NEO: enable SSL by default

6da7601a · Julien Muchembled · 3fb90dcc · 6da7601a · 6da7601a · 6da7601a
Commit 6da7601a authored Oct 01, 2015 by Julien Muchembled
11 changed files
--- a/slapos/recipe/neoppod.py
+++ b/slapos/recipe/neoppod.py
@@ -50,6 +50,12 @@ class NeoBaseRecipe(GenericBaseRecipe):
      #'-n', options['name'],
      '-c', options['cluster'],
    ]
+    if options['ssl']:
+      option_list += (
+        '--ca', '~/etc/ca.crt',
+        '--cert', '~/etc/neo.crt',
+        '--key', '~/etc/neo.key',
+        )
    option_list.extend(self._getOptionList())
    return [self.createPythonScript(
      options['wrapper'],

--- a/software/erp5/instance-erp5-input-schema.json
+++ b/software/erp5/instance-erp5-input-schema.json
@@ -220,6 +220,13 @@
          },
          "storage-dict": {
            "description": "Storage configuration. For NEO, 'logfile' is automatically set (see http://git.erp5.org/gitweb/neoppod.git/blob/HEAD:/neo/client/component.xml for other settings).",
+            "properties": {
+              "ssl": {
+                "description": "For external NEO. Pass false if you want to disable SSL or pass custom values for ca/cert/key.",
+                "default": true,
+                "type": "boolean"
+              }
+            },
            "additionalProperties": {"type": "string"},
            "type": "object"
          }

--- a/software/neoppod/instance-neo-admin.cfg.in
+++ b/software/neoppod/instance-neo-admin.cfg.in
@@ -10,6 +10,7 @@ wrapper = ${directory:etc_run}/neoadmin
 logfile = ${directory:log}/neoadmin.log
 ip = ${publish:ip}
 port = ${publish:port-admin}
+ssl = {{ dumps(slapparameter_dict['ssl']) }}
 cluster = {{ dumps(slapparameter_dict['cluster']) }}
 masters = ${publish:masters}

--- a/software/neoppod/instance-neo-input-schema.json
+++ b/software/neoppod/instance-neo-input-schema.json
@@ -35,6 +35,11 @@
      },
      "type": "object"
    },
+    "ssl": {
+      "description": "Enable SSL. All nodes look for 3 files in ~/etc: ca.crt, neo.crt, neo.key. Waiting that SlapOS provides a way to manage certificates, the user must deploy them manually.",
+      "default": true,
+      "type": "boolean"
+    },
    "node-list": {
      "description": "List of dictionaries containing parameters for each node.",
      "items": {

--- a/software/neoppod/instance-neo-master.cfg.in
+++ b/software/neoppod/instance-neo-master.cfg.in
@@ -10,6 +10,7 @@ wrapper = ${directory:etc_run}/neomaster
 logfile = ${directory:log}/neomaster.log
 ip = ${publish:ip}
 port = ${publish:port-master}
+ssl = {{ dumps(slapparameter_dict['ssl']) }}
 cluster = {{ dumps(slapparameter_dict['cluster']) }}
 partitions = {{ slapparameter_dict['partitions'] }}
 replicas = {{ slapparameter_dict['replicas'] }}

--- a/software/neoppod/instance-neo-storage-mysql.cfg.in
+++ b/software/neoppod/instance-neo-storage-mysql.cfg.in
@@ -65,6 +65,7 @@ admins = {{ ' '.join(sorted(admin_list)) }}
 recipe = slapos.cookbook:neoppod.storage
 binary = {{ bin_directory }}/neostorage
 ip = ${publish:ip}
+ssl = {{ dumps(slapparameter_dict['ssl']) }}
 cluster = {{ dumps(slapparameter_dict['cluster']) }}
 masters = ${publish:masters}
 database-adapter = MySQL

--- a/software/neoppod/root-common.cfg.in
+++ b/software/neoppod/root-common.cfg.in
@@ -42,6 +42,7 @@ config-cluster = {{ parameter_dict['cluster'] }}
 {% set replicas = parameter_dict.get('replicas', 0) -%}
 config-partitions = {{ dumps(parameter_dict.get('partitions', 12)) }}
 config-replicas = {{ dumps(replicas) }}
+config-ssl = {{ dumps(parameter_dict.get('ssl', 1)) }}
 config-upstream-cluster = {{ dumps(parameter_dict.get('upstream-cluster', '')) }}
 config-upstream-masters = {{ dumps(parameter_dict.get('upstream-masters', '')) }}
 software-type = {{ software_type }}

--- a/software/neoppod/software-common.cfg
+++ b/software/neoppod/software-common.cfg
@@ -74,19 +74,19 @@ context =
 [root-common]
 <= download-base-neo
-md5sum = 26193dbb132d340c8ba919a616449a17
+md5sum = 88c34cfa913b89b2ed4c69168965cf84
 [instance-neo-admin]
 <= download-base-neo
-md5sum = 16d11f0fe74de06aebbadcff3527db1c
+md5sum = 7bbe0285e499f011dad68825a2264cad
 [instance-neo-master]
 <= download-base-neo
-md5sum = 023f08763dbba2319f58e5c597f7761d
+md5sum = 0cf303254855c3e1a8e3819004bee70f
 [instance-neo-storage-mysql]
 <= download-base-neo
-md5sum = 14ccd057f51521f110a130f0d4aaebbd
+md5sum = 0b62b63540d1bd1a2802f44aff5d1a57
 [template-neo-my-cnf]
 <= download-base-neo

--- a/stack/erp5/buildout.cfg
+++ b/stack/erp5/buildout.cfg
@@ -317,7 +317,7 @@ rendered = ${monitor-template-dummy:target}
 [template-erp5]
 <= download-base
 filename = instance-erp5.cfg.in
-md5sum = 60cdf98d996f220d66daa11452c3f4bf
+md5sum = e8348f675195f25cf4212b72cb8a907b
 [template-zeo]
 <= download-base
@@ -327,7 +327,7 @@ md5sum = 9670cf63099e2c520017a23defff51a4
 [template-zope]
 <= download-base
 filename = instance-zope.cfg.in
-md5sum = 44c4aa068cffe2c1d8320d59e6d1c499
+md5sum = bf997f8bd9cacea96a514589bd7578a9
 link-binary =
  ${aspell:location}/bin/aspell
  ${dmtx-utils:location}/bin/dmtxwrite

--- a/stack/erp5/instance-erp5.cfg.in
+++ b/stack/erp5/instance-erp5.cfg.in
@@ -62,8 +62,11 @@ connection-url = smtp://127.0.0.2:0/
 {%   if server_type == 'neo' -%}
 {%     set ((name, server_dict),) = server_dict.items() -%}
 {%     do neo.append(server_dict.get('cluster')) -%}
-{%     do server_dict.__setitem__('cluster', '${publish-early:neo-cluster}') -%}
+{%     do server_dict.update(cluster='${publish-early:neo-cluster}') -%}
 {{     root_common.request_neo(server_dict, 'zodb-neo', 'neo-') }}
+{%     if not server_dict.get('ssl', 1) -%}
+{%       do zodb_dict[name].setdefault('storage-dict', {}).update(ssl=0) -%}
+{%     endif -%}
 {%   else -%}
 {{     assert(server_type == 'zeo', server_type) -}}
 {# BBB: for compatibility, keep 'zodb' as partition_reference for ZEO -#}

--- a/stack/erp5/instance-zope.cfg.in
+++ b/stack/erp5/instance-zope.cfg.in
@@ -192,9 +192,23 @@ bt5-repository =
 [zope-conf-parameter-base]
 ip = {{ ipv4 }}
 site-id = {{ site_id }}
-{% set storage_dict = {'neo': {}, 'zeo': slapparameter_dict.get('zodb-zeo', {})} -%}
+{% set zeo_dict = slapparameter_dict.get('zodb-zeo', {}) -%}
 {% for name, zodb in zodb_dict.iteritems() -%}
-{%   do zodb.setdefault('storage-dict', {}).update(storage_dict[zodb['type']].get(name, {})) -%}
+{%   set storage_dict = zodb.setdefault('storage-dict', {}) -%}
+{%   if zodb['type'] == 'zeo' -%}
+{%     do storage_dict.update(zeo_dict.get(name, ())) -%}
+{%   else -%}
+{%     if name == slapparameter_dict.get('neo-name') -%}
+{%       do storage_dict.update(master_nodes=slapparameter_dict['neo-masters'],
+                                name=slapparameter_dict['neo-cluster']) -%}
+{%     endif -%}
+{{     assert(storage_dict['master_nodes'], name) }}
+{%     if storage_dict.pop('ssl', 1) -%}
+{%       do storage_dict.update(ca='~/etc/ca.crt',
+                                cert='~/etc/neo.crt',
+                                key='~/etc/neo.key') -%}
+{%     endif -%}
+{%   endif -%}
 {% endfor -%}
 developer-list = {{ dumps(slapparameter_dict['developer-list']) }}
 instance = ${directory:instance}
@@ -250,14 +264,9 @@ node-id = {{ dumps(node_id_base ~ '-' ~ index) }}
 {% for db_name, zodb in zodb_dict.iteritems() -%}
 {%   if zodb['type'] == 'neo' -%}
 {%     do import_set.add('neo.client') -%}
-{%     set log = buildout_directory ~ '/var/log/' ~ name ~ '-neo-' ~ db_name ~ '.log' -%}
+{%     set log = '~/var/log/' ~ name ~ '-neo-' ~ db_name ~ '.log' -%}
 {%     do log_list.append(log) -%}
-{%     do zodb['storage-dict'].__setitem__('logfile', log) -%}
+{%     do zodb['storage-dict'].update(logfile=log) -%}
-{%     if db_name == slapparameter_dict.get('neo-name') -%}
-{%       do zodb['storage-dict'].__setitem__('name', slapparameter_dict['neo-cluster']) -%}
-{%       do zodb['storage-dict'].__setitem__('master_nodes', slapparameter_dict['neo-masters']) -%}
-{%     endif -%}
-{{     assert(zodb['storage-dict']['master_nodes'], db_name) }}
 {%   endif -%}
 {% endfor -%}
 import-list = {{ dumps(list(import_set)) }}