system-config/modules/openstack_project/manifests/files.pp
Clark Boylan 42c0d0696c Fix zuul-ci.org vhost cert paths
We were setting the cert file contents to the paths rather than updating
the paths to point at the new LE certs. Fix this by setting the _file
vars which update the path.

This includes a partial revert of the previous change to not switch
git.zuul-ci.org over to LE as we haven't provisioned an LE cert for it
yet.

Change-Id: I41c2aa1d03afba4ebf6378e9abf8276154666df7
2020-01-08 10:03:05 -08:00

370 lines
11 KiB
Puppet

# == Class: openstack_project::files
#
class openstack_project::files (
$vhost_name = $::fqdn,
$developer_cert_file_contents,
$developer_key_file_contents,
$developer_chain_file_contents,
$docs_cert_file_contents,
$docs_key_file_contents,
$docs_chain_file_contents,
$git_airship_cert_file_contents,
$git_airship_key_file_contents,
$git_airship_chain_file_contents,
$git_openstack_cert_file_contents,
$git_openstack_key_file_contents,
$git_openstack_chain_file_contents,
$git_starlingx_cert_file_contents,
$git_starlingx_key_file_contents,
$git_starlingx_chain_file_contents,
$git_zuul_cert_file_contents,
$git_zuul_key_file_contents,
$git_zuul_chain_file_contents,
) {
$afs_root = '/afs/openstack.org/'
$www_base = '/var/www'
#####################################################
# Build Apache Webroot
file { "${www_base}":
ensure => directory,
owner => root,
group => root,
}
file { "${www_base}/robots.txt":
ensure => present,
owner => 'root',
group => 'root',
mode => '0444',
source => 'puppet:///modules/openstack_project/disallow_robots.txt',
require => File["${www_base}"],
}
#####################################################
# Git Redirects Webroot
file { "${www_base}/git-redirect":
ensure => directory,
owner => root,
group => root,
require => File["${www_base}"],
}
file { "${www_base}/git-redirect/.htaccess":
ensure => present,
owner => 'root',
group => 'root',
mode => '0444',
source => 'puppet:///modules/openstack_project/git-redirect.htaccess',
require => File["${www_base}/git-redirect"],
}
#####################################################
# Set up directories needed by HTTPS certs/keys
file { '/etc/ssl/certs':
ensure => directory,
owner => 'root',
group => 'root',
mode => '0755',
}
file { '/etc/ssl/private':
ensure => directory,
owner => 'root',
group => 'root',
mode => '0700',
}
#####################################################
# Build VHost
include ::httpd
::httpd::vhost { $vhost_name:
port => 80,
priority => '50',
docroot => "${afs_root}",
template => 'openstack_project/files.vhost.erb',
require => [
File["${www_base}"],
]
}
httpd_mod { 'rewrite':
ensure => present,
before => Service['httpd'],
}
class { '::httpd::logrotate':
options => [
'daily',
'missingok',
'rotate 7',
'compress',
'delaycompress',
'notifempty',
'create 640 root adm',
],
}
# Until Apache 2.4.24 the event MPM has some issues scalability
# bottlenecks that were seen to drop connections, especially on
# larger files; see
# https://httpd.apache.org/docs/2.4/mod/event.html
#
# The main advantage of event MPM is for keep-alive requests which
# are not really a big issue on this static file server. Therefore
# we switch to the threaded worker MPM as a workaround. This can be
# reconsidered when the apache version running is sufficient to
# avoid these problems.
httpd::mod { 'mpm_event': ensure => 'absent' }
httpd::mod { 'mpm_worker': ensure => 'present' }
file { '/etc/apache2/mods-available/mpm_worker.conf':
ensure => file,
source => 'puppet:///modules/openstack_project/files/mpm_worker.conf',
notify => Service['httpd'],
}
file {'/usr/local/bin/404s.sh':
ensure => present,
owner => 'root',
group => 'root',
mode => '0755',
source => 'puppet:///modules/openstack_project/files/404s.sh',
}
file {'/var/www/docs-404s':
ensure => directory,
owner => 'root',
group => 'root',
mode => '0755',
}
cron {'generate_docs_404s':
# This seems to be about half an hour after apache rotates logs.
hour => '7',
minute => '0',
environment => 'PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin',
command => '404s.sh /var/log/apache2/docs.openstack.org_access.log /var/www/docs-404s/',
require => File['/usr/local/bin/404s.sh'],
}
###########################################################
# docs.openstack.org
::httpd::vhost { 'docs.openstack.org':
port => 443, # Is required despite not being used.
docroot => "${afs_root}docs",
priority => '50',
template => 'openstack_project/docs.vhost.erb',
}
file { '/etc/ssl/certs/docs.openstack.org.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $docs_cert_file_contents,
require => File['/etc/ssl/certs'],
}
file { '/etc/ssl/private/docs.openstack.org.key':
ensure => present,
owner => 'root',
group => 'root',
mode => '0600',
content => $docs_key_file_contents,
require => File['/etc/ssl/private'],
}
file { '/etc/ssl/certs/docs.openstack.org_intermediate.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $docs_chain_file_contents,
require => File['/etc/ssl/certs'],
before => File['/etc/ssl/certs/docs.openstack.org.pem'],
}
###########################################################
# developer.openstack.org
::httpd::vhost { 'developer.openstack.org':
port => 443, # Is required despite not being used.
docroot => "${afs_root}developer-docs",
priority => '50',
template => 'openstack_project/developer.vhost.erb',
}
file { '/etc/ssl/certs/developer.openstack.org.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $developer_cert_file_contents,
require => File['/etc/ssl/certs'],
}
file { '/etc/ssl/private/developer.openstack.org.key':
ensure => present,
owner => 'root',
group => 'root',
mode => '0600',
content => $developer_key_file_contents,
require => File['/etc/ssl/private'],
}
file { '/etc/ssl/certs/developer.openstack.org_intermediate.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $developer_chain_file_contents,
require => File['/etc/ssl/certs'],
before => File['/etc/ssl/certs/developer.openstack.org.pem'],
}
###########################################################
# git.airshipit.org
::httpd::vhost { 'git.airshipit.org':
port => 443, # Is required despite not being used.
docroot => "${www_base}/git-redirect",
priority => '50',
template => 'openstack_project/git-redirect.vhost.erb',
require => File["${www_base}/git-redirect"],
}
file { '/etc/ssl/certs/git.airshipit.org.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $git_airship_cert_file_contents,
require => File['/etc/ssl/certs'],
}
file { '/etc/ssl/private/git.airshipit.org.key':
ensure => present,
owner => 'root',
group => 'root',
mode => '0600',
content => $git_airship_key_file_contents,
require => File['/etc/ssl/private'],
}
file { '/etc/ssl/certs/git.airshipit.org_intermediate.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $git_airship_chain_file_contents,
require => File['/etc/ssl/certs'],
before => File['/etc/ssl/certs/git.airshipit.org.pem'],
}
###########################################################
# git.openstack.org
::httpd::vhost { 'git.openstack.org':
port => 443, # Is required despite not being used.
docroot => "${www_base}/git-redirect",
priority => '50',
template => 'openstack_project/git-redirect.vhost.erb',
require => File["${www_base}/git-redirect"],
}
file { '/etc/ssl/certs/git.openstack.org.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $git_openstack_cert_file_contents,
require => File['/etc/ssl/certs'],
}
file { '/etc/ssl/private/git.openstack.org.key':
ensure => present,
owner => 'root',
group => 'root',
mode => '0600',
content => $git_openstack_key_file_contents,
require => File['/etc/ssl/private'],
}
file { '/etc/ssl/certs/git.openstack.org_intermediate.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $git_openstack_chain_file_contents,
require => File['/etc/ssl/certs'],
before => File['/etc/ssl/certs/git.openstack.org.pem'],
}
###########################################################
# git.starlingx.io
::httpd::vhost { 'git.starlingx.io':
port => 443, # Is required despite not being used.
docroot => "${www_base}/git-redirect",
priority => '50',
template => 'openstack_project/git-redirect.vhost.erb',
require => File["${www_base}/git-redirect"],
}
file { '/etc/ssl/certs/git.starlingx.io.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $git_starlingx_cert_file_contents,
require => File['/etc/ssl/certs'],
}
file { '/etc/ssl/private/git.starlingx.io.key':
ensure => present,
owner => 'root',
group => 'root',
mode => '0600',
content => $git_starlingx_key_file_contents,
require => File['/etc/ssl/private'],
}
file { '/etc/ssl/certs/git.starlingx.io_intermediate.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $git_starlingx_chain_file_contents,
require => File['/etc/ssl/certs'],
before => File['/etc/ssl/certs/git.starlingx.io.pem'],
}
###########################################################
# git.zuul-ci.org
::httpd::vhost { 'git.zuul-ci.org':
port => 443, # Is required despite not being used.
docroot => "${www_base}/git-redirect",
priority => '50',
template => 'openstack_project/git-redirect.vhost.erb',
require => File["${www_base}/git-redirect"],
}
file { '/etc/ssl/certs/git.zuul-ci.org.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $git_zuul_cert_file_contents,
require => File['/etc/ssl/certs'],
}
file { '/etc/ssl/private/git.zuul-ci.org.key':
ensure => present,
owner => 'root',
group => 'root',
mode => '0600',
content => $git_zuul_key_file_contents,
require => File['/etc/ssl/private'],
}
file { '/etc/ssl/certs/git.zuul-ci.org_intermediate.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $git_zuul_chain_file_contents,
require => File['/etc/ssl/certs'],
before => File['/etc/ssl/certs/git.zuul-ci.org.pem'],
}
}