opendev/system-config
Code Issues Proposed changes

Merge "Set up legacy git redirect sites"

Browse Source
This commit is contained in:
Zuul 2019-03-20 21:06:10 +00:00 committed by Gerrit Code Review
commit a38f3e5c73
4 changed files with 395 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
manifests/site.pp
View File

@ -511,6 +511,18 @@ node /^files\d*\.open.*\.org$/ {
docs_cert_file_contents => hiera('docs_cert_file_contents'),
docs_key_file_contents => hiera('docs_key_file_contents'),
docs_chain_file_contents => hiera('docs_chain_file_contents'),
git_airship_cert_file_contents => hiera('git_airship_cert_file_contents'),
git_airship_key_file_contents => hiera('git_airship_key_file_contents'),
git_airship_chain_file_contents => hiera('git_airship_chain_file_contents'),
git_openstack_cert_file_contents => hiera('git_openstack_cert_file_contents'),
git_openstack_key_file_contents => hiera('git_openstack_key_file_contents'),
git_openstack_chain_file_contents => hiera('git_openstack_chain_file_contents'),
git_starlingx_cert_file_contents => hiera('git_starlingx_cert_file_contents'),
git_starlingx_key_file_contents => hiera('git_starlingx_key_file_contents'),
git_starlingx_chain_file_contents => hiera('git_starlingx_chain_file_contents'),
git_zuul_cert_file_contents => hiera('git_zuul_cert_file_contents'),
git_zuul_key_file_contents => hiera('git_zuul_key_file_contents'),
git_zuul_chain_file_contents => hiera('git_zuul_chain_file_contents'),
require => Class['Openstack_project::Server'],
}

148
modules/openstack_project/files/git-redirect.htaccess Normal file
View File

@ -0,0 +1,148 @@
# Unescape any slashes in the branch portion of the query string so
# that we don't have to worry about whether or not they are encoded
# later. This is a recursive rule to handle multiple slashes.
RewriteCond %{QUERY_STRING} "^(.*)h=([^&]+)%2F([^&]+)(.*)$"
RewriteRule "^(.*)$" "/$1?%1h=%2/%3%4" [N]
###################################
# summary
# ignore all args
RewriteRule "^cgit/([^/]+)/([^/]+)/?$" "https://opendev.org/$1/$2/" [L,QSD]
###################################
# refs tab -> branches tab
# ignore all args
# The cgit refs tab shows tags+branches, the branches tab in gitea is
# the closest linkable url
RewriteRule "^cgit/([^/]+)/([^/]+)/refs/?" "https://opendev.org/$1/$2/branches" [L,QSD]
###################################
# log tab (with file) -> commits tab
# h=
RewriteCond %{QUERY_STRING} h=([\w/]+)
RewriteRule "^cgit/([^/]+)/([^/]+)/log/?(.*)" "https://opendev.org/$1/$2/commits/branch/%1/$3" [L,QSD]
# no args
RewriteRule "^cgit/([^/]+)/([^/]+)/log/?(.*)" "https://opendev.org/$1/$2/commits/branch/master/$3" [L,QSD]
#####################################################
# tree tab (with file) -> tree tab
# id=
# h=&id= (id)
# if there's a commit, it takes precedence
RewriteCond %{QUERY_STRING} id=([\w]+)
RewriteRule "^cgit/(.*?)/(.*?)/tree/?(.*)" "https://opendev.org/$1/$2/src/commit/%1/$3" [L,QSD]
# h=
# if there's no commit, but a branch:
RewriteCond %{QUERY_STRING} h=([\w/]+)
RewriteRule "^cgit/(.*?)/(.*?)/tree/?(.*)" "https://opendev.org/$1/$2/src/branch/%1/$3" [L,QSD]
# if there's no args:
RewriteRule "^cgit/(.*?)/(.*?)/tree/?(.*)" "https://opendev.org/$1/$2/src/branch/master/$3" [L,QSD]
#####################################################
# plain link without file -> tree tab
# id=
# h=&id= (id)
# if there's a commit, it takes precedence
RewriteCond %{QUERY_STRING} id=([\w]+)
RewriteRule "^cgit/(.*?)/(.*?)/plain/?$" "https://opendev.org/$1/$2/src/commit/%1/$3" [L,QSD]
# h=
# if there's no commit, but a branch:
RewriteCond %{QUERY_STRING} h=([\w/]+)
RewriteRule "^cgit/(.*?)/(.*?)/plain/?$" "https://opendev.org/$1/$2/src/branch/%1/$3" [L,QSD]
# if there's no args:
RewriteRule "^cgit/(.*?)/(.*?)/plain/?$" "https://opendev.org/$1/$2/src/branch/master/$3" [L,QSD]
#####################################################
# plain link (with file) -> raw
# same as tree
# id=
# h=&id= (id)
# if there's a commit, it takes precedence
RewriteCond %{QUERY_STRING} id=([\w]+)
RewriteRule "^cgit/(.*?)/(.*?)/plain/?(.*)" "https://opendev.org/$1/$2/raw/commit/%1/$3" [L,QSD]
# h=
# if there's no commit, but a branch:
RewriteCond %{QUERY_STRING} h=([\w/]+)
RewriteRule "^cgit/(.*?)/(.*?)/plain/?(.*)" "https://opendev.org/$1/$2/raw/branch/%1/$3" [L,QSD]
# if there's no args:
RewriteRule "^cgit/(.*?)/(.*?)/plain/?(.*)" "https://opendev.org/$1/$2/raw/branch/master/$3" [L,QSD]
######################
# commit tab (with file) -> commit screen (without file)
# id=
# id=&h=
RewriteCond %{QUERY_STRING} id=([\w]+)
RewriteRule "^cgit/(.*?)/(.*?)/commit/?(.*)" "https://opendev.org/$1/$2/commit/%1" [L,QSD]
# h=
# The commit tab in cgit will show the branch-tip commit in this case.
# There is not a comprable page in gitea, so we redirect to the branch
# log (which has the branch-tip commit at the top of the list). We
# include the file if it's there to further restrict the list of
# commits
RewriteCond %{QUERY_STRING} h=([\w/]+)
RewriteRule "^cgit/(.*?)/(.*?)/commit/?(.*)" "https://opendev.org/$1/$2/commits/branch/%1/$3" [L,QSD]
# no args
# Same, but with master branch
RewriteRule "^cgit/(.*?)/(.*?)/commit/?(.*)" "https://opendev.org/$1/$2/commits/branch/master/$3" [L,QSD]
######################
# diff (with file) -> commit screen (without file)
# Gitea doesn't handle arbitrary diffs, so just show the commit page for id.
# We do the same thing as for the commit tab.
# id=&id2=
# id=
# id=&h=
RewriteCond %{QUERY_STRING} id=([\w]+)
RewriteRule "^cgit/(.*?)/(.*?)/diff/?(.*)" "https://opendev.org/$1/$2/commit/%1" [L,QSD]
# h=
RewriteCond %{QUERY_STRING} h=([\w/]+)
RewriteRule "^cgit/(.*?)/(.*?)/diff/?(.*)" "https://opendev.org/$1/$2/commits/branch/%1/$3" [L,QSD]
# no args
RewriteRule "^cgit/(.*?)/(.*?)/diff/?(.*)" "https://opendev.org/$1/$2/commits/branch/master/$3" [L,QSD]
######################
# patch (with file)
# Gitea doesn't handle generating patch files, so just show the commit page.
# We do the same thing as for the commit tab.
# id=
# id=&h=
RewriteCond %{QUERY_STRING} id=([\w]+)
RewriteRule "^cgit/(.*?)/(.*?)/patch/?(.*)" "https://opendev.org/$1/$2/commit/%1" [L,QSD]
# h=
RewriteCond %{QUERY_STRING} h=([\w/]+)
RewriteRule "^cgit/(.*?)/(.*?)/patch/?(.*)" "https://opendev.org/$1/$2/commits/branch/%1/$3" [L,QSD]
# no args
RewriteRule "^cgit/(.*?)/(.*?)/patch/?(.*)" "https://opendev.org/$1/$2/commits/branch/master/$3" [L,QSD]
#####################
# tag
# Gitea doesn't have a dedicated tag page, but if you click a tag in
# gitea, it takes you to the source tree view for that tag, which has
# the tagged commit at the top of the table.
RewriteCond %{QUERY_STRING} h=([\w/\.]+)
RewriteRule "^cgit/(.*?)/(.*?)/tag/?" "https://opendev.org/$1/$2/src/tag/%1" [L,QSD]
#####################
# Any other unknown cgit url, redirect to /
RewriteRule "^cgit" "https://opendev.org/" [L,QSD]
#####################
# Non cgit URLs
RewriteRule "^(.*)$" "https://opendev.org/$1" [L]

178
modules/openstack_project/manifests/files.pp
View File

@ -8,6 +8,18 @@ class openstack_project::files (
$docs_cert_file_contents,
$docs_key_file_contents,
$docs_chain_file_contents,
$git_airship_cert_file_contents,
$git_airship_key_file_contents,
$git_airship_chain_file_contents,
$git_openstack_cert_file_contents,
$git_openstack_key_file_contents,
$git_openstack_chain_file_contents,
$git_starlingx_cert_file_contents,
$git_starlingx_key_file_contents,
$git_starlingx_chain_file_contents,
$git_zuul_cert_file_contents,
$git_zuul_key_file_contents,
$git_zuul_chain_file_contents,
) {
$afs_root = '/afs/openstack.org/'
@ -30,6 +42,24 @@ class openstack_project::files (
require => File["${www_base}"],
}
#####################################################
# Git Redirects Webroot
file { "${www_base}/git-redirect":
ensure => directory,
owner => root,
group => root,
require => File["${www_base}"],
}
file { "${www_base}/git-redirect/.htaccess":
ensure => present,
owner => 'root',
group => 'root',
mode => '0444',
source => 'puppet:///modules/openstack_project/git-redirect.htaccess',
require => File["${www_base}/git-redirect"],
}
#####################################################
# Set up directories needed by HTTPS certs/keys
file { '/etc/ssl/certs':
@ -189,4 +219,152 @@ class openstack_project::files (
require => File['/etc/ssl/certs'],
before => File['/etc/ssl/certs/developer.openstack.org.pem'],
}
###########################################################
# git.airshipit.org
::httpd::vhost { 'git.airshipit.org':
port => 443, # Is required despite not being used.
docroot => "${www_base}/git-redirect",
priority => '50',
template => 'openstack_project/git-redirect.vhost.erb',
require => File["${www_base}/git-redirect"],
}
file { '/etc/ssl/certs/git.airshipit.org.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $git_airship_cert_file_contents,
require => File['/etc/ssl/certs'],
}
file { '/etc/ssl/private/git.airshipit.org.key':
ensure => present,
owner => 'root',
group => 'root',
mode => '0600',
content => $git_airship_key_file_contents,
require => File['/etc/ssl/private'],
}
file { '/etc/ssl/certs/git.airshipit.org_intermediate.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $git_airship_chain_file_contents,
require => File['/etc/ssl/certs'],
before => File['/etc/ssl/certs/git.airshipit.org.pem'],
}
###########################################################
# git.openstack.org
::httpd::vhost { 'git.openstack.org':
port => 443, # Is required despite not being used.
docroot => "${www_base}/git-redirect",
priority => '50',
template => 'openstack_project/git-redirect.vhost.erb',
require => File["${www_base}/git-redirect"],
}
file { '/etc/ssl/certs/git.openstack.org.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $git_openstack_cert_file_contents,
require => File['/etc/ssl/certs'],
}
file { '/etc/ssl/private/git.openstack.org.key':
ensure => present,
owner => 'root',
group => 'root',
mode => '0600',
content => $git_openstack_key_file_contents,
require => File['/etc/ssl/private'],
}
file { '/etc/ssl/certs/git.openstack.org_intermediate.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $git_openstack_chain_file_contents,
require => File['/etc/ssl/certs'],
before => File['/etc/ssl/certs/git.openstack.org.pem'],
}
###########################################################
# git.starlingx.io
::httpd::vhost { 'git.starlingx.io':
port => 443, # Is required despite not being used.
docroot => "${www_base}/git-redirect",
priority => '50',
template => 'openstack_project/git-redirect.vhost.erb',
require => File["${www_base}/git-redirect"],
}
file { '/etc/ssl/certs/git.starlingx.io.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $git_starlingx_cert_file_contents,
require => File['/etc/ssl/certs'],
}
file { '/etc/ssl/private/git.starlingx.io.key':
ensure => present,
owner => 'root',
group => 'root',
mode => '0600',
content => $git_starlingx_key_file_contents,
require => File['/etc/ssl/private'],
}
file { '/etc/ssl/certs/git.starlingx.io_intermediate.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $git_starlingx_chain_file_contents,
require => File['/etc/ssl/certs'],
before => File['/etc/ssl/certs/git.starlingx.io.pem'],
}
###########################################################
# git.zuul-ci.org
::httpd::vhost { 'git.zuul-ci.org':
port => 443, # Is required despite not being used.
docroot => "${www_base}/git-redirect",
priority => '50',
template => 'openstack_project/git-redirect.vhost.erb',
require => File["${www_base}/git-redirect"],
}
file { '/etc/ssl/certs/git.zuul-ci.org.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $git_zuul_cert_file_contents,
require => File['/etc/ssl/certs'],
}
file { '/etc/ssl/private/git.zuul-ci.org.key':
ensure => present,
owner => 'root',
group => 'root',
mode => '0600',
content => $git_zuul_key_file_contents,
require => File['/etc/ssl/private'],
}
file { '/etc/ssl/certs/git.zuul-ci.org_intermediate.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $git_zuul_chain_file_contents,
require => File['/etc/ssl/certs'],
before => File['/etc/ssl/certs/git.zuul-ci.org.pem'],
}
}

49
modules/openstack_project/templates/git-redirect.vhost.erb Normal file
View File

@ -0,0 +1,49 @@
# ************************************
# Managed by Puppet
# ************************************
<VirtualHost *:80>
ServerName <%= @srvname %>
RewriteEngine On
DocumentRoot <%= @docroot %>
<Directory <%= @docroot %>>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
AllowOverrideList Redirect RedirectMatch
Satisfy Any
Require all granted
</Directory>
LogLevel warn
ErrorLog /var/log/apache2/<%= @srvname %>_error.log
CustomLog /var/log/apache2/<%= @srvname %>_access.log combined
ServerSignature Off
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName <%= @srvname %>
RewriteEngine On
DocumentRoot <%= @docroot %>
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
# Once the machine is using something to terminate TLS that supports ECDHE
# then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
# only is guarenteed.
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
SSLHonorCipherOrder on
SSLCertificateFile /etc/ssl/certs/<%= @srvname %>.pem
SSLCertificateKeyFile /etc/ssl/private/<%= @srvname %>.key
SSLCertificateChainFile /etc/ssl/certs/<%= @srvname %>_intermediate.pem
<Directory <%= @docroot %>>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
AllowOverrideList Redirect RedirectMatch
Satisfy Any
Require all granted
</Directory>
LogLevel warn
ErrorLog /var/log/apache2/<%= @srvname %>_error.log
CustomLog /var/log/apache2/<%= @srvname %>_access.log combined
ServerSignature Off
</VirtualHost>
</IfModule>