
Use LE certs for zuul-ci.org

This switches the zuul-ci.org/zuulci.org vhost to use newly issued
letsencrypt certs.  It also does the same for git.zuul-ci.org, which
is a different vhost.  Since that vhost is tied into a configuration
which can't accept cert file paths (only content), adjust it to use
the newer "website" manifest pattern which can.

Change-Id: I0cd0407754466327147917390c578da336e61269
changes/72/701472/3
James E. Blair 1 month ago
parent
commit
9fead30442
4 changed files with 20 additions and 47 deletions
  1. +12
    -6
      manifests/site.pp
  2. +0
    -40
      modules/openstack_project/manifests/files.pp
  3. +7
    -0
      modules/openstack_project/manifests/website.pp
  4. +1
    -1
      modules/openstack_project/templates/website.vhost.erb

+ 12
- 6
manifests/site.pp

@@ -442,9 +442,6 @@ node /^files\d*\.open.*\.org$/ {
git_starlingx_cert_file_contents => hiera('git_starlingx_cert_file_contents'),
git_starlingx_key_file_contents => hiera('git_starlingx_key_file_contents'),
git_starlingx_chain_file_contents => hiera('git_starlingx_chain_file_contents'),
git_zuul_cert_file_contents => hiera('git_zuul_cert_file_contents'),
git_zuul_key_file_contents => hiera('git_zuul_key_file_contents'),
git_zuul_chain_file_contents => hiera('git_zuul_chain_file_contents'),
require => Class['Openstack_project::Server'],
}

@@ -485,12 +482,21 @@ node /^files\d*\.open.*\.org$/ {

openstack_project::website { 'zuul-ci.org':
aliases => ['www.zuul-ci.org', 'zuulci.org', 'www.zuulci.org'],
ssl_cert => hiera('zuul-ci_org_ssl_cert'),
ssl_key => hiera('zuul-ci_org_ssl_key'),
ssl_intermediate => hiera('zuul-ci_org_ssl_intermediate'),
ssl_cert => '/etc/letsencrypt-certs/zuul-ci.org/zuul-ci.org.cer',
ssl_key => '/etc/letsencrypt-certs/zuul-ci.org/zuul-ci.org.key',
ssl_intermediate => '/etc/letsencrypt-certs/zuul-ci.org/ca.cer',
require => Class['openstack_project::files'],
}

openstack_project::website { 'git.zuul-ci.org':
docroot => "/var/www/git-redirect",
allow_override_list => "Redirect RedirectMatch RewriteEngine RewriteBase RewriteCond RewriteMap RewriteOptions RewriteRule",
ssl_cert => '/etc/letsencrypt-certs/git.zuul-ci.org/git.zuul-ci.org.cer',
ssl_key => '/etc/letsencrypt-certs/git.zuul-ci.org/git.zuul-ci.org.key',
ssl_intermediate => '/etc/letsencrypt-certs/git.zuul-ci.org/ca.cer',
require => Class['openstack_project::files'],
}

}

# Node-OS: trusty
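Review bot: The two `openstack_project::website` declarations pass the Let's Encrypt file paths to `ssl_cert`, `ssl_key` and `ssl_intermediate`, which for zuul-ci.org previously carried values looked up from hiera. In website.pp the `$ssl_cert != undef` branch sets `$ssl_cert_file_` to `/etc/ssl/certs/${name}.pem` and manages a file there, so these values look likely to be written out as file content, leaving Apache with a certificate and key file that contain only a path string. The define's parameter list shows a separate `ssl_chain_file`, which suggests path-taking parameters exist; if so, the declarations should use those, e.g. `ssl_chain_file => '/etc/letsencrypt-certs/zuul-ci.org/ca.cer',` together with the matching cert and key parameters. The body of that branch is outside the visible hunk, so this needs confirming against the full define.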

+ 0
- 40
modules/openstack_project/manifests/files.pp

@@ -17,9 +17,6 @@ class openstack_project::files (
$git_starlingx_cert_file_contents,
$git_starlingx_key_file_contents,
$git_starlingx_chain_file_contents,
$git_zuul_cert_file_contents,
$git_zuul_key_file_contents,
$git_zuul_chain_file_contents,
) {

$afs_root = '/afs/openstack.org/'
@@ -330,41 +327,4 @@ class openstack_project::files (
require => File['/etc/ssl/certs'],
before => File['/etc/ssl/certs/git.starlingx.io.pem'],
}


###########################################################
# git.zuul-ci.org

::httpd::vhost { 'git.zuul-ci.org':
port => 443, # Is required despite not being used.
docroot => "${www_base}/git-redirect",
priority => '50',
template => 'openstack_project/git-redirect.vhost.erb',
require => File["${www_base}/git-redirect"],
}
file { '/etc/ssl/certs/git.zuul-ci.org.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $git_zuul_cert_file_contents,
require => File['/etc/ssl/certs'],
}
file { '/etc/ssl/private/git.zuul-ci.org.key':
ensure => present,
owner => 'root',
group => 'root',
mode => '0600',
content => $git_zuul_key_file_contents,
require => File['/etc/ssl/private'],
}
file { '/etc/ssl/certs/git.zuul-ci.org_intermediate.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $git_zuul_chain_file_contents,
require => File['/etc/ssl/certs'],
before => File['/etc/ssl/certs/git.zuul-ci.org.pem'],
}
}

+ 7
- 0
modules/openstack_project/manifests/website.pp

@@ -23,6 +23,7 @@ define openstack_project::website (
$ssl_chain_file = undef,
$template = 'openstack_project/website.vhost.erb',
$docroot = undef,
$allow_override_list = undef,
) {

$afs_root = '/afs/openstack.org/'
@@ -39,6 +40,12 @@ define openstack_project::website (
$docroot_ = $docroot
}

if $allow_override_list == undef {
$allow_override_list_ = "Redirect RedirectMatch"
} else {
$allow_override_list_ = $allow_override_list
}

if ($ssl_cert != undef) {
$ssl_cert_file_ = "/etc/ssl/certs/${name}.pem"
file { "${ssl_cert_file_}":
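Review bot: The new `allow_override_list` parameter is undocumented, and its default is hidden in an `if`/`else` rather than stated in the signature. Because the default is a constant, declaring it as `$allow_override_list = 'Redirect RedirectMatch',` would remove the `$allow_override_list_` indirection, provided the template then reads `@allow_override_list`. A header comment such as `# allow_override_list: space-separated directive names emitted verbatim into AllowOverrideList; each one becomes usable from .htaccess files under the docroot` would tell callers what they are granting. The define starts before and continues past the hunks shown in this section.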

+ 1
- 1
modules/openstack_project/templates/website.vhost.erb

@@ -48,7 +48,7 @@
Require all granted
AllowOverride None
# Allow mod_rewrite rules
AllowOverrideList Redirect RedirectMatch
AllowOverrideList <%= @allow_override_list_ %>
ErrorDocument 404 /errorpage.html
</Directory>
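Review bot: `<%= @allow_override_list_ %>` writes the manifest value into the Apache config with no check, so a typo or stray newline in a caller's string becomes a broken or unintended directive at the next reload. Since the surrounding block keeps `AllowOverride None`, this list is the whole set of directives that `.htaccess` files under the docroot may use. For git.zuul-ci.org it now includes the `Rewrite*` family, so write access to that docroot should be treated as control over the site's redirects. The existing `# Allow mod_rewrite rules` comment could be updated to `# Directives permitted in .htaccess (set per site via allow_override_list)`. The `<Directory>` block opens outside the hunk.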

