add certs to navi

Author: Anandkumar Patel

ansible/delta-hosts/docks.js

@@ -18,8 +18,8 @@ var params = {
     },
     // Only fetch instances that are tagged as docks
     {
-      Name: 'tag:role',
-      Values: ['dock']
+      Name: 'tag:org',
+      Values: ['2335750']
     },
     // Only fetch running instances
     {

ansible/group_vars/all.yml

@@ -126,7 +126,8 @@ mongo_hosts: "{% for host in groups['mongodb'] %}{{ hostvars[host]['ansible_defa
 
 # navi
 navi_host_address: "{{ hostvars[groups['navi'][0]]['ansible_default_ipv4']['address'] }}"
-navi_port: 3567
+navi_http_port: 3567
+navi_https_port: 443
 navi_rollbar_token: 719269e87b9b42848472542a8b2059ae
 
 # neo4j

ansible/group_vars/alpha-navi.yml

@@ -3,13 +3,16 @@ name: navi
 container_image: registry.runnable.com/runnable/{{ name }}
 container_tag: "{{ git_branch }}"
 repo: git@github.com:CodeNow/{{ name }}.git
-hosted_ports: [ "{{ navi_port }}" ]
+hosted_ports: [ "{{ navi_http_port }}", "{{ navi_https_port }}" ]
 node_version: "4.2.4"
 npm_version: "2.8.3"
 
 redis_ca_cert_path: /opt/ssl/{{ name }}/redis/ca.pem
+content_domain_certs: /opt/ssl/{{ user_content_domain }}
+
 container_envs: >
   -e API_URL={{ api_url }}
+  -e CERT_PATH={{ content_domain_certs }}
   -e COOKIE_DOMAIN=.{{ user_content_domain }}
   -e COOKIE_SECRET={{ navi_cookie_secret }}
   -e DATADOG_HOST={{ datadog_host_address }}
@@ -20,10 +23,6 @@ container_envs: >
   -e HTTP_PORT={{ hosted_ports[0] }}
   -e LOG_LEVEL_STDOUT=trace
   -e MONGO=mongodb://{{ navi_mongo_host_address }}:{{ navi_mongo_port }}/{{ navi_mongo_database }}
-  {% if navi_new_relic_app_name is defined %} -e NEW_RELIC_APP_NAME={{ navi_new_relic_app_name }} {% endif %}
-  {% if navi_new_relic_app_name is defined %} -e NEW_RELIC_LICENSE_KEY={{ new_relic_license_key }} {% endif %}
-  {% if navi_new_relic_app_name is defined %} -e NEW_RELIC_LOG_LEVEL=fatal {% endif %}
-  {% if navi_new_relic_app_name is defined %} -e NEW_RELIC_NO_CONFIG_FILE=true {% endif %}
   -e NODE_ENV={{ node_env }}
   -e RABBITMQ_HOSTNAME={{ rabbit_host_address }}
   -e RABBITMQ_PASSWORD={{ rabbit_password }}
@@ -32,12 +31,18 @@ container_envs: >
   -e REDIS_CACERT={{ redis_ca_cert_path }}
   -e REDIS_IPADDRESS={{ redis_host_address }}
   -e REDIS_PORT={{ redis_tls_port }}
-  {% if navi_intercom_app_id is defined %} -e INTERCOM_APP_ID={{ navi_intercom_app_id }} {% endif %}
   {% if navi_intercom_api_key is defined %} -e INTERCOM_API_KEY={{ navi_intercom_api_key }} {% endif %}
+  {% if navi_intercom_app_id is defined %} -e INTERCOM_APP_ID={{ navi_intercom_app_id }} {% endif %}
+  {% if navi_new_relic_app_name is defined %} -e NEW_RELIC_APP_NAME={{ navi_new_relic_app_name }} {% endif %}
+  {% if navi_new_relic_app_name is defined %} -e NEW_RELIC_LICENSE_KEY={{ new_relic_license_key }} {% endif %}
+  {% if navi_new_relic_app_name is defined %} -e NEW_RELIC_LOG_LEVEL=fatal {% endif %}
+  {% if navi_new_relic_app_name is defined %} -e NEW_RELIC_NO_CONFIG_FILE=true {% endif %}
 
 container_run_opts: >
   -h {{ name }}
   -d
   -p {{ hosted_ports[0] }}:{{ hosted_ports[0] }}
+  -p {{ hosted_ports[1] }}:{{ hosted_ports[1] }}
   -v {{ redis_ca_cert_path }}:{{ redis_ca_cert_path }}
+  -v {{ content_domain_certs }}:{{ content_domain_certs }}
   {{ container_envs }}

ansible/navi.yml

@@ -13,5 +13,6 @@
     rollbar_token: "{{ navi_rollbar_token }}"
     tags: [ notify ]
   - { role: builder, tags: [ build ] }
+  - { role: content-domain-certs }
   - { role: tls-server-ca, ca_dest: "{{ redis_ca_cert_path }}" }
   - { role: container_kill_start }

ansible/roles/content-domain-certs/tasks/main.yml

@@ -0,0 +1,22 @@
+---
+- name: make sure cert directory is in place
+  tags: [ certs ]
+  when: ca_dest is defined
+  become: true
+  file:
+    dest: /opt/ssl/{{ user_content_domain }}
+    state: directory
+
+- name: put certs in place
+  tags: [ certs ]
+  become: true
+  copy:
+    src: "{{ user_content_domain }}/{{ item }}"
+    dest: /opt/ssl/{{ user_content_domain }}/{{ item }}
+    mode: 0400
+    owner: root
+    group: root
+  with_items:
+  - ca.pem
+  - key.pem
+  - cert.pem