revcache

Merge ~pwlars/revcache/+git/revcache-charm:ssl-support into ~canonical-hw-cert/revcache/+git/revcache-charm:master

Proposed by Paul Larson on 2018-05-22

Status:	Merged
Approved by:	Paul Larson on 2018-05-23
Approved revision:	a5135d1d62e911e0cce42886d87e09c7675cbac3
Merged at revision:	5d56cf80b1624c8027f3b92177160edf69dab9f7
Proposed branch:	~pwlars/revcache/+git/revcache-charm:ssl-support
Merge into:	~canonical-hw-cert/revcache/+git/revcache-charm:master
Diff against target:	111 lines (+73/-1) 3 files modified metadata.yaml (+13/-0) playbooks/revcache.yaml (+46/-1) templates/revcache-vhost-https.conf (+14/-0)
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Paul Larson			Approve on 2018-05-23
Review via email: mp+346656@code.launchpad.net

This proposal supersedes a proposal from 2018-05-17.

Description of the change

Just noticed I had submitted this against the revcache branch rather than the charm branch originally. Here's the right one.

This adds support for https to revcache, and works with or without chain certificates. It will only configure it for https if you have specified all of the necessary certificate/key files. Otherwise it will configure it for http.

I've tested this locally on my machine, and it does seem to work both with and without ssl certs specified.

Revision history for this message

Paul Larson (pwlars) wrote on 2018-05-23:

I'd like to go ahead and land this and try deployment in production. Self-approving since it's not yet a production service, so if necessary, we can continue to fix/modify as needed with no ill effects

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Canonical Hardware Certification

Paul Larson

 diff --git a/metadata.yaml b/metadata.yaml
 index c84b059..5697c5f 100644
 --- a/metadata.yaml
 +++ b/metadata.yaml
@@ -8,3 +8,16 @@ tags:
  requires:
    db:
      interface: redis
++resources:
++  ssl_certificate:
++    type: file
++    filename: revcache.crt
++    description: SSL Certificate File
++  ssl_chain:
++    type: file
++    filename: revcache-chain.crt
++    description: SSL Certificate Chain File
++  ssl_key:
++    type: file
++    filename: revcache.key
++    description: SSL Key File
 diff --git a/playbooks/revcache.yaml b/playbooks/revcache.yaml
 index 74066fe..c540ff3 100644
 --- a/playbooks/revcache.yaml
 +++ b/playbooks/revcache.yaml
@@ -2,6 +2,8 @@
  - hosts: all
    vars:
      - service_dir: "/srv/revcache"
++    - ssl_cert_location: ""
++    - ssl_key_location: ""
    tasks:
      - name: set final status
        shell: status-set active ready
@@ -83,12 +85,55 @@
        tags:
          - install
++    - name: Get SSL Certificate File
++      shell: resource-get ssl_certificate || echo -n ""
++      register: ssl_certificate
++      tags:
++        - config-changed
++
++    - name: Get SSL Certificate Chain File
++      shell: resource-get ssl_chain || echo -n ""
++      register: ssl_chain
++      tags:
++        - config-changed
++
++    - name: Get SSL Certificate File
++      shell: resource-get ssl_key || echo -n ""
++      register: ssl_key
++      tags:
++        - config-changed
++
++    - name: Copy SSL Key
++      when: ssl_key.stdout != ""
++      copy:
++        src={{ ssl_key.stdout }}
++        dest=/etc/ssl/private/revcache.key
++      tags:
++        - config-changed
++
++    - name: Copy SSL certificate
++      when: ssl_certificate.stdout != ""
++      shell: cat {{ ssl_certificate.stdout }} {{ ssl_chain.stdout }} > /etc/ssl/certs/revcache.crt
++      tags:
++        - config-changed
++
      - name: Copy nginx site config file
++      when: ssl_key.stdout == "" and
++            ssl_certificate.stdout == ""
        copy:
          src: "{{ charm_dir }}/templates/revcache-vhost.conf"
          dest: "/etc/nginx/sites-enabled/revcache"
        tags:
--        - install
++        - config-changed
++
++    - name: Copy nginx site config file
++      when: ssl_key.stdout != "" and
++            ssl_certificate.stdout != ""
++      copy:
++        src: "{{ charm_dir }}/templates/revcache-vhost-https.conf"
++        dest: "/etc/nginx/sites-enabled/revcache"
++      tags:
++        - config-changed
      - name: Start revcache
        service:
 diff --git a/templates/revcache-vhost-https.conf b/templates/revcache-vhost-https.conf
 new file mode 100644
 index 0000000..9bb269b
 --- /dev/null
 +++ b/templates/revcache-vhost-https.conf
@@ -0,0 +1,14 @@
++server {
++    listen 443 ssl;
++    server_name localhost;
++    ssl_certificate /etc/ssl/certs/revcache.crt;
++    ssl_certificate_key /etc/ssl/private/revcache.key;
++    location / {
++        include proxy_params;
++        proxy_pass http://localhost:8000;
++    }
++    location /basic_status {
++        stub_status;
++    }
++    error_log /var/log/revcache-nginx-error.log warn;
++}

revcache

Merge ~pwlars/revcache/+git/revcache-charm:ssl-support into ~canonical-hw-cert/revcache/+git/revcache-charm:master

Commit message

Description of the change

Preview Diff

Subscribers