Roll releases site into common cert

Now that the static.o.o SSL cert has been renewed, additional
CNs have been included in the SAN set for it. As a result, we can
simplify configuration for the newer sites added since the prior
renewal.

Change-Id: I77f49cea53b0a06ce4399d46b00806a2cbd7e509

manifests/site.pp

@@ -763,19 +763,16 @@ node 'static.openstack.org' {
     sysadmins                 => hiera('sysadmins', []),
   }
   class { 'openstack_project::static':
-    project_config_repo          => 'https://git.openstack.org/openstack-infra/project-config',
+    project_config_repo     => 'https://git.openstack.org/openstack-infra/project-config',
-    swift_authurl                => 'https://identity.api.rackspacecloud.com/v2.0/',
+    swift_authurl           => 'https://identity.api.rackspacecloud.com/v2.0/',
-    swift_user                   => 'infra-files-ro',
+    swift_user              => 'infra-files-ro',
-    swift_key                    => hiera('infra_files_ro_password'),
+    swift_key               => hiera('infra_files_ro_password'),
-    swift_tenant_name            => hiera('infra_files_tenant_name', 'tenantname'),
+    swift_tenant_name       => hiera('infra_files_tenant_name', 'tenantname'),
-    swift_region_name            => 'DFW',
+    swift_region_name       => 'DFW',
-    swift_default_container      => 'infra-files',
+    swift_default_container => 'infra-files',
-    ssl_cert_file_contents       => hiera('static_ssl_cert_file_contents'),
+    ssl_cert_file_contents  => hiera('static_ssl_cert_file_contents'),
-    ssl_key_file_contents        => hiera('static_ssl_key_file_contents'),
+    ssl_key_file_contents   => hiera('static_ssl_key_file_contents'),
-    ssl_chain_file_contents      => hiera('static_ssl_chain_file_contents'),
+    ssl_chain_file_contents => hiera('static_ssl_chain_file_contents'),
-    releases_cert_file_contents  => hiera('releases_ssl_cert_file_contents'),
-    releases_key_file_contents   => hiera('releases_ssl_key_file_contents'),
-    releases_chain_file_contents => hiera('releases_ssl_chain_file_contents'),
   }
 }
 

modules/openstack_project/manifests/static.pp

@@ -14,9 +14,6 @@ class openstack_project::static (
   $ssl_key_file_contents = '',
   $ssl_chain_file = '',
   $ssl_chain_file_contents = '',
-  $releases_cert_file_contents = '',
-  $releases_key_file_contents = '',
-  $releases_chain_file_contents = '',
   $jenkins_gitfullname = 'OpenStack Jenkins',
   $jenkins_gitemail = 'jenkins@openstack.org',
 ) {
@@ -435,32 +432,16 @@ class openstack_project::static (
   ###########################################################
   # Releases
 
-  # Temporary separate HTTPS cert/key/chain for releases.o.o so that we
+  # These are no longer needed now that this site shares the same
-  # don't have to renew the static.o.o cert just to add one SubjectAltName
+  # cert as the others.
   file { '/etc/ssl/certs/releases.openstack.org.pem':
-    ensure  => present,
+    ensure  => absent,
-    owner   => 'root',
-    group   => 'root',
-    mode    => '0644',
-    content => $releases_cert_file_contents,
-    require => File['/etc/ssl/certs'],
   }
   file { '/etc/ssl/private/releases.openstack.org.key':
-    ensure  => present,
+    ensure  => absent,
-    owner   => 'root',
-    group   => 'root',
-    mode    => '0600',
-    content => $releases_key_file_contents,
-    require => File['/etc/ssl/private'],
   }
   file { '/etc/ssl/certs/releases.openstack.org_intermediate.pem':
-    ensure  => present,
+    ensure  => absent,
-    owner   => 'root',
-    group   => 'root',
-    mode    => '0644',
-    content => $releases_chain_file_contents,
-    require => File['/etc/ssl/certs'],
-    before  => File['/etc/ssl/certs/releases.openstack.org.pem'],
   }
 
   ::httpd::vhost { 'releases.openstack.org':
@@ -468,12 +449,12 @@ class openstack_project::static (
     docroot    => '/srv/static/releases',
     priority   => '50',
     ssl        => true,
-    template   => 'openstack_project/static-releases.vhost.erb',
+    template   => 'openstack_project/static-https-redirect.vhost.erb',
     vhost_name => 'releases.openstack.org',
     require    => [
       File['/srv/static/releases'],
-      File['/etc/ssl/certs/releases.openstack.org.pem'],
+      File[$cert_file],
-      File['/etc/ssl/private/releases.openstack.org.key'],
+      File[$key_file],
     ],
   }
 

modules/openstack_project/templates/static-releases.vhost.erb

@@ -1,45 +0,0 @@
-# ************************************
-# Managed by Puppet
-# ************************************
-
-<VirtualHost *:80>
-  ServerName <%= @vhost_name %>
-<% if @serveraliases.is_a? Array -%>
-<% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%>
-<% elsif @serveraliases != '' -%>
-<%= " ServerAlias #{@serveraliases}" %>
-<% end -%>
-  RewriteEngine On
-  RewriteRule ^/(.*) https://<%= @vhost_name %>/$1 [last,redirect=permanent]
-  LogLevel warn
-  ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
-  CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
-  ServerSignature Off
-</VirtualHost>
-
-<IfModule mod_ssl.c>
-<VirtualHost *:443>
-  ServerName <%= @vhost_name %>
-  DocumentRoot <%= @docroot %>
-  SSLEngine on
-  SSLProtocol All -SSLv2 -SSLv3
-  # Once the machine is using something to terminate TLS that supports ECDHE
-  # then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
-  # only is guarenteed.
-  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
-  SSLHonorCipherOrder on
-  SSLCertificateFile /etc/ssl/certs/releases.openstack.org.pem
-  SSLCertificateKeyFile /etc/ssl/private/releases.openstack.org.key
-  SSLCertificateChainFile /etc/ssl/certs/releases.openstack.org_intermediate.pem
-  <Directory <%= @docroot %>>
-    Options Indexes FollowSymLinks MultiViews
-    AllowOverride None
-    Satisfy Any
-    Require all granted
-  </Directory>
-  LogLevel warn
-  ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
-  CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
-  ServerSignature Off
-</VirtualHost>
-</IfModule>