Merge lp:~ivoks/charms/trusty/neutron-api-contrail/openstack-ssl into lp:~sdn-charmers/charms/trusty/neutron-api-contrail/trunk

Proposed by Ante Karamatić
Status: Merged
Merged at revision: 15
Proposed branch: lp:~ivoks/charms/trusty/neutron-api-contrail/openstack-ssl
Merge into: lp:~sdn-charmers/charms/trusty/neutron-api-contrail/trunk
Diff against target: 287 lines (+170/-4)
9 files modified
charm-helpers-sync.yaml (+1/-0)
config.yaml (+6/-0)
hooks/charmhelpers/contrib/__init__.py (+13/-0)
hooks/charmhelpers/contrib/hahelpers/__init__.py (+13/-0)
hooks/charmhelpers/contrib/hahelpers/apache.py (+95/-0)
hooks/neutron_api_contrail_hooks.py (+6/-2)
hooks/neutron_api_contrail_utils.py (+18/-0)
templates/ContrailPlugin.ini (+2/-2)
templates/vnc_api_lib.ini (+16/-0)
To merge this branch: bzr merge lp:~ivoks/charms/trusty/neutron-api-contrail/openstack-ssl
Reviewer Review Type Date Requested Status
Robert Ayres (community) Approve
Review via email: mp+316006@code.launchpad.net

Description of the change

This patch allows neutron's contrail plugin to connect to OpenStack services using TLS/SSL protocol.

Robert Ayres (robert-ayres) wrote :

Apologies for the delay. I am actively reviewing/testing some modifications to this patch.

Robert Ayres (robert-ayres) :
review: Approve

Preview Diff

=== modified file 'charm-helpers-sync.yaml'
--- charm-helpers-sync.yaml 2016-10-10 21:02:44 +0000
+++ charm-helpers-sync.yaml 2017-01-31 13:15:22 +0000
@@ -3,4 +3,5 @@
3include:3include:
4 - core4 - core
5 - fetch5 - fetch
6 - contrib.hahelpers.apache
6 - osplatform7 - osplatform
78
=== modified file 'config.yaml'
--- config.yaml 2015-10-05 18:23:07 +0000
+++ config.yaml 2017-01-31 13:15:22 +0000
@@ -8,3 +8,9 @@
8 install-keys:8 install-keys:
9 type: string9 type: string
10 description: Apt keys for package install sources10 description: Apt keys for package install sources
11 ssl_ca:
12 type: string
13 default:
14 description: |
15 SSL CA used to sign certificates of OpenStack services. It should be
16 provided in base64 format.
1117
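Review bot: The `ssl_ca` description does not say what is base64-encoded or what happens when the option is left unset. State that the value is the base64 encoding of a PEM CA certificate (if that is the intent) and that an unset value falls back to the `ca_cert` published on the identity-service relation, which is what `get_ca_cert()` in this branch does.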
=== added directory 'hooks/charmhelpers/contrib'
=== added file 'hooks/charmhelpers/contrib/__init__.py'
--- hooks/charmhelpers/contrib/__init__.py 1970-01-01 00:00:00 +0000
+++ hooks/charmhelpers/contrib/__init__.py 2017-01-31 13:15:22 +0000
@@ -0,0 +1,13 @@
1# Copyright 2014-2015 Canonical Limited.
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
014
=== added directory 'hooks/charmhelpers/contrib/hahelpers'
=== added file 'hooks/charmhelpers/contrib/hahelpers/__init__.py'
--- hooks/charmhelpers/contrib/hahelpers/__init__.py 1970-01-01 00:00:00 +0000
+++ hooks/charmhelpers/contrib/hahelpers/__init__.py 2017-01-31 13:15:22 +0000
@@ -0,0 +1,13 @@
1# Copyright 2014-2015 Canonical Limited.
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
014
=== added file 'hooks/charmhelpers/contrib/hahelpers/apache.py'
--- hooks/charmhelpers/contrib/hahelpers/apache.py 1970-01-01 00:00:00 +0000
+++ hooks/charmhelpers/contrib/hahelpers/apache.py 2017-01-31 13:15:22 +0000
@@ -0,0 +1,95 @@
1# Copyright 2014-2015 Canonical Limited.
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
14
15#
16# Copyright 2012 Canonical Ltd.
17#
18# This file is sourced from lp:openstack-charm-helpers
19#
20# Authors:
21# James Page <james.page@ubuntu.com>
22# Adam Gandelman <adamg@ubuntu.com>
23#
24
25import os
26import subprocess
27
28from charmhelpers.core.hookenv import (
29 config as config_get,
30 relation_get,
31 relation_ids,
32 related_units as relation_list,
33 log,
34 INFO,
35)
36
37
38def get_cert(cn=None):
39 # TODO: deal with multiple https endpoints via charm config
40 cert = config_get('ssl_cert')
41 key = config_get('ssl_key')
42 if not (cert and key):
43 log("Inspecting identity-service relations for SSL certificate.",
44 level=INFO)
45 cert = key = None
46 if cn:
47 ssl_cert_attr = 'ssl_cert_{}'.format(cn)
48 ssl_key_attr = 'ssl_key_{}'.format(cn)
49 else:
50 ssl_cert_attr = 'ssl_cert'
51 ssl_key_attr = 'ssl_key'
52 for r_id in relation_ids('identity-service'):
53 for unit in relation_list(r_id):
54 if not cert:
55 cert = relation_get(ssl_cert_attr,
56 rid=r_id, unit=unit)
57 if not key:
58 key = relation_get(ssl_key_attr,
59 rid=r_id, unit=unit)
60 return (cert, key)
61
62
63def get_ca_cert():
64 ca_cert = config_get('ssl_ca')
65 if ca_cert is None:
66 log("Inspecting identity-service relations for CA SSL certificate.",
67 level=INFO)
68 for r_id in relation_ids('identity-service'):
69 for unit in relation_list(r_id):
70 if ca_cert is None:
71 ca_cert = relation_get('ca_cert',
72 rid=r_id, unit=unit)
73 return ca_cert
74
75
76def retrieve_ca_cert(cert_file):
77 cert = None
78 if os.path.isfile(cert_file):
79 with open(cert_file, 'r') as crt:
80 cert = crt.read()
81 return cert
82
83
84def install_ca_cert(ca_cert):
85 if ca_cert:
86 cert_file = ('/usr/local/share/ca-certificates/'
87 'keystone_juju_ca_cert.crt')
88 old_cert = retrieve_ca_cert(cert_file)
89 if old_cert and old_cert == ca_cert:
90 log("CA cert is the same as installed version", level=INFO)
91 else:
92 log("Installing new CA cert", level=INFO)
93 with open(cert_file, 'w') as crt:
94 crt.write(ca_cert)
95 subprocess.check_call(['update-ca-certificates', '--fresh'])
096
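Review bot: In `get_ca_cert()` the fallback test `if ca_cert is None:` treats an empty string as a configured value, so an operator who sets `ssl_ca` to "" gets neither the relation lookup nor an install (`install_ca_cert()` skips on `if ca_cert:`). Using `if not ca_cert:` would make the two checks agree. Since the header says this file is sourced from lp:openstack-charm-helpers, the change belongs upstream rather than in this synced copy.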
=== modified file 'hooks/neutron_api_contrail_hooks.py'
--- hooks/neutron_api_contrail_hooks.py 2016-09-05 15:25:29 +0000
+++ hooks/neutron_api_contrail_hooks.py 2017-01-31 13:15:22 +0000
@@ -28,7 +28,8 @@
28from neutron_api_contrail_utils import (28from neutron_api_contrail_utils import (
29 CONTRAIL_VERSION,29 CONTRAIL_VERSION,
30 OPENSTACK_VERSION,30 OPENSTACK_VERSION,
31 write_plugin_config31 write_plugin_config,
32 write_vnc_api_config
32)33)
3334
34PACKAGES = [ "neutron-plugin-contrail" ]35PACKAGES = [ "neutron-plugin-contrail" ]
@@ -62,9 +63,11 @@
6263
63@hooks.hook("identity-admin-relation-departed")64@hooks.hook("identity-admin-relation-departed")
64@hooks.hook("identity-admin-relation-broken")65@hooks.hook("identity-admin-relation-broken")
65@restart_on_change({"/etc/neutron/plugins/opencontrail/ContrailPlugin.ini": ["neutron-server"]})66@restart_on_change({"/etc/neutron/plugins/opencontrail/ContrailPlugin.ini": ["neutron-server"],
67 "/etc/contrail/vnc_api_lib.ini": ["contrail-topology"]})
66def identity_admin_relation():68def identity_admin_relation():
67 write_plugin_config()69 write_plugin_config()
70 write_vnc_api_config()
6871
69@hooks.hook()72@hooks.hook()
70def install():73def install():
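Review bot: The new `restart_on_change` entry maps `/etc/contrail/vnc_api_lib.ini` to `contrail-topology`, but `PACKAGES` in this file lists only `neutron-plugin-contrail`, and `upgrade_charm()` restarts only `neutron-server` after writing the same file. If the consumer of vnc_api_lib.ini on this unit is neutron-server, the mapping should be `["neutron-server"]`; otherwise please add a comment saying where contrail-topology comes from.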
@@ -114,6 +117,7 @@
114@hooks.hook("upgrade-charm")117@hooks.hook("upgrade-charm")
115def upgrade_charm():118def upgrade_charm():
116 write_plugin_config()119 write_plugin_config()
120 write_vnc_api_config()
117 service_restart("neutron-server")121 service_restart("neutron-server")
118122
119if __name__ == "__main__":123if __name__ == "__main__":
120124
=== modified file 'hooks/neutron_api_contrail_utils.py'
--- hooks/neutron_api_contrail_utils.py 2016-09-05 15:25:29 +0000
+++ hooks/neutron_api_contrail_utils.py 2017-01-31 13:15:22 +0000
@@ -4,6 +4,12 @@
4import apt_pkg4import apt_pkg
5from apt_pkg import version_compare5from apt_pkg import version_compare
66
7from charmhelpers.contrib.hahelpers.apache import (
8 get_ca_cert,
9 install_ca_cert
10)
11
12
7from charmhelpers.core.hookenv import (13from charmhelpers.core.hookenv import (
8 related_units,14 related_units,
9 relation_get,15 relation_get,
@@ -37,6 +43,7 @@
37def identity_admin_ctx():43def identity_admin_ctx():
38 ctxs = [ { "auth_host": gethostbyname(hostname),44 ctxs = [ { "auth_host": gethostbyname(hostname),
39 "auth_port": relation_get("service_port", unit, rid),45 "auth_port": relation_get("service_port", unit, rid),
46 "auth_protocol": relation_get("service_protocol", unit, rid),
40 "admin_user": relation_get("service_username", unit, rid),47 "admin_user": relation_get("service_username", unit, rid),
41 "admin_password": relation_get("service_password", unit, rid),48 "admin_password": relation_get("service_password", unit, rid),
42 "admin_tenant_name": relation_get("service_tenant_name", unit, rid) }49 "admin_tenant_name": relation_get("service_tenant_name", unit, rid) }
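Review bot: `auth_protocol` is taken from `relation_get("service_protocol", unit, rid)` with no fallback, and both templates interpolate it directly (`auth_url = {{ auth_protocol }}://...`). If the related unit does not publish `service_protocol`, the rendered URL gets a scheme of `None`. Default to "http" when the key is absent (the value the templates hard-coded before this change), or skip the unit as is already done for a missing `service_hostname`.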
@@ -44,8 +51,14 @@
44 for unit, hostname in51 for unit, hostname in
45 ((unit, relation_get("service_hostname", unit, rid)) for unit in related_units(rid))52 ((unit, relation_get("service_hostname", unit, rid)) for unit in related_units(rid))
46 if hostname ]53 if hostname ]
54 install_certificates()
47 return ctxs[0] if ctxs else {}55 return ctxs[0] if ctxs else {}
4856
57def install_certificates():
58 CAcert = get_ca_cert()
59 if CAcert is not None:
60 install_ca_cert(CAcert)
61
49def write_plugin_config():62def write_plugin_config():
50 ctx = {}63 ctx = {}
51 ctx.update(contrail_api_ctx())64 ctx.update(contrail_api_ctx())
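Review bot: `install_certificates()` passes the value from `get_ca_cert()` straight to `install_ca_cert()`, which writes it to the .crt file unchanged, while config.yaml asks for `ssl_ca` in base64. Either decode before installing or change the description to ask for PEM, so that what lands in /usr/local/share/ca-certificates is a certificate `update-ca-certificates` can read. Separately, calling it from `identity_admin_ctx()` makes a context getter write to the trust store whenever a config file is rendered; calling it from the hook functions would keep that side effect explicit.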
@@ -57,3 +70,8 @@
57 render("ContrailPlugin.ini",70 render("ContrailPlugin.ini",
58 "/etc/neutron/plugins/opencontrail/ContrailPlugin.ini",71 "/etc/neutron/plugins/opencontrail/ContrailPlugin.ini",
59 ctx, "root", "neutron", 0440)72 ctx, "root", "neutron", 0440)
73
74def write_vnc_api_config():
75 ctx = {}
76 ctx.update(identity_admin_ctx())
77 render("vnc_api_lib.ini", "/etc/contrail/vnc_api_lib.ini", ctx)
6078
=== modified file 'templates/ContrailPlugin.ini'
--- templates/ContrailPlugin.ini 2016-05-07 02:33:48 +0000
+++ templates/ContrailPlugin.ini 2017-01-31 13:15:22 +0000
@@ -12,14 +12,14 @@
12admin_user = {{ admin_user }}12admin_user = {{ admin_user }}
13admin_password = {{ admin_password }}13admin_password = {{ admin_password }}
14admin_tenant_name = {{ admin_tenant_name }}14admin_tenant_name = {{ admin_tenant_name }}
15auth_url = http://{{ auth_host }}:{{ auth_port }}/v2.015auth_url = {{ auth_protocol }}://{{ auth_host }}:{{ auth_port }}/v2.0
1616
17{%- if authtoken %}17{%- if authtoken %}
1818
19[keystone_authtoken]19[keystone_authtoken]
20auth_host = {{ auth_host }}20auth_host = {{ auth_host }}
21auth_port = {{ auth_port }}21auth_port = {{ auth_port }}
22auth_protocol = http22auth_protocol = {{ auth_protocol }}
23{%- if authtoken_creds %}23{%- if authtoken_creds %}
24admin_user = {{ admin_user }}24admin_user = {{ admin_user }}
25admin_password = {{ admin_password }}25admin_password = {{ admin_password }}
2626
=== added file 'templates/vnc_api_lib.ini'
--- templates/vnc_api_lib.ini 1970-01-01 00:00:00 +0000
+++ templates/vnc_api_lib.ini 2017-01-31 13:15:22 +0000
@@ -0,0 +1,16 @@
1###############################################################################
2# [ WARNING ]
3# Configuration file maintained by Juju. Local changes may be overwritten.
4###############################################################################
5
6[global]
7WEB_SERVER = 127.0.0.1
8WEB_PORT = 8082
9BASE_URL = /
10
11[auth]
12AUTHN_TYPE = keystone
13AUTHN_PROTOCOL = {{ auth_protocol }}
14AUTHN_SERVER = {{ auth_host }}
15AUTHN_PORT = {{ auth_port }}
16AUTHN_URL = /v2.0/tokens
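Review bot: `WEB_SERVER = 127.0.0.1` and `WEB_PORT = 8082` are hard-coded in the `[global]` section, and `write_vnc_api_config()` fills the context only from `identity_admin_ctx()`. `write_plugin_config()` already pulls in `contrail_api_ctx()`; if the Contrail API is not local to the neutron-api unit, these two values should come from that context as well.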
