Commit 6a531a74 authored by Łukasz Nowak's avatar Łukasz Nowak

caddy-frontend: Cleanup CSR exposure

Cleanups:

 * simplify nginx management with real template
 * rename sections to provide explanation in their name so it's less cryptic
parent 9ff5eccf
......@@ -22,7 +22,7 @@ md5sum = 5784bea3bd608913769ff9a8afcccb68
[profile-caddy-frontend]
filename = instance-apache-frontend.cfg.in
md5sum = 334d0613557849cdbdea769510ba0cca
md5sum = 3e3021b86c3cfe93553489441da85496
[profile-caddy-replicate]
filename = instance-apache-replicate.cfg.in
......@@ -30,7 +30,7 @@ md5sum = c028f1c5947494e7f25cf8266a3ecd2d
[profile-slave-list]
_update_hash_filename_ = templates/apache-custom-slave-list.cfg.in
md5sum = cc3c94eefd5659c82df1c894226d6b08
md5sum = 6b6ab13d82bf9ecff6a37c3402ddbf95
[profile-replicate-publish-slave-information]
_update_hash_filename_ = templates/replicate-publish-slave-information.cfg.in
......@@ -102,7 +102,7 @@ md5sum = b41b8de115ad815d0b0db306ad650365
[profile-kedifa]
filename = instance-kedifa.cfg.in
md5sum = f29cf4e9591f8892430693a8915c5aba
md5sum = 88f3a8cc30d3cf30f4bd2797f5c16221
[template-backend-haproxy-rsyslogd-conf]
_update_hash_filename_ = templates/backend-haproxy-rsyslogd.conf.in
......@@ -111,3 +111,7 @@ md5sum = 3336d554661b138dcef97b1d1866803c
[template-slave-introspection-httpd-nginx]
_update_hash_filename_ = templates/slave-introspection-httpd-nginx.conf.in
md5sum = 3067e6ba6c6901821d57d2109517d39c
[template-expose-csr-nginx-conf]
_update_hash_filename_ = templates/expose-csr-nginx.conf.in
md5sum = 5620baa8819fcc8340fa6777ee551a1a
......@@ -90,8 +90,8 @@ bbb-ssl-dir = ${:srv}/bbb-ssl
frontend_cluster = ${:var}/frontend_cluster
# CSR publication
csr = ${:srv}/csr
certificate-csr = ${:etc}/certificate-csr
expose-csr = ${:srv}/expose-csr
expose-csr-etc = ${:etc}/expose-csr
expose-csr-var = ${:var}/expose-csr
# slave introspection
......@@ -179,6 +179,7 @@ template-empty = {{ software_parameter_dict['template_empty'] }}
template-default-slave-virtualhost = {{ software_parameter_dict['template_default_slave_virtualhost'] }}
template-backend-haproxy-configuration = {{ software_parameter_dict['template_backend_haproxy_configuration'] }}
template-backend-haproxy-rsyslogd-conf = {{ software_parameter_dict['template_backend_haproxy_rsyslogd_conf'] }}
template-expose-csr-nginx-conf = {{ software_parameter_dict['template_expose_csr_nginx_conf'] }}
[kedifa-login-config]
d = ${directory:ca-dir}
......@@ -300,6 +301,7 @@ extra-context =
key global_ipv6 slap-configuration:ipv6-random
key empty_template software-release-path:template-empty
key template_default_slave_configuration software-release-path:template-default-slave-virtualhost
key template_expose_csr_nginx_conf software-release-path:template-expose-csr-nginx-conf
key software_type :software_type
key frontend_lazy_graceful_reload frontend-caddy-lazy-graceful:rendered
key monitor_base_url monitor-instance-parameter:monitor-base-url
......
......@@ -74,8 +74,8 @@ backup-caucased = ${:backup}/caucased
reservation = ${:srv}/reservation
# CSR publication
csr = ${:srv}/csr
certificate-csr = ${:var}/certificate-csr
expose-csr = ${:srv}/expose-csr
expose-csr-etc = ${:etc}/expose-csr
expose-csr-var = ${:var}/expose-csr
[kedifa-csr]
......@@ -112,19 +112,19 @@ stop-on-error = True
template_csr='${kedifa-csr:template-csr}'
)}}
[store-csr]
[expose-csr-link-csr]
recipe = plone.recipe.command
filename = csr.pem
csr_path = ${directory:csr}/${:filename}
csr_path = ${directory:expose-csr}/${:filename}
stop-on-error = False
update-command = ${:command}
command =
ln -sf ${caucase-updater-csr:csr} ${:csr_path}
[certificate-csr]
[expose-csr-certificate]
recipe = plone.recipe.command
certificate = ${directory:certificate-csr}/certificate.pem
key = ${directory:certificate-csr}/key.pem
certificate = ${directory:expose-csr-etc}/certificate.pem
key = ${directory:expose-csr-etc}/key.pem
{#- Can be stopped on error, as does not rely on self provided service #}
stop-on-error = True
......@@ -139,46 +139,20 @@ command =
[expose-csr-configuration]
ip = {{ instance_parameter_dict['ipv6-random'] }}
port = 17000
key = ${certificate-csr:key}
certificate = ${certificate-csr:certificate}
key = ${expose-csr-certificate:key}
certificate = ${expose-csr-certificate:certificate}
error-log = ${directory:log}/expose-csr.log
var = ${directory:expose-csr-var}
pid = ${directory:var}/nginx-expose-csr.pid
root = ${directory:expose-csr}
nginx_mime = {{ software_parameter_dict['nginx_mime'] }}
[expose-csr-template]
recipe = slapos.recipe.template:jinja2
var = ${directory:expose-csr-var}
pid = ${directory:var}/nginx-expose-csr.pid
rendered = ${directory:etc}/nginx-expose-csr.conf
template = inline:
daemon off;
pid ${:pid};
error_log ${expose-csr-configuration:error-log};
events {
}
http {
include {{ software_parameter_dict['nginx_mime'] }};
server {
server_name_in_redirect off;
port_in_redirect off;
error_log ${expose-csr-configuration:error-log};
access_log /dev/null;
listen [${expose-csr-configuration:ip}]:${expose-csr-configuration:port} ssl;
ssl_certificate ${expose-csr-configuration:certificate};
ssl_certificate_key ${expose-csr-configuration:key};
default_type application/octet-stream;
client_body_temp_path ${:var} 1 2;
proxy_temp_path ${:var} 1 2;
fastcgi_temp_path ${:var} 1 2;
uwsgi_temp_path ${:var} 1 2;
scgi_temp_path ${:var} 1 2;
location / {
alias ${directory:csr}/;
autoindex off;
sendfile on;
sendfile_max_chunk 1m;
}
}
}
rendered = ${directory:expose-csr-etc}/nginx.conf
template = {{ software_parameter_dict['template_expose_csr_nginx_conf'] }}
context =
section configuration expose-csr-configuration
[promise-expose-csr-ip-port]
<= monitor-promise-base
......@@ -196,10 +170,10 @@ url = https://[${expose-csr-configuration:ip}]:${expose-csr-configuration:port}
wrapper-path = ${directory:service}/expose-csr
hash-existing-files = ${buildout:directory}/software_release/buildout.cfg
[get-csr-certificate]
[expose-csr-certificate-get]
recipe = collective.recipe.shelloutput
commands =
certificate = cat ${certificate-csr:certificate}
certificate = cat ${expose-csr-certificate:certificate}
[jinja2-template-base]
recipe = slapos.recipe.template:jinja2
......@@ -314,8 +288,8 @@ caucase-url = {{ caucase_url }}
master-key-generate-auth-url = https://[${kedifa-config:ip}]:${kedifa-config:port}/${master-auth-random:passwd}/generateauth
master-key-upload-url = https://[${kedifa-config:ip}]:${kedifa-config:port}/${master-auth-random:passwd}?auth=
master-key-download-url = https://[${kedifa-config:ip}]:${kedifa-config:port}/${master-auth-random:passwd}
kedifa-csr-url = ${expose-csr:url}/${store-csr:filename}
csr-certificate = ${get-csr-certificate:certificate}
kedifa-csr-url = ${expose-csr:url}/${expose-csr-link-csr:filename}
csr-certificate = ${expose-csr-certificate-get:certificate}
monitor-base-url = ${monitor-instance-parameter:monitor-base-url}
[promise-logrotate-setup]
......
......@@ -99,6 +99,7 @@ template_trafficserver_records_config = ${template-trafficserver-records-config:
template_trafficserver_storage_config = ${template-trafficserver-storage-config:target}
template_validate_script = ${template-validate-script:target}
template_wrapper = ${template-wrapper:output}
template_expose_csr_nginx_conf = ${template-expose-csr-nginx-conf:target}
# directories
bin_directory = ${buildout:bin-directory}
......@@ -205,6 +206,9 @@ output = ${buildout:directory}/template-wrapper.cfg
[template-backend-haproxy-rsyslogd-conf]
<=download-template
[template-expose-csr-nginx-conf]
<=download-template
[versions]
kedifa = 0.0.6
# Modern KeDiFa requires zc.lockfile
......
......@@ -453,9 +453,9 @@ recipe = slapos.cookbook:publish.serialised
slave-instance-information-list = {{ json_module.dumps(slave_instance_information_list, sort_keys=True) }}
{%- endif %}
monitor-base-url = {{ monitor_base_url }}
kedifa-csr-url = ${expose-csr:url}/${store-kedifa-csr:filename}
backend-client-csr-url = ${expose-csr:url}/${store-backend-haproxy-csr:filename}
csr-certificate = ${get-csr-certificate:certificate}
kedifa-csr-url = ${expose-csr:url}/${expose-csr-link-csr-kedifa:filename}
backend-client-csr-url = ${expose-csr:url}/${expose-csr-link-csr-backend-haproxy:filename}
csr-certificate = ${expose-csr-certificate-get:certificate}
{%- set furled = furl_module.furl(backend_haproxy_configuration['statistic-frontend-secure_access']) %}
{%- do furled.set(username = backend_haproxy_configuration['statistic-username']) %}
{%- do furled.set(password = backend_haproxy_configuration['statistic-password']) %}
......@@ -514,21 +514,21 @@ request-timeout = {{ dumps('' ~ configuration['request-timeout']) }}
backend-connect-timeout = {{ dumps('' ~ configuration['backend-connect-timeout']) }}
backend-connect-retries = {{ dumps('' ~ configuration['backend-connect-retries']) }}
[store-csr]
[template-expose-csr-link-csr]
recipe = plone.recipe.command
stop-on-error = False
update-command = ${:command}
csr_path = {{ directory['csr'] }}/${:filename}
csr_path = {{ directory['expose-csr'] }}/${:filename}
command =
ln -sf ${:csr} ${:csr_path}
[store-backend-haproxy-csr]
<= store-csr
[expose-csr-link-csr-backend-haproxy]
<= template-expose-csr-link-csr
filename = backend-haproxy-csr.pem
csr = {{ backend_haproxy_configuration['csr'] }}
[store-kedifa-csr]
<= store-csr
[expose-csr-link-csr-kedifa]
<= template-expose-csr-link-csr
filename = kedifa-csr.pem
csr = {{ kedifa_configuration['csr'] }}
......@@ -555,10 +555,10 @@ parts +=
cache-access = {{ cache_access }}
[certificate-csr]
[expose-csr-certificate]
recipe = plone.recipe.command
certificate = {{ directory['certificate-csr'] }}/certificate.pem
key = {{ directory['certificate-csr'] }}/key.pem
certificate = {{ directory['expose-csr-etc'] }}/certificate.pem
key = {{ directory['expose-csr-etc'] }}/key.pem
{#- Can be stopped on error, as does not rely on self provided service #}
stop-on-error = True
......@@ -573,46 +573,20 @@ command =
[expose-csr-configuration]
ip = ${slap-configuration:ipv6-random}
port = 17001
key = ${certificate-csr:key}
certificate = ${certificate-csr:certificate}
key = ${expose-csr-certificate:key}
certificate = ${expose-csr-certificate:certificate}
error-log = {{ directory['log'] }}/expose-csr.log
var = {{ directory['expose-csr-var'] }}
pid = {{ directory['var'] }}/nginx-expose-csr.pid
root = {{ directory['expose-csr'] }}
nginx_mime = {{ software_parameter_dict['nginx_mime'] }}
[expose-csr-template]
recipe = slapos.recipe.template:jinja2
var = {{ directory['expose-csr-var'] }}
pid = {{ directory['var'] }}/nginx-expose-csr.pid
rendered = {{ directory['etc'] }}/nginx-expose-csr.conf
template = inline:
daemon off;
pid ${:pid};
error_log ${expose-csr-configuration:error-log};
events {
}
http {
include {{ software_parameter_dict['nginx_mime'] }};
server {
server_name_in_redirect off;
port_in_redirect off;
error_log ${expose-csr-configuration:error-log};
access_log /dev/null;
listen [${expose-csr-configuration:ip}]:${expose-csr-configuration:port} ssl;
ssl_certificate ${expose-csr-configuration:certificate};
ssl_certificate_key ${expose-csr-configuration:key};
default_type application/octet-stream;
client_body_temp_path ${:var} 1 2;
proxy_temp_path ${:var} 1 2;
fastcgi_temp_path ${:var} 1 2;
uwsgi_temp_path ${:var} 1 2;
scgi_temp_path ${:var} 1 2;
location / {
alias {{ directory['csr'] }}/;
autoindex off;
sendfile on;
sendfile_max_chunk 1m;
}
}
}
rendered = {{ directory['expose-csr-etc'] }}/nginx.conf
template = {{ template_expose_csr_nginx_conf }}
context =
section configuration expose-csr-configuration
[promise-expose-csr-ip-port]
<= monitor-promise-base
......@@ -630,10 +604,10 @@ url = https://[${expose-csr-configuration:ip}]:${expose-csr-configuration:port}
wrapper-path = {{ directory['service'] }}/expose-csr
hash-existing-files = ${buildout:directory}/software_release/buildout.cfg
[get-csr-certificate]
[expose-csr-certificate-get]
recipe = collective.recipe.shelloutput
commands =
certificate = cat ${certificate-csr:certificate}
certificate = cat ${expose-csr-certificate:certificate}
[promise-logrotate-setup]
<= monitor-promise-base
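Review bot: `[template-expose-csr-link-csr]` is a buildout macro base that the two `expose-csr-link-csr-*` sections extend with `<=`, not a rendered jinja2 template like `[expose-csr-template]` a few lines below, so the `template-` prefix the commit introduces for it is misleading in a file where that prefix otherwise means a file rendered from `software_parameter_dict`. A one-line comment above the section would prevent the confusion: `# macro: extended below by expose-csr-link-csr-backend-haproxy / -kedifa, never rendered on its own`. Each concrete section also only supplies `filename` and `csr`, so it is worth stating in that comment that `csr` must be an absolute path, since `ln -sf ${:csr} ${:csr_path}` would otherwise create a dangling relative link inside the served `expose-csr` directory.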
......
daemon off;
pid {{ configuration['pid'] }};
error_log {{ configuration['error-log'] }};
events {
}
http {
include {{ configuration['nginx_mime'] }};
server {
server_name_in_redirect off;
port_in_redirect off;
error_log {{ configuration['error-log'] }};
access_log /dev/null;
listen [{{ configuration['ip'] }}]:{{ configuration['port'] }} ssl;
ssl_certificate {{ configuration['certificate'] }};
ssl_certificate_key {{ configuration['key'] }};
default_type application/octet-stream;
client_body_temp_path {{ configuration['var'] }} 1 2;
proxy_temp_path {{ configuration['var'] }} 1 2;
fastcgi_temp_path {{ configuration['var'] }} 1 2;
uwsgi_temp_path {{ configuration['var'] }} 1 2;
scgi_temp_path {{ configuration['var'] }} 1 2;
location / {
alias {{ configuration['root'] }}/;
autoindex off;
sendfile on;
sendfile_max_chunk 1m;
}
}
}
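Review bot: The `listen [...]:... ssl;` server in the new template sets no `ssl_protocols` or `ssl_ciphers`, so the TLS policy is whatever the bundled nginx build compiled in as its default, which on older builds presumably still admits TLSv1.0/1.1; since `csr-certificate` is published next to `kedifa-csr-url`, apparently so the fetching side can pin this server's certificate, the transport's integrity is the only thing stopping a substituted CSR from being signed, so pin the policy explicitly with `ssl_protocols TLSv1.2 TLSv1.3;` right after `ssl_certificate_key`. `access_log /dev/null;` also discards the only record of who fetched which CSR; if that is deliberate (no rotation for this log), say so in a comment, otherwise point it at a file in the same directory as `configuration['error-log']`. Finally, the served tree is populated by `ln -sf` into `configuration['root']`, so the server relies on nginx's default symlink following; add above `alias`: `# CSRs are symlinked into root by the expose-csr-link-csr-* sections; do not set disable_symlinks`.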