Use LE certs for zuul-ci.org

This switches the zuul-ci.org/zuulci.org vhost to use newly issued letsencrypt certs. It also does the same for git.zuul-ci.org, which is a different vhost. Since that vhost is tied into a configuration which can't accept cert file paths (only content), adjust it to use the newer "website" manifest pattern which can. Change-Id: I0cd0407754466327147917390c578da336e61269
2020-01-07 14:44:18 -08:00 · 2020-01-07 14:44:18 -08:00 · 9fead30442
parent 53338653fd
commit 9fead30442
4 changed files with 20 additions and 47 deletions
--- a/manifests/site.pp
+++ b/manifests/site.pp
@ -442,9 +442,6 @@ node /^files\d*\.open.*\.org$/ {
    git_starlingx_cert_file_contents  => hiera('git_starlingx_cert_file_contents'),
    git_starlingx_key_file_contents   => hiera('git_starlingx_key_file_contents'),
    git_starlingx_chain_file_contents => hiera('git_starlingx_chain_file_contents'),
-    git_zuul_cert_file_contents       => hiera('git_zuul_cert_file_contents'),
-    git_zuul_key_file_contents        => hiera('git_zuul_key_file_contents'),
-    git_zuul_chain_file_contents      => hiera('git_zuul_chain_file_contents'),
    require                           => Class['Openstack_project::Server'],
  }

@ -485,12 +482,21 @@ node /^files\d*\.open.*\.org$/ {

  openstack_project::website { 'zuul-ci.org':
    aliases          => ['www.zuul-ci.org', 'zuulci.org', 'www.zuulci.org'],
-    ssl_cert         => hiera('zuul-ci_org_ssl_cert'),
-    ssl_key          => hiera('zuul-ci_org_ssl_key'),
-    ssl_intermediate => hiera('zuul-ci_org_ssl_intermediate'),
+    ssl_cert         => '/etc/letsencrypt-certs/zuul-ci.org/zuul-ci.org.cer',
+    ssl_key          => '/etc/letsencrypt-certs/zuul-ci.org/zuul-ci.org.key',
+    ssl_intermediate => '/etc/letsencrypt-certs/zuul-ci.org/ca.cer',
    require          => Class['openstack_project::files'],
  }

+  openstack_project::website { 'git.zuul-ci.org':
+    docroot             => "/var/www/git-redirect",
+    allow_override_list => "Redirect RedirectMatch RewriteEngine RewriteBase RewriteCond RewriteMap RewriteOptions RewriteRule",
+    ssl_cert            => '/etc/letsencrypt-certs/git.zuul-ci.org/git.zuul-ci.org.cer',
+    ssl_key             => '/etc/letsencrypt-certs/git.zuul-ci.org/git.zuul-ci.org.key',
+    ssl_intermediate    => '/etc/letsencrypt-certs/git.zuul-ci.org/ca.cer',
+    require             => Class['openstack_project::files'],
+  }
+
 }

 # Node-OS: trusty
--- a/modules/openstack_project/manifests/files.pp
+++ b/modules/openstack_project/manifests/files.pp
@ -17,9 +17,6 @@ class openstack_project::files (
  $git_starlingx_cert_file_contents,
  $git_starlingx_key_file_contents,
  $git_starlingx_chain_file_contents,
-  $git_zuul_cert_file_contents,
-  $git_zuul_key_file_contents,
-  $git_zuul_chain_file_contents,
 ) {

  $afs_root = '/afs/openstack.org/'
@ -330,41 +327,4 @@ class openstack_project::files (
    require => File['/etc/ssl/certs'],
    before  => File['/etc/ssl/certs/git.starlingx.io.pem'],
  }
-
-
-  ###########################################################
-  # git.zuul-ci.org
-
-  ::httpd::vhost { 'git.zuul-ci.org':
-    port     => 443, # Is required despite not being used.
-    docroot  => "${www_base}/git-redirect",
-    priority => '50',
-    template => 'openstack_project/git-redirect.vhost.erb',
-    require  => File["${www_base}/git-redirect"],
-  }
-  file { '/etc/ssl/certs/git.zuul-ci.org.pem':
-    ensure  => present,
-    owner   => 'root',
-    group   => 'root',
-    mode    => '0644',
-    content => $git_zuul_cert_file_contents,
-    require => File['/etc/ssl/certs'],
-  }
-  file { '/etc/ssl/private/git.zuul-ci.org.key':
-    ensure  => present,
-    owner   => 'root',
-    group   => 'root',
-    mode    => '0600',
-    content => $git_zuul_key_file_contents,
-    require => File['/etc/ssl/private'],
-  }
-  file { '/etc/ssl/certs/git.zuul-ci.org_intermediate.pem':
-    ensure  => present,
-    owner   => 'root',
-    group   => 'root',
-    mode    => '0644',
-    content => $git_zuul_chain_file_contents,
-    require => File['/etc/ssl/certs'],
-    before  => File['/etc/ssl/certs/git.zuul-ci.org.pem'],
-  }
 }
--- a/modules/openstack_project/manifests/website.pp
+++ b/modules/openstack_project/manifests/website.pp
@ -23,6 +23,7 @@ define openstack_project::website (
  $ssl_chain_file = undef,
  $template = 'openstack_project/website.vhost.erb',
  $docroot = undef,
+  $allow_override_list = undef,
 ) {

  $afs_root = '/afs/openstack.org/'
@ -39,6 +40,12 @@ define openstack_project::website (
     $docroot_ = $docroot
  }

+  if $allow_override_list == undef {
+     $allow_override_list_ = "Redirect RedirectMatch"
+  } else {
+     $allow_override_list_ = $allow_override_list
+  }
+
  if ($ssl_cert != undef) {
    $ssl_cert_file_ = "/etc/ssl/certs/${name}.pem"
    file { "${ssl_cert_file_}":
--- a/modules/openstack_project/templates/website.vhost.erb
+++ b/modules/openstack_project/templates/website.vhost.erb
@ -48,7 +48,7 @@
        Require all granted
        AllowOverride None
        # Allow mod_rewrite rules
-        AllowOverrideList Redirect RedirectMatch
+        AllowOverrideList <%= @allow_override_list_ %>
        ErrorDocument 404 /errorpage.html
    </Directory>