1. 13 Mar, 2019 3 commits
    • caddy-frontend: Implement KeDiFa SSL information · bc2b1742
      Łukasz Nowak authored
      Use KeDiFa to store keys, and transmit the URL to the requester for master
      and slave partitions.
      
      Download keys on the slave partitions level.
      
      Use caucase to fetch main caucase CA.
      
      kedifa-caucase-url is published in order to have access to it.
      
      Note: caucase is prepended with kedifa, as this is that one.
      
      Use kedifa-csr tool to generate CSR and use caucase-updater macro.
      
      Switch to KeDiFa with SSL Auth and updated goodies.
      
      KeDiFa endpoint URLs are randomised.
      
      Only one (the first) user certificate is going to be automatically accepted. This
      one shall be operated by the cluster owner, the requester of the frontend master
      partition.
      
      Then he will be able to sign certificates for other users and also for
      services, so for each node in the cluster.
      
      A special trick from https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-command-line
      is used for one-command generation of extensions in the certificate.
      Note: We could upgrade to openssl 1.1.1 in order to have it really
      simplified (see https://security.stackexchange.com/a/183973 ).
      
      Improve CSR readability by creating cluster-identification, which is the master
      partition title, and use it as the Organization of the CSR.
      
      Reserve slots for data exchange in KeDiFa.
    • fb37422b
    • stack/caucase: Improve library · 1cc80dd4
      Łukasz Nowak authored
      Improvements:
      
       * support CSR as a file
         Allow passing template_csr as a file, as it is useful for some cases.
      
       * use dumps where needed, as it is available
      
       * fix rerequest internal call
  2. 12 Mar, 2019 4 commits
  3. 11 Mar, 2019 5 commits
  4. 09 Mar, 2019 1 commit
  5. 08 Mar, 2019 4 commits
  6. 07 Mar, 2019 6 commits
  7. 06 Mar, 2019 7 commits
  8. 05 Mar, 2019 6 commits
  9. 04 Mar, 2019 3 commits
  10. 01 Mar, 2019 1 commit
    • caddy-frontend: Publish only active slaves from main partition · 9714a74c
      Łukasz Nowak authored
      As some of the nodes can lag behind, the system can be in a state where those
      nodes will send inactive (also destroyed) slave publish information. Before
      publishing it to the master, check if each of the slaves is really present on the master.
      
      Tasks:
      
       - [x] prove it really works on simulated environment
       - [x] check impact on massive simulated environment
       - [x] cover with a test (optionally)
       - [ ] check test results with this change
      
      /reviewed-on nexedi/slapos!519