Use LE cert on review.open*.org

We previously had two manually issued certs (one each for opendev.org and openstack.org) but now have a single cert with all the appropriate names in it automatically issued by LE. Use this new cert before the old one expires. Change-Id: I635d2bfd820fe138ee951833dd66f157b2b7c097
2020-02-28 08:10:24 -08:00
parent d75d70b333
commit 61caec5b77
3 changed files with 10 additions and 36 deletions
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -46,9 +46,13 @@ node /^review\d*\.open.*\.org$/ {
    gerritbot_password                   => hiera('gerrit_gerritbot_password'),
    gerritbot_ssh_rsa_key_contents       => hiera('gerritbot_ssh_rsa_key_contents'),
    gerritbot_ssh_rsa_pubkey_contents    => hiera('gerritbot_ssh_rsa_pubkey_contents'),
-    ssl_cert_file_contents               => hiera('review_opendev_cert_file_contents'),
-    ssl_key_file_contents                => hiera('review_opendev_key_file_contents'),
-    ssl_chain_file_contents              => hiera('review_opendev_chain_file_contents'),
+    # Empty contents forces Puppet to not write the file.
+    ssl_cert_file_contents               => '',
+    ssl_key_file_contents                => '',
+    ssl_chain_file_contents              => '',
+    ssl_cert_file                        => '/etc/letsencrypt-certs/review.opendev.org/review.opendev.org.cer',
+    ssl_key_file                         => '/etc/letsencrypt-certs/review.opendev.org/review.opendev.org.key',
+    ssl_chain_file                       => '/etc/letsencrypt-certs/review.opendev.org/ca.cer',
    ssh_dsa_key_contents                 => hiera('gerrit_ssh_dsa_key_contents'),
    ssh_dsa_pubkey_contents              => hiera('gerrit_ssh_dsa_pubkey_contents'),
    ssh_rsa_key_contents                 => hiera('gerrit_ssh_rsa_key_contents'),
@@ -65,11 +69,6 @@ node /^review\d*\.open.*\.org$/ {
    swift_username                       => hiera('swift_store_user', 'username'),
    swift_password                       => hiera('swift_store_key'),
    storyboard_password                  => hiera('gerrit_storyboard_token'),
-    # Compatibility layer vars for the old domain name below here.
-    # TODO rename the hiera keys to reduce confusion
-    review_openstack_cert_file_contents  => hiera('gerrit_ssl_cert_file_contents'),
-    review_openstack_key_file_contents   => hiera('gerrit_ssl_key_file_contents'),
-    review_openstack_chain_file_contents => hiera('gerrit_ssl_chain_file_contents'),
  }
 }