

Viewing changes to hooks/keystone_context.py

  • Committer: Edward Hope-Morley
  • Date: 2015-01-05 17:49:38 UTC
  • Revision ID: edward.hope-morley@canonical.com-20150105174938-zp8ifxfuzwntg8m7
[hopem,r=]

Fixes ssl cert synchronisation across peers

Closes-Bug: 1317782

 
1
import os
 
2
 
1
3
from charmhelpers.core.hookenv import config
2
4
 
3
5
from charmhelpers.core.host import mkdir, write_file
9
11
    determine_api_port
10
12
)
11
13
 
 
14
from charmhelpers.core.hookenv import (
 
15
    log,
 
16
    INFO,
 
17
)
 
18
 
12
19
from charmhelpers.contrib.hahelpers.apache import install_ca_cert
13
20
 
14
 
import os
15
 
 
16
21
CA_CERT_PATH = '/usr/local/share/ca-certificates/keystone_juju_ca_cert.crt'
17
22
 
18
23
 
29
34
        return super(ApacheSSLContext, self).__call__()
30
35
 
31
36
    def configure_cert(self, cn):
32
 
        from keystone_utils import SSH_USER, get_ca
 
37
        from keystone_utils import (
 
38
            SSH_USER,
 
39
            get_ca,
 
40
            is_ssl_cert_master,
 
41
            ensure_permissions,
 
42
        )
 
43
 
33
44
        ssl_dir = os.path.join('/etc/apache2/ssl/', self.service_namespace)
34
 
        mkdir(path=ssl_dir)
 
45
        perms = 0o755
 
46
        mkdir(path=ssl_dir, owner=SSH_USER, group='keystone', perms=perms)
 
47
        # Ensure accessible by keystone ssh user and group (for sync)
 
48
        ensure_permissions(ssl_dir, user=SSH_USER, group='keystone',
 
49
                           perms=perms)
 
50
 
 
51
        if not is_ssl_cert_master():
 
52
            log("Not leader or cert master so skipping apache cert config",
 
53
                level=INFO)
 
54
            return
 
55
 
 
56
        log("Creating apache ssl certs in %s" % (ssl_dir), level=INFO)
 
57
 
35
58
        ca = get_ca(user=SSH_USER)
36
59
        cert, key = ca.get_cert_and_key(common_name=cn)
37
60
        write_file(path=os.path.join(ssl_dir, 'cert_{}'.format(cn)),
38
 
                   content=cert)
 
61
                   content=cert, owner=SSH_USER, group='keystone', perms=0o644)
39
62
        write_file(path=os.path.join(ssl_dir, 'key_{}'.format(cn)),
40
 
                   content=key)
 
63
                   content=key, owner=SSH_USER, group='keystone', perms=0o644)
41
64
 
42
65
    def configure_ca(self):
43
 
        from keystone_utils import SSH_USER, get_ca
 
66
        from keystone_utils import (
 
67
            SSH_USER,
 
68
            get_ca,
 
69
            is_ssl_cert_master,
 
70
            ensure_permissions,
 
71
        )
 
72
 
 
73
        if not is_ssl_cert_master():
 
74
            log("Not leader or cert master so skipping apache ca config",
 
75
                level=INFO)
 
76
            return
 
77
 
44
78
        ca = get_ca(user=SSH_USER)
45
79
        install_ca_cert(ca.get_ca_bundle())
 
80
        # Ensure accessible by keystone ssh user and group (unison)
 
81
        ensure_permissions(CA_CERT_PATH, user=SSH_USER, group='keystone',
 
82
                           perms=0o0644)
46
83
 
47
84
    def canonical_names(self):
48
85
        addresses = self.get_network_addresses()
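Review bot: The private key written by configure_cert at the `write_file(path=os.path.join(ssl_dir, 'key_{}'.format(cn))` call is created with `perms=0o644`, which leaves the TLS private key readable by every local account on the unit; the owner and `keystone` group already cover the sync use case the added comment describes, so `content=key, owner=SSH_USER, group='keystone', perms=0o640)` is the safer mode, and anything else that must read the key should be granted it through group membership rather than the world-readable bit. The directory mode `perms = 0o755` on `ssl_dir` is presumably kept world-traversable for the same reason and warrants the same look. As a minor consistency point, configure_ca spells the same mode as `perms=0o0644` where configure_cert uses `0o644`. canonical_names, which begins on the last lines of the hunk, continues outside it.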