stack/erp5: support frontend-caucase-url-list option.
... | @@ -453,6 +453,11 @@ | ... | @@ -453,6 +453,11 @@ |
"ssl": { | "ssl": { | ||
"description": "HTTPS certificate generation parameters", | "description": "HTTPS certificate generation parameters", | ||
"properties": { | "properties": { | ||
"frontend-caucase-url-list": { | |||
|
|||
"title": "Frontend Caucase URL List", | |||
"description": "List of URLs of caucase service of frontend groups.", | |||
"type": "array" | |||
}, | |||
"caucase-url": { | "caucase-url": { | ||
"title": "Caucase URL", | "title": "Caucase URL", | ||
"description": "URL of caucase service to use. If not set, global setting will be used.", | "description": "URL of caucase service to use. If not set, global setting will be used.", | ||
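Review bot: The new `frontend-caucase-url-list` property at lines 7–13 declares `"type": "array"` but gives no `items` schema, so entries are not constrained to strings and a list of numbers or objects passes validation only to fail later when the template hands each entry to a caucase updater as a URL. Adding `"items": {"type": "string"}` closes that gap. The description could also say that the option is optional and that leaving it unset means no extra frontend groups, since no `default` is given here while the sibling `caucase-url` description already spells out its fallback.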
... | @@ -21,22 +21,40 @@ recipe = slapos.recipe.template:jinja2 | ... | @@ -21,22 +21,40 @@ recipe = slapos.recipe.template:jinja2 |
mode = 644 | mode = 644 | ||
{{ caucase.updater( | {{ caucase.updater( | ||
prefix='caucase-updater', | prefix='caucase-updater-0', | ||
|
|||
buildout_bin_directory=parameter_dict['bin-directory'], | buildout_bin_directory=parameter_dict['bin-directory'], | ||
updater_path='${directory:services-on-watch}/caucase-updater', | updater_path='${directory:services-on-watch}/caucase-updater-0', | ||
url=ssl_parameter_dict['caucase-url'], | url=ssl_parameter_dict['caucase-url'], | ||
data_dir='${directory:srv}/caucase-updater', | data_dir='${directory:srv}/caucase-updater-0', | ||
|
|||
crt_path='${apache-conf-ssl:caucase-cert}', | crt_path='${apache-conf-ssl:caucase-cert}', | ||
ca_path='${apache-conf-ssl:ca-cert}', | ca_path='${directory:srv}/caucase-updater-0/ca.crt', | ||
crl_path='${apache-conf-ssl:crl}', | crl_path='${directory:srv}/caucase-updater-0/crl.pem', | ||
key_path='${apache-conf-ssl:caucase-key}', | key_path='${apache-conf-ssl:caucase-key}', | ||
on_renew='${apache-graceful:output}', | on_renew='${apache-graceful:output}', | ||
max_sleep=ssl_parameter_dict.get('max-crl-update-delay', 1.0), | max_sleep=ssl_parameter_dict.get('max-crl-update-delay', 1.0), | ||
template_csr_pem=ssl_parameter_dict.get('csr'), | template_csr_pem=ssl_parameter_dict.get('csr'), | ||
openssl=parameter_dict['openssl'] ~ '/bin/openssl', | openssl=parameter_dict['openssl'] ~ '/bin/openssl', | ||
)}} | )}} | ||
{% do section('caucase-updater') -%} | {% do section('caucase-updater-0') -%} | ||
{% do section('caucase-updater-promise') -%} | {% do section('caucase-updater-0-promise') -%} | ||
{% for idx, frontend_caucase_url in enumerate(ssl_parameter_dict['frontend-caucase-url-list']) -%} | |||
{{ caucase.updater( | |||
prefix='caucase-updater-%s' % (idx + 1), | |||
buildout_bin_directory=parameter_dict['bin-directory'], | |||
updater_path='${directory:services-on-watch}/caucase-updater-%s' % (idx + 1), | |||
url=frontend_caucase_url, | |||
data_dir='${directory:srv}/caucase-updater-%s' % (idx + 1), | |||
ca_path='${directory:srv}/caucase-updater-%s/ca.crt' % (idx + 1), | |||
crl_path='${directory:srv}/caucase-updater-%s/crl.pem' % (idx + 1), | |||
on_renew='${apache-graceful:output}', | |||
max_sleep=ssl_parameter_dict.get('max-crl-update-delay', 1.0), | |||
template_csr_pem=ssl_parameter_dict.get('csr'), | |||
openssl=parameter_dict['openssl'] ~ '/bin/openssl', | |||
)}} | |||
{% do section('caucase-updater-%s' % (idx + 1)) -%} | |||
{% do section('caucase-updater-%s-promise' % (idx + 1)) -%} | |||
{% endfor -%} | |||
{% set haproxy_dict = {} -%} | {% set haproxy_dict = {} -%} | ||
{% set apache_dict = {} -%} | {% set apache_dict = {} -%} | ||
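Review bot: The new loop at line 41 indexes `ssl_parameter_dict['frontend-caucase-url-list']` directly, while the same dict's other optional keys (`max-crl-update-delay` and `csr` at lines 35–36 and 51–52) go through `.get`; with Jinja's default `Undefined` an unset list silently renders zero extra updaters, with `StrictUndefined` rendering fails, and I can't see from here which this template uses. `enumerate(ssl_parameter_dict.get('frontend-caucase-url-list', []))` makes the option genuinely optional either way. The merge script in the later hunk instead reads a bare `frontend_caucase_url_list` (line 71); if that name is not bound elsewhere in the template the two sites can disagree about the list length, so binding it once, `{% set frontend_caucase_url_list = ssl_parameter_dict.get('frontend-caucase-url-list', []) -%}`, and using it at both sites keeps the number of updaters and the bundle's path list in step.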
... | @@ -176,9 +194,22 @@ wait-for-files = | ... | @@ -176,9 +194,22 @@ wait-for-files = |
recipe = collective.recipe.template | recipe = collective.recipe.template | ||
output = ${directory:bin}/apache-httpd-graceful | output = ${directory:bin}/apache-httpd-graceful | ||
mode = 700 | mode = 700 | ||
input = inline: | input = | ||
#!/bin/sh | inline: | ||
kill -USR1 "$(cat '${apache-conf-parameter-dict:pid-file}')" | #!{{parameter_dict['bin-directory']}}/python2.7 | ||
from lock_file import LockFile | |||
import os | |||
import subprocess | |||
with LockFile('${apache-conf-ssl:ca-cert}.lock', wait = True): | |||
ca_path_list = [{% for idx in range(len(frontend_caucase_url_list) + 1) -%} '{{ '${directory:srv}/caucase-updater-%s/ca.crt' % idx }}', {% endfor -%}] | |||
valid_ca_path_list = [path for path in ca_path_list | |||
if os.path.isfile(path) and subprocess.call(['openssl', 'x509', '-in', path], stdout=subprocess.PIPE) == 0] | |||
file('${apache-conf-ssl:ca-cert}', 'w').write('\n'.join(file(path).read() for path in valid_ca_path_list)) | |||
crl_path_list = [{% for idx in range(len(frontend_caucase_url_list) + 1) -%} '{{ '${directory:srv}/caucase-updater-%s/crl.pem' % idx }}', {% endfor -%}] | |||
valid_crl_path_list = [path for path in crl_path_list | |||
if os.path.isfile(path) and subprocess.call(['openssl', 'crl', '-in', path], stdout=subprocess.PIPE) == 0] | |||
file('${apache-conf-ssl:crl}', 'w').write('\n'.join(file(path).read() for path in valid_crl_path_list)) | |||
subprocess.call(['kill', '-USR1', file('${apache-conf-parameter-dict:pid-file}').read().strip()]) | |||
|
|||
[{{ section('apache-promise') }}] | [{{ section('apache-promise') }}] | ||
<= monitor-promise-base | <= monitor-promise-base | ||
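Review bot: The two validation calls at lines 73 and 77 run a bare `openssl` resolved from PATH, whereas every other invocation in this template (lines 37 and 53) uses `parameter_dict['openssl'] ~ '/bin/openssl'`; the graceful hook runs from a service context where I can't see that the same binary is on PATH, and a missing or different openssl makes every call return non-zero, which silently drops all CAs and CRLs from the bundles rather than failing loudly. The bundle writes at lines 74 and 78 also truncate the live `ca-cert` and `crl` files in place, so a crash between open and write leaves Apache with an empty trust store until the next renewal; writing beside the target and `os.rename`-ing over it keeps the swap atomic under the lock already held. Both sites use the Python 2 `file()` builtin without closing, where `with open(...)` is the idiom the same interpreter supports. The hunk ends before `[apache-promise]`, and the final `kill -USR1` line is unchanged in the sketch below.

```python
OPENSSL = '{{ parameter_dict['openssl'] }}/bin/openssl'

def valid_path_list(path_list, subcommand):
    # keep only files the configured openssl can parse; stderr stays visible in the service log
    return [path for path in path_list
            if os.path.isfile(path) and subprocess.call([OPENSSL, subcommand, '-in', path], stdout=subprocess.PIPE) == 0]

def write_bundle(destination, path_list):
    # build the bundle next to the target and rename it into place so readers never see a truncated file
    tmp_path = destination + '.tmp'
    with open(tmp_path, 'w') as out:
        out.write('\n'.join(open(path).read() for path in path_list))
    os.rename(tmp_path, destination)

with LockFile('${apache-conf-ssl:ca-cert}.lock', wait=True):
    # … unchanged: jinja-generated ca_path_list / crl_path_list …
    write_bundle('${apache-conf-ssl:ca-cert}', valid_path_list(ca_path_list, 'x509'))
    write_bundle('${apache-conf-ssl:crl}', valid_path_list(crl_path_list, 'crl'))
    # … unchanged: kill -USR1 on the apache pid …
```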