Add option for LE provisioned certs to zuul::web

We need to communicate to apache vhost config that we want LE certs to
be used in some cases. Add a vhosts_flags flag to signal this then plumb
the correct data into the vhost when set.

Note this requires the vhost name and the le cert name to match as that
is our mapping between puppet and ansibe here.

Change-Id: I40131525c10152ebb0a7495588f137e3c019bbc5

manifests/status_backups.pp

@@ -15,6 +15,7 @@
 define zuul::status_backups (
   $tenant_name,
   $ssl,
+  $use_le = undef, # Unused here
   $status_uri = undef,
 ) {
   if $status_uri == undef {

manifests/web.pp

@@ -74,6 +74,7 @@ class zuul::web (
       "${vhost_name}" => {
         tenant_name => $tenant_name,
         ssl         => $use_ssl,
+        use_le      => false,
       }
     }
   }

templates/zuulv3.vhost.erb

@@ -6,11 +6,17 @@
 <% if @ssl -%>
   SSLEngine on
   SSLProtocol All -SSLv2 -SSLv3
+<% if ! [false, '', nil].include?(scope.lookupvar('::zuul::web::vhosts_flags_int')[@vhost_name]['use_le']) -%>
+  SSLCertificateFile /etc/letsencrypt-certs/<%= @vhost_name %>/<%= @vhost_name %>.cer
+  SSLCertificateKeyFile /etc/letsencrypt-certs/<%= @vhost_name %>/<%= @vhost_name %>.key
+  SSLCertificateChainFile /etc/letsencrypt-certs/<%= @vhost_name %>/ca.cer
+<% else -%>
   SSLCertificateFile /etc/ssl/certs/<%= @vhost_name %>.pem
   SSLCertificateKeyFile /etc/ssl/private/<%= @vhost_name %>.key
 <% if scope.lookupvar('::zuul::web::vhosts_ssl_int')[@vhost_name]['ssl_chain_file_contents'] != '' -%>
   SSLCertificateChainFile /etc/ssl/certs/<%= @vhost_name %>_intermediate.pem
 <% end -%>
+<% end -%>
 <% end -%>
 
   ServerName <%= @vhost_name %>