Add tarballs.<openstack|opendev>.org to static.opendev.org

Add these hosts to static.opendev.org, serving from AFS. Note that tarballs.openstack.org just redirects to static.opendev.org/openstack. This should have no effect currently, it will only become live when we switch DNS. For more details see the thread at: http://lists.openstack.org/pipermail/openstack-infra/2020-January/006584.html Change-Id: Ie56fac17ffaa91ee55be986de636485a58125a02
2020-01-30 11:40:17 +11:00 · 2020-01-30 11:40:17 +11:00 · 3fd6e16077
commit 3fd6e16077
parent 7227bcf879
6 changed files with 134 additions and 1 deletions
--- a/playbooks/host_vars/static01.opendev.org.yaml
+++ b/playbooks/host_vars/static01.opendev.org.yaml
@ -7,4 +7,7 @@ letsencrypt_certs:
    - governance.openstack.org
  static01-security-openstack-org:
    - security.openstack.org
-
+  static01-tarballs-opendev-org:
+    - tarballs.opendev.org
+  static01-tarballs-openstack-org:
+    - tarballs.openstack.org
--- a/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml
+++ b/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml
@ -44,6 +44,12 @@
 - name: letsencrypt updated static01-security-openstack-org
  include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml

+- name: letsencrypt updated static01-tarballs-opendev-org
+  include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml
+
+- name: letsencrypt updated static01-tarballs-openstack-org
+  include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml
+
 # review-dev

 - name: letsencrypt updated review-dev01-opendev-org-main
--- a/playbooks/roles/static/files/50-tarballs.opendev.org.conf
+++ b/playbooks/roles/static/files/50-tarballs.opendev.org.conf
@ -0,0 +1,41 @@
+Define AFS_ROOT /afs/openstack.org/project/tarballs.opendev.org
+
+<VirtualHost *:80>
+  ServerName tarballs.opendev.org
+  RewriteEngine On
+  RewriteRule ^/(.*) https://tarballs.opendev.org/$1 [last,redirect=permanent]
+  LogLevel warn
+  ErrorLog /var/log/apache2/tarballs.opendev.org_error.log
+  CustomLog /var/log/apache2/tarballs.opendev.org_access.log combined
+  ServerSignature Off
+</VirtualHost>
+
+<IfModule mod_ssl.c>
+<VirtualHost *:443>
+
+  ServerName tarballs.opendev.org
+
+  DocumentRoot ${AFS_ROOT}
+
+  SSLCertificateFile      /etc/letsencrypt-certs/tarballs.opendev.org/tarballs.opendev.org.cer
+  SSLCertificateKeyFile   /etc/letsencrypt-certs/tarballs.opendev.org/tarballs.opendev.org.key
+  SSLCertificateChainFile /etc/letsencrypt-certs/tarballs.opendev.org/ca.cer
+  SSLProtocol All -SSLv2 -SSLv3
+  # Note: this list should ensure ciphers that provide forward secrecy
+  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+  SSLHonorCipherOrder on
+
+  <Directory ${AFS_ROOT}>
+    Options Indexes FollowSymLinks MultiViews
+    AllowOverrideList Redirect RedirectMatch
+    Satisfy Any
+    Require all granted
+  </Directory>
+
+  LogLevel warn
+  ErrorLog /var/log/apache2/tarballs.opendev.org_error.log
+  CustomLog /var/log/apache2/tarballs.opendev.org_access.log combined
+  ServerSignature Off
+
+</VirtualHost>
+</IfModule>
--- a/playbooks/roles/static/files/50-tarballs.openstack.org.conf
+++ b/playbooks/roles/static/files/50-tarballs.openstack.org.conf
@ -0,0 +1,35 @@
+<VirtualHost *:80>
+  ServerName tarballs.openstack.org
+  RewriteEngine On
+  RewriteRule ^/(.*) https://tarballs.openstack.org/$1 [last,redirect=permanent]
+  LogLevel warn
+  ErrorLog /var/log/apache2/tarballs.openstack.org_error.log
+  CustomLog /var/log/apache2/tarballs.openstack.org_access.log combined
+  ServerSignature Off
+</VirtualHost>
+
+<IfModule mod_ssl.c>
+<VirtualHost *:443>
+
+  ServerName tarballs.openstack.org
+
+  DocumentRoot ${AFS_ROOT}
+
+  SSLCertificateFile      /etc/letsencrypt-certs/tarballs.openstack.org/tarballs.openstack.org.cer
+  SSLCertificateKeyFile   /etc/letsencrypt-certs/tarballs.openstack.org/tarballs.openstack.org.key
+  SSLCertificateChainFile /etc/letsencrypt-certs/tarballs.openstack.org/ca.cer
+  SSLProtocol All -SSLv2 -SSLv3
+  # Note: this list should ensure ciphers that provide forward secrecy
+  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+  SSLHonorCipherOrder on
+
+  RewriteEngine On
+  RewriteRule ^/?(.*)$ https://tarballs.opendev.org/openstack/$1 [L]
+
+  LogLevel warn
+  ErrorLog /var/log/apache2/tarballs.openstack.org_error.log
+  CustomLog /var/log/apache2/tarballs.openstack.org_access.log combined
+  ServerSignature Off
+
+</VirtualHost>
+</IfModule>
--- a/playbooks/roles/static/tasks/main.yaml
+++ b/playbooks/roles/static/tasks/main.yaml
@ -86,3 +86,35 @@
    creates: /etc/apache2/sites-enabled/50-security.openstack.org
  notify:
    - Reload apache2
+
+# tarballs.opendev.org
+- name: Install tarballs.opendev.org
+  copy:
+    src: 50-tarballs.opendev.org.conf
+    dest: /etc/apache2/sites-available/
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Enable tarballs.opendev.org
+  command: a2ensite 50-tarballs.opendev.org
+  args:
+    creates: /etc/apache2/sites-enabled/50-tarballs.opendev.org
+  notify:
+    - Reload apache2
+
+# tarballs.openstack.org
+- name: Install tarballs.openstack.org
+  copy:
+    src: 50-tarballs.openstack.org.conf
+    dest: /etc/apache2/sites-available/
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Enable tarballs.openstack.org
+  command: a2ensite 50-tarballs.openstack.org
+  args:
+    creates: /etc/apache2/sites-enabled/50-tarballs.openstack.org
+  notify:
+    - Reload apache2
--- a/testinfra/test_static.py
+++ b/testinfra/test_static.py
@ -31,3 +31,19 @@ def test_security_openstack_org(host):
                   '--resolve security.openstack.org:443:127.0.0.1 '
                   'https://security.openstack.org/')
    assert 'OpenStack Security Project' in cmd.stdout
+
+def test_tarballs_openstack_org(host):
+    cmd = host.run('curl --insecure '
+                   '--resolve tarballs.openstack.org:443:127.0.0.1 '
+                   '--resolve tarballs.opendev.org:443:127.0.0.1 '
+                   'https://tarballs.openstack.org/nova/')
+    # The redirect page should send us to tarballs.opendev.org
+    assert '302 Found' in cmd.stdout
+    assert 'https://tarballs.opendev.org/openstack/nova/' in cmd.stdout
+
+def test_tarballs_opendev_org(host):
+    cmd = host.run('curl --insecure '
+                   '--resolve tarballs.opendev.org:443:127.0.0.1 '
+                   'https://tarballs.opendev.org/openstack/nova/')
+    # An old file that should be present
+    assert 'nova-12.0.0.tar.gz' in cmd.stdout