From 42c0d0696c738b701e486c2f7b3fc7069fa724bb Mon Sep 17 00:00:00 2001
From: Clark Boylan
Date: Wed, 8 Jan 2020 10:03:05 -0800
Subject: [PATCH] Fix zuul-ci.org vhost cert paths
We were setting the cert file contents to the paths rather than updating the paths to point at the new LE certs. Fix this by setting the _file vars which update the path. This includes a partial revert of the previous change to not switch git.zuul-ci.org over to LE as we haven't provisioned an LE cert for it yet.
Change-Id: I41c2aa1d03afba4ebf6378e9abf8276154666df7
---
 manifests/site.pp | 23 ++++--------
 modules/openstack_project/manifests/files.pp | 39 ++++++++++++++++++++
 2 files changed, 47 insertions(+), 15 deletions(-)
diff --git a/manifests/site.pp b/manifests/site.pp
index b955a998db..0773d3a210 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -442,6 +442,9 @@ node /^files\d*\.open.*\.org$/ {
 git_starlingx_cert_file_contents => hiera('git_starlingx_cert_file_contents'),
 git_starlingx_key_file_contents => hiera('git_starlingx_key_file_contents'),
 git_starlingx_chain_file_contents => hiera('git_starlingx_chain_file_contents'),
+ git_zuul_cert_file_contents => hiera('git_zuul_cert_file_contents'),
+ git_zuul_key_file_contents => hiera('git_zuul_key_file_contents'),
+ git_zuul_chain_file_contents => hiera('git_zuul_chain_file_contents'),
 require => Class['Openstack_project::Server'],
 }
@@ -481,22 +484,12 @@ node /^files\d*\.open.*\.org$/ {
 }
 openstack_project::website { 'zuul-ci.org':
- aliases => ['www.zuul-ci.org', 'zuulci.org', 'www.zuulci.org'],
- ssl_cert => '/etc/letsencrypt-certs/zuul-ci.org/zuul-ci.org.cer',
- ssl_key => '/etc/letsencrypt-certs/zuul-ci.org/zuul-ci.org.key',
- ssl_intermediate => '/etc/letsencrypt-certs/zuul-ci.org/ca.cer',
- require => Class['openstack_project::files'],
+ aliases => ['www.zuul-ci.org', 'zuulci.org', 'www.zuulci.org'],
+ ssl_cert_file => '/etc/letsencrypt-certs/zuul-ci.org/zuul-ci.org.cer',
+ ssl_key_file => '/etc/letsencrypt-certs/zuul-ci.org/zuul-ci.org.key',
+ ssl_chain_file => '/etc/letsencrypt-certs/zuul-ci.org/ca.cer',
+ require => Class['openstack_project::files'],
 }
-
- openstack_project::website { 'git.zuul-ci.org':
- docroot => "/var/www/git-redirect",
- allow_override_list => "Redirect RedirectMatch RewriteEngine RewriteBase RewriteCond RewriteMap RewriteOptions RewriteRule",
- ssl_cert => '/etc/letsencrypt-certs/git.zuul-ci.org/git.zuul-ci.org.cer',
- ssl_key => '/etc/letsencrypt-certs/git.zuul-ci.org/git.zuul-ci.org.key',
- ssl_intermediate => '/etc/letsencrypt-certs/git.zuul-ci.org/ca.cer',
- require => Class['openstack_project::files'],
- }
-
 }
 # Node-OS: trusty
diff --git a/modules/openstack_project/manifests/files.pp b/modules/openstack_project/manifests/files.pp
index ae4ac9a1b3..724f53f96a 100644
--- a/modules/openstack_project/manifests/files.pp
+++ b/modules/openstack_project/manifests/files.pp
@@ -17,6 +17,9 @@ class openstack_project::files (
 $git_starlingx_cert_file_contents,
 $git_starlingx_key_file_contents,
 $git_starlingx_chain_file_contents,
+ $git_zuul_cert_file_contents,
+ $git_zuul_key_file_contents,
+ $git_zuul_chain_file_contents,
 ) {
 $afs_root = '/afs/openstack.org/'
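Review bot: Nothing visible in the `openstack_project::website { 'zuul-ci.org': }` resource in the site.pp hunk ties the vhost to the files under `/etc/letsencrypt-certs/zuul-ci.org/` actually being present; `require => Class['openstack_project::files']` orders it only against that class. The define's body is outside this diff, but if it renders `ssl_cert_file`, `ssl_key_file` and `ssl_chain_file` straight into the Apache SSL directives, a certificate that is missing or not yet issued would presumably stop Apache from starting and affect every vhost on the node. A comment above the resource would record the dependency, for example `# Cert, key and chain are provisioned outside this manifest by <provisioning mechanism - placeholder>; they must exist before this vhost is applied`.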
@@ -327,4 +330,40 @@ class openstack_project::files (
 require => File['/etc/ssl/certs'],
 before => File['/etc/ssl/certs/git.starlingx.io.pem'],
 }
+
+ ###########################################################
+ # git.zuul-ci.org
+
+ ::httpd::vhost { 'git.zuul-ci.org':
+ port => 443, # Is required despite not being used.
+ docroot => "${www_base}/git-redirect",
+ priority => '50',
+ template => 'openstack_project/git-redirect.vhost.erb',
+ require => File["${www_base}/git-redirect"],
+ }
+ file { '/etc/ssl/certs/git.zuul-ci.org.pem':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => $git_zuul_cert_file_contents,
+ require => File['/etc/ssl/certs'],
+ }
+ file { '/etc/ssl/private/git.zuul-ci.org.key':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0600',
+ content => $git_zuul_key_file_contents,
+ require => File['/etc/ssl/private'],
+ }
+ file { '/etc/ssl/certs/git.zuul-ci.org_intermediate.pem':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => $git_zuul_chain_file_contents,
+ require => File['/etc/ssl/certs'],
+ before => File['/etc/ssl/certs/git.zuul-ci.org.pem'],
+ }
 }
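Review bot: The `file { '/etc/ssl/private/git.zuul-ci.org.key': }` resource writes the private key from `content => $git_zuul_key_file_contents` without `show_diff => false`, so on an agent configured to show file diffs a key change can be rendered into agent logs and reports. Adding `show_diff => false,` to that resource keeps the key material out of that output; the `0600` root-owned mode already covers the file on disk. The same value arrives as a plain class parameter via `hiera('git_zuul_key_file_contents')` in the site.pp hunk at -442 and the parameter list hunk at -17, so it is presumably also carried in the compiled catalog; a short comment on `$git_zuul_key_file_contents` saying it holds PEM key material would help the next reader. The enclosing class body starts outside this hunk.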