commit fb45aaaeec
3 changed files with 8 additions and 0 deletions


@ -15,6 +15,7 @@
define zuul::status_backups (
$tenant_name,
$ssl,
$use_le = undef, # Unused here
$status_uri = undef,
) {
if $status_uri == undef {
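Review bot: The comment on the new `$use_le = undef, # Unused here` parameter says it is unused but not why the define accepts it. Judging from the flags hash in zuul::web, whose keys (`tenant_name`, `ssl`, and now `use_le`) line up with this define's parameters, the entries are presumably passed straight through as resource parameters, so the define would reject the new key without it; that is inferred, not shown in this hunk. Something like `# Accepted only because vhosts_flags entries are passed as this define's parameters; the vhost template reads it` would stop a later cleanup from removing it. The define's body continues outside the hunk.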


@ -74,6 +74,7 @@ class zuul::web (
"${vhost_name}" => {
tenant_name => $tenant_name,
ssl => $use_ssl,
use_le => false,
}
}
}
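Review bot: The new `use_le => false,` entry in the default flags hash is undocumented, and from the visible lines the Let's Encrypt paths can only be reached when a caller supplies its own `vhosts_flags`; the class parameter list is outside the hunk, so that is inferred. The vhost template on this page treats every value other than `false`, `''` or `nil` as enabled, so a string such as `'false'` coming from data would select the LE certificate and key paths. A comment at the hash would make the contract explicit, for example `# use_le must be a real boolean; true reads /etc/letsencrypt-certs/<vhost_name>/, so the LE cert name has to equal the vhost name`. Validating the value as a boolean where `vhosts_flags` is accepted would be the stricter option.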


@ -6,11 +6,17 @@
<% if @ssl -%>
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
<% if ! [false, '', nil].include?(scope.lookupvar('::zuul::web::vhosts_flags_int')[@vhost_name]['use_le']) -%>
SSLCertificateFile /etc/letsencrypt-certs/<%= @vhost_name %>/<%= @vhost_name %>.cer
SSLCertificateKeyFile /etc/letsencrypt-certs/<%= @vhost_name %>/<%= @vhost_name %>.key
SSLCertificateChainFile /etc/letsencrypt-certs/<%= @vhost_name %>/ca.cer
<% else -%>
SSLCertificateFile /etc/ssl/certs/<%= @vhost_name %>.pem
SSLCertificateKeyFile /etc/ssl/private/<%= @vhost_name %>.key
<% if scope.lookupvar('::zuul::web::vhosts_ssl_int')[@vhost_name]['ssl_chain_file_contents'] != '' -%>
SSLCertificateChainFile /etc/ssl/certs/<%= @vhost_name %>_intermediate.pem
<% end -%>
<% end -%>
<% end -%>
ServerName <%= @vhost_name %>