James E. Blair 9fead30442 Use LE certs for zuul-ci.org
This switches the zuul-ci.org/zuulci.org vhost to use newly issued
letsencrypt certs.  It also does the same for git.zuul-ci.org, which
is a different vhost.  Since that vhost is tied into a configuration
which can't accept cert file paths (only content), adjust it to use
the newer "website" manifest pattern which can.

Change-Id: I0cd0407754466327147917390c578da336e61269
2020-01-07 15:25:32 -08:00


# Copyright 2017 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
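# Declares an httpd vhost on port 443 for a static website and, when
# certificate material is passed as content, writes it to disk first.
#
# Parameters:
#   $aliases             - passed to ::httpd::vhost as serveraliases.
#   $volume_name         - AFS volume used to build the default docroot;
#                          defaults to the resource title ($name).
#   $ssl_cert            - certificate *content*; written to
#                          /etc/ssl/certs/${name}.pem when set.
#   $ssl_key             - private key *content*; written to
#                          /etc/ssl/private/${name}.key (root, 0600) when set.
#   $ssl_intermediate    - chain *content*; written to
#                          /etc/ssl/certs/${name}_intermediate.pem when set.
#   $ssl_cert_file       - path to an existing certificate; used only when
#   $ssl_key_file          the matching content parameter above is undef
#   $ssl_chain_file        (same rule for the key and chain paths).
#   $template            - ERB template rendered as the vhost content.
#   $docroot             - explicit document root; overrides the AFS default.
#   $allow_override_list - defaults to 'Redirect RedirectMatch'.
#
# For each of cert/key/chain the content parameter takes precedence over
# the *_file parameter; if both are undef the resulting *_file_ variable is
# undef.  The trailing-underscore variables are presumably read by the ERB
# template, which is evaluated in this scope -- confirm against the template.
define openstack_project::website (
  $aliases             = undef,
  $volume_name         = undef,
  $ssl_cert            = undef,
  $ssl_key             = undef,
  $ssl_intermediate    = undef,
  $ssl_cert_file       = undef,
  $ssl_key_file        = undef,
  $ssl_chain_file      = undef,
  $template            = 'openstack_project/website.vhost.erb',
  $docroot             = undef,
  $allow_override_list = undef,
) {

  # NOTE(review): $afs_root ends in '/', so the default docroot below
  # contains '//'.  Left unchanged because the vhost template may also read
  # $afs_root -- confirm before normalising.
  $afs_root = '/afs/openstack.org/'

  if $volume_name == undef {
    # Default to volume name matching vhost name
    $volume_name_ = $name
  } else {
    $volume_name_ = $volume_name
  }

  if $docroot == undef {
    $docroot_ = "${afs_root}/project/${volume_name_}/www"
  } else {
    $docroot_ = $docroot
  }

  if $allow_override_list == undef {
    $allow_override_list_ = 'Redirect RedirectMatch'
  } else {
    $allow_override_list_ = $allow_override_list
  }

  # Certificate: public material, world-readable.
  if ($ssl_cert != undef) {
    $ssl_cert_file_ = "/etc/ssl/certs/${name}.pem"
    file { $ssl_cert_file_:
      ensure  => present,
      owner   => 'root',
      group   => 'root',
      mode    => '0644',
      content => $ssl_cert,
      require => File['/etc/ssl/certs'],
    }
  } else {
    $ssl_cert_file_ = $ssl_cert_file
  }

  # Private key: readable by root only.
  if ($ssl_key != undef) {
    $ssl_key_file_ = "/etc/ssl/private/${name}.key"
    file { $ssl_key_file_:
      ensure    => present,
      owner     => 'root',
      group     => 'root',
      mode      => '0600',
      content   => $ssl_key,
      # Keep key material out of agent logs and reports: without this, a
      # run with diffs enabled (e.g. `puppet agent --test`) prints the
      # changed key content when the file is replaced.
      show_diff => false,
      require   => File['/etc/ssl/private'],
    }
  } else {
    $ssl_key_file_ = $ssl_key_file
  }

  # Intermediate chain: public material, world-readable.
  if ($ssl_intermediate != undef) {
    $ssl_chain_file_ = "/etc/ssl/certs/${name}_intermediate.pem"
    file { $ssl_chain_file_:
      ensure  => present,
      owner   => 'root',
      group   => 'root',
      mode    => '0644',
      content => $ssl_intermediate,
      require => File['/etc/ssl/certs'],
    }
  } else {
    $ssl_chain_file_ = $ssl_chain_file
  }

  ::httpd::vhost { $name:
    serveraliases => $aliases,
    port          => 443, # Is required despite not being used.
    docroot       => $docroot_,
    priority      => '50',
    content       => template($template)
  }
}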