Update Release Candidate

6345aeed · Thomas Gambier · 4074105b · 55171b94 · 6345aeed · 6345aeed
Commit 6345aeed authored 6 years ago by Thomas Gambier
20 changed files
--- a/component/babeld/buildout.cfg
+++ b/component/babeld/buildout.cfg
@@ -4,7 +4,7 @@ parts = babeld
 [babeld]
 recipe = slapos.recipe.cmmi
 url = https://lab.nexedi.com/nexedi/babeld/repository/archive.tar.gz?ref=v1.8.4-nxd1
-md5sum = 00fb984503f4fa65de9244226dc11c13
+md5sum = 536cca6abe34eb9faeda8682b80ee7bc
 configure-command =
  echo "No configure.."


--- a/component/bison/01_inhibit_example_generation
+++ b/component/bison/01_inhibit_example_generation
+From: Chuan-kai Lin <cklin@debian.org>
+Date: Sun, 18 Nov 2018 16:03:20 -0800
+Subject: Inhibit example code extraction
+
+The Debian bison package cannot extract example code from info documentation
+because said documentation is moved into the bison-doc package due to DFSG
+non-compliance.  Leaving example code extraction in the build process breaks
+parallel builds, so this patch is necessary to make parallel builds work.
+
+Bug-Debian: http://bugs.debian.org/732034
+Forwarded: not-needed
+Last-Update: 2013-12-16
+---
+ Makefile.in       | 3 +--
+ examples/local.mk | 3 +--
+ 2 files changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/Makefile.in b/Makefile.in
+index 02444e8..6a64845 100644
+--- a/Makefile.in
+++ b/Makefile.in
+@@ -6645,8 +6645,7 @@ examples/extracted.stamp: $(doc) doc/version.texi $(extexi)
+ 	$(AM_V_at)mv $@.tmp $@
+ 
+ $(extracted): examples/extracted.stamp
+-	@test -f $@ || rm -f examples/extracted.stamp
+-	@test -f $@ || $(MAKE) $(AM_MAKEFLAGS) examples/extracted.stamp
+	touch $@
+ 
+ # Suppress the #lines from the examples when rolling the tarball, so
+ # that regular users have readable examples even before installing
+diff --git a/examples/local.mk b/examples/local.mk
+index a35c082..8af27e6 100644
+--- a/examples/local.mk
+++ b/examples/local.mk
+@@ -41,8 +41,7 @@ MAINTAINERCLEANFILES += $(extracted) %D%/extracted.stamp
+ 	$(AM_V_at)mv $@.tmp $@
+ 
+ $(extracted): %D%/extracted.stamp
+-	@test -f $@ || rm -f %D%/extracted.stamp
+-	@test -f $@ || $(MAKE) $(AM_MAKEFLAGS) %D%/extracted.stamp
+	touch $@
+ 
+ 
+ ## ------ ##
--- a/component/bison/buildout.cfg
+++ b/component/bison/buildout.cfg
 [buildout]
 extends =
+  ../automake/buildout.cfg
  ../m4/buildout.cfg
  ../perl/buildout.cfg
  ../xz-utils/buildout.cfg
@@ -9,8 +10,12 @@ parts =
 [bison]
 recipe = slapos.recipe.cmmi
 shared = true
-url = http://ftp.gnu.org/gnu/bison/bison-3.0.2.tar.xz
-md5sum = 146be9ff9fbd27497f0bf2286a5a2082
+url = http://ftp.gnu.org/gnu/bison/bison-3.3.2.tar.xz
+md5sum = c9b552dee234b2f6b66e56b27e5234c9
 environment =
+  AUTOMAKE=${automake:location}/bin/automake
  M4=${m4:location}/bin/m4
  PATH=${perl:location}/bin:${xz-utils:location}/bin:%(PATH)s
+patch-options = -p1
+patches =
+  ${:_profile_base_location_}/01_inhibit_example_generation#ee2df22601a56d738939fa760f9dc19b
--- a/component/caddy/buildout.cfg
+++ b/component/caddy/buildout.cfg
@@ -8,6 +8,7 @@ parts =
  caddy

 [gowork]
+golang  = ${golang1.12:location}
 install =
  github.com/mholt/caddy


--- a/component/geoip2/buildout.cfg
+++ b/component/geoip2/buildout.cfg
@@ -17,5 +17,5 @@ rpath = ${:library-dirs}
 [geolite2-country]
 recipe = slapos.recipe.build:download-unpacked
 url = http://geolite.maxmind.com/download/geoip/database/GeoLite2-Country.tar.gz#${:md5sum}
-md5sum = d77df0f613c542af8122a78c03d53a27
+md5sum = 2e92c3567aaad25e0f1cc8ce2c1f920d
 strip-top-level-dir = true
--- a/component/golang/buildout.cfg
+++ b/component/golang/buildout.cfg
@@ -58,6 +58,15 @@ environment-extra =
 url = https://dl.google.com/go/go1.11.4.src.tar.gz
 md5sum = a77697673215be465d1b583680ef2318

+# go1.11 needs go1.4 to bootstrap
+environment-extra =
+  GOROOT_BOOTSTRAP=${golang14:location}
+
+[golang1.12]
+<= golang-common
+url = https://dl.google.com/go/go1.12.src.tar.gz
+md5sum = b3332feba8a945a193b47a52d9981bb9
+
 # go1.11 needs go1.4 to bootstrap
 environment-extra =
  GOROOT_BOOTSTRAP=${golang14:location}

--- a/component/m4/01-fix-ftbfs-with-glibc-2.28.patch
+++ b/component/m4/01-fix-ftbfs-with-glibc-2.28.patch
+From: Santiago Vila <sanvila@debian.org>
+Subject: Fix FTBFS with glibc 2.28
+Bug-Debian: https://bugs.debian.org/915152
+X-Debian-version: 1.4.18-2
+
+Based on this gnulib commit by Paul Eggert:
+
+https://lists.gnu.org/r/bug-gnulib/2018-03/msg00002.html
+
+--- a/lib/fflush.c
+++ b/lib/fflush.c
+@@ -33,7 +33,7 @@
+ #undef fflush
+ 
+ 
+-#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+#if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+ 
+ /* Clear the stream's ungetc buffer, preserving the value of ftello (fp).  */
+ static void
+@@ -72,7 +72,7 @@
+ 
+ #endif
+ 
+-#if ! (defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */)
+#if ! (defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */)
+ 
+ # if (defined __sferror || defined __DragonFly__ || defined __ANDROID__) && defined __SNPT
+ /* FreeBSD, NetBSD, OpenBSD, DragonFly, Mac OS X, Cygwin, Android */
+@@ -148,7 +148,7 @@
+   if (stream == NULL || ! freading (stream))
+     return fflush (stream);
+ 
+-#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+#if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+ 
+   clear_ungetc_buffer_preserving_position (stream);
+ 
+--- a/lib/fpending.c
+++ b/lib/fpending.c
+@@ -32,7 +32,7 @@
+   /* Most systems provide FILE as a struct and the necessary bitmask in
+      <stdio.h>, because they need it for implementing getc() and putc() as
+      fast macros.  */
+-#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+#if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+   return fp->_IO_write_ptr - fp->_IO_write_base;
+ #elif defined __sferror || defined __DragonFly__ || defined __ANDROID__
+   /* FreeBSD, NetBSD, OpenBSD, DragonFly, Mac OS X, Cygwin, Android */
+--- a/lib/fpurge.c
+++ b/lib/fpurge.c
+@@ -62,7 +62,7 @@
+   /* Most systems provide FILE as a struct and the necessary bitmask in
+      <stdio.h>, because they need it for implementing getc() and putc() as
+      fast macros.  */
+-# if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+# if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+   fp->_IO_read_end = fp->_IO_read_ptr;
+   fp->_IO_write_ptr = fp->_IO_write_base;
+   /* Avoid memory leak when there is an active ungetc buffer.  */
+--- a/lib/freadahead.c
+++ b/lib/freadahead.c
+@@ -25,7 +25,7 @@
+ size_t
+ freadahead (FILE *fp)
+ {
+-#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+#if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+   if (fp->_IO_write_ptr > fp->_IO_write_base)
+     return 0;
+   return (fp->_IO_read_end - fp->_IO_read_ptr)
+--- a/lib/freading.c
+++ b/lib/freading.c
+@@ -31,7 +31,7 @@
+   /* Most systems provide FILE as a struct and the necessary bitmask in
+      <stdio.h>, because they need it for implementing getc() and putc() as
+      fast macros.  */
+-# if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+# if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+   return ((fp->_flags & _IO_NO_WRITES) != 0
+           || ((fp->_flags & (_IO_NO_READS | _IO_CURRENTLY_PUTTING)) == 0
+               && fp->_IO_read_base != NULL));
+--- a/lib/fseeko.c
+++ b/lib/fseeko.c
+@@ -47,7 +47,7 @@
+ #endif
+ 
+   /* These tests are based on fpurge.c.  */
+-#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+#if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+   if (fp->_IO_read_end == fp->_IO_read_ptr
+       && fp->_IO_write_ptr == fp->_IO_write_base
+       && fp->_IO_save_base == NULL)
+@@ -123,7 +123,7 @@
+           return -1;
+         }
+ 
+-#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+#if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+       fp->_flags &= ~_IO_EOF_SEEN;
+       fp->_offset = pos;
+ #elif defined __sferror || defined __DragonFly__ || defined __ANDROID__
+--- a/lib/stdio-impl.h
+++ b/lib/stdio-impl.h
+@@ -18,6 +18,12 @@
+    the same implementation of stdio extension API, except that some fields
+    have different naming conventions, or their access requires some casts.  */
+ 
+/* Glibc 2.28 made _IO_IN_BACKUP private.  For now, work around this
+   problem by defining it ourselves.  FIXME: Do not rely on glibc
+   internals.  */
+#if !defined _IO_IN_BACKUP && defined _IO_EOF_SEEN
+# define _IO_IN_BACKUP 0x100
+#endif
+ 
+ /* BSD stdio derived implementations.  */
+ 
--- a/component/m4/buildout.cfg
+++ b/component/m4/buildout.cfg
@@ -7,7 +7,10 @@ parts =
 [m4]
 recipe = slapos.recipe.cmmi
 shared = true
-url = http://ftp.gnu.org/gnu/m4/m4-1.4.17.tar.xz
-md5sum = 12a3c829301a4fd6586a57d3fcf196dc
+url = http://ftp.gnu.org/gnu/m4/m4-1.4.18.tar.xz
+md5sum = 730bb15d96fffe47e148d1e09235af82
 environment =
  PATH=${xz-utils:location}/bin:%(PATH)s
+patch-options = -p1
+patches =
+  ${:_profile_base_location_}/01-fix-ftbfs-with-glibc-2.28.patch#058a786425e507f911649205b61ffcac
--- a/component/openvpn/buildout.cfg
+++ b/component/openvpn/buildout.cfg
@@ -16,6 +16,7 @@ md5sum = 4ad8a008e1e7f261b3aa0024e79e7fb7
 configure-options =
  --disable-dependency-tracking
  --disable-plugin-auth-pam
+  --enable-iproute2
 environment =
  PATH=${xz-utils:location}/bin:%(PATH)s
  LZO_LIBS=-L${lzo:location}/lib -llzo2

--- a/component/rsync/buildout.cfg
+++ b/component/rsync/buildout.cfg
@@ -7,8 +7,8 @@ parts =

 [rsync]
 recipe = slapos.recipe.cmmi
-url = https://download.samba.org/pub/rsync/rsync-3.1.2.tar.gz
-md5sum = 0f758d7e000c0f7f7d3792610fad70cb
+url = https://download.samba.org/pub/rsync/src/rsync-3.1.3.tar.gz
+md5sum = 1581a588fde9d89f6bc6201e8129afaf
 make-options =
  PREFIX=${buildout:parts-directory}/${:_buildout_section_name_}
 environment =

--- a/component/trafficserver/buildout.cfg
+++ b/component/trafficserver/buildout.cfg
@@ -36,3 +36,24 @@ environment =
 make-target =
  check
  install
+
+[trafficserver7]
+recipe = slapos.recipe.cmmi
+url = http://apache.claz.org/trafficserver/trafficserver-7.1.6.tar.bz2
+md5sum = 45f67cd652fa3481f76ff92213325c84
+configure-options =
+  --with-openssl=${openssl:location}
+  --with-pcre=${pcre:location}
+  --with-ncurses=${ncurses:location}
+  --with-tcl=${tcl:location}/lib/
+  --with-lzma=${xz-utils:location}
+  --with-zlib=${zlib:location}
+  --disable-curl
+  --disable-hwloc
+  --enable-experimental-plugins
+environment =
+  PATH=${libtool:location}/bin:${make:location}/bin:${perl:location}/bin:${pkgconfig:location}/bin:%(PATH)s
+  LDFLAGS =-L${openssl:location}/lib -Wl,-rpath=${openssl:location}/lib -L${tcl:location}/lib -Wl,-rpath=${tcl:location}/lib -L${zlib:location}/lib -Wl,-rpath=${zlib:location}/lib
+make-target =
+  check
+  install
--- a/software/caddy-frontend/README.caddy_frontend.rst
+++ b/software/caddy-frontend/README.caddy_frontend.rst
@@ -30,7 +30,7 @@ These parameters are :
  * ``-frontend-software-release-url``: Software release to be used for frontends, default to the current software release
  * ``-sla-i-foo`` : where "i" is the number of the concerned frontend (between 1 and "-frontend-quantity") and "foo" a sla parameter.

-ex::
+for example::

  <parameter id="-frontend-quantity">3</parameter>
  <parameter id="-frontend-type">custom-personal</parameter>
@@ -83,13 +83,70 @@ Those slave instances will be redirected to the "master" instance, and you will

 Finally, the slave instance will be accessible from: https://someidentifier.moulefrite.org.

-About SSL
-=========
-
-``default`` and ``custom-personl`` software type can handle specific ssl for one slave instance.
+About SSL and SlapOS Master Zero Knowledge
+==========================================

 **IMPORTANT**: One Caddy can not serve more than one specific SSL site and be compatible with obsolete browser (i.e.: IE8). See http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

+SSL keys and certificates are directly send to the frontend cluster in order to follow zero knowledge principle of SlapOS Master.
+
+Master partition
+----------------
+
+After requesting master partition it will return ``master-key-generate-auth-url`` and ``master-key-upload-url``.
+
+Doing HTTP GET on ``master-key-generate-auth-url`` will return authentication token, which is used to communicate with ``master-key-upload-url``. This token shall be stored securely.
+
+By doing HTTP PUT to ``master-key-upload-url`` with appended authentication token it is possible to upload PEM bundle of certificate, key and any accompanying CA certificates to the master.
+
+Example sessions is::
+
+  request(...)
+
+  curl -X GET master-key-generate-auth-url
+  > authtoken
+
+  cat certificate.pem key.pem ca-bundle.pem > master.pem
+
+  curl -X PUT --data-binary @master.pem master-key-upload-url+authtoken
+
+This replaces old request parameters:
+
+ * ``apache-certificate``
+ * ``apache-key``
+ * ``apache-ca-certificate``
+
+(*Note*: They are still supported for backward compatibility, but any value send to the ``master-key-upload-url`` will supersede information from SlapOS Master.)
+
+Slave partition
+---------------
+
+After requesting slave partition it will return ``key-generate-auth-url`` and ``key-upload-url``.
+
+Doing HTTP GET on ``key-generate-auth-url`` will return authentication token, which is used to communicate with ``key-upload-url``. This token shall be stored securely.
+
+By doing HTTP PUT to ``key-upload-url`` with appended authentication token it is possible to upload PEM bundle of certificate, key and any accompanying CA certificates to the master.
+
+Example sessions is::
+
+  request(...)
+
+  curl -X GET key-generate-auth-url
+  > authtoken
+
+  cat certificate.pem key.pem ca-bundle.pem > master.pem
+
+  curl -X PUT --data-binary @master.pem key-upload-url+authtoken
+
+This replaces old request parameters:
+
+ * ``ssl_crt``
+ * ``ssl_key``
+ * ``ssl_ca_crt``
+
+(*Note*: They are still supported for backward compatibility, but any value send to the ``key-upload-url`` will supersede information from SlapOS Master.)
+
+
 How to have custom configuration in frontend server - XXX - to be written
 =========================================================================

@@ -195,13 +252,6 @@ Necessary to activate cache.

 ``enable_cache`` is an optional parameter.

-ssl_key, ssl_crt, ssl_ca_crt
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-SSL certificates of the slave.
-
-They are optional.
-
 Functionalities for Caddy configuration
 ---------------------------------------

@@ -210,7 +260,7 @@ In the slave Caddy configuration you can use parameters that will be replaced du
  * ``cache_access`` : url of the cache. Should replace backend url in configuration to use the cache
  * ``access_log`` : path of the slave error log in order to log in a file.
  * ``error_log`` : path of the slave access log in order to log in a file.
-  * ``ssl_key``, ``ssl_crt``, ``ssl_ca_crt``, ``ssl_crs`` : paths of the certificates given in slave instance parameters
+  * ``certificate`` : path to the certificate


 Examples
@@ -293,7 +343,7 @@ Request slave frontend instance so that https://[1:2:3:4:5:6:7:8]:1234 will be::
        "caddy_custom_https":'
  https://www.example.com:%(https_port)s, https://example.com:%(https_port)s {
    bind %(local_ipv4)s
-    tls %(ssl_crt)s %(ssl_key)s
+    tls %%(certificate)s %%(certificate)s

    log / %(access_log)s {combined}
    errors %(error_log)s
@@ -479,6 +529,13 @@ Note that in some cases promises will fail:

 This is known issue and shall be tackled soon.

+KeDiFa
+======
+
+Additional partition with KeDiFa (Key Distribution Facility) is by default requested on the same computer as master frontend partition.
+
+By adding to the request keys like ``-sla-kedifa-<key>`` it is possible to provide SLA information for kedifa partition. Eg to put it on computer ``couscous`` it shall be ``-sla-kedifa-computer_guid: couscous``.
+
 Notes
 =====


--- a/software/caddy-frontend/TODO.rst
+++ b/software/caddy-frontend/TODO.rst
@@ -3,13 +3,11 @@ Generally things to be done with ``caddy-frontend``:
 * tests: add assertion with results of promises in etc/promise for each partition
 * README: cleanup the documentation, explain various specifics
 * check the whole frontend slave snippet with ``caddy -validate`` during buildout run, and reject if does not pass validation
- * BUG?? check that changing ``apache-certificate`` on master partition results in reloading slave partition
 * (new) ``type:websocket`` slave
 * ``type:eventsource``:

   * **Jérome Perrin**: *For event source, if I understand https://github.com/mholt/caddy/issues/1355 correctly, we could use caddy as a proxy in front of nginx-push-stream . If we have a "central shared" caddy instance, can it handle keeping connections opens for many clients ?*
 * ``check-error-on-caddy-log`` like ``check-error-on-apache-log``
-
 * move out ``test/utils.py`` and use it from shared python distribution
 * reduce the time of configuration validation (in ``instance-apache-frontend.cfg.in`` sections ``[configtest]``, ``[caddy-configuration]``, ``[nginx-configuration]``), as it is not scalable on frontend with 2000+ slaves (takes few minutes instead of few, < 5, seconds), issue posted `upstream <https://github.com/mholt/caddy/issues/2220>`_
 * drop ``6tunnel`` and use ``bind`` in Caddy configuration, as soon as multiple binds will be possible, tracked in upstream `bind: support multiple values <https://github.com/mholt/caddy/pull/2128>`_ and `ipv6: does not bind on ipv4 and ipv6 for sites that resolve to both <https://github.com/mholt/caddy/issues/864>`_

--- a/software/caddy-frontend/buildout.hash.cfg
+++ b/software/caddy-frontend/buildout.hash.cfg
@@ -14,7 +14,7 @@
 # not need these here).
 [template]
 filename = instance.cfg.in
-md5sum = 2747f9125c8dffa0c27b79a6902a55cb
+md5sum = 111ff0794c90657b658e3d50525e7fed

 [template-common]
 filename = instance-common.cfg.in
@@ -22,15 +22,15 @@ md5sum = c801b7f9f11f0965677c22e6bbe9281b

 [template-apache-frontend]
 filename = instance-apache-frontend.cfg.in
-md5sum = 6fd023f0d29421d8579f0b3351473bb0
+md5sum = abbbc8f24cdef389b9b2859b0ef8dd0e

 [template-apache-replicate]
 filename = instance-apache-replicate.cfg.in
-md5sum = 5c5462ccc327fe109e0c102f0d3e7e53
+md5sum = 81ad603fe0a1e29948bd81b457e8d7a4

 [template-slave-list]
 filename = templates/apache-custom-slave-list.cfg.in
-md5sum = 028ca41fdf7a758ba701ccc5e449419a
+md5sum = dfbe4378610aa42f2cbc2a55d386324e

 [template-slave-configuration]
 filename = templates/custom-virtualhost.conf.in
@@ -38,11 +38,11 @@ md5sum = 54ae95597a126ae552c3a913ddf29e5e

 [template-replicate-publish-slave-information]
 filename = templates/replicate-publish-slave-information.cfg.in
-md5sum = 696ef7690f51a521cc6f6c9d9d5d844e
+md5sum = 38e9994be01ea1b8a379f8ff7aa05438

 [template-caddy-frontend-configuration]
 filename = templates/Caddyfile.in
-md5sum = 0134a1586f15cd5665069d6d81a505be
+md5sum = df8c08c9aecb48fdbcdfca40f9cf74a4

 [caddy-backend-url-validator]
 filename = templates/caddy-backend-url-validator.in
@@ -58,7 +58,7 @@ md5sum = f20d6c3d2d94fb685f8d26dfca1e822b

 [template-default-slave-virtualhost]
 filename = templates/default-virtualhost.conf.in
-md5sum = e57b9ae012f777482295698a23b7e850
+md5sum = 4308b63820d3682511ce54040d1ae60e

 [template-cached-slave-virtualhost]
 filename = templates/cached-virtualhost.conf.in
@@ -66,7 +66,7 @@ md5sum = 907372828d1ceb05c41240078196f439

 [template-log-access]
 filename = templates/template-log-access.conf.in
-md5sum = 122b05829ecc4c0ad4e47e7d1c21166b
+md5sum = 704f37bfdd52fe628ae81d41abba8d7a

 [template-empty]
 filename = templates/empty.in
@@ -78,23 +78,27 @@ md5sum = 8cde04bfd0c0e9bd56744b988275cfd8

 [template-trafficserver-records-config]
 filename = templates/trafficserver/records.config.jinja2
-md5sum = 84baef0a49c9a65e8f2d2ffdb8c1d39c
+md5sum = 15cbdba7ab7fe3c3d7c26c1718e47bbd

 [template-trafficserver-storage-config]
 filename = templates/trafficserver/storage.config.jinja2
-md5sum = 117238225b3fc3c5b5be381815f44c67
+md5sum = baf7b89cc9ab5506100b0c900808c1ea
+
+[template-trafficserver-logging-config]
+filename = templates/trafficserver/logging.config.jinja2
+md5sum = cd6bb9bd0734f17469b0ca88f8b1a531

 [template-nginx-configuration]
 filename = templates/nginx.cfg.in
-md5sum = fadb2fcaf0f2b4fe735617fac222f7ed
+md5sum = 30f30ef3539fe6b7ab99162ae8e71a87

 [template-nginx-eventsource-slave-virtualhost]
 filename = templates/nginx-eventsource-slave.conf.in
-md5sum = 176cbca2070734a185a7ae5a4d1181c5
+md5sum = 217a6c801b8330b0b825f7b8b4c77184

 [template-nginx-notebook-slave-virtualhost]
 filename = templates/nginx-notebook-slave.conf.in
-md5sum = ee3b5c23f1c81aa43ce7cd8f8e327f70
+md5sum = ac17212a53be2c08ab84682ec665148d

 [template-apache-lazy-script-call]
 filename = templates/apache-lazy-script-call.sh.in
@@ -115,3 +119,7 @@ md5sum = d9b6476bb0b36cf463fddb00d41dfbaa
 [caddyprofiledeps-dummy]
 filename = caddyprofiledummy.py
 md5sum = 38792c2dceae38ab411592ec36fff6a8
+
+[template-kedifa]
+filename = instance-kedifa.cfg.in
+md5sum = 5597b2184b445af69ad6d517d0729ad6
--- a/software/caddy-frontend/common.cfg
+++ b/software/caddy-frontend/common.cfg
@@ -5,13 +5,13 @@ extends =
  ../../component/dash/buildout.cfg
  ../../component/caddy/buildout.cfg
  ../../component/gzip/buildout.cfg
-  ../../component/dcron/buildout.cfg
  ../../component/logrotate/buildout.cfg
  ../../component/rdiff-backup/buildout.cfg
  ../../component/trafficserver/buildout.cfg
  ../../component/6tunnel/buildout.cfg

  ../../stack/nodejs.cfg
+  ../../stack/caucase/buildout.cfg
 # Monitoring stack (keep on bottom)
  ../../stack/monitor/buildout.cfg

@@ -21,7 +21,6 @@ parts +=
  template-caddy-replicate
  caddy

-  dcron
  logrotate
  rdiff-backup
  npm-modules
@@ -29,6 +28,25 @@ parts +=
  http-proxy
  caddyprofiledeps

+  kedifa-develop
+  kedifa
+
+[kedifa-repository]
+recipe = slapos.recipe.build:gitclone
+repository = https://lab.nexedi.com/nexedi/kedifa.git
+git-executable = ${git:location}/bin/git
+revision = 67bd60ea1bfb4fc6aafdfe4fa204f725731f20cf
+
+[kedifa-develop]
+recipe = zc.recipe.egg:develop
+setup = ${kedifa-repository:location}
+
+[kedifa]
+recipe = zc.recipe.egg
+eggs =
+  ${python-cryptography:egg}
+  kedifa
+
 [caddyprofiledeps-setup]
 recipe = slapos.recipe.build:download
 url = ${:_profile_base_location_}/setup.py
@@ -63,6 +81,8 @@ eggs =
 eggs +=
  websockify
  erp5.util
+  ${caucase-eggs:eggs}
+  collective.recipe.shelloutput

 [template-common]
 recipe = slapos.recipe.template:jinja2
@@ -75,6 +95,7 @@ context =

 [template-frontend-parameter-section]
 common_profile = ${template-common:rendered}
+logrotate_base_instance = ${template-logrotate-base:rendered}

 bin_directory = ${buildout:bin-directory}

@@ -83,12 +104,15 @@ caddy = ${caddy:output}
 caddy_location = ${caddy:location}
 curl = ${curl:location}
 dash = ${dash:location}
-dcron = ${dcron:location}
 gzip = ${gzip:location}
 logrotate = ${logrotate:location}
-openssl = ${openssl:location}
-trafficserver = ${trafficserver:location}
+openssl = ${openssl:location}/bin/openssl
+openssl_cnf = ${openssl:location}/etc/ssl/openssl.cnf
+trafficserver = ${trafficserver7:location}
 sha256sum = ${coreutils:location}/bin/sha256sum
+kedifa = ${:bin_directory}/kedifa
+kedifa-getter = ${:bin_directory}/kedifa-getter
+kedifa-csr = ${:bin_directory}/kedifa-csr

 monitor_template = ${monitor-template:output}
 template_cached_slave_virtualhost = ${template-cached-slave-virtualhost:target}
@@ -110,6 +134,8 @@ template_trafficserver_records_config_filename = ${template-trafficserver-record
 template_trafficserver_records_config_location = ${template-trafficserver-records-config:location}
 template_trafficserver_storage_config_filename = ${template-trafficserver-storage-config:filename}
 template_trafficserver_storage_config_location = ${template-trafficserver-storage-config:location}
+template_trafficserver_logging_config_filename = ${template-trafficserver-logging-config:filename}
+template_trafficserver_logging_config_location = ${template-trafficserver-logging-config:location}
 template_wrapper = ${template-wrapper:output}

 [template]
@@ -123,11 +149,13 @@ context =
  key monitor2_template monitor2-template:rendered
  key template_caddy_frontend template-caddy-frontend:target
  key template_caddy_replicate template-caddy-replicate:target
+  key template_kedifa template-kedifa:target
  key template_replicate_publish_slave_information template-replicate-publish-slave-information:target
  key caddy_backend_url_validator caddy-backend-url-validator:output
  key caddy_custom_http_validator caddy-custom-http-validator:output

  section template_frontend_parameter_dict template-frontend-parameter-section
+  key caucase_jinja2_library caucase-jinja2-library:target

 [template-caddy-frontend]
 recipe = slapos.recipe.build:download
@@ -153,6 +181,11 @@ recipe = slapos.recipe.build:download
 url = ${:_profile_base_location_}/instance-apache-replicate.cfg.in
 mode = 0644

+[template-kedifa]
+recipe = slapos.recipe.build:download
+url = ${:_profile_base_location_}/instance-kedifa.cfg.in
+mode = 0644
+
 [download-template]
 recipe = slapos.recipe.build:download
 url = ${:_profile_base_location_}/templates/${:filename}
@@ -210,6 +243,11 @@ filename = records.config.jinja2
 url = ${:_profile_base_location_}/templates/trafficserver/${:filename}
 filename = storage.config.jinja2

+[template-trafficserver-logging-config]
+<=download-template
+url = ${:_profile_base_location_}/templates/trafficserver/${:filename}
+filename = logging.config.jinja2
+
 # NGINX Configuration
 [template-nginx-configuration]
 recipe = slapos.recipe.template

--- a/software/caddy-frontend/instance-apache-frontend.cfg.in
+++ b/software/caddy-frontend/instance-apache-frontend.cfg.in
--- a/software/caddy-frontend/instance-apache-replicate.cfg.in
+++ b/software/caddy-frontend/instance-apache-replicate.cfg.in
 {% if slap_software_type in software_type %}
-
+{%- set TRUE_VALUES = ['y', 'yes', '1', 'true'] -%}
+{% set aikc_enabled = slapparameter_dict.get('automatic-internal-kedifa-caucase-csr', 'true').lower() in TRUE_VALUES %}
 [jinja2-template-base]
 recipe = slapos.recipe.template:jinja2
 rendered = ${buildout:directory}/${:filename}
@@ -30,6 +31,10 @@ context =
 {% if not sla_computer_caddy_1_key in slapparameter_dict %}
 {%   do slapparameter_dict.__setitem__(sla_computer_caddy_1_key, '${slap-connection:computer-id}') %}
 {% endif %}
+{% set sla_computer_kedifa_key = '-sla-kedifa-computer_guid' %}
+{% if not sla_computer_kedifa_key in slapparameter_dict %}
+{%   do slapparameter_dict.__setitem__(sla_computer_kedifa_key, '${slap-connection:computer-id}') %}
+{% endif %}

 # Here we request individually each frontend.
 # The presence of sla parameters is checked and added if found
@@ -67,10 +72,12 @@ context =
 {% set authorized_slave_string_list = slapparameter_dict.pop('-frontend-authorized-slave-string', '').split() %}
 {% set authorized_slave_list = [] %}
 {% set rejected_slave_dict = {} %}
+{% set warning_slave_dict = {} %}
 {% set used_host_list = [] %}
 {% set unauthorized_message = 'slave not authorized' %}
 {% for slave in slave_instance_list %}
 {%   set slave_error_list = [] %}
+{%   set slave_warning_list = [] %}
 {%   set slave_server_alias_unclashed = [] %}
 {#   BBB: apache_custom_https AND apache_custom_http #}
 {%   set custom_domain = slave.get('custom_domain') %}
@@ -122,18 +129,25 @@ context =
 {%       do slave_error_list.append('slave https-url %r invalid' % (slave['https-url'],)) %}
 {%     endif %}
 {%   endif %}
+{# BBB: SlapOS Master non-zero knowledge BEGIN #}
+{%   for key in ['ssl_key', 'ssl_crt', 'ssl_ca_crt'] %}
+{%     if key in slave %}
+{%       do slave_warning_list.append('%s is obsolete, please use key-upload-url' % (key,)) %}
+{%     endif %}
+{%   endfor %}
 {%   if slave.get('ssl_ca_crt') and not (slave.get('ssl_crt') and slave.get('ssl_key')) %}
 {%     do slave_error_list.append('ssl_ca_crt is present, so ssl_crt and ssl_key are required')  %}
 {%   endif %}
 {%   if slave.get('ssl_key') and slave.get('ssl_crt') %}
-{%     set key_popen = popen([openssl, 'rsa', '-noout', '-modulus']) %}
-{%     set crt_popen = popen([openssl, 'x509', '-noout', '-modulus']) %}
-{%     set key_modulus = key_popen.communicate('' ~ slave['ssl_key'])[0] | trim %}
-{%     set crt_modulus = crt_popen.communicate('' ~ slave['ssl_crt'])[0] | trim %}
+{%     set key_popen = popen([parameter_dict['openssl'], 'rsa', '-noout', '-modulus']) %}
+{%     set crt_popen = popen([parameter_dict['openssl'], 'x509', '-noout', '-modulus']) %}
+{%     set key_modulus = key_popen.communicate(slave['ssl_key'])[0] | trim %}
+{%     set crt_modulus = crt_popen.communicate(slave['ssl_crt'])[0] | trim %}
 {%     if not key_modulus or key_modulus != crt_modulus  %}
 {%       do slave_error_list.append('slave ssl_key and ssl_crt does not match')  %}
 {%     endif %}
 {%   endif %}
+{# BBB: SlapOS Master non-zero knowledge END #}
 {%   if slave.get('custom_domain') %}
 {%     set slave_custom_domain = '' ~ slave['custom_domain'] %}
 {%     if slave_custom_domain.startswith('*.') %}
@@ -150,6 +164,9 @@ context =
 {%   else %}
 {%     do rejected_slave_dict.__setitem__(slave.get('slave_reference'), slave_error_list) %}
 {%   endif %}
+{%   if len(slave_warning_list) > 0 %}
+{%     do warning_slave_dict.__setitem__(slave.get('slave_reference'), slave_warning_list) %}
+{%   endif %}
 {% endfor %}

 [monitor-instance-parameter]
@@ -169,7 +186,7 @@ software-url = {{ slapparameter_dict.pop(frontend_software_url_key) }}
 software-url = ${slap-connection:software-release-url}
 {% endif %}
 software-type = {{frontend_type}}
-return = private-ipv4 public-ipv4 slave-instance-information-list monitor-base-url
+return = private-ipv4 public-ipv4 slave-instance-information-list monitor-base-url csr_id-url csr_id-certificate

 {% for section, frontend_request in request_dict.iteritems() %}
 [{{section}}]
@@ -178,6 +195,10 @@ name = {{ frontend_request.get('name') }}
 {%   if frontend_request.get('state') %}
 state = {{ frontend_request.get('state') }}
 {%   endif%}
+config-slave-kedifa-information = ${request-kedifa:connection-slave-kedifa-information}
+config-kedifa-caucase-url = ${request-kedifa:connection-caucase-url}
+config-master-key-download-url = ${request-kedifa:connection-master-key-download-url}
+config-cluster-identification = {{ cluster_identification }}
 {%   set slave_configuration_dict = slapparameter_dict %}
 {%   do slave_configuration_dict.update(frontend_request.get('config')) %}
 {%   do slave_configuration_dict.__setitem__(slave_list_name, json_module.dumps(authorized_slave_list)) %}
@@ -192,6 +213,12 @@ sla-{{ parameter }} = {{ value }}
 {%   endif %}
 {% endfor %}

+{%  set warning_list = [] %}
+{%  for key in ['apache-certificate', 'apache-key'] %}
+{%    if key in slapparameter_dict %}
+{%      do warning_list.append('%s is obsolete, please use master-key-upload-url' % (key, )) %}
+{%    endif %}
+{%  endfor %}

 [publish-information]
 <= monitor-publish
@@ -201,6 +228,24 @@ slave-amount = {{ slave_instance_list | length }}
 accepted-slave-amount = {{ authorized_slave_list | length }}
 rejected-slave-amount = {{ rejected_slave_dict | length }}
 rejected-slave-dict = {{ dumps(json_module.dumps(rejected_slave_dict)) }}
+master-key-upload-url = ${request-kedifa:connection-master-key-upload-url}
+master-key-generate-auth-url = ${request-kedifa:connection-master-key-generate-auth-url}
+kedifa-caucase-url = ${request-kedifa:connection-caucase-url}
+{% if len(warning_list) > 0 %}
+warning-list = {{ dumps(json_module.dumps(warning_list)) }}
+{% endif %}
+{% if len(warning_slave_dict) > 0 %}
+warning-slave-dict = {{ dumps(json_module.dumps(warning_slave_dict)) }}
+{% endif %}
+{% if not aikc_enabled %}
+kedifa-csr_id-url = ${request-kedifa:connection-csr_id-url}
+kedifa-csr_id-certificate = ${request-kedifa:connection-csr_id-certificate}
+{% for frontend in frontend_list %}
+  {% set section_part = '${request-' + frontend %}
+{{ frontend }}-csr_id-url = {{ section_part }}:connection-csr_id-url}
+{{ frontend }}-csr_id-certificate = {{ section_part }}:connection-csr_id-certificate}
+{% endfor %}
+{% endif %}

 #----------------------------
 #--
@@ -213,11 +258,47 @@ replicate = ${dynamic-publish-slave-information:rendered}
 custom-personal = ${dynamic-publish-slave-information:rendered}
 custom-group = ${dynamic-publish-slave-information:rendered}

+[request-kedifa]
+<= slap-connection
+recipe = slapos.cookbook:requestoptional.serialised
+config-monitor-cors-domains = {{ slapparameter_dict.get('monitor-cors-domains', 'monitor.app.officejs.com') }}
+config-monitor-username = ${monitor-instance-parameter:username}
+config-monitor-password = ${monitor-htpasswd:passwd}
+{% for key in ['kedifa_port', 'caucase_port'] -%}
+{%-   if key in slapparameter_dict %}
+config-{{ key }} = {{ dumps(slapparameter_dict[key]) }}
+{%-   endif %}
+{%- endfor %}
+config-slave-list = {{ dumps(slave_instance_list) }}
+config-cluster-identification = {{ cluster_identification }}
+
+{% set frontend_software_url_key = "-frontend-software-release-url" %}
+{% if slapparameter_dict.has_key(frontend_software_url_key) %}
+software-url = {{ slapparameter_dict.pop(frontend_software_url_key) }}
+{% else %}
+software-url = ${slap-connection:software-release-url}
+{% endif %}
+software-type = kedifa
+name = kedifa
+return = slave-kedifa-information master-key-generate-auth-url master-key-upload-url master-key-download-url caucase-url csr_id-url csr_id-certificate
+{% set sla_kedifa_key = "-sla-kedifa-" %}
+{% set sla_kedifa_key_length = sla_kedifa_key | length %}
+{% for key in slapparameter_dict.keys() %}
+{%   if key.startswith(sla_kedifa_key) %}
+sla-{{ key[sla_kedifa_key_length:] }} = {{ slapparameter_dict.pop(key) }}
+{%   endif %}
+{% endfor %}
+
 [rejected-slave-information]
 {% for slave_id, rejected_list in rejected_slave_dict.iteritems() %}
 {{ slave_id }} = {{ dumps(json_module.dumps(rejected_list)) }}
 {% endfor %}

+[warning-slave-information]
+{% for slave_id, warning_list in warning_slave_dict.iteritems() %}
+{{ slave_id }} = {{ dumps(json_module.dumps(warning_list)) }}
+{% endfor %}
+
 [slave-information]
 {% for frontend_section in frontend_section_list %}
 {{ frontend_section }} = {{ "${%s:connection-slave-instance-information-list}" % frontend_section }}
@@ -241,6 +322,8 @@ extra-context =
    section slave_information slave-information
    section rejected_slave_information rejected-slave-information
    section active_slave_instance_dict active-slave-instance
+    section warning_slave_information warning-slave-information
+    key slave_kedifa_information request-kedifa:connection-slave-kedifa-information

 [monitor-conf-parameters]
 monitor-url-list +=
@@ -248,6 +331,126 @@ monitor-url-list +=
 {{ '  ${' + frontend + ':connection-monitor-base-url}' }}
 {% endfor %}

+{% if aikc_enabled %}
+[directory]
+recipe = slapos.cookbook:mkdirectory
+
+bin = ${buildout:directory}/bin/
+srv = ${buildout:directory}/srv/
+aikc = ${:srv}/aikc
+
+[aikc-config]
+caucase-url = ${request-kedifa:connection-caucase-url}
+
+csr = ${directory:aikc}/csr.pem
+key = ${directory:aikc}/key.pem
+ca-certificate = ${directory:aikc}/cas-ca-certificate.pem
+crl = ${directory:aikc}/crl.pem
+user-ca-certificate = ${directory:aikc}/user-ca-certificate.pem
+user-crl = ${directory:aikc}/user-crl.pem
+user-created = ${directory:aikc}/user-created
+csr_id = ${directory:aikc}/csr_id
+
+[aikc-user-csr]
+recipe = plone.recipe.command
+organization = {{ cluster_identification }}
+organizational_unit = Automatic Internal Kedifa Caucase CSR
+command =
+  if [ ! -f ${:csr} ] && [ ! -f ${:key} ]  ; then
+    {{ parameter_dict['openssl'] }} req -new -sha256 \
+      -newkey rsa:2048 -nodes -keyout ${:key} \
+      -subj "/O=${:organization}/OU=${:organizational_unit}" \
+      -out ${:csr}
+  fi
+update-command = ${:command}
+csr = ${aikc-config:csr}
+key = ${aikc-config:key}
+stop-on-error = True
+
+
+[aikc-caucase-wrapper]
+{# jinja2 instead of wrapper is used with context to remove py'u' #}
+recipe = slapos.recipe.template:jinja2
+context =
+  key caucase_url aikc-config:caucase-url
+template = inline:#!{{ parameter_dict['dash'] }}/bin/dash
+  exec {{ parameter_dict['bin_directory'] }}/caucase \
+{# raw block to use context #}
+{% raw %}
+  --ca-url {{ caucase_url }} \
+{% endraw %}
+  --ca-crt ${aikc-config:ca-certificate} \
+  --user-ca-crt ${aikc-config:user-ca-certificate} \
+  --user-crl ${aikc-config:user-crl} \
+  --crl ${aikc-config:crl} \
+  "$@"
+
+rendered = ${directory:bin}/aikc-caucase-wrapper
+mode = 0700
+
+{% do part_list.append('aikc-create-user') %}
+[aikc-create-user]
+recipe = plone.recipe.command
+stop-on-error = True
+update-command = ${:command}
+command =
+  if ! [ -f ${aikc-config:user-created} ] ; then
+    ${aikc-caucase-wrapper:rendered} --mode user --send-csr ${aikc-user-csr:csr} > ${aikc-config:csr_id} || exit 1
+    cut -d ' ' -f 1 ${aikc-config:csr_id} || exit 1
+    csr_id=`cut -d ' ' -f 1 ${aikc-config:csr_id}`
+    sleep 1
+    ${aikc-caucase-wrapper:rendered} --mode user --get-crt $csr_id ${aikc-config:key} || exit 1
+    touch ${aikc-config:user-created}
+  fi
+
+[aikc-check-certificate]
+recipe = slapos.recipe.template:jinja2
+rendered = ${directory:bin}/aikc-check-certificate
+template = inline:
+  import sys
+  import ssl
+  import urlparse
+  certificate = sys.argv[2]
+  parsed = urlparse.urlparse(sys.argv[1])
+  got_certificate = ssl.get_server_certificate((parsed.hostname, parsed.port))
+  sys.exit(0) if certificate.strip() == got_certificate.strip() else sys.exit(1)
+
+{% for csr in frontend_list + ['kedifa'] %}
+[aikc-{{ csr }}-wrapper]
+{# jinja2 instead of wrapper is used with context to remove py'u' #}
+recipe = slapos.recipe.template:jinja2
+context =
+  key csr_id_url request-{{ csr }}:connection-csr_id-url
+  key csr_id_certificate request-{{ csr }}:connection-csr_id-certificate
+template = inline:#!{{ parameter_dict['dash'] }}/bin/dash
+  test -f ${directory:aikc}/{{ csr }}-done && exit 0
+  ${buildout:executable} ${aikc-check-certificate:rendered} \
+{# raw block to use context #}
+{% raw %}
+  {{ csr_id_url }} \
+  """{{ csr_id_certificate }}"""
+{% endraw %}
+  if [ $? = 0 ]; then
+    csr_id=`{{ parameter_dict['curl'] }}/bin/curl -s -k -g \
+{% raw %}
+  {{ csr_id_url }} \
+{% endraw %}
+  ` || exit 1
+    ${aikc-caucase-wrapper:rendered} --user-key ${aikc-config:key} --sign-csr $csr_id && touch ${directory:aikc}/{{ csr }}-done
+  fi
+rendered = ${directory:bin}/aikc-{{ csr }}-wrapper
+mode = 0700
+
+{% do part_list.append('aikc-%s' % (csr,)) %}
+[aikc-{{ csr }}]
+recipe = plone.recipe.command
+stop-on-error = True
+command =
+  ${aikc-{{ csr }}-wrapper:rendered}
+update-command = ${:command}
+{% endfor %}
+{% endif %}
+
 [buildout]
 extends =
  {{ common_profile }}
@@ -256,6 +459,7 @@ parts =
  monitor-base
  publish-slave-information
  publish-information
+  request-kedifa
 {% for part in part_list %}
 {{ '  %s' % part }}
 {% endfor %}

--- a/software/caddy-frontend/instance-caddy-input-schema.json
+++ b/software/caddy-frontend/instance-caddy-input-schema.json
@@ -11,24 +11,6 @@
      "title": "Frontend Replication Quantity",
      "type": "integer"
    },
-    "apache-ca-certificate": {
-      "description": "[NOT IMPLEMENTED] SSL CA Certificate used by the server. You can append it to 'apache-certificate'.",
-      "textarea": true,
-      "title": "[NOT IMPLEMENTED] SSL CA Certificate",
-      "type": "string"
-    },
-    "apache-certificate": {
-      "description": "SSL Certificate used by the server.",
-      "textarea": true,
-      "title": "SSL Certificate",
-      "type": "string"
-    },
-    "apache-key": {
-      "description": "SSL Key used by the server.",
-      "textarea": true,
-      "title": "SSL Key",
-      "type": "string"
-    },
    "domain": {
      "description": "Base Domain for create subdomains (ie.: example.com).",
      "pattern": "^([a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?\\.)+[a-zA-Z]{2,6}$",
@@ -98,6 +80,16 @@
      "description": "How often Caddy will try to establish connection with a backend during proxy-try-duration. More info in https://caddyserver.com/docs/proxy try_interval",
      "title": "Interval in milliseconds of tries during proxy-try-duration",
      "type": "integer"
+    },
+    "automatic-internal-kedifa-caucase-csr": {
+      "default": "true",
+      "description": "Automatically signs CSRs sent to KeDiFa's caucase, based on csr_id and matching certificate.",
+      "enum": [
+        "true",
+        "false"
+      ],
+      "title": "Automatic Internal KeDiFa's Caucase CSR",
+      "type": "string"
    }
  },
  "title": "Input Parameters",

--- a/software/caddy-frontend/instance-kedifa.cfg.in
+++ b/software/caddy-frontend/instance-kedifa.cfg.in
+{%- if slap_software_type == software_type -%}
+{% import "caucase" as caucase with context %}
+# KeDiFa instance profile
+[buildout]
+extends =
+  {{ parameter_dict['common_profile'] }}
+  {{ parameter_dict['monitor_template'] }}
+
+parts =
+  directory
+  kedifa
+  slave-kedifa-information
+  caucased
+  caucased-promise
+  caucase-updater
+  expose-csr_id
+
+[caucased]
+hash-files = ${buildout:directory}/software_release/buildout.cfg
+
+{%  set caucase_host = '[' ~ instance_parameter['ipv6-random'] ~ ']' %}
+{%  set caucase_netloc = caucase_host ~ ':' ~ instance_parameter['configuration.caucase_port'] -%}
+{%  set caucase_url = 'http://' ~ caucase_netloc -%}
+{{  caucase.caucased(
+      prefix='caucased',
+      buildout_bin_directory=parameter_dict['bin_directory'],
+      caucased_path='${directory:service}/caucased',
+      backup_dir='${directory:backup-caucased}',
+      data_dir='${directory:caucased}',
+      netloc=caucase_netloc,
+      service_auto_approve_count=0,
+      user_auto_approve_count=1,
+      key_len=2048,
+      promise='${directory:promise}/caucased',
+)}}
+
+# Create all needed directories
+[directory]
+recipe = slapos.cookbook:mkdirectory
+
+bin = ${buildout:directory}/bin/
+etc = ${buildout:directory}/etc/
+srv = ${buildout:directory}/srv/
+var = ${buildout:directory}/var/
+tmp = ${buildout:directory}/tmp/
+
+backup = ${:srv}/backup
+log = ${:var}/log
+run = ${:var}/run
+service = ${:etc}/service
+etc-run = ${:etc}/run
+promise = ${:etc}/promise
+
+# KeDiFa directories
+kedifa = ${:srv}/kedifa
+etc-kedifa = ${:etc}/kedifa
+
+# CAUCASE directories
+caucased = ${:srv}/caucased
+backup-caucased = ${:backup}/caucased
+
+# reservation
+reservation = ${:srv}/reservation
+
+# csr_id publication
+csr_id = ${:srv}/csr_id
+caddy-csr_id = ${:etc}/caddy-csr_id
+
+[kedifa-csr]
+recipe = plone.recipe.command
+organization = {{ slapparameter_dict['cluster-identification'] }}
+organizational_unit = Kedifa Partition
+command =
+  if [ ! -f ${:template-csr} ] && [ ! -f ${:key} ]  ; then
+    /bin/bash -c '{{ parameter_dict['openssl'] }} req -new -sha256 \
+      -newkey rsa:2048 -nodes -keyout ${:key} \
+      -subj "/O=${:organization}/OU=${:organizational_unit}" \
+      -reqexts SAN \
+      -config <(cat {{ parameter_dict['openssl_cnf'] }} \
+      <(printf "\n[SAN]\nsubjectAltName=IP:${kedifa-config:ip}")) \
+      -out ${:template-csr}'
+  fi
+update-command = ${:command}
+template-csr = ${kedifa-config:template-csr}
+key = ${kedifa-config:key}
+stop-on-error = True
+
+{{ caucase.updater(
+     prefix='caucase-updater',
+     buildout_bin_directory=parameter_dict['bin_directory'],
+     updater_path='${directory:service}/caucase-updater',
+     url=caucase_url,
+     data_dir='${directory:srv}/caucase-updater',
+     crt_path='${kedifa-config:certificate}',
+     ca_path='${kedifa-config:ca-certificate}',
+     crl_path='${kedifa-config:crl}',
+     key_path='${kedifa-csr:key}',
+     on_renew='${kedifa-reloader:wrapper-path}',
+     template_csr='${kedifa-csr:template-csr}',
+     openssl=parameter_dict['openssl'] ~ '/bin/openssl',
+)}}
+
+[store-csr_id]
+recipe = plone.recipe.command
+
+csr_id_path = ${directory:csr_id}/csr_id.txt
+csr_work_path = ${directory:tmp}/${:_buildout_section_name_}
+
+stop-on-error = False
+update-command = ${:command}
+command =
+  {{ parameter_dict['bin_directory'] }}/caucase \
+    --ca-url {{ caucase_url }} \
+    --ca-crt ${kedifa-config:ca-certificate} \
+    --crl ${kedifa-config:crl} \
+    --mode service \
+{#- XXX: Need to use caucase-updater-csr:csr, as there is no way to obatin csr_id from caucase-updater -#}
+{#- XXX: nor directly path to the generated CSR #}
+    --send-csr ${caucase-updater-csr:csr} > ${:csr_work_path} && \
+  cut -d ' ' -f 1 ${:csr_work_path} > ${:csr_id_path}
+
+[certificate-csr_id]
+recipe = plone.recipe.command
+certificate = ${directory:caddy-csr_id}/certificate.pem
+key = ${directory:caddy-csr_id}/key.pem
+
+stop-on-error = True
+update-command = ${:command}
+command =
+  if ! [ -f ${:key} ] && ! [ -f ${:certificate} ] ; then
+    openssl req -new -newkey rsa:2048 -sha256 -subj \
+      "/O=${kedifa-csr:organization}/OU=${kedifa-csr:organizational_unit}/CN={{ instance_parameter['ipv6-random'] }}" \
+      -days 5 -nodes -x509 -keyout ${:key} -out ${:certificate}
+  fi
+
+[expose-csr_id-configuration]
+ip = {{ instance_parameter['ipv6-random'] }}
+port = 17000
+key = ${certificate-csr_id:key}
+certificate = ${certificate-csr_id:certificate}
+error-log = ${directory:log}/expose-csr_id.log
+
+[expose-csr_id-template]
+recipe = slapos.recipe.template:jinja2
+template = inline:
+  https://:${expose-csr_id-configuration:port}/ {
+    bind ${expose-csr_id-configuration:ip}
+    tls ${expose-csr_id-configuration:certificate} ${expose-csr_id-configuration:key}
+    log ${expose-csr_id-configuration:error-log}
+  }
+
+rendered = ${directory:caddy-csr_id}/Caddyfile
+
+[expose-csr_id]
+depends = ${store-csr_id:command}
+recipe = slapos.cookbook:wrapper
+command-line = {{ parameter_dict['caddy'] }}
+  -conf ${expose-csr_id-template:rendered}
+  -log ${expose-csr_id-configuration:error-log}
+  -http2=true
+  -disable-http-challenge
+  -disable-tls-sni-challenge
+  -root ${directory:csr_id}
+
+wrapper-path = ${directory:service}/expose-csr_id
+hash-files = ${buildout:directory}/software_release/buildout.cfg
+
+[get-csr_id-certificate]
+recipe = collective.recipe.shelloutput
+commands =
+  certificate = cat ${certificate-csr_id:certificate}
+
+[jinja2-template-base]
+recipe = slapos.recipe.template:jinja2
+rendered = ${buildout:directory}/${:filename}
+extra-context =
+slapparameter_dict = {{ dumps(instance_parameter['configuration']) }}
+slap_software_type = {{ dumps(instance_parameter['slap-software-type']) }}
+context =
+    import json_module json
+    raw common_profile {{ parameter_dict['common_profile'] }}
+    key slap_software_type :slap_software_type
+    key slapparameter_dict :slapparameter_dict
+    section directory directory
+    ${:extra-context}
+
+[kedifa-config]
+ip = {{ instance_parameter['ipv6-random'] }}
+port = {{ instance_parameter['configuration.kedifa_port'] }}
+db = ${directory:kedifa}/kedifa.sqlite
+certificate = ${directory:etc-kedifa}/certificate.pem
+key = ${:certificate}
+ca-certificate = ${directory:etc-kedifa}/ca-certificate.pem
+crl = ${directory:etc-kedifa}/crl.pem
+template-csr = ${directory:etc-kedifa}/template-csr.pem
+pidfile = ${directory:run}/kedifa.pid
+
+[kedifa-reloader]
+recipe = slapos.cookbook:wrapper
+command-line = kill -SIGHUP `cat ${kedifa-config:pidfile}`
+wrapper-path = ${directory:etc-run}/kedifa-reloader
+
+[kedifa]
+recipe = slapos.cookbook:wrapper
+command-line = {{ parameter_dict['kedifa'] }}
+  --ip ${kedifa-config:ip}
+  --port ${kedifa-config:port}
+  --db ${kedifa-config:db}
+  --certificate ${kedifa-config:certificate}
+  --ca-certificate ${kedifa-config:ca-certificate}
+  --crl ${kedifa-config:crl}
+  --pidfile ${kedifa-config:pidfile}
+
+wrapper-path = ${directory:service}/kedifa
+hash-files = ${buildout:directory}/software_release/buildout.cfg
+
+# Publish KeDiFa configuration for upload and download for each slave
+{%- set slave_kedifa_information = {} -%}
+{%- for slave in slapparameter_dict['slave-list'] -%}
+{%-   set slave_reference = slave['slave_reference'] -%}
+{%-   set slave_dict = {} -%}
+{%-   do slave_dict.__setitem__('key-generate-auth-url', 'https://[${kedifa-config:ip}]:${kedifa-config:port}/${%s-auth-random:passwd}/generateauth' % (slave_reference,)) -%}
+{%-   do slave_dict.__setitem__('key-upload-url', 'https://[${kedifa-config:ip}]:${kedifa-config:port}/${%s-auth-random:passwd}?auth=' % (slave_reference,)) -%}
+{%-   do slave_dict.__setitem__('key-download-url', 'https://[${kedifa-config:ip}]:${kedifa-config:port}/${%s-auth-random:passwd}' % (slave_reference,)) -%}
+{%-   do slave_kedifa_information.__setitem__(slave_reference, slave_dict) %}
+[{{ slave_reference }}-auth-random-generate]
+recipe = plone.recipe.command
+file = ${directory:reservation}/${:_buildout_section_name_}
+command =
+  [ ! -f ${:file} ] && {{ parameter_dict['curl'] }}/bin/curl -s -g -X POST https://[${kedifa-config:ip}]:${kedifa-config:port}/reserve-id --cert ${kedifa-config:certificate} --cacert ${kedifa-config:ca-certificate} > ${:file}.tmp && mv ${:file}.tmp ${:file}
+update-command = ${:command}
+
+[{{ slave_reference }}-auth-random]
+recipe = collective.recipe.shelloutput
+file = {{ '${' + slave_reference }}-auth-random-generate:file}
+commands =
+  passwd = cat ${:file} 2>/dev/null || echo "NotReadyYet"
+
+{% endfor %}
+
+[master-auth-random-generate]
+recipe = plone.recipe.command
+file = ${directory:reservation}/${:_buildout_section_name_}
+command =
+  [ ! -f ${:file} ] && {{ parameter_dict['curl'] }}/bin/curl -s -g -X POST https://[${kedifa-config:ip}]:${kedifa-config:port}/reserve-id --cert ${kedifa-config:certificate} --cacert ${kedifa-config:ca-certificate} > ${:file}.tmp && mv ${:file}.tmp ${:file}
+update-command = ${:command}
+
+[master-auth-random]
+recipe = collective.recipe.shelloutput
+file = ${master-auth-random-generate:file}
+commands =
+  passwd = cat ${:file} 2>/dev/null || echo "NotReadyYet"
+
+[slave-kedifa-information]
+recipe = slapos.cookbook:publish.serialised
+slave-kedifa-information = {{ json_module.dumps(slave_kedifa_information) }}
+caucase-url = {{ caucase_url }}
+master-key-generate-auth-url = https://[${kedifa-config:ip}]:${kedifa-config:port}/${master-auth-random:passwd}/generateauth
+master-key-upload-url = https://[${kedifa-config:ip}]:${kedifa-config:port}/${master-auth-random:passwd}?auth=
+master-key-download-url = https://[${kedifa-config:ip}]:${kedifa-config:port}/${master-auth-random:passwd}
+csr_id-url = https://[${expose-csr_id-configuration:ip}]:${expose-csr_id-configuration:port}/csr_id.txt
+csr_id-certificate = ${get-csr_id-certificate:certificate}
+{%- endif -%} {# if slap_software_type in software_type #}
--- a/software/caddy-frontend/instance-output-schema.json
+++ b/software/caddy-frontend/instance-output-schema.json
@@ -10,6 +10,14 @@
      "description": "Base domain used by the instance",
      "type": "string"
    },
+    "master-key-generate-auth-url": {
+      "description": "URL to GET once auth for master-key-upload-url",
+      "type": "string"
+    },
+    "master-key-upload-url": {
+      "description": "URL to PUT PEM bundle of main certificate and key",
+      "type": "string"
+    },
    "monitor-base-url": {
      "description": "Base url for monitor",
      "type": "string"
@@ -37,6 +45,22 @@
    "slave-amount": {
      "description": "Total amount of Slaves allocated to the Instance (include blocked ones)",
      "type": "integer"
+    },
+    "kedifa-csr_id-url": {
+      "description": "URL on which KeDiFa publishes its csr_id sent to caucase.",
+      "type": "string"
+    },
+    "kedifa-csr_id-certificate": {
+      "description": "Certificate used to serve data on kedifa-csr_id-url.",
+      "type": "string"
+    },
+    "caddy-frontend-N-csr_id-url": {
+      "description": "URL on which frontend node number N publishes its csr_id sent to caucase.",
+      "type": "string"
+    },
+    "caddy-frontend-N-csr_id-certificate": {
+      "description": "Certificate used to serve data on caddy-frontend-N-csr_id-url.",
+      "type": "string"
    }
  },
  "type": "object"