Commit e1236eea authored by Kazuhiko Shiozaki's avatar Kazuhiko Shiozaki

stack/erp5: support frontend-caucase-url-list option.

parent 921a98a0
......@@ -453,6 +453,11 @@
"ssl": {
"description": "HTTPS certificate generation parameters",
"properties": {
"frontend-caucase-url-list": {
"title": "Frontend Caucase URL List",
"description": "List of URLs of caucase service of frontend groups.",
"type": "array"
},
"caucase-url": {
"title": "Caucase URL",
"description": "URL of caucase service to use. If not set, global setting will be used.",
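Review bot: The new `frontend-caucase-url-list` property is declared only as `"type": "array"`, so the schema accepts any element type even though each entry is later used as a caucase service URL. Constrain the elements with `"items": {"type": "string", "format": "uri"}` so a misconfigured entry is rejected at parameter validation rather than surfacing as a failing updater. The surrounding `ssl` object starts before this hunk.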
......@@ -43,9 +43,9 @@ config-command = '{{ buildout_bin_directory }}/caucase-probe' 'http://{{ netloc
updater_path,
url,
data_dir,
crt_path,
ca_path,
crl_path,
crt_path=None,
  • (the whole diff on this file) Good change, thanks. Please put in a separate commit.

  • Done. 877f8339

    Do you think it is better to reorder arguments in all existing caucase.update(...) usages ? All are currently using named parameters thus no strict need to reorder.

  • Do you think it is better to reorder arguments in all existing caucase.update(...) usages ? All are currently using named parameters thus no strict need to reorder.

    I don't think it is necessary.

    It is good practice that callers use all-named arguments for this macro (and probably any SR library macro), even without refactoring in mind there are enough arguments that it could get quite confusing very quickly.

key_path=None,
on_renew=None,
max_sleep=None,
......@@ -59,24 +59,25 @@ config-command = '{{ buildout_bin_directory }}/caucase-probe' 'http://{{ netloc
recipe = slapos.cookbook:mkdirectory
data-dir = {{ data_dir }}
{% if template_csr_pem or template_csr -%}
{% if crt_path %}
{% if template_csr_pem or template_csr -%}
[{{ prefix }}-provided-csr-content]
{% if template_csr_pem %}
{% if template_csr_pem %}
content = {{ dumps(template_csr_pem) }}
{% elif template_csr %}
{% elif template_csr %}
content = {{ template_csr }}
{% endif %}
{% endif %}
[{{ prefix }}-provided-csr]
recipe = slapos.recipe.template:jinja2
mode = 644
{% if template_csr_pem %}
{% if template_csr_pem %}
template = inline:{{ '{{ content }}' }}
rendered = ${ {{- prefix }}-directory:data-dir}/provided.csr.pem
context = key content {{ prefix }}-provided-csr-content:content
{% elif template_csr %}
{% elif template_csr %}
template = {{ '${' + prefix }}-provided-csr-content:content}
rendered = ${ {{- prefix }}-directory:data-dir}/provided.csr.pem
{% endif %}
{% endif %}
{{ rerequest(
prefix=prefix ~ '-csr',
buildout_bin_directory=buildout_bin_directory,
......@@ -84,12 +85,13 @@ rendered = ${ {{- prefix }}-directory:data-dir}/provided.csr.pem
csr='${:csr}',
key=key_path,
)}}
{%- else -%}
{%- else -%}
[{{ prefix }}-csr]
recipe = plone.recipe.command
command = '{{ openssl }}' req -newkey rsa:2048 -batch -new -nodes -subj /CN=example.com -keyout '{{ key_path or crt_path }}' -out '${:csr}'
{%- endif %}
{%- endif %}
csr = ${ {{- prefix }}-directory:data-dir}/good.csr.pem
{%- endif %}
[{{ prefix }}]
recipe = slapos.cookbook:wrapper
......@@ -98,8 +100,8 @@ command-line = '{{ buildout_bin_directory }}/caucase-updater'
--ca-url '{{ url }}'
--cas-ca '${ {{- prefix }}-directory:data-dir}/cas.crt.pem'
--mode '{{ mode }}'
--csr '${ {{- prefix }}-csr:csr}'
--crt '{{ crt_path }}'
{% if crt_path %}--csr '${ {{- prefix }}-csr:csr}'
--crt '{{ crt_path }}' {%- endif %}
--ca '{{ ca_path }}'
--crl '{{ crl_path }}'
{% if key_path %}--key '{{ key_path }}' {%- endif %}
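Review bot: `crt_path` becomes optional (`crt_path=None`) in the signature at the top of this section, but nothing documents what the macro does without it; the later hunks show that the CSR section is wrapped in `{% if crt_path %}` and that `--csr`/`--crt` are no longer passed, leaving only `--ca`/`--crl`, presumably a CA/CRL-only mode. Add a comment next to the new default, e.g. `{# crt_path=None: no CSR is generated and no --csr/--crt is passed; the updater then only maintains ca_path and crl_path #}`. The `updater` macro header and the rest of its body lie outside these hunks. The `{%- endif %}` added just before `csr = ${ ... }-directory:data-dir}/good.csr.pem` closes an `{% if crt_path %}` opened roughly forty lines earlier, so a trailing `{# endif crt_path #}` would help readers match the pair.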
......@@ -78,7 +78,7 @@ md5sum = d41d8cd98f00b204e9800998ecf8427e
[template-erp5]
filename = instance-erp5.cfg.in
md5sum = 82dc695e212be124d60ceb1143e56b0d
md5sum = 038c367b7c4249d854bb0535891f29b3
[template-zeo]
filename = instance-zeo.cfg.in
......@@ -90,7 +90,7 @@ md5sum = 2f3ddd328ac1c375e483ecb2ef5ffb57
[template-balancer]
filename = instance-balancer.cfg.in
md5sum = 6851e0c28a025bd26a4d3450204ae335
md5sum = d375f1a15bade233fa134dcb05380f52
[template-haproxy-cfg]
filename = haproxy.cfg.in
......@@ -21,22 +21,40 @@ recipe = slapos.recipe.template:jinja2
mode = 644
{{ caucase.updater(
prefix='caucase-updater',
prefix='caucase-updater-0',
buildout_bin_directory=parameter_dict['bin-directory'],
updater_path='${directory:services-on-watch}/caucase-updater',
updater_path='${directory:services-on-watch}/caucase-updater-0',
url=ssl_parameter_dict['caucase-url'],
data_dir='${directory:srv}/caucase-updater',
data_dir='${directory:srv}/caucase-updater-0',
crt_path='${apache-conf-ssl:caucase-cert}',
ca_path='${apache-conf-ssl:ca-cert}',
crl_path='${apache-conf-ssl:crl}',
ca_path='${directory:srv}/caucase-updater-0/ca.crt',
crl_path='${directory:srv}/caucase-updater-0/crl.pem',
key_path='${apache-conf-ssl:caucase-key}',
on_renew='${apache-graceful:output}',
max_sleep=ssl_parameter_dict.get('max-crl-update-delay', 1.0),
template_csr_pem=ssl_parameter_dict.get('csr'),
openssl=parameter_dict['openssl'] ~ '/bin/openssl',
)}}
{% do section('caucase-updater') -%}
{% do section('caucase-updater-promise') -%}
{% do section('caucase-updater-0') -%}
{% do section('caucase-updater-0-promise') -%}
{% for idx, frontend_caucase_url in enumerate(ssl_parameter_dict['frontend-caucase-url-list']) -%}
{{ caucase.updater(
prefix='caucase-updater-%s' % (idx + 1),
buildout_bin_directory=parameter_dict['bin-directory'],
updater_path='${directory:services-on-watch}/caucase-updater-%s' % (idx + 1),
url=frontend_caucase_url,
data_dir='${directory:srv}/caucase-updater-%s' % (idx + 1),
ca_path='${directory:srv}/caucase-updater-%s/ca.crt' % (idx + 1),
crl_path='${directory:srv}/caucase-updater-%s/crl.pem' % (idx + 1),
on_renew='${apache-graceful:output}',
max_sleep=ssl_parameter_dict.get('max-crl-update-delay', 1.0),
template_csr_pem=ssl_parameter_dict.get('csr'),
openssl=parameter_dict['openssl'] ~ '/bin/openssl',
)}}
{% do section('caucase-updater-%s' % (idx + 1)) -%}
{% do section('caucase-updater-%s-promise' % (idx + 1)) -%}
{% endfor -%}
{% set haproxy_dict = {} -%}
{% set apache_dict = {} -%}
......@@ -176,9 +194,22 @@ wait-for-files =
recipe = collective.recipe.template
output = ${directory:bin}/apache-httpd-graceful
mode = 700
input = inline:
#!/bin/sh
kill -USR1 "$(cat '${apache-conf-parameter-dict:pid-file}')"
input =
inline:
#!{{parameter_dict['bin-directory']}}/python2.7
from lock_file import LockFile
import os
import subprocess
with LockFile('${apache-conf-ssl:ca-cert}.lock', wait = True):
ca_path_list = [{% for idx in range(len(frontend_caucase_url_list) + 1) -%} '{{ '${directory:srv}/caucase-updater-%s/ca.crt' % idx }}', {% endfor -%}]
valid_ca_path_list = [path for path in ca_path_list
if os.path.isfile(path) and subprocess.call(['openssl', 'x509', '-in', path], stdout=subprocess.PIPE) == 0]
file('${apache-conf-ssl:ca-cert}', 'w').write('\n'.join(file(path).read() for path in valid_ca_path_list))
crl_path_list = [{% for idx in range(len(frontend_caucase_url_list) + 1) -%} '{{ '${directory:srv}/caucase-updater-%s/crl.pem' % idx }}', {% endfor -%}]
valid_crl_path_list = [path for path in crl_path_list
if os.path.isfile(path) and subprocess.call(['openssl', 'crl', '-in', path], stdout=subprocess.PIPE) == 0]
file('${apache-conf-ssl:crl}', 'w').write('\n'.join(file(path).read() for path in valid_crl_path_list))
subprocess.call(['kill', '-USR1', file('${apache-conf-parameter-dict:pid-file}').read().strip()])
  • See review on ec721490. Otherwise, please explain why this is still needed (but I do not think it is).

[{{ section('apache-promise') }}]
<= monitor-promise-base
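Review bot: The new apache-httpd-graceful script validates each CA and CRL file with a bare `openssl` resolved from the caller's PATH (`subprocess.call(['openssl', 'x509', '-in', path], ...)` and `['openssl', 'crl', '-in', path]`), while the updater calls in the first hunk of this section use the configured binary via `parameter_dict['openssl'] ~ '/bin/openssl'`; since the files that pass this check become apache's trusted CA bundle and CRL, both calls should use the same pinned path, `'{{ parameter_dict["openssl"] }}/bin/openssl'`. A file that fails the check is dropped silently, so a broken `ca.crt` or `crl.pem` from any updater shrinks the trust set, or yields an empty CRL file, without any trace; at minimum print the skipped path to stderr. The two path lists are built from `frontend_caucase_url_list`, whereas the updater loop earlier in this section iterates `ssl_parameter_dict['frontend-caucase-url-list']`; if the former is not a `{% set %}` alias defined outside these hunks, the bundle will not cover every updater. The `file(...).write(...)` and `file(path).read()` calls also rely on CPython refcounting to close and flush the handles before the `kill -USR1` that follows; a `with open(...)` block would make that ordering explicit.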
......@@ -98,6 +98,7 @@ backup-caucased = ${:srv}/backup/caucased
{% do publish_dict.__setitem__('caucase-http-url', caucase_url) -%}
{% set balancer_dict = slapparameter_dict.get('balancer', {}) -%}
{% do balancer_dict.setdefault('ssl', {}).setdefault('caucase-url', caucase_url) -%}
{% do balancer_dict['ssl'].setdefault('frontend-caucase-url-list', []) -%}
{{ request('memcached-persistent', 'kumofs', 'kumofs', {'tcpv4-port': 2000}, {'url': True, 'monitor-base-url': False}, key_config={'monitor-passwd': 'monitor-htpasswd:passwd'}) }}
{{ request('memcached-volatile', 'kumofs', 'memcached', {'tcpv4-port': 2010, 'ram-storage-size': 64}, {'url': True, 'monitor-base-url': False}, key_config={'monitor-passwd': 'monitor-htpasswd:passwd'}) }}
......