Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
slapos
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Thomas Gambier
slapos
Commits
757c1a4d
Commit
757c1a4d
authored
May 27, 2020
by
Kazuhiko Shiozaki
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
stack/erp5: support frontend-caucase-url-list option.
parent
c8034ac7
Changes
5
Expand all
Hide whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
402 additions
and
4 deletions
+402
-4
software/erp5/instance-erp5-input-schema.json
software/erp5/instance-erp5-input-schema.json
+10
-0
software/erp5/test/test/test_balancer.py
software/erp5/test/test/test_balancer.py
+301
-0
stack/erp5/buildout.hash.cfg
stack/erp5/buildout.hash.cfg
+2
-2
stack/erp5/instance-balancer.cfg.in
stack/erp5/instance-balancer.cfg.in
+88
-2
stack/erp5/instance.cfg.in
stack/erp5/instance.cfg.in
+1
-0
No files found.
software/erp5/instance-erp5-input-schema.json
View file @
757c1a4d
...
@@ -455,6 +455,16 @@
...
@@ -455,6 +455,16 @@
"ssl"
:
{
"ssl"
:
{
"description"
:
"HTTPS certificate generation parameters"
,
"description"
:
"HTTPS certificate generation parameters"
,
"properties"
:
{
"properties"
:
{
"frontend-caucase-url-list"
:
{
"title"
:
"Frontend Caucase URL List"
,
"description"
:
"List of URLs of caucase service of frontend groups to authenticate access from them."
,
"type"
:
"array"
,
"items"
:
{
"type"
:
"string"
,
"format"
:
"uri"
},
"uniqueItems"
:
true
},
"caucase-url"
:
{
"caucase-url"
:
{
"title"
:
"Caucase URL"
,
"title"
:
"Caucase URL"
,
"description"
:
"URL of caucase service to use. If not set, global setting will be used."
,
"description"
:
"URL of caucase service to use. If not set, global setting will be used."
,
...
...
software/erp5/test/test/test_balancer.py
0 → 100644
View file @
757c1a4d
This diff is collapsed.
Click to expand it.
stack/erp5/buildout.hash.cfg
View file @
757c1a4d
...
@@ -70,7 +70,7 @@ md5sum = cc19560b9400cecbd23064d55c501eec
...
@@ -70,7 +70,7 @@ md5sum = cc19560b9400cecbd23064d55c501eec
[template]
[template]
filename = instance.cfg.in
filename = instance.cfg.in
md5sum =
f0f3b18f9963b137e366752886591fc3
md5sum =
328ea2bb5f2bff18f8be8c541c01f260
[monitor-template-dummy]
[monitor-template-dummy]
filename = dummy.cfg
filename = dummy.cfg
...
@@ -90,7 +90,7 @@ md5sum = 2f3ddd328ac1c375e483ecb2ef5ffb57
...
@@ -90,7 +90,7 @@ md5sum = 2f3ddd328ac1c375e483ecb2ef5ffb57
[template-balancer]
[template-balancer]
filename = instance-balancer.cfg.in
filename = instance-balancer.cfg.in
md5sum =
28b68d6eb1af5a48b25b05a21919db2a
md5sum =
0097e49b5bd7ad4978c722c1cdd27d6c
[template-haproxy-cfg]
[template-haproxy-cfg]
filename = haproxy.cfg.in
filename = haproxy.cfg.in
...
...
stack/erp5/instance-balancer.cfg.in
View file @
757c1a4d
...
@@ -2,6 +2,7 @@
...
@@ -2,6 +2,7 @@
{% set part_list = [] -%}
{% set part_list = [] -%}
{% macro section(name) %}{% do part_list.append(name) %}{{ name }}{% endmacro -%}
{% macro section(name) %}{% do part_list.append(name) %}{{ name }}{% endmacro -%}
{% set ssl_parameter_dict = slapparameter_dict['ssl'] -%}
{% set ssl_parameter_dict = slapparameter_dict['ssl'] -%}
{% set frontend_caucase_url_list = ssl_parameter_dict.get('frontend-caucase-url-list', []) -%}
{#
{#
XXX: This template only supports exactly one IPv4 and (if ipv6 is used) one IPv6
XXX: This template only supports exactly one IPv4 and (if ipv6 is used) one IPv6
per partition. No more (undefined result), no less (IndexError).
per partition. No more (undefined result), no less (IndexError).
...
@@ -38,6 +39,64 @@ mode = 644
...
@@ -38,6 +39,64 @@ mode = 644
{% do section('caucase-updater') -%}
{% do section('caucase-updater') -%}
{% do section('caucase-updater-promise') -%}
{% do section('caucase-updater-promise') -%}
{% set frontend_caucase_url_hash_list = [] -%}
{% for frontend_caucase_url in frontend_caucase_url_list -%}
{% set hash = hashlib.md5(frontend_caucase_url).hexdigest() -%}
{% do frontend_caucase_url_hash_list.append(hash) -%}
{% set data_dir = '${directory:srv}/client-cert-ca/%s' % hash -%}
{{ caucase.updater(
prefix='caucase-updater-%s' % hash,
buildout_bin_directory=parameter_dict['bin-directory'],
updater_path='${directory:services-on-watch}/caucase-updater-%s' % hash,
url=frontend_caucase_url,
data_dir=data_dir,
ca_path='%s/ca.crt' % data_dir,
crl_path='%s/crl.pem' % data_dir,
on_renew='${caucase-updater-housekeeper:output}; ${apache-graceful:output}',
max_sleep=ssl_parameter_dict.get('max-crl-update-delay', 1.0),
openssl=parameter_dict['openssl'] ~ '/bin/openssl',
)}}
{% do section('caucase-updater-%s' % hash) -%}
{% endfor -%}
{% if frontend_caucase_url_hash_list -%}
[caucase-updater-housekeeper]
recipe = collective.recipe.template
output = ${directory:bin}/caucase-updater-housekeeper
mode = 700
input =
inline:
#!${buildout:executable}
import glob
import os
import subprocess
hash_list = {{ repr(frontend_caucase_url_hash_list) }}
crt_list = ['%s.crt' % e for e in hash_list]
crl_list = ['%s.crl' % e for e in hash_list]
for path in glob.glob('${apache-conf-ssl:ca-cert-dir}/*.crt'):
if os.path.basename(path) not in crt_list:
os.unlink(path)
for path in glob.glob('${apache-conf-ssl:crl-dir}/*.crl'):
if os.path.basename(path) not in crl_list:
os.unlink(path)
for hash in hash_list:
crt = '${directory:srv}/client-cert-ca/%s/ca.crt' % hash
crt_link = '${apache-conf-ssl:ca-cert-dir}/%s.crt' % hash
crl = '${directory:srv}/client-cert-ca/%s/crl.pem' % hash
crl_link = '${apache-conf-ssl:crl-dir}/%s.crl' % hash
if os.path.isfile(crt) and not os.path.islink(crt_link):
os.symlink(crt, crt_link)
if os.path.isfile(crl) and not os.path.islink(crl_link):
os.symlink(crl, crl_link)
subprocess.check_call(['{{ parameter_dict["openssl"] }}/bin/c_rehash', '${apache-conf-ssl:ca-cert-dir}'])
subprocess.check_call(['{{ parameter_dict["openssl"] }}/bin/c_rehash', '${apache-conf-ssl:crl-dir}'])
[caucase-updater-housekeeper-run]
recipe = plone.recipe.command
command = ${caucase-updater-housekeeper:output}
update-command = ${:command}
{% endif -%}
{% set haproxy_dict = {} -%}
{% set haproxy_dict = {} -%}
{% set apache_dict = {} -%}
{% set apache_dict = {} -%}
{% set zope_virtualhost_monster_backend_dict = {} %}
{% set zope_virtualhost_monster_backend_dict = {} %}
...
@@ -123,6 +182,27 @@ key = ${directory:apache-conf}/apache.pem
...
@@ -123,6 +182,27 @@ key = ${directory:apache-conf}/apache.pem
# XXX caucase certificate is not supported by caddy for now
# XXX caucase certificate is not supported by caddy for now
caucase-cert = ${directory:apache-conf}/apache-caucase.crt
caucase-cert = ${directory:apache-conf}/apache-caucase.crt
caucase-key = ${directory:apache-conf}/apache-caucase.pem
caucase-key = ${directory:apache-conf}/apache-caucase.pem
{% if frontend_caucase_url_list -%}
depends = ${caucase-updater-housekeeper-run:recipe}
ca-cert-dir = ${directory:apache-ca-cert-dir}
crl-dir = ${directory:apache-crl-dir}
{%- endif %}
[simplefile]
< = jinja2-template-base
template = inline:{{ '{{ content }}' }}
{% macro simplefile(section_name, file_path, content, mode='') -%}
{% set content_section_name = section_name ~ '-content' -%}
[{{ content_section_name }}]
content = {{ dumps(content) }}
[{{ section(section_name) }}]
< = simplefile
rendered = {{ file_path }}
context = key content {{content_section_name}}:content
mode = {{ mode }}
{%- endmacro %}
[apache-ssl]
[apache-ssl]
{% if ssl_parameter_dict.get('key') -%}
{% if ssl_parameter_dict.get('key') -%}
...
@@ -152,9 +232,11 @@ cert = ${apache-ssl:cert}
...
@@ -152,9 +232,11 @@ cert = ${apache-ssl:cert}
key = ${apache-ssl:key}
key = ${apache-ssl:key}
cipher =
cipher =
ssl-session-cache = ${directory:log}/apache-ssl-session-cache
ssl-session-cache = ${directory:log}/apache-ssl-session-cache
{% if frontend_caucase_url_list -%}
# Client x509 auth
# Client x509 auth
ca-cert = ${apache-conf-ssl:ca-cert}
ca-cert-dir = ${apache-conf-ssl:ca-cert-dir}
crl = ${apache-conf-ssl:crl}
crl-dir = ${apache-conf-ssl:crl-dir}
{%- endif %}
[apache-conf]
[apache-conf]
< = jinja2-template-base
< = jinja2-template-base
...
@@ -207,6 +289,10 @@ post = test ! -s ${apache-conf-parameter-dict:pid-file} || {{ parameter_dict['bi
...
@@ -207,6 +289,10 @@ post = test ! -s ${apache-conf-parameter-dict:pid-file} || {{ parameter_dict['bi
[directory]
[directory]
recipe = slapos.cookbook:mkdirectory
recipe = slapos.cookbook:mkdirectory
apache-conf = ${:etc}/apache
apache-conf = ${:etc}/apache
{% if frontend_caucase_url_list -%}
apache-ca-cert-dir = ${:apache-conf}/ssl.crt
apache-crl-dir = ${:apache-conf}/ssl.crl
{% endif -%}
bin = ${buildout:directory}/bin
bin = ${buildout:directory}/bin
etc = ${buildout:directory}/etc
etc = ${buildout:directory}/etc
services = ${:etc}/run
services = ${:etc}/run
...
...
stack/erp5/instance.cfg.in
View file @
757c1a4d
...
@@ -72,6 +72,7 @@ filename = instance-balancer.cfg
...
@@ -72,6 +72,7 @@ filename = instance-balancer.cfg
extra-context =
extra-context =
section parameter_dict dynamic-template-balancer-parameters
section parameter_dict dynamic-template-balancer-parameters
import itertools itertools
import itertools itertools
import hashlib hashlib
import-list =
import-list =
file caucase context:caucase-jinja2-library
file caucase context:caucase-jinja2-library
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment