Merge lp:~ivoks/charms/trusty/neutron-contrail/openstack-ssl into lp:~sdn-charmers/charms/trusty/neutron-contrail/trunk

Proposed by Ante Karamatić
Status: Merged
Merged at revision: 65
Proposed branch: lp:~ivoks/charms/trusty/neutron-contrail/openstack-ssl
Merge into: lp:~sdn-charmers/charms/trusty/neutron-contrail/trunk
Diff against target: 256 lines (+152/-1)
8 files modified
charm-helpers-sync.yaml (+1/-0)
config.yaml (+6/-0)
hooks/charmhelpers/contrib/__init__.py (+13/-0)
hooks/charmhelpers/contrib/hahelpers/__init__.py (+13/-0)
hooks/charmhelpers/contrib/hahelpers/apache.py (+95/-0)
hooks/neutron_contrail_hooks.py (+2/-0)
hooks/neutron_contrail_utils.py (+21/-0)
templates/vnc_api_lib.ini (+1/-1)
To merge this branch: bzr merge lp:~ivoks/charms/trusty/neutron-contrail/openstack-ssl
Reviewer Review Type Date Requested Status
Robert Ayres (community) Approve

Description of the change

This patch allows neutron's contrail vrouter to connect to OpenStack services using TLS/SSL protocol.

Robert Ayres (robert-ayres) wrote :

Apologies for the delay. I am actively reviewing/testing some modifications to this patch.

Robert Ayres (robert-ayres) :
review: Approve

Preview Diff

=== modified file 'charm-helpers-sync.yaml'
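--- a/charm-helpers-sync.yaml
+++ b/charm-helpers-sync.yaml
@@ -3,4 +3,5 @@
 include:
  - core
  - fetch
+ - contrib.hahelpers.apache
  - osplatform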
=== modified file 'config.yaml'
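--- a/config.yaml
+++ b/config.yaml
@@ -69,3 +69,9 @@
  discovery-server-ip:
  type: string
  description: Specify discovery server ip manually
+ ssl_ca:
+ type: string
+ default:
+ description: |
+ SSL CA used to sign certificates of OpenStack services. It should be
+ provided in base64 format.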
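Review bot: The `ssl_ca` description asks for the CA "in base64 format", but nothing visible in this merge decodes the value: `install_certificates()` in hooks/neutron_contrail_utils.py passes the result of `get_ca_cert()` straight to `install_ca_cert()`, which writes it verbatim to the `.crt` file. If an operator supplies a base64-encoded PEM as documented, the file written would not be a PEM certificate and `update-ca-certificates` would presumably not add it, so TLS verification against the OpenStack endpoints would keep failing. Either decode before installing, e.g. `install_ca_cert(b64decode(CAcert))`, or reword the description to state exactly what is expected (plain PEM, or PEM that has been base64-encoded once more). The empty `default:` also deserves a comment, because `get_ca_cert()` falls back to relation data only when the option is `None`, not when it is an empty string.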
=== added directory 'hooks/charmhelpers/contrib'
=== added file 'hooks/charmhelpers/contrib/__init__.py'
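--- a/hooks/charmhelpers/contrib/__init__.py
+++ b/hooks/charmhelpers/contrib/__init__.py
@@ -0,0 +1,13 @@
+# Copyright 2014-2015 Canonical Limited.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.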
=== added directory 'hooks/charmhelpers/contrib/hahelpers'
=== added file 'hooks/charmhelpers/contrib/hahelpers/__init__.py'
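--- a/hooks/charmhelpers/contrib/hahelpers/__init__.py
+++ b/hooks/charmhelpers/contrib/hahelpers/__init__.py
@@ -0,0 +1,13 @@
+# Copyright 2014-2015 Canonical Limited.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.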
=== added file 'hooks/charmhelpers/contrib/hahelpers/apache.py'
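--- a/hooks/charmhelpers/contrib/hahelpers/apache.py
+++ b/hooks/charmhelpers/contrib/hahelpers/apache.py
@@ -0,0 +1,95 @@
+# Copyright 2014-2015 Canonical Limited.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#
+# Copyright 2012 Canonical Ltd.
+#
+# This file is sourced from lp:openstack-charm-helpers
+#
+# Authors:
+# James Page <james.page@ubuntu.com>
+# Adam Gandelman <adamg@ubuntu.com>
+#
+
+import os
+import subprocess
+
+from charmhelpers.core.hookenv import (
+ config as config_get,
+ relation_get,
+ relation_ids,
+ related_units as relation_list,
+ log,
+ INFO,
+)
+
+
+def get_cert(cn=None):
+ # TODO: deal with multiple https endpoints via charm config
+ cert = config_get('ssl_cert')
+ key = config_get('ssl_key')
+ if not (cert and key):
+ log("Inspecting identity-service relations for SSL certificate.",
+ level=INFO)
+ cert = key = None
+ if cn:
+ ssl_cert_attr = 'ssl_cert_{}'.format(cn)
+ ssl_key_attr = 'ssl_key_{}'.format(cn)
+ else:
+ ssl_cert_attr = 'ssl_cert'
+ ssl_key_attr = 'ssl_key'
+ for r_id in relation_ids('identity-service'):
+ for unit in relation_list(r_id):
+ if not cert:
+ cert = relation_get(ssl_cert_attr,
+ rid=r_id, unit=unit)
+ if not key:
+ key = relation_get(ssl_key_attr,
+ rid=r_id, unit=unit)
+ return (cert, key)
+
+
+def get_ca_cert():
+ ca_cert = config_get('ssl_ca')
+ if ca_cert is None:
+ log("Inspecting identity-service relations for CA SSL certificate.",
+ level=INFO)
+ for r_id in relation_ids('identity-service'):
+ for unit in relation_list(r_id):
+ if ca_cert is None:
+ ca_cert = relation_get('ca_cert',
+ rid=r_id, unit=unit)
+ return ca_cert
+
+
+def retrieve_ca_cert(cert_file):
+ cert = None
+ if os.path.isfile(cert_file):
+ with open(cert_file, 'r') as crt:
+ cert = crt.read()
+ return cert
+
+
+def install_ca_cert(ca_cert):
+ if ca_cert:
+ cert_file = ('/usr/local/share/ca-certificates/'
+ 'keystone_juju_ca_cert.crt')
+ old_cert = retrieve_ca_cert(cert_file)
+ if old_cert and old_cert == ca_cert:
+ log("CA cert is the same as installed version", level=INFO)
+ else:
+ log("Installing new CA cert", level=INFO)
+ with open(cert_file, 'w') as crt:
+ crt.write(ca_cert)
+ subprocess.check_call(['update-ca-certificates', '--fresh'])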
=== modified file 'hooks/neutron_contrail_hooks.py'
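--- a/hooks/neutron_contrail_hooks.py
+++ b/hooks/neutron_contrail_hooks.py
@@ -36,6 +36,7 @@
 from neutron_contrail_utils import (
  CONTRAIL_VERSION,
  OPENSTACK_VERSION,
+ configure_kdump,
  configure_vrouter,
  disable_vrouter_vgw,
  dpkg_version,
@@ -276,6 +277,7 @@
  apt_install(PACKAGES, fatal=True)
  utils.CONTRAIL_VERSION = dpkg_version("contrail-vrouter-agent")
  if version_compare(utils.CONTRAIL_VERSION, "3.2") >= 0:
+ configure_kdump()
  apt_install(PACKAGES_VROUTER_3_2, fatal=True)
  else:
  apt_install(PACKAGES_VROUTER, fatal=True)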
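Review bot: The new `configure_kdump()` call in the `>= 3.2` branch carries no comment saying why kdump-tools has to be preseeded before `apt_install(PACKAGES_VROUTER_3_2, fatal=True)`, and the merge description (TLS to OpenStack services) does not mention it. Presumably one of the 3.2 packages pulls in kdump-tools; a one-line comment such as `# preseed kdump-tools/use_kdump before the 3.2 packages pull kdump-tools in` would record that. The call also discards the return value of `configure_kdump()`, which in hooks/neutron_contrail_utils.py is the exit status of `echo` and so says nothing about whether the preseed was applied. The enclosing function starts and ends outside the hunk.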
=== modified file 'hooks/neutron_contrail_utils.py'
--- hooks/neutron_contrail_utils.py 2016-10-21 00:15:55 +0000
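--- a/hooks/neutron_contrail_utils.py
+++ b/hooks/neutron_contrail_utils.py
@@ -5,6 +5,8 @@
 from socket import gethostbyname, gethostname
 from subprocess import (
  CalledProcessError,
+ PIPE,
+ Popen,
  check_call,
  check_output
 )
@@ -17,6 +19,11 @@
 import netaddr
 import netifaces
 
+from charmhelpers.contrib.hahelpers.apache import (
+ get_ca_cert,
+ install_ca_cert
+)
+
 from charmhelpers.core.hookenv import (
  config,
  log,
@@ -87,6 +94,13 @@
  raise error
  return func
 
+def configure_kdump():
+ log("Disabling kdump-tools")
+ _echo = Popen(["echo", "kdump-tools", "kdump-tools/use_kdump", "boolean",
+ "False"], stdout=PIPE)
+ debconf = check_output(["debconf-set-selections"], stdin=_echo.stdout)
+ return _echo.wait()
+
 def configure_vrouter():
  # run external script to configure vrouter
  args = ["./create-vrouter.sh"]
@@ -219,6 +233,7 @@
 def identity_admin_ctx():
  ctxs = [ { "auth_host": gethostbyname(hostname),
  "auth_port": relation_get("service_port", unit, rid),
+ "auth_protocol": relation_get("service_protocol", unit, rid),
  "admin_user": relation_get("service_username", unit, rid),
  "admin_password": relation_get("service_password", unit, rid),
  "admin_tenant_name": relation_get("service_tenant_name", unit, rid),
@@ -227,8 +242,14 @@
  for unit, hostname in
  ((unit, relation_get("service_hostname", unit, rid)) for unit in related_units(rid))
  if hostname ]
+ install_certificates()
  return ctxs[0] if ctxs else {}
 
+def install_certificates():
+ CAcert = get_ca_cert()
+ if CAcert is not None:
+ install_ca_cert(CAcert)
+
 def ifdown(interfaces=None):
  """ifdown an interface or all interfaces"""
  log("Taking down {}".format(interfaces if interfaces else "interfaces"))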
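Review bot: `install_certificates()` is called from inside `identity_admin_ctx()`, so every time the template context is built the charm may write to the system trust store and run `update-ca-certificates --fresh` (via `install_ca_cert()` in the synced apache.py). The CA installed is whatever `get_ca_cert()` returns, either the `ssl_ca` option or, failing that, `ca_cert` from an `identity-service` relation. Once installed it is trusted by every TLS client on the host, not only by the vrouter's Keystone connection. I would move the call to the hook that handles the relation or config change and document the scope on the function, e.g. `# Adds the CA to the system-wide trust store; source is charm config or relation data`. Whether this charm actually has a relation named `identity-service` is not visible in the diff, so the fallback path is worth confirming.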
=== modified file 'templates/vnc_api_lib.ini'
--- templates/vnc_api_lib.ini 2014-10-21 12:07:30 +0000
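--- a/templates/vnc_api_lib.ini
+++ b/templates/vnc_api_lib.ini
@@ -9,7 +9,7 @@
 
 [auth]
 AUTHN_TYPE = keystone
-AUTHN_PROTOCOL = http
+AUTHN_PROTOCOL = {{ auth_protocol }}
 AUTHN_SERVER = {{ auth_host }}
 AUTHN_PORT = {{ auth_port }}
 AUTHN_URL = /v2.0/tokens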
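Review bot: `AUTHN_PROTOCOL` is now rendered straight from `auth_protocol`, which `identity_admin_ctx()` fills from the relation's `service_protocol` with no default and no validation. If the remote unit does not publish that key, the line presumably renders as `None` or empty where it used to be the constant `http`. Normalising the value in the context builder, by accepting only `http` or `https` and logging when the key is absent, would keep a malformed relation value out of the rendered file. Any fallback to `http` should be a deliberate, logged choice, since the Keystone credentials would then travel unencrypted.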
