From 61caec5b771ad194ab75c4b1551e7c8e49122258 Mon Sep 17 00:00:00 2001
From: Clark Boylan
Date: Fri, 28 Feb 2020 08:10:24 -0800
Subject: [PATCH] Use LE cert on review.open*.org

We previously had two manually issued certs (one each for opendev.org and openstack.org) but now have a single cert with all the appropriate names in it automatically issued by LE. Use this new cert before the old one expires.

Change-Id: I635d2bfd820fe138ee951833dd66f157b2b7c097
---
 manifests/site.pp | 15 ++++++-----
 modules/openstack_project/manifests/review.pp | 25 -------------------
 .../review-openstack-redirect.vhost.erb | 6 ++---
 3 files changed, 10 insertions(+), 36 deletions(-)

diff --git a/manifests/site.pp b/manifests/site.pp
index e0c71e98e3..8ea44c82e3 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -46,9 +46,13 @@ node /^review\d*\.open.*\.org$/ {
 gerritbot_password => hiera('gerrit_gerritbot_password'),
 gerritbot_ssh_rsa_key_contents => hiera('gerritbot_ssh_rsa_key_contents'),
 gerritbot_ssh_rsa_pubkey_contents => hiera('gerritbot_ssh_rsa_pubkey_contents'),
- ssl_cert_file_contents => hiera('review_opendev_cert_file_contents'),
- ssl_key_file_contents => hiera('review_opendev_key_file_contents'),
- ssl_chain_file_contents => hiera('review_opendev_chain_file_contents'),
+ # Empty contents forces Puppet to not write the file.
+ ssl_cert_file_contents => '',
+ ssl_key_file_contents => '',
+ ssl_chain_file_contents => '',
+ ssl_cert_file => '/etc/letsencrypt-certs/review.opendev.org/review.opendev.org.cer',
+ ssl_key_file => '/etc/letsencrypt-certs/review.opendev.org/review.opendev.org.key',
+ ssl_chain_file => '/etc/letsencrypt-certs/review.opendev.org/ca.cer',
 ssh_dsa_key_contents => hiera('gerrit_ssh_dsa_key_contents'),
 ssh_dsa_pubkey_contents => hiera('gerrit_ssh_dsa_pubkey_contents'),
 ssh_rsa_key_contents => hiera('gerrit_ssh_rsa_key_contents'),
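Review bot: The new `ssl_key_file` value hands the review class the LE private key at `/etc/letsencrypt-certs/review.opendev.org/review.opendev.org.key`, but nothing in this patch says who owns that file or what mode it carries; the old key material arrived via `*_file_contents` and was presumably written by a Puppet `file` resource (the review.pp hunk below removes exactly such resources for the redirect key, pinned to root and 0600), whereas the LE files are produced by tooling outside this change, so their readability by the Gerrit and Apache service users, and by nobody else, needs confirming. A second comment next to `# Empty contents forces Puppet to not write the file.` would make that ownership explicit, e.g. `# Files under /etc/letsencrypt-certs are written and permissioned by the LE job, not by this manifest.` The dropped `hiera('review_opendev_*_file_contents')` lookups appear to be the only readers of those hiera keys in this patch, so the superseded certificate and private key can be removed from hiera once this has deployed. The `openstack_project::review` declaration starts and ends outside the hunk.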
@@ -65,11 +69,6 @@ node /^review\d*\.open.*\.org$/ {
 swift_username => hiera('swift_store_user', 'username'),
 swift_password => hiera('swift_store_key'),
 storyboard_password => hiera('gerrit_storyboard_token'),
- # Compatibility layer vars for the old domain name below here.
- # TODO rename the hiera keys to reduce confusion
- review_openstack_cert_file_contents => hiera('gerrit_ssl_cert_file_contents'),
- review_openstack_key_file_contents => hiera('gerrit_ssl_key_file_contents'),
- review_openstack_chain_file_contents => hiera('gerrit_ssl_chain_file_contents'),
 }
 }
 
diff --git a/modules/openstack_project/manifests/review.pp b/modules/openstack_project/manifests/review.pp
index afb590ff9b..39779511dd 100644
--- a/modules/openstack_project/manifests/review.pp
+++ b/modules/openstack_project/manifests/review.pp
@@ -81,10 +81,6 @@ class openstack_project::review (
 $project_config_repo = '',
 $projects_config = 'openstack_project/review.projects.ini.erb',
 $gerrit_configure = true,
- # Compatibility for old domain name vars below here.
- $review_openstack_cert_file_contents = '',
- $review_openstack_key_file_contents = '',
- $review_openstack_chain_file_contents = '',
 ) {
 
 class { 'project_config':
@@ -394,27 +390,6 @@ class openstack_project::review (
 }
 }
 
- file { '/etc/ssl/certs/review-redirect.openstack.org.pem':
- ensure => present,
- owner => 'root',
- group => 'root',
- mode => '0644',
- content => $review_openstack_cert_file_contents,
- }
- file { '/etc/ssl/private/review-redirect.openstack.org.key':
- ensure => present,
- owner => 'root',
- group => 'root',
- mode => '0600',
- content => $review_openstack_key_file_contents,
- }
- file { '/etc/ssl/certs/review-redirect.openstack.org_intermediate.pem':
- ensure => present,
- owner => 'root',
- group => 'root',
- mode => '0644',
- content => $review_openstack_chain_file_contents,
- }
 ::httpd::vhost { 'review.openstack.org':
 port => 443, # Is required despite not being used.
 docroot => 'MEANINGLESS_ARGUMENT',
diff --git a/modules/openstack_project/templates/review-openstack-redirect.vhost.erb b/modules/openstack_project/templates/review-openstack-redirect.vhost.erb
index acb4f73ee6..e8e89377e1 100644
--- a/modules/openstack_project/templates/review-openstack-redirect.vhost.erb
+++ b/modules/openstack_project/templates/review-openstack-redirect.vhost.erb
@@ -24,9 +24,9 @@
 # only is guarenteed.
 SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
 SSLHonorCipherOrder on
- SSLCertificateFile /etc/ssl/certs/review-redirect.openstack.org.pem
- SSLCertificateKeyFile /etc/ssl/private/review-redirect.openstack.org.key
- SSLCertificateChainFile /etc/ssl/certs/review-redirect.openstack.org_intermediate.pem
+ SSLCertificateFile /etc/letsencrypt-certs/review.opendev.org/review.opendev.org.cer
+ SSLCertificateKeyFile /etc/letsencrypt-certs/review.opendev.org/review.opendev.org.key
+ SSLCertificateChainFile /etc/letsencrypt-certs/review.opendev.org/ca.cer
 
 LogLevel warn
 ErrorLog /var/log/apache2/<%= @srvname %>_error.log
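Review bot: Switching `SSLCertificateKeyFile` to the LE key leaves the superseded key at `/etc/ssl/private/review-redirect.openstack.org.key` (and the two `.pem` files beside it) on disk: the review.pp hunk above deletes their `file` resources, which only stops Puppet managing them, so the old private key survives until someone removes it by hand. Re-declaring that path in review.pp as `file { '/etc/ssl/private/review-redirect.openstack.org.key': ensure => absent }` would retire it deterministically, and the same applies to the two certificate paths. LE certificates are short-lived, and this vhost only keeps serving a valid chain if Apache is reloaded after each renewal; no such hook is in this patch, so confirm one exists elsewhere. `SSLCertificateChainFile` has been deprecated since Apache 2.4.8 in favour of a combined `SSLCertificateFile`; keeping it is harmless as long as `ca.cer` holds the issuing intermediate, but it is worth noting for the next touch of this template.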