caddy-frontend: Cleanup CSR exposure

Cleanups:

 * simplify nginx management with real template
 * rename sections to provide explanation in their name so it's less cryptic

software/caddy-frontend/buildout.hash.cfg

@@ -22,7 +22,7 @@ md5sum = 5784bea3bd608913769ff9a8afcccb68
 
 [profile-caddy-frontend]
 filename = instance-apache-frontend.cfg.in
-md5sum = 334d0613557849cdbdea769510ba0cca
+md5sum = 3e3021b86c3cfe93553489441da85496
 
 [profile-caddy-replicate]
 filename = instance-apache-replicate.cfg.in
@@ -30,7 +30,7 @@ md5sum = c028f1c5947494e7f25cf8266a3ecd2d
 
 [profile-slave-list]
 _update_hash_filename_ = templates/apache-custom-slave-list.cfg.in
-md5sum = cc3c94eefd5659c82df1c894226d6b08
+md5sum = 6b6ab13d82bf9ecff6a37c3402ddbf95
 
 [profile-replicate-publish-slave-information]
 _update_hash_filename_ = templates/replicate-publish-slave-information.cfg.in
@@ -102,7 +102,7 @@ md5sum = b41b8de115ad815d0b0db306ad650365
 
 [profile-kedifa]
 filename = instance-kedifa.cfg.in
-md5sum = f29cf4e9591f8892430693a8915c5aba
+md5sum = 88f3a8cc30d3cf30f4bd2797f5c16221
 
 [template-backend-haproxy-rsyslogd-conf]
 _update_hash_filename_ = templates/backend-haproxy-rsyslogd.conf.in
@@ -111,3 +111,7 @@ md5sum = 3336d554661b138dcef97b1d1866803c
 [template-slave-introspection-httpd-nginx]
 _update_hash_filename_ = templates/slave-introspection-httpd-nginx.conf.in
 md5sum = 3067e6ba6c6901821d57d2109517d39c
+
+[template-expose-csr-nginx-conf]
+_update_hash_filename_ = templates/expose-csr-nginx.conf.in
+md5sum = 5620baa8819fcc8340fa6777ee551a1a

software/caddy-frontend/instance-apache-frontend.cfg.in

@@ -90,8 +90,8 @@ bbb-ssl-dir = ${:srv}/bbb-ssl
 frontend_cluster = ${:var}/frontend_cluster
 
 # CSR publication
-csr = ${:srv}/csr
-certificate-csr = ${:etc}/certificate-csr
+expose-csr = ${:srv}/expose-csr
+expose-csr-etc = ${:etc}/expose-csr
 expose-csr-var = ${:var}/expose-csr
 
 # slave introspection
@@ -179,6 +179,7 @@ template-empty = {{ software_parameter_dict['template_empty'] }}
 template-default-slave-virtualhost = {{ software_parameter_dict['template_default_slave_virtualhost'] }}
 template-backend-haproxy-configuration = {{ software_parameter_dict['template_backend_haproxy_configuration'] }}
 template-backend-haproxy-rsyslogd-conf = {{ software_parameter_dict['template_backend_haproxy_rsyslogd_conf'] }}
+template-expose-csr-nginx-conf = {{ software_parameter_dict['template_expose_csr_nginx_conf'] }}
 
 [kedifa-login-config]
 d = ${directory:ca-dir}
@@ -300,6 +301,7 @@ extra-context =
     key global_ipv6 slap-configuration:ipv6-random
     key empty_template software-release-path:template-empty
     key template_default_slave_configuration software-release-path:template-default-slave-virtualhost
+    key template_expose_csr_nginx_conf software-release-path:template-expose-csr-nginx-conf
     key software_type :software_type
     key frontend_lazy_graceful_reload frontend-caddy-lazy-graceful:rendered
     key monitor_base_url monitor-instance-parameter:monitor-base-url 

software/caddy-frontend/instance-kedifa.cfg.in

@@ -74,8 +74,8 @@ backup-caucased = ${:backup}/caucased
 reservation = ${:srv}/reservation
 
 # CSR publication
-csr = ${:srv}/csr
-certificate-csr = ${:var}/certificate-csr
+expose-csr = ${:srv}/expose-csr
+expose-csr-etc = ${:etc}/expose-csr
 expose-csr-var = ${:var}/expose-csr
 
 [kedifa-csr]
@@ -112,19 +112,19 @@ stop-on-error = True
      template_csr='${kedifa-csr:template-csr}'
 )}}
 
-[store-csr]
+[expose-csr-link-csr]
 recipe = plone.recipe.command
 filename = csr.pem
-csr_path = ${directory:csr}/${:filename}
+csr_path = ${directory:expose-csr}/${:filename}
 stop-on-error = False
 update-command = ${:command}
 command =
   ln -sf ${caucase-updater-csr:csr} ${:csr_path}
 
-[certificate-csr]
+[expose-csr-certificate]
 recipe = plone.recipe.command
-certificate = ${directory:certificate-csr}/certificate.pem
-key = ${directory:certificate-csr}/key.pem
+certificate = ${directory:expose-csr-etc}/certificate.pem
+key = ${directory:expose-csr-etc}/key.pem
 
 {#- Can be stopped on error, as does not rely on self provided service #}
 stop-on-error = True
@@ -139,46 +139,20 @@ command =
 [expose-csr-configuration]
 ip = {{ instance_parameter_dict['ipv6-random'] }}
 port = 17000
-key = ${certificate-csr:key}
-certificate = ${certificate-csr:certificate}
+key = ${expose-csr-certificate:key}
+certificate = ${expose-csr-certificate:certificate}
 error-log = ${directory:log}/expose-csr.log
+var = ${directory:expose-csr-var}
+pid = ${directory:var}/nginx-expose-csr.pid
+root = ${directory:expose-csr}
+nginx_mime = {{ software_parameter_dict['nginx_mime'] }}
 
 [expose-csr-template]
 recipe = slapos.recipe.template:jinja2
-var = ${directory:expose-csr-var}
-pid = ${directory:var}/nginx-expose-csr.pid
-rendered = ${directory:etc}/nginx-expose-csr.conf
-template = inline:
-  daemon off;
-  pid ${:pid};
-  error_log ${expose-csr-configuration:error-log};
-  events {
-  }
-  http {
-    include {{ software_parameter_dict['nginx_mime'] }};
-    server {
-      server_name_in_redirect off;
-      port_in_redirect off;
-      error_log ${expose-csr-configuration:error-log};
-      access_log /dev/null;
-      listen [${expose-csr-configuration:ip}]:${expose-csr-configuration:port} ssl;
-      ssl_certificate ${expose-csr-configuration:certificate};
-      ssl_certificate_key ${expose-csr-configuration:key};
-      default_type application/octet-stream;
-      client_body_temp_path ${:var} 1 2;
-      proxy_temp_path ${:var} 1 2;
-      fastcgi_temp_path ${:var} 1 2;
-      uwsgi_temp_path ${:var} 1 2;
-      scgi_temp_path ${:var} 1 2;
-
-      location / {
-        alias ${directory:csr}/;
-        autoindex off;
-        sendfile on;
-        sendfile_max_chunk 1m;
-      }
-    }
-  }
+rendered = ${directory:expose-csr-etc}/nginx.conf
+template = {{ software_parameter_dict['template_expose_csr_nginx_conf'] }}
+context =
+  section configuration expose-csr-configuration
 
 [promise-expose-csr-ip-port]
 <= monitor-promise-base
@@ -196,10 +170,10 @@ url = https://[${expose-csr-configuration:ip}]:${expose-csr-configuration:port}
 wrapper-path = ${directory:service}/expose-csr
 hash-existing-files = ${buildout:directory}/software_release/buildout.cfg
 
-[get-csr-certificate]
+[expose-csr-certificate-get]
 recipe = collective.recipe.shelloutput
 commands =
-  certificate = cat ${certificate-csr:certificate}
+  certificate = cat ${expose-csr-certificate:certificate}
 
 [jinja2-template-base]
 recipe = slapos.recipe.template:jinja2
@@ -314,8 +288,8 @@ caucase-url = {{ caucase_url }}
 master-key-generate-auth-url = https://[${kedifa-config:ip}]:${kedifa-config:port}/${master-auth-random:passwd}/generateauth
 master-key-upload-url = https://[${kedifa-config:ip}]:${kedifa-config:port}/${master-auth-random:passwd}?auth=
 master-key-download-url = https://[${kedifa-config:ip}]:${kedifa-config:port}/${master-auth-random:passwd}
-kedifa-csr-url = ${expose-csr:url}/${store-csr:filename}
-csr-certificate = ${get-csr-certificate:certificate}
+kedifa-csr-url = ${expose-csr:url}/${expose-csr-link-csr:filename}
+csr-certificate = ${expose-csr-certificate-get:certificate}
 monitor-base-url = ${monitor-instance-parameter:monitor-base-url}
 
 [promise-logrotate-setup]

software/caddy-frontend/software.cfg

@@ -99,6 +99,7 @@ template_trafficserver_records_config = ${template-trafficserver-records-config:
 template_trafficserver_storage_config = ${template-trafficserver-storage-config:target}
 template_validate_script = ${template-validate-script:target}
 template_wrapper = ${template-wrapper:output}
+template_expose_csr_nginx_conf = ${template-expose-csr-nginx-conf:target}
 
 # directories
 bin_directory = ${buildout:bin-directory}
@@ -205,6 +206,9 @@ output = ${buildout:directory}/template-wrapper.cfg
 [template-backend-haproxy-rsyslogd-conf]
 <=download-template
 
+[template-expose-csr-nginx-conf]
+<=download-template
+
 [versions]
 kedifa = 0.0.6
 # Modern KeDiFa requires zc.lockfile

software/caddy-frontend/templates/apache-custom-slave-list.cfg.in

@@ -453,9 +453,9 @@ recipe = slapos.cookbook:publish.serialised
 slave-instance-information-list = {{ json_module.dumps(slave_instance_information_list, sort_keys=True) }}
 {%- endif %}
 monitor-base-url = {{ monitor_base_url }}
-kedifa-csr-url = ${expose-csr:url}/${store-kedifa-csr:filename}
-backend-client-csr-url = ${expose-csr:url}/${store-backend-haproxy-csr:filename}
-csr-certificate = ${get-csr-certificate:certificate}
+kedifa-csr-url = ${expose-csr:url}/${expose-csr-link-csr-kedifa:filename}
+backend-client-csr-url = ${expose-csr:url}/${expose-csr-link-csr-backend-haproxy:filename}
+csr-certificate = ${expose-csr-certificate-get:certificate}
 {%-   set furled = furl_module.furl(backend_haproxy_configuration['statistic-frontend-secure_access']) %}
 {%-   do furled.set(username = backend_haproxy_configuration['statistic-username']) %}
 {%-   do furled.set(password = backend_haproxy_configuration['statistic-password']) %}
@@ -514,21 +514,21 @@ request-timeout = {{ dumps('' ~ configuration['request-timeout']) }}
 backend-connect-timeout = {{ dumps('' ~ configuration['backend-connect-timeout']) }}
 backend-connect-retries =  {{ dumps('' ~ configuration['backend-connect-retries']) }}
 
-[store-csr]
+[template-expose-csr-link-csr]
 recipe = plone.recipe.command
 stop-on-error = False
 update-command = ${:command}
-csr_path = {{ directory['csr'] }}/${:filename}
+csr_path = {{ directory['expose-csr'] }}/${:filename}
 command =
   ln -sf ${:csr} ${:csr_path}
 
-[store-backend-haproxy-csr]
-<= store-csr
+[expose-csr-link-csr-backend-haproxy]
+<= template-expose-csr-link-csr
 filename = backend-haproxy-csr.pem
 csr = {{ backend_haproxy_configuration['csr'] }}
 
-[store-kedifa-csr]
-<= store-csr
+[expose-csr-link-csr-kedifa]
+<= template-expose-csr-link-csr
 filename = kedifa-csr.pem
 csr = {{ kedifa_configuration['csr'] }}
 
@@ -555,10 +555,10 @@ parts +=
 
 cache-access = {{ cache_access }}
 
-[certificate-csr]
+[expose-csr-certificate]
 recipe = plone.recipe.command
-certificate = {{ directory['certificate-csr'] }}/certificate.pem
-key = {{ directory['certificate-csr'] }}/key.pem
+certificate = {{ directory['expose-csr-etc'] }}/certificate.pem
+key = {{ directory['expose-csr-etc'] }}/key.pem
 
 {#- Can be stopped on error, as does not rely on self provided service #}
 stop-on-error = True
@@ -573,46 +573,20 @@ command =
 [expose-csr-configuration]
 ip = ${slap-configuration:ipv6-random}
 port = 17001
-key = ${certificate-csr:key}
-certificate = ${certificate-csr:certificate}
+key = ${expose-csr-certificate:key}
+certificate = ${expose-csr-certificate:certificate}
 error-log = {{ directory['log'] }}/expose-csr.log
+var = {{ directory['expose-csr-var'] }}
+pid = {{ directory['var'] }}/nginx-expose-csr.pid
+root = {{ directory['expose-csr'] }}
+nginx_mime = {{ software_parameter_dict['nginx_mime'] }}
 
 [expose-csr-template]
 recipe = slapos.recipe.template:jinja2
-var = {{ directory['expose-csr-var'] }}
-pid = {{ directory['var'] }}/nginx-expose-csr.pid
-rendered = {{ directory['etc'] }}/nginx-expose-csr.conf
-template = inline:
-  daemon off;
-  pid ${:pid};
-  error_log ${expose-csr-configuration:error-log};
-  events {
-  }
-  http {
-    include {{ software_parameter_dict['nginx_mime'] }};
-    server {
-      server_name_in_redirect off;
-      port_in_redirect off;
-      error_log ${expose-csr-configuration:error-log};
-      access_log /dev/null;
-      listen [${expose-csr-configuration:ip}]:${expose-csr-configuration:port} ssl;                                                          
-      ssl_certificate ${expose-csr-configuration:certificate};
-      ssl_certificate_key ${expose-csr-configuration:key};
-      default_type application/octet-stream;
-      client_body_temp_path ${:var} 1 2;
-      proxy_temp_path ${:var} 1 2;
-      fastcgi_temp_path ${:var} 1 2;
-      uwsgi_temp_path ${:var} 1 2;
-      scgi_temp_path ${:var} 1 2;
-
-      location / {
-        alias {{ directory['csr'] }}/;
-        autoindex off;
-        sendfile on;
-        sendfile_max_chunk 1m;
-      }
-    }
-  }
+rendered = {{ directory['expose-csr-etc'] }}/nginx.conf
+template = {{ template_expose_csr_nginx_conf }}
+context =
+  section configuration expose-csr-configuration
 
 [promise-expose-csr-ip-port]
 <= monitor-promise-base
@@ -630,10 +604,10 @@ url = https://[${expose-csr-configuration:ip}]:${expose-csr-configuration:port}
 wrapper-path = {{ directory['service'] }}/expose-csr
 hash-existing-files = ${buildout:directory}/software_release/buildout.cfg
 
-[get-csr-certificate]
+[expose-csr-certificate-get]
 recipe = collective.recipe.shelloutput
 commands =
-  certificate = cat ${certificate-csr:certificate}
+  certificate = cat ${expose-csr-certificate:certificate}
 
 [promise-logrotate-setup]
 <= monitor-promise-base

software/caddy-frontend/templates/expose-csr-nginx.conf.in

+daemon off;
+pid {{ configuration['pid'] }};
+error_log {{ configuration['error-log'] }};
+events {
+}
+http {
+  include {{ configuration['nginx_mime'] }};
+  server {
+    server_name_in_redirect off;
+    port_in_redirect off;
+    error_log {{ configuration['error-log'] }};
+    access_log /dev/null;
+    listen [{{ configuration['ip'] }}]:{{ configuration['port'] }} ssl;
+    ssl_certificate {{ configuration['certificate'] }};
+    ssl_certificate_key {{ configuration['key'] }};
+    default_type application/octet-stream;
+    client_body_temp_path {{ configuration['var'] }} 1 2;
+    proxy_temp_path {{ configuration['var'] }} 1 2;
+    fastcgi_temp_path {{ configuration['var'] }} 1 2;
+    uwsgi_temp_path {{ configuration['var'] }} 1 2;
+    scgi_temp_path {{ configuration['var'] }} 1 2;
+
+    location / {
+      alias {{ configuration['root'] }}/;
+      autoindex off;
+      sendfile on;
+      sendfile_max_chunk 1m;
+    }
+  }
+}