Prepare for moving Ipsilon to openshift in prod

Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>

playbooks/include/proxies-reverseproxy.yml

@@ -158,78 +158,41 @@
     localpath: /accounts
     proxyurl: http://localhost:10004
 
-  # Ipsilon is odd here -- it has an entry for both stg and prod.
   - role: httpd/reverseproxy
-    website: id.stg.fedoraproject.org
+    website: "id{{ env_suffix }}.fedoraproject.org"
-    destname: os-id
-    balancer_name: app-os
-    targettype: openshift
-    keephost: true
-    tags:
-    - id.fedoraproject.org
-    when: env == "staging"
-
-  - role: httpd/reverseproxy
-    website: username.id.stg.fedoraproject.org
-    destname: os-usernameid
-    balancer_name: app-os
-    targettype: openshift
-    keephost: true
-    tags:
-    - id.fedoraproject.org
-    when: env == "staging"
-
-  - role: httpd/reverseproxy
-    website: id.stg.fedoraproject.org
-    destname: 00-kdcproxy
-    remotepath: /KdcProxy
-    localpath: /KdcProxy
-    proxyurl: http://localhost:10053
-    tags:
-    - id.fedoraproject.org
-    when: env == "staging"
-
-  - role: httpd/reverseproxy
-    website: id.stg.fedoraproject.org
-    destname: 00-ipa
-    remotepath: /ipa
-    localpath: /ipa
-    proxyurl: http://localhost:10061
-    tags:
-    - id.fedoraproject.org
-    when: env == "staging"
-
-  - role: httpd/reverseproxy
-    website: id.fedoraproject.org
     destname: id
-    proxyurl: http://localhost:10020
+    balancer_name: app-os
+    targettype: openshift
+    keephost: true
     tags:
     - id.fedoraproject.org
-    when: env != "staging"
 
   - role: httpd/reverseproxy
-    website: username.id.fedoraproject.org
+    website: "username.id{{ env_suffix }}.fedoraproject.org"
     destname: usernameid
-    proxyurl: http://localhost:10020
+    balancer_name: app-os
+    targettype: openshift
+    keephost: true
     tags:
     - id.fedoraproject.org
-    when: env != "staging"
 
   - role: httpd/reverseproxy
-    website: id.fedoraproject.org
+    website: "id{{ env_suffix }}.fedoraproject.org"
     destname: 00-kdcproxy
     remotepath: /KdcProxy
     localpath: /KdcProxy
     proxyurl: http://localhost:10053
-    when: env != "staging"
+    tags:
+    - id.fedoraproject.org
 
   - role: httpd/reverseproxy
-    website: id.fedoraproject.org
+    website: "id{{ env_suffix }}.fedoraproject.org"
     destname: 00-ipa
     remotepath: /ipa
     localpath: /ipa
     proxyurl: http://localhost:10061
-    when: env != "staging"
+    tags:
+    - id.fedoraproject.org
 
   - role: httpd/reverseproxy
     website: apps.fedoraproject.org

playbooks/include/proxies-websites.yml

@@ -703,14 +703,12 @@
     cert_name: wildcard-2017.fedorahosted.org
 
   - role: httpd/website
-    site_name: id.fedoraproject.org
+    site_name: "id{{ env_suffix }}.fedoraproject.org"
     sslonly: true
     cert_name: "{{wildcard_cert_name}}"
-    SSLCertificateChainFile: wildcard-2017.fedoraproject.org.intermediate.cert
     stssubdomains: false
     tags:
     - id.fedoraproject.org
-    when: env == "production"
 
   - role: httpd/website
     site_name: username.id.fedoraproject.org
@@ -725,21 +723,13 @@
     - id.fedoraproject.org
     when: env == "production"
 
-  - role: httpd/website
-    site_name: id.stg.fedoraproject.org
-    cert_name: "{{wildcard_cert_name}}"
-    SSLCertificateChainFile: wildcard-2017.stg.fedoraproject.org.intermediate.cert
-    sslonly: true
-    tags:
-    - id.fedoraproject.org
-    when: env == "staging"
-
   - role: httpd/website
     site_name: username.id.stg.fedoraproject.org
     server_aliases:
     - "*.id.stg.fedoraproject.org"
     # Must not be sslonly, because example.id.fedoraproject.org must be reachable
     # via plain http for openid identity support
+    sslonly: false
     cert_name: "{{wildcard_cert_name}}"
     SSLCertificateChainFile: wildcard-2017.stg.fedoraproject.org.intermediate.cert
     tags:

roles/httpd/reverseproxy/templates/reversepassproxy.id.conf

@@ -1,25 +0,0 @@
-RequestHeader unset Expect early
-RequestHeader set X-Forwarded-Scheme https early
-RequestHeader set X-Forwarded-Proto https early
-
-# Cannot redirect to HTTPS for *.id.fedoraproject.org or set 
-# "includeSubdomains", because relying parties need to be able to access 
-# username.id.fedoraproject.org via plain HTTP 
-Header always add Strict-Transport-Security "max-age=31536000; preload"
-
-RewriteEngine on
-
-RewriteRule ^(.+) - [PT]
-
-<Location /login>
-    # required for rewrite rule
-    Options +SymLinksIfOwnerMatch
-    RewriteEngine on
-    RewriteCond %{HTTPS} off
-    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
-</Location>
-
-
-ProxyPass {{localpath}} {{proxyurl}}{{remotepath}}
-ProxyPassReverse {{localpath}} {{proxyurl}}{{remotepath}}
-

roles/httpd/reverseproxy/templates/reversepassproxy.usernameid.conf

@@ -1,25 +0,0 @@
-RequestHeader unset Expect early
-RequestHeader set X-Forwarded-Scheme https early
-RequestHeader set X-Forwarded-Proto https early
-
-# Cannot redirect to HTTPS for *.id.fedoraproject.org or set 
-# "includeSubdomains", because relying parties need to be able to access 
-# username.id.fedoraproject.org via plain HTTP 
-
-RewriteEngine on
-
-RewriteMap lowercase int:tolower
-
-{% if env == "staging" %}
-RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9-]+\.id\.stg\.fedoraproject\.org$
-{% else %}
-RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9-]+\.id\.fedoraproject\.org$
-{% endif %}
-
-RewriteRule ^(.+) ${lowercase:%{SERVER_NAME}}$1 [C]
-
-{% if env == "staging" %}
-RewriteRule ^([a-z0-9-]+)\.id\.stg\.fedoraproject\.org/.* {{proxyurl}}/openid/id/$1/ [P,L]
-{% else %}
-RewriteRule ^([a-z0-9-]+)\.id\.fedoraproject\.org/.* {{proxyurl}}/openid/id/$1/ [P]
-{% endif %}