From b35ce2dcc8a9ec931ca8e14bd19c6837d11cf8ae Mon Sep 17 00:00:00 2001 From: Ee Durbin Date: Sun, 19 Jan 2025 10:52:32 -0500 Subject: [PATCH] Pycon fr redirect (#550) * load balancer: move from www.pycon.org/pycon.org cert to *.pycon.org cert * add redirect from fr.pycon.org -> pycon.org --- pillar/base/haproxy.sls | 4 ++ pillar/dev/secrets/tls/certs/loadbalancer.sls | 52 +++++++++++++++++++ salt/haproxy/config/haproxy.cfg.jinja | 10 ++-- 3 files changed, 61 insertions(+), 5 deletions(-) diff --git a/pillar/base/haproxy.sls b/pillar/base/haproxy.sls index a8dda595..c2bd10d0 100644 --- a/pillar/base/haproxy.sls +++ b/pillar/base/haproxy.sls @@ -149,6 +149,10 @@ haproxy: target: www.jython.org hsts_subdomains: False hsts_preload: False + fr.pycon.org: + target: pycon.fr + hsts_subdomains: False + hsts_preload: False listens: hg_ssh: diff --git a/pillar/dev/secrets/tls/certs/loadbalancer.sls b/pillar/dev/secrets/tls/certs/loadbalancer.sls index 3ea4aa2c..47f13562 100644 --- a/pillar/dev/secrets/tls/certs/loadbalancer.sls +++ b/pillar/dev/secrets/tls/certs/loadbalancer.sls 
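Review bot: The new `fr.pycon.org` entry sets `target: pycon.fr`, while the commit description says the redirect goes to pycon.org; one of the two should be corrected so the record matches the configuration. Because the target is a different registrable domain from the one being redirected, a short comment above the entry would make the intent explicit, for example `# fr.pycon.org -> pycon.fr (separate site; confirm who operates the target)`. The mapping this entry belongs to starts outside the hunk, so how `target` is turned into a redirect rule cannot be checked from here.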
@@ -106,6 +106,58 @@ tls: ogsOBi74M0k7Ihp96JK6lUXTY+WnlJ3C9FZdByeXq6O4HLhgq5jug7E= -----END CERTIFICATE----- + star.pycon.org: | + -----BEGIN PRIVATE KEY----- + MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCSNloTX8Ut5t4v + M8MDD0gzrRWKFwcqDbvMa/JkK89hfoSfAnZwIHtZl+PTHCOXqU4WEMvYwSIcqVlD + bOfTDLklwFvMxwzj4/TJbXrHtPf6wFRQa2KUrewy+KcpZBERJcEhJ1PwRHe4bY+n + t4L+gDcRVoLmZXUpxasMeBHXD8ZqY9v7BXS2Z4qNnKu7/nABK7yR0DF/epYXxNPf + aGL8qEfXsWhc3278MCsipokYFOOVhVxPyJ0xny065L1lX51GChr6kSMNAdV6/Zju + vDMmFJp4AbZQ8ta/QdppGEe/cFDGg4VNpinlZ8vQJ01hTON9TxlJqG0oFDmplGCU + a+SFiLQLAgMBAAECggEANYChDnTdlPHlvNUOl7iIXayI9Lp/eyKCZYfcr04euVjQ + E9WVXGtuZ7b+fZpO5ejks4ta5Iqrvlwz10nrPN3rhEZy8SinbV7VjL28j4aHtaCa + WcEp1ikchPxbQvikjCdKGCUpgIK1Ym3pAuDSlOl6/SOwi7l1mZ8E+++V66IQo44w + cP+64sm4VIS3kVNhNxB619gXcmldo7N5fC7eF8K8wNnCXSlJA8BqrW/OAAUSl4Lp + rn7BkxSdcISejA/n9QoGkKOd6XZ7vzMV4hseFzisn9xGkRWx6zdZsfcuzeZ10p7E + pxNCA1g7l1xxYTUIDNBmMImtUsbIH0INXiu2MCXJbQKBgQDC9fb0ZJCJN8hpqb3+ + Zw1FxjNAs8eqTwaohc7H3n+DSeBLZi63wKe8gO1sPcvwFx2/8U6oQS9lo2xOaDuu + Fv4S57jIOoTIxt2Ax/eVTlGh/3EHXqACUQn/qXCdHLtO0sTnnr3WpA15Q8JrjTHU + RePRI2xqCTkC4e4GWBKN6fTwtwKBgQC//TbPlf949KI6scnh8foFXEepPelfhUl2 + zGj78stXSOkHJ9oYWNYVBH4lL7GrsYryr+6Ndr8Di7o45FD/iHBSMWfJluRDUH42 + yU3Ro54ECBBChI+9n+QUL9gUZBBfJgBDfiKHdbMrmD+IkD8QKFNHf7UdcgB/RG/+ + nFjzP08bTQKBgAVPX7eOWaVzIIFIP0WDlwf0ewbjHqgT2PGUG2q0M7LmuzYyhUk5 + 9RecR1swX7KdXpEQyHyqsdjJ17RXAHEgbTEkoJLLjTxOtk/AooytgmmwJGr399G4 + VVZiTg/pbWybLwPD/hWviDJqVwxI3zeR47+ZgGVu9N+QOcRwd6jn22UHAoGAdSTX + sMnhW7hI1G9us0KmP2cTAp0YLIRzUt1eoXx/vf5q0UbruDdcSO642Y/EZPKryXC3 + qfFuk4dKVTRah9CEWGJ05XgAR2Jx4JPru6KN4//Xi/6+hgFtdTPMMITtyGCzgHsS + Ln0OmecHvRfmosE4L0QpCpJo4z6q5zwWujVC23ECgYAi1r+27xBjVtSvsd7xkBfY + R2HpqcSHaMedQZ2DY/LU6OH5O1RxQsgeSYyiiHMjN9ij3IUv+JHcxaotcSUQIWEa + YJmAMhl5ZEfYzpMJ9PUQymN59AAGuTr2PYjc9fhZm5/EgpxC2cl/AR2nS3U19dwf + N5zICLLKa7f4hPvAFf33Lg== + -----END PRIVATE KEY----- + -----BEGIN CERTIFICATE----- + MIIDtTCCAp2gAwIBAgIUHTES3WH58IHxo9rMUzj/DeytPc8wDQYJKoZIhvcNAQEL + 
BQAwajELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk9SMRIwEAYDVQQHDAlCZWF2ZXJ0 + b24xIzAhBgNVBAoMGlB5dGhvbiBTb2Z0d2FyZSBGb3VuZGF0aW9uMRUwEwYDVQQD + DAwqLnB5dGhvbi5vcmcwHhcNMjQwNzE3MTgyNTAxWhcNMzQwNzE1MTgyNTAxWjBq + MQswCQYDVQQGEwJVUzELMAkGA1UECAwCT1IxEjAQBgNVBAcMCUJlYXZlcnRvbjEj + MCEGA1UECgwaUHl0aG9uIFNvZnR3YXJlIEZvdW5kYXRpb24xFTATBgNVBAMMDCou + cHl0aG9uLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJI2WhNf + xS3m3i8zwwMPSDOtFYoXByoNu8xr8mQrz2F+hJ8CdnAge1mX49McI5epThYQy9jB + IhypWUNs59MMuSXAW8zHDOPj9Mltese09/rAVFBrYpSt7DL4pylkERElwSEnU/BE + d7htj6e3gv6ANxFWguZldSnFqwx4EdcPxmpj2/sFdLZnio2cq7v+cAErvJHQMX96 + lhfE099oYvyoR9exaFzfbvwwKyKmiRgU45WFXE/InTGfLTrkvWVfnUYKGvqRIw0B + 1Xr9mO68MyYUmngBtlDy1r9B2mkYR79wUMaDhU2mKeVny9AnTWFM431PGUmobSgU + OamUYJRr5IWItAsCAwEAAaNTMFEwHQYDVR0OBBYEFPJrXEC964Djv1KtiYGjRFpD + s8RvMB8GA1UdIwQYMBaAFPJrXEC964Djv1KtiYGjRFpDs8RvMA8GA1UdEwEB/wQF + MAMBAf8wDQYJKoZIhvcNAQELBQADggEBAGlJ+N5txBsBekRMkl2pGxUecihJWLXM + pwnXuhKswrsCpLiJlWijTWVBULfVn71rEfnMFNgdVn4i1TddgyK4cViHWZPBYcGd + SYbQK40xmLuIAJKM8uARdm99AmavKCH+ha6jFY8fZoU0+m51hOztXfGTIkLpLr2r + +0ydepkbAWqNH6NYNpUQKFxSlyTYvwaHUh0YzXMxgOj+foJCygyVnB/E7Fja92Ho + Pe93No9Ze0Jou4GsXmP2E1YY0i3jkCigmuVTQSrl85uxxHfHWNgr9OwN8ASoF9dp + ogsOBi74M0k7Ihp96JK6lUXTY+WnlJ3C9FZdByeXq6O4HLhgq5jug7E= + -----END CERTIFICATE----- + star.pyfound.org: | -----BEGIN PRIVATE KEY----- MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCSNloTX8Ut5t4v diff --git a/salt/haproxy/config/haproxy.cfg.jinja b/salt/haproxy/config/haproxy.cfg.jinja index c6d1e28f..5960c314 100644 --- a/salt/haproxy/config/haproxy.cfg.jinja +++ b/salt/haproxy/config/haproxy.cfg.jinja 
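Review bot: The material added under `star.pycon.org` does not look like a `*.pycon.org` certificate. The subject bytes in the certificate body decode to CN `*.python.org`, the first key line is identical to the `star.pyfound.org` key line shown as context, and the last certificate line is identical to the certificate tail just above the insertion. If this is the shared self-signed dev placeholder, a comment above the entry would say so, e.g. `# dev-only self-signed placeholder shared by the star.* entries; CN is *.python.org`. Clients that verify hostnames against the dev load balancer will reject it for fr.pycon.org, which a dedicated dev certificate with a `*.pycon.org` SAN would avoid.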
@@ -95,12 +95,12 @@ frontend main bind :20003 ssl alpn h2,http/1.1 crt star.python.org.pem bind :20005 ssl alpn h2,http/1.1 crt star.pypa.io.pem bind :20006 ssl alpn h2,http/1.1 crt speed.pypy.org.pem - bind :20007 ssl alpn h2,http/1.1 crt www.pycon.org.pem + bind :20007 ssl alpn h2,http/1.1 crt star.pycon.org.pem bind :20008 ssl alpn h2,http/1.1 crt jython.org.pem - bind 0.0.0.0:443 ssl alpn h2,http/1.1 crt star.python.org.pem crt star.pypa.io.pem crt star.pyfound.org.pem crt speed.pypy.org.pem crt www.pycon.org.pem crt jython.org.pem crt salt-public.psf.io.pem crt planetpython.org.pem crt bugs.python.org.pem - bind :::443 ssl alpn h2,http/1.1 crt star.python.org.pem crt star.pypa.io.pem crt star.pyfound.org.pem crt speed.pypy.org.pem crt www.pycon.org.pem crt jython.org.pem crt salt-public.psf.io.pem crt planetpython.org.pem crt bugs.python.org.pem - bind :20010 ssl alpn h2,http/1.1 crt star.python.org.pem crt star.pypa.io.pem crt star.pyfound.org.pem crt speed.pypy.org.pem crt www.pycon.org.pem crt jython.org.pem crt salt-public.psf.io.pem crt planetpython.org.pem crt bugs.python.org.pem - bind :20011 accept-proxy ssl alpn h2,http/1.1 crt star.python.org.pem crt star.pypa.io.pem crt star.pyfound.org.pem crt speed.pypy.org.pem crt www.pycon.org.pem crt jython.org.pem crt salt-public.psf.io.pem crt planetpython.org.pem crt bugs.python.org.pem + bind 0.0.0.0:443 ssl alpn h2,http/1.1 crt star.python.org.pem crt star.pycon.org.pem crt star.pypa.io.pem crt star.pyfound.org.pem crt speed.pypy.org.pem crt jython.org.pem crt salt-public.psf.io.pem crt planetpython.org.pem crt bugs.python.org.pem + bind :::443 ssl alpn h2,http/1.1 crt star.python.org.pem crt star.pycon.org.pem crt star.pypa.io.pem crt star.pyfound.org.pem crt speed.pypy.org.pem crt jython.org.pem crt salt-public.psf.io.pem crt planetpython.org.pem crt bugs.python.org.pem + bind :20010 ssl alpn h2,http/1.1 crt star.python.org.pem crt star.pycon.org.pem crt star.pypa.io.pem crt star.pyfound.org.pem crt 
speed.pypy.org.pem crt jython.org.pem crt salt-public.psf.io.pem crt planetpython.org.pem crt bugs.python.org.pem + bind :20011 accept-proxy ssl alpn h2,http/1.1 crt star.python.org.pem crt star.pycon.org.pem crt star.pypa.io.pem crt star.pyfound.org.pem crt speed.pypy.org.pem crt jython.org.pem crt salt-public.psf.io.pem crt planetpython.org.pem crt bugs.python.org.pem # Define a stick table for all services stick-table type ipv6 size 100k expire 30s store http_req_rate(10s)
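Review bot: A `*.pycon.org` wildcard does not match the bare `pycon.org` name, which the commit description says the replaced `www.pycon.org.pem` covered, so the production `star.pycon.org.pem` used on the `:20007`, `:443`, `:20010` and `:20011` binds needs an explicit `pycon.org` SAN. Without it, and assuming `strict-sni` is not set elsewhere in the file, HAProxy would answer apex requests on the multi-certificate binds with the first certificate on the line (`star.python.org.pem`), and clients would fail hostname verification. The production certificate is not part of this diff, so this is something to confirm rather than a known defect. A comment above the binds such as `# star.pycon.org.pem must list both *.pycon.org and pycon.org as SANs` would record the requirement. The `frontend main` block starts and continues outside the hunk.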