Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
slapos
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Analytics
Analytics
CI / CD
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Léo-Paul Géneau
slapos
Commits
27ce939c
Commit
27ce939c
authored
Dec 10, 2021
by
Alain Takoudjou
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
repman: Use caucase for repman and mariadb ssl certificate
parent
3d49e677
Changes
5
Hide whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
168 additions
and
38 deletions
+168
-38
software/repman/buildout.hash.cfg
software/repman/buildout.hash.cfg
+3
-3
software/repman/instance-mariadb.cfg.jinja2.in
software/repman/instance-mariadb.cfg.jinja2.in
+56
-11
software/repman/instance-repman.cfg.jinja2.in
software/repman/instance-repman.cfg.jinja2.in
+99
-22
software/repman/instance.cfg.in
software/repman/instance.cfg.in
+4
-0
software/repman/software.cfg
software/repman/software.cfg
+6
-2
No files found.
software/repman/buildout.hash.cfg
View file @
27ce939c
...
...
@@ -14,11 +14,11 @@
# not need these here).
[instance.cfg]
filename = instance.cfg.in
md5sum =
9aeb37bd4590aa7fa746ef70d78cc0d0
md5sum =
af2fc4a7a0f782fed2cb1112ef3cb397
[instance-repman.cfg]
_update_hash_filename_ = instance-repman.cfg.jinja2.in
md5sum =
e5b2d17e6ef5448e851521fee612f0c4
md5sum =
d9151fe9f86fb1700c6c33d30a750837
[config-toml.in]
_update_hash_filename_ = templates/config.toml.in
...
...
@@ -34,7 +34,7 @@ md5sum = 0eeb24c6aa0760f0d33c4cc2828ddf30
[template-mariadb.cfg]
_update_hash_filename_ = instance-mariadb.cfg.jinja2.in
md5sum =
284cf030eeba4bdcc884908b2d730e47
md5sum =
cfbbf574c1f755855022b1bcd6e6ff64
[template-my-cnf]
_update_hash_filename_ = templates/my.cnf.in
...
...
software/repman/instance-mariadb.cfg.jinja2.in
View file @
27ce939c
...
...
@@ -21,6 +21,7 @@ database-host = {{ host }}:{{ port }}
monitor-base-url = ${monitor-publish-parameters:monitor-base-url}
partition-path = ${buildout:directory}
receiver-port = ${dbjob-parameter:socat-port}
csr-id = ${caucase-csr-id:csr-id}
[jinja2-template-base]
recipe = slapos.recipe.template:jinja2
...
...
@@ -62,6 +63,50 @@ context = key content {{content_section_name}}:content
mode = {{ mode }}
{%- endmacro %}
{% import "caucase" as caucase with context %}
{{ caucase.updater(
prefix='caucase-updater',
buildout_bin_directory=buildout_bin_directory,
updater_path='${directory:services}/caucase-updater',
url=slapparameter_dict['caucase-url'],
data_dir='${directory:srv}/caucase-updater',
crt_path='${directory:ssl}/mariadb-cert.crt',
ca_path='${directory:srv}/caucase-updater/ca.crt',
crl_path='${directory:srv}/caucase-updater/crl.pem',
key_path='${directory:ssl}/mariadb-cert.key',
on_renew=None,
max_sleep=None,
template_csr_pem=None,
openssl=openssl_bin,
)}}
{% do part_list.append('caucase-updater') -%}
{% do part_list.append('caucase-updater-promise') -%}
[get-csr-id]
recipe = plone.recipe.command
output = ${directory:tmp}/csr_id
command =
if [ -s "${directory:ssl}/mariadb-cert.crt" ]; then
RESULT="None";
else
if [ -f "${caucase-updater-csr:csr}" ]; then
RESULT=$({{ caucase_bin_client }} --ca-url {{ slapparameter_dict['caucase-url'] }} --send-csr ${caucase-updater-csr:csr} | cut -d ' ' -f1)
if [ ! $? -eq 0 ]; then
RESULT="None";
fi
fi
fi
cat <<EOF > ${:output}
[caucase]
csr-id = $(echo $RESULT)
EOF
update-command = ${:command}
[caucase-csr-id]
recipe = slapos.cookbook:zero-knowledge.read
file-path = ${get-csr-id:output}
csr-id =
[my-cnf-parameters]
socket = ${directory:run}/mariadb.sock
ip = {{ ip }}
...
...
@@ -75,9 +120,9 @@ innodb-log-file-size = {{ dumps(slapparameter_dict.get('innodb-log-file-size', 0
innodb-file-per-table = {{ dumps(slapparameter_dict.get('innodb-file-per-table', 0)) }}
innodb-log-buffer-size = {{ dumps(slapparameter_dict.get('innodb-log-buffer-size', 0)) }}
relaxed-writes = {{ dumps(slapparameter_dict.get('relaxed-writes', False)) }}
ssl-crt = ${directory:
mariadb-ssl}/crt.pem
ssl-key = ${directory:
mariadb-ssl}/key.pem
ssl-ca-crt = ${
certificate-authority:ca-dir}/cacert.pem
ssl-crt = ${directory:
ssl}/mariadb-cert.crt
ssl-key = ${directory:
ssl}/mariadb-cert.key
ssl-ca-crt = ${
directory:srv}/caucase-updater/ca.crt
[my-cnf]
< = jinja2-template-base
...
...
@@ -152,18 +197,17 @@ environ =
{{ variable }}
{%- endfor %}
[ca-mysqld]
<= certificate-authority
recipe = slapos.cookbook:certificate_authority.request
key-file = ${my-cnf-parameters:ssl-key}
cert-file = ${my-cnf-parameters:ssl-crt}
executable = ${mysqld:rendered}
wrapper = ${directory:controller}/mariadb
[mysqld-launcher]
recipe = slapos.cookbook:wrapper
command-line = ${mysqld:rendered}
wrapper-path = ${directory:controller}/mariadb
wait-for-files =
${directory:ssl}/mariadb-cert.crt
{% import "supervisord_lib" as supervisord_lib with context %}
{{ supervisord_lib.supervisord("mariadb-ctl", buildout_bin_directory, supervisord_conf, use_service_hash=False) }}
{% do part_list.append("supervisord-mariadb-ctl") -%}
{% set maradb_program_dict = {"name": "mariadb", "command": "${
ca-mysqld:wrapper
}",
{% set maradb_program_dict = {"name": "mariadb", "command": "${
mysqld-launcher:wrapper-path
}",
"stopwaitsecs": 86400, "environment": [],
"stdout_logfile": "${directory:log}/mariadb_stdout.log",
"stderr_logfile": "${directory:log}/mariadb_stdout.log" } %}
...
...
@@ -262,6 +306,7 @@ log = ${:var}/log
run = ${:var}/run
config-tmp = ${:tmp}/config
custom = ${directory:etc}/mysql/custom
ssl = ${:etc}/ssl
[dbjob-parameter]
bash-bin = {{ bash_bin }}
...
...
software/repman/instance-repman.cfg.jinja2.in
View file @
27ce939c
...
...
@@ -12,6 +12,10 @@
{% set frontend_parameter_dict = slapparameter_dict.get('slave-frontend', {}) -%}
{% set database_slave_list = [] -%}
{% set db_name_list = [] -%}
{% set count = namespace(value=1) %}
{% set caucase_bind = '[' ~ ip ~ ']:8890' -%}
{% set caucase_url = 'http://' ~ caucase_bind -%}
{% set csrid_list = [] -%}
{% macro password(name) -%}
[{{ name }}-password]
...
...
@@ -34,6 +38,9 @@ log = ${:var}/log
data = ${:var}/lib
nginx-prefix = ${:var}/nginx
tmp = ${:home}/tmp
backup-caucased = ${:srv}/backup-caucased
caucased = ${:srv}/caucased
ssl = ${:etc}/ssl
{% import "supervisord_lib" as supervisord_lib with context %}
{% set proxysql_controller = "proxysql-ctl" -%}
...
...
@@ -48,6 +55,7 @@ key-file = ${slap-connection:key-file}
cert-file = ${slap-connection:cert-file}
computer-id = ${slap-connection:computer-id}
partition-id = ${slap-connection:partition-id}
config-caucase-url = {{ caucase_url }}
[download-proxy-config]
recipe = slapos.recipe.template:jinja2
...
...
@@ -100,6 +108,7 @@ mode = 755
{% set db_amount = 2 -%}
{% endif -%}
{% set count.value = count.value + db_amount %}
{% for i in range(0, db_amount) -%}
{% do mariadb_dict.__setitem__('tcp-port', 2099 + (i * 100)) -%}
{% set section = 'request-mariadb-' ~ i -%}
...
...
@@ -125,17 +134,19 @@ config-cluster = {{ name }}
config-name = {{ dbname }}
config-database-list = !py!{{ database_slave_list }}
config-database-name = {{ dumps(db_list) }}
return =
return =
database-host
receiver-port
monitor-base-url
partition-path
csr-id
{% do part_list.append(section) -%}
{% do mariadb_server_list.append('${' ~ section ~ ':connection-database-host}') -%}
{% do receiver_port_list.append('${' ~ section ~ ':connection-receiver-port}') -%}
{% do mariadb_path_list.append('${' ~ section ~ ':connection-partition-path}') -%}
{% do monitor_base_url_dict.__setitem__('mariadb' ~ i, '${' ~ section ~ ':connection-monitor-base-url}') -%}
{% do csrid_list.append('${' ~ section ~ ':connection-csr-id}') -%}
{% endfor -%}
...
...
@@ -299,6 +310,84 @@ context =
{% do part_list.append(name ~ '-publish-slave-information') -%}
{% endfor -%}
# deploy caucase
{% import "caucase" as caucase with context %}
{{ caucase.caucased(
prefix='caucased',
buildout_bin_directory=buildout_bin_directory,
caucased_path='${directory:service}/caucased',
backup_dir='${directory:backup-caucased}',
data_dir='${directory:caucased}',
netloc=caucase_bind,
tmp='${directory:tmp}',
service_auto_approve_count=count.value,
user_auto_approve_count=1,
key_len=2048,
)}}
{% do part_list.append('caucased') -%}
{% do part_list.append('caucased-promise') -%}
{% do publish_dict.__setitem__('caucase-http-url', caucase_url) -%}
{{ caucase.updater(
prefix='caucase-updater',
buildout_bin_directory=buildout_bin_directory,
updater_path='${directory:services}/caucase-updater',
url=caucase_url,
data_dir='${directory:srv}/caucase-updater',
crt_path='${directory:ssl}/repman-cert.crt',
ca_path='${directory:srv}/caucase-updater/ca.crt',
crl_path='${directory:srv}/caucase-updater/crl.pem',
key_path='${directory:ssl}/repman-cert.key',
on_renew=None,
max_sleep=None,
template_csr_pem=None,
openssl=openssl_bin,
)}}
{% do part_list.append('caucase-updater') -%}
{% do part_list.append('caucase-updater-promise') -%}
#caucase user certificate
{{ caucase.updater(
prefix='caucase-user-updater',
buildout_bin_directory=buildout_bin_directory,
updater_path='${directory:services}/caucase-user-updater',
url=caucase_url,
data_dir='${directory:srv}/caucase-user-updater',
crt_path='${directory:ssl}/caucase.user.crt',
ca_path='${directory:srv}/caucase-user-updater/ca.crt',
crl_path='${directory:srv}/caucase-user-updater/crl.pem',
key_path='${directory:ssl}/caucase.user.key',
on_renew=None,
max_sleep=None,
template_csr_pem=None,
openssl=openssl_bin,
mode='user',
)}}
{% do part_list.append('caucase-user-updater') -%}
{% do part_list.append('caucase-user-updater-promise') -%}
[caucase-sign-csr]
recipe = slapos.recipe.template:jinja2
mode = 755
rendered = ${directory:bin}/caucase-sign
template =
inline:#!/bin/sh
cp ${directory:ssl}/caucase.user.key ${directory:ssl}/caucase-full.key
cat ${directory:ssl}/caucase.user.crt >> ${directory:ssl}/caucase-full.key
for csr_id in {{ csrid_list | join(' ') }}; do
if [ "$csr_id" = "None" ] || [ -z "$csr_id"]; then
continue
fi
{{ buildout_bin_directory }}/caucase --ca-url {{ caucase_url }} --user-key ${directory:ssl}/caucase-full.key --sign-csr $csr_id
done
[cron-caucase-sign-csr]
recipe = slapos.cookbook:cron.d
cron-entries = ${cron:cron-entries}
name = caucase-sign-csr
frequency = * * * * *
command = ${caucase-sign-csr:rendered}
{% do part_list.append('cron-caucase-sign-csr') -%}
[slap-configuration]
recipe = slapos.cookbook:slapconfiguration
computer = ${slap-connection:computer-id}
...
...
@@ -332,8 +421,9 @@ proxies-log = ${directory:log}/proxy
ipv6 = ${instance-parameter:ipv6-random}
port = ${instance-parameter:nginx-port}
ssl-port = ${instance-parameter:nginx-ssl-port}
ssl-certificate = ${ca-nginx:cert-file}
ssl-key = ${ca-nginx:key-file}
ssl-certificate = ${directory:ssl}/repman-cert.crt
ca-certificate = ${directory:srv}/caucase-updater/ca.crt
ssl-key = ${directory:ssl}/repman-cert.key
pid-file = ${directory:run}/nginx.pid
access-log = ${directory:log}/nginx_access.log
error-log = ${directory:log}/nginx_error.log
...
...
@@ -464,11 +554,12 @@ command-line =
{{ nginx_bin }}
-p ${directory:nginx-prefix}
-c ${nginx-conf:rendered}
wrapper-path = ${directory:
bin}/nginx-start
wrapper-path = ${directory:
services}/nginx
wait-for-files =
${ca-directory:certs}/nginx.key
${ca-directory:certs}/nginx.crt
${nginx-graceful-wrapper:rendered}
${directory:ssl}/repman-cert.crt
${directory:srv}/caucase-updater/ca.crt
${directory:ssl}/repman-cert.key
[nginx-graceful-wrapper]
recipe = slapos.recipe.template:jinja2
...
...
@@ -478,20 +569,6 @@ rendered = ${directory:scripts}/nginx-graceful
context =
mode = 755
[ca-nginx]
<= certificate-authority
recipe = slapos.cookbook:certificate_authority.request
cert-file = ${ca-directory:certs}/nginx.crt
key-file = ${ca-directory:certs}/nginx.key
executable = ${nginx-launcher:wrapper-path}
wrapper = ${directory:bin}/ca-nginx
[ca-nginx-service]
recipe = slapos.cookbook:wrapper
command-line = ${ca-nginx:wrapper}
wrapper-path = ${directory:services}/nginx
hash-existing-files = ${buildout:directory}/software_release/buildout.cfg
[logrotate-entry-nginx]
<= logrotate-entry-base
name = nginx
...
...
@@ -599,7 +676,7 @@ parts =
replication-manager
monitor-base
logrotate-entry-nginx
ca-nginx-service
nginx-launcher
publish-connection-parameter
repman-frontend-promise
repman-backend-promise
...
...
software/repman/instance.cfg.in
View file @
27ce939c
...
...
@@ -28,8 +28,10 @@ mode = 0644
extensions = jinja2.ext.do
rendered= ${buildout:directory}/${:_buildout_section_name_}
supervisord-lib = {{ supervisord_lib }}
causace-lib = {{ caucase_library }}
import-list =
file supervisord_lib :supervisord-lib
file caucase :causace-lib
context =
key slapparameter_dict slap-configuration:configuration
key computer_id slap-configuration:computer
...
...
@@ -48,6 +50,8 @@ context =
raw bash_bin {{ bash_location }}/bin/bash
raw jq_bin {{ jq_location }}/bin/jq
raw curl_bin {{ curl_location }}/bin/curl
raw openssl_bin {{ openssl_location }}/bin/openssl
raw caucase_bin_client {{ caucase_bin_client }}
${:extra-context}
extra-context =
...
...
software/repman/software.cfg
View file @
27ce939c
...
...
@@ -18,8 +18,10 @@ extends =
../../component/socat/buildout.cfg
../../component/rsync/buildout.cfg
../../component/jq/buildout.cfg
../../component/openssl/buildout.cfg
../../stack/supervisord/buildout.cfg
../../stack/monitor/buildout.cfg
../../stack/caucase/buildout.cfg
parts =
slapos-cookbook
...
...
@@ -27,6 +29,7 @@ parts =
instance.cfg
template-mariadb.cfg
template-mysqld-wrapper
caucase-eggs
gowork
[mariadb]
...
...
@@ -39,7 +42,6 @@ part = python3
# replication-manager does not build on golang 1.17
golang = ${golang1.16:location}
[template-mysqld-wrapper]
recipe = slapos.recipe.template:jinja2
rendered = ${buildout:parts-directory}/${:_buildout_section_name_}/mysqld.in
...
...
@@ -76,6 +78,7 @@ mode = 0644
context =
key bash_location bash:location
key bin_directory buildout:bin-directory
key caucase_library caucase-jinja2-library:target
key config_toml_in config-toml.in:target
key config_cluster_toml_in config-cluster-toml.in:target
key coreutils_location coreutils:location
...
...
@@ -101,6 +104,7 @@ context =
key groonga_mysql_normalizer_plugin_dir groonga-normalizer-mysql:groonga-plugin-dir
key nginx_conf_in nginx.conf.in:target
key nginx_location nginx:location
key openssl_location openssl:location
key percona_toolkit_location percona-toolkit:location
key proxy_need_stop_start_template proxy-need-start-stop.sh.in:target
key repman_src_location git.signal18.io_signal18_repman:location
...
...
@@ -123,7 +127,7 @@ context =
key unixodbc_location unixodbc:location
key sysbench_location sysbench:location
key proxysql_location proxysql:location
raw caucase_bin_client ${buildout:bin-directory}/caucase
[download-file]
recipe = slapos.recipe.build:download
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment