stack/erp5: support frontend-caucase-url-list option.

software/erp5/instance-erp5-input-schema.json

@@ -453,6 +453,11 @@
         "ssl": {
           "description": "HTTPS certificate generation parameters",
           "properties": {
+            "frontend-caucase-url-list": {
+              "title": "Frontend Caucase URL List",
+              "description": "List of URLs of caucase service of frontend groups.",
+              "type": "array"
+            },
             "caucase-url": {
               "title": "Caucase URL",
               "description": "URL of caucase service to use. If not set, global setting will be used.",

stack/caucase/caucase.jinja2.library

@@ -43,9 +43,9 @@ config-command = '{{ buildout_bin_directory }}/caucase-probe' 'http://{{ netloc
   updater_path,
   url,
   data_dir,
-  crt_path,
   ca_path,
   crl_path,
+  crt_path=None,
   key_path=None,
   on_renew=None,
   max_sleep=None,
@@ -59,24 +59,25 @@ config-command = '{{ buildout_bin_directory }}/caucase-probe' 'http://{{ netloc
 recipe = slapos.cookbook:mkdirectory
 data-dir = {{ data_dir }}
 
-{% if template_csr_pem or template_csr -%}
+{% if crt_path %}
+{%   if template_csr_pem or template_csr -%}
 [{{ prefix }}-provided-csr-content]
-{%   if template_csr_pem %}
+{%     if template_csr_pem %}
 content = {{ dumps(template_csr_pem) }}
-{%   elif template_csr %}
+{%     elif template_csr %}
 content = {{ template_csr }}
-{%   endif %}
+{%     endif %}
 [{{ prefix }}-provided-csr]
 recipe = slapos.recipe.template:jinja2
 mode = 644
-{%   if template_csr_pem %}
+{%     if template_csr_pem %}
 template = inline:{{ '{{ content }}' }}
 rendered = ${ {{- prefix }}-directory:data-dir}/provided.csr.pem
 context = key content {{ prefix }}-provided-csr-content:content
-{%   elif template_csr %}
+{%     elif template_csr %}
 template = {{ '${' + prefix }}-provided-csr-content:content}
 rendered = ${ {{- prefix }}-directory:data-dir}/provided.csr.pem
-{%   endif %}
+{%     endif %}
 {{   rerequest(
        prefix=prefix ~ '-csr',
        buildout_bin_directory=buildout_bin_directory,
@@ -84,12 +85,13 @@ rendered = ${ {{- prefix }}-directory:data-dir}/provided.csr.pem
        csr='${:csr}',
        key=key_path,
 )}}
-{%- else -%}
+{%-   else -%}
 [{{ prefix }}-csr]
 recipe = plone.recipe.command
 command = '{{ openssl }}' req -newkey rsa:2048 -batch -new -nodes -subj /CN=example.com -keyout '{{ key_path or crt_path }}' -out '${:csr}'
-{%- endif %}
+{%-   endif %}
 csr = ${ {{- prefix }}-directory:data-dir}/good.csr.pem
+{%- endif %}
 
 [{{ prefix }}]
 recipe = slapos.cookbook:wrapper
@@ -98,8 +100,8 @@ command-line = '{{ buildout_bin_directory }}/caucase-updater'
   --ca-url '{{ url }}'
   --cas-ca '${ {{- prefix }}-directory:data-dir}/cas.crt.pem'
   --mode '{{ mode }}'
-  --csr '${ {{- prefix }}-csr:csr}'
-  --crt '{{ crt_path }}'
+  {% if crt_path %}--csr '${ {{- prefix }}-csr:csr}'
+  --crt '{{ crt_path }}' {%- endif %}
   --ca '{{ ca_path }}'
   --crl '{{ crl_path }}'
   {% if key_path %}--key '{{ key_path }}' {%- endif %}

stack/erp5/buildout.hash.cfg

@@ -78,7 +78,7 @@ md5sum = d41d8cd98f00b204e9800998ecf8427e
 
 [template-erp5]
 filename = instance-erp5.cfg.in
-md5sum = 82dc695e212be124d60ceb1143e56b0d
+md5sum = 038c367b7c4249d854bb0535891f29b3
 
 [template-zeo]
 filename = instance-zeo.cfg.in
@@ -90,7 +90,7 @@ md5sum = 2f3ddd328ac1c375e483ecb2ef5ffb57
 
 [template-balancer]
 filename = instance-balancer.cfg.in
-md5sum = 6851e0c28a025bd26a4d3450204ae335
+md5sum = d375f1a15bade233fa134dcb05380f52
 
 [template-haproxy-cfg]
 filename = haproxy.cfg.in

stack/erp5/instance-balancer.cfg.in

@@ -21,22 +21,40 @@ recipe = slapos.recipe.template:jinja2
 mode = 644
 
 {{ caucase.updater(
-     prefix='caucase-updater',
+     prefix='caucase-updater-0',
      buildout_bin_directory=parameter_dict['bin-directory'],
-     updater_path='${directory:services-on-watch}/caucase-updater',
+     updater_path='${directory:services-on-watch}/caucase-updater-0',
      url=ssl_parameter_dict['caucase-url'],
-     data_dir='${directory:srv}/caucase-updater',
+     data_dir='${directory:srv}/caucase-updater-0',
      crt_path='${apache-conf-ssl:caucase-cert}',
-     ca_path='${apache-conf-ssl:ca-cert}',
-     crl_path='${apache-conf-ssl:crl}',
+     ca_path='${directory:srv}/caucase-updater-0/ca.crt',
+     crl_path='${directory:srv}/caucase-updater-0/crl.pem',
      key_path='${apache-conf-ssl:caucase-key}',
      on_renew='${apache-graceful:output}',
      max_sleep=ssl_parameter_dict.get('max-crl-update-delay', 1.0),
      template_csr_pem=ssl_parameter_dict.get('csr'),
      openssl=parameter_dict['openssl'] ~ '/bin/openssl',
 )}}
-{% do section('caucase-updater') -%}
-{% do section('caucase-updater-promise') -%}
+{% do section('caucase-updater-0') -%}
+{% do section('caucase-updater-0-promise') -%}
+
+{% for idx, frontend_caucase_url in enumerate(ssl_parameter_dict['frontend-caucase-url-list']) -%}
+{{   caucase.updater(
+       prefix='caucase-updater-%s' % (idx + 1),
+       buildout_bin_directory=parameter_dict['bin-directory'],
+       updater_path='${directory:services-on-watch}/caucase-updater-%s' % (idx + 1),
+       url=frontend_caucase_url,
+       data_dir='${directory:srv}/caucase-updater-%s' % (idx + 1),
+       ca_path='${directory:srv}/caucase-updater-%s/ca.crt' % (idx + 1),
+       crl_path='${directory:srv}/caucase-updater-%s/crl.pem' % (idx + 1),
+       on_renew='${apache-graceful:output}',
+       max_sleep=ssl_parameter_dict.get('max-crl-update-delay', 1.0),
+       template_csr_pem=ssl_parameter_dict.get('csr'),
+       openssl=parameter_dict['openssl'] ~ '/bin/openssl',
+     )}}
+{%   do section('caucase-updater-%s' % (idx + 1)) -%}
+{%   do section('caucase-updater-%s-promise' % (idx + 1)) -%}
+{% endfor -%}
 
 {% set haproxy_dict = {} -%}
 {% set apache_dict = {} -%}
@@ -176,9 +194,22 @@ wait-for-files =
 recipe = collective.recipe.template
 output = ${directory:bin}/apache-httpd-graceful
 mode = 700
-input = inline:
-  #!/bin/sh
-  kill -USR1 "$(cat '${apache-conf-parameter-dict:pid-file}')"
+input =
+  inline:
+  #!{{parameter_dict['bin-directory']}}/python2.7
+  from lock_file import LockFile
+  import os
+  import subprocess
+  with LockFile('${apache-conf-ssl:ca-cert}.lock', wait = True):
+    ca_path_list = [{% for idx in range(len(frontend_caucase_url_list) + 1) -%} '{{ '${directory:srv}/caucase-updater-%s/ca.crt' % idx }}', {% endfor -%}]
+    valid_ca_path_list = [path for path in ca_path_list
+                          if os.path.isfile(path) and subprocess.call(['openssl', 'x509', '-in', path], stdout=subprocess.PIPE) == 0]
+    file('${apache-conf-ssl:ca-cert}', 'w').write('\n'.join(file(path).read() for path in valid_ca_path_list))
+    crl_path_list = [{% for idx in range(len(frontend_caucase_url_list) + 1) -%} '{{ '${directory:srv}/caucase-updater-%s/crl.pem' % idx }}', {% endfor -%}]
+    valid_crl_path_list = [path for path in crl_path_list
+                          if os.path.isfile(path) and subprocess.call(['openssl', 'crl', '-in', path], stdout=subprocess.PIPE) == 0]
+    file('${apache-conf-ssl:crl}', 'w').write('\n'.join(file(path).read() for path in valid_crl_path_list))
+    subprocess.call(['kill',  '-USR1', file('${apache-conf-parameter-dict:pid-file}').read().strip()])
 
 [{{ section('apache-promise') }}]
 <= monitor-promise-base

stack/erp5/instance-erp5.cfg.in

@@ -98,6 +98,7 @@ backup-caucased = ${:srv}/backup/caucased
 {% do publish_dict.__setitem__('caucase-http-url', caucase_url) -%}
 {% set balancer_dict = slapparameter_dict.get('balancer', {}) -%}
 {% do balancer_dict.setdefault('ssl', {}).setdefault('caucase-url', caucase_url) -%}
+{% do balancer_dict['ssl'].setdefault('frontend-caucase-url-list', []) -%}
 
 {{ request('memcached-persistent', 'kumofs', 'kumofs', {'tcpv4-port': 2000}, {'url': True, 'monitor-base-url': False}, key_config={'monitor-passwd': 'monitor-htpasswd:passwd'}) }}
 {{ request('memcached-volatile', 'kumofs', 'memcached', {'tcpv4-port': 2010, 'ram-storage-size': 64}, {'url': True, 'monitor-base-url': False}, key_config={'monitor-passwd': 'monitor-htpasswd:passwd'}) }}

[Vincent Pelletier]

See review on ec721490 .

[Vincent Pelletier]

(the whole diff on this file) Good change, thanks. Please put in a separate commit.

[Kazuhiko Shiozaki]

Done. 877f8339

Do you think it is better to reorder arguments in all existing caucase.update(...) usages ? All are currently using named parameters thus no strict need to reorder.

[Vincent Pelletier]

Do you think it is better to reorder arguments in all existing caucase.update(...) usages ? All are currently using named parameters thus no strict need to reorder.

I don't think it is necessary.

It is good practice that callers use all-named arguments for this macro (and probably any SR library macro), even without refactoring in mind there are enough arguments that it could get quite confusing very quickly.

[Vincent Pelletier]

See review on ec721490 .

[Vincent Pelletier]

See review on ec721490 .

[Vincent Pelletier]

See review on ec721490 . Otherwise, please explain why this it still needed (but I do not think it is).