Prepare for moving Ipsilon to openshift in prod

Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
2019-05-09 16:51:35 +02:00 · 2019-05-09 16:51:35 +02:00 · 354d53c8c2
commit 354d53c8c2
parent 06a40af89f
4 changed files with 16 additions and 113 deletions
--- a/playbooks/include/proxies-reverseproxy.yml
+++ b/playbooks/include/proxies-reverseproxy.yml
@ -158,78 +158,41 @@
    localpath: /accounts
    proxyurl: http://localhost:10004

-  # Ipsilon is odd here -- it has an entry for both stg and prod.
  - role: httpd/reverseproxy
-    website: id.stg.fedoraproject.org
-    destname: os-id
-    balancer_name: app-os
-    targettype: openshift
-    keephost: true
-    tags:
-    - id.fedoraproject.org
-    when: env == "staging"
-
-  - role: httpd/reverseproxy
-    website: username.id.stg.fedoraproject.org
-    destname: os-usernameid
-    balancer_name: app-os
-    targettype: openshift
-    keephost: true
-    tags:
-    - id.fedoraproject.org
-    when: env == "staging"
-
-  - role: httpd/reverseproxy
-    website: id.stg.fedoraproject.org
-    destname: 00-kdcproxy
-    remotepath: /KdcProxy
-    localpath: /KdcProxy
-    proxyurl: http://localhost:10053
-    tags:
-    - id.fedoraproject.org
-    when: env == "staging"
-
-  - role: httpd/reverseproxy
-    website: id.stg.fedoraproject.org
-    destname: 00-ipa
-    remotepath: /ipa
-    localpath: /ipa
-    proxyurl: http://localhost:10061
-    tags:
-    - id.fedoraproject.org
-    when: env == "staging"
-
-  - role: httpd/reverseproxy
-    website: id.fedoraproject.org
+    website: "id{{ env_suffix }}.fedoraproject.org"
    destname: id
-    proxyurl: http://localhost:10020
+    balancer_name: app-os
+    targettype: openshift
+    keephost: true
    tags:
    - id.fedoraproject.org
-    when: env != "staging"

  - role: httpd/reverseproxy
-    website: username.id.fedoraproject.org
+    website: "username.id{{ env_suffix }}.fedoraproject.org"
    destname: usernameid
-    proxyurl: http://localhost:10020
+    balancer_name: app-os
+    targettype: openshift
+    keephost: true
    tags:
    - id.fedoraproject.org
-    when: env != "staging"

  - role: httpd/reverseproxy
-    website: id.fedoraproject.org
+    website: "id{{ env_suffix }}.fedoraproject.org"
    destname: 00-kdcproxy
    remotepath: /KdcProxy
    localpath: /KdcProxy
    proxyurl: http://localhost:10053
-    when: env != "staging"
+    tags:
+    - id.fedoraproject.org

  - role: httpd/reverseproxy
-    website: id.fedoraproject.org
+    website: "id{{ env_suffix }}.fedoraproject.org"
    destname: 00-ipa
    remotepath: /ipa
    localpath: /ipa
    proxyurl: http://localhost:10061
-    when: env != "staging"
+    tags:
+    - id.fedoraproject.org

  - role: httpd/reverseproxy
    website: apps.fedoraproject.org
--- a/playbooks/include/proxies-websites.yml
+++ b/playbooks/include/proxies-websites.yml
@ -703,14 +703,12 @@
    cert_name: wildcard-2017.fedorahosted.org

  - role: httpd/website
-    site_name: id.fedoraproject.org
+    site_name: "id{{ env_suffix }}.fedoraproject.org"
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"
-    SSLCertificateChainFile: wildcard-2017.fedoraproject.org.intermediate.cert
    stssubdomains: false
    tags:
    - id.fedoraproject.org
-    when: env == "production"

  - role: httpd/website
    site_name: username.id.fedoraproject.org
@ -725,21 +723,13 @@
    - id.fedoraproject.org
    when: env == "production"

-  - role: httpd/website
-    site_name: id.stg.fedoraproject.org
-    cert_name: "{{wildcard_cert_name}}"
-    SSLCertificateChainFile: wildcard-2017.stg.fedoraproject.org.intermediate.cert
-    sslonly: true
-    tags:
-    - id.fedoraproject.org
-    when: env == "staging"
-
  - role: httpd/website
    site_name: username.id.stg.fedoraproject.org
    server_aliases:
    - "*.id.stg.fedoraproject.org"
    # Must not be sslonly, because example.id.fedoraproject.org must be reachable
    # via plain http for openid identity support
+    sslonly: false
    cert_name: "{{wildcard_cert_name}}"
    SSLCertificateChainFile: wildcard-2017.stg.fedoraproject.org.intermediate.cert
    tags:
--- a/roles/httpd/reverseproxy/templates/reversepassproxy.id.conf
+++ b/roles/httpd/reverseproxy/templates/reversepassproxy.id.conf
@ -1,25 +0,0 @@
-RequestHeader unset Expect early
-RequestHeader set X-Forwarded-Scheme https early
-RequestHeader set X-Forwarded-Proto https early
-
-# Cannot redirect to HTTPS for *.id.fedoraproject.org or set 
-# "includeSubdomains", because relying parties need to be able to access 
-# username.id.fedoraproject.org via plain HTTP 
-Header always add Strict-Transport-Security "max-age=31536000; preload"
-
-RewriteEngine on
-
-RewriteRule ^(.+) - [PT]
-
-<Location /login>
-    # required for rewrite rule
-    Options +SymLinksIfOwnerMatch
-    RewriteEngine on
-    RewriteCond %{HTTPS} off
-    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
-</Location>
-
-
-ProxyPass {{localpath}} {{proxyurl}}{{remotepath}}
-ProxyPassReverse {{localpath}} {{proxyurl}}{{remotepath}}
-
--- a/roles/httpd/reverseproxy/templates/reversepassproxy.usernameid.conf
+++ b/roles/httpd/reverseproxy/templates/reversepassproxy.usernameid.conf
@ -1,25 +0,0 @@
-RequestHeader unset Expect early
-RequestHeader set X-Forwarded-Scheme https early
-RequestHeader set X-Forwarded-Proto https early
-
-# Cannot redirect to HTTPS for *.id.fedoraproject.org or set 
-# "includeSubdomains", because relying parties need to be able to access 
-# username.id.fedoraproject.org via plain HTTP 
-
-RewriteEngine on
-
-RewriteMap lowercase int:tolower
-
-{% if env == "staging" %}
-RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9-]+\.id\.stg\.fedoraproject\.org$
-{% else %}
-RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9-]+\.id\.fedoraproject\.org$
-{% endif %}
-
-RewriteRule ^(.+) ${lowercase:%{SERVER_NAME}}$1 [C]
-
-{% if env == "staging" %}
-RewriteRule ^([a-z0-9-]+)\.id\.stg\.fedoraproject\.org/.* {{proxyurl}}/openid/id/$1/ [P,L]
-{% else %}
-RewriteRule ^([a-z0-9-]+)\.id\.fedoraproject\.org/.* {{proxyurl}}/openid/id/$1/ [P]
-{% endif %}