Generate HTTPS certs for Mailman sites

We're going to want Mailman 3 served over HTTPS for security reasons, so start by generating certificates for each of the sites we have in v2. Also collect the acme.sh logs for verification. Change-Id: I261ae55c6bc0a414beb473abcb30f9a86c63db85
2021-12-17 19:00:09 +00:00 · 2021-12-17 19:00:09 +00:00 · fa0c1b495c
parent 6324944318
commit fa0c1b495c
6 changed files with 25 additions and 0 deletions
--- a/inventory/service/groups.yaml
+++ b/inventory/service/groups.yaml
@ -95,6 +95,8 @@ groups:
    - graphite[0-9]*.opendev.org
    - insecure-ci-registry[0-9]*.opendev.org
    - keycloak[0-9]*.opendev.org
    - lists.katacontainers.io
    - lists.openstack.org
    - meetpad[0-9]*.opendev.org
    - mirror[0-9]*.opendev.org
    - nb[0-9]*.opendev.org
--- a/inventory/service/host_vars/lists.katacontainers.io.yaml
+++ b/inventory/service/host_vars/lists.katacontainers.io.yaml
@ -58,6 +58,9 @@ exim_transports:
      headers_add = Errors-To: ${return_path}
 extra_users:
  - jbryce
 letsencrypt_certs:
  lists-katacontainers-io-main:
    - lists.katacontainers.io
 mailman_multihost: false
 mailman_listdomain: 'lists.katacontainers.io'
 mailman_lists:
--- a/inventory/service/host_vars/lists.openstack.org.yaml
+++ b/inventory/service/host_vars/lists.openstack.org.yaml
@ -102,6 +102,15 @@ exim_transports:
      headers_remove = Errors-To
      max_rcpt = 1
      return_path = ${local_part:$return_path}+$local_part=$domain@${domain:$return_path}
 # We put lists.openstack.org first as it's the current servername
 letsencrypt_certs:
  lists-openstack-org-main:
    - lists.openstack.org
    - lists.airshipit.org
    - lists.opendev.org
    - lists.openinfra.dev
    - lists.starlingx.io
    - lists.zuul-ci.org
 mailman_multihost: true
 mailman_sites:
  - name: airship
--- a/playbooks/roles/install-ansible/files/inventory_plugins/test-fixtures/results.yaml
+++ b/playbooks/roles/install-ansible/files/inventory_plugins/test-fixtures/results.yaml
@ -19,6 +19,7 @@ results:
    - webservers
  lists.katacontainers.io:
    - letsencrypt
    - mailman
  logstash-worker02.openstack.org:
--- a/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml
+++ b/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml
@ -41,6 +41,13 @@
 - name: letsencrypt updated meetpad01-main
  include_tasks: roles/letsencrypt-create-certs/handlers/restart_jitsi_meet.yaml
 # mailman
 - name: letsencrypt updated lists-katacontainers-io-main
  include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml
 - name: letsencrypt updated lists-openstack-org-main
  include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml
 # Static
 - name: letsencrypt updated static01-opendev-org-main
  include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml
--- a/zuul.d/system-config-run.yaml
+++ b/zuul.d/system-config-run.yaml
@ -260,6 +260,7 @@
      - playbooks/zuul/run-lists-post.yaml
    vars:
      run_playbooks:
        - playbooks/letsencrypt.yaml
        - playbooks/service-lists.yaml
        # Run this twice to check idempotency
        - playbooks/service-lists.yaml
@ -267,10 +268,12 @@
    host-vars:
      lists.katacontainers.io:
        host_copy_output:
          '/var/log/acme.sh': logs
          '/var/log/mailman': logs
      lists.openstack.org:
        host_copy_output:
          '/etc/aliases.domain': logs_txt
          '/var/log/acme.sh': logs
          '/var/log/mailman': logs
 - job: