

Viewing changes to hooks/keystone_context.py

  • Committer: James Page
  • Date: 2014-03-27 10:54:38 UTC
  • mfrom: (55.1.22 keystone)
  • mto: (52.4.7 keystone)
  • mto: This revision was merged to the branch mainline in revision 60.
  • Revision ID: james.page@canonical.com-20140327105438-oid8czi9ud51iut1
Merge ssl-everywhere branch (may break stuff)

 
1
from charmhelpers.core.hookenv import (
 
2
    config, unit_private_ip)
 
3
 
 
4
from charmhelpers.contrib.openstack import context
 
5
 
 
6
from charmhelpers.contrib.hahelpers.cluster import (
 
7
    determine_apache_port,
 
8
    determine_api_port,
 
9
    is_clustered,
 
10
)
 
11
 
 
12
from subprocess import (
 
13
    check_call
 
14
)
 
15
 
 
16
import os
 
17
 
 
18
CA_CERT_PATH = '/usr/local/share/ca-certificates/keystone_juju_ca_cert.crt'
 
19
 
 
20
 
 
21
class ApacheSSLContext(context.ApacheSSLContext):
 
22
 
 
23
    interfaces = ['https']
 
24
    external_ports = []
 
25
    service_namespace = 'keystone'
 
26
 
 
27
    def __call__(self):
 
28
        # late import to work around circular dependency
 
29
        from keystone_utils import determine_ports
 
30
        self.external_ports = determine_ports()
 
31
        return super(ApacheSSLContext, self).__call__()
 
32
 
 
33
    def configure_cert(self):
 
34
        #import keystone_ssl as ssl
 
35
        from keystone_utils import SSH_USER, get_ca
 
36
        if not os.path.isdir('/etc/apache2/ssl'):
 
37
            os.mkdir('/etc/apache2/ssl')
 
38
        ssl_dir = os.path.join('/etc/apache2/ssl/', self.service_namespace)
 
39
        if not os.path.isdir(ssl_dir):
 
40
            os.mkdir(ssl_dir)
 
41
        if is_clustered():
 
42
            https_cn = config('vip')
 
43
        else:
 
44
            https_cn = unit_private_ip()
 
45
        ca = get_ca(user=SSH_USER)
 
46
        cert, key = ca.get_cert_and_key(common_name=https_cn)
 
47
        with open(os.path.join(ssl_dir, 'cert'), 'w') as cert_out:
 
48
            cert_out.write(cert)
 
49
        with open(os.path.join(ssl_dir, 'key'), 'w') as key_out:
 
50
            key_out.write(key)
 
51
        if ca:
 
52
            with open(CA_CERT_PATH, 'w') as ca_out:
 
53
                ca_out.write(ca.get_ca_bundle())
 
54
            check_call(['update-ca-certificates'])
 
55
 
 
56
 
 
57
class HAProxyContext(context.HAProxyContext):
 
58
    interfaces = []
 
59
 
 
60
    def __call__(self):
 
61
        '''
 
62
        Extends the main charmhelpers HAProxyContext with a port mapping
 
63
        specific to this charm.
 
64
        Also used to extend nova.conf context with correct api_listening_ports
 
65
        '''
 
66
        from keystone_utils import api_port
 
67
        ctxt = super(HAProxyContext, self).__call__()
 
68
 
 
69
        # determine which port api processes should bind to, depending
 
70
        # on existence of haproxy + apache frontends
 
71
        listen_ports = {}
 
72
        listen_ports['admin_port'] = api_port('keystone-admin')
 
73
        listen_ports['public_port'] = api_port('keystone-public')
 
74
 
 
75
        # Apache ports
 
76
        a_admin_port = determine_apache_port(api_port('keystone-admin'))
 
77
        a_public_port = determine_apache_port(api_port('keystone-public'))
 
78
 
 
79
        port_mapping = {
 
80
            'admin-port': [
 
81
                api_port('keystone-admin'), a_admin_port],
 
82
            'public-port': [
 
83
                api_port('keystone-public'), a_public_port],
 
84
        }
 
85
 
 
86
        # for haproxy.conf
 
87
        ctxt['service_ports'] = port_mapping
 
88
        # for keystone.conf
 
89
        ctxt['listen_ports'] = listen_ports
 
90
        return ctxt
 
91
 
 
92
 
 
93
class KeystoneContext(context.OSContextGenerator):
 
94
    interfaces = []
 
95
 
 
96
    def __call__(self):
 
97
        from keystone_utils import api_port, set_admin_token
 
98
        ctxt = {}
 
99
        ctxt['token'] = set_admin_token()
 
100
        ctxt['admin_port'] = determine_api_port(api_port('keystone-admin'))
 
101
        ctxt['public_port'] = determine_api_port(api_port('keystone-public'))
 
102
        ctxt['debug'] = config('debug') in ['yes', 'true', 'True']
 
103
        ctxt['verbose'] = config('verbose') in ['yes', 'true', 'True']
 
104
        if config('enable-pki') not in ['false', 'False', 'no', 'No']:
 
105
            ctxt['signing'] = True
 
106
        return ctxt
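Review bot: In ApacheSSLContext.configure_cert the private key is written with a plain `with open(os.path.join(ssl_dir, 'key'), 'w') as key_out:`, so the file is created under the process umask and is typically world-readable on disk; a private key should be created with owner-only permissions. Replace that line with `key_path = os.path.join(ssl_dir, 'key')` followed by `with os.fdopen(os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), 'w') as key_out:` and keep the `key_out.write(key)` body; since `os.open` does not tighten the mode of a file that already exists from an earlier run, an `os.chmod(key_path, 0o600)` after the write is worth adding as well. Separately, the `if ca:` guard in the same method comes after `ca.get_cert_and_key(common_name=https_cn)` has already dereferenced `ca`, so it cannot protect anything — either move the check before that call or drop it. The dead `#import keystone_ssl as ssl` line above it should also be removed rather than left commented out.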