Merge lp:~ivoks/charms/trusty/contrail-analytics/openstack-ssl into lp:~sdn-charmers/charms/trusty/contrail-analytics/trunk

Proposed by Ante Karamatić
Status: Merged
Merged at revision: 37
Proposed branch: lp:~ivoks/charms/trusty/contrail-analytics/openstack-ssl
Merge into: lp:~sdn-charmers/charms/trusty/contrail-analytics/trunk
Diff against target: 263 lines (+134/-7)
11 files modified
charm-helpers-sync.yaml (+1/-0)
config.yaml (+6/-0)
hooks/charmhelpers/contrib/hahelpers/__init__.py (+13/-0)
hooks/charmhelpers/contrib/hahelpers/apache.py (+95/-0)
hooks/contrail_analytics_utils.py (+12/-0)
templates/contrail-alarm-gen.conf (+1/-1)
templates/contrail-analytics-api.conf (+1/-1)
templates/contrail-collector.conf (+2/-2)
templates/contrail-snmp-collector.conf (+1/-1)
templates/contrail-topology.conf (+1/-1)
templates/vnc_api_lib.ini (+1/-1)
To merge this branch: bzr merge lp:~ivoks/charms/trusty/contrail-analytics/openstack-ssl
Reviewer Review Type Date Requested Status
Robert Ayres (community) Approve
Review via email: mp+315998@code.launchpad.net

Description of the change

This patch allows contrail-analytics to connect to OpenStack services using TLS/SSL protocol.

It doesn't, yet, add functionality of exposing contrail-analytics endpoint as https. This will be done in another patch.

Robert Ayres (robert-ayres) wrote :

Apologies for the delay. I am actively reviewing/testing some modifications to this patch.

Robert Ayres (robert-ayres) :
review: Approve

Preview Diff

=== modified file 'charm-helpers-sync.yaml'
--- charm-helpers-sync.yaml 2016-10-25 20:12:33 +0000
+++ charm-helpers-sync.yaml 2017-01-31 12:56:23 +0000
@@ -3,5 +3,6 @@
3include:3include:
4 - core4 - core
5 - fetch5 - fetch
6 - contrib.hahelpers.apache
6 - osplatform7 - osplatform
7 - contrib.network8 - contrib.network
89
=== modified file 'config.yaml'
--- config.yaml 2016-11-10 17:54:05 +0000
+++ config.yaml 2017-01-31 12:56:23 +0000
@@ -31,3 +31,9 @@
31 type: int31 type: int
32 default: 132 default: 1
33 description: Minimum number of units required in kafka relation33 description: Minimum number of units required in kafka relation
34 ssl_ca:
35 type: string
36 default:
37 description: |
38 SSL CA used to sign certificates of OpenStack services. It should be
39 provided in base64 format.
3440
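
Review bot: The ssl_ca description asks for a base64 value, but nothing in this patch decodes it. get_ca_cert() returns config_get('ssl_ca') unchanged and install_ca_cert() writes that string straight to keystone_juju_ca_cert.crt with crt.write(ca_cert). Either decode the option before it is installed, or change the description to ask for the PEM certificate itself, so that the file written under /usr/local/share/ca-certificates is a PEM certificate and not a base64 wrapping of one.
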
=== added directory 'hooks/charmhelpers/contrib/hahelpers'
=== added file 'hooks/charmhelpers/contrib/hahelpers/__init__.py'
--- hooks/charmhelpers/contrib/hahelpers/__init__.py 1970-01-01 00:00:00 +0000
+++ hooks/charmhelpers/contrib/hahelpers/__init__.py 2017-01-31 12:56:23 +0000
@@ -0,0 +1,13 @@
1# Copyright 2014-2015 Canonical Limited.
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
014
=== added file 'hooks/charmhelpers/contrib/hahelpers/apache.py'
--- hooks/charmhelpers/contrib/hahelpers/apache.py 1970-01-01 00:00:00 +0000
+++ hooks/charmhelpers/contrib/hahelpers/apache.py 2017-01-31 12:56:23 +0000
@@ -0,0 +1,95 @@
1# Copyright 2014-2015 Canonical Limited.
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
14
15#
16# Copyright 2012 Canonical Ltd.
17#
18# This file is sourced from lp:openstack-charm-helpers
19#
20# Authors:
21# James Page <james.page@ubuntu.com>
22# Adam Gandelman <adamg@ubuntu.com>
23#
24
25import os
26import subprocess
27
28from charmhelpers.core.hookenv import (
29 config as config_get,
30 relation_get,
31 relation_ids,
32 related_units as relation_list,
33 log,
34 INFO,
35)
36
37
38def get_cert(cn=None):
39 # TODO: deal with multiple https endpoints via charm config
40 cert = config_get('ssl_cert')
41 key = config_get('ssl_key')
42 if not (cert and key):
43 log("Inspecting identity-service relations for SSL certificate.",
44 level=INFO)
45 cert = key = None
46 if cn:
47 ssl_cert_attr = 'ssl_cert_{}'.format(cn)
48 ssl_key_attr = 'ssl_key_{}'.format(cn)
49 else:
50 ssl_cert_attr = 'ssl_cert'
51 ssl_key_attr = 'ssl_key'
52 for r_id in relation_ids('identity-service'):
53 for unit in relation_list(r_id):
54 if not cert:
55 cert = relation_get(ssl_cert_attr,
56 rid=r_id, unit=unit)
57 if not key:
58 key = relation_get(ssl_key_attr,
59 rid=r_id, unit=unit)
60 return (cert, key)
61
62
63def get_ca_cert():
64 ca_cert = config_get('ssl_ca')
65 if ca_cert is None:
66 log("Inspecting identity-service relations for CA SSL certificate.",
67 level=INFO)
68 for r_id in relation_ids('identity-service'):
69 for unit in relation_list(r_id):
70 if ca_cert is None:
71 ca_cert = relation_get('ca_cert',
72 rid=r_id, unit=unit)
73 return ca_cert
74
75
76def retrieve_ca_cert(cert_file):
77 cert = None
78 if os.path.isfile(cert_file):
79 with open(cert_file, 'r') as crt:
80 cert = crt.read()
81 return cert
82
83
84def install_ca_cert(ca_cert):
85 if ca_cert:
86 cert_file = ('/usr/local/share/ca-certificates/'
87 'keystone_juju_ca_cert.crt')
88 old_cert = retrieve_ca_cert(cert_file)
89 if old_cert and old_cert == ca_cert:
90 log("CA cert is the same as installed version", level=INFO)
91 else:
92 log("Installing new CA cert", level=INFO)
93 with open(cert_file, 'w') as crt:
94 crt.write(ca_cert)
95 subprocess.check_call(['update-ca-certificates', '--fresh'])
096
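
Review bot: install_ca_cert() has no removal path. When ca_cert is empty the "if ca_cert:" branch is skipped, and a previously written /usr/local/share/ca-certificates/keystone_juju_ca_cert.crt stays in place, so a CA the operator has since unset keeps being picked up as a system-wide trust anchor. Consider deleting the file and re-running update-ca-certificates in that case. Separately, get_ca_cert() only falls back to the identity-service relation when config_get('ssl_ca') is None, so an ssl_ca set to an empty string suppresses the relation lookup; testing "if not ca_cert" would treat both as unset.
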
=== modified file 'hooks/contrail_analytics_utils.py'
--- hooks/contrail_analytics_utils.py 2016-10-27 15:26:53 +0000
+++ hooks/contrail_analytics_utils.py 2017-01-31 12:56:23 +0000
@@ -11,6 +11,11 @@
11import apt_pkg11import apt_pkg
12from apt_pkg import version_compare12from apt_pkg import version_compare
1313
14from charmhelpers.contrib.hahelpers.apache import (
15 get_ca_cert,
16 install_ca_cert
17)
18
14from charmhelpers.contrib.network.ip import get_address_in_network19from charmhelpers.contrib.network.ip import get_address_in_network
1520
16from charmhelpers.core.hookenv import (21from charmhelpers.core.hookenv import (
@@ -141,6 +146,7 @@
141def identity_admin_ctx():146def identity_admin_ctx():
142 ctxs = [ { "auth_host": gethostbyname(hostname),147 ctxs = [ { "auth_host": gethostbyname(hostname),
143 "auth_port": relation_get("service_port", unit, rid),148 "auth_port": relation_get("service_port", unit, rid),
149 "auth_protocol": relation_get("service_protocol", unit, rid),
144 "admin_user": relation_get("service_username", unit, rid),150 "admin_user": relation_get("service_username", unit, rid),
145 "admin_password": relation_get("service_password", unit, rid),151 "admin_password": relation_get("service_password", unit, rid),
146 "admin_tenant_name": relation_get("service_tenant_name", unit, rid) }152 "admin_tenant_name": relation_get("service_tenant_name", unit, rid) }
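
Review bot: auth_protocol is taken from relation_get("service_protocol", unit, rid) with no check that the unit has published it; the comprehension still filters only on "if hostname". A unit that sets service_hostname but not service_protocol yields auth_protocol = None, which the templates then render where the literal http used to be. Consider requiring service_protocol alongside hostname in the filter, and checking that it is either http or https before it goes into the context.
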
@@ -148,8 +154,14 @@
148 for unit, hostname in154 for unit, hostname in
149 ((unit, relation_get("service_hostname", unit, rid)) for unit in related_units(rid))155 ((unit, relation_get("service_hostname", unit, rid)) for unit in related_units(rid))
150 if hostname ]156 if hostname ]
157 install_certificates()
151 return ctxs[0] if ctxs else {}158 return ctxs[0] if ctxs else {}
152159
160def install_certificates():
161 CAcert = get_ca_cert()
162 if CAcert is not None:
163 install_ca_cert(CAcert)
164
153def is_container():165def is_container():
154 """Return boolean determining if inside container"""166 """Return boolean determining if inside container"""
155 try:167 try:
156168
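
Review bot: install_certificates() is called from inside identity_admin_ctx(), so building a template context can now write to the system CA store and run update-ca-certificates as a side effect, and the call is made even when ctxs is empty. A failure in subprocess.check_call would also surface as an error while gathering context. It would be clearer to call it from the relation and config-changed hooks. If ssl_ca really is base64 as config.yaml says, this function is also the natural place to decode it before install_ca_cert(CAcert).
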
=== modified file 'templates/contrail-alarm-gen.conf'
--- templates/contrail-alarm-gen.conf 2016-10-27 15:26:53 +0000
+++ templates/contrail-alarm-gen.conf 2017-01-31 12:56:23 +0000
@@ -24,7 +24,7 @@
2424
25[KEYSTONE]25[KEYSTONE]
26auth_host = {{ auth_host }}26auth_host = {{ auth_host }}
27auth_protocol = http27auth_protocol = {{ auth_protocol }}
28auth_port = {{ auth_port }}28auth_port = {{ auth_port }}
29admin_user = {{ admin_user }}29admin_user = {{ admin_user }}
30admin_password = {{ admin_password }}30admin_password = {{ admin_password }}
3131
=== modified file 'templates/contrail-analytics-api.conf'
--- templates/contrail-analytics-api.conf 2016-10-27 15:26:53 +0000
+++ templates/contrail-analytics-api.conf 2017-01-31 12:56:23 +0000
@@ -30,7 +30,7 @@
3030
31[KEYSTONE]31[KEYSTONE]
32auth_host = {{ auth_host }}32auth_host = {{ auth_host }}
33auth_protocol = http33auth_protocol = {{ auth_protocol }}
34auth_port = {{ auth_port }}34auth_port = {{ auth_port }}
35admin_user = {{ admin_user }}35admin_user = {{ admin_user }}
36admin_password = {{ admin_password }}36admin_password = {{ admin_password }}
3737
=== modified file 'templates/contrail-collector.conf'
--- templates/contrail-collector.conf 2016-10-27 15:26:53 +0000
+++ templates/contrail-collector.conf 2017-01-31 12:56:23 +0000
@@ -32,9 +32,9 @@
32{%- if keystone %}32{%- if keystone %}
3333
34[KEYSTONE]34[KEYSTONE]
35auth_url = http://{{ auth_host }}:{{ auth_port }}/v2.035auth_url = {{ auth_protocol }}://{{ auth_host }}:{{ auth_port }}/v2.0
36auth_host = {{ auth_host }}36auth_host = {{ auth_host }}
37auth_protocol = http37auth_protocol = {{ auth_protocol }}
38auth_port = {{ auth_port }}38auth_port = {{ auth_port }}
39admin_user = {{ admin_user }}39admin_user = {{ admin_user }}
40admin_password = {{ admin_password }}40admin_password = {{ admin_password }}
4141
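
Review bot: auth_url is now assembled from {{ auth_protocol }}, so a missing value produces a malformed URL where the template previously always produced a valid one: with Jinja2 a None in the context renders as the text None, giving None://host:port/v2.0. The block is already inside "if keystone"; consider also guarding it on auth_protocol being set, so the collector is not configured with a broken Keystone endpoint.
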
=== modified file 'templates/contrail-snmp-collector.conf'
--- templates/contrail-snmp-collector.conf 2016-03-23 19:33:19 +0000
+++ templates/contrail-snmp-collector.conf 2017-01-31 12:56:23 +0000
@@ -20,7 +20,7 @@
2020
21[KEYSTONE]21[KEYSTONE]
22auth_host = {{ auth_host }}22auth_host = {{ auth_host }}
23auth_protocol = http23auth_protocol = {{ auth_protocol }}
24auth_port = {{ auth_port }}24auth_port = {{ auth_port }}
25admin_user = {{ admin_user }}25admin_user = {{ admin_user }}
26admin_password = {{ admin_password }}26admin_password = {{ admin_password }}
2727
=== modified file 'templates/contrail-topology.conf'
--- templates/contrail-topology.conf 2016-10-27 15:26:53 +0000
+++ templates/contrail-topology.conf 2017-01-31 12:56:23 +0000
@@ -21,7 +21,7 @@
2121
22[KEYSTONE]22[KEYSTONE]
23auth_host = {{ auth_host }}23auth_host = {{ auth_host }}
24auth_protocol = http24auth_protocol = {{ auth_protocol }}
25auth_port = {{ auth_port }}25auth_port = {{ auth_port }}
26admin_user = {{ admin_user }}26admin_user = {{ admin_user }}
27admin_password = {{ admin_password }}27admin_password = {{ admin_password }}
2828
=== modified file 'templates/vnc_api_lib.ini'
--- templates/vnc_api_lib.ini 2016-03-23 15:38:12 +0000
+++ templates/vnc_api_lib.ini 2017-01-31 12:56:23 +0000
@@ -9,7 +9,7 @@
99
10[auth]10[auth]
11AUTHN_TYPE = keystone11AUTHN_TYPE = keystone
12AUTHN_PROTOCOL = http12AUTHN_PROTOCOL = {{ auth_protocol }}
13AUTHN_SERVER = {{ auth_host }}13AUTHN_SERVER = {{ auth_host }}
14AUTHN_PORT = {{ auth_port }}14AUTHN_PORT = {{ auth_port }}
15AUTHN_URL = /v2.0/tokens15AUTHN_URL = /v2.0/tokens
