Merge lp:~ivoks/charms/trusty/neutron-api-contrail/openstack-ssl into lp:~sdn-charmers/charms/trusty/neutron-api-contrail/trunk

Proposed by Ante Karamatić
Status: Merged
Merged at revision: 15
Proposed branch: lp:~ivoks/charms/trusty/neutron-api-contrail/openstack-ssl
Merge into: lp:~sdn-charmers/charms/trusty/neutron-api-contrail/trunk
Diff against target: 287 lines (+170/-4)
9 files modified
charm-helpers-sync.yaml (+1/-0)
config.yaml (+6/-0)
hooks/charmhelpers/contrib/__init__.py (+13/-0)
hooks/charmhelpers/contrib/hahelpers/__init__.py (+13/-0)
hooks/charmhelpers/contrib/hahelpers/apache.py (+95/-0)
hooks/neutron_api_contrail_hooks.py (+6/-2)
hooks/neutron_api_contrail_utils.py (+18/-0)
templates/ContrailPlugin.ini (+2/-2)
templates/vnc_api_lib.ini (+16/-0)
To merge this branch: bzr merge lp:~ivoks/charms/trusty/neutron-api-contrail/openstack-ssl
Reviewer Review Type Date Requested Status
Robert Ayres (community) Approve
Review via email: mp+316006@code.launchpad.net

Description of the change

This patch allows neutron's contrail plugin to connect to OpenStack services using TLS/SSL protocol.

Revision history for this message
Robert Ayres (robert-ayres) wrote :

Apologies for the delay. I am actively reviewing/testing some modifications to this patch.

Revision history for this message
Robert Ayres (robert-ayres) :
review: Approve

Preview Diff

1=== modified file 'charm-helpers-sync.yaml'
2--- charm-helpers-sync.yaml 2016-10-10 21:02:44 +0000
3+++ charm-helpers-sync.yaml 2017-01-31 13:15:22 +0000
4@@ -3,4 +3,5 @@
5 include:
6 - core
7 - fetch
8+ - contrib.hahelpers.apache
9 - osplatform
10
11=== modified file 'config.yaml'
12--- config.yaml 2015-10-05 18:23:07 +0000
13+++ config.yaml 2017-01-31 13:15:22 +0000
14@@ -8,3 +8,9 @@
15 install-keys:
16 type: string
17 description: Apt keys for package install sources
18+ ssl_ca:
19+ type: string
20+ default:
21+ description: |
22+ SSL CA used to sign certificates of OpenStack services. It should be
23+ provided in base64 format.
24
25=== added directory 'hooks/charmhelpers/contrib'
26=== added file 'hooks/charmhelpers/contrib/__init__.py'
27--- hooks/charmhelpers/contrib/__init__.py 1970-01-01 00:00:00 +0000
28+++ hooks/charmhelpers/contrib/__init__.py 2017-01-31 13:15:22 +0000
29@@ -0,0 +1,13 @@
30+# Copyright 2014-2015 Canonical Limited.
31+#
32+# Licensed under the Apache License, Version 2.0 (the "License");
33+# you may not use this file except in compliance with the License.
34+# You may obtain a copy of the License at
35+#
36+# http://www.apache.org/licenses/LICENSE-2.0
37+#
38+# Unless required by applicable law or agreed to in writing, software
39+# distributed under the License is distributed on an "AS IS" BASIS,
40+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
41+# See the License for the specific language governing permissions and
42+# limitations under the License.
43
44=== added directory 'hooks/charmhelpers/contrib/hahelpers'
45=== added file 'hooks/charmhelpers/contrib/hahelpers/__init__.py'
46--- hooks/charmhelpers/contrib/hahelpers/__init__.py 1970-01-01 00:00:00 +0000
47+++ hooks/charmhelpers/contrib/hahelpers/__init__.py 2017-01-31 13:15:22 +0000
48@@ -0,0 +1,13 @@
49+# Copyright 2014-2015 Canonical Limited.
50+#
51+# Licensed under the Apache License, Version 2.0 (the "License");
52+# you may not use this file except in compliance with the License.
53+# You may obtain a copy of the License at
54+#
55+# http://www.apache.org/licenses/LICENSE-2.0
56+#
57+# Unless required by applicable law or agreed to in writing, software
58+# distributed under the License is distributed on an "AS IS" BASIS,
59+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
60+# See the License for the specific language governing permissions and
61+# limitations under the License.
62
63=== added file 'hooks/charmhelpers/contrib/hahelpers/apache.py'
64--- hooks/charmhelpers/contrib/hahelpers/apache.py 1970-01-01 00:00:00 +0000
65+++ hooks/charmhelpers/contrib/hahelpers/apache.py 2017-01-31 13:15:22 +0000
66@@ -0,0 +1,95 @@
67+# Copyright 2014-2015 Canonical Limited.
68+#
69+# Licensed under the Apache License, Version 2.0 (the "License");
70+# you may not use this file except in compliance with the License.
71+# You may obtain a copy of the License at
72+#
73+# http://www.apache.org/licenses/LICENSE-2.0
74+#
75+# Unless required by applicable law or agreed to in writing, software
76+# distributed under the License is distributed on an "AS IS" BASIS,
77+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
78+# See the License for the specific language governing permissions and
79+# limitations under the License.
80+
81+#
82+# Copyright 2012 Canonical Ltd.
83+#
84+# This file is sourced from lp:openstack-charm-helpers
85+#
86+# Authors:
87+# James Page <james.page@ubuntu.com>
88+# Adam Gandelman <adamg@ubuntu.com>
89+#
90+
91+import os
92+import subprocess
93+
94+from charmhelpers.core.hookenv import (
95+ config as config_get,
96+ relation_get,
97+ relation_ids,
98+ related_units as relation_list,
99+ log,
100+ INFO,
101+)
102+
103+
104+def get_cert(cn=None):
105+ # TODO: deal with multiple https endpoints via charm config
106+ cert = config_get('ssl_cert')
107+ key = config_get('ssl_key')
108+ if not (cert and key):
109+ log("Inspecting identity-service relations for SSL certificate.",
110+ level=INFO)
111+ cert = key = None
112+ if cn:
113+ ssl_cert_attr = 'ssl_cert_{}'.format(cn)
114+ ssl_key_attr = 'ssl_key_{}'.format(cn)
115+ else:
116+ ssl_cert_attr = 'ssl_cert'
117+ ssl_key_attr = 'ssl_key'
118+ for r_id in relation_ids('identity-service'):
119+ for unit in relation_list(r_id):
120+ if not cert:
121+ cert = relation_get(ssl_cert_attr,
122+ rid=r_id, unit=unit)
123+ if not key:
124+ key = relation_get(ssl_key_attr,
125+ rid=r_id, unit=unit)
126+ return (cert, key)
127+
128+
129+def get_ca_cert():
130+ ca_cert = config_get('ssl_ca')
131+ if ca_cert is None:
132+ log("Inspecting identity-service relations for CA SSL certificate.",
133+ level=INFO)
134+ for r_id in relation_ids('identity-service'):
135+ for unit in relation_list(r_id):
136+ if ca_cert is None:
137+ ca_cert = relation_get('ca_cert',
138+ rid=r_id, unit=unit)
139+ return ca_cert
140+
141+
142+def retrieve_ca_cert(cert_file):
143+ cert = None
144+ if os.path.isfile(cert_file):
145+ with open(cert_file, 'r') as crt:
146+ cert = crt.read()
147+ return cert
148+
149+
150+def install_ca_cert(ca_cert):
151+ if ca_cert:
152+ cert_file = ('/usr/local/share/ca-certificates/'
153+ 'keystone_juju_ca_cert.crt')
154+ old_cert = retrieve_ca_cert(cert_file)
155+ if old_cert and old_cert == ca_cert:
156+ log("CA cert is the same as installed version", level=INFO)
157+ else:
158+ log("Installing new CA cert", level=INFO)
159+ with open(cert_file, 'w') as crt:
160+ crt.write(ca_cert)
161+ subprocess.check_call(['update-ca-certificates', '--fresh'])
162
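Review bot: the relation fallback in get_ca_cert() walks `relation_ids('identity-service')`, but this charm's hooks are for the `identity-admin` relation (see the `@hooks.hook("identity-admin-relation-...")` decorators in neutron_api_contrail_hooks.py below), so on this charm the fallback never finds a `ca_cert` and the CA can only arrive through the `ssl_ca` config option; either state that in the config.yaml description or make the relation name a parameter. Since this module is pulled in through charm-helpers-sync.yaml, any such change belongs upstream rather than in a local edit; get_cert() and retrieve_ca_cert() being unused by this charm is acceptable for a synced module.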
163=== modified file 'hooks/neutron_api_contrail_hooks.py'
164--- hooks/neutron_api_contrail_hooks.py 2016-09-05 15:25:29 +0000
165+++ hooks/neutron_api_contrail_hooks.py 2017-01-31 13:15:22 +0000
166@@ -28,7 +28,8 @@
167 from neutron_api_contrail_utils import (
168 CONTRAIL_VERSION,
169 OPENSTACK_VERSION,
170- write_plugin_config
171+ write_plugin_config,
172+ write_vnc_api_config
173 )
174
175 PACKAGES = [ "neutron-plugin-contrail" ]
176@@ -62,9 +63,11 @@
177
178 @hooks.hook("identity-admin-relation-departed")
179 @hooks.hook("identity-admin-relation-broken")
180-@restart_on_change({"/etc/neutron/plugins/opencontrail/ContrailPlugin.ini": ["neutron-server"]})
181+@restart_on_change({"/etc/neutron/plugins/opencontrail/ContrailPlugin.ini": ["neutron-server"],
182+ "/etc/contrail/vnc_api_lib.ini": ["contrail-topology"]})
183 def identity_admin_relation():
184 write_plugin_config()
185+ write_vnc_api_config()
186
187 @hooks.hook()
188 def install():
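Review bot: the new restart_on_change entry maps `/etc/contrail/vnc_api_lib.ini` to `contrail-topology`, but the only package this charm installs is `neutron-plugin-contrail` (PACKAGES above), so that service is unlikely to exist on this unit, and the consumer of vnc_api_lib.ini here is the vnc_api client library loaded inside neutron-server by the Contrail plugin. Mapping the file to `["neutron-server"]` instead would restart the process that actually re-reads it; as written, a change that touches only vnc_api_lib.ini would not restart neutron-server.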
189@@ -114,6 +117,7 @@
190 @hooks.hook("upgrade-charm")
191 def upgrade_charm():
192 write_plugin_config()
193+ write_vnc_api_config()
194 service_restart("neutron-server")
195
196 if __name__ == "__main__":
197
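Review bot: only the identity-admin hooks and upgrade_charm are taught to call write_vnc_api_config(), and nothing in this diff touches a config-changed hook, so if config-changed does not already call write_plugin_config() (which reaches install_certificates() through identity_admin_ctx()), a later `juju set ... ssl_ca=...` would not install the CA or re-render the templates until the next identity-admin or upgrade-charm hook fires; worth confirming before merge.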
198=== modified file 'hooks/neutron_api_contrail_utils.py'
199--- hooks/neutron_api_contrail_utils.py 2016-09-05 15:25:29 +0000
200+++ hooks/neutron_api_contrail_utils.py 2017-01-31 13:15:22 +0000
201@@ -4,6 +4,12 @@
202 import apt_pkg
203 from apt_pkg import version_compare
204
205+from charmhelpers.contrib.hahelpers.apache import (
206+ get_ca_cert,
207+ install_ca_cert
208+)
209+
210+
211 from charmhelpers.core.hookenv import (
212 related_units,
213 relation_get,
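Review bot: the two `+` blank lines after the new hahelpers import leave a double blank line inside the import block, one more than PEP 8 uses between import groups; a single blank line, or placing this import next to the existing `from charmhelpers.core.hookenv import (` block directly below it, keeps the module's imports consistent.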
214@@ -37,6 +43,7 @@
215 def identity_admin_ctx():
216 ctxs = [ { "auth_host": gethostbyname(hostname),
217 "auth_port": relation_get("service_port", unit, rid),
218+ "auth_protocol": relation_get("service_protocol", unit, rid),
219 "admin_user": relation_get("service_username", unit, rid),
220 "admin_password": relation_get("service_password", unit, rid),
221 "admin_tenant_name": relation_get("service_tenant_name", unit, rid) }
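Review bot: `relation_get("service_protocol", unit, rid)` returns None when the keystone side has not set that key (older keystone charms only publish service_host/service_port), and both templates then render `None://{{ auth_host }}:...` and `auth_protocol = None`, which is worse than the previous hard-coded http. Defaulting the lookup, e.g. `relation_get("service_protocol", unit, rid) or "http"`, preserves the old behaviour for peers that do not advertise a protocol.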
222@@ -44,8 +51,14 @@
223 for unit, hostname in
224 ((unit, relation_get("service_hostname", unit, rid)) for unit in related_units(rid))
225 if hostname ]
226+ install_certificates()
227 return ctxs[0] if ctxs else {}
228
229+def install_certificates():
230+ CAcert = get_ca_cert()
231+ if CAcert is not None:
232+ install_ca_cert(CAcert)
233+
234 def write_plugin_config():
235 ctx = {}
236 ctx.update(contrail_api_ctx())
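Review bot: install_certificates() passes the raw `ssl_ca` config value to install_ca_cert(), which writes it verbatim to `/usr/local/share/ca-certificates/keystone_juju_ca_cert.crt`, yet the config.yaml description in this same branch says the value "should be provided in base64 format"; one of the two must change, and if base64 is kept the value needs `base64.b64decode()` before install_ca_cert(), otherwise update-ca-certificates receives a non-PEM file and the https connection this branch enables will still fail verification. Two smaller points on the same hunk: calling install_certificates() from inside identity_admin_ctx() makes a context builder perform a privileged side effect (writing to the system trust store and running update-ca-certificates) every time the context is computed, so an explicit call from the write_* functions would be clearer; and `CAcert` should be `ca_cert` to match the surrounding naming style.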
237@@ -57,3 +70,8 @@
238 render("ContrailPlugin.ini",
239 "/etc/neutron/plugins/opencontrail/ContrailPlugin.ini",
240 ctx, "root", "neutron", 0440)
241+
242+def write_vnc_api_config():
243+ ctx = {}
244+ ctx.update(identity_admin_ctx())
245+ render("vnc_api_lib.ini", "/etc/contrail/vnc_api_lib.ini", ctx)
246
247=== modified file 'templates/ContrailPlugin.ini'
248--- templates/ContrailPlugin.ini 2016-05-07 02:33:48 +0000
249+++ templates/ContrailPlugin.ini 2017-01-31 13:15:22 +0000
250@@ -12,14 +12,14 @@
251 admin_user = {{ admin_user }}
252 admin_password = {{ admin_password }}
253 admin_tenant_name = {{ admin_tenant_name }}
254-auth_url = http://{{ auth_host }}:{{ auth_port }}/v2.0
255+auth_url = {{ auth_protocol }}://{{ auth_host }}:{{ auth_port }}/v2.0
256
257 {%- if authtoken %}
258
259 [keystone_authtoken]
260 auth_host = {{ auth_host }}
261 auth_port = {{ auth_port }}
262-auth_protocol = http
263+auth_protocol = {{ auth_protocol }}
264 {%- if authtoken_creds %}
265 admin_user = {{ admin_user }}
266 admin_password = {{ admin_password }}
267
268=== added file 'templates/vnc_api_lib.ini'
269--- templates/vnc_api_lib.ini 1970-01-01 00:00:00 +0000
270+++ templates/vnc_api_lib.ini 2017-01-31 13:15:22 +0000
271@@ -0,0 +1,16 @@
272+###############################################################################
273+# [ WARNING ]
274+# Configuration file maintained by Juju. Local changes may be overwritten.
275+###############################################################################
276+
277+[global]
278+WEB_SERVER = 127.0.0.1
279+WEB_PORT = 8082
280+BASE_URL = /
281+
282+[auth]
283+AUTHN_TYPE = keystone
284+AUTHN_PROTOCOL = {{ auth_protocol }}
285+AUTHN_SERVER = {{ auth_host }}
286+AUTHN_PORT = {{ auth_port }}
287+AUTHN_URL = /v2.0/tokens
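Review bot: `WEB_SERVER` and `WEB_PORT` are hard-coded to 127.0.0.1:8082 while ContrailPlugin.ini is rendered from contrail_api_ctx() (see write_plugin_config() above); write_vnc_api_config() only pulls in identity_admin_ctx(), so if the Contrail API server is not co-located with this unit the [global] section will point at the wrong host. Rendering these two keys from the same context used for ContrailPlugin.ini keeps the two files in agreement.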
