From 3206fd02b83f79c30d9539871cbe154ac46a21e4 Mon Sep 17 00:00:00 2001 
From: Ian Wienand Date: Fri, 21 Feb 2020 12:32:13 +1100 Subject: [PATCH] static: move afs sites from files.openstack.org to static.opendev.org This creates sites to serve developer.openstack.org docs.openstack.org docs.opendev.org docs.starlingx.io which are all just static directories underneath /afs/openstack.org/. This is currently done by files02.openstack.org, but will be better served in the future by consolidating in ansible configuration on static.opendev.org. The following dns entries need to be made before merging to ensure the certificates are provisioned _acme-challenge.developer.openstack.org _acme-challenge.docs.openstack.org _acme-challenge.docs.opendev.org _acme-challenge.docs.starlingx.io Once done, we can merge and then cut-over the main DNS entries as we like. Since there are some follow-ons, I have not removed the puppet configuration from files02.openstack.org. I think it's best we migrate everything away from that and remove it in one lot. Change-Id: I459a36f823a8868e6cc09e2b0d85f2fe05d69002 --- playbooks/host_vars/static01.opendev.org.yaml | 13 +++++ .../handlers/main.yaml | 15 ++++++ .../files/50-developer.openstack.org.conf | 42 +++++++++++++++ .../static/files/50-docs.opendev.org.conf | 44 ++++++++++++++++ .../static/files/50-docs.openstack.org.conf | 43 +++++++++++++++ .../static/files/50-docs.starlingx.io.conf | 43 +++++++++++++++ .../roles/static/files/50-zuul-ci.org.conf | 52 +++++++++++++++++++ playbooks/roles/static/tasks/main.yaml | 5 ++ testinfra/test_static.py | 43 +++++++++++++++ 9 files changed, 300 insertions(+) create mode 100755 playbooks/roles/static/files/50-developer.openstack.org.conf create mode 100755 playbooks/roles/static/files/50-docs.opendev.org.conf create mode 100755 playbooks/roles/static/files/50-docs.openstack.org.conf create mode 100755 playbooks/roles/static/files/50-docs.starlingx.io.conf create mode 100755 playbooks/roles/static/files/50-zuul-ci.org.conf 
diff --git a/playbooks/host_vars/static01.opendev.org.yaml b/playbooks/host_vars/static01.opendev.org.yaml index 358ee4e39b..268e7ca24f 100644 --- a/playbooks/host_vars/static01.opendev.org.yaml +++ b/playbooks/host_vars/static01.opendev.org.yaml @@ -3,6 +3,14 @@ letsencrypt_certs: static01-opendev-org-main: - static.opendev.org - static01.opendev.org + static01-developer-openstack-org: + - developer.openstack.org + static01-docs-opendev-org: + - docs.opendev.org + static01-docs-openstack-org: + - docs.openstack.org + static01-docs-starlingx-io: + - docs.starlingx.io static01-governance-openstack-org: - governance.openstack.org static01-service-types-openstack-org: @@ -17,3 +25,8 @@ letsencrypt_certs: - tarballs.opendev.org static01-tarballs-openstack-org: - tarballs.openstack.org + static01-zuul-ci-org: + - zuul-ci.org + - www.zuul-ci.org + - zuulci.org + - www.zuulci.org diff --git a/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml b/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml index 32c717b2bc..e1a7b8efc6 100644 --- a/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml +++ b/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml 
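Review bot: The `static01-zuul-ci-org` entry added in the second hunk (`zuul-ci.org`, `www.zuul-ci.org`, `zuulci.org`, `www.zuulci.org`) is not covered by the commit message, which names only the developer/docs sites and their four `_acme-challenge` records. If these names are provisioned the same way, their `_acme-challenge` records presumably have to exist before merge as well. I would list them in the message, or move the zuul-ci.org site to its own change. The `letsencrypt_certs` mapping itself starts outside the hunk.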
@@ -38,6 +38,18 @@ - name: letsencrypt updated static01-opendev-org-main include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml +- name: letsencrypt updated static01-developer-openstack-org + include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml + +- name: letsencrypt updated static01-docs-opendev-org + include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml + +- name: letsencrypt updated static01-docs-openstack-org + include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml + +- name: letsencrypt updated static01-docs-starlingx-io + include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml + - name: letsencrypt updated static01-governance-openstack-org include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml @@ -59,6 +71,9 @@ - name: letsencrypt updated static01-tarballs-openstack-org include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml +- name: letsencrypt updated static01-zuul-ci-org + include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml + # review-dev - name: letsencrypt updated review-dev01-opendev-org-main diff --git a/playbooks/roles/static/files/50-developer.openstack.org.conf b/playbooks/roles/static/files/50-developer.openstack.org.conf new file mode 100755 index 0000000000..502f430505 --- /dev/null +++ b/playbooks/roles/static/files/50-developer.openstack.org.conf 
@@ -0,0 +1,42 @@
+
+ ServerName developer.openstack.org
+
+ RewriteEngine on
+ RewriteRule ^/(.*) https://developer.openstack.org/$1 [last,redirect=permanent]
+
+ ErrorLog /var/log/apache2/developer.openstack.org_error.log
+ LogLevel warn
+ CustomLog /var/log/apache2/developer.openstack.org_access.log combined
+ ServerSignature Off
+
+
+
+
+ ServerName developer.openstack.org
+
+ RewriteEngine on
+
+ SSLCertificateFile /etc/letsencrypt-certs/developer.openstack.org/developer.openstack.org.cer
+ SSLCertificateKeyFile /etc/letsencrypt-certs/developer.openstack.org/developer.openstack.org.key
+ SSLCertificateChainFile /etc/letsencrypt-certs/developer.openstack.org/ca.cer
+ SSLProtocol All -SSLv2 -SSLv3
+ # Note: this list should ensure ciphers that provide forward secrecy
+ SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+ SSLHonorCipherOrder on
+
+ DocumentRoot /afs/openstack.org/developer-docs
+
+ Options Indexes FollowSymLinks MultiViews
+ Satisfy any
+ Require all granted
+ # Allow mod_rewrite rules
+ AllowOverride FileInfo
+ ErrorDocument 404 /errorpage.html
+
+
+ ErrorLog /var/log/apache2/developer.openstack.org_error.log
+ LogLevel warn
+ CustomLog /var/log/apache2/developer.openstack.org_access.log combined
+ ServerSignature Off
+
+
diff --git a/playbooks/roles/static/files/50-docs.opendev.org.conf b/playbooks/roles/static/files/50-docs.opendev.org.conf
new file mode 100755
index 0000000000..288a43208f
--- /dev/null
+++ b/playbooks/roles/static/files/50-docs.opendev.org.conf
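Review bot: `AllowOverride FileInfo` for the `/afs/openstack.org/developer-docs` tree lets any `.htaccess` published there use the whole FileInfo class (handlers, MIME types, headers, rewrite rules), which is much broader than the other site files in this patch. Those use `AllowOverride None` with `AllowOverrideList Redirect RedirectMatch`. If the published content only needs redirects, use the same pair here; if existing `.htaccess` files depend on mod_rewrite, say so in the comment above the directive. The enclosing section tags are not visible in this rendering, so the directive's scope is inferred from its position after `DocumentRoot`.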
@@ -0,0 +1,44 @@
+
+ ServerName docs.opendev.org
+
+ RewriteEngine on
+ RewriteRule ^/(.*) https://docs.opendev.org/$1 [last,redirect=permanent]
+
+ ErrorLog /var/log/apache2/docs.opendev.org_error.log
+ LogLevel warn
+ CustomLog /var/log/apache2/docs.opendev.org_access.log combined
+ ServerSignature Off
+
+
+
+
+ ServerName docs.opendev.org
+
+ RewriteEngine on
+
+ SSLCertificateFile /etc/letsencrypt-certs/docs.opendev.org/docs.opendev.org.cer
+ SSLCertificateKeyFile /etc/letsencrypt-certs/docs.opendev.org/docs.opendev.org.key
+ SSLCertificateChainFile /etc/letsencrypt-certs/docs.opendev.org/ca.cer
+ SSLProtocol All -SSLv2 -SSLv3
+ # Note: this list should ensure ciphers that provide forward secrecy
+ SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+ SSLHonorCipherOrder on
+
+
+ DocumentRoot /afs/openstack.org/project/opendev.org/docs
+
+ Options Indexes FollowSymLinks MultiViews
+ Satisfy any
+ Require all granted
+ AllowOverride None
+ # Allow mod_rewrite rules
+ AllowOverrideList Redirect RedirectMatch
+ ErrorDocument 404 /errorpage.html
+
+
+ ErrorLog /var/log/apache2/docs.opendev.org_error.log
+ LogLevel warn
+ CustomLog /var/log/apache2/docs.opendev.org_access.log combined
+ ServerSignature Off
+
+
diff --git a/playbooks/roles/static/files/50-docs.openstack.org.conf b/playbooks/roles/static/files/50-docs.openstack.org.conf
new file mode 100755
index 0000000000..d9812d5d09
--- /dev/null
+++ b/playbooks/roles/static/files/50-docs.openstack.org.conf
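Review bot: `SSLProtocol All -SSLv2 -SSLv3` leaves TLS 1.0 and TLS 1.1 enabled on this newly created site. Unless a known client population still needs them, I would restrict the line to `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1`. The same directive appears in the developer.openstack.org, docs.openstack.org, docs.starlingx.io and zuul-ci.org files added by this patch.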
@@ -0,0 +1,43 @@
+
+ ServerName docs.openstack.org
+
+ RewriteEngine on
+ RewriteRule ^/(.*) https://docs.openstack.org/$1 [last,redirect=permanent]
+
+ ErrorLog /var/log/apache2/docs.openstack.org_error.log
+ LogLevel warn
+ CustomLog /var/log/apache2/docs.openstack.org_access.log combined
+ ServerSignature Off
+
+
+
+
+ ServerName docs.openstack.org
+
+ RewriteEngine on
+
+ SSLCertificateFile /etc/letsencrypt-certs/docs.openstack.org/docs.openstack.org.cer
+ SSLCertificateKeyFile /etc/letsencrypt-certs/docs.openstack.org/docs.openstack.org.key
+ SSLCertificateChainFile /etc/letsencrypt-certs/docs.openstack.org/ca.cer
+ SSLProtocol All -SSLv2 -SSLv3
+ # Note: this list should ensure ciphers that provide forward secrecy
+ SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+ SSLHonorCipherOrder on
+
+ DocumentRoot /afs/openstack.org/docs
+
+ Options Indexes FollowSymLinks MultiViews
+ Satisfy any
+ Require all granted
+ AllowOverride None
+ # Allow mod_rewrite rules
+ AllowOverrideList Redirect RedirectMatch
+ ErrorDocument 404 /errorpage.html
+
+
+ ErrorLog /var/log/apache2/docs.openstack.org_error.log
+ LogLevel warn
+ CustomLog /var/log/apache2/docs.openstack.org_access.log combined
+ ServerSignature Off
+
+
diff --git a/playbooks/roles/static/files/50-docs.starlingx.io.conf b/playbooks/roles/static/files/50-docs.starlingx.io.conf
new file mode 100755
index 0000000000..ba666dfe6c
--- /dev/null
+++ b/playbooks/roles/static/files/50-docs.starlingx.io.conf
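Review bot: The TLS block sets the certificate, protocol and cipher directives but has no `SSLEngine on`, whereas 50-zuul-ci.org.conf in this same patch sets it. Add `SSLEngine on` ahead of `SSLCertificateFile` so this site does not depend on another vhost's configuration for TLS. The developer.openstack.org, docs.opendev.org and docs.starlingx.io files have the same gap. The testinfra checks call `curl --insecure`, so they would likely not notice if the site answered with a different certificate.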
@@ -0,0 +1,43 @@
+
+ ServerName docs.starlingx.io
+
+ RewriteEngine on
+ RewriteRule ^/(.*) https://docs.starlingx.io/$1 [last,redirect=permanent]
+
+ ErrorLog /var/log/apache2/docs.starlingx.io_error.log
+ LogLevel warn
+ CustomLog /var/log/apache2/docs.starlingx.io_access.log combined
+ ServerSignature Off
+
+
+
+
+ ServerName docs.starlingx.io
+
+ RewriteEngine on
+
+ SSLCertificateFile /etc/letsencrypt-certs/docs.starlingx.io/docs.starlingx.io.cer
+ SSLCertificateKeyFile /etc/letsencrypt-certs/docs.starlingx.io/docs.starlingx.io.key
+ SSLCertificateChainFile /etc/letsencrypt-certs/docs.starlingx.io/ca.cer
+ SSLProtocol All -SSLv2 -SSLv3
+ # Note: this list should ensure ciphers that provide forward secrecy
+ SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+ SSLHonorCipherOrder on
+
+ DocumentRoot /afs/openstack.org/project/starlingx.io/www
+
+ Options Indexes FollowSymLinks MultiViews
+ Satisfy any
+ Require all granted
+ AllowOverride None
+ # Allow mod_rewrite rules
+ AllowOverrideList Redirect RedirectMatch
+ ErrorDocument 404 /errorpage.html
+
+
+ ErrorLog /var/log/apache2/docs.starlingx.io_error.log
+ LogLevel warn
+ CustomLog /var/log/apache2/docs.starlingx.io_access.log combined
+ ServerSignature Off
+
+
diff --git a/playbooks/roles/static/files/50-zuul-ci.org.conf b/playbooks/roles/static/files/50-zuul-ci.org.conf
new file mode 100755
index 0000000000..de195f3dcb
--- /dev/null
+++ b/playbooks/roles/static/files/50-zuul-ci.org.conf
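Review bot: The comment `# Allow mod_rewrite rules` sits above `AllowOverrideList Redirect RedirectMatch`, which permits only the mod_alias redirect directives in `.htaccess`. With `AllowOverride None` on the line before it, a `RewriteRule` in `.htaccess` is not allowed, so the comment misstates the policy. Reword it, for example `# Allow only Redirect/RedirectMatch in .htaccess`. The docs.opendev.org, docs.openstack.org and zuul-ci.org files carry the same comment; it is accurate only in the developer.openstack.org file, which uses `AllowOverride FileInfo`.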
@@ -0,0 +1,52 @@
+
+ ServerName zuul-ci.org
+ ServerAlias www.zuul-ci.org
+ ServerAlias zuulci.org
+ ServerAlias www.zuulci.org
+
+ RewriteEngine on
+ RewriteRule ^/(.*) https://zuul-ci.org/$1 [last,redirect=permanent]
+
+ ErrorLog /var/log/apache2/zuul-ci.org_error.log
+ LogLevel warn
+ CustomLog /var/log/apache2/zuul-ci.org_access.log combined
+ ServerSignature Off
+
+
+
+
+ ServerName zuul-ci.org
+ ServerAlias www.zuul-ci.org
+ ServerAlias zuulci.org
+ ServerAlias www.zuulci.org
+
+ RewriteEngine on
+
+ SSLEngine on
+ SSLProtocol All -SSLv2 -SSLv3
+ # Once the machine is using something to terminate TLS that supports ECDHE
+ # then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
+ # only is guarenteed.
+ SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+ SSLHonorCipherOrder on
+ SSLCertificateFile /etc/letsencrypt-certs/zuul-ci.org/zuul-ci.org.cer
+ SSLCertificateKeyFile /etc/letsencrypt-certs/zuul-ci.org/zuul-ci.org.key
+ SSLCertificateChainFile /etc/letsencrypt-certs/zuul-ci.org/ca.cer
+
+ DocumentRoot /afs/openstack.org/project/zuul-ci.org/www
+
+ Options Indexes FollowSymLinks MultiViews
+ Satisfy any
+ Require all granted
+ AllowOverride None
+ # Allow mod_rewrite rules
+ AllowOverrideList Redirect RedirectMatch
+ ErrorDocument 404 /errorpage.html
+
+
+ ErrorLog /var/log/apache2/zuul-ci.org_error.log
+ LogLevel warn
+ CustomLog /var/log/apache2/zuul-ci.org_access.log combined
+ ServerSignature Off
+
+
diff --git a/playbooks/roles/static/tasks/main.yaml b/playbooks/roles/static/tasks/main.yaml
index 15d9d8023e..5263d312b9 100644
--- a/playbooks/roles/static/tasks/main.yaml
+++ b/playbooks/roles/static/tasks/main.yaml
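Review bot: The `SSLCipherSuite` line still lists `RSA+AESGCM:RSA+AES`, which give no forward secrecy, and the comment above it describes removing them as future work "once the machine" supports ECDHE. This file is new on this host, and the other four site files in the patch already use the suite string without the RSA entries. If static01's Apache supports ECDHE, which the sibling files suggest, use the same string here and replace the comment with the one they carry, `# Note: this list should ensure ciphers that provide forward secrecy`. If the RSA suites are kept on purpose, say why in the comment and fix the spelling of "guarenteed".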
@@ -59,6 +59,10 @@ include_tasks: enable_site.yaml loop: - 00-static.opendev.org + - 50-developer.openstack.org + - 50-docs.opendev.org + - 50-docs.openstack.org + - 50-docs.starlingx.io - 50-governance.openstack.org - 50-security.openstack.org - 50-service-types.openstack.org @@ -66,3 +70,4 @@ - 50-releases.openstack.org - 50-tarballs.opendev.org - 50-tarballs.openstack.org + - 50-zuul-ci.org diff --git a/testinfra/test_static.py b/testinfra/test_static.py index 243206c491..b3029bf59c 100644 --- a/testinfra/test_static.py +++ b/testinfra/test_static.py @@ -12,6 +12,7 @@ # License for the specific language governing permissions and limitations # under the License. +import pytest testinfra_hosts = ['static01.opendev.org'] 
@@ -71,3 +72,45 @@ def test_releases_openstack_org(host):
 '--resolve releases.openstack.org:443:127.0.0.1 '
 'https://releases.openstack.org')
 assert 'OpenStack Releases: OpenStack Releases' in cmd.stdout
+
+def test_developer_openstack_org(host):
+ cmd = host.run('curl --insecure '
+ '--resolve developer.openstack.org:443:127.0.0.1 '
+ 'https://developer.openstack.org')
+ assert 'OpenStack Docs: Application Development' in cmd.stdout
+
+def test_docs_openstack_org(host):
+ cmd = host.run('curl --insecure '
+ '--resolve docs.openstack.org:443:127.0.0.1 '
+ 'https://docs.openstack.org')
+ # links to the latest, make sure it redirected us
+ assert '301 Moved Permanently' in cmd.stdout
+
+def test_docs_opendev_org(host):
+ cmd = host.run('curl --insecure '
+ '--resolve docs.opendev.org:443:127.0.0.1 '
+ 'https://docs.opendev.org')
+ assert 'Index of /' in cmd.stdout
+
+def test_docs_starlingx_io(host):
+ cmd = host.run('curl --insecure '
+ '--resolve docs.starlingx.io:443:127.0.0.1 '
+ 'https://docs.starlingx.io')
+ # links to the latest, make sure it redirected us
+ assert 'StarlingX Docs: Welcome to the StarlingX Documentation' \
+ in cmd.stdout
+
+zuul_names = (
+ 'zuul-ci.org',
+ 'www.zuul-ci.org',
+ 'zuulci.org',
+ 'www.zuulci.org',
+)
+
+@pytest.mark.parametrize("name", zuul_names)
+def test_docs_openstack_org(host, name):
+
+ cmd = host.run('curl --insecure '
+ '--resolve %s:443:127.0.0.1 https://%s/ ' %
+ (name, name))
+ assert 'Zuul is an open source CI tool' in cmd.stdout
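Review bot: The parametrized test at the end of the hunk is named `test_docs_openstack_org`, the same name as the docs.openstack.org test added earlier in this hunk. The later definition replaces the earlier one when the module is imported, so pytest never runs the `301 Moved Permanently` check. Rename it to match what it tests, e.g. `def test_zuul_ci_org(host, name):`. The comment `# links to the latest, make sure it redirected us` in `test_docs_starlingx_io` also looks copied from the docs.openstack.org test, since that assertion checks page text rather than a redirect.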