Merge lp:~ivoks/charms/trusty/contrail-configuration/openstack-ssl into lp:~sdn-charmers/charms/trusty/contrail-configuration/trunk

Proposed by Ante Karamatić
Status: Merged
Merged at revision: 65
Proposed branch: lp:~ivoks/charms/trusty/contrail-configuration/openstack-ssl
Merge into: lp:~sdn-charmers/charms/trusty/contrail-configuration/trunk
Diff against target: 222 lines (+130/-3)
8 files modified
charm-helpers-sync.yaml (+1/-0)
config.yaml (+6/-0)
hooks/charmhelpers/contrib/hahelpers/__init__.py (+13/-0)
hooks/charmhelpers/contrib/hahelpers/apache.py (+95/-0)
hooks/contrail_configuration_utils.py (+12/-0)
templates/contrail-api.conf (+1/-1)
templates/contrail-lbaas-auth.conf (+1/-1)
templates/vnc_api_lib.ini (+1/-1)
To merge this branch: bzr merge lp:~ivoks/charms/trusty/contrail-configuration/openstack-ssl
Reviewer Review Type Date Requested Status
Robert Ayres (community) Approve
Review via email: mp+315999@code.launchpad.net

Description of the change

This patch allows contrail-configuration to connect to OpenStack services using TLS/SSL protocol.

It doesn't yet add the functionality of exposing the contrail-api endpoint as https. This will be done in another patch.

Revision history for this message
Robert Ayres (robert-ayres) wrote :

Apologies for the delay. I am actively reviewing/testing some modifications to this patch.

Revision history for this message
Robert Ayres (robert-ayres) :
review: Approve

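--- a/charm-helpers-sync.yaml
+++ b/charm-helpers-sync.yaml
@@ -3,6 +3,7 @@
 include:
 - core
 - fetch
+ - contrib.hahelpers.apache
 - osplatform
 - contrib.network
 - contrib.openstack|inc=*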
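--- a/config.yaml
+++ b/config.yaml
@@ -56,3 +56,9 @@
 type: int
 default: 1
 description: Minimum number of units required in cassandra relation
+ ssl_ca:
+ type: string
+ default:
+ description: |
+ SSL CA used to sign certificates of OpenStack services. It should be
+ provided in base64 format.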
27=== added directory 'hooks/charmhelpers/contrib/hahelpers'
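--- a/hooks/charmhelpers/contrib/hahelpers/__init__.py
+++ b/hooks/charmhelpers/contrib/hahelpers/__init__.py
@@ -0,0 +1,13 @@
+# Copyright 2014-2015 Canonical Limited.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.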
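--- a/hooks/charmhelpers/contrib/hahelpers/apache.py
+++ b/hooks/charmhelpers/contrib/hahelpers/apache.py
@@ -0,0 +1,95 @@
+# Copyright 2014-2015 Canonical Limited.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#
+# Copyright 2012 Canonical Ltd.
+#
+# This file is sourced from lp:openstack-charm-helpers
+#
+# Authors:
+# James Page <james.page@ubuntu.com>
+# Adam Gandelman <adamg@ubuntu.com>
+#
+
+import os
+import subprocess
+
+from charmhelpers.core.hookenv import (
+ config as config_get,
+ relation_get,
+ relation_ids,
+ related_units as relation_list,
+ log,
+ INFO,
+)
+
+
+def get_cert(cn=None):
+ # TODO: deal with multiple https endpoints via charm config
+ cert = config_get('ssl_cert')
+ key = config_get('ssl_key')
+ if not (cert and key):
+ log("Inspecting identity-service relations for SSL certificate.",
+ level=INFO)
+ cert = key = None
+ if cn:
+ ssl_cert_attr = 'ssl_cert_{}'.format(cn)
+ ssl_key_attr = 'ssl_key_{}'.format(cn)
+ else:
+ ssl_cert_attr = 'ssl_cert'
+ ssl_key_attr = 'ssl_key'
+ for r_id in relation_ids('identity-service'):
+ for unit in relation_list(r_id):
+ if not cert:
+ cert = relation_get(ssl_cert_attr,
+ rid=r_id, unit=unit)
+ if not key:
+ key = relation_get(ssl_key_attr,
+ rid=r_id, unit=unit)
+ return (cert, key)
+
+
+def get_ca_cert():
+ ca_cert = config_get('ssl_ca')
+ if ca_cert is None:
+ log("Inspecting identity-service relations for CA SSL certificate.",
+ level=INFO)
+ for r_id in relation_ids('identity-service'):
+ for unit in relation_list(r_id):
+ if ca_cert is None:
+ ca_cert = relation_get('ca_cert',
+ rid=r_id, unit=unit)
+ return ca_cert
+
+
+def retrieve_ca_cert(cert_file):
+ cert = None
+ if os.path.isfile(cert_file):
+ with open(cert_file, 'r') as crt:
+ cert = crt.read()
+ return cert
+
+
+def install_ca_cert(ca_cert):
+ if ca_cert:
+ cert_file = ('/usr/local/share/ca-certificates/'
+ 'keystone_juju_ca_cert.crt')
+ old_cert = retrieve_ca_cert(cert_file)
+ if old_cert and old_cert == ca_cert:
+ log("CA cert is the same as installed version", level=INFO)
+ else:
+ log("Installing new CA cert", level=INFO)
+ with open(cert_file, 'w') as crt:
+ crt.write(ca_cert)
+ subprocess.check_call(['update-ca-certificates', '--fresh'])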
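--- a/hooks/contrail_configuration_utils.py
+++ b/hooks/contrail_configuration_utils.py
@@ -16,6 +16,11 @@
 import json
 import urllib2
 
+from charmhelpers.contrib.hahelpers.apache import (
+ get_ca_cert,
+ install_ca_cert
+)
+
 from charmhelpers.contrib.network.ip import get_address_in_network
 
 from charmhelpers.core.hookenv import (
@@ -311,6 +316,7 @@
 def identity_admin_ctx():
 ctxs = [ { "auth_host": gethostbyname(hostname),
 "auth_port": relation_get("service_port", unit, rid),
+ "auth_protocol": relation_get("service_protocol", unit, rid),
 "admin_user": relation_get("service_username", unit, rid),
 "admin_password": relation_get("service_password", unit, rid),
 "admin_tenant_name": relation_get("service_tenant_name", unit, rid),
@@ -319,8 +325,14 @@
 for unit, hostname in
 ((unit, relation_get("service_hostname", unit, rid)) for unit in related_units(rid))
 if hostname ]
+ install_certificates()
 return ctxs[0] if ctxs else {}
 
+def install_certificates():
+ CAcert = get_ca_cert()
+ if CAcert is not None:
+ install_ca_cert(CAcert)
+
 def is_container():
 """Return boolean determining if inside container"""
 try: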
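Review bot: `install_certificates` in the last hunk passes the `ssl_ca` config value to `install_ca_cert` verbatim, while the new `config.yaml` description says the value is "provided in base64 format"; `install_ca_cert` writes the string straight into the `.crt` file, so a base64-encoded CA would land on disk undecoded and `update-ca-certificates --fresh` would not yield a usable trust anchor. Either the description should say PEM, or the charm should decode before installing, e.g. `install_ca_cert(b64decode(CAcert))` with `from base64 import b64decode` added to the import block; the relation-provided `ca_cert` fallback in `get_ca_cert` presumably follows the same encoding convention — confirm against the keystone charm. Separately, the new `"auth_protocol": relation_get("service_protocol", unit, rid)` entry replaces the hard-coded `http` in three templates with no fallback, so a keystone unit that does not publish `service_protocol` would render `auth_protocol = None`; `relation_get("service_protocol", unit, rid) or "http"` preserves the previous behaviour. Note also that `identity_admin_ctx`, whose start lies outside the last hunk, now writes a file and runs `update-ca-certificates` as a side effect of building a template context, which is worth a comment at the `install_certificates()` call so the next maintainer does not assume the context builder is pure.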
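--- a/templates/contrail-api.conf
+++ b/templates/contrail-api.conf
@@ -22,7 +22,7 @@
 [KEYSTONE]
 auth_host = {{ auth_host }}
 auth_port = {{ auth_port }}
-auth_protocol = http
+auth_protocol = {{ auth_protocol }}
 admin_user = {{ admin_user }}
 admin_password = {{ admin_password }}
 admin_token =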
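--- a/templates/contrail-lbaas-auth.conf
+++ b/templates/contrail-lbaas-auth.conf
@@ -4,7 +4,7 @@
 ###############################################################################
 
 [BARBICAN]
-auth_url = http://{{ auth_host }}:{{ auth_port }}/v2.0
+auth_url = {{ auth_protocol }}://{{ auth_host }}:{{ auth_port }}/v2.0
 auth_version = 2
 admin_user = {{ admin_user }}
 admin_password = {{ admin_password }}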
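--- a/templates/vnc_api_lib.ini
+++ b/templates/vnc_api_lib.ini
@@ -9,7 +9,7 @@
 
 [auth]
 AUTHN_TYPE = keystone
-AUTHN_PROTOCOL = http
+AUTHN_PROTOCOL = {{ auth_protocol }}
 AUTHN_SERVER = {{ auth_host }}
 AUTHN_PORT = {{ auth_port }}
 AUTHN_URL = /v2.0/tokens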
