Andrew Bogott has submitted this change and it was merged. ( 
https://gerrit.wikimedia.org/r/331638 )

Change subject: Use LE for wikitech
......................................................................


Use LE for wikitech

Bug: T154913
Change-Id: I325ab9c1f2a56e42f1460435958d27445f5a1a6b
---
D files/ssl/labtestwikitech.wikimedia.org.crt
D files/ssl/wikitech.wikimedia.org.crt
M hieradata/regex.yaml
M modules/openstack/manifests/openstack_manager.pp
M modules/openstack/templates/common/wikitech.wikimedia.org.erb
M modules/role/manifests/labs/openstack/nova/manager.pp
6 files changed, 9 insertions(+), 92 deletions(-)

Approvals:
  Andrew Bogott: Looks good to me, approved
  jenkins-bot: Verified
  Dzahn: Looks good to me, but someone else must approve



diff --git a/files/ssl/labtestwikitech.wikimedia.org.crt 
b/files/ssl/labtestwikitech.wikimedia.org.crt
deleted file mode 100644
index f6adbbd..0000000
--- a/files/ssl/labtestwikitech.wikimedia.org.crt
+++ /dev/null
@@ -1,34 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIF1jCCA74CCQDKK3TuPMyhMzANBgkqhkiG9w0BAQsFADCBrDELMAkGA1UEBhMC
-VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28x
-HTAbBgNVBAoMFFdpa2ltZWRpYSBGb3VuZGF0aW9uMRMwEQYDVQQLDApPcGVyYXRp
-b25zMRYwFAYDVQQDDA1BbmRyZXcgQm9nb3R0MSQwIgYJKoZIhvcNAQkBFhVhYm9n
-b3R0QHdpa2ltZWRpYS5vcmcwHhcNMTYwMTE2MTQwNTIzWhcNMTcwMTE1MTQwNTIz
-WjCBrDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM
-DVNhbiBGcmFuY2lzY28xHTAbBgNVBAoMFFdpa2ltZWRpYSBGb3VuZGF0aW9uMRMw
-EQYDVQQLDApPcGVyYXRpb25zMRYwFAYDVQQDDA1BbmRyZXcgQm9nb3R0MSQwIgYJ
-KoZIhvcNAQkBFhVhYm9nb3R0QHdpa2ltZWRpYS5vcmcwggIiMA0GCSqGSIb3DQEB
-AQUAA4ICDwAwggIKAoICAQDMOc5OH9PRGSM5AKVL6F7hyNCRYJduvFva367/yAyc
-ImCPzyU8yMu/O82LQgLFR8fQS/AEnTSZT0ihIj85PJ+FHRf+gdmqmjOHr7b2bsHm
-kb77pkWNvLxkbEM4lJWq+8t5juEGf5d3hf7lIkSjISLz3aI9rQYYWYR2oEi1L9Tg
-cRfYQGJ3Zt8Npoi9Rq2JYIyKem+4+akIkvNxDIgxCi3w43U67rQuin39T9WAyhuk
-9xBZ74ACtvBBLguavpRIm2zAwm2G/uAacoYpmTB5yDmGTEnemLnc1q8Ko76T9+V2
-LrZ763LfuhsNcJZ3xXKPznqIV0LVtRco3UkuGnecs2MtMzPu4faf3qAyVGes5oae
-EiHrP7FQgLiT9YDsPL+7lXUyyKrke3QKkVj2hZJfDg4E1PUrhccwAPLih2Sqjl2y
-DuNRq8ldJdXZ3GWmnru+H7UyXd+L07utajAz857No7sBEBSDxHJMqyGmzy9x10PK
-itPpAE39u/4hJUHQhTz2S7Ujmo+X+iEeYNp48FapARMjIcoM9h8ayojxu7cEH5GA
-EL/NITu1LZW6269KFLTYagXP/pZuQCUrLoIKjPoo0S+EgER9g6HaFb/srecZWaZe
-/uEbBAffFjFwFQfxOC//WlyZA8Gz2k+DZ3isDWAJj9rczCN0hAeGALb8nrmiaGpD
-dQIDAQABMA0GCSqGSIb3DQEBCwUAA4ICAQC51UH5CP76zYABj2PyZGCzLLBXDZQ1
-AW1b06McCixV8Igr3VZKQYL70Wysc9j3/iKtTVAm1grcgnPGXfB8t0hl5OZd5UVg
-/fJCN2DOBfwzLWa/7ApAILDra6ydPVbhM0+f+piqFi9wWShyC2Hi+Ew5CyhHj0P9
-V3BCqIqYQvlBex6jtHgE+FvWQC1p3TEYZ4VeM7FCBZWzVG5NWMfgZMwEnFfTUAMC
-F0ZB90FD8/EG+8SGMFqwZ3Ulk+2gt/aH4tYCbaaMJ52hemefeFx5UMRBYoXAkVEQ
-IRzKIjksLdzgoQMgQ8xfF9vOhmG5zK2RIbs/ZtqpDVr0OATmuONvR5+v/746/DMX
-dyaKPcLziM25TtOtZHCB9Uvt/yJkNzRrSDpQ8RI+Ec5p/H6QcO+58bZWg4/V/hqA
-7YX53SEQ/vMPEy7REcOrMpQPiQ/qALvolIHL+Uf6jqiBj3C7tM5HO2S6OXDDWgaN
-NPwqj6IkSzeh6THuUlsawb8XuYYzdzie0QzXUJTsUqxgSmmF0k2VVLeW6iAx9ehv
-7KMy6oauTbYoP/vx6eSYgZ/Mk73ip5JGu3T6A63+uucO6uWIEgD0+rVegIsL12TB
-mdFtZIGoCevVLLkKX4Ps4AvW3HKXRsZBKndrS2vMDimTjgVxVl5v2AV5lGHmMUJI
-Sy236b+rdcO+Gg==
------END CERTIFICATE-----
diff --git a/files/ssl/wikitech.wikimedia.org.crt 
b/files/ssl/wikitech.wikimedia.org.crt
deleted file mode 100644
index 10abaa1..0000000
--- a/files/ssl/wikitech.wikimedia.org.crt
+++ /dev/null
@@ -1,31 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFTzCCBDegAwIBAgISESHOsj6ApadNbvj3xLyEHmFzMA0GCSqGSIb3DQEBCwUA
-MGYxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMTwwOgYD
-VQQDEzNHbG9iYWxTaWduIE9yZ2FuaXphdGlvbiBWYWxpZGF0aW9uIENBIC0gU0hB
-MjU2IC0gRzIwHhcNMTUxMjExMjAyMTExWhcNMTcwMjI0MDQ0NDEzWjCBgDELMAkG
-A1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBGcmFu
-Y2lzY28xIzAhBgNVBAoTGldpa2ltZWRpYSBGb3VuZGF0aW9uLCBJbmMuMR8wHQYD
-VQQDExZ3aWtpdGVjaC53aWtpbWVkaWEub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOC
-AQ8AMIIBCgKCAQEAtdROlVzflJGw1k+RxVu7HHG8QSpiPLqbardSkB63aVxlHKN7
-26K5sSS2SLYuju4a3nEIErkZBXtAMGfBlBJVFZ4/UZgD4vjaAP5HiPpUKMx4xHz/
-2OOrqF68PXc2+yTTOkEMeniH4XPRmmY/GzIIpmDRzVzlRsVBtEdqvfoyCyeC8zTb
-n+bHd6lFGK0R3sRDBO7soJXd58svcBijI1mXpDo3WT4q9O3QDfvoGZO1xK/7Jz8m
-Yk2vYt5zG+dFvqjN62fQxD8JFNdargrgfkoZxiBmskii03e6+ymxoNdQUc0T8CkZ
-l8D3IeRXb8bsXcG8O+QFiZne+yNc0kL/xwcb0wIDAQABo4IB2jCCAdYwDgYDVR0P
-AQH/BAQDAgWgMEkGA1UdIARCMEAwPgYGZ4EMAQICMDQwMgYIKwYBBQUHAgEWJmh0
-dHBzOi8vd3d3Lmdsb2JhbHNpZ24uY29tL3JlcG9zaXRvcnkvMCEGA1UdEQQaMBiC
-Fndpa2l0ZWNoLndpa2ltZWRpYS5vcmcwCQYDVR0TBAIwADAdBgNVHSUEFjAUBggr
-BgEFBQcDAQYIKwYBBQUHAwIwSQYDVR0fBEIwQDA+oDygOoY4aHR0cDovL2NybC5n
-bG9iYWxzaWduLmNvbS9ncy9nc29yZ2FuaXphdGlvbnZhbHNoYTJnMi5jcmwwgaAG
-CCsGAQUFBwEBBIGTMIGQME0GCCsGAQUFBzAChkFodHRwOi8vc2VjdXJlLmdsb2Jh
-bHNpZ24uY29tL2NhY2VydC9nc29yZ2FuaXphdGlvbnZhbHNoYTJnMnIxLmNydDA/
-BggrBgEFBQcwAYYzaHR0cDovL29jc3AyLmdsb2JhbHNpZ24uY29tL2dzb3JnYW5p
-emF0aW9udmFsc2hhMmcyMB0GA1UdDgQWBBT0xfeMunJJ2IWrUAelaPocSGrN6jAf
-BgNVHSMEGDAWgBSW3mHxvRwWKVMcwMx9O4MAQOYafDANBgkqhkiG9w0BAQsFAAOC
-AQEAMF6mlBiBOfOirbVejNcaOcwxLTBEc/WTFTvk3KDs1369sWWBrvkWebkJNRic
-DJ6PAloCwyC7qZUfbYC4g1UWVo0UrFdGOpwK7HcLWzZB6CLpAX+q3lRs8BowAExI
-ShT3WdlkG24jdGIKtCYlRAYIxCnayba5Ad/FSaiOXXzIjC998UAMaSST20ONfsEl
-mAIbgK33bI69rem7Br977Bj4nFZ4JSsqMJS7GSvmedtF7XtGCFNE0pTh+DEs6lym
-iWdS14/ywS15gDEeTsKAfHYzLpc6lawYnm05a7b+a6uuqEBtPZU4XIp3oShTUjtd
-eTtgOQNq1NXcwSKTzYAc6qFQxg==
------END CERTIFICATE-----
diff --git a/hieradata/regex.yaml b/hieradata/regex.yaml
index 531accb..a72204a 100644
--- a/hieradata/regex.yaml
+++ b/hieradata/regex.yaml
@@ -467,7 +467,6 @@
   labs_glance_controller: &labsglancecontroller 
"labtestcontrol2001.wikimedia.org"
   labs_puppet_master: &labspuppetmaster "labtestcontrol2001.wikimedia.org"
   labs_keystone_host: &labskeystonehost "labtestcontrol2001.wikimedia.org"
-  wikitech_use_letsencrypt: true
   wikitech_db_name: 'labtestwiki'
   labsldapconfig:
     hostname: labtestservices2001.wikimedia.org
diff --git a/modules/openstack/manifests/openstack_manager.pp 
b/modules/openstack/manifests/openstack_manager.pp
index e1c32ce..aca4a05 100644
--- a/modules/openstack/manifests/openstack_manager.pp
+++ b/modules/openstack/manifests/openstack_manager.pp
@@ -59,10 +59,6 @@
         'wikitech.wikimedia.org'        => '208.80.154.136',
         'labtestwikitech.wikimedia.org' => '208.80.153.14'
     }
-    $labtest = $webserver_hostname ? {
-        'wikitech.wikimedia.org'        => false,
-        'labtestwikitech.wikimedia.org' => true
-    }
     apache::site { $webserver_hostname:
         content => template('openstack/common/wikitech.wikimedia.org.erb'),
     }
diff --git a/modules/openstack/templates/common/wikitech.wikimedia.org.erb 
b/modules/openstack/templates/common/wikitech.wikimedia.org.erb
index 29dfec1..56a01a9 100644
--- a/modules/openstack/templates/common/wikitech.wikimedia.org.erb
+++ b/modules/openstack/templates/common/wikitech.wikimedia.org.erb
@@ -31,10 +31,8 @@
 
     RewriteEngine on
     RewriteCond %{SERVER_PORT} !^443$
-<% if @labtest -%>
     Include /etc/acme/challenge-apache.conf
     RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
-<% end -%>
     RewriteRule ^/(.*)$ https://<%= @webserver_hostname %>/$1 [L,R=301]
 
     ErrorLog /var/log/apache2/error.log
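Review bot: The `Include /etc/acme/challenge-apache.conf` line now sits unconditionally between `RewriteCond %{SERVER_PORT} !^443$` and the `RewriteRule` that condition is meant to guard. A RewriteCond binds to the next RewriteRule Apache parses, so if the included file ever carries a RewriteRule of its own (its contents are not visible here), the port condition would attach to that rule and the HTTPS redirect would lose it. Placing the include first and keeping both `RewriteCond` lines directly above the `RewriteRule` removes that dependency on the included file's contents. The enclosing VirtualHost starts and ends outside this hunk.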
@@ -56,15 +54,9 @@
 
     RewriteEngine on
     SSLEngine on
-<% if @labtest -%>
     SSLCertificateFile /etc/acme/cert/<%= @certificate %>.crt
     SSLCertificateChainFile /etc/acme/cert/<%= @certificate %>.chain.crt
     SSLCertificateKeyFile /etc/acme/key/<%= @certificate %>.key
-<% else -%>
-    SSLCertificateFile /etc/ssl/localcerts/<%= @certificate %>.crt
-    SSLCertificateChainFile /etc/ssl/localcerts/<%= @certificate %>.chain.crt
-    SSLCertificateKeyFile /etc/ssl/private/<%= @certificate %>.key
-<% end -%>
     <%= @ssl_settings.join("\n") %>
 
     RedirectMatch ^/$ https://<%= @webserver_hostname %>/wiki/
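Review bot: With the `/etc/ssl/localcerts` branch removed, the production TLS vhost has no fallback and depends entirely on the three files under `/etc/acme/` existing when Apache loads this config. Apache refuses to start when `SSLCertificateFile` or `SSLCertificateKeyFile` points at a missing file, and nothing visible in this template or hunk shows that the certificate is in place before the site is (re)loaded. It would help to confirm that the ACME resource provides a usable certificate before the first reload. A comment above the three directives would also help, such as `# cert, chain and key are written by letsencrypt::cert::integrated; name is the first label of the site hostname`. `SSLCertificateChainFile` is also obsolete from Apache 2.4.8 onward, so the chain could later be folded into `SSLCertificateFile`.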
diff --git a/modules/role/manifests/labs/openstack/nova/manager.pp 
b/modules/role/manifests/labs/openstack/nova/manager.pp
index ed0647e..22fccf2 100644
--- a/modules/role/manifests/labs/openstack/nova/manager.pp
+++ b/modules/role/manifests/labs/openstack/nova/manager.pp
@@ -13,24 +13,19 @@
     $novaconfig = $role::labs::openstack::nova::common::novaconfig
 
     $sitename = hiera('labs_osm_host')
-    if hiera('wikitech_use_letsencrypt', false) {
-        $sitename_split = split($sitename, '\.')
-        $certificate = $sitename_split[0]
-        letsencrypt::cert::integrated { $certificate:
-            subjects   => $sitename,
-            puppet_svc => 'apache2',
-            system_svc => 'apache2',
-        }
-        $cert_type = '_letsencrypt'
-    } else {
-        $certificate = $sitename
-        sslcert::certificate { $sitename: }
-        $cert_type = ''
+    $sitename_split = split($sitename, '\.')
+    $certificate = $sitename_split[0]
+    letsencrypt::cert::integrated { $certificate:
+        subjects   => $sitename,
+        puppet_svc => 'apache2',
+        system_svc => 'apache2',
     }
+
+    sslcert::certificate { $sitename: ensure => absent }
 
     monitoring::service { 'https':
         description   => 'HTTPS',
-        check_command => "check_ssl_http${cert_type}!${sitename}",
+        check_command => "check_ssl_http_letsencrypt!${sitename}",
     }
 
     $ssl_settings = ssl_ciphersuite('apache', 'compat', true)
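Review bot: The added `sslcert::certificate { $sitename: ensure => absent }` is transitional cleanup, but nothing marks it as such or says when it can be deleted. A comment would help, such as `# Remove the previously deployed sslcert certificate from disk; drop this resource once it has been applied on all wikitech hosts`. Whether `ensure => absent` also removes the matching private key under `/etc/ssl/private` is not visible here and is worth confirming, so that the retired key does not linger on the host while the old certificate is still within its validity period. The derivation `$certificate = $sitename_split[0]` also deserves a short comment explaining that the ACME certificate is named after the first hostname label, because the template's `/etc/acme/...` paths depend on it. The enclosing class starts and ends outside this hunk.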

-- 
To view, visit https://gerrit.wikimedia.org/r/331638

Gerrit-MessageType: merged
Gerrit-Change-Id: I325ab9c1f2a56e42f1460435958d27445f5a1a6b
Gerrit-PatchSet: 4
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Alex Monk <kren...@gmail.com>
Gerrit-Reviewer: Andrew Bogott <abog...@wikimedia.org>
Gerrit-Reviewer: BBlack <bbl...@wikimedia.org>
Gerrit-Reviewer: Dzahn <dz...@wikimedia.org>
Gerrit-Reviewer: Ema <e...@wikimedia.org>
Gerrit-Reviewer: RobH <r...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>
