Merge "Use LE certs for Apache"

playbooks/host_vars/review-dev01.opendev.org.yaml

@@ -9,5 +9,4 @@ letsencrypt_certs:
 letsencrypt_gid: 3001
 gerrit_storyboard_url: https://storyboard-dev.openstack.org
 gerrit_vhost_name: review-dev.opendev.org
-gerrit_ssl_cert_file: /etc/letsencrypt-certs/review-dev.opendev.org/review-dev.opendev.org.cer
-gerrit_ssl_key_file: /etc/letsencrypt-certs/review-dev.opendev.org/review-dev.opendev.org.key
+gerrit_redirect_vhost: review-dev.openstack.org

playbooks/host_vars/review01.opendev.org.yaml

@@ -72,6 +72,7 @@ gerrit_replication:
     mirror: true
 gerrit_storyboard_url: https://storyboard.openstack.org
 gerrit_vhost_name: review.opendev.org
+gerrit_redirect_vhost: review.openstack.org
 letsencrypt_certs:
   review01-opendev-org-main:
     - review.opendev.org

playbooks/roles/gerrit/tasks/main.yaml

@@ -256,6 +256,16 @@
     mode: 0644
   notify: gerrit Reload apache2
 
+- name: Copy redirect config
+  template:
+    src: redirect.vhost.j2
+    dest: "/etc/apache2/sites-enabled/010-{{ gerrit_redirect_vhost }}.conf"
+    owner: root
+    group: root
+    mode: 0644
+  when: gerrit_redirect_vhost is defined
+  notify: gerrit Reload apache2
+
 - name: Install podman-compose
   pip:
     name: podman-compose

playbooks/roles/gerrit/templates/gerrit.vhost.j2

@@ -31,11 +31,9 @@
   SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
   SSLHonorCipherOrder on
 
-  SSLCertificateFile      {{ gerrit_ssl_cert_file }}
-  SSLCertificateKeyFile   {{ gerrit_ssl_key_file }}
-{% if gerrit_ssl_chain_file is defined %}
-  SSLCertificateChainFile {{ gerrit_ssl_chain_file }}
-{% endif %}
+  SSLCertificateFile /etc/letsencrypt-certs/{{ gerrit_vhost_name }}/{{ gerrit_vhost_name }}.cer
+  SSLCertificateKeyFile /etc/letsencrypt-certs/{{ gerrit_vhost_name }}/{{ gerrit_vhost_name }}.key
+  SSLCertificateChainFile /etc/letsencrypt-certs/{{ gerrit_vhost_name }}/ca.cer
 
   <FilesMatch "\.(cgi|shtml|phtml|php)$">
       SSLOptions +StdEnvVars

playbooks/roles/gerrit/templates/redirect.vhost.j2

@@ -0,0 +1,37 @@
+# ************************************
+# Managed by Ansible
+# ************************************
+
+<VirtualHost *:80>
+  ServerName {{ gerrit_redirect_vhost }}
+
+  LogLevel warn
+  ErrorLog /var/log/apache2/{{ gerrit_redirect_vhost }}_error.log
+  CustomLog /var/log/apache2/{{ gerrit_redirect_vhost }}_access.log combined
+  ServerSignature Off
+
+  Redirect / https://{{ gerrit_vhost_name }}/
+</VirtualHost>
+
+<IfModule mod_ssl.c>
+<VirtualHost *:443>
+  ServerName {{ gerrit_redirect_vhost }}
+
+  SSLEngine on
+  SSLProtocol All -SSLv2 -SSLv3
+  # Note: this list should ensure ciphers that provide forward secrecy
+  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+  SSLHonorCipherOrder on
+
+  SSLCertificateFile /etc/letsencrypt-certs/{{ gerrit_vhost_name }}/{{ gerrit_vhost_name }}.cer
+  SSLCertificateKeyFile /etc/letsencrypt-certs/{{ gerrit_vhost_name }}/{{ gerrit_vhost_name }}.key
+  SSLCertificateChainFile /etc/letsencrypt-certs/{{ gerrit_vhost_name }}/ca.cer
+
+  LogLevel warn
+  ErrorLog /var/log/apache2/{{ gerrit_redirect_vhost }}_error.log
+  CustomLog /var/log/apache2/{{ gerrit_redirect_vhost }}_access.log combined
+  ServerSignature Off
+
+  Redirect / https://{{ gerrit_vhost_name }}/
+</VirtualHost>
+</IfModule>

playbooks/zuul/run-base.yaml

@@ -92,7 +92,6 @@
         - host_vars/mirror-update01.opendev.org.yaml
         - host_vars/backup-test01.opendev.org.yaml
         - host_vars/backup-test02.opendev.org.yaml
-        - host_vars/review01.opendev.org.yaml
     - name: Display group membership
       command: ansible localhost -m debug -a 'var=groups'
     - name: Run base.yaml

playbooks/zuul/templates/host_vars/review01.opendev.org.yaml.j2

@@ -1,3 +0,0 @@
-# TODO(mordred) Replace this with LE certs
-gerrit_ssl_cert_file: '/etc/ssl/certs/ssl-cert-snakeoil.pem'
-gerrit_ssl_key_file: '/etc/ssl/private/ssl-cert-snakeoil.key'