Merge lp:~ivoks/charms/trusty/contrail-analytics/openstack-ssl into lp:~sdn-charmers/charms/trusty/contrail-analytics/trunk

Proposed by Ante Karamatić
Status: Merged
Merged at revision: 37
Proposed branch: lp:~ivoks/charms/trusty/contrail-analytics/openstack-ssl
Merge into: lp:~sdn-charmers/charms/trusty/contrail-analytics/trunk
Diff against target: 263 lines (+134/-7)
11 files modified
charm-helpers-sync.yaml (+1/-0)
config.yaml (+6/-0)
hooks/charmhelpers/contrib/hahelpers/__init__.py (+13/-0)
hooks/charmhelpers/contrib/hahelpers/apache.py (+95/-0)
hooks/contrail_analytics_utils.py (+12/-0)
templates/contrail-alarm-gen.conf (+1/-1)
templates/contrail-analytics-api.conf (+1/-1)
templates/contrail-collector.conf (+2/-2)
templates/contrail-snmp-collector.conf (+1/-1)
templates/contrail-topology.conf (+1/-1)
templates/vnc_api_lib.ini (+1/-1)
To merge this branch: bzr merge lp:~ivoks/charms/trusty/contrail-analytics/openstack-ssl
Reviewer Review Type Date Requested Status
Robert Ayres (community) Approve
Review via email: mp+315998@code.launchpad.net

Description of the change

This patch allows contrail-analytics to connect to OpenStack services using TLS/SSL protocol.

It doesn't, yet, add functionality of exposing contrail-analytics endpoint as https. This will be done in another patch.

Revision history for this message
Robert Ayres (robert-ayres) wrote :

Apologies for the delay. I am actively reviewing/testing some modifications to this patch.

Revision history for this message
Robert Ayres (robert-ayres) :
review: Approve

Preview Diff

1=== modified file 'charm-helpers-sync.yaml'
2--- charm-helpers-sync.yaml 2016-10-25 20:12:33 +0000
3+++ charm-helpers-sync.yaml 2017-01-31 12:56:23 +0000
4@@ -3,5 +3,6 @@
5 include:
6 - core
7 - fetch
8+ - contrib.hahelpers.apache
9 - osplatform
10 - contrib.network
11
12=== modified file 'config.yaml'
13--- config.yaml 2016-11-10 17:54:05 +0000
14+++ config.yaml 2017-01-31 12:56:23 +0000
15@@ -31,3 +31,9 @@
16 type: int
17 default: 1
18 description: Minimum number of units required in kafka relation
19+ ssl_ca:
20+ type: string
21+ default:
22+ description: |
23+ SSL CA used to sign certificates of OpenStack services. It should be
24+ provided in base64 format.
25
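Review bot: the ssl_ca description (hunk lines 23-24) says the value is provided in base64, but get_ca_cert() in the new apache.py returns config_get('ssl_ca') untouched and install_ca_cert() writes that string verbatim into /usr/local/share/ca-certificates/keystone_juju_ca_cert.crt, so a base64-encoded PEM would land on disk undecoded and would not be usable as a trust anchor. Either base64-decode the value before handing it to install_ca_cert(), or change the description to say the PEM text itself is expected. Also worth a comment: `default:` with no value yields None, which is exactly what get_ca_cert() tests with `is None`; a user-supplied empty string bypasses that check and is only stopped by the `if ca_cert:` guard inside install_ca_cert().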
26=== added directory 'hooks/charmhelpers/contrib/hahelpers'
27=== added file 'hooks/charmhelpers/contrib/hahelpers/__init__.py'
28--- hooks/charmhelpers/contrib/hahelpers/__init__.py 1970-01-01 00:00:00 +0000
29+++ hooks/charmhelpers/contrib/hahelpers/__init__.py 2017-01-31 12:56:23 +0000
30@@ -0,0 +1,13 @@
31+# Copyright 2014-2015 Canonical Limited.
32+#
33+# Licensed under the Apache License, Version 2.0 (the "License");
34+# you may not use this file except in compliance with the License.
35+# You may obtain a copy of the License at
36+#
37+# http://www.apache.org/licenses/LICENSE-2.0
38+#
39+# Unless required by applicable law or agreed to in writing, software
40+# distributed under the License is distributed on an "AS IS" BASIS,
41+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
42+# See the License for the specific language governing permissions and
43+# limitations under the License.
44
45=== added file 'hooks/charmhelpers/contrib/hahelpers/apache.py'
46--- hooks/charmhelpers/contrib/hahelpers/apache.py 1970-01-01 00:00:00 +0000
47+++ hooks/charmhelpers/contrib/hahelpers/apache.py 2017-01-31 12:56:23 +0000
48@@ -0,0 +1,95 @@
49+# Copyright 2014-2015 Canonical Limited.
50+#
51+# Licensed under the Apache License, Version 2.0 (the "License");
52+# you may not use this file except in compliance with the License.
53+# You may obtain a copy of the License at
54+#
55+# http://www.apache.org/licenses/LICENSE-2.0
56+#
57+# Unless required by applicable law or agreed to in writing, software
58+# distributed under the License is distributed on an "AS IS" BASIS,
59+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
60+# See the License for the specific language governing permissions and
61+# limitations under the License.
62+
63+#
64+# Copyright 2012 Canonical Ltd.
65+#
66+# This file is sourced from lp:openstack-charm-helpers
67+#
68+# Authors:
69+# James Page <james.page@ubuntu.com>
70+# Adam Gandelman <adamg@ubuntu.com>
71+#
72+
73+import os
74+import subprocess
75+
76+from charmhelpers.core.hookenv import (
77+ config as config_get,
78+ relation_get,
79+ relation_ids,
80+ related_units as relation_list,
81+ log,
82+ INFO,
83+)
84+
85+
86+def get_cert(cn=None):
87+ # TODO: deal with multiple https endpoints via charm config
88+ cert = config_get('ssl_cert')
89+ key = config_get('ssl_key')
90+ if not (cert and key):
91+ log("Inspecting identity-service relations for SSL certificate.",
92+ level=INFO)
93+ cert = key = None
94+ if cn:
95+ ssl_cert_attr = 'ssl_cert_{}'.format(cn)
96+ ssl_key_attr = 'ssl_key_{}'.format(cn)
97+ else:
98+ ssl_cert_attr = 'ssl_cert'
99+ ssl_key_attr = 'ssl_key'
100+ for r_id in relation_ids('identity-service'):
101+ for unit in relation_list(r_id):
102+ if not cert:
103+ cert = relation_get(ssl_cert_attr,
104+ rid=r_id, unit=unit)
105+ if not key:
106+ key = relation_get(ssl_key_attr,
107+ rid=r_id, unit=unit)
108+ return (cert, key)
109+
110+
111+def get_ca_cert():
112+ ca_cert = config_get('ssl_ca')
113+ if ca_cert is None:
114+ log("Inspecting identity-service relations for CA SSL certificate.",
115+ level=INFO)
116+ for r_id in relation_ids('identity-service'):
117+ for unit in relation_list(r_id):
118+ if ca_cert is None:
119+ ca_cert = relation_get('ca_cert',
120+ rid=r_id, unit=unit)
121+ return ca_cert
122+
123+
124+def retrieve_ca_cert(cert_file):
125+ cert = None
126+ if os.path.isfile(cert_file):
127+ with open(cert_file, 'r') as crt:
128+ cert = crt.read()
129+ return cert
130+
131+
132+def install_ca_cert(ca_cert):
133+ if ca_cert:
134+ cert_file = ('/usr/local/share/ca-certificates/'
135+ 'keystone_juju_ca_cert.crt')
136+ old_cert = retrieve_ca_cert(cert_file)
137+ if old_cert and old_cert == ca_cert:
138+ log("CA cert is the same as installed version", level=INFO)
139+ else:
140+ log("Installing new CA cert", level=INFO)
141+ with open(cert_file, 'w') as crt:
142+ crt.write(ca_cert)
143+ subprocess.check_call(['update-ca-certificates', '--fresh'])
144
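Review bot: install_ca_cert() (hunk lines 132-143) only ever adds or replaces keystone_juju_ca_cert.crt and never removes it, because the whole body sits behind `if ca_cert:`; once a CA has been installed, clearing ssl_ca (or the relation's ca_cert) leaves that CA trusted system-wide, and `update-ca-certificates --fresh` only rebuilds from the files still present. Consider removing the file and re-running update-ca-certificates when no CA is configured. The function also writes whatever string it is given with no check that it looks like a PEM certificate (for example that it contains `-----BEGIN CERTIFICATE-----`), so a mistyped config value silently produces an unusable trust anchor; a minimal sanity check before the write would at least surface that in the log. Finally, get_cert() is synced in but not imported anywhere in this diff and reads ssl_cert/ssl_key keys that config.yaml does not define; harmless today, but it is dead weight in this charm.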
145=== modified file 'hooks/contrail_analytics_utils.py'
146--- hooks/contrail_analytics_utils.py 2016-10-27 15:26:53 +0000
147+++ hooks/contrail_analytics_utils.py 2017-01-31 12:56:23 +0000
148@@ -11,6 +11,11 @@
149 import apt_pkg
150 from apt_pkg import version_compare
151
152+from charmhelpers.contrib.hahelpers.apache import (
153+ get_ca_cert,
154+ install_ca_cert
155+)
156+
157 from charmhelpers.contrib.network.ip import get_address_in_network
158
159 from charmhelpers.core.hookenv import (
160@@ -141,6 +146,7 @@
161 def identity_admin_ctx():
162 ctxs = [ { "auth_host": gethostbyname(hostname),
163 "auth_port": relation_get("service_port", unit, rid),
164+ "auth_protocol": relation_get("service_protocol", unit, rid),
165 "admin_user": relation_get("service_username", unit, rid),
166 "admin_password": relation_get("service_password", unit, rid),
167 "admin_tenant_name": relation_get("service_tenant_name", unit, rid) }
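Review bot: the new auth_protocol entry (hunk line 164) has no fallback, unlike the hard-coded `http` it replaces in the templates. If the keystone side of the relation does not publish service_protocol, relation_get() returns None and the templates render `auth_protocol = None` (and, in contrail-collector.conf, `auth_url = None://...`), breaking Keystone auth that worked before this change. Suggest `"auth_protocol": relation_get("service_protocol", unit, rid) or "http",` or, if the intent is to require TLS, treat a missing value as a configuration error and log it rather than silently rendering None.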
168@@ -148,8 +154,14 @@
169 for unit, hostname in
170 ((unit, relation_get("service_hostname", unit, rid)) for unit in related_units(rid))
171 if hostname ]
172+ install_certificates()
173 return ctxs[0] if ctxs else {}
174
175+def install_certificates():
176+ CAcert = get_ca_cert()
177+ if CAcert is not None:
178+ install_ca_cert(CAcert)
179+
180 def is_container():
181 """Return boolean determining if inside container"""
182 try:
183
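Review bot: install_certificates() is called as a side effect from inside identity_admin_ctx() (hunk line 172), which is a context builder: every template render now fetches the CA and may rewrite the system trust store and run `update-ca-certificates --fresh`, and it does so even when ctxs is empty. Installing the CA belongs in the config-changed and identity relation hooks, before the context is rendered, leaving the context function pure. Style: `CAcert` should be `ca_cert` to match the PEP 8 naming of the helpers it calls, and the `is not None` check duplicates the `if ca_cert:` guard already inside install_ca_cert(), so the wrapper can collapse to `install_ca_cert(get_ca_cert())`.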
184=== modified file 'templates/contrail-alarm-gen.conf'
185--- templates/contrail-alarm-gen.conf 2016-10-27 15:26:53 +0000
186+++ templates/contrail-alarm-gen.conf 2017-01-31 12:56:23 +0000
187@@ -24,7 +24,7 @@
188
189 [KEYSTONE]
190 auth_host = {{ auth_host }}
191-auth_protocol = http
192+auth_protocol = {{ auth_protocol }}
193 auth_port = {{ auth_port }}
194 admin_user = {{ admin_user }}
195 admin_password = {{ admin_password }}
196
197=== modified file 'templates/contrail-analytics-api.conf'
198--- templates/contrail-analytics-api.conf 2016-10-27 15:26:53 +0000
199+++ templates/contrail-analytics-api.conf 2017-01-31 12:56:23 +0000
200@@ -30,7 +30,7 @@
201
202 [KEYSTONE]
203 auth_host = {{ auth_host }}
204-auth_protocol = http
205+auth_protocol = {{ auth_protocol }}
206 auth_port = {{ auth_port }}
207 admin_user = {{ admin_user }}
208 admin_password = {{ admin_password }}
209
210=== modified file 'templates/contrail-collector.conf'
211--- templates/contrail-collector.conf 2016-10-27 15:26:53 +0000
212+++ templates/contrail-collector.conf 2017-01-31 12:56:23 +0000
213@@ -32,9 +32,9 @@
214 {%- if keystone %}
215
216 [KEYSTONE]
217-auth_url = http://{{ auth_host }}:{{ auth_port }}/v2.0
218+auth_url = {{ auth_protocol }}://{{ auth_host }}:{{ auth_port }}/v2.0
219 auth_host = {{ auth_host }}
220-auth_protocol = http
221+auth_protocol = {{ auth_protocol }}
222 auth_port = {{ auth_port }}
223 admin_user = {{ admin_user }}
224 admin_password = {{ admin_password }}
225
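Review bot: auth_url (hunk line 218) is assembled from the same variables as the auth_host/auth_protocol/auth_port lines below it, so it inherits whatever auth_protocol resolves to; with no default in the context, an unset service_protocol renders `None://host:port/v2.0`, which is a harder failure than the plain `auth_protocol = None` line because the URL itself becomes unparsable. Consider rendering auth_url from a single pre-built value in the context so the protocol and the URL can never disagree. Note also that the `/v2.0` path stays hard-coded while the protocol is now variable; if that is intentional, a comment in the template would help.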
226=== modified file 'templates/contrail-snmp-collector.conf'
227--- templates/contrail-snmp-collector.conf 2016-03-23 19:33:19 +0000
228+++ templates/contrail-snmp-collector.conf 2017-01-31 12:56:23 +0000
229@@ -20,7 +20,7 @@
230
231 [KEYSTONE]
232 auth_host = {{ auth_host }}
233-auth_protocol = http
234+auth_protocol = {{ auth_protocol }}
235 auth_port = {{ auth_port }}
236 admin_user = {{ admin_user }}
237 admin_password = {{ admin_password }}
238
239=== modified file 'templates/contrail-topology.conf'
240--- templates/contrail-topology.conf 2016-10-27 15:26:53 +0000
241+++ templates/contrail-topology.conf 2017-01-31 12:56:23 +0000
242@@ -21,7 +21,7 @@
243
244 [KEYSTONE]
245 auth_host = {{ auth_host }}
246-auth_protocol = http
247+auth_protocol = {{ auth_protocol }}
248 auth_port = {{ auth_port }}
249 admin_user = {{ admin_user }}
250 admin_password = {{ admin_password }}
251
252=== modified file 'templates/vnc_api_lib.ini'
253--- templates/vnc_api_lib.ini 2016-03-23 15:38:12 +0000
254+++ templates/vnc_api_lib.ini 2017-01-31 12:56:23 +0000
255@@ -9,7 +9,7 @@
256
257 [auth]
258 AUTHN_TYPE = keystone
259-AUTHN_PROTOCOL = http
260+AUTHN_PROTOCOL = {{ auth_protocol }}
261 AUTHN_SERVER = {{ auth_host }}
262 AUTHN_PORT = {{ auth_port }}
263 AUTHN_URL = /v2.0/tokens
