static: move afs sites from files.openstack.org to static.opendev.org

This creates sites to serve developer.openstack.org docs.openstack.org docs.opendev.org docs.starlingx.io which are all just static directories underneath /afs/openstack.org/. This is currently done by files02.openstack.org, but will be better served in the future by consolidating in ansible configuration on static.opendev.org. The following dns entries need to be made before merging to ensure the certificates are provisioned _acme-challenge.developer.openstack.org _acme-challenge.docs.openstack.org _acme-challenge.docs.opendev.org _acme-challenge.docs.starlingx.io Once done, we can merge and then cut-over the main DNS entries as we like. Since there are some follow-ons, I have not removed the puppet configuration from files02.openstack.org. I think it's best we migrate everything away from that and remove it in one lot. Change-Id: I459a36f823a8868e6cc09e2b0d85f2fe05d69002
2020-02-21 12:32:13 +11:00 · 2020-02-21 12:32:13 +11:00 · 3206fd02b8
parent 52ef51ca2a
commit 3206fd02b8
9 changed files with 300 additions and 0 deletions
--- a/playbooks/host_vars/static01.opendev.org.yaml
+++ b/playbooks/host_vars/static01.opendev.org.yaml
@ -3,6 +3,14 @@ letsencrypt_certs:
  static01-opendev-org-main:
    - static.opendev.org
    - static01.opendev.org
+  static01-developer-openstack-org:
+    - developer.openstack.org
+  static01-docs-opendev-org:
+    - docs.opendev.org
+  static01-docs-openstack-org:
+    - docs.openstack.org
+  static01-docs-starlingx-io:
+    - docs.starlingx.io
  static01-governance-openstack-org:
    - governance.openstack.org
  static01-service-types-openstack-org:
@ -17,3 +25,8 @@ letsencrypt_certs:
    - tarballs.opendev.org
  static01-tarballs-openstack-org:
    - tarballs.openstack.org
+  static01-zuul-ci-org:
+    - zuul-ci.org
+    - www.zuul-ci.org
+    - zuulci.org
+    - www.zuulci.org
--- a/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml
+++ b/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml
@ -38,6 +38,18 @@
 - name: letsencrypt updated static01-opendev-org-main
  include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml

+- name: letsencrypt updated static01-developer-openstack-org
+  include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml
+
+- name: letsencrypt updated static01-docs-opendev-org
+  include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml
+
+- name: letsencrypt updated static01-docs-openstack-org
+  include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml
+
+- name: letsencrypt updated static01-docs-starlingx-io
+  include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml
+
 - name: letsencrypt updated static01-governance-openstack-org
  include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml

@ -59,6 +71,9 @@
 - name: letsencrypt updated static01-tarballs-openstack-org
  include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml

+- name: letsencrypt updated static01-zuul-ci-org
+  include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml
+
 # review-dev

 - name: letsencrypt updated review-dev01-opendev-org-main
--- a/playbooks/roles/static/files/50-developer.openstack.org.conf
+++ b/playbooks/roles/static/files/50-developer.openstack.org.conf
@ -0,0 +1,42 @@
+<VirtualHost *:80>
+    ServerName developer.openstack.org
+
+    RewriteEngine on
+    RewriteRule ^/(.*) https://developer.openstack.org/$1 [last,redirect=permanent]
+
+    ErrorLog /var/log/apache2/developer.openstack.org_error.log
+    LogLevel warn
+    CustomLog /var/log/apache2/developer.openstack.org_access.log combined
+    ServerSignature Off
+</VirtualHost>
+
+<IfModule mod_ssl.c>
+<VirtualHost *:443>
+    ServerName developer.openstack.org
+
+    RewriteEngine on
+
+  SSLCertificateFile      /etc/letsencrypt-certs/developer.openstack.org/developer.openstack.org.cer
+  SSLCertificateKeyFile   /etc/letsencrypt-certs/developer.openstack.org/developer.openstack.org.key
+  SSLCertificateChainFile /etc/letsencrypt-certs/developer.openstack.org/ca.cer
+  SSLProtocol All -SSLv2 -SSLv3
+  # Note: this list should ensure ciphers that provide forward secrecy
+  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+  SSLHonorCipherOrder on
+
+    DocumentRoot /afs/openstack.org/developer-docs
+    <Directory /afs/openstack.org/developer-docs>
+        Options Indexes FollowSymLinks MultiViews
+        Satisfy any
+        Require all granted
+        # Allow mod_rewrite rules
+        AllowOverride FileInfo
+        ErrorDocument 404 /errorpage.html
+    </Directory>
+
+    ErrorLog /var/log/apache2/developer.openstack.org_error.log
+    LogLevel warn
+    CustomLog /var/log/apache2/developer.openstack.org_access.log combined
+    ServerSignature Off
+</VirtualHost>
+</IfModule>
--- a/playbooks/roles/static/files/50-docs.opendev.org.conf
+++ b/playbooks/roles/static/files/50-docs.opendev.org.conf
@ -0,0 +1,44 @@
+<VirtualHost *:80>
+    ServerName docs.opendev.org
+
+    RewriteEngine on
+    RewriteRule ^/(.*) https://docs.opendev.org/$1 [last,redirect=permanent]
+
+    ErrorLog /var/log/apache2/docs.opendev.org_error.log
+    LogLevel warn
+    CustomLog /var/log/apache2/docs.opendev.org_access.log combined
+    ServerSignature Off
+</VirtualHost>
+
+<IfModule mod_ssl.c>
+<VirtualHost *:443>
+    ServerName docs.opendev.org
+
+    RewriteEngine on
+
+  SSLCertificateFile      /etc/letsencrypt-certs/docs.opendev.org/docs.opendev.org.cer
+  SSLCertificateKeyFile   /etc/letsencrypt-certs/docs.opendev.org/docs.opendev.org.key
+  SSLCertificateChainFile /etc/letsencrypt-certs/docs.opendev.org/ca.cer
+  SSLProtocol All -SSLv2 -SSLv3
+  # Note: this list should ensure ciphers that provide forward secrecy
+  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+  SSLHonorCipherOrder on
+
+
+    DocumentRoot /afs/openstack.org/project/opendev.org/docs
+    <Directory /afs/openstack.org/project/opendev.org/docs>
+        Options Indexes FollowSymLinks MultiViews
+        Satisfy any
+        Require all granted
+        AllowOverride None
+        # Allow mod_rewrite rules
+        AllowOverrideList Redirect RedirectMatch
+        ErrorDocument 404 /errorpage.html
+    </Directory>
+
+    ErrorLog /var/log/apache2/docs.opendev.org_error.log
+    LogLevel warn
+    CustomLog /var/log/apache2/docs.opendev.org_access.log combined
+    ServerSignature Off
+</VirtualHost>
+</IfModule>
--- a/playbooks/roles/static/files/50-docs.openstack.org.conf
+++ b/playbooks/roles/static/files/50-docs.openstack.org.conf
@ -0,0 +1,43 @@
+<VirtualHost *:80>
+    ServerName docs.openstack.org
+
+    RewriteEngine on
+    RewriteRule ^/(.*) https://docs.openstack.org/$1 [last,redirect=permanent]
+
+    ErrorLog /var/log/apache2/docs.openstack.org_error.log
+    LogLevel warn
+    CustomLog /var/log/apache2/docs.openstack.org_access.log combined
+    ServerSignature Off
+</VirtualHost>
+
+<IfModule mod_ssl.c>
+<VirtualHost *:443>
+    ServerName docs.openstack.org
+
+    RewriteEngine on
+
+  SSLCertificateFile      /etc/letsencrypt-certs/docs.openstack.org/docs.openstack.org.cer
+  SSLCertificateKeyFile   /etc/letsencrypt-certs/docs.openstack.org/docs.openstack.org.key
+  SSLCertificateChainFile /etc/letsencrypt-certs/docs.openstack.org/ca.cer
+  SSLProtocol All -SSLv2 -SSLv3
+  # Note: this list should ensure ciphers that provide forward secrecy
+  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+  SSLHonorCipherOrder on
+
+    DocumentRoot /afs/openstack.org/docs
+    <Directory /afs/openstack.org/docs>
+        Options Indexes FollowSymLinks MultiViews
+        Satisfy any
+        Require all granted
+        AllowOverride None
+        # Allow mod_rewrite rules
+        AllowOverrideList Redirect RedirectMatch
+        ErrorDocument 404 /errorpage.html
+    </Directory>
+
+    ErrorLog /var/log/apache2/docs.openstack.org_error.log
+    LogLevel warn
+    CustomLog /var/log/apache2/docs.openstack.org_access.log combined
+    ServerSignature Off
+</VirtualHost>
+</IfModule>
--- a/playbooks/roles/static/files/50-docs.starlingx.io.conf
+++ b/playbooks/roles/static/files/50-docs.starlingx.io.conf
@ -0,0 +1,43 @@
+<VirtualHost *:80>
+    ServerName docs.starlingx.io
+
+    RewriteEngine on
+    RewriteRule ^/(.*) https://docs.starlingx.io/$1 [last,redirect=permanent]
+
+    ErrorLog /var/log/apache2/docs.starlingx.io_error.log
+    LogLevel warn
+    CustomLog /var/log/apache2/docs.starlingx.io_access.log combined
+    ServerSignature Off
+</VirtualHost>
+
+<IfModule mod_ssl.c>
+<VirtualHost *:443>
+    ServerName docs.starlingx.io
+
+    RewriteEngine on
+
+  SSLCertificateFile      /etc/letsencrypt-certs/docs.starlingx.io/docs.starlingx.io.cer
+  SSLCertificateKeyFile   /etc/letsencrypt-certs/docs.starlingx.io/docs.starlingx.io.key
+  SSLCertificateChainFile /etc/letsencrypt-certs/docs.starlingx.io/ca.cer
+  SSLProtocol All -SSLv2 -SSLv3
+  # Note: this list should ensure ciphers that provide forward secrecy
+  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+  SSLHonorCipherOrder on
+
+    DocumentRoot /afs/openstack.org/project/starlingx.io/www
+    <Directory /afs/openstack.org/project/starlingx.io/www>
+        Options Indexes FollowSymLinks MultiViews
+        Satisfy any
+        Require all granted
+        AllowOverride None
+        # Allow mod_rewrite rules
+        AllowOverrideList Redirect RedirectMatch
+        ErrorDocument 404 /errorpage.html
+    </Directory>
+
+    ErrorLog /var/log/apache2/docs.starlingx.io_error.log
+    LogLevel warn
+    CustomLog /var/log/apache2/docs.starlingx.io_access.log combined
+    ServerSignature Off
+</VirtualHost>
+</IfModule>
--- a/playbooks/roles/static/files/50-zuul-ci.org.conf
+++ b/playbooks/roles/static/files/50-zuul-ci.org.conf
@ -0,0 +1,52 @@
+<VirtualHost *:80>
+    ServerName zuul-ci.org
+    ServerAlias www.zuul-ci.org
+    ServerAlias zuulci.org
+    ServerAlias www.zuulci.org
+
+    RewriteEngine on
+    RewriteRule ^/(.*) https://zuul-ci.org/$1 [last,redirect=permanent]
+
+    ErrorLog /var/log/apache2/zuul-ci.org_error.log
+    LogLevel warn
+    CustomLog /var/log/apache2/zuul-ci.org_access.log combined
+    ServerSignature Off
+</VirtualHost>
+
+<IfModule mod_ssl.c>
+<VirtualHost *:443>
+    ServerName zuul-ci.org
+    ServerAlias www.zuul-ci.org
+    ServerAlias zuulci.org
+    ServerAlias www.zuulci.org
+
+    RewriteEngine on
+
+    SSLEngine on
+    SSLProtocol All -SSLv2 -SSLv3
+    # Once the machine is using something to terminate TLS that supports ECDHE
+    # then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
+    # only is guarenteed.
+    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+    SSLHonorCipherOrder on
+    SSLCertificateFile /etc/letsencrypt-certs/zuul-ci.org/zuul-ci.org.cer
+    SSLCertificateKeyFile /etc/letsencrypt-certs/zuul-ci.org/zuul-ci.org.key
+    SSLCertificateChainFile /etc/letsencrypt-certs/zuul-ci.org/ca.cer
+
+    DocumentRoot /afs/openstack.org/project/zuul-ci.org/www
+    <Directory /afs/openstack.org/project/zuul-ci.org/www>
+        Options Indexes FollowSymLinks MultiViews
+        Satisfy any
+        Require all granted
+        AllowOverride None
+        # Allow mod_rewrite rules
+        AllowOverrideList Redirect RedirectMatch
+        ErrorDocument 404 /errorpage.html
+    </Directory>
+
+    ErrorLog /var/log/apache2/zuul-ci.org_error.log
+    LogLevel warn
+    CustomLog /var/log/apache2/zuul-ci.org_access.log combined
+    ServerSignature Off
+</VirtualHost>
+</IfModule>
--- a/playbooks/roles/static/tasks/main.yaml
+++ b/playbooks/roles/static/tasks/main.yaml
@ -59,6 +59,10 @@
  include_tasks: enable_site.yaml
  loop:
    - 00-static.opendev.org
+    - 50-developer.openstack.org
+    - 50-docs.opendev.org
+    - 50-docs.openstack.org
+    - 50-docs.starlingx.io
    - 50-governance.openstack.org
    - 50-security.openstack.org
    - 50-service-types.openstack.org
@ -66,3 +70,4 @@
    - 50-releases.openstack.org
    - 50-tarballs.opendev.org
    - 50-tarballs.openstack.org
+    - 50-zuul-ci.org
--- a/testinfra/test_static.py
+++ b/testinfra/test_static.py
@ -12,6 +12,7 @@
 # License for the specific language governing permissions and limitations
 # under the License.

+import pytest

 testinfra_hosts = ['static01.opendev.org']

@ -71,3 +72,45 @@ def test_releases_openstack_org(host):
                   '--resolve releases.openstack.org:443:127.0.0.1 '
                   'https://releases.openstack.org')
    assert 'OpenStack Releases: OpenStack Releases' in cmd.stdout
+
+def test_developer_openstack_org(host):
+    cmd = host.run('curl --insecure '
+                   '--resolve developer.openstack.org:443:127.0.0.1 '
+                   'https://developer.openstack.org')
+    assert 'OpenStack Docs: Application Development' in cmd.stdout
+
+def test_docs_openstack_org(host):
+    cmd = host.run('curl --insecure '
+                   '--resolve docs.openstack.org:443:127.0.0.1 '
+                   'https://docs.openstack.org')
+    # links to the latest, make sure it redirected us
+    assert '301 Moved Permanently' in cmd.stdout
+
+def test_docs_opendev_org(host):
+    cmd = host.run('curl --insecure '
+                   '--resolve docs.opendev.org:443:127.0.0.1 '
+                   'https://docs.opendev.org')
+    assert 'Index of /' in cmd.stdout
+
+def test_docs_starlingx_io(host):
+    cmd = host.run('curl --insecure '
+                   '--resolve docs.starlingx.io:443:127.0.0.1 '
+                   'https://docs.starlingx.io')
+    # links to the latest, make sure it redirected us
+    assert 'StarlingX Docs: Welcome to the StarlingX Documentation' \
+        in cmd.stdout
+
+zuul_names = (
+    'zuul-ci.org',
+    'www.zuul-ci.org',
+    'zuulci.org',
+    'www.zuulci.org',
+)
+
+@pytest.mark.parametrize("name", zuul_names)
+def test_docs_openstack_org(host, name):
+
+    cmd = host.run('curl --insecure '
+                   '--resolve %s:443:127.0.0.1 https://%s/ ' %
+                   (name, name))
+    assert 'Zuul is an open source CI tool' in cmd.stdout