{software,stack}/caucase: Dissociate bind IP & port with CRL distribution point URL

Allows defining a domain name pointing at caucase's IP, and a custom port pointing at whatever port caucase is being made available on to all services and users. This makes it possible to change caucased's IP address without having to reissue all certificates when certificate-validating library given a caucased-issued certificate tries to access the CRL distriution point. software/caucase still pusblishes the plain IP & port allocated by slapos.

{software,stack}/caucase: Dissociate bind IP & port with CRL distribution point URL
Allows defining a domain name pointing at caucase's IP, and a custom port pointing at whatever port caucase is being made available on to all services and users. This makes it possible to change caucased's IP address without having to reissue all certificates when certificate-validating library given a caucased-issued certificate tries to access the CRL distriution point. software/caucase still pusblishes the plain IP & port allocated by slapos.
caedeaf8 · Vincent Pelletier · 104c3350 · caedeaf8 · caedeaf8 · caedeaf8
Commit caedeaf8 authored Oct 28, 2024 by Vincent Pelletier
6 changed files
--- a/software/caucase/buildout.hash.cfg
+++ b/software/caucase/buildout.hash.cfg
@@ -15,7 +15,7 @@
 # not need these here).
 [instance-caucased]
 filename = instance-caucased.cfg.jinja2
-md5sum = 2e7c1d8c553b398dd68c875a9fa38cdb
+md5sum = 9a9241dc87c9bda91ab2958bf874240a

 [instance]
 filename = instance.cfg.jinja2

--- a/software/caucase/instance-caucase-input-schema.json
+++ b/software/caucase/instance-caucase-input-schema.json
@@ -13,6 +13,12 @@
    "external-url": {
      "$comment": "(deprecated)"
    },
+    "external-netloc": {
+      "title": "External netloc",
+      "description": "When provided, this is used as netloc in the CRL distribution point extension in issued certificates. Setting up that domain and routing accesses to the IP and ports caucased binds to is outside the scope of this software-release. Otherwise, instead of the caucased bind IP and port are used (preventing caucased relocation).",
+      "type": "string",
+      "format": "uri"
+    },
    "service-auto-approve-amount": {
      "title": "Number of service certificate requests to automatically approve",
      "description": "Once that number has been reached, a user must validate further requests. Renewals do not count toward this number. Cannot be changed once set.",

--- a/software/caucase/instance-caucase-output-schema.json
+++ b/software/caucase/instance-caucase-output-schema.json
@@ -3,7 +3,8 @@
  "description": "Values returned by Caucase instantiation",
  "properties": {
    "url": {
-      "description": "Caucase URL",
+      "title": "Caucase URL",
+      "description": "This contains the plain IP and port caucasd binds to, indepencently from external-netloc parameter.",
      "type": "string"
    }
  },

--- a/software/caucase/instance-caucased.cfg.jinja2
+++ b/software/caucase/instance-caucased.cfg.jinja2
 {% import "caucase" as caucase with context %}
-{% set netloc = '[' ~ (ipv6_set | list)[0] ~ ']:' ~ slapparameter_dict.get('base-port', 8009) -%}
+{% set bind = (ipv6_set | list)[0] -%}
+{% set base_port = slapparameter_dict.get('base-port', 8009) -%}
+{% set default_netloc = '[' ~ bind ~ ']:' ~ base_port -%}

 [directory]
 recipe = slapos.cookbook:mkdirectory
@@ -13,16 +15,18 @@ tmp = ${buildout:directory}/tmp
  buildout_bin_directory=bin_directory,
  caucased_path='${directory:service-on-watch}/caucased',
  data_dir='${directory:srv}/caucased',
-  netloc=netloc,
+  netloc=slapparameter_dict.get('external-netloc', default_netloc),
  tmp='%{directory:tmp}',
  service_auto_approve_count=slapparameter_dict.get('service-auto-approve-amount', 0),
  user_auto_approve_count=slapparameter_dict.get('user-auto-approve-amount', 1),
  key_len=slapparameter_dict.get('key-length', 2048),
+  bind=bind,
+  base_port=base_port,
 ) }}

 [publish]
 recipe = slapos.cookbook:publish.serialised
-url = {{ dumps('http://' ~ netloc) }}
+url = {{ dumps('http://' ~ default_netloc) }}

 [buildout]
 parts =

--- a/stack/caucase/buildout.hash.cfg
+++ b/stack/caucase/buildout.hash.cfg
@@ -15,4 +15,4 @@

 [caucase-jinja2-library]
 filename = caucase.jinja2.library
-md5sum = a16311ab9a8965ea9020929c7100209b
+md5sum = 11807649cec3fad190e79a7e80aa6a0e
--- a/stack/caucase/caucase.jinja2.library
+++ b/stack/caucase/caucase.jinja2.library
@@ -9,6 +9,8 @@
  user_auto_approve_count=1,
  key_len=None,
  backup_dir=None,
+  bind=None,
+  base_port=None,
  promise=True
 ) -%}
 [{{ prefix }}-directory]
@@ -28,6 +30,8 @@ command-line = '{{ buildout_bin_directory }}/caucased'
  --db          '${ {{- prefix }}-directory:data-dir}/caucase.sqlite'
  --server-key  '${ {{- prefix }}-directory:data-dir}/server.key.pem'
  --netloc      '{{ netloc }}'
+  {% if bind != None %}--bind '{{ bind }}' {%- endif %}
+  {% if base_port != None %}--base-port '{{ base_port }}' {%- endif %}
  {% if key_len %}--key-len '{{ key_len }}' {%- endif %}
  {% if backup_dir %}--backup-directory {{ backup_dir }} {%- endif %}
  --service-auto-approve-count '{{ service_auto_approve_count }}'