Allow to setup certificate authority path

797e3954 · Alain Takoudjou · 1d0f62dc · 797e3954 · 797e3954 · 797e3954
Commit 797e3954 authored Oct 16, 2014 by Alain Takoudjou
4 changed files
--- a/software/slapos-master/instance-balancer.cfg.in
+++ b/software/slapos-master/instance-balancer.cfg.in
@@ -3,6 +3,7 @@
 {% set ssl_parameter_dict = slapparameter_dict.get('ssl', {}) %}
 {% macro section(name) %}{% do part_list.append(name) %}{{ name }}{% endmacro -%}
 {% set use_ipv6 = slapparameter_dict.get('use-ipv6', False) -%}
+{% set ca_path = slapparameter_dict['certificate-authority-path'] -%}
 {#
 XXX: This template only supports exactly one IPv4 and (if ipv6 is used) one IPv6
 per partition. No more (undefined result), no less (IndexError).
@@ -76,22 +77,6 @@ ipv6 = {{ zope_address.split(']:')[0][1:] }}
 {%   set next_port = next_port + 1 -%}
 {% endfor -%}

-[apache-certificate-authority]
-recipe = slapos.cookbook:certificate_authority
-openssl-binary = {{ parameter_dict['openssl'] }}/bin/openssl
-ca-dir = ${directory:ca-dir}
-requests-directory = ${directory:requests}
-wrapper = ${directory:services}/apache-ca
-ca-private = ${directory:private}
-ca-certs = ${directory:certs}
-ca-newcerts = ${directory:newcerts}
-ca-crl = ${directory:crl}
-country-code = {{ slapparameter_dict['country-code'] }}
-email = {{ slapparameter_dict['email'] }}
-state = {{ slapparameter_dict['state'] }}
-city = {{ slapparameter_dict['city'] }}
-company = {{ slapparameter_dict['company'] }}
-
 [haproxy-cfg-parameter-dict]
 socket-path = ${directory:run}/haproxy.sock
 server-check-path = {{ dumps(slapparameter_dict['haproxy-server-check-path']) }}
@@ -136,8 +121,8 @@ ssl-session-cache = ${directory:log}/apache-ssl-session-cache
 ca-cert = {{ dumps(ssl_parameter_dict.get('ca-cert')) }}
 crl = {{ dumps(ssl_parameter_dict.get('ca-crl')) }}
 {% else -%}
-ca-cert = ${apache-certificate-authority:ca-dir}/cacert.pem
-crl = ${apache-certificate-authority:ca-crl}
+ca-cert = {{ ca_path }}/cacert.pem
+crl = {{ ca_path }}/crl
 {% endif -%}

 [apache-conf]
@@ -189,19 +174,12 @@ services = ${:etc}/run
 var = ${buildout:directory}/var
 run = ${:var}/run
 log = ${:var}/log
-ca-dir = ${buildout:directory}/srv/ssl
-requests = ${:ca-dir}/requests
-private = ${:ca-dir}/private
-certs = ${:ca-dir}/certs
-newcerts = ${:ca-dir}/newcerts
-crl = ${:ca-dir}/crl

 [buildout]
 extends = {{ parameter_dict['instance-logrotate-cfg'] }}
 parts +=
  publish
  logrotate-apache
-  apache-certificate-authority
  {{ part_list | join('\n  ') }}
 eggs-directory = {{ eggs_directory }}
 develop-eggs-directory = {{ develop_eggs_directory }}

--- a/software/slapos-master/instance-erp5.cfg.in
+++ b/software/slapos-master/instance-erp5.cfg.in
@@ -71,6 +71,7 @@ return =
 extra-config =
  bt5
  bt5-repository-url
+  ca-path
  cloudooo-url
  deadlock-debugger-password
  developer-list
@@ -98,6 +99,7 @@ extra-config =
  zodb-storage-type
 config-bt5 = {{ dumps(slapparameter_dict.get('bt5', 'erp5_full_text_myisam_catalog erp5_configurator_standard erp5_configurator_maxma_demo erp5_configurator_ung erp5_configurator_run_my_doc slapos_configurator')) }}
 config-bt5-repository-url = {{ dumps(slapparameter_dict.get('bt5-repository-url', local_bt5_repository)) }}
+config-ca-path = ${directory:ca-dir}
 config-cloudooo-url = ${request-cloudooo:connection-url}
 config-deadlock-debugger-password = ${deadlock-debugger-password:passwd}
 config-developer-list = {{ dumps(slapparameter_dict.get('developer-list', [inituser_login])) }}
@@ -176,11 +178,7 @@ extra-config =
  ssl-authentication-dict
  ssl
  zope-family-dict
-  country-code
-  email
-  state
-  city
-  company
+  certificate-authority-path
  {{ zope_address_list_id_dict.values() | join(' ') }}
 return =
 {%- for family in zope_family_dict %}
@@ -197,11 +195,7 @@ config-{{ name }} = {{ ' ${' ~ zope_section_id ~ ':connection-zope-address-list}
 # XXX: should those really be same for all families ?
 config-haproxy-server-check-path = {{ dumps(balancer_dict.get('haproxy-server-check-path', '/') % {'site-id': site_id}) }}
 config-ssl = {{ dumps(balancer_dict.get('ssl', {})) }}
-config-country-code = {{ slapparameter_dict.get('country-code', 'ZZ') }}
-config-email = {{ slapparameter_dict.get('email', 'nobody@example.com') }}
-config-state = {{ slapparameter_dict.get('state', "('State',)") }}
-config-city = {{ slapparameter_dict.get('city', 'City') }}
-config-company = {{ slapparameter_dict.get('company', 'Compagny') }}
+config-certificate-authority-path = ${directory:ca-dir}

 [request-frontend-base]
 {% if has_frontend -%}
@@ -224,6 +218,39 @@ config-{{ name }} = {{ value }}
 return = site_url
 {% endif -%}

+
+[directory]
+recipe = slapos.cookbook:mkdirectory
+{% if slapparameter_dict.get('certificate-authority-path', '') -%}
+ca-dir = {{ slapparameter_dict.get('certificate-authority-path') }}
+{% else -%}
+ca-dir = ${buildout:directory}/srv/ssl
+{% endif -%}
+bin = ${buildout:directory}/bin
+etc = ${buildout:directory}/etc
+services = ${:etc}/run
+requests = ${:ca-dir}/requests
+private = ${:ca-dir}/private
+certs = ${:ca-dir}/certs
+newcerts = ${:ca-dir}/newcerts
+crl = ${:ca-dir}/crl
+
+[apache-certificate-authority]
+recipe = slapos.cookbook:certificate_authority
+openssl-binary = {{ openssl_location }}/bin/openssl
+ca-dir = ${directory:ca-dir}
+requests-directory = ${directory:requests}
+wrapper = ${directory:services}/service-ca
+ca-private = ${directory:private}
+ca-certs = ${directory:certs}
+ca-newcerts = ${directory:newcerts}
+ca-crl = ${directory:crl}
+country-code = {{ dumps(slapparameter_dict.get('country-code', 'ZZ')) }}
+email = {{ dumps(slapparameter_dict.get('email', 'nobody@example.com')) }}
+state = {{ dumps(slapparameter_dict.get('state', "('State',)")) }}
+city = {{ dumps(slapparameter_dict.get('city', 'City')) }}
+company = {{ dumps(slapparameter_dict.get('company', 'Compagny')) }}
+
 [publish]
 recipe = slapos.cookbook:publish.serialised
 deadlock-debugger-password = ${deadlock-debugger-password:passwd}
@@ -238,7 +265,9 @@ hosts-dict = {{ '${' ~ zope_address_list_id_dict.keys()[0] ~ ':connection-hosts-
 {% endfor -%}

 [buildout]
-parts = publish
+parts = 
+  apache-certificate-authority
+  publish
 eggs-directory = {{ eggs_directory }}
 develop-eggs-directory = {{ develop_eggs_directory }}
 {% endif %}
--- a/software/slapos-master/instance-zope.cfg.in
+++ b/software/slapos-master/instance-zope.cfg.in
--- a/software/slapos-master/software.cfg
+++ b/software/slapos-master/software.cfg
@@ -34,6 +34,12 @@ repository = http://git.erp5.org/repos/slapos.core.git
 branch = operation-control
 git-executable = ${git:location}/bin/git

+[slapos.cookbook-repository]
+recipe = slapos.recipe.build:gitclone
+repository = http://git.erp5.org/repos/slapos.git
+branch = slapos-master-cluster
+git-executable = ${git:location}/bin/git
+
 [vifib-fix-products-paths]
 recipe = plone.recipe.command
 stop-on-error = true
@@ -64,12 +70,17 @@ mode = 644
 [template-erp5]
 < = download-base-part
 filename = instance-erp5.cfg.in
-md5sum = e6e7e8add73df0bc7823dee2dd916d62
+md5sum = 4f271175389a2e67f2092885b69c0208

 [template-balancer]
 < = download-base-part
 filename = instance-balancer.cfg.in
-md5sum = 08b9ef093af926378b58d384539b3417
+md5sum = b4120ea2d07af771aeaa2ffe38d3bef9
+
+[template-zope]
+< = download-base-part
+filename = instance-zope.cfg.in
+md5sum = b1bf0f082a63530970e3e25ef256ff4f

 [template-apache-conf]
 < = download-base-part
@@ -86,6 +97,7 @@ md5sum = 61824aab2172d21f1d6403a35cab47cd
 python-memcached = 1.47
 facebook-sdk = 0.4.0
 google-api-python-client = 1.2
+jsonschema = 2.4.0

 # stick to Zope 2.12.22 because Zope 2.12.23's
 # ObjectManager.__getitem__ is much slower for a module having lots of