Merge lp:~openstack-charmers/charms/precise/cinder/ssl-everywhere into lp:~openstack-charmers-archive/charms/precise/cinder/trunk

Proposed by Kapil Thangavelu
Status: Merged
Merged at revision: 33
Proposed branch: lp:~openstack-charmers/charms/precise/cinder/ssl-everywhere
Merge into: lp:~openstack-charmers-archive/charms/precise/cinder/trunk
Diff against target: 391 lines (+130/-41)
9 files modified
charm-helpers.yaml (+1/-1)
config.yaml (+5/-0)
hooks/charmhelpers/contrib/hahelpers/apache.py (+9/-8)
hooks/charmhelpers/contrib/openstack/context.py (+88/-23)
hooks/charmhelpers/contrib/openstack/templates/ceph.conf (+3/-0)
hooks/charmhelpers/contrib/storage/linux/ceph.py (+6/-2)
hooks/cinder_utils.py (+5/-4)
templates/cinder.conf (+10/-3)
templates/havana/api-paste.ini (+3/-0)
To merge this branch: bzr merge lp:~openstack-charmers/charms/precise/cinder/ssl-everywhere
Reviewer Review Type Date Requested Status
Marco Ceppi Pending
Edward Hope-Morley Pending
Review via email: mp+209300@code.launchpad.net

Description of the change

SSL client support for mysql and rabbitmq

Sync of charm helpers and config template changes

https://codereview.appspot.com/68100043/


Preview Diff

=== modified file 'charm-helpers.yaml'
--- charm-helpers.yaml 2013-10-17 21:48:08 +0000
+++ charm-helpers.yaml 2014-03-04 16:53:59 +0000
@@ -1,4 +1,4 @@
1branch: lp:charm-helpers1branch: lp:~openstack-charmers/charm-helpers/ssl-everywhere
2destination: hooks/charmhelpers2destination: hooks/charmhelpers
3include:3include:
4 - core4 - core
55
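Review bot: The helper sync source now points at the feature branch `lp:~openstack-charmers/charm-helpers/ssl-everywhere` instead of `lp:charm-helpers`, so every subsequent helper sync (whatever drives it is not visible here) pulls from a non-trunk branch that can diverge from what other charms ship. That is reasonable while the helpers side is still under review, but it needs to be flipped back once it lands; a one-line note next to it, `# temporary: ssl-everywhere helpers pending merge into lp:charm-helpers`, would make the intent and the follow-up obvious.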
=== modified file 'config.yaml'
--- config.yaml 2014-02-03 10:44:24 +0000
+++ config.yaml 2014-03-04 16:53:59 +0000
@@ -121,6 +121,11 @@
121 ssl_key:121 ssl_key:
122 type: string122 type: string
123 description: SSL key to use with certificate specified as ssl_cert.123 description: SSL key to use with certificate specified as ssl_cert.
124 ssl_ca:
125 type: string
126 description: |
127 SSL CA to use with the certificate and key provided - this is only
128 required if you are providing a privately signed ssl_cert and ssl_key.
124 config-flags:129 config-flags:
125 type: string130 type: string
126 description: Comma separated list of key=value config flags to be set in cinder.conf.131 description: Comma separated list of key=value config flags to be set in cinder.conf.
127132
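Review bot: The `ssl_ca` description says when the option is needed but not what format the value takes, and `get_ca_cert()` in the synced apache helper now returns this value in place of the CA published on the identity-service relation whenever it is set. Say both things in the description, e.g. `SSL CA certificate to use with ssl_cert/ssl_key (same encoding as ssl_cert); only needed for a privately signed certificate. When set it takes precedence over any CA published by the identity-service relation.` — substituting the actual encoding expected for ssl_cert, which this hunk does not show.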
=== modified file 'hooks/charmhelpers/contrib/hahelpers/apache.py'
--- hooks/charmhelpers/contrib/hahelpers/apache.py 2013-10-17 21:48:08 +0000
+++ hooks/charmhelpers/contrib/hahelpers/apache.py 2014-03-04 16:53:59 +0000
@@ -39,14 +39,15 @@
3939
4040
41def get_ca_cert():41def get_ca_cert():
42 ca_cert = None42 ca_cert = config_get('ssl_ca')
43 log("Inspecting identity-service relations for CA SSL certificate.",43 if ca_cert is None:
44 level=INFO)44 log("Inspecting identity-service relations for CA SSL certificate.",
45 for r_id in relation_ids('identity-service'):45 level=INFO)
46 for unit in relation_list(r_id):46 for r_id in relation_ids('identity-service'):
47 if not ca_cert:47 for unit in relation_list(r_id):
48 ca_cert = relation_get('ca_cert',48 if ca_cert is None:
49 rid=r_id, unit=unit)49 ca_cert = relation_get('ca_cert',
50 rid=r_id, unit=unit)
50 return ca_cert51 return ca_cert
5152
5253
5354
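Review bot: `if ca_cert is None:` only falls back to the identity-service relation when the option is entirely unset; a charm configured with `ssl_ca` set to an empty string gets `''` back from `config_get`, skips the relation scan, and returns `''` to the caller, whereas the code this replaces tested `if not ca_cert`. Keep the old truthiness test on both the outer guard and the inner `if ca_cert is None` (`if not ca_cert:`), so a blank config value behaves as "not provided" exactly as before. The function also deserves a docstring stating the precedence now introduced: `"""Return the CA cert from the ssl_ca config option, falling back to the first ca_cert found on an identity-service relation."""`.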
=== modified file 'hooks/charmhelpers/contrib/openstack/context.py'
--- hooks/charmhelpers/contrib/openstack/context.py 2014-02-19 10:44:30 +0000
+++ hooks/charmhelpers/contrib/openstack/context.py 2014-03-04 16:53:59 +0000
@@ -1,5 +1,6 @@
1import json1import json
2import os2import os
3import time
34
4from base64 import b64decode5from base64 import b64decode
56
@@ -29,6 +30,7 @@
29 determine_apache_port,30 determine_apache_port,
30 determine_api_port,31 determine_api_port,
31 https,32 https,
33 is_clustered
32)34)
3335
34from charmhelpers.contrib.hahelpers.apache import (36from charmhelpers.contrib.hahelpers.apache import (
@@ -112,7 +114,8 @@
112class SharedDBContext(OSContextGenerator):114class SharedDBContext(OSContextGenerator):
113 interfaces = ['shared-db']115 interfaces = ['shared-db']
114116
115 def __init__(self, database=None, user=None, relation_prefix=None):117 def __init__(self,
118 database=None, user=None, relation_prefix=None, ssl_dir=None):
116 '''119 '''
117 Allows inspecting relation for settings prefixed with relation_prefix.120 Allows inspecting relation for settings prefixed with relation_prefix.
118 This is useful for parsing access for multiple databases returned via121 This is useful for parsing access for multiple databases returned via
@@ -121,6 +124,7 @@
121 self.relation_prefix = relation_prefix124 self.relation_prefix = relation_prefix
122 self.database = database125 self.database = database
123 self.user = user126 self.user = user
127 self.ssl_dir = ssl_dir
124128
125 def __call__(self):129 def __call__(self):
126 self.database = self.database or config('database')130 self.database = self.database or config('database')
@@ -138,19 +142,44 @@
138142
139 for rid in relation_ids('shared-db'):143 for rid in relation_ids('shared-db'):
140 for unit in related_units(rid):144 for unit in related_units(rid):
141 passwd = relation_get(password_setting, rid=rid, unit=unit)145 rdata = relation_get(rid=rid, unit=unit)
142 ctxt = {146 ctxt = {
143 'database_host': relation_get('db_host', rid=rid,147 'database_host': rdata.get('db_host'),
144 unit=unit),
145 'database': self.database,148 'database': self.database,
146 'database_user': self.user,149 'database_user': self.user,
147 'database_password': passwd,150 'database_password': rdata.get(password_setting)
148 }151 }
149 if context_complete(ctxt):152 if context_complete(ctxt):
153 db_ssl(rdata, ctxt, self.ssl_dir)
150 return ctxt154 return ctxt
151 return {}155 return {}
152156
153157
158def db_ssl(rdata, ctxt, ssl_dir):
159 if 'ssl_ca' in rdata and ssl_dir:
160 ca_path = os.path.join(ssl_dir, 'db-client.ca')
161 with open(ca_path, 'w') as fh:
162 fh.write(b64decode(rdata['ssl_ca']))
163 ctxt['database_ssl_ca'] = ca_path
164 elif 'ssl_ca' in rdata:
165 log("Charm not setup for ssl support but ssl ca found")
166 return ctxt
167 if 'ssl_cert' in rdata:
168 cert_path = os.path.join(
169 ssl_dir, 'db-client.cert')
170 if not os.path.exists(cert_path):
171 log("Waiting 1m for ssl client cert validity")
172 time.sleep(60)
173 with open(cert_path, 'w') as fh:
174 fh.write(b64decode(rdata['ssl_cert']))
175 ctxt['database_ssl_cert'] = cert_path
176 key_path = os.path.join(ssl_dir, 'db-client.key')
177 with open(key_path, 'w') as fh:
178 fh.write(b64decode(rdata['ssl_key']))
179 ctxt['database_ssl_key'] = key_path
180 return ctxt
181
182
154class IdentityServiceContext(OSContextGenerator):183class IdentityServiceContext(OSContextGenerator):
155 interfaces = ['identity-service']184 interfaces = ['identity-service']
156185
@@ -160,22 +189,19 @@
160189
161 for rid in relation_ids('identity-service'):190 for rid in relation_ids('identity-service'):
162 for unit in related_units(rid):191 for unit in related_units(rid):
192 rdata = relation_get(rid=rid, unit=unit)
163 ctxt = {193 ctxt = {
164 'service_port': relation_get('service_port', rid=rid,194 'service_port': rdata.get('service_port'),
165 unit=unit),195 'service_host': rdata.get('service_host'),
166 'service_host': relation_get('service_host', rid=rid,196 'auth_host': rdata.get('auth_host'),
167 unit=unit),197 'auth_port': rdata.get('auth_port'),
168 'auth_host': relation_get('auth_host', rid=rid, unit=unit),198 'admin_tenant_name': rdata.get('service_tenant'),
169 'auth_port': relation_get('auth_port', rid=rid, unit=unit),199 'admin_user': rdata.get('service_username'),
170 'admin_tenant_name': relation_get('service_tenant',200 'admin_password': rdata.get('service_password'),
171 rid=rid, unit=unit),201 'service_protocol':
172 'admin_user': relation_get('service_username', rid=rid,202 rdata.get('service_protocol') or 'http',
173 unit=unit),203 'auth_protocol':
174 'admin_password': relation_get('service_password', rid=rid,204 rdata.get('auth_protocol') or 'http',
175 unit=unit),
176 # XXX: Hard-coded http.
177 'service_protocol': 'http',
178 'auth_protocol': 'http',
179 }205 }
180 if context_complete(ctxt):206 if context_complete(ctxt):
181 return ctxt207 return ctxt
@@ -185,6 +211,9 @@
185class AMQPContext(OSContextGenerator):211class AMQPContext(OSContextGenerator):
186 interfaces = ['amqp']212 interfaces = ['amqp']
187213
214 def __init__(self, ssl_dir=None):
215 self.ssl_dir = ssl_dir
216
188 def __call__(self):217 def __call__(self):
189 log('Generating template context for amqp')218 log('Generating template context for amqp')
190 conf = config()219 conf = config()
@@ -195,7 +224,6 @@
195 log('Could not generate shared_db context. '224 log('Could not generate shared_db context. '
196 'Missing required charm config options: %s.' % e)225 'Missing required charm config options: %s.' % e)
197 raise OSContextError226 raise OSContextError
198
199 ctxt = {}227 ctxt = {}
200 for rid in relation_ids('amqp'):228 for rid in relation_ids('amqp'):
201 for unit in related_units(rid):229 for unit in related_units(rid):
@@ -212,7 +240,24 @@
212 unit=unit),240 unit=unit),
213 'rabbitmq_virtual_host': vhost,241 'rabbitmq_virtual_host': vhost,
214 })242 })
243 ssl_port = relation_get('ssl_port', rid=rid, unit=unit)
244 if ssl_port:
245 ctxt['rabbit_ssl_port'] = ssl_port
246 ssl_ca = relation_get('ssl_ca', rid=rid, unit=unit)
247 if ssl_ca:
248 ctxt['rabbit_ssl_ca'] = ssl_ca
249
215 if context_complete(ctxt):250 if context_complete(ctxt):
251 if 'rabbit_ssl_ca' in ctxt:
252 if not self.ssl_dir:
253 log(("Charm not setup for ssl support "
254 "but ssl ca found"))
255 break
256 ca_path = os.path.join(
257 self.ssl_dir, 'rabbit-client-ca.pem')
258 with open(ca_path, 'w') as fh:
259 fh.write(b64decode(ctxt['rabbit_ssl_ca']))
260 ctxt['rabbit_ssl_ca'] = ca_path
216 # Sufficient information found = break out!261 # Sufficient information found = break out!
217 break262 break
218 # Used for active/active rabbitmq >= grizzly263 # Used for active/active rabbitmq >= grizzly
@@ -240,10 +285,13 @@
240 '''This generates context for /etc/ceph/ceph.conf templates'''285 '''This generates context for /etc/ceph/ceph.conf templates'''
241 if not relation_ids('ceph'):286 if not relation_ids('ceph'):
242 return {}287 return {}
288
243 log('Generating template context for ceph')289 log('Generating template context for ceph')
290
244 mon_hosts = []291 mon_hosts = []
245 auth = None292 auth = None
246 key = None293 key = None
294 use_syslog = str(config('use-syslog')).lower()
247 for rid in relation_ids('ceph'):295 for rid in relation_ids('ceph'):
248 for unit in related_units(rid):296 for unit in related_units(rid):
249 mon_hosts.append(relation_get('private-address', rid=rid,297 mon_hosts.append(relation_get('private-address', rid=rid,
@@ -255,6 +303,7 @@
255 'mon_hosts': ' '.join(mon_hosts),303 'mon_hosts': ' '.join(mon_hosts),
256 'auth': auth,304 'auth': auth,
257 'key': key,305 'key': key,
306 'use_syslog': use_syslog
258 }307 }
259308
260 if not os.path.isdir('/etc/ceph'):309 if not os.path.isdir('/etc/ceph'):
@@ -391,7 +440,7 @@
391 return ctxt440 return ctxt
392441
393442
394class NeutronContext(object):443class NeutronContext(OSContextGenerator):
395 interfaces = []444 interfaces = []
396445
397 @property446 @property
@@ -452,6 +501,22 @@
452501
453 return nvp_ctxt502 return nvp_ctxt
454503
504 def neutron_ctxt(self):
505 if https():
506 proto = 'https'
507 else:
508 proto = 'http'
509 if is_clustered():
510 host = config('vip')
511 else:
512 host = unit_get('private-address')
513 url = '%s://%s:%s' % (proto, host, '9292')
514 ctxt = {
515 'network_manager': self.network_manager,
516 'neutron_url': url,
517 }
518 return ctxt
519
455 def __call__(self):520 def __call__(self):
456 self._ensure_packages()521 self._ensure_packages()
457522
@@ -461,7 +526,7 @@
461 if not self.plugin:526 if not self.plugin:
462 return {}527 return {}
463528
464 ctxt = {'network_manager': self.network_manager}529 ctxt = self.neutron_ctxt()
465530
466 if self.plugin == 'ovs':531 if self.plugin == 'ovs':
467 ctxt.update(self.ovs_ctxt())532 ctxt.update(self.ovs_ctxt())
468533
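Review bot: `db_ssl` writes the DB client private key (`db-client.key`) with a plain `open(key_path, 'w')`, so the file takes the hook's default umask and is typically world-readable in the directory the charm passes as `ssl_dir`; create it with a restrictive mode, e.g. `fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` followed by `with os.fdopen(fd, 'w') as fh:`, and chown it to the user the service runs as (ownership handling is not visible in this diff). In the same function the `ssl_cert` branch does not re-check `ssl_dir`, so a relation that publishes `ssl_cert` without `ssl_ca` to a charm that passed no `ssl_dir` reaches `os.path.join(None, ...)` and raises, and `rdata['ssl_key']` is indexed unconditionally and will `KeyError` if only a cert is published. In `AMQPContext`, when `rabbit_ssl_ca` is present but `self.ssl_dir` is unset the code logs and breaks with the raw base64 blob still in `ctxt['rabbit_ssl_ca']` and `rabbit_ssl_port` still set, so the cinder.conf template would render `kombu_ssl_ca_certs=<base64>`; `ctxt.pop('rabbit_ssl_ca')` and `ctxt.pop('rabbit_ssl_port', None)` before the `break`. Separately, `neutron_ctxt` builds `neutron_url` on port `'9292'`, which is the default glance-api port rather than neutron-server's (9696 by default), so this looks copied from the image-service context and is worth confirming. The unexplained `time.sleep(60)` on first cert write also needs a why-comment (presumably a not-before clock-skew workaround).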
=== modified file 'hooks/charmhelpers/contrib/openstack/templates/ceph.conf'
--- hooks/charmhelpers/contrib/openstack/templates/ceph.conf 2013-10-17 21:48:08 +0000
+++ hooks/charmhelpers/contrib/openstack/templates/ceph.conf 2014-03-04 16:53:59 +0000
@@ -9,3 +9,6 @@
9 keyring = /etc/ceph/$cluster.$name.keyring9 keyring = /etc/ceph/$cluster.$name.keyring
10 mon host = {{ mon_hosts }}10 mon host = {{ mon_hosts }}
11{% endif -%}11{% endif -%}
12log to syslog = {{ use_syslog }}
13err to syslog = {{ use_syslog }}
14clog to syslog = {{ use_syslog }}
1215
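Review bot: The three `... to syslog = {{ use_syslog }}` keys are rendered unconditionally, and the helper computes the value as `str(config('use-syslog')).lower()`, so on any charm syncing this template without a `use-syslog` option (cinder likely has one given `SyslogContext` is in its context list, but the helper is shared) the file gets `log to syslog = none`, which is not a ceph boolean. Either default it in the context, `use_syslog = str(config('use-syslog') or False).lower()`, or guard the block with `{% if use_syslog in ('true', 'false') %}` so an unset option renders nothing.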
=== modified file 'hooks/charmhelpers/contrib/storage/linux/ceph.py'
--- hooks/charmhelpers/contrib/storage/linux/ceph.py 2013-11-06 03:53:17 +0000
+++ hooks/charmhelpers/contrib/storage/linux/ceph.py 2014-03-04 16:53:59 +0000
@@ -49,6 +49,9 @@
49 auth supported = {auth}49 auth supported = {auth}
50 keyring = {keyring}50 keyring = {keyring}
51 mon host = {mon_hosts}51 mon host = {mon_hosts}
52 log to syslog = {use_syslog}
53 err to syslog = {use_syslog}
54 clog to syslog = {use_syslog}
52"""55"""
5356
5457
@@ -194,7 +197,7 @@
194 return hosts197 return hosts
195198
196199
197def configure(service, key, auth):200def configure(service, key, auth, use_syslog):
198 ''' Perform basic configuration of Ceph '''201 ''' Perform basic configuration of Ceph '''
199 create_keyring(service, key)202 create_keyring(service, key)
200 create_key_file(service, key)203 create_key_file(service, key)
@@ -202,7 +205,8 @@
202 with open('/etc/ceph/ceph.conf', 'w') as ceph_conf:205 with open('/etc/ceph/ceph.conf', 'w') as ceph_conf:
203 ceph_conf.write(CEPH_CONF.format(auth=auth,206 ceph_conf.write(CEPH_CONF.format(auth=auth,
204 keyring=_keyring_path(service),207 keyring=_keyring_path(service),
205 mon_hosts=",".join(map(str, hosts))))208 mon_hosts=",".join(map(str, hosts)),
209 use_syslog=use_syslog))
206 modprobe('rbd')210 modprobe('rbd')
207211
208212
209213
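Review bot: `configure` gains a fourth required positional parameter, `use_syslog`, so any charm that still calls `configure(service, key, auth)` after syncing this helper fails with `TypeError`; give it a default, `def configure(service, key, auth, use_syslog='false'):`, to keep the sync backward compatible. The docstring should also say that the value is interpolated verbatim into `log to syslog = {use_syslog}` and therefore must already be a string ceph parses as a boolean (the callers in this diff pass `str(...).lower()`), not a Python bool. The middle of `configure` (between `create_key_file` and the `ceph.conf` write) is outside these hunks.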
=== modified file 'hooks/cinder_utils.py'
--- hooks/cinder_utils.py 2014-02-17 07:53:12 +0000
+++ hooks/cinder_utils.py 2014-03-04 16:53:59 +0000
@@ -83,8 +83,9 @@
83class CinderCharmError(Exception):83class CinderCharmError(Exception):
84 pass84 pass
8585
86CINDER_CONF = '/etc/cinder/cinder.conf'86CINDER_CONF_DIR = "/etc/cinder"
87CINDER_API_CONF = '/etc/cinder/api-paste.ini'87CINDER_CONF = '%s/cinder.conf' % CINDER_CONF_DIR
88CINDER_API_CONF = '%s/api-paste.ini' % CINDER_CONF_DIR
88CEPH_CONF = '/etc/ceph/ceph.conf'89CEPH_CONF = '/etc/ceph/ceph.conf'
89HAPROXY_CONF = '/etc/haproxy/haproxy.cfg'90HAPROXY_CONF = '/etc/haproxy/haproxy.cfg'
90APACHE_SITE_CONF = '/etc/apache2/sites-available/openstack_https_frontend'91APACHE_SITE_CONF = '/etc/apache2/sites-available/openstack_https_frontend'
@@ -96,8 +97,8 @@
96# with file in restart_on_changes()'s service map.97# with file in restart_on_changes()'s service map.
97CONFIG_FILES = OrderedDict([98CONFIG_FILES = OrderedDict([
98 (CINDER_CONF, {99 (CINDER_CONF, {
99 'hook_contexts': [context.SharedDBContext(),100 'hook_contexts': [context.SharedDBContext(ssl_dir=CINDER_CONF_DIR),
100 context.AMQPContext(),101 context.AMQPContext(ssl_dir=CINDER_CONF_DIR),
101 context.ImageServiceContext(),102 context.ImageServiceContext(),
102 context.OSConfigFlagContext(),103 context.OSConfigFlagContext(),
103 context.SyslogContext(),104 context.SyslogContext(),
104105
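Review bot: With `ssl_dir=CINDER_CONF_DIR` the DB client CA/cert/key and the rabbit CA are now written into `/etc/cinder` as a side effect of rendering, but only `cinder.conf` is in the `CONFIG_FILES` restart map (per the comment above it) and the template embeds just the paths of those files, so a rotated CA or client certificate changes file contents without changing `cinder.conf` and never triggers a restart. Whether the running service picks the new files up on its next connection depends on the drivers, which this diff does not show; either include the SSL files in the restart decision or add a comment here stating that rotation is expected to take effect lazily.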
=== modified file 'templates/cinder.conf'
--- templates/cinder.conf 2014-02-03 10:44:24 +0000
+++ templates/cinder.conf 2014-03-04 16:53:59 +0000
@@ -16,11 +16,18 @@
16lock_path = /var/lock/cinder16lock_path = /var/lock/cinder
17volumes_dir = /var/lib/cinder/volumes17volumes_dir = /var/lib/cinder/volumes
18{% if database_host -%}18{% if database_host -%}
19sql_connection = mysql://{{ database_user }}:{{ database_password }}@{{ database_host }}/{{ database }}19sql_connection = mysql://{{ database_user }}:{{ database_password }}@{{ database_host }}/{{ database }}{% if database_ssl_ca %}?ssl_ca={{ database_ssl_ca }}{% if database_ssl_cert %}&ssl_cert={{ database_ssl_cert }}&ssl_key={{ database_ssl_key }}{% endif %}{% endif %}
20{% endif -%}20{% endif %}
21{% if rabbitmq_host -%}21{% if rabbitmq_host %}
22notification_driver = cinder.openstack.common.notifier.rabbit_notifier22notification_driver = cinder.openstack.common.notifier.rabbit_notifier
23control_exchange = cinder23control_exchange = cinder
24{% if rabbit_ssl_port %}
25rabbit_use_ssl=True
26rabbit_port={{ rabbit_ssl_port }}
27{% if rabbit_ssl_ca %}
28kombu_ssl_ca_certs={{rabbit_ssl_ca}}
29{% endif %}
30{% endif %}
24rabbit_host = {{ rabbitmq_host }}31rabbit_host = {{ rabbitmq_host }}
25rabbit_userid = {{ rabbitmq_user }}32rabbit_userid = {{ rabbitmq_user }}
26rabbit_password = {{ rabbitmq_password }}33rabbit_password = {{ rabbitmq_password }}
2734
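Review bot: When `rabbit_ssl_port` is published but `rabbit_ssl_ca` is not, the template still emits `rabbit_use_ssl=True` with no `kombu_ssl_ca_certs`; as far as I recall the kombu driver of this era then opens TLS without a CA and does not verify the broker certificate, so that configuration only protects against passive observers. Either require the CA before enabling TLS, `{% if rabbit_ssl_port and rabbit_ssl_ca %}`, or put a comment in the template stating that an unverified TLS connection is accepted deliberately. As a style point, the new lines use `key=value` while the rest of the file uses `key = value`.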
=== modified file 'templates/havana/api-paste.ini'
--- templates/havana/api-paste.ini 2013-10-17 21:48:08 +0000
+++ templates/havana/api-paste.ini 2014-03-04 16:53:59 +0000
@@ -58,6 +58,9 @@
58[filter:authtoken]58[filter:authtoken]
59paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory59paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
60{% if service_host -%}60{% if service_host -%}
61service_protocol = {{ service_protocol }}
62service_host = {{ service_host }}
63service_port = {{ service_port }}
61auth_host = {{ auth_host }}64auth_host = {{ auth_host }}
62auth_port = {{ auth_port }}65auth_port = {{ auth_port }}
63auth_protocol = {{ auth_protocol }}66auth_protocol = {{ auth_protocol }}
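Review bot: `service_protocol` and `auth_protocol` come from `IdentityServiceContext` as `rdata.get(...) or 'http'`, so against a keystone that does not publish them the token-validation hop silently stays plaintext with no log line; a `log(...)` on that fallback in the context would make an "ssl-everywhere" deployment that quietly isn't one visible. In addition, when `auth_protocol` is `https` and keystone's certificate is issued by the private CA that `get_ca_cert()` now collects, the auth_token middleware also needs a `cafile = <path>` entry (or `insecure = True`) that this template does not add — otherwise it verifies against the system trust store and fails. The `[filter:authtoken]` section continues past the end of this hunk.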
