From 5484442876318c00a4ad5db8864afd40a12bee66 Mon Sep 17 00:00:00 2001
From: Paul Belanger
Date: Fri, 28 Jul 2017 15:04:00 -0400
Subject: [PATCH] Add self-signed cert for zuulv3.o.o This was imported from local snake-oil cert generated by zuulv3.o.o. Also open 443 on firewall.
Change-Id: Icfbf2097fd671763c5b3d2232fe77f7ff5a0cbca
Signed-off-by: Paul Belanger
---
 hiera/fqdn/zuulv3.openstack.org.yaml | 20 +++++++++++++++
 manifests/site.pp | 38 +++++++++++++++-------------
 2 files changed, 40 insertions(+), 18 deletions(-)
diff --git a/hiera/fqdn/zuulv3.openstack.org.yaml b/hiera/fqdn/zuulv3.openstack.org.yaml
index e4e16aee11..4f61f8d2d9 100644
--- a/hiera/fqdn/zuulv3.openstack.org.yaml
+++ b/hiera/fqdn/zuulv3.openstack.org.yaml
@@ -48,3 +48,23 @@ gearman_server_ssl_cert: |
 uJziOvdg7jte0u609MWj3DOdey4HsxlEU27w13kzGI6RpPquvl/YB8Y6WMAIL8in
 1GRv9pIfENRRHOiC57p0RSQZZ/2V
 -----END CERTIFICATE-----
+
+zuul_ssl_cert_file_contents: |
+ -----BEGIN CERTIFICATE-----
+ MIICzjCCAbagAwIBAgIJAMV1mxY+iSJpMA0GCSqGSIb3DQEBCwUAMB8xHTAbBgNV
+ BAMMFHp1dWx2My5vcGVuc3RhY2sub3JnMB4XDTE3MDYwMjE5MzUwMloXDTI3MDUz
+ MTE5MzUwMlowHzEdMBsGA1UEAwwUenV1bHYzLm9wZW5zdGFjay5vcmcwggEiMA0G
+ CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDvgAf85YVjjBTHYJnIx8VA1VvSAidD
+ LHp2Yn+7DgUfHXjNdpftTgvWxnzXMFaglNzrNrixGNlkg1sdGDJ+DB/mvptKJUEH
+ WMfOVI98Eo0dx5w+lcP8XGTg6/SY59+PiqNpCmi+T49axQO2XKNlt+ZJsSVaEhEj
+ E2OrkZY+A8RFj07TUjSMv/pmo3AxgVjFoWszDT8pj30CTT3lg3eXXJwlqrH/P9IQ
+ FnwRSt3sR60ahFFJnvHdL1FJl/I0W5nWD6LNEpX7ryaIUIqMhQpQjGDpvG77ntfW
+ A5zhBVWPC7p2k6OaUD6AjlPMJLZh5YbyGaRN4l2Z4oizBGjoq1Qv9QehAgMBAAGj
+ DTALMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAOFIxTTiw10jWRKQuRKU
+ KskncSNj3ZxSjwPTOQs++hLjYYYlKA4LbWwokp7u5rTpJP/NHYLHXIda6l/Ne3JG
+ +Mby/vu0TKMX2z+0IQx3MZG7b+4NkH4jg40Q+Y879n0jvOfBplHtJB1UmQYk51fs
+ Hbrb6vvxeLRJ74JZX6t756gZnagzAoLj7DtmTfruUVjD/kRJK8gUCyKMNvN6PH3u
+ 5Ls4WwOME+bFdFcxBJjj1LSKGlZoE22mSVlRqHvVXVfM9XTolvw5PequFhiPXYyj
+ ESN9QfRuVeKltTl8NdDgwlYjBBUYR5omuX5LLWUSXuvQK/dYM4ahERf3ivbXMjhF
+ M+Q=
+ -----END CERTIFICATE-----
diff --git a/manifests/site.pp b/manifests/site.pp
index 7dea17e107..8072697e3f 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -1186,7 +1186,7 @@ node 'zuulv3.openstack.org' {
 $iptables_rules = regsubst ($gearman_workers, '^(.*)$', '-m state --state NEW -m tcp -p tcp --dport 4730 -s \1 -j ACCEPT')
 class { 'openstack_project::server':
- iptables_public_tcp_ports => [80],
+ iptables_public_tcp_ports => [80, 443],
 iptables_rules6 => $iptables_rules,
 iptables_rules4 => $iptables_rules,
 sysadmins => hiera('sysadmins', []),
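Review bot: Nothing next to `zuul_ssl_cert_file_contents` records that this is a self-signed placeholder or when it expires; that information lives only in the commit message. Decoding the PEM, it appears to be valid from June 2017 to May 2027 for CN zuulv3.openstack.org with no subjectAltName, so validating clients will reject it and nothing in the repository will flag the expiry. I would add a comment above the key such as `# Self-signed (snake-oil) cert imported from the host; replace with a CA-issued cert.` The matching `zuul_ssl_key_file_contents` is not added in this hunk, which is right for a public file; it should exist only in private hiera.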
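Review bot: Port 80 stays in `iptables_public_tcp_ports` beside the new 443, so the service remains reachable over plain HTTP unless the vhost that `::zuul` sets up redirects to HTTPS; that vhost is not visible in this diff. If port 80 is kept on purpose, a one-line comment above the parameter saying why would save the next reader from guessing. The `openstack_project::server` declaration continues past the end of this hunk.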
@@ -1199,23 +1199,25 @@ node 'zuulv3.openstack.org' {
 # NOTE(pabelanger): We call ::zuul directly, so we can override all in one
 # settings.
 class { '::zuul':
- gerrit_server => $gerrit_server,
- gerrit_user => $gerrit_user,
- zuul_ssh_private_key => $zuul_ssh_private_key,
- git_email => $git_email,
- git_name => $git_name,
- revision => $revision,
- python_version => 3,
- zookeeper_hosts => 'nodepool.openstack.org:2181',
- zuulv3 => true,
- connections => hiera('zuul_connections', []),
- connection_secrets => hiera('zuul_connection_secrets', []),
- zuul_status_url => 'http://127.0.0.1:8001/openstack',
- gearman_client_ssl_cert => hiera('gearman_client_ssl_cert'),
- gearman_client_ssl_key => hiera('gearman_client_ssl_key'),
- gearman_server_ssl_cert => hiera('gearman_server_ssl_cert'),
- gearman_server_ssl_key => hiera('gearman_server_ssl_key'),
- gearman_ssl_ca => hiera('gearman_ssl_ca'),
+ gerrit_server => $gerrit_server,
+ gerrit_user => $gerrit_user,
+ zuul_ssh_private_key => $zuul_ssh_private_key,
+ git_email => $git_email,
+ git_name => $git_name,
+ revision => $revision,
+ python_version => 3,
+ zookeeper_hosts => 'nodepool.openstack.org:2181',
+ zuulv3 => true,
+ connections => hiera('zuul_connections', []),
+ connection_secrets => hiera('zuul_connection_secrets', []),
+ zuul_status_url => 'http://127.0.0.1:8001/openstack',
+ gearman_client_ssl_cert => hiera('gearman_client_ssl_cert'),
+ gearman_client_ssl_key => hiera('gearman_client_ssl_key'),
+ gearman_server_ssl_cert => hiera('gearman_server_ssl_cert'),
+ gearman_server_ssl_key => hiera('gearman_server_ssl_key'),
+ gearman_ssl_ca => hiera('gearman_ssl_ca'),
+ proxy_ssl_cert_file_contents => hiera('zuul_ssl_cert_file_contents'),
+ proxy_ssl_key_file_contents => hiera('zuul_ssl_key_file_contents'),
 }
 file { "/etc/zuul/github.key":
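Review bot: The new `proxy_ssl_key_file_contents => hiera('zuul_ssl_key_file_contents')` lookup has no default, and this commit adds only the certificate to the public hiera file. The catalog for this node therefore presumably fails to compile until the key is present in private hiera, so that entry needs to land before this merges. A comment above the two new parameters would make the split explicit, for example `# cert is in public hiera; zuul_ssl_key_file_contents is key material and must stay in private hiera only`. Separately, re-aligning the seventeen existing parameters in the same change hides the two real additions; the alignment would be easier to review as its own commit. The node block starts before this hunk and continues after it.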