Merge lp:~ivoks/charms/trusty/neutron-contrail/openstack-ssl into lp:~sdn-charmers/charms/trusty/neutron-contrail/trunk

Proposed by Ante Karamatić
Status: Merged
Merged at revision: 65
Proposed branch: lp:~ivoks/charms/trusty/neutron-contrail/openstack-ssl
Merge into: lp:~sdn-charmers/charms/trusty/neutron-contrail/trunk
Diff against target: 256 lines (+152/-1)
8 files modified
charm-helpers-sync.yaml (+1/-0)
config.yaml (+6/-0)
hooks/charmhelpers/contrib/__init__.py (+13/-0)
hooks/charmhelpers/contrib/hahelpers/__init__.py (+13/-0)
hooks/charmhelpers/contrib/hahelpers/apache.py (+95/-0)
hooks/neutron_contrail_hooks.py (+2/-0)
hooks/neutron_contrail_utils.py (+21/-0)
templates/vnc_api_lib.ini (+1/-1)
To merge this branch: bzr merge lp:~ivoks/charms/trusty/neutron-contrail/openstack-ssl
Reviewer Review Type Date Requested Status
Robert Ayres (community) Approve
Review via email: mp+316008@code.launchpad.net

Description of the change

This patch allows neutron's contrail vrouter to connect to OpenStack services over TLS/SSL.

Revision history for this message
Robert Ayres (robert-ayres) wrote :

Apologies for the delay. I am actively reviewing/testing some modifications to this patch.

Revision history for this message
Robert Ayres (robert-ayres) :
review: Approve

Preview Diff

1=== modified file 'charm-helpers-sync.yaml'
2--- charm-helpers-sync.yaml 2016-10-10 20:55:32 +0000
3+++ charm-helpers-sync.yaml 2017-01-31 13:09:17 +0000
4@@ -3,4 +3,5 @@
5 include:
6 - core
7 - fetch
8+ - contrib.hahelpers.apache
9 - osplatform
10
11=== modified file 'config.yaml'
12--- config.yaml 2016-10-06 04:38:30 +0000
13+++ config.yaml 2017-01-31 13:09:17 +0000
14@@ -69,3 +69,9 @@
15 discovery-server-ip:
16 type: string
17 description: Specify discovery server ip manually
18+ ssl_ca:
19+ type: string
20+ default:
21+ description: |
22+ SSL CA used to sign certificates of OpenStack services. It should be
23+ provided in base64 format.
24
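Review bot: The new `ssl_ca` description says the value is "provided in base64 format", but nothing in this proposal decodes it: `get_ca_cert()` in hooks/charmhelpers/contrib/hahelpers/apache.py returns `config_get('ssl_ca')` unchanged and `install_ca_cert()` writes that string verbatim into the `.crt` file passed to `update-ca-certificates`, so a base64 blob would land on disk as-is and the CA would presumably not be trusted. Either decode it in `install_certificates()` in hooks/neutron_contrail_utils.py (`install_ca_cert(b64decode(CAcert))`, with `from base64 import b64decode` added to its imports) or reword the description to say the option takes the PEM certificate itself; the two files must agree on one encoding. The empty `default:` is correct as written, since the helper tests `ca_cert is None`, and I would add a comment noting that the key is spelled `ssl_ca` (unlike the hyphenated keys above it) because the vendored helper reads that exact name.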
25=== added directory 'hooks/charmhelpers/contrib'
26=== added file 'hooks/charmhelpers/contrib/__init__.py'
27--- hooks/charmhelpers/contrib/__init__.py 1970-01-01 00:00:00 +0000
28+++ hooks/charmhelpers/contrib/__init__.py 2017-01-31 13:09:17 +0000
29@@ -0,0 +1,13 @@
30+# Copyright 2014-2015 Canonical Limited.
31+#
32+# Licensed under the Apache License, Version 2.0 (the "License");
33+# you may not use this file except in compliance with the License.
34+# You may obtain a copy of the License at
35+#
36+# http://www.apache.org/licenses/LICENSE-2.0
37+#
38+# Unless required by applicable law or agreed to in writing, software
39+# distributed under the License is distributed on an "AS IS" BASIS,
40+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
41+# See the License for the specific language governing permissions and
42+# limitations under the License.
43
44=== added directory 'hooks/charmhelpers/contrib/hahelpers'
45=== added file 'hooks/charmhelpers/contrib/hahelpers/__init__.py'
46--- hooks/charmhelpers/contrib/hahelpers/__init__.py 1970-01-01 00:00:00 +0000
47+++ hooks/charmhelpers/contrib/hahelpers/__init__.py 2017-01-31 13:09:17 +0000
48@@ -0,0 +1,13 @@
49+# Copyright 2014-2015 Canonical Limited.
50+#
51+# Licensed under the Apache License, Version 2.0 (the "License");
52+# you may not use this file except in compliance with the License.
53+# You may obtain a copy of the License at
54+#
55+# http://www.apache.org/licenses/LICENSE-2.0
56+#
57+# Unless required by applicable law or agreed to in writing, software
58+# distributed under the License is distributed on an "AS IS" BASIS,
59+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
60+# See the License for the specific language governing permissions and
61+# limitations under the License.
62
63=== added file 'hooks/charmhelpers/contrib/hahelpers/apache.py'
64--- hooks/charmhelpers/contrib/hahelpers/apache.py 1970-01-01 00:00:00 +0000
65+++ hooks/charmhelpers/contrib/hahelpers/apache.py 2017-01-31 13:09:17 +0000
66@@ -0,0 +1,95 @@
67+# Copyright 2014-2015 Canonical Limited.
68+#
69+# Licensed under the Apache License, Version 2.0 (the "License");
70+# you may not use this file except in compliance with the License.
71+# You may obtain a copy of the License at
72+#
73+# http://www.apache.org/licenses/LICENSE-2.0
74+#
75+# Unless required by applicable law or agreed to in writing, software
76+# distributed under the License is distributed on an "AS IS" BASIS,
77+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
78+# See the License for the specific language governing permissions and
79+# limitations under the License.
80+
81+#
82+# Copyright 2012 Canonical Ltd.
83+#
84+# This file is sourced from lp:openstack-charm-helpers
85+#
86+# Authors:
87+# James Page <james.page@ubuntu.com>
88+# Adam Gandelman <adamg@ubuntu.com>
89+#
90+
91+import os
92+import subprocess
93+
94+from charmhelpers.core.hookenv import (
95+ config as config_get,
96+ relation_get,
97+ relation_ids,
98+ related_units as relation_list,
99+ log,
100+ INFO,
101+)
102+
103+
104+def get_cert(cn=None):
105+ # TODO: deal with multiple https endpoints via charm config
106+ cert = config_get('ssl_cert')
107+ key = config_get('ssl_key')
108+ if not (cert and key):
109+ log("Inspecting identity-service relations for SSL certificate.",
110+ level=INFO)
111+ cert = key = None
112+ if cn:
113+ ssl_cert_attr = 'ssl_cert_{}'.format(cn)
114+ ssl_key_attr = 'ssl_key_{}'.format(cn)
115+ else:
116+ ssl_cert_attr = 'ssl_cert'
117+ ssl_key_attr = 'ssl_key'
118+ for r_id in relation_ids('identity-service'):
119+ for unit in relation_list(r_id):
120+ if not cert:
121+ cert = relation_get(ssl_cert_attr,
122+ rid=r_id, unit=unit)
123+ if not key:
124+ key = relation_get(ssl_key_attr,
125+ rid=r_id, unit=unit)
126+ return (cert, key)
127+
128+
129+def get_ca_cert():
130+ ca_cert = config_get('ssl_ca')
131+ if ca_cert is None:
132+ log("Inspecting identity-service relations for CA SSL certificate.",
133+ level=INFO)
134+ for r_id in relation_ids('identity-service'):
135+ for unit in relation_list(r_id):
136+ if ca_cert is None:
137+ ca_cert = relation_get('ca_cert',
138+ rid=r_id, unit=unit)
139+ return ca_cert
140+
141+
142+def retrieve_ca_cert(cert_file):
143+ cert = None
144+ if os.path.isfile(cert_file):
145+ with open(cert_file, 'r') as crt:
146+ cert = crt.read()
147+ return cert
148+
149+
150+def install_ca_cert(ca_cert):
151+ if ca_cert:
152+ cert_file = ('/usr/local/share/ca-certificates/'
153+ 'keystone_juju_ca_cert.crt')
154+ old_cert = retrieve_ca_cert(cert_file)
155+ if old_cert and old_cert == ca_cert:
156+ log("CA cert is the same as installed version", level=INFO)
157+ else:
158+ log("Installing new CA cert", level=INFO)
159+ with open(cert_file, 'w') as crt:
160+ crt.write(ca_cert)
161+ subprocess.check_call(['update-ca-certificates', '--fresh'])
162
163=== modified file 'hooks/neutron_contrail_hooks.py'
164--- hooks/neutron_contrail_hooks.py 2017-01-28 04:00:28 +0000
165+++ hooks/neutron_contrail_hooks.py 2017-01-31 13:09:17 +0000
166@@ -36,6 +36,7 @@
167 from neutron_contrail_utils import (
168 CONTRAIL_VERSION,
169 OPENSTACK_VERSION,
170+ configure_kdump,
171 configure_vrouter,
172 disable_vrouter_vgw,
173 dpkg_version,
174@@ -276,6 +277,7 @@
175 apt_install(PACKAGES, fatal=True)
176 utils.CONTRAIL_VERSION = dpkg_version("contrail-vrouter-agent")
177 if version_compare(utils.CONTRAIL_VERSION, "3.2") >= 0:
178+ configure_kdump()
179 apt_install(PACKAGES_VROUTER_3_2, fatal=True)
180 else:
181 apt_install(PACKAGES_VROUTER, fatal=True)
182
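Review bot: The new `configure_kdump()` call has no comment explaining why kdump-tools is preseeded here, and the change description only mentions TLS; a line such as `# preseed kdump-tools/use_kdump=false before PACKAGES_VROUTER_3_2 presumably pulls kdump-tools in` would record the intent and the reason for the ordering. Its return value (the exit status of the `echo` side of the pipeline in hooks/neutron_contrail_utils.py) is discarded, which is acceptable because `check_output` in the helper already raises if `debconf-set-selections` fails, but then the helper's `return` is misleading and could be dropped. The enclosing hook function starts and ends outside this hunk.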
183=== modified file 'hooks/neutron_contrail_utils.py'
184--- hooks/neutron_contrail_utils.py 2016-10-21 00:15:55 +0000
185+++ hooks/neutron_contrail_utils.py 2017-01-31 13:09:17 +0000
186@@ -5,6 +5,8 @@
187 from socket import gethostbyname, gethostname
188 from subprocess import (
189 CalledProcessError,
190+ PIPE,
191+ Popen,
192 check_call,
193 check_output
194 )
195@@ -17,6 +19,11 @@
196 import netaddr
197 import netifaces
198
199+from charmhelpers.contrib.hahelpers.apache import (
200+ get_ca_cert,
201+ install_ca_cert
202+)
203+
204 from charmhelpers.core.hookenv import (
205 config,
206 log,
207@@ -87,6 +94,13 @@
208 raise error
209 return func
210
211+def configure_kdump():
212+ log("Disabling kdump-tools")
213+ _echo = Popen(["echo", "kdump-tools", "kdump-tools/use_kdump", "boolean",
214+ "False"], stdout=PIPE)
215+ debconf = check_output(["debconf-set-selections"], stdin=_echo.stdout)
216+ return _echo.wait()
217+
218 def configure_vrouter():
219 # run external script to configure vrouter
220 args = ["./create-vrouter.sh"]
221@@ -219,6 +233,7 @@
222 def identity_admin_ctx():
223 ctxs = [ { "auth_host": gethostbyname(hostname),
224 "auth_port": relation_get("service_port", unit, rid),
225+ "auth_protocol": relation_get("service_protocol", unit, rid),
226 "admin_user": relation_get("service_username", unit, rid),
227 "admin_password": relation_get("service_password", unit, rid),
228 "admin_tenant_name": relation_get("service_tenant_name", unit, rid),
229@@ -227,8 +242,14 @@
230 for unit, hostname in
231 ((unit, relation_get("service_hostname", unit, rid)) for unit in related_units(rid))
232 if hostname ]
233+ install_certificates()
234 return ctxs[0] if ctxs else {}
235
236+def install_certificates():
237+ CAcert = get_ca_cert()
238+ if CAcert is not None:
239+ install_ca_cert(CAcert)
240+
241 def ifdown(interfaces=None):
242 """ifdown an interface or all interfaces"""
243 log("Taking down {}".format(interfaces if interfaces else "interfaces"))
244
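Review bot: `identity_admin_ctx()` now reads `service_protocol` from the identity-service relation with no fallback, so a keystone unit that does not publish that key yields `"auth_protocol": None` and templates/vnc_api_lib.ini renders `AUTHN_PROTOCOL = None`, where the previous template hard-coded `http`; `"auth_protocol": relation_get("service_protocol", unit, rid) or "http",` keeps the old behaviour for such peers. In `configure_kdump()` the `debconf` variable is never used, so `check_call` is the right call there, and the parent should close `_echo.stdout` after starting the consumer (the usual Popen pipeline idiom) — or avoid the `echo` process entirely with `Popen(["debconf-set-selections"], stdin=PIPE).communicate("kdump-tools kdump-tools/use_kdump boolean false\n")` and check its returncode. `install_certificates()` installs a system-wide CA as a side effect of building a context dictionary, which deserves a comment at the call site, and `CAcert` should be `ca_cert` to match the file's naming. `identity_admin_ctx` starts outside this hunk.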
245=== modified file 'templates/vnc_api_lib.ini'
246--- templates/vnc_api_lib.ini 2014-10-21 12:07:30 +0000
247+++ templates/vnc_api_lib.ini 2017-01-31 13:09:17 +0000
248@@ -9,7 +9,7 @@
249
250 [auth]
251 AUTHN_TYPE = keystone
252-AUTHN_PROTOCOL = http
253+AUTHN_PROTOCOL = {{ auth_protocol }}
254 AUTHN_SERVER = {{ auth_host }}
255 AUTHN_PORT = {{ auth_port }}
256 AUTHN_URL = /v2.0/tokens
