Commit 6a531a74 authored by Łukasz Nowak's avatar Łukasz Nowak

caddy-frontend: Cleanup CSR exposure

Cleanups:

 * simplify nginx management with real template
 * rename sections to provide explanation in their name so it's less cryptic
parent 9ff5eccf
...@@ -22,7 +22,7 @@ md5sum = 5784bea3bd608913769ff9a8afcccb68 ...@@ -22,7 +22,7 @@ md5sum = 5784bea3bd608913769ff9a8afcccb68
[profile-caddy-frontend] [profile-caddy-frontend]
filename = instance-apache-frontend.cfg.in filename = instance-apache-frontend.cfg.in
md5sum = 334d0613557849cdbdea769510ba0cca md5sum = 3e3021b86c3cfe93553489441da85496
[profile-caddy-replicate] [profile-caddy-replicate]
filename = instance-apache-replicate.cfg.in filename = instance-apache-replicate.cfg.in
...@@ -30,7 +30,7 @@ md5sum = c028f1c5947494e7f25cf8266a3ecd2d ...@@ -30,7 +30,7 @@ md5sum = c028f1c5947494e7f25cf8266a3ecd2d
[profile-slave-list] [profile-slave-list]
_update_hash_filename_ = templates/apache-custom-slave-list.cfg.in _update_hash_filename_ = templates/apache-custom-slave-list.cfg.in
md5sum = cc3c94eefd5659c82df1c894226d6b08 md5sum = 6b6ab13d82bf9ecff6a37c3402ddbf95
[profile-replicate-publish-slave-information] [profile-replicate-publish-slave-information]
_update_hash_filename_ = templates/replicate-publish-slave-information.cfg.in _update_hash_filename_ = templates/replicate-publish-slave-information.cfg.in
...@@ -102,7 +102,7 @@ md5sum = b41b8de115ad815d0b0db306ad650365 ...@@ -102,7 +102,7 @@ md5sum = b41b8de115ad815d0b0db306ad650365
[profile-kedifa] [profile-kedifa]
filename = instance-kedifa.cfg.in filename = instance-kedifa.cfg.in
md5sum = f29cf4e9591f8892430693a8915c5aba md5sum = 88f3a8cc30d3cf30f4bd2797f5c16221
[template-backend-haproxy-rsyslogd-conf] [template-backend-haproxy-rsyslogd-conf]
_update_hash_filename_ = templates/backend-haproxy-rsyslogd.conf.in _update_hash_filename_ = templates/backend-haproxy-rsyslogd.conf.in
...@@ -111,3 +111,7 @@ md5sum = 3336d554661b138dcef97b1d1866803c ...@@ -111,3 +111,7 @@ md5sum = 3336d554661b138dcef97b1d1866803c
[template-slave-introspection-httpd-nginx] [template-slave-introspection-httpd-nginx]
_update_hash_filename_ = templates/slave-introspection-httpd-nginx.conf.in _update_hash_filename_ = templates/slave-introspection-httpd-nginx.conf.in
md5sum = 3067e6ba6c6901821d57d2109517d39c md5sum = 3067e6ba6c6901821d57d2109517d39c
[template-expose-csr-nginx-conf]
_update_hash_filename_ = templates/expose-csr-nginx.conf.in
md5sum = 5620baa8819fcc8340fa6777ee551a1a
...@@ -90,8 +90,8 @@ bbb-ssl-dir = ${:srv}/bbb-ssl ...@@ -90,8 +90,8 @@ bbb-ssl-dir = ${:srv}/bbb-ssl
frontend_cluster = ${:var}/frontend_cluster frontend_cluster = ${:var}/frontend_cluster
# CSR publication # CSR publication
csr = ${:srv}/csr expose-csr = ${:srv}/expose-csr
certificate-csr = ${:etc}/certificate-csr expose-csr-etc = ${:etc}/expose-csr
expose-csr-var = ${:var}/expose-csr expose-csr-var = ${:var}/expose-csr
# slave introspection # slave introspection
...@@ -179,6 +179,7 @@ template-empty = {{ software_parameter_dict['template_empty'] }} ...@@ -179,6 +179,7 @@ template-empty = {{ software_parameter_dict['template_empty'] }}
template-default-slave-virtualhost = {{ software_parameter_dict['template_default_slave_virtualhost'] }} template-default-slave-virtualhost = {{ software_parameter_dict['template_default_slave_virtualhost'] }}
template-backend-haproxy-configuration = {{ software_parameter_dict['template_backend_haproxy_configuration'] }} template-backend-haproxy-configuration = {{ software_parameter_dict['template_backend_haproxy_configuration'] }}
template-backend-haproxy-rsyslogd-conf = {{ software_parameter_dict['template_backend_haproxy_rsyslogd_conf'] }} template-backend-haproxy-rsyslogd-conf = {{ software_parameter_dict['template_backend_haproxy_rsyslogd_conf'] }}
template-expose-csr-nginx-conf = {{ software_parameter_dict['template_expose_csr_nginx_conf'] }}
[kedifa-login-config] [kedifa-login-config]
d = ${directory:ca-dir} d = ${directory:ca-dir}
...@@ -300,6 +301,7 @@ extra-context = ...@@ -300,6 +301,7 @@ extra-context =
key global_ipv6 slap-configuration:ipv6-random key global_ipv6 slap-configuration:ipv6-random
key empty_template software-release-path:template-empty key empty_template software-release-path:template-empty
key template_default_slave_configuration software-release-path:template-default-slave-virtualhost key template_default_slave_configuration software-release-path:template-default-slave-virtualhost
key template_expose_csr_nginx_conf software-release-path:template-expose-csr-nginx-conf
key software_type :software_type key software_type :software_type
key frontend_lazy_graceful_reload frontend-caddy-lazy-graceful:rendered key frontend_lazy_graceful_reload frontend-caddy-lazy-graceful:rendered
key monitor_base_url monitor-instance-parameter:monitor-base-url key monitor_base_url monitor-instance-parameter:monitor-base-url
......
...@@ -74,8 +74,8 @@ backup-caucased = ${:backup}/caucased ...@@ -74,8 +74,8 @@ backup-caucased = ${:backup}/caucased
reservation = ${:srv}/reservation reservation = ${:srv}/reservation
# CSR publication # CSR publication
csr = ${:srv}/csr expose-csr = ${:srv}/expose-csr
certificate-csr = ${:var}/certificate-csr expose-csr-etc = ${:etc}/expose-csr
expose-csr-var = ${:var}/expose-csr expose-csr-var = ${:var}/expose-csr
[kedifa-csr] [kedifa-csr]
...@@ -112,19 +112,19 @@ stop-on-error = True ...@@ -112,19 +112,19 @@ stop-on-error = True
template_csr='${kedifa-csr:template-csr}' template_csr='${kedifa-csr:template-csr}'
)}} )}}
[store-csr] [expose-csr-link-csr]
recipe = plone.recipe.command recipe = plone.recipe.command
filename = csr.pem filename = csr.pem
csr_path = ${directory:csr}/${:filename} csr_path = ${directory:expose-csr}/${:filename}
stop-on-error = False stop-on-error = False
update-command = ${:command} update-command = ${:command}
command = command =
ln -sf ${caucase-updater-csr:csr} ${:csr_path} ln -sf ${caucase-updater-csr:csr} ${:csr_path}
[certificate-csr] [expose-csr-certificate]
recipe = plone.recipe.command recipe = plone.recipe.command
certificate = ${directory:certificate-csr}/certificate.pem certificate = ${directory:expose-csr-etc}/certificate.pem
key = ${directory:certificate-csr}/key.pem key = ${directory:expose-csr-etc}/key.pem
{#- Can be stopped on error, as does not rely on self provided service #} {#- Can be stopped on error, as does not rely on self provided service #}
stop-on-error = True stop-on-error = True
...@@ -139,46 +139,20 @@ command = ...@@ -139,46 +139,20 @@ command =
[expose-csr-configuration] [expose-csr-configuration]
ip = {{ instance_parameter_dict['ipv6-random'] }} ip = {{ instance_parameter_dict['ipv6-random'] }}
port = 17000 port = 17000
key = ${certificate-csr:key} key = ${expose-csr-certificate:key}
certificate = ${certificate-csr:certificate} certificate = ${expose-csr-certificate:certificate}
error-log = ${directory:log}/expose-csr.log error-log = ${directory:log}/expose-csr.log
var = ${directory:expose-csr-var}
pid = ${directory:var}/nginx-expose-csr.pid
root = ${directory:expose-csr}
nginx_mime = {{ software_parameter_dict['nginx_mime'] }}
[expose-csr-template] [expose-csr-template]
recipe = slapos.recipe.template:jinja2 recipe = slapos.recipe.template:jinja2
var = ${directory:expose-csr-var} rendered = ${directory:expose-csr-etc}/nginx.conf
pid = ${directory:var}/nginx-expose-csr.pid template = {{ software_parameter_dict['template_expose_csr_nginx_conf'] }}
rendered = ${directory:etc}/nginx-expose-csr.conf context =
template = inline: section configuration expose-csr-configuration
daemon off;
pid ${:pid};
error_log ${expose-csr-configuration:error-log};
events {
}
http {
include {{ software_parameter_dict['nginx_mime'] }};
server {
server_name_in_redirect off;
port_in_redirect off;
error_log ${expose-csr-configuration:error-log};
access_log /dev/null;
listen [${expose-csr-configuration:ip}]:${expose-csr-configuration:port} ssl;
ssl_certificate ${expose-csr-configuration:certificate};
ssl_certificate_key ${expose-csr-configuration:key};
default_type application/octet-stream;
client_body_temp_path ${:var} 1 2;
proxy_temp_path ${:var} 1 2;
fastcgi_temp_path ${:var} 1 2;
uwsgi_temp_path ${:var} 1 2;
scgi_temp_path ${:var} 1 2;
location / {
alias ${directory:csr}/;
autoindex off;
sendfile on;
sendfile_max_chunk 1m;
}
}
}
[promise-expose-csr-ip-port] [promise-expose-csr-ip-port]
<= monitor-promise-base <= monitor-promise-base
...@@ -196,10 +170,10 @@ url = https://[${expose-csr-configuration:ip}]:${expose-csr-configuration:port} ...@@ -196,10 +170,10 @@ url = https://[${expose-csr-configuration:ip}]:${expose-csr-configuration:port}
wrapper-path = ${directory:service}/expose-csr wrapper-path = ${directory:service}/expose-csr
hash-existing-files = ${buildout:directory}/software_release/buildout.cfg hash-existing-files = ${buildout:directory}/software_release/buildout.cfg
[get-csr-certificate] [expose-csr-certificate-get]
recipe = collective.recipe.shelloutput recipe = collective.recipe.shelloutput
commands = commands =
certificate = cat ${certificate-csr:certificate} certificate = cat ${expose-csr-certificate:certificate}
[jinja2-template-base] [jinja2-template-base]
recipe = slapos.recipe.template:jinja2 recipe = slapos.recipe.template:jinja2
...@@ -314,8 +288,8 @@ caucase-url = {{ caucase_url }} ...@@ -314,8 +288,8 @@ caucase-url = {{ caucase_url }}
master-key-generate-auth-url = https://[${kedifa-config:ip}]:${kedifa-config:port}/${master-auth-random:passwd}/generateauth master-key-generate-auth-url = https://[${kedifa-config:ip}]:${kedifa-config:port}/${master-auth-random:passwd}/generateauth
master-key-upload-url = https://[${kedifa-config:ip}]:${kedifa-config:port}/${master-auth-random:passwd}?auth= master-key-upload-url = https://[${kedifa-config:ip}]:${kedifa-config:port}/${master-auth-random:passwd}?auth=
master-key-download-url = https://[${kedifa-config:ip}]:${kedifa-config:port}/${master-auth-random:passwd} master-key-download-url = https://[${kedifa-config:ip}]:${kedifa-config:port}/${master-auth-random:passwd}
kedifa-csr-url = ${expose-csr:url}/${store-csr:filename} kedifa-csr-url = ${expose-csr:url}/${expose-csr-link-csr:filename}
csr-certificate = ${get-csr-certificate:certificate} csr-certificate = ${expose-csr-certificate-get:certificate}
monitor-base-url = ${monitor-instance-parameter:monitor-base-url} monitor-base-url = ${monitor-instance-parameter:monitor-base-url}
[promise-logrotate-setup] [promise-logrotate-setup]
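Review bot: The rendered nginx configuration moves from `${directory:etc}/nginx-expose-csr.conf` to `${directory:expose-csr-etc}/nginx.conf` in `[expose-csr-template]`, but the wrapper section that launches nginx (its `wrapper-path` / `hash-existing-files` lines are visible, its command line is outside the hunk) is not shown to follow; if it names the old path literally rather than `${expose-csr-template:rendered}`, the service keeps starting with a stale file from earlier deployments. Worth confirming the wrapper references the section value, and noting in a comment above `rendered` that `expose-csr-etc` now holds the config next to `certificate.pem` and `key.pem` of `[expose-csr-certificate]`, so the directory's permissions must stay suitable for a private key, `# nginx.conf shares expose-csr-etc with the TLS key; keep the directory private`. The same relocation appears in the slave-list template's `[expose-csr-template]` (the `rendered = {{ directory['expose-csr-etc'] }}/nginx.conf` hunk further down) and deserves the same check.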
......
...@@ -99,6 +99,7 @@ template_trafficserver_records_config = ${template-trafficserver-records-config: ...@@ -99,6 +99,7 @@ template_trafficserver_records_config = ${template-trafficserver-records-config:
template_trafficserver_storage_config = ${template-trafficserver-storage-config:target} template_trafficserver_storage_config = ${template-trafficserver-storage-config:target}
template_validate_script = ${template-validate-script:target} template_validate_script = ${template-validate-script:target}
template_wrapper = ${template-wrapper:output} template_wrapper = ${template-wrapper:output}
template_expose_csr_nginx_conf = ${template-expose-csr-nginx-conf:target}
# directories # directories
bin_directory = ${buildout:bin-directory} bin_directory = ${buildout:bin-directory}
...@@ -205,6 +206,9 @@ output = ${buildout:directory}/template-wrapper.cfg ...@@ -205,6 +206,9 @@ output = ${buildout:directory}/template-wrapper.cfg
[template-backend-haproxy-rsyslogd-conf] [template-backend-haproxy-rsyslogd-conf]
<=download-template <=download-template
[template-expose-csr-nginx-conf]
<=download-template
[versions] [versions]
kedifa = 0.0.6 kedifa = 0.0.6
# Modern KeDiFa requires zc.lockfile # Modern KeDiFa requires zc.lockfile
......
...@@ -453,9 +453,9 @@ recipe = slapos.cookbook:publish.serialised ...@@ -453,9 +453,9 @@ recipe = slapos.cookbook:publish.serialised
slave-instance-information-list = {{ json_module.dumps(slave_instance_information_list, sort_keys=True) }} slave-instance-information-list = {{ json_module.dumps(slave_instance_information_list, sort_keys=True) }}
{%- endif %} {%- endif %}
monitor-base-url = {{ monitor_base_url }} monitor-base-url = {{ monitor_base_url }}
kedifa-csr-url = ${expose-csr:url}/${store-kedifa-csr:filename} kedifa-csr-url = ${expose-csr:url}/${expose-csr-link-csr-kedifa:filename}
backend-client-csr-url = ${expose-csr:url}/${store-backend-haproxy-csr:filename} backend-client-csr-url = ${expose-csr:url}/${expose-csr-link-csr-backend-haproxy:filename}
csr-certificate = ${get-csr-certificate:certificate} csr-certificate = ${expose-csr-certificate-get:certificate}
{%- set furled = furl_module.furl(backend_haproxy_configuration['statistic-frontend-secure_access']) %} {%- set furled = furl_module.furl(backend_haproxy_configuration['statistic-frontend-secure_access']) %}
{%- do furled.set(username = backend_haproxy_configuration['statistic-username']) %} {%- do furled.set(username = backend_haproxy_configuration['statistic-username']) %}
{%- do furled.set(password = backend_haproxy_configuration['statistic-password']) %} {%- do furled.set(password = backend_haproxy_configuration['statistic-password']) %}
...@@ -514,21 +514,21 @@ request-timeout = {{ dumps('' ~ configuration['request-timeout']) }} ...@@ -514,21 +514,21 @@ request-timeout = {{ dumps('' ~ configuration['request-timeout']) }}
backend-connect-timeout = {{ dumps('' ~ configuration['backend-connect-timeout']) }} backend-connect-timeout = {{ dumps('' ~ configuration['backend-connect-timeout']) }}
backend-connect-retries = {{ dumps('' ~ configuration['backend-connect-retries']) }} backend-connect-retries = {{ dumps('' ~ configuration['backend-connect-retries']) }}
[store-csr] [template-expose-csr-link-csr]
recipe = plone.recipe.command recipe = plone.recipe.command
stop-on-error = False stop-on-error = False
update-command = ${:command} update-command = ${:command}
csr_path = {{ directory['csr'] }}/${:filename} csr_path = {{ directory['expose-csr'] }}/${:filename}
command = command =
ln -sf ${:csr} ${:csr_path} ln -sf ${:csr} ${:csr_path}
[store-backend-haproxy-csr] [expose-csr-link-csr-backend-haproxy]
<= store-csr <= template-expose-csr-link-csr
filename = backend-haproxy-csr.pem filename = backend-haproxy-csr.pem
csr = {{ backend_haproxy_configuration['csr'] }} csr = {{ backend_haproxy_configuration['csr'] }}
[store-kedifa-csr] [expose-csr-link-csr-kedifa]
<= store-csr <= template-expose-csr-link-csr
filename = kedifa-csr.pem filename = kedifa-csr.pem
csr = {{ kedifa_configuration['csr'] }} csr = {{ kedifa_configuration['csr'] }}
...@@ -555,10 +555,10 @@ parts += ...@@ -555,10 +555,10 @@ parts +=
cache-access = {{ cache_access }} cache-access = {{ cache_access }}
[certificate-csr] [expose-csr-certificate]
recipe = plone.recipe.command recipe = plone.recipe.command
certificate = {{ directory['certificate-csr'] }}/certificate.pem certificate = {{ directory['expose-csr-etc'] }}/certificate.pem
key = {{ directory['certificate-csr'] }}/key.pem key = {{ directory['expose-csr-etc'] }}/key.pem
{#- Can be stopped on error, as does not rely on self provided service #} {#- Can be stopped on error, as does not rely on self provided service #}
stop-on-error = True stop-on-error = True
...@@ -573,46 +573,20 @@ command = ...@@ -573,46 +573,20 @@ command =
[expose-csr-configuration] [expose-csr-configuration]
ip = ${slap-configuration:ipv6-random} ip = ${slap-configuration:ipv6-random}
port = 17001 port = 17001
key = ${certificate-csr:key} key = ${expose-csr-certificate:key}
certificate = ${certificate-csr:certificate} certificate = ${expose-csr-certificate:certificate}
error-log = {{ directory['log'] }}/expose-csr.log error-log = {{ directory['log'] }}/expose-csr.log
var = {{ directory['expose-csr-var'] }}
pid = {{ directory['var'] }}/nginx-expose-csr.pid
root = {{ directory['expose-csr'] }}
nginx_mime = {{ software_parameter_dict['nginx_mime'] }}
[expose-csr-template] [expose-csr-template]
recipe = slapos.recipe.template:jinja2 recipe = slapos.recipe.template:jinja2
var = {{ directory['expose-csr-var'] }} rendered = {{ directory['expose-csr-etc'] }}/nginx.conf
pid = {{ directory['var'] }}/nginx-expose-csr.pid template = {{ template_expose_csr_nginx_conf }}
rendered = {{ directory['etc'] }}/nginx-expose-csr.conf context =
template = inline: section configuration expose-csr-configuration
daemon off;
pid ${:pid};
error_log ${expose-csr-configuration:error-log};
events {
}
http {
include {{ software_parameter_dict['nginx_mime'] }};
server {
server_name_in_redirect off;
port_in_redirect off;
error_log ${expose-csr-configuration:error-log};
access_log /dev/null;
listen [${expose-csr-configuration:ip}]:${expose-csr-configuration:port} ssl;
ssl_certificate ${expose-csr-configuration:certificate};
ssl_certificate_key ${expose-csr-configuration:key};
default_type application/octet-stream;
client_body_temp_path ${:var} 1 2;
proxy_temp_path ${:var} 1 2;
fastcgi_temp_path ${:var} 1 2;
uwsgi_temp_path ${:var} 1 2;
scgi_temp_path ${:var} 1 2;
location / {
alias {{ directory['csr'] }}/;
autoindex off;
sendfile on;
sendfile_max_chunk 1m;
}
}
}
[promise-expose-csr-ip-port] [promise-expose-csr-ip-port]
<= monitor-promise-base <= monitor-promise-base
...@@ -630,10 +604,10 @@ url = https://[${expose-csr-configuration:ip}]:${expose-csr-configuration:port} ...@@ -630,10 +604,10 @@ url = https://[${expose-csr-configuration:ip}]:${expose-csr-configuration:port}
wrapper-path = {{ directory['service'] }}/expose-csr wrapper-path = {{ directory['service'] }}/expose-csr
hash-existing-files = ${buildout:directory}/software_release/buildout.cfg hash-existing-files = ${buildout:directory}/software_release/buildout.cfg
[get-csr-certificate] [expose-csr-certificate-get]
recipe = collective.recipe.shelloutput recipe = collective.recipe.shelloutput
commands = commands =
certificate = cat ${certificate-csr:certificate} certificate = cat ${expose-csr-certificate:certificate}
[promise-logrotate-setup] [promise-logrotate-setup]
<= monitor-promise-base <= monitor-promise-base
......
daemon off;
pid {{ configuration['pid'] }};
error_log {{ configuration['error-log'] }};
events {
}
http {
include {{ configuration['nginx_mime'] }};
server {
server_name_in_redirect off;
port_in_redirect off;
error_log {{ configuration['error-log'] }};
access_log /dev/null;
listen [{{ configuration['ip'] }}]:{{ configuration['port'] }} ssl;
ssl_certificate {{ configuration['certificate'] }};
ssl_certificate_key {{ configuration['key'] }};
default_type application/octet-stream;
client_body_temp_path {{ configuration['var'] }} 1 2;
proxy_temp_path {{ configuration['var'] }} 1 2;
fastcgi_temp_path {{ configuration['var'] }} 1 2;
uwsgi_temp_path {{ configuration['var'] }} 1 2;
scgi_temp_path {{ configuration['var'] }} 1 2;
location / {
alias {{ configuration['root'] }}/;
autoindex off;
sendfile on;
sendfile_max_chunk 1m;
}
}
}
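Review bot: The extracted template pins no TLS settings for the `listen ... ssl;` server, so the protocol and cipher set depends entirely on the nginx build defaults of whatever version is deployed; since the only purpose of this listener is to serve a CSR and its certificate over HTTPS, an explicit `ssl_protocols TLSv1.2 TLSv1.3;` directly below `ssl_certificate_key {{ configuration['key'] }};` would make the exposure surface independent of the build. Note also that `access_log /dev/null;` is carried over, so there is no record of who fetched the CSR should that ever need to be traced; if that is intentional it deserves a one-line comment. The file has no header describing the `configuration` keys it consumes (`pid`, `error-log`, `nginx_mime`, `ip`, `port`, `certificate`, `key`, `var`, `root`); a leading `{# rendered by [expose-csr-template]; context keys come from [expose-csr-configuration] #}` would tell readers where each value originates.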