static: move afs sites from files.openstack.org to static.opendev.org

This creates sites to serve

 developer.openstack.org
 docs.openstack.org
 docs.opendev.org
 docs.starlingx.io

which are all just static directories underneath /afs/openstack.org/.

This is currently done by files02.openstack.org, but will be better
served in the future by consolidating in ansible configuration on
static.opendev.org.

The following dns entries need to be made before merging to ensure the
certificates are provisioned

 _acme-challenge.developer.openstack.org
 _acme-challenge.docs.openstack.org
 _acme-challenge.docs.opendev.org
 _acme-challenge.docs.starlingx.io

Once done, we can merge and then cut-over the main DNS entries as we
like.

Since there are some follow-ons, I have not removed the puppet
configuration from files02.openstack.org.  I think it's best we
migrate everything away from that and remove it in one lot.

Change-Id: I459a36f823a8868e6cc09e2b0d85f2fe05d69002

playbooks/host_vars/static01.opendev.org.yaml

@@ -3,6 +3,14 @@ letsencrypt_certs:
   static01-opendev-org-main:
     - static.opendev.org
     - static01.opendev.org
+  static01-developer-openstack-org:
+    - developer.openstack.org
+  static01-docs-opendev-org:
+    - docs.opendev.org
+  static01-docs-openstack-org:
+    - docs.openstack.org
+  static01-docs-starlingx-io:
+    - docs.starlingx.io
   static01-governance-openstack-org:
     - governance.openstack.org
   static01-service-types-openstack-org:
@@ -17,3 +25,8 @@ letsencrypt_certs:
     - tarballs.opendev.org
   static01-tarballs-openstack-org:
     - tarballs.openstack.org
+  static01-zuul-ci-org:
+    - zuul-ci.org
+    - www.zuul-ci.org
+    - zuulci.org
+    - www.zuulci.org

playbooks/roles/letsencrypt-create-certs/handlers/main.yaml

@@ -38,6 +38,18 @@
 - name: letsencrypt updated static01-opendev-org-main
   include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml
 
+- name: letsencrypt updated static01-developer-openstack-org
+  include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml
+
+- name: letsencrypt updated static01-docs-opendev-org
+  include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml
+
+- name: letsencrypt updated static01-docs-openstack-org
+  include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml
+
+- name: letsencrypt updated static01-docs-starlingx-io
+  include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml
+
 - name: letsencrypt updated static01-governance-openstack-org
   include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml
 
@@ -59,6 +71,9 @@
 - name: letsencrypt updated static01-tarballs-openstack-org
   include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml
 
+- name: letsencrypt updated static01-zuul-ci-org
+  include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml
+
 # review-dev
 
 - name: letsencrypt updated review-dev01-opendev-org-main

playbooks/roles/static/files/50-developer.openstack.org.conf

@@ -0,0 +1,42 @@
+<VirtualHost *:80>
+    ServerName developer.openstack.org
+
+    RewriteEngine on
+    RewriteRule ^/(.*) https://developer.openstack.org/$1 [last,redirect=permanent]
+
+    ErrorLog /var/log/apache2/developer.openstack.org_error.log
+    LogLevel warn
+    CustomLog /var/log/apache2/developer.openstack.org_access.log combined
+    ServerSignature Off
+</VirtualHost>
+
+<IfModule mod_ssl.c>
+<VirtualHost *:443>
+    ServerName developer.openstack.org
+
+    RewriteEngine on
+
+  SSLCertificateFile      /etc/letsencrypt-certs/developer.openstack.org/developer.openstack.org.cer
+  SSLCertificateKeyFile   /etc/letsencrypt-certs/developer.openstack.org/developer.openstack.org.key
+  SSLCertificateChainFile /etc/letsencrypt-certs/developer.openstack.org/ca.cer
+  SSLProtocol All -SSLv2 -SSLv3
+  # Note: this list should ensure ciphers that provide forward secrecy
+  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+  SSLHonorCipherOrder on
+
+    DocumentRoot /afs/openstack.org/developer-docs
+    <Directory /afs/openstack.org/developer-docs>
+        Options Indexes FollowSymLinks MultiViews
+        Satisfy any
+        Require all granted
+        # Allow mod_rewrite rules
+        AllowOverride FileInfo
+        ErrorDocument 404 /errorpage.html
+    </Directory>
+
+    ErrorLog /var/log/apache2/developer.openstack.org_error.log
+    LogLevel warn
+    CustomLog /var/log/apache2/developer.openstack.org_access.log combined
+    ServerSignature Off
+</VirtualHost>
+</IfModule>

playbooks/roles/static/files/50-docs.opendev.org.conf

@@ -0,0 +1,44 @@
+<VirtualHost *:80>
+    ServerName docs.opendev.org
+
+    RewriteEngine on
+    RewriteRule ^/(.*) https://docs.opendev.org/$1 [last,redirect=permanent]
+
+    ErrorLog /var/log/apache2/docs.opendev.org_error.log
+    LogLevel warn
+    CustomLog /var/log/apache2/docs.opendev.org_access.log combined
+    ServerSignature Off
+</VirtualHost>
+
+<IfModule mod_ssl.c>
+<VirtualHost *:443>
+    ServerName docs.opendev.org
+
+    RewriteEngine on
+
+  SSLCertificateFile      /etc/letsencrypt-certs/docs.opendev.org/docs.opendev.org.cer
+  SSLCertificateKeyFile   /etc/letsencrypt-certs/docs.opendev.org/docs.opendev.org.key
+  SSLCertificateChainFile /etc/letsencrypt-certs/docs.opendev.org/ca.cer
+  SSLProtocol All -SSLv2 -SSLv3
+  # Note: this list should ensure ciphers that provide forward secrecy
+  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+  SSLHonorCipherOrder on
+
+
+    DocumentRoot /afs/openstack.org/project/opendev.org/docs
+    <Directory /afs/openstack.org/project/opendev.org/docs>
+        Options Indexes FollowSymLinks MultiViews
+        Satisfy any
+        Require all granted
+        AllowOverride None
+        # Allow mod_rewrite rules
+        AllowOverrideList Redirect RedirectMatch
+        ErrorDocument 404 /errorpage.html
+    </Directory>
+
+    ErrorLog /var/log/apache2/docs.opendev.org_error.log
+    LogLevel warn
+    CustomLog /var/log/apache2/docs.opendev.org_access.log combined
+    ServerSignature Off
+</VirtualHost>
+</IfModule>

playbooks/roles/static/files/50-docs.openstack.org.conf

@@ -0,0 +1,43 @@
+<VirtualHost *:80>
+    ServerName docs.openstack.org
+
+    RewriteEngine on
+    RewriteRule ^/(.*) https://docs.openstack.org/$1 [last,redirect=permanent]
+
+    ErrorLog /var/log/apache2/docs.openstack.org_error.log
+    LogLevel warn
+    CustomLog /var/log/apache2/docs.openstack.org_access.log combined
+    ServerSignature Off
+</VirtualHost>
+
+<IfModule mod_ssl.c>
+<VirtualHost *:443>
+    ServerName docs.openstack.org
+
+    RewriteEngine on
+
+  SSLCertificateFile      /etc/letsencrypt-certs/docs.openstack.org/docs.openstack.org.cer
+  SSLCertificateKeyFile   /etc/letsencrypt-certs/docs.openstack.org/docs.openstack.org.key
+  SSLCertificateChainFile /etc/letsencrypt-certs/docs.openstack.org/ca.cer
+  SSLProtocol All -SSLv2 -SSLv3
+  # Note: this list should ensure ciphers that provide forward secrecy
+  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+  SSLHonorCipherOrder on
+
+    DocumentRoot /afs/openstack.org/docs
+    <Directory /afs/openstack.org/docs>
+        Options Indexes FollowSymLinks MultiViews
+        Satisfy any
+        Require all granted
+        AllowOverride None
+        # Allow mod_rewrite rules
+        AllowOverrideList Redirect RedirectMatch
+        ErrorDocument 404 /errorpage.html
+    </Directory>
+
+    ErrorLog /var/log/apache2/docs.openstack.org_error.log
+    LogLevel warn
+    CustomLog /var/log/apache2/docs.openstack.org_access.log combined
+    ServerSignature Off
+</VirtualHost>
+</IfModule>

playbooks/roles/static/files/50-docs.starlingx.io.conf

@@ -0,0 +1,43 @@
+<VirtualHost *:80>
+    ServerName docs.starlingx.io
+
+    RewriteEngine on
+    RewriteRule ^/(.*) https://docs.starlingx.io/$1 [last,redirect=permanent]
+
+    ErrorLog /var/log/apache2/docs.starlingx.io_error.log
+    LogLevel warn
+    CustomLog /var/log/apache2/docs.starlingx.io_access.log combined
+    ServerSignature Off
+</VirtualHost>
+
+<IfModule mod_ssl.c>
+<VirtualHost *:443>
+    ServerName docs.starlingx.io
+
+    RewriteEngine on
+
+  SSLCertificateFile      /etc/letsencrypt-certs/docs.starlingx.io/docs.starlingx.io.cer
+  SSLCertificateKeyFile   /etc/letsencrypt-certs/docs.starlingx.io/docs.starlingx.io.key
+  SSLCertificateChainFile /etc/letsencrypt-certs/docs.starlingx.io/ca.cer
+  SSLProtocol All -SSLv2 -SSLv3
+  # Note: this list should ensure ciphers that provide forward secrecy
+  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+  SSLHonorCipherOrder on
+
+    DocumentRoot /afs/openstack.org/project/starlingx.io/www
+    <Directory /afs/openstack.org/project/starlingx.io/www>
+        Options Indexes FollowSymLinks MultiViews
+        Satisfy any
+        Require all granted
+        AllowOverride None
+        # Allow mod_rewrite rules
+        AllowOverrideList Redirect RedirectMatch
+        ErrorDocument 404 /errorpage.html
+    </Directory>
+
+    ErrorLog /var/log/apache2/docs.starlingx.io_error.log
+    LogLevel warn
+    CustomLog /var/log/apache2/docs.starlingx.io_access.log combined
+    ServerSignature Off
+</VirtualHost>
+</IfModule>

playbooks/roles/static/files/50-zuul-ci.org.conf

@@ -0,0 +1,52 @@
+<VirtualHost *:80>
+    ServerName zuul-ci.org
+    ServerAlias www.zuul-ci.org
+    ServerAlias zuulci.org
+    ServerAlias www.zuulci.org
+
+    RewriteEngine on
+    RewriteRule ^/(.*) https://zuul-ci.org/$1 [last,redirect=permanent]
+
+    ErrorLog /var/log/apache2/zuul-ci.org_error.log
+    LogLevel warn
+    CustomLog /var/log/apache2/zuul-ci.org_access.log combined
+    ServerSignature Off
+</VirtualHost>
+
+<IfModule mod_ssl.c>
+<VirtualHost *:443>
+    ServerName zuul-ci.org
+    ServerAlias www.zuul-ci.org
+    ServerAlias zuulci.org
+    ServerAlias www.zuulci.org
+
+    RewriteEngine on
+
+    SSLEngine on
+    SSLProtocol All -SSLv2 -SSLv3
+    # Once the machine is using something to terminate TLS that supports ECDHE
+    # then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
+    # only is guarenteed.
+    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+    SSLHonorCipherOrder on
+    SSLCertificateFile /etc/letsencrypt-certs/zuul-ci.org/zuul-ci.org.cer
+    SSLCertificateKeyFile /etc/letsencrypt-certs/zuul-ci.org/zuul-ci.org.key
+    SSLCertificateChainFile /etc/letsencrypt-certs/zuul-ci.org/ca.cer
+
+    DocumentRoot /afs/openstack.org/project/zuul-ci.org/www
+    <Directory /afs/openstack.org/project/zuul-ci.org/www>
+        Options Indexes FollowSymLinks MultiViews
+        Satisfy any
+        Require all granted
+        AllowOverride None
+        # Allow mod_rewrite rules
+        AllowOverrideList Redirect RedirectMatch
+        ErrorDocument 404 /errorpage.html
+    </Directory>
+
+    ErrorLog /var/log/apache2/zuul-ci.org_error.log
+    LogLevel warn
+    CustomLog /var/log/apache2/zuul-ci.org_access.log combined
+    ServerSignature Off
+</VirtualHost>
+</IfModule>

playbooks/roles/static/tasks/main.yaml

@@ -59,6 +59,10 @@
   include_tasks: enable_site.yaml
   loop:
     - 00-static.opendev.org
+    - 50-developer.openstack.org
+    - 50-docs.opendev.org
+    - 50-docs.openstack.org
+    - 50-docs.starlingx.io
     - 50-governance.openstack.org
     - 50-security.openstack.org
     - 50-service-types.openstack.org
@@ -66,3 +70,4 @@
     - 50-releases.openstack.org
     - 50-tarballs.opendev.org
     - 50-tarballs.openstack.org
+    - 50-zuul-ci.org

testinfra/test_static.py

@@ -12,6 +12,7 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
+import pytest
 
 testinfra_hosts = ['static01.opendev.org']
 
@@ -71,3 +72,45 @@ def test_releases_openstack_org(host):
                    '--resolve releases.openstack.org:443:127.0.0.1 '
                    'https://releases.openstack.org')
     assert 'OpenStack Releases: OpenStack Releases' in cmd.stdout
+
+def test_developer_openstack_org(host):
+    cmd = host.run('curl --insecure '
+                   '--resolve developer.openstack.org:443:127.0.0.1 '
+                   'https://developer.openstack.org')
+    assert 'OpenStack Docs: Application Development' in cmd.stdout
+
+def test_docs_openstack_org(host):
+    cmd = host.run('curl --insecure '
+                   '--resolve docs.openstack.org:443:127.0.0.1 '
+                   'https://docs.openstack.org')
+    # links to the latest, make sure it redirected us
+    assert '301 Moved Permanently' in cmd.stdout
+
+def test_docs_opendev_org(host):
+    cmd = host.run('curl --insecure '
+                   '--resolve docs.opendev.org:443:127.0.0.1 '
+                   'https://docs.opendev.org')
+    assert 'Index of /' in cmd.stdout
+
+def test_docs_starlingx_io(host):
+    cmd = host.run('curl --insecure '
+                   '--resolve docs.starlingx.io:443:127.0.0.1 '
+                   'https://docs.starlingx.io')
+    # links to the latest, make sure it redirected us
+    assert 'StarlingX Docs: Welcome to the StarlingX Documentation' \
+        in cmd.stdout
+
+zuul_names = (
+    'zuul-ci.org',
+    'www.zuul-ci.org',
+    'zuulci.org',
+    'www.zuulci.org',
+)
+
+@pytest.mark.parametrize("name", zuul_names)
+def test_docs_openstack_org(host, name):
+
+    cmd = host.run('curl --insecure '
+                   '--resolve %s:443:127.0.0.1 https://%s/ ' %
+                   (name, name))
+    assert 'Zuul is an open source CI tool' in cmd.stdout