def send_data():
assertDirExists(METAMORPHOSIS_CERT)
# Request a server cert with this information.
tls_client.request_client_cert(
hookenv.service_name(),
crt_path=METAMORPHOSIS_CERT,
key_path=METAMORPHOSIS_KEY)
def send_data():
# Send the data that is required to create a server certificate for
# this server.
config = hookenv.config()
server_crt_path = crtPath('server')
client_crt_path = crtPath('client')
server_key_path = keyPath('server')
client_key_path = keyPath('client')
ca_crt_path = caPath()
# Use the private ip of this unit as the Common Name for the certificate.
if config['ssl_cert']:
for certs_path in ('server_crt_path', 'client_crt_path'):
with open(certs_path, "wb") as fs:
os.chmod(
certs_path,
stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)
fs.write(base64.b64decode(config['ssl_cert']))
if config['ssl_key']:
with open(certs_path, "wb") as fks:
os.chmod(certs_path, stat.S_IWUSR | stat.S_IWUSR)
fks.write(base64.b64decode(config['ssl_key']))
import_srv_crt_to_keystore()
if config['ssl_ca']:
with open(ca_crt_path, "wb") as fca:
os.chmod(
ca_crt_path,
stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)
fca.write(base64.b64decode(config['ssl_ca']))
import_ca_crt_to_keystore()
else:
common_name = hookenv.unit_private_ip()
common_public_name = hookenv.unit_public_ip()
sans = [
common_name,
common_public_name,
hookenv.unit_public_ip(),
socket.gethostname(),
socket.getfqdn(),
]
# maybe they have extra names they want as SANs
extra_sans = hookenv.config('subject_alt_names')
if extra_sans and not extra_sans == "":
sans.extend(extra_sans.split())
# Request a server cert with this information.
tls_client.request_server_cert(common_name,
sans,
crt_path=server_crt_path,
key_path=server_key_path)
# Request a client cert with this information.
tls_client.request_client_cert(common_name,
sans,
crt_path=client_crt_path,
key_path=client_key_path)
def send_data():
# Request a server cert with this information.
tls_client.request_client_cert(
'system:snap-ksql',
crt_path=os.path.join(
KSQL_SNAP_COMMON,
'etc',
'client.crt',
),
key_path=os.path.join(
KSQL_SNAP_COMMON,
'etc',
'client.key'
)
)
def request_client_certs(clients):
try:
for client in clients:
cn = client['common_name']
hookenv.log('requesting client cert for {}'.format(cn))
request_client_cert(cn, client.get('sans', []),
crt_path='/etc/ssl/cert-manager/clients/'
'{}.crt'.format(cn),
key_path='/etc/ssl/cert-manager/clients/'
'private/{}.key'.format(cn))
except Exception as e:
hookenv.log('"clients" config setting is invalid: {}'.format(e))
hookenv.status_set('blocked',
'"clients" config setting is invalid')
return
def config_changed():
if data_changed('cert-manager.clients', hookenv.config().get('clients')):
try:
clients = yaml.load(hookenv.config().get('clients'))
for client in clients:
cn = client['common_name']
hookenv.log('requesting client cert for {}'.format(cn))
request_client_cert(cn,
client.get('sans', []),
crt_path='/etc/ssl/cert-manager/clients/'
'{}.crt'.format(cn),
key_path='/etc/ssl/cert-manager/clients/'
'private/{}.key'.format(cn))
except Exception as e:
hookenv.log('"clients" config setting is invalid: {}'.format(e))
hookenv.status_set('blocked',
'"clients" config setting is invalid')
return
else:
clients = []
if data_changed('cert-manager.servers', hookenv.config().get('servers')):
try:
servers = yaml.load(hookenv.config().get('servers'))
for server in servers:
cn = server['common_name']
hookenv.log('requesting server cert for {}'.format(cn))
request_server_cert(cn,
server.get('sans', []),
crt_path='/etc/ssl/cert-manager/servers/'
'{}.crt'.format(cn),
key_path='/etc/ssl/cert-manager/servers/'
'private/{}.key'.format(cn))
except Exception as e:
hookenv.log('"servers" config setting is invalid: {}'.format(e))
hookenv.status_set('blocked',
'"servers" config setting is invalid')
return
else:
servers = []
hookenv.status_set(
'active', '{} client, '
'{} server certs'.format(len(clients), len(servers)))
def send_data():
# Send the data that is required to create a server certificate for
# this server.
# Use the private ip of this unit as the Common Name for the certificate.
common_name = hookenv.unit_private_ip()
# Create SANs that the tls layer will add to the server cert.
sans = [
common_name,
socket.gethostname(),
]
extra_names = hookenv.config().get('subject_alt_names', '')
sans.extend([n.strip() for n in extra_names.split(',') if n])
# Request a server cert with this information.
tls_client.request_server_cert(common_name,
sans,
crt_path=crtPath('server'),
key_path=keyPath('server'))
tls_client.request_client_cert('system:snap-kafka',
crt_path=crtPath('client'),
key_path=keyPath('client'))
def send_data():
# Request a server cert with this information.
tls_client.request_client_cert(
hookenv.service_name(),
crt_path=SISYPHUS_CERT,
key_path=SISYPHUS_KEY)