Commit 706801f2 authored by Julien Muchembled's avatar Julien Muchembled

NEO: hack to deploy SSL certs via instance parameters

parent 761583fd
...@@ -10,7 +10,7 @@ wrapper = ${directory:etc_run}/neoadmin ...@@ -10,7 +10,7 @@ wrapper = ${directory:etc_run}/neoadmin
logfile = ${directory:log}/neoadmin.log logfile = ${directory:log}/neoadmin.log
ip = ${publish:ip} ip = ${publish:ip}
port = ${publish:port-admin} port = ${publish:port-admin}
ssl = {{ dumps(slapparameter_dict['ssl']) }} ssl = {{ dumps(bool(slapparameter_dict['ssl'])) }}
cluster = {{ dumps(slapparameter_dict['cluster']) }} cluster = {{ dumps(slapparameter_dict['cluster']) }}
masters = ${publish:masters} masters = ${publish:masters}
......
...@@ -36,10 +36,19 @@ ...@@ -36,10 +36,19 @@
"type": "object" "type": "object"
}, },
"ssl": { "ssl": {
"description": "Enable SSL. All nodes look for 3 files in ~/etc: ca.crt, neo.crt, neo.key. Waiting that SlapOS provides a way to manage certificates, the user must deploy them manually.", "description": "Enable SSL. All nodes look for 3 files in ~/etc: ca.crt, neo.crt, neo.key. Waiting that SlapOS provides a way to manage certificates, the user must deploy them manually, or use the temporary _ca/_cert/_key parameters.",
"default": true, "default": true,
"type": "boolean" "type": "boolean"
}, },
"_ca": {
"type": "string"
},
"_cert": {
"type": "string"
},
"_key": {
"type": "string"
},
"node-list": { "node-list": {
"description": "List of dictionaries containing parameters for each node.", "description": "List of dictionaries containing parameters for each node.",
"items": { "items": {
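Review bot: The new `_ca`, `_cert` and `_key` properties have no `description`, so the schema does not say that they hold PEM text or which file each one becomes. `_key` is private key material that will be stored and forwarded with the other instance parameters, and that deserves a sentence for whoever fills in the request. I would add, for example, `"description": "PEM-encoded private key, written to ~/etc/neo.key. Temporary: the value is stored with the instance parameters."` on `_key`, with matching one-line descriptions for `_ca` (ca.crt) and `_cert` (neo.crt).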
......
...@@ -10,7 +10,7 @@ wrapper = ${directory:etc_run}/neomaster ...@@ -10,7 +10,7 @@ wrapper = ${directory:etc_run}/neomaster
logfile = ${directory:log}/neomaster.log logfile = ${directory:log}/neomaster.log
ip = ${publish:ip} ip = ${publish:ip}
port = ${publish:port-master} port = ${publish:port-master}
ssl = {{ dumps(slapparameter_dict['ssl']) }} ssl = {{ dumps(bool(slapparameter_dict['ssl'])) }}
cluster = {{ dumps(slapparameter_dict['cluster']) }} cluster = {{ dumps(slapparameter_dict['cluster']) }}
partitions = {{ slapparameter_dict['partitions'] }} partitions = {{ slapparameter_dict['partitions'] }}
replicas = {{ slapparameter_dict['replicas'] }} replicas = {{ slapparameter_dict['replicas'] }}
......
...@@ -61,11 +61,26 @@ masters = {{ ' '.join(sorted(master_list)) }} ...@@ -61,11 +61,26 @@ masters = {{ ' '.join(sorted(master_list)) }}
admins = {{ ' '.join(sorted(admin_list)) }} admins = {{ ' '.join(sorted(admin_list)) }}
{%- endif %} {%- endif %}
{#- Hack to deploy SSL certs via instance parameters #}
{%- for name, pem in zip(('ca.crt', 'neo.crt', 'neo.key'),
slapparameter_dict['ssl']) %}
{%- if pem %}
[{{ section(name) }}]
recipe = slapos.recipe.template:jinja2
rendered = ${directory:etc}/{{name}}
template = inline:{{'{{'}}pem}}
context = key pem :pem
pem = {{dumps(pem)}}
{%- endif %}
{%- endfor %}
{#- endhack #}
[neo-storage] [neo-storage]
recipe = slapos.cookbook:neoppod.storage recipe = slapos.cookbook:neoppod.storage
binary = {{ bin_directory }}/neostorage binary = {{ bin_directory }}/neostorage
ip = ${publish:ip} ip = ${publish:ip}
ssl = {{ dumps(slapparameter_dict['ssl']) }} ssl = {{ dumps(bool(slapparameter_dict['ssl'])) }}
cluster = {{ dumps(slapparameter_dict['cluster']) }} cluster = {{ dumps(slapparameter_dict['cluster']) }}
masters = ${publish:masters} masters = ${publish:masters}
database-adapter = MySQL database-adapter = MySQL
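Review bot: The parts generated by `[{{ section(name) }}]` render `neo.key` into `${directory:etc}` without a `mode`, so the private key gets whatever permissions the recipe and umask default to, which is not visible on this page. Adding `mode = 600` under `rendered = ${directory:etc}/{{name}}` would pin it; a `mode` option already appears on a template part in the zope section of this commit. The same applies to the `neo-ssl-*` parts added in the zope hunk (`rendered = ${directory:etc}/{{v}}`).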
......
...@@ -42,7 +42,11 @@ config-cluster = {{ parameter_dict['cluster'] }} ...@@ -42,7 +42,11 @@ config-cluster = {{ parameter_dict['cluster'] }}
{% set replicas = parameter_dict.get('replicas', 0) -%} {% set replicas = parameter_dict.get('replicas', 0) -%}
config-partitions = {{ dumps(parameter_dict.get('partitions', 12)) }} config-partitions = {{ dumps(parameter_dict.get('partitions', 12)) }}
config-replicas = {{ dumps(replicas) }} config-replicas = {{ dumps(replicas) }}
config-ssl = {{ dumps(parameter_dict.get('ssl', 1)) }} config-ssl = {{ dumps((
parameter_dict.get('_ca'),
parameter_dict.get('_cert'),
parameter_dict.get('_key'),
) if parameter_dict.get('ssl', 1) else ()) }}
config-upstream-cluster = {{ dumps(parameter_dict.get('upstream-cluster', '')) }} config-upstream-cluster = {{ dumps(parameter_dict.get('upstream-cluster', '')) }}
config-upstream-masters = {{ dumps(parameter_dict.get('upstream-masters', '')) }} config-upstream-masters = {{ dumps(parameter_dict.get('upstream-masters', '')) }}
software-type = {{ software_type }} software-type = {{ software_type }}
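Review bot: `config-ssl` changes here from a flag to a tuple, `(ca, cert, key)` when SSL is on and `()` when it is off, and nothing in the template records that contract. A partially filled triple, such as `_cert` without `_key`, is passed through unchecked. The node templates skip empty entries, so a deployed certificate could end up next to a manually placed key that does not match it. I would add a comment above the line, for example `{#- config-ssl: () = SSL off; otherwise (ca, cert, key) PEM strings, None = file deployed manually #}`, and state whether mixing deployed and manual files is intended.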
......
...@@ -74,19 +74,19 @@ context = ...@@ -74,19 +74,19 @@ context =
[root-common] [root-common]
<= download-base-neo <= download-base-neo
md5sum = 88c34cfa913b89b2ed4c69168965cf84 md5sum = f3259726bd5d824c569dc7db6b7d26a0
[instance-neo-admin] [instance-neo-admin]
<= download-base-neo <= download-base-neo
md5sum = 7bbe0285e499f011dad68825a2264cad md5sum = f030a25d320f2edf0186b69bfa521228
[instance-neo-master] [instance-neo-master]
<= download-base-neo <= download-base-neo
md5sum = 0cf303254855c3e1a8e3819004bee70f md5sum = 82f3f76f54ee9db355966a7ada61f56e
[instance-neo-storage-mysql] [instance-neo-storage-mysql]
<= download-base-neo <= download-base-neo
md5sum = 0b62b63540d1bd1a2802f44aff5d1a57 md5sum = 84b1150ce30ec827485f9c17debd6b44
[template-neo-my-cnf] [template-neo-my-cnf]
<= download-base-neo <= download-base-neo
......
...@@ -316,7 +316,7 @@ rendered = ${monitor-template-dummy:target} ...@@ -316,7 +316,7 @@ rendered = ${monitor-template-dummy:target}
[template-erp5] [template-erp5]
<= download-base <= download-base
filename = instance-erp5.cfg.in filename = instance-erp5.cfg.in
md5sum = e8348f675195f25cf4212b72cb8a907b md5sum = 78c2db733e72c4197a90e8be1ff15098
[template-zeo] [template-zeo]
<= download-base <= download-base
...@@ -326,7 +326,7 @@ md5sum = 9670cf63099e2c520017a23defff51a4 ...@@ -326,7 +326,7 @@ md5sum = 9670cf63099e2c520017a23defff51a4
[template-zope] [template-zope]
<= download-base <= download-base
filename = instance-zope.cfg.in filename = instance-zope.cfg.in
md5sum = bf997f8bd9cacea96a514589bd7578a9 md5sum = f11c877cf2fd9b03aa2687cec017a87b
link-binary = link-binary =
${aspell:location}/bin/aspell ${aspell:location}/bin/aspell
${dmtx-utils:location}/bin/dmtxwrite ${dmtx-utils:location}/bin/dmtxwrite
......
...@@ -64,9 +64,10 @@ connection-url = smtp://127.0.0.2:0/ ...@@ -64,9 +64,10 @@ connection-url = smtp://127.0.0.2:0/
{% do neo.append(server_dict.get('cluster')) -%} {% do neo.append(server_dict.get('cluster')) -%}
{% do server_dict.update(cluster='${publish-early:neo-cluster}') -%} {% do server_dict.update(cluster='${publish-early:neo-cluster}') -%}
{{ root_common.request_neo(server_dict, 'zodb-neo', 'neo-') }} {{ root_common.request_neo(server_dict, 'zodb-neo', 'neo-') }}
{% if not server_dict.get('ssl', 1) -%} {% set client_dict = zodb_dict[name].setdefault('storage-dict', {}) -%}
{% do zodb_dict[name].setdefault('storage-dict', {}).update(ssl=0) -%} {% for k in 'ssl', '_ca', '_cert', '_key' -%}
{% endif -%} {% do k in server_dict and client_dict.setdefault(k, server_dict[k]) -%}
{% endfor -%}
{% else -%} {% else -%}
{{ assert(server_type == 'zeo', server_type) -}} {{ assert(server_type == 'zeo', server_type) -}}
{# BBB: for compatibility, keep 'zodb' as partition_reference for ZEO -#} {# BBB: for compatibility, keep 'zodb' as partition_reference for ZEO -#}
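Review bot: An `ssl` value already present in the client's `storage-dict` now wins over the server's setting, because `client_dict.setdefault(k, server_dict[k])` replaces the earlier unconditional `update(ssl=0)`. With SSL disabled on the server and `ssl` set in `storage-dict`, the client would still try SSL, which the old code prevented. If that precedence is wanted for `_ca`/`_cert`/`_key` only, keep the forced value for `ssl`, e.g. `{% do client_dict.update(ssl=0) if not server_dict.get('ssl', 1) -%}`, or document the precedence in a comment. The `do k in server_dict and …` form also hides a side effect behind short-circuit evaluation, so a plain `{% if k in server_dict -%}` would read more clearly. The enclosing `if`/`else` starts outside this hunk.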
......
...@@ -175,6 +175,27 @@ context = section parameter_dict preload-userhosts-runzope-parameter ...@@ -175,6 +175,27 @@ context = section parameter_dict preload-userhosts-runzope-parameter
template = {{ parameter_dict['runzope-userhosts-preloaded-template'] }} template = {{ parameter_dict['runzope-userhosts-preloaded-template'] }}
mode = 755 mode = 755
{# Hack to deploy SSL certs via instance parameters -#}
{% for zodb in zodb_dict.itervalues() -%}
{% set storage_dict = zodb.setdefault('storage-dict', {}) -%}
{% if zodb['type'] == 'neo' and storage_dict.get('ssl', 1) -%}
{% for k, v in (('_ca', 'ca.crt'),
('_cert', 'neo.crt'),
('_key', 'neo.key')) -%}
{% if k in storage_dict -%}
[{{ section('neo-ssl-' + k[1:]) }}]
recipe = slapos.recipe.template:jinja2
rendered = ${directory:etc}/{{v}}
template = inline:{{'{{'}}pem}}
context = key pem :pem
pem = {{dumps(storage_dict.pop(k))}}
{% endif -%}
{% endfor -%}
{% endif -%}
{% endfor -%}
{# endhack -#}
[zope-base] [zope-base]
recipe = slapos.cookbook:generic.zope.zeo.client recipe = slapos.cookbook:generic.zope.zeo.client
inituser = ${directory:instance}/inituser inituser = ${directory:instance}/inituser
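Review bot: The loop over `zodb_dict.itervalues()` emits parts with fixed names (`neo-ssl-ca`, `neo-ssl-cert`, `neo-ssl-key`) and fixed targets in `${directory:etc}`. Two NEO entries that both carry `_ca`/`_cert`/`_key` would therefore generate the same part and the same file twice. How `section()` and buildout handle the repeat is not visible here, but at best one certificate set silently replaces the other. I would state the limit in the hack's opening comment, e.g. `{# Only one certificate set per partition: all NEO storages share ~/etc/ca.crt, neo.crt, neo.key -#}`.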
......