Commit 73b4ed1c authored by Jérome Perrin

stack/erp5: use new caucase data dir

Until now, the caucase stack was re-generating a new key every time the
software release was upgraded. That was not really a problem because
we were not using this certificate, but since af7a0208 (ERP5: Test
balancer partition and use caucase certificate for balancer, 2020-11-04)
we are using the caucase certificate for balancer.

The problem is that it was not possible to update old instances, since on
"very old" instances the original key was lost, and also since in af7a0208
we switched to using a CSR template, this also generated a new key, so updating
from "not so old" instances was not possible either.

Now we have an upgrade test that will confirm that our changes in ERP5 do
not prevent updating old instances, so we ignore all our past mistakes
with certificate management in this software release and start over with a
new data dir.
parent 17fd6279
......@@ -78,7 +78,7 @@ md5sum = 68b329da9893e34099c7d8ad5cb9c940
[template-erp5]
filename = instance-erp5.cfg.in
md5sum = 6fdeb7f59d9f06b638cf7c81a4c38560
md5sum = 42cb8aca82729c42f415e435b7f58135
[template-zeo]
filename = instance-zeo.cfg.in
......@@ -90,7 +90,7 @@ md5sum = b246e794ef3d230e3b01ed3fc1a42d0c
[template-balancer]
filename = instance-balancer.cfg.in
md5sum = d05ebb4270d83eba1f0f11c70222cab0
md5sum = 6c422234da191bb8b7258df0b0fd8b49
[template-haproxy-cfg]
filename = haproxy.cfg.in
......
......@@ -56,10 +56,10 @@ csr = ${directory:srv}/${:_buildout_section_name_}.csr.pem
buildout_bin_directory=parameter_dict['bin-directory'],
updater_path='${directory:services-on-watch}/caucase-updater',
url=ssl_parameter_dict['caucase-url'],
data_dir='${directory:srv}/caucase-updater',
data_dir='${directory:caucase-updater}',
crt_path='${tls:certificate}',
ca_path='${directory:srv}/caucase-updater/ca.crt',
crl_path='${directory:srv}/caucase-updater/crl.pem',
ca_path='${directory:caucase-updater}/ca.crt',
crl_path='${directory:caucase-updater}/crl.pem',
key_path='${tls:certificate}',
on_renew='${haproxy-reload:output}',
max_sleep=ssl_parameter_dict.get('max-crl-update-delay', 1.0),
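Review bot: crt_path and key_path still both point at `${tls:certificate}`, and the hunk header shows the CSR still lives under `${directory:srv}`, so only the CA, CRL and updater state move to the new data dir. On an upgraded instance the file at `${tls:certificate}` may still hold the key and certificate issued under the old state, while ca.crt and crl.pem in `${directory:caucase-updater}` start empty. Please confirm (ideally in the upgrade test mentioned in the commit message) that the updater replaces that old key and certificate rather than keeping them, or move the certificate path along with the data dir so the "start over" covers the key material too.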
......@@ -336,6 +336,7 @@ log = ${:var}/log
srv = ${buildout:directory}/srv
apachedex = ${monitor-directory:private}/apachedex
rsyslogd-spool = ${:run}/rsyslogd-spool
caucase-updater = ${:srv}/caucase-updater-v2
{% if frontend_caucase_url_list -%}
ca-cert = ${:etc}/ssl.crt
crl = ${:etc}/ssl.crl
......
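Review bot: the new `caucase-updater = ${:srv}/caucase-updater-v2` entry has no comment explaining the `-v2` suffix, and nothing in the visible lines deals with the previous `${:srv}/caucase-updater` directory, which will stay on disk in upgraded partitions with the stale CA, CRL and possibly key files. A short comment next to the entry saying why the directory is versioned, and either a cleanup step or a note that the old directory is intentionally left behind, would keep the next reader from pointing something back at the old path.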
......@@ -86,7 +86,7 @@ backup-caucased = ${:srv}/backup/caucased
buildout_bin_directory=bin_directory,
caucased_path='${directory:service-on-watch}/caucased',
backup_dir='${directory:backup-caucased}',
data_dir='${directory:srv}/caucased',
data_dir='${directory:srv}/caucased-v2',
netloc=caucase_netloc,
service_auto_approve_count=caucase_dict.get('service-auto-approve-amount', 1),
user_auto_approve_count=caucase_dict.get('user-auto-approve-amount', 0),
......
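Review bot: data_dir moves to `${directory:srv}/caucased-v2` but backup_dir is unchanged at `${directory:backup-caucased}`, which the hunk header shows as `${:srv}/backup/caucased`. Backups taken from the abandoned data dir and backups of the new CA would then share one directory, so a later restore could bring back the old CA state this commit is trying to leave behind. Consider versioning the backup directory as well, or clearing it on upgrade. As a smaller style point, the path is hard-coded inline here, whereas the balancer template adds a `[directory]` entry for its `-v2` path; a matching `caucased` directory entry would keep the two templates consistent.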