def request_server_certificates():
'''Send the data that is required to create a server certificate for
this server.'''
website = endpoint_from_flag('website.available')
# Use the public ip of this unit as the Common Name for the certificate.
common_name = hookenv.unit_public_ip()
# Create SANs that the tls layer will add to the server cert.
sans = [
hookenv.unit_public_ip(),
get_ingress_address(website.endpoint_name),
socket.gethostname(),
]
hacluster = endpoint_from_flag('ha.connected')
if hacluster:
vips = hookenv.config('ha-cluster-vip').split()
dns_record = hookenv.config('ha-cluster-dns')
if vips:
sans.extend(vips)
else:
sans.append(dns_record)
# maybe they have extra names they want as SANs
extra_sans = hookenv.config('extra_sans')
if extra_sans and not extra_sans == "":
sans.extend(extra_sans.split())
# Request a server cert with this information.
tls_client.request_server_cert(common_name,
sans,
crt_path=server_crt_path,
key_path=server_key_path)
def send_data():
# Send the data that is required to create a server certificate for
# this server.
config = hookenv.config()
server_crt_path = crtPath('server')
client_crt_path = crtPath('client')
server_key_path = keyPath('server')
client_key_path = keyPath('client')
ca_crt_path = caPath()
# Use the private ip of this unit as the Common Name for the certificate.
if config['ssl_cert']:
for certs_path in ('server_crt_path', 'client_crt_path'):
with open(certs_path, "wb") as fs:
os.chmod(
certs_path,
stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)
fs.write(base64.b64decode(config['ssl_cert']))
if config['ssl_key']:
with open(certs_path, "wb") as fks:
os.chmod(certs_path, stat.S_IWUSR | stat.S_IWUSR)
fks.write(base64.b64decode(config['ssl_key']))
import_srv_crt_to_keystore()
if config['ssl_ca']:
with open(ca_crt_path, "wb") as fca:
os.chmod(
ca_crt_path,
stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)
fca.write(base64.b64decode(config['ssl_ca']))
import_ca_crt_to_keystore()
else:
common_name = hookenv.unit_private_ip()
common_public_name = hookenv.unit_public_ip()
sans = [
common_name,
common_public_name,
hookenv.unit_public_ip(),
socket.gethostname(),
socket.getfqdn(),
]
# maybe they have extra names they want as SANs
extra_sans = hookenv.config('subject_alt_names')
if extra_sans and not extra_sans == "":
sans.extend(extra_sans.split())
# Request a server cert with this information.
tls_client.request_server_cert(common_name,
sans,
crt_path=server_crt_path,
key_path=server_key_path)
# Request a client cert with this information.
tls_client.request_client_cert(common_name,
sans,
crt_path=client_crt_path,
key_path=client_key_path)
def request_server_certs(servers):
try:
for server in servers:
cn = server['common_name']
hookenv.log('requesting server cert for {}'.format(cn))
request_server_cert(cn, server.get('sans', []),
crt_path='/etc/ssl/cert-manager/servers/'
'{}.crt'.format(cn),
key_path='/etc/ssl/cert-manager/servers/'
'private/{}.key'.format(cn))
except Exception as e:
hookenv.log('"servers" config setting is invalid: {}'.format(e))
hookenv.status_set('blocked',
'"servers" config setting is invalid')
return
def config_changed():
if data_changed('cert-manager.clients', hookenv.config().get('clients')):
try:
clients = yaml.load(hookenv.config().get('clients'))
for client in clients:
cn = client['common_name']
hookenv.log('requesting client cert for {}'.format(cn))
request_client_cert(cn,
client.get('sans', []),
crt_path='/etc/ssl/cert-manager/clients/'
'{}.crt'.format(cn),
key_path='/etc/ssl/cert-manager/clients/'
'private/{}.key'.format(cn))
except Exception as e:
hookenv.log('"clients" config setting is invalid: {}'.format(e))
hookenv.status_set('blocked',
'"clients" config setting is invalid')
return
else:
clients = []
if data_changed('cert-manager.servers', hookenv.config().get('servers')):
try:
servers = yaml.load(hookenv.config().get('servers'))
for server in servers:
cn = server['common_name']
hookenv.log('requesting server cert for {}'.format(cn))
request_server_cert(cn,
server.get('sans', []),
crt_path='/etc/ssl/cert-manager/servers/'
'{}.crt'.format(cn),
key_path='/etc/ssl/cert-manager/servers/'
'private/{}.key'.format(cn))
except Exception as e:
hookenv.log('"servers" config setting is invalid: {}'.format(e))
hookenv.status_set('blocked',
'"servers" config setting is invalid')
return
else:
servers = []
hookenv.status_set(
'active', '{} client, '
'{} server certs'.format(len(clients), len(servers)))
def request_server_certificates():
'''Send the data that is required to create a server certificate for
this server.'''
website = endpoint_from_flag('website.available')
# Use the public ip of this unit as the Common Name for the certificate.
common_name = hookenv.unit_public_ip()
bind_ips = kubernetes_common.get_bind_addrs(ipv4=True, ipv6=True)
# Create SANs that the tls layer will add to the server cert.
sans = [
# The CN field is checked as a hostname, so if it's an IP, it
# won't match unless also included in the SANs as an IP field.
common_name,
kubernetes_common.get_ingress_address(website.endpoint_name),
socket.gethostname(),
socket.getfqdn(),
] + bind_ips
forced_lb_ips = hookenv.config('loadbalancer-ips').split()
if forced_lb_ips:
sans.extend(forced_lb_ips)
else:
hacluster = endpoint_from_flag('ha.connected')
if hacluster:
vips = hookenv.config('ha-cluster-vip').split()
dns_record = hookenv.config('ha-cluster-dns')
if vips:
sans.extend(vips)
elif dns_record:
sans.append(dns_record)
# maybe they have extra names they want as SANs
extra_sans = hookenv.config('extra_sans')
if extra_sans and not extra_sans == "":
sans.extend(extra_sans.split())
# Request a server cert with this information.
tls_client.request_server_cert(common_name,
sorted(set(sans)),
crt_path=server_crt_path,
key_path=server_key_path)
def send_data():
# Send the data that is required to create a server certificate for
# this server.
# Use the private ip of this unit as the Common Name for the certificate.
common_name = hookenv.unit_private_ip()
# Create SANs that the tls layer will add to the server cert.
sans = [
common_name,
socket.gethostname(),
]
extra_names = hookenv.config().get('subject_alt_names', '')
sans.extend([n.strip() for n in extra_names.split(',') if n])
# Request a server cert with this information.
tls_client.request_server_cert(common_name,
sans,
crt_path=crtPath('server'),
key_path=keyPath('server'))
tls_client.request_client_cert('system:snap-kafka',
crt_path=crtPath('client'),
key_path=keyPath('client'))
def request_certificate():
'''Send the data that is required to create a server certificate for
the webhook payload. Note that only the leader requests a certificate.
This is then shared across leadership data with the other units.'''
# this won't work without a service IP, check that first
service_ip = _get_service_ip('aws-iam-authenticator')
if not service_ip:
hookenv.status_set('maintenance', 'Waiting for service')
return
hookenv.status_set('maintenance', 'Requesting certificates')
leader_set({'service_ip': service_ip})
# Use the public ip of this unit as the Common Name for the certificate.
common_name = _get_cert_common_name()
# Create SANs that the tls layer will add to the server cert.
sans = [service_ip, 'aws-iam', 'aws-iam.{}'.format(namespace)]
# Request a server cert with this information.
tls_client.request_server_cert(common_name, sorted(set(sans)))
set_flag('charm.aws-iam.certificate-requested')