Fix zuul-ci.org vhost cert paths

We were setting the cert file contents to the paths rather than updating
the paths to point at the new LE certs. Fix this by setting the _file
vars which update the path.

This includes a partial revert of the previous change to not switch
git.zuul-ci.org over to LE as we haven't provisioned an LE cert for it
yet.

Change-Id: I41c2aa1d03afba4ebf6378e9abf8276154666df7
Clark Boylan 2020-01-08 10:03:05 -08:00
parent 44ca7193ea
commit 42c0d0696c
2 changed files with 47 additions and 15 deletions


@ -442,6 +442,9 @@ node /^files\d*\.open.*\.org$/ {
git_starlingx_cert_file_contents => hiera('git_starlingx_cert_file_contents'),
git_starlingx_key_file_contents => hiera('git_starlingx_key_file_contents'),
git_starlingx_chain_file_contents => hiera('git_starlingx_chain_file_contents'),
git_zuul_cert_file_contents => hiera('git_zuul_cert_file_contents'),
git_zuul_key_file_contents => hiera('git_zuul_key_file_contents'),
git_zuul_chain_file_contents => hiera('git_zuul_chain_file_contents'),
require => Class['Openstack_project::Server'],
}
@ -481,22 +484,12 @@ node /^files\d*\.open.*\.org$/ {
}
openstack_project::website { 'zuul-ci.org':
aliases => ['www.zuul-ci.org', 'zuulci.org', 'www.zuulci.org'],
ssl_cert => '/etc/letsencrypt-certs/zuul-ci.org/zuul-ci.org.cer',
ssl_key => '/etc/letsencrypt-certs/zuul-ci.org/zuul-ci.org.key',
ssl_intermediate => '/etc/letsencrypt-certs/zuul-ci.org/ca.cer',
require => Class['openstack_project::files'],
aliases => ['www.zuul-ci.org', 'zuulci.org', 'www.zuulci.org'],
ssl_cert_file => '/etc/letsencrypt-certs/zuul-ci.org/zuul-ci.org.cer',
ssl_key_file => '/etc/letsencrypt-certs/zuul-ci.org/zuul-ci.org.key',
ssl_chain_file => '/etc/letsencrypt-certs/zuul-ci.org/ca.cer',
require => Class['openstack_project::files'],
}
openstack_project::website { 'git.zuul-ci.org':
docroot => "/var/www/git-redirect",
allow_override_list => "Redirect RedirectMatch RewriteEngine RewriteBase RewriteCond RewriteMap RewriteOptions RewriteRule",
ssl_cert => '/etc/letsencrypt-certs/git.zuul-ci.org/git.zuul-ci.org.cer',
ssl_key => '/etc/letsencrypt-certs/git.zuul-ci.org/git.zuul-ci.org.key',
ssl_intermediate => '/etc/letsencrypt-certs/git.zuul-ci.org/ca.cer',
require => Class['openstack_project::files'],
}
}
# Node-OS: trusty
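Review bot: The three `ssl_*_file` values on the `zuul-ci.org` resource are paths to files that nothing in this hunk manages, and the only ordering is `require => Class['openstack_project::files']`. On a files host where the LE cert has not been issued yet, Apache would presumably be handed a vhost that points at missing cert and key files. A short comment above the resource would record the dependency, for example `# Certs under /etc/letsencrypt-certs are provisioned outside this manifest and must exist before this vhost is applied.` Because the bug fixed here came from the near-identical `ssl_cert` / `ssl_cert_file` parameter names, the `openstack_project::website` define (not shown in this diff) could also reject a contents value that does not look like PEM data. The enclosing node block starts outside the hunk.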


@ -17,6 +17,9 @@ class openstack_project::files (
$git_starlingx_cert_file_contents,
$git_starlingx_key_file_contents,
$git_starlingx_chain_file_contents,
$git_zuul_cert_file_contents,
$git_zuul_key_file_contents,
$git_zuul_chain_file_contents,
) {
$afs_root = '/afs/openstack.org/'
@ -327,4 +330,40 @@ class openstack_project::files (
require => File['/etc/ssl/certs'],
before => File['/etc/ssl/certs/git.starlingx.io.pem'],
}
###########################################################
# git.zuul-ci.org
::httpd::vhost { 'git.zuul-ci.org':
port => 443, # Is required despite not being used.
docroot => "${www_base}/git-redirect",
priority => '50',
template => 'openstack_project/git-redirect.vhost.erb',
require => File["${www_base}/git-redirect"],
}
file { '/etc/ssl/certs/git.zuul-ci.org.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $git_zuul_cert_file_contents,
require => File['/etc/ssl/certs'],
}
file { '/etc/ssl/private/git.zuul-ci.org.key':
ensure => present,
owner => 'root',
group => 'root',
mode => '0600',
content => $git_zuul_key_file_contents,
require => File['/etc/ssl/private'],
}
file { '/etc/ssl/certs/git.zuul-ci.org_intermediate.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $git_zuul_chain_file_contents,
require => File['/etc/ssl/certs'],
before => File['/etc/ssl/certs/git.zuul-ci.org.pem'],
}
}
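Review bot: The `file { '/etc/ssl/private/git.zuul-ci.org.key': }` resource writes the private key through `content =>`, so if the agent runs with `show_diff` enabled, any change to the key would appear as a diff in the agent log and report; adding `show_diff => false,` to that resource prevents this regardless of agent settings. The `::httpd::vhost { 'git.zuul-ci.org': }` resource requires only the docroot, so as far as this hunk shows nothing orders it after the cert, key and chain files, and nothing notifies the web server when their content changes; if the git-redirect template references these paths, a `require` on the three File resources would make first-run ordering explicit. A one-line comment above the block, such as `# Hiera-managed certs: git.zuul-ci.org has no LE cert provisioned yet.`, would explain why this vhost differs from zuul-ci.org. The enclosing class body starts outside the hunk.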