From 3fd6e160770d7d7072184a1e5abd3dde77b7ddcb Mon Sep 17 00:00:00 2001 From: Ian Wienand Date: Thu, 30 Jan 2020 11:40:17 +1100 Subject: [PATCH] Add tarballs..org to static.opendev.org Add these hosts to static.opendev.org, serving from AFS. Note that tarballs.openstack.org just redirects to static.opendev.org/openstack. This should have no effect currently, it will only become live when we switch DNS. For more details see the thread at: http://lists.openstack.org/pipermail/openstack-infra/2020-January/006584.html Change-Id: Ie56fac17ffaa91ee55be986de636485a58125a02 --- playbooks/host_vars/static01.opendev.org.yaml | 5 ++- .../handlers/main.yaml | 6 +++ .../static/files/50-tarballs.opendev.org.conf | 41 +++++++++++++++++++ .../files/50-tarballs.openstack.org.conf | 35 ++++++++++++++++ playbooks/roles/static/tasks/main.yaml | 32 +++++++++++++++ testinfra/test_static.py | 16 ++++++++ 6 files changed, 134 insertions(+), 1 deletion(-) create mode 100755 playbooks/roles/static/files/50-tarballs.opendev.org.conf create mode 100755 playbooks/roles/static/files/50-tarballs.openstack.org.conf diff --git a/playbooks/host_vars/static01.opendev.org.yaml b/playbooks/host_vars/static01.opendev.org.yaml index a413a53626..8954391fa1 100644 --- a/playbooks/host_vars/static01.opendev.org.yaml +++ b/playbooks/host_vars/static01.opendev.org.yaml @@ -7,4 +7,7 @@ letsencrypt_certs: - governance.openstack.org static01-security-openstack-org: - security.openstack.org - + static01-tarballs-opendev-org: + - tarballs.opendev.org + static01-tarballs-openstack-org: + - tarballs.openstack.org diff --git a/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml b/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml index 0068d11ca0..cac08944f6 100644 --- a/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml +++ b/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml @@ -44,6 +44,12 @@ - name: letsencrypt updated static01-security-openstack-org include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml +- name: letsencrypt updated static01-tarballs-opendev-org + include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml + +- name: letsencrypt updated static01-tarballs-openstack-org + include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml + # review-dev - name: letsencrypt updated review-dev01-opendev-org-main diff --git a/playbooks/roles/static/files/50-tarballs.opendev.org.conf b/playbooks/roles/static/files/50-tarballs.opendev.org.conf new file mode 100755 index 0000000000..6d7996884c --- /dev/null +++ b/playbooks/roles/static/files/50-tarballs.opendev.org.conf @@ -0,0 +1,41 @@ +Define AFS_ROOT /afs/openstack.org/project/tarballs.opendev.org + + + ServerName tarballs.opendev.org + RewriteEngine On + RewriteRule ^/(.*) https://tarballs.opendev.org/$1 [last,redirect=permanent] + LogLevel warn + ErrorLog /var/log/apache2/tarballs.opendev.org_error.log + CustomLog /var/log/apache2/tarballs.opendev.org_access.log combined + ServerSignature Off + + + + + + ServerName tarballs.opendev.org + + DocumentRoot ${AFS_ROOT} + + SSLCertificateFile /etc/letsencrypt-certs/tarballs.opendev.org/tarballs.opendev.org.cer + SSLCertificateKeyFile /etc/letsencrypt-certs/tarballs.opendev.org/tarballs.opendev.org.key + SSLCertificateChainFile /etc/letsencrypt-certs/tarballs.opendev.org/ca.cer + SSLProtocol All -SSLv2 -SSLv3 + # Note: this list should ensure ciphers that provide forward secrecy + SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP + SSLHonorCipherOrder on + + + Options Indexes FollowSymLinks MultiViews + AllowOverrideList Redirect RedirectMatch + Satisfy Any + Require all granted + + + LogLevel warn + ErrorLog /var/log/apache2/tarballs.opendev.org_error.log + CustomLog /var/log/apache2/tarballs.opendev.org_access.log combined + ServerSignature Off + + + diff --git a/playbooks/roles/static/files/50-tarballs.openstack.org.conf b/playbooks/roles/static/files/50-tarballs.openstack.org.conf new file mode 100755 index 0000000000..fb33b8122a --- /dev/null +++ b/playbooks/roles/static/files/50-tarballs.openstack.org.conf @@ -0,0 +1,35 @@ + + ServerName tarballs.openstack.org + RewriteEngine On + RewriteRule ^/(.*) https://tarballs.openstack.org/$1 [last,redirect=permanent] + LogLevel warn + ErrorLog /var/log/apache2/tarballs.openstack.org_error.log + CustomLog /var/log/apache2/tarballs.openstack.org_access.log combined + ServerSignature Off + + + + + + ServerName tarballs.openstack.org + + DocumentRoot ${AFS_ROOT} + + SSLCertificateFile /etc/letsencrypt-certs/tarballs.openstack.org/tarballs.openstack.org.cer + SSLCertificateKeyFile /etc/letsencrypt-certs/tarballs.openstack.org/tarballs.openstack.org.key + SSLCertificateChainFile /etc/letsencrypt-certs/tarballs.openstack.org/ca.cer + SSLProtocol All -SSLv2 -SSLv3 + # Note: this list should ensure ciphers that provide forward secrecy + SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP + SSLHonorCipherOrder on + + RewriteEngine On + RewriteRule ^/?(.*)$ https://tarballs.opendev.org/openstack/$1 [L] + + LogLevel warn + ErrorLog /var/log/apache2/tarballs.openstack.org_error.log + CustomLog /var/log/apache2/tarballs.openstack.org_access.log combined + ServerSignature Off + + + diff --git a/playbooks/roles/static/tasks/main.yaml b/playbooks/roles/static/tasks/main.yaml index 2d49faf4ac..ba1984ea6e 100644 --- a/playbooks/roles/static/tasks/main.yaml +++ b/playbooks/roles/static/tasks/main.yaml @@ -86,3 +86,35 @@ creates: /etc/apache2/sites-enabled/50-security.openstack.org notify: - Reload apache2 + +# tarballs.opendev.org +- name: Install tarballs.opendev.org + copy: + src: 50-tarballs.opendev.org.conf + dest: /etc/apache2/sites-available/ + owner: root + group: root + mode: 0644 + +- name: Enable tarballs.opendev.org + command: a2ensite 50-tarballs.opendev.org + args: + creates: /etc/apache2/sites-enabled/50-tarballs.opendev.org + notify: + - Reload apache2 + +# tarballs.openstack.org +- name: Install tarballs.openstack.org + copy: + src: 50-tarballs.openstack.org.conf + dest: /etc/apache2/sites-available/ + owner: root + group: root + mode: 0644 + +- name: Enable tarballs.openstack.org + command: a2ensite 50-tarballs.openstack.org + args: + creates: /etc/apache2/sites-enabled/50-tarballs.openstack.org + notify: + - Reload apache2 diff --git a/testinfra/test_static.py b/testinfra/test_static.py index c00d5b2375..c200d4918a 100644 --- a/testinfra/test_static.py +++ b/testinfra/test_static.py @@ -31,3 +31,19 @@ def test_security_openstack_org(host): '--resolve security.openstack.org:443:127.0.0.1 ' 'https://security.openstack.org/') assert 'OpenStack Security Project' in cmd.stdout + +def test_tarballs_openstack_org(host): + cmd = host.run('curl --insecure ' + '--resolve tarballs.openstack.org:443:127.0.0.1 ' + '--resolve tarballs.opendev.org:443:127.0.0.1 ' + 'https://tarballs.openstack.org/nova/') + # The redirect page should send us to tarballs.opendev.org + assert '302 Found' in cmd.stdout + assert 'https://tarballs.opendev.org/openstack/nova/' in cmd.stdout + +def test_tarballs_opendev_org(host): + cmd = host.run('curl --insecure ' + '--resolve tarballs.opendev.org:443:127.0.0.1 ' + 'https://tarballs.opendev.org/openstack/nova/') + # An old file that should be present + assert 'nova-12.0.0.tar.gz' in cmd.stdout