Juju Charms Collection
contrail-webui package

Merge lp:~ivoks/charms/trusty/contrail-webui/openstack-ssl into lp:~sdn-charmers/charms/trusty/contrail-webui/trunk

Proposed by Ante Karamatić on 2017-01-31

Status:	Merged
Merged at revision:	39
Proposed branch:	lp:~ivoks/charms/trusty/contrail-webui/openstack-ssl
Merge into:	lp:~sdn-charmers/charms/trusty/contrail-webui/trunk
Diff against target:	210 lines (+139/-2) 7 files modified charm-helpers-sync.yaml (+1/-0) config.yaml (+6/-0) hooks/charmhelpers/contrib/__init__.py (+13/-0) hooks/charmhelpers/contrib/hahelpers/__init__.py (+13/-0) hooks/charmhelpers/contrib/hahelpers/apache.py (+95/-0) hooks/services.py (+10/-1) templates/config.global.js.j2 (+1/-1)
To merge this branch:	bzr merge lp:~ivoks/charms/trusty/contrail-webui/openstack-ssl
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Robert Ayres (community)		2017-01-31	Approve on 2017-03-10
Review via email: mp+316005@code.launchpad.net

Description of the change

This patch allows contrail-webui to connect to OpenStack services using TLS/SSL protocol.

Revision history for this message

Robert Ayres (robert-ayres) wrote on 2017-03-02:

Apologies for the delay. I am actively reviewing/testing some modifications to this patch.

Revision history for this message

Robert Ayres (robert-ayres) on 2017-03-10:

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Ante Karamatić

SDN Charmers

 === modified file 'charm-helpers-sync.yaml'
 --- charm-helpers-sync.yaml	2016-10-10 21:00:20 +0000
 +++ charm-helpers-sync.yaml	2017-01-31 13:12:03 +0000
@@ -3,4 +3,5 @@
  include:
    - core
    - fetch
++  - contrib.hahelpers.apache
    - osplatform
 === modified file 'config.yaml'
 --- config.yaml	2015-12-17 20:29:12 +0000
 +++ config.yaml	2017-01-31 13:12:03 +0000
@@ -50,3 +50,9 @@
        NOTE: it will get downloaded and cached every time
        the config is updated. If empty, the default will
        be used.
++  ssl_ca:
++    type: string
++    default:
++    description: |
++      SSL CA used to sign certificates of OpenStack services. It should be
++      provided in base64 format.
 === added directory 'hooks/charmhelpers/contrib'
 === added file 'hooks/charmhelpers/contrib/__init__.py'
 --- hooks/charmhelpers/contrib/__init__.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/contrib/__init__.py	2017-01-31 13:12:03 +0000
@@ -0,0 +1,13 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# Licensed under the Apache License, Version 2.0 (the "License");
++# you may not use this file except in compliance with the License.
++# You may obtain a copy of the License at
++#
++#  http://www.apache.org/licenses/LICENSE-2.0
++#
++# Unless required by applicable law or agreed to in writing, software
++# distributed under the License is distributed on an "AS IS" BASIS,
++# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++# See the License for the specific language governing permissions and
++# limitations under the License.
 === added directory 'hooks/charmhelpers/contrib/hahelpers'
 === added file 'hooks/charmhelpers/contrib/hahelpers/__init__.py'
 --- hooks/charmhelpers/contrib/hahelpers/__init__.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/contrib/hahelpers/__init__.py	2017-01-31 13:12:03 +0000
@@ -0,0 +1,13 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# Licensed under the Apache License, Version 2.0 (the "License");
++# you may not use this file except in compliance with the License.
++# You may obtain a copy of the License at
++#
++#  http://www.apache.org/licenses/LICENSE-2.0
++#
++# Unless required by applicable law or agreed to in writing, software
++# distributed under the License is distributed on an "AS IS" BASIS,
++# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++# See the License for the specific language governing permissions and
++# limitations under the License.
 === added file 'hooks/charmhelpers/contrib/hahelpers/apache.py'
 --- hooks/charmhelpers/contrib/hahelpers/apache.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/contrib/hahelpers/apache.py	2017-01-31 13:12:03 +0000
@@ -0,0 +1,95 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# Licensed under the Apache License, Version 2.0 (the "License");
++# you may not use this file except in compliance with the License.
++# You may obtain a copy of the License at
++#
++#  http://www.apache.org/licenses/LICENSE-2.0
++#
++# Unless required by applicable law or agreed to in writing, software
++# distributed under the License is distributed on an "AS IS" BASIS,
++# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++# See the License for the specific language governing permissions and
++# limitations under the License.
++
++#
++# Copyright 2012 Canonical Ltd.
++#
++# This file is sourced from lp:openstack-charm-helpers
++#
++# Authors:
++#  James Page <james.page@ubuntu.com>
++#  Adam Gandelman <adamg@ubuntu.com>
++#
++
++import os
++import subprocess
++
++from charmhelpers.core.hookenv import (
++    config as config_get,
++    relation_get,
++    relation_ids,
++    related_units as relation_list,
++    log,
++    INFO,
++)
++
++
++def get_cert(cn=None):
++    # TODO: deal with multiple https endpoints via charm config
++    cert = config_get('ssl_cert')
++    key = config_get('ssl_key')
++    if not (cert and key):
++        log("Inspecting identity-service relations for SSL certificate.",
++            level=INFO)
++        cert = key = None
++        if cn:
++            ssl_cert_attr = 'ssl_cert_{}'.format(cn)
++            ssl_key_attr = 'ssl_key_{}'.format(cn)
++        else:
++            ssl_cert_attr = 'ssl_cert'
++            ssl_key_attr = 'ssl_key'
++        for r_id in relation_ids('identity-service'):
++            for unit in relation_list(r_id):
++                if not cert:
++                    cert = relation_get(ssl_cert_attr,
++                                        rid=r_id, unit=unit)
++                if not key:
++                    key = relation_get(ssl_key_attr,
++                                       rid=r_id, unit=unit)
++    return (cert, key)
++
++
++def get_ca_cert():
++    ca_cert = config_get('ssl_ca')
++    if ca_cert is None:
++        log("Inspecting identity-service relations for CA SSL certificate.",
++            level=INFO)
++        for r_id in relation_ids('identity-service'):
++            for unit in relation_list(r_id):
++                if ca_cert is None:
++                    ca_cert = relation_get('ca_cert',
++                                           rid=r_id, unit=unit)
++    return ca_cert
++
++
++def retrieve_ca_cert(cert_file):
++    cert = None
++    if os.path.isfile(cert_file):
++        with open(cert_file, 'r') as crt:
++            cert = crt.read()
++    return cert
++
++
++def install_ca_cert(ca_cert):
++    if ca_cert:
++        cert_file = ('/usr/local/share/ca-certificates/'
++                     'keystone_juju_ca_cert.crt')
++        old_cert = retrieve_ca_cert(cert_file)
++        if old_cert and old_cert == ca_cert:
++            log("CA cert is the same as installed version", level=INFO)
++        else:
++            log("Installing new CA cert", level=INFO)
++            with open(cert_file, 'w') as crt:
++                crt.write(ca_cert)
++            subprocess.check_call(['update-ca-certificates', '--fresh'])
 === modified file 'hooks/services.py'
 --- hooks/services.py	2016-11-14 20:48:45 +0000
 +++ hooks/services.py	2017-01-31 13:12:03 +0000
@@ -6,6 +6,12 @@
  import yaml
  import actions
++
++from charmhelpers.contrib.hahelpers.apache import (
++    get_ca_cert,
++    install_ca_cert
++)
++
  from charmhelpers.core import hookenv
  from charmhelpers.core import services
  from charmhelpers.core import templating
@@ -43,7 +49,7 @@
      name = 'identity_admin'
      interface = 'keystone-admin'
      required_keys = ['service_hostname', 'service_port', 'service_username',
--            'service_tenant_name', 'service_password']
++            'service_tenant_name', 'service_password', 'service_protocol']
  class RedisRelation(services.RelationContext):
@@ -150,6 +156,9 @@
  class SSLConfig(services.ManagerCallback):
      def __call__(self, manager, service_name, event_name):
++        CAcert = get_ca_cert()
++        if CAcert is not None:
++            install_ca_cert(CAcert)
          if hookenv.is_leader():
              config = hookenv.config()
              cert = config.get('ssl-cert')
 === modified file 'templates/config.global.js.j2'
 --- templates/config.global.js.j2	2016-11-14 20:48:45 +0000
 +++ templates/config.global.js.j2	2017-01-31 13:12:03 +0000
@@ -28,7 +28,7 @@
  config.identityManager = {};
  config.identityManager.ip = '{{ identity_admin[0]['service_hostname'] }}';
  config.identityManager.port = '{{ identity_admin[0]['service_port'] }}';
--config.identityManager.authProtocol = 'http';
++config.identityManager.authProtocol = '{{ identity_admin[0]['service_protocol'] }}';
  config.identityManager.apiVersion = ['v2.0'];
  config.identityManager.strictSSL = false;
  config.identityManager.ca = '';

Juju Charms Collectioncontrail-webui package

Merge lp:~ivoks/charms/trusty/contrail-webui/openstack-ssl into lp:~sdn-charmers/charms/trusty/contrail-webui/trunk

Commit message

Description of the change

Preview Diff

Subscribers

Juju Charms Collection
contrail-webui package