Commit 8285270c authored by Alain Takoudjou's avatar Alain Takoudjou

stack.erp5: Intergrate caucase and client-certificate-based authentication

Allows requesting a caucase partition and reusing an existing caucase instance.
For client-certificate-based authentication, client must be able to access backend
directly (frontend is not possible).
parent 25772982
...@@ -108,13 +108,17 @@ SSLProxyEngine On ...@@ -108,13 +108,17 @@ SSLProxyEngine On
# As backend is trusting REMOTE_USER header unset it always # As backend is trusting REMOTE_USER header unset it always
RequestHeader unset REMOTE_USER RequestHeader unset REMOTE_USER
RequestHeader unset SSL_CLIENT_SERIAL
{% if parameter_dict['ca-cert'] -%} {% if parameter_dict['ca-cert'] -%}
SSLVerifyClient require SSLVerifyClient optional
RequestHeader set REMOTE_USER %{SSL_CLIENT_S_DN_CN}s RequestHeader set REMOTE_USER %{SSL_CLIENT_S_DN_CN}s
RequestHeader set SSL_CLIENT_SERIAL "%{SSL_CLIENT_M_SERIAL}s"
SSLCACertificateFile {{ parameter_dict['ca-cert'] }} SSLCACertificateFile {{ parameter_dict['ca-cert'] }}
{% if parameter_dict['crl'] -%}
SSLCARevocationCheck chain SSLCARevocationCheck chain
SSLCARevocationFile {{ parameter_dict['crl'] }} SSLCARevocationFile {{ parameter_dict['crl'] }}
{%- endif %} {%- endif %}
{%- endif %}
ErrorLog "{{ parameter_dict['error-log'] }}" ErrorLog "{{ parameter_dict['error-log'] }}"
# Default apache log format with request time in microsecond at the end # Default apache log format with request time in microsecond at the end
...@@ -128,12 +132,24 @@ CustomLog "{{ parameter_dict['access-log'] }}" combined ...@@ -128,12 +132,24 @@ CustomLog "{{ parameter_dict['access-log'] }}" combined
</Directory> </Directory>
RewriteEngine On RewriteEngine On
{% for port, _, backend in parameter_dict['backend-list'] -%} {% for port, _, backend, enable_authentication in parameter_dict['backend-list'] -%}
{% for ip in parameter_dict['ip-list'] -%} {% for ip in parameter_dict['ip-list'] -%}
Listen {{ ip }}:{{ port }} Listen {{ ip }}:{{ port }}
{% endfor -%} {% endfor -%}
<VirtualHost *:{{ port }}> <VirtualHost *:{{ port }}>
SSLEngine on SSLEngine on
{% if enable_authentication and parameter_dict['ca-cert'] and parameter_dict['crl'] -%}
SSLVerifyClient require
SSLCACertificateFile {{ parameter_dict['ca-cert'] }}
SSLCARevocationCheck chain
SSLCARevocationFile {{ parameter_dict['crl'] }}
LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
# We would like to separate the the authentificated logs.
ErrorLog "{{ parameter_dict['log-dir'] }}/apache-service-error.log"
CustomLog "{{ parameter_dict['log-dir'] }}/apache-service-access.log" combined
{% endif -%}
RewriteRule ^/(.*) {{ backend }}/$1 [L,P] RewriteRule ^/(.*) {{ backend }}/$1 [L,P]
</VirtualHost> </VirtualHost>
{% endfor -%} {% endfor -%}
...@@ -190,5 +190,5 @@ make-targets = ...@@ -190,5 +190,5 @@ make-targets =
[template-apache-backend-conf] [template-apache-backend-conf]
recipe = slapos.recipe.build:download recipe = slapos.recipe.build:download
url = ${:_profile_base_location_}/apache-backend.conf.in url = ${:_profile_base_location_}/apache-backend.conf.in
md5sum = feef079241bda3407b7ceed5876cb61f md5sum = 8f1f92ad308ab6bad973c790ee583428
mode = 640 mode = 640
...@@ -111,6 +111,12 @@ ...@@ -111,6 +111,12 @@
"default": 5, "default": 5,
"type": "integer" "type": "integer"
}, },
"ssl-authentication": {
"title": "Enable SSL Client authentication on this zope instance.",
"description": "If set to true, will set SSL Client verification to required on apache VirtualHost which allow to access this zope instance.",
"type": "boolean",
"default": false
},
"webdav": { "webdav": {
"description": "Serve webdav queries, implies timerserver-interval=0 (disabled). Mixing webdav and non-webdav nodes in a single family will give unspecified results.", "description": "Serve webdav queries, implies timerserver-interval=0 (disabled). Mixing webdav and non-webdav nodes in a single family will give unspecified results.",
"default": false, "default": false,
...@@ -263,6 +269,28 @@ ...@@ -263,6 +269,28 @@
"description": "In wendelin.core there are 2 formats for storing data, so called ZBlk0 and ZBlk1. See https://lab.nexedi.com/nexedi/wendelin.core/blob/2e5e1d3d/bigfile/file_zodb.py#L19 for more details.", "description": "In wendelin.core there are 2 formats for storing data, so called ZBlk0 and ZBlk1. See https://lab.nexedi.com/nexedi/wendelin.core/blob/2e5e1d3d/bigfile/file_zodb.py#L19 for more details.",
"default": "", "default": "",
"type": "string" "type": "string"
},
"caucase": {
"description": "Caucase certificate authority parameters",
"properties": {
"url": {
"title": "Caucase URL",
"description": "URL of existing caucase instance to use. If empty, a new caucase instance will be deployed. If not empty, other properties in this section will be ignored.",
"default": "",
"type": "string",
"format": "uri"
},
"crl-update-periodicity": {
"title": "Periodicity of CRL update",
"description": "Periodicity of CRL update, in cron format. The CRL will be downloaded from caucase URL and the new content will be saved if there was a change. Everytime a new CRL is writen, Apache reload will be called.",
"type": "string",
"default": "0 0 * * *"
}
},
"additionalProperties": {
"$ref": "../caucase/instance-caucase-input-schema.json#/properties"
},
"type": "object"
} }
} }
} }
...@@ -72,6 +72,11 @@ ...@@ -72,6 +72,11 @@
"description": "Jupyter notebook web UI access information", "description": "Jupyter notebook web UI access information",
"pattern": "^https://", "pattern": "^https://",
"type": "string" "type": "string"
},
"caucase-http-url": {
"description": "Caucase url on HTTP. For HTTPS URL, uses https scheme, if port is explicitely specified in http URL, take that port and add 1 and use it as https port. If it is not specified.",
"pattern": "^http://",
"type": "string"
} }
}, },
"patternProperties": { "patternProperties": {
......
...@@ -62,6 +62,7 @@ extends = ...@@ -62,6 +62,7 @@ extends =
../../component/postfix/buildout.cfg ../../component/postfix/buildout.cfg
../monitor/buildout.cfg ../monitor/buildout.cfg
../../software/ipython_notebook/software.cfg ../../software/ipython_notebook/software.cfg
../../software/caucase/software.cfg
../../software/neoppod/software-common.cfg ../../software/neoppod/software-common.cfg
# keep neoppod extends last # keep neoppod extends last
...@@ -149,6 +150,9 @@ extra-ldflags = -Wl,-rpath=${gcc:location}/lib -Wl,-rpath=${gcc:location}/lib64 ...@@ -149,6 +150,9 @@ extra-ldflags = -Wl,-rpath=${gcc:location}/lib -Wl,-rpath=${gcc:location}/lib64
[instance-jupyter] [instance-jupyter]
rendered = ${buildout:directory}/template-jupyter.cfg rendered = ${buildout:directory}/template-jupyter.cfg
[instance-caucase]
rendered = ${buildout:directory}/instance-caucase.cfg
[download-base] [download-base]
<= download-base-neo <= download-base-neo
url = ${:_profile_base_location_}/${:filename} url = ${:_profile_base_location_}/${:filename}
...@@ -231,6 +235,7 @@ context = ...@@ -231,6 +235,7 @@ context =
key bin_directory buildout:bin-directory key bin_directory buildout:bin-directory
key buildout_bin_directory buildout:bin-directory key buildout_bin_directory buildout:bin-directory
key cairo_location cairo:location key cairo_location cairo:location
key caucase_template instance-caucase:rendered
key coreutils_location coreutils:location key coreutils_location coreutils:location
key cups_location cups:location key cups_location cups:location
key curl_location curl:location key curl_location curl:location
......
...@@ -75,7 +75,7 @@ md5sum = 0969fbb25b05c02ef3c2d437b2f4e1a0 ...@@ -75,7 +75,7 @@ md5sum = 0969fbb25b05c02ef3c2d437b2f4e1a0
[template] [template]
filename = instance.cfg.in filename = instance.cfg.in
md5sum = 09862389b2bf3da3f9387a6424329da9 md5sum = e364ea67bfe786b6b6ebd6c4f0cd628a
[monitor-template-dummy] [monitor-template-dummy]
filename = dummy.cfg filename = dummy.cfg
...@@ -83,7 +83,7 @@ md5sum = d41d8cd98f00b204e9800998ecf8427e ...@@ -83,7 +83,7 @@ md5sum = d41d8cd98f00b204e9800998ecf8427e
[template-erp5] [template-erp5]
filename = instance-erp5.cfg.in filename = instance-erp5.cfg.in
md5sum = 929b87c01aaf6ea1bbf6ff906ce9c0d9 md5sum = 13638031b6b6c9ad9c0a9c4e6d9a202a
[template-zeo] [template-zeo]
filename = instance-zeo.cfg.in filename = instance-zeo.cfg.in
...@@ -95,7 +95,7 @@ md5sum = 6a64d1615c3ef9f6311c863d5aa0c58f ...@@ -95,7 +95,7 @@ md5sum = 6a64d1615c3ef9f6311c863d5aa0c58f
[template-balancer] [template-balancer]
filename = instance-balancer.cfg.in filename = instance-balancer.cfg.in
md5sum = a3ad32c46bb56076895441edbd66018d md5sum = f2fb0c537c124622fe8e89afe0188519
[template-haproxy-cfg] [template-haproxy-cfg]
filename = haproxy.cfg.in filename = haproxy.cfg.in
......
{% set part_list = [] -%} {% set part_list = [] -%}
{% set ssl_parameter_dict = slapparameter_dict.get('ssl', {}) %} {% set ssl_parameter_dict = slapparameter_dict.get('ssl', {}) %}
{% set caucase_url = slapparameter_dict.get('caucase-url', '') -%}
{% macro section(name) %}{% do part_list.append(name) %}{{ name }}{% endmacro -%} {% macro section(name) %}{% do part_list.append(name) %}{{ name }}{% endmacro -%}
{% set use_ipv6 = slapparameter_dict.get('use-ipv6', False) -%} {% set use_ipv6 = slapparameter_dict.get('use-ipv6', False) -%}
{# {#
...@@ -36,6 +37,56 @@ context = key content {{content_section_name}}:content ...@@ -36,6 +37,56 @@ context = key content {{content_section_name}}:content
mode = {{ mode }} mode = {{ mode }}
{%- endmacro %} {%- endmacro %}
[certificate-request-base]
recipe = slapos.cookbook:wrapper
wrapper-path = ${directory:bin}/request-instance-certificate
parameters-extra = true
command-line = {{ parameter_dict['bin-directory'] }}/caucase-cliweb
--crt-file ${apache-conf-ssl:cert}
--key-file ${apache-conf-ssl:key}
--crl-file ${apache-conf-ssl:crl}
--ca-url {{ caucase_url }}
--ca-crt-file ${apache-conf-ssl:ca-cert}
{% macro request_cert(name, common_name) -%}
{% set get_crl_periodicity = slapparameter_dict.get('crl-update-periodicity', 'daily') -%}
[{{ section(name ~ '-certificate-request') }}]
recipe = slapos.cookbook:wrapper
wrapper-path = ${directory:services}/request-{{ name }}-certificate
command-line =
${certificate-request-base:wrapper-path}
--cn {{ common_name }}
--request
[{{ section(name ~ '-renew-cron-entry') }}]
recipe = slapos.cookbook:cron.d
cron-entries = ${cron:cron-entries}
name = {{ name }}-certificate-auto-renew
time = weekly
# 2592000 = 30*24*60*60 equivalent to one month in seconds
command = ${certificate-request-base:wrapper-path} --renew --threshold 2592000 --on-renew="${apache-graceful:output}"
[{{ section(name ~ '-download-crl') }}]
# download the crl for the first time
recipe = plone.recipe.command
command =
if [ ! -s "${apache-conf-ssl:crl}" ]; then
${certificate-request-base:wrapper-path} --update-crl
fi
update-command = ${:command}
stop-on-error = true
[{{ section(name ~ '-update-crl-cron-entry') }}]
recipe = slapos.cookbook:cron.d
cron-entries = ${cron:cron-entries}
name = {{ name }}-update-crl
time = {{ get_crl_periodicity }}
# XXX - Update crl call apache graceful restart, it's not recommended to check crl too often, Apache
# has an issue with reload and can be frozen and stop responding. Default periodicity time = daily
command = ${certificate-request-base:wrapper-path} --update-crl --on-crl-update="${apache-graceful:output}"
{%- endmacro %}
{% if use_ipv6 -%} {% if use_ipv6 -%}
[zope-tunnel-base] [zope-tunnel-base]
recipe = slapos.cookbook:ipv4toipv6 recipe = slapos.cookbook:ipv4toipv6
...@@ -81,6 +132,7 @@ ipv6 = {{ zope_address.split(']:')[0][1:] }} ...@@ -81,6 +132,7 @@ ipv6 = {{ zope_address.split(']:')[0][1:] }}
-#} -#}
{% do zope_family_address_list[0][0] -%} {% do zope_family_address_list[0][0] -%}
{% set haproxy_port = next_port() -%} {% set haproxy_port = next_port() -%}
{% set backend_path = slapparameter_dict['backend-path-dict'][family_name] -%}
{% do haproxy_dict.__setitem__(family_name, (haproxy_port, zope_family_address_list)) -%} {% do haproxy_dict.__setitem__(family_name, (haproxy_port, zope_family_address_list)) -%}
{% if has_webdav -%} {% if has_webdav -%}
{% set internal_scheme = 'http' -%}{# mod_rewrite does not recognise webdav scheme -#} {% set internal_scheme = 'http' -%}{# mod_rewrite does not recognise webdav scheme -#}
...@@ -89,7 +141,8 @@ ipv6 = {{ zope_address.split(']:')[0][1:] }} ...@@ -89,7 +141,8 @@ ipv6 = {{ zope_address.split(']:')[0][1:] }}
{% set internal_scheme = 'http' -%} {% set internal_scheme = 'http' -%}
{% set external_scheme = 'https' -%} {% set external_scheme = 'https' -%}
{% endif -%} {% endif -%}
{% do apache_dict.__setitem__(family_name, (next_port(), external_scheme, internal_scheme ~ '://' ~ ipv4 ~ ':' ~ haproxy_port ~ slapparameter_dict['backend-path'])) -%} {% set ssl_authentication = slapparameter_dict['ssl-authentication-dict'].get(family_name, False) -%}
{% do apache_dict.__setitem__(family_name, (next_port(), external_scheme, internal_scheme ~ '://' ~ ipv4 ~ ':' ~ haproxy_port ~ backend_path, ssl_authentication)) -%}
{% endfor -%} {% endfor -%}
[haproxy-cfg-parameter-dict] [haproxy-cfg-parameter-dict]
...@@ -122,6 +175,7 @@ crl = ${directory:apache-conf}/crl.pem ...@@ -122,6 +175,7 @@ crl = ${directory:apache-conf}/crl.pem
backend-list = {{ dumps(apache_dict.values()) }} backend-list = {{ dumps(apache_dict.values()) }}
ip-list = {{ dumps(apache_ip_list) }} ip-list = {{ dumps(apache_ip_list) }}
pid-file = ${directory:run}/apache.pid pid-file = ${directory:run}/apache.pid
log-dir = ${directory:log}
error-log = ${directory:log}/apache-error.log error-log = ${directory:log}/apache-error.log
access-log = ${directory:log}/apache-access.log access-log = ${directory:log}/apache-access.log
# Apache 2.4's default value (60 seconds) can be a bit too short # Apache 2.4's default value (60 seconds) can be a bit too short
...@@ -145,6 +199,18 @@ context = section parameter_dict apache-conf-parameter-dict ...@@ -145,6 +199,18 @@ context = section parameter_dict apache-conf-parameter-dict
recipe = slapos.cookbook:wrapper recipe = slapos.cookbook:wrapper
wrapper-path = ${directory:services}/apache wrapper-path = ${directory:services}/apache
command-line = "{{ parameter_dict['apache'] }}/bin/httpd" -f "${apache-conf:rendered}" -DFOREGROUND command-line = "{{ parameter_dict['apache'] }}/bin/httpd" -f "${apache-conf:rendered}" -DFOREGROUND
wait-for-files =
${apache-conf-ssl:cert}
${apache-conf-ssl:key}
[apache-graceful]
recipe = collective.recipe.template
input = inline:
#!/bin/sh
kill -USR1 "$(cat '${apache-conf-parameter-dict:pid-file}')"
output = ${directory:bin}/apache-httpd-graceful
mode = 700
[{{ section('apache-promise') }}] [{{ section('apache-promise') }}]
# Check any apache port in ipv4, expect other ports and ipv6 to behave consistently # Check any apache port in ipv4, expect other ports and ipv6 to behave consistently
...@@ -155,7 +221,7 @@ port = {{ apache_dict.values()[0][0] }} ...@@ -155,7 +221,7 @@ port = {{ apache_dict.values()[0][0] }}
[publish] [publish]
recipe = slapos.cookbook:publish.serialised recipe = slapos.cookbook:publish.serialised
{% for family_name, (apache_port, scheme, _) in apache_dict.items() -%} {% for family_name, (apache_port, scheme, _, _) in apache_dict.items() -%}
{{ family_name ~ '-v6' }} = {% if ipv6_set %}{{ scheme ~ '://[' ~ ipv6 ~ ']:' ~ apache_port }}{% endif %} {{ family_name ~ '-v6' }} = {% if ipv6_set %}{{ scheme ~ '://[' ~ ipv6 ~ ']:' ~ apache_port }}{% endif %}
{{ family_name }} = {{ scheme ~ '://' ~ ipv4 ~ ':' ~ apache_port }} {{ family_name }} = {{ scheme ~ '://' ~ ipv4 ~ ':' ~ apache_port }}
{% endfor -%} {% endfor -%}
...@@ -167,6 +233,11 @@ key = ${apache-ssl-key:rendered} ...@@ -167,6 +233,11 @@ key = ${apache-ssl-key:rendered}
cert = ${apache-ssl-cert:rendered} cert = ${apache-ssl-cert:rendered}
{{ simplefile('apache-ssl-key', '${apache-conf-ssl:key}', ssl_parameter_dict['key']) }} {{ simplefile('apache-ssl-key', '${apache-conf-ssl:key}', ssl_parameter_dict['key']) }}
{{ simplefile('apache-ssl-cert', '${apache-conf-ssl:cert}', ssl_parameter_dict['cert']) }} {{ simplefile('apache-ssl-cert', '${apache-conf-ssl:cert}', ssl_parameter_dict['cert']) }}
{% elif caucase_url -%}
key = ${apache-conf-ssl:key}
cert = ${apache-conf-ssl:cert}
{{ request_cert('erp5', 'instance.apache@erp5') }}
{% else %} {% else %}
recipe = plone.recipe.command recipe = plone.recipe.command
command = "{{ parameter_dict['openssl'] }}/bin/openssl" req -newkey rsa -batch -new -x509 -days 3650 -nodes -keyout "${:key}" -out "${:cert}" command = "{{ parameter_dict['openssl'] }}/bin/openssl" req -newkey rsa -batch -new -x509 -days 3650 -nodes -keyout "${:key}" -out "${:cert}"
...@@ -180,6 +251,10 @@ cert = ${apache-ssl-ca:rendered} ...@@ -180,6 +251,10 @@ cert = ${apache-ssl-ca:rendered}
crl = ${apache-ssl-crl:rendered} crl = ${apache-ssl-crl:rendered}
{{ simplefile('apache-ssl-ca', '${apache-conf-ssl:ca-cert}', ssl_parameter_dict['ca-cert']) }} {{ simplefile('apache-ssl-ca', '${apache-conf-ssl:ca-cert}', ssl_parameter_dict['ca-cert']) }}
{{ simplefile('apache-ssl-crl', '${apache-conf-ssl:crl}', ssl_parameter_dict['crl']) }} {{ simplefile('apache-ssl-crl', '${apache-conf-ssl:crl}', ssl_parameter_dict['crl']) }}
{% elif caucase_url -%}
cert = ${apache-conf-ssl:ca-cert}
crl = ${apache-conf-ssl:crl}
{% else %} {% else %}
cert = cert =
crl = crl =
......
...@@ -9,6 +9,8 @@ ...@@ -9,6 +9,8 @@
{% set has_jupyter = jupyter_dict.get('enable', jupyter_enable_default.lower() in ('true', 'yes')) -%} {% set has_jupyter = jupyter_dict.get('enable', jupyter_enable_default.lower() in ('true', 'yes')) -%}
{% set jupyter_zope_family = jupyter_dict.get('zope-family', '') -%} {% set jupyter_zope_family = jupyter_dict.get('zope-family', '') -%}
{% set monitor_base_url_dict = {} -%} {% set monitor_base_url_dict = {} -%}
{% set caucase_url = slapparameter_dict.get('caucase', {}).pop('url', '') -%}
{% set crl_update_period = slapparameter_dict.get('caucase', {}).pop('crl-update-periodicity', 'daily') -%}
[request-common] [request-common]
<= request-common-base <= request-common-base
config-use-ipv6 = {{ dumps(slapparameter_dict.get('use-ipv6', False)) }} config-use-ipv6 = {{ dumps(slapparameter_dict.get('use-ipv6', False)) }}
...@@ -50,6 +52,14 @@ config-{{ k }} = {{ '${' ~ v ~ '}' }} ...@@ -50,6 +52,14 @@ config-{{ k }} = {{ '${' ~ v ~ '}' }}
connection-url = smtp://127.0.0.2:0/ connection-url = smtp://127.0.0.2:0/
{%- endif %} {%- endif %}
{% if caucase_url -%}
{% do publish_dict.__setitem__('caucase-http-url', caucase_url) -%}
[request-caucase]
connection-http-url = {{ caucase_url }}
{%- else %}
{{ request('caucase', 'caucase', 'caucase', {'server-port': 8890, 'server-https-port': 8891}, {'http-url': True, 'https-url': False}) }}
{% endif -%}
{# ZODB -#} {# ZODB -#}
{% set zodb_dict = {} -%} {% set zodb_dict = {} -%}
{% set storage_dict = {} -%} {% set storage_dict = {} -%}
...@@ -137,6 +147,7 @@ return = ...@@ -137,6 +147,7 @@ return =
{% endif -%} {% endif -%}
config-bt5 = {{ dumps(slapparameter_dict.get('bt5', bt5_default_list)) }} config-bt5 = {{ dumps(slapparameter_dict.get('bt5', bt5_default_list)) }}
config-bt5-repository-url = {{ dumps(slapparameter_dict.get('bt5-repository-url', local_bt5_repository)) }} config-bt5-repository-url = {{ dumps(slapparameter_dict.get('bt5-repository-url', local_bt5_repository)) }}
config-caucase-url = ${request-caucase:connection-http-url}
config-cloudooo-url = ${request-cloudooo:connection-url} config-cloudooo-url = ${request-cloudooo:connection-url}
config-deadlock-debugger-password = ${publish-early:deadlock-debugger-password} config-deadlock-debugger-password = ${publish-early:deadlock-debugger-password}
config-developer-list = {{ dumps(slapparameter_dict.get('developer-list', [inituser_login])) }} config-developer-list = {{ dumps(slapparameter_dict.get('developer-list', [inituser_login])) }}
...@@ -168,17 +179,22 @@ config-tidstorage-port = ${request-zodb:connection-tidstorage-port} ...@@ -168,17 +179,22 @@ config-tidstorage-port = ${request-zodb:connection-tidstorage-port}
software-type = zope software-type = zope
{% set zope_family_dict = {} -%} {% set zope_family_dict = {} -%}
{% set zope_backend_path_dict = {} -%}
{% set ssl_authentication_dict = {} -%}
{% set jupyter_zope_family_default = [] -%} {% set jupyter_zope_family_default = [] -%}
{% for custom_name, zope_parameter_dict in zope_partition_dict.items() -%} {% for custom_name, zope_parameter_dict in zope_partition_dict.items() -%}
{% set partition_name = 'zope-' ~ custom_name -%} {% set partition_name = 'zope-' ~ custom_name -%}
{% set section_name = 'request-' ~ partition_name -%} {% set section_name = 'request-' ~ partition_name -%}
{% set zope_family = zope_parameter_dict.get('family', 'default') -%} {% set zope_family = zope_parameter_dict.get('family', 'default') -%}
{% set backend_path = zope_parameter_dict.get('backend-path', '/') % {'site-id': site_id} %}
{# # default jupyter zope family is first zope family. -#} {# # default jupyter zope family is first zope family. -#}
{# # use list.append() to update it, because in jinja2 set changes only local scope. -#} {# # use list.append() to update it, because in jinja2 set changes only local scope. -#}
{% if not jupyter_zope_family_default -%} {% if not jupyter_zope_family_default -%}
{% do jupyter_zope_family_default.append(zope_family) -%} {% do jupyter_zope_family_default.append(zope_family) -%}
{% endif -%} {% endif -%}
{% do zope_family_dict.setdefault(zope_family, []).append(section_name) -%} {% do zope_family_dict.setdefault(zope_family, []).append(section_name) -%}
{% do zope_backend_path_dict.__setitem__(zope_family, backend_path) -%}
{% do ssl_authentication_dict.__setitem__(zope_family, zope_parameter_dict.get('ssl-authentication', False)) -%}
[{{ section_name }}] [{{ section_name }}]
<= request-zope-base <= request-zope-base
name = {{ partition_name }} name = {{ partition_name }}
...@@ -256,10 +272,12 @@ config-{{ name }} = {{ ' ${' ~ zope_section_id ~ ':connection-zope-address-list} ...@@ -256,10 +272,12 @@ config-{{ name }} = {{ ' ${' ~ zope_section_id ~ ':connection-zope-address-list}
{% endfor -%} {% endfor -%}
# XXX: should those really be same for all families ? # XXX: should those really be same for all families ?
config-haproxy-server-check-path = {{ dumps(balancer_dict.get('haproxy-server-check-path', '/') % {'site-id': site_id}) }} config-haproxy-server-check-path = {{ dumps(balancer_dict.get('haproxy-server-check-path', '/') % {'site-id': site_id}) }}
config-backend-path = {{ dumps(balancer_dict.get('apache-backend-path', '/') % {'site-id': site_id}) }}
config-ssl = {{ dumps(balancer_dict.get('ssl', {})) }} config-ssl = {{ dumps(balancer_dict.get('ssl', {})) }}
config-monitor-passwd = ${monitor-htpasswd:passwd} config-monitor-passwd = ${monitor-htpasswd:passwd}
config-caucase-url = ${request-caucase:connection-http-url}
config-crl-update-periodicity = {{ crl_update_period }}
config-backend-path-dict = {{ dumps(zope_backend_path_dict) }}
config-ssl-authentication-dict = {{ dumps(ssl_authentication_dict) }}
[request-frontend-base] [request-frontend-base]
{% if has_frontend -%} {% if has_frontend -%}
......
[buildout] [buildout]
extends = {{ instance_common_cfg }} extends =
{{ instance_common_cfg }}
{{ caucase_template }}
[jinja2-template-base] [jinja2-template-base]
mode = 644 mode = 644
...@@ -97,6 +99,7 @@ bin-directory = {{ bin_directory }} ...@@ -97,6 +99,7 @@ bin-directory = {{ bin_directory }}
apachedex-location = {{ bin_directory }}/apachedex apachedex-location = {{ bin_directory }}/apachedex
run-apachedex-location = {{ bin_directory }}/runApacheDex run-apachedex-location = {{ bin_directory }}/runApacheDex
6tunnel = {{ sixtunnel_location }} 6tunnel = {{ sixtunnel_location }}
curl-location = {{ curl_location }}
dash = {{ dash_location }} dash = {{ dash_location }}
template-haproxy-cfg = {{ template_haproxy_cfg }} template-haproxy-cfg = {{ template_haproxy_cfg }}
template-apache-conf = {{ template_apache_conf }} template-apache-conf = {{ template_apache_conf }}
...@@ -216,6 +219,7 @@ create-erp5-site = dynamic-template-create-erp5-site:rendered ...@@ -216,6 +219,7 @@ create-erp5-site = dynamic-template-create-erp5-site:rendered
RootSoftwareInstance = ${:default} RootSoftwareInstance = ${:default}
# Internal software types # Internal software types
kumofs = dynamic-template-kumofs:rendered kumofs = dynamic-template-kumofs:rendered
caucase = dynamic-template-caucase:rendered
cloudooo = dynamic-template-cloudooo:rendered cloudooo = dynamic-template-cloudooo:rendered
mariadb = dynamic-template-mariadb:rendered mariadb = dynamic-template-mariadb:rendered
balancer = dynamic-template-balancer:rendered balancer = dynamic-template-balancer:rendered
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment