Ejemplo n.º 1
1
    def __call__(self):
        if isinstance(self.external_ports, six.string_types):
            self.external_ports = [self.external_ports]

        if not self.external_ports or not https():
            return {}

        self.configure_ca()
        self.enable_modules()

        ctxt = {
            'namespace': self.service_namespace,
            'endpoints': [],
            'ext_ports': []
        }

        for cn in self.canonical_names():
            self.configure_cert(cn)

        addresses = self.get_network_addresses()
        for address, endpoint in sorted(set(addresses)):
            for api_port in self.external_ports:
                ext_port = determine_apache_port(api_port)
                int_port = determine_api_port(api_port)
                portmap = (address, endpoint, int(ext_port), int(int_port))
                ctxt['endpoints'].append(portmap)
                ctxt['ext_ports'].append(int(ext_port))

        ctxt['ext_ports'] = sorted(list(set(ctxt['ext_ports'])))
        return ctxt
Ejemplo n.º 2
0
 def test_https_cert_key_incomplete_identity_relation(self):
     '''It determines https unavailable if cert not in identity-service'''
     self.config_get.return_value = False
     self.relation_ids.return_value = 'identity-service:0'
     self.relation_list.return_value = 'keystone/0'
     self.relation_get.return_value = None
     self.assertFalse(cluster_utils.https())
    def __call__(self):
        ctxt = {}
        servers = []
        try:
            for rid in relation_ids('memcache'):
                for rel in relations_for_id(rid):
                    priv_addr = rel['private-address']
                    # Format it as IPv6 address if needed
                    priv_addr = format_ipv6_addr(priv_addr) or priv_addr
                    servers.append("%s:%s" % (priv_addr, rel['port']))
        except Exception as ex:
            log("Could not get memcache servers: %s" % (ex), level='WARNING')
            servers = []

        ctxt['memcached_servers'] = ','.join(servers)

        # Configure nova-novncproxy https if nova-api is using https.
        if https():
            cn = resolve_address(endpoint_type=INTERNAL)
            if cn:
                cert_filename = 'cert_{}'.format(cn)
                key_filename = 'key_{}'.format(cn)
            else:
                cert_filename = 'cert'
                key_filename = 'key'

            ssl_dir = '/etc/apache2/ssl/nova'
            cert = os.path.join(ssl_dir, cert_filename)
            key = os.path.join(ssl_dir, key_filename)
            if os.path.exists(cert) and os.path.exists(key):
                ctxt['ssl_cert'] = cert
                ctxt['ssl_key'] = key

        return ctxt
Ejemplo n.º 4
0
    def __call__(self):
        ctxt = {}
        servers = []
        try:
            for rid in relation_ids('memcache'):
                for rel in relations_for_id(rid):
                    priv_addr = rel['private-address']
                    # Format it as IPv6 address if needed
                    priv_addr = format_ipv6_addr(priv_addr) or priv_addr
                    servers.append("%s:%s" % (priv_addr, rel['port']))
        except Exception as ex:
            log("Could not get memcache servers: %s" % (ex), level='WARNING')
            servers = []

        ctxt['memcached_servers'] = ','.join(servers)

        # Configure nova-novncproxy https if nova-api is using https.
        if https():
            cn = resolve_address(endpoint_type=INTERNAL)
            if cn:
                cert_filename = 'cert_{}'.format(cn)
                key_filename = 'key_{}'.format(cn)
            else:
                cert_filename = 'cert'
                key_filename = 'key'

            ssl_dir = '/etc/apache2/ssl/nova'
            cert = os.path.join(ssl_dir, cert_filename)
            key = os.path.join(ssl_dir, key_filename)
            if os.path.exists(cert) and os.path.exists(key):
                ctxt['ssl_cert'] = cert
                ctxt['ssl_key'] = key

        return ctxt
Ejemplo n.º 5
0
    def __call__(self):
        if isinstance(self.external_ports, six.string_types):
            self.external_ports = [self.external_ports]

        if not self.external_ports or not https():
            return {}

        self.configure_ca()
        self.enable_modules()

        ctxt = {'namespace': self.service_namespace,
                'endpoints': [],
                'ext_ports': []}

        for cn in self.canonical_names():
            self.configure_cert(cn)

        addresses = self.get_network_addresses()
        for address, endpoint in sorted(set(addresses)):
            for api_port in self.external_ports:
                ext_port = determine_apache_port(api_port,
                                                 singlenode_mode=True)
                int_port = determine_api_port(api_port, singlenode_mode=True)
                portmap = (address, endpoint, int(ext_port), int(int_port))
                ctxt['endpoints'].append(portmap)
                ctxt['ext_ports'].append(int(ext_port))

        ctxt['ext_ports'] = sorted(list(set(ctxt['ext_ports'])))
        return ctxt
Ejemplo n.º 6
0
def services():
    """Returns a list of services associate with this charm."""
    _services = []
    for v in BASE_RESOURCE_MAP.values():
        _services.extend(v.get('services', []))
    _set_services = set(_services)
    if not https():
        _set_services.remove('apache2')
    return list(_set_services)
Ejemplo n.º 7
0
 def test_https_cert_key_in_config(self):
     '''It determines https is available if cert + key in charm config'''
     # config_get('use-https')
     self.config_get.side_effect = [
         'no',  # config_get('use-https')
         'cert',  # config_get('ssl_cert')
         'key',  # config_get('ssl_key')
     ]
     self.assertTrue(cluster_utils.https())
Ejemplo n.º 8
0
    def __call__(self):
        # late import to work around circular dependency
        from keystone_utils import (determine_ports, update_hash_from_path,
                                    APACHE_SSL_DIR)

        ssl_paths = [CA_CERT_PATH, APACHE_SSL_DIR]

        self.external_ports = determine_ports()
        before = hashlib.sha256()
        for path in ssl_paths:
            update_hash_from_path(before, path)

        ret = super(NginxSSLContext, self).__call__()
        if not ret:
            log("SSL not used", level='DEBUG')
            return {}

        after = hashlib.sha256()
        for path in ssl_paths:
            update_hash_from_path(after, path)

        # Ensure that Nginx is restarted if these change
        if before.hexdigest() != after.hexdigest():
            service_restart('snap.keystone.nginx')

        # Transform for use by Nginx
        """
        {'endpoints': [(u'10.5.0.30', u'10.5.0.30', 4990, 4980),
                       (u'10.5.0.30', u'10.5.0.30', 35347, 35337)],
         'ext_ports': [4990, 35347],
         'namespace': 'keystone'}
        """

        nginx_ret = {}
        nginx_ret['ssl'] = https()
        nginx_ret['namespace'] = self.service_namespace
        endpoints = {}
        for ep in ret['endpoints']:
            int_address, address, ext, internal = ep
            if ext <= 5000:
                endpoints['public'] = {
                    'socket': 'public',
                    'address': address,
                    'ext': ext
                }
            elif ext >= 35337:
                endpoints['admin'] = {
                    'socket': 'admin',
                    'address': address,
                    'ext': ext
                }
            else:
                log("Unrecognized internal port", level='ERROR')
        nginx_ret['endpoints'] = endpoints

        return nginx_ret
def canonical_url():
    """Returns the correct HTTP URL to this host given the state of HTTPS
    configuration and hacluster.
    """
    scheme = 'http'
    if https():
        scheme = 'https'

    addr = resolve_address(INTERNAL)
    return '%s://%s' % (scheme, format_ipv6_addr(addr) or addr)
Ejemplo n.º 10
0
def canonical_url():
    """Returns the correct HTTP URL to this host given the state of HTTPS
    configuration and hacluster.
    """
    scheme = 'http'
    if https():
        scheme = 'https'

    addr = resolve_address(INTERNAL)
    return '%s://%s' % (scheme, format_ipv6_addr(addr) or addr)
Ejemplo n.º 11
0
def admin_relation_changed(relation_id=None):
    # TODO: fixup
    relation_data = {
        'service_hostname': resolve_address(ADMIN),
        'service_port': config('service-port'),
        'service_username': config('admin-user'),
        'service_tenant_name': config('admin-role'),
        'service_region': config('region'),
        'service_protocol': 'https' if https() else 'http',
    }
    relation_data['service_password'] = get_admin_passwd()
    relation_set(relation_id=relation_id, **relation_data)
Ejemplo n.º 12
0
 def test_https_cert_key_in_identity_relation(self):
     '''It determines https is available if cert in identity-service'''
     self.config_get.return_value = False
     self.relation_ids.return_value = 'identity-service:0'
     self.relation_list.return_value = 'keystone/0'
     self.relation_get.side_effect = [
         'yes',  # relation_get('https_keystone')
         'cert',  # relation_get('ssl_cert')
         'key',  # relation_get('ssl_key')
         'ca_cert',  # relation_get('ca_cert')
     ]
     self.assertTrue(cluster_utils.https())
Ejemplo n.º 13
0
def admin_relation_changed(relation_id=None):
    # TODO: fixup
    relation_data = {
        "service_hostname": resolve_address(ADMIN),
        "service_port": config("service-port"),
        "service_username": config("admin-user"),
        "service_tenant_name": config("admin-role"),
        "service_region": config("region"),
        "service_protocol": "https" if https() else "http",
    }
    relation_data["service_password"] = get_admin_passwd()
    relation_set(relation_id=relation_id, **relation_data)
Ejemplo n.º 14
0
def admin_relation_changed(relation_id=None):
    # TODO: fixup
    relation_data = {
        'service_hostname': resolve_address(ADMIN),
        'service_port': config('service-port'),
        'service_username': config('admin-user'),
        'service_tenant_name': config('admin-role'),
        'service_region': config('region'),
        'service_protocol': 'https' if https() else 'http',
    }
    relation_data['service_password'] = get_admin_passwd()
    relation_set(relation_id=relation_id, **relation_data)
Ejemplo n.º 15
0
    def neutron_ctxt(self):
        if https():
            proto = 'https'
        else:
            proto = 'http'

        if is_clustered():
            host = config('vip')
        else:
            host = unit_get('private-address')

        ctxt = {'network_manager': self.network_manager,
                'neutron_url': '%s://%s:%s' % (proto, host, '9696')}
        return ctxt
Ejemplo n.º 16
0
def listen_port():
    """Determine port to listen to.

    The value in configuration will be used if specified, otherwise the default
    will be determined based on presence of TLS configuration.

    :returns: Port number
    :rtype: int
    """
    if https():
        default_port = 443
    else:
        default_port = 80
    return config('port') or default_port
Ejemplo n.º 17
0
 def neutron_ctxt(self):
     if https():
         proto = 'https'
     else:
         proto = 'http'
     if is_clustered():
         host = config('vip')
     else:
         host = unit_get('private-address')
     url = '%s://%s:%s' % (proto, host, '9696')
     ctxt = {
         'network_manager': self.network_manager,
         'neutron_url': url,
     }
     return ctxt
Ejemplo n.º 18
0
    def __call__(self):
        if isinstance(self.external_ports, basestring):
            self.external_ports = [self.external_ports]
        if (not self.external_ports or not https()):
            return {}

        self.configure_ca()
        self.enable_modules()

        ctxt = {
            'namespace': self.service_namespace,
            'endpoints': [],
            'ext_ports': []
        }

        for cn in self.canonical_names():
            self.configure_cert(cn)

        addresses = []
        vips = []
        if config('vip'):
            vips = config('vip').split()

        for network_type in ['os-internal-network',
                             'os-admin-network',
                             'os-public-network']:
            address = get_address_in_network(config(network_type),
                                             unit_get('private-address'))
            if len(vips) > 0 and is_clustered():
                for vip in vips:
                    if is_address_in_network(config(network_type),
                                             vip):
                        addresses.append((address, vip))
                        break
            elif is_clustered():
                addresses.append((address, config('vip')))
            else:
                addresses.append((address, address))

        for address, endpoint in set(addresses):
            for api_port in self.external_ports:
                ext_port = determine_apache_port(api_port)
                int_port = determine_api_port(api_port)
                portmap = (address, endpoint, int(ext_port), int(int_port))
                ctxt['endpoints'].append(portmap)
                ctxt['ext_ports'].append(int(ext_port))
        ctxt['ext_ports'] = list(set(ctxt['ext_ports']))
        return ctxt
    def __call__(self):
        ''' Grab cert and key from configuraton for SSL config '''
        ctxt = {
            'http_port': 70,
            'https_port': 433,
            'enforce_ssl': False,
            'hsts_max_age_seconds': config('hsts-max-age-seconds'),
            "custom_theme": config('custom-theme'),
        }

        if config('enforce-ssl') and https():
            ctxt['enforce_ssl'] = True
        else:
            log("Enforce ssl redirect requested but ssl not configured - "
                "skipping redirect", level=WARNING)

        return ctxt
def console_settings():
    rel_settings = {}
    proto = common.console_attributes('protocol')
    if not proto:
        return {}
    rel_settings['console_keymap'] = hookenv.config('console-keymap')
    rel_settings['console_access_protocol'] = proto

    console_ssl = False
    if (hookenv.config('console-ssl-cert') and
            hookenv.config('console-ssl-key')):
        console_ssl = True

    if hookenv.config('console-proxy-ip') == 'local':
        if console_ssl:
            address = ch_ip.resolve_address(endpoint_type=ch_ip.PUBLIC)
            address = ch_network_ip.format_ipv6_addr(address) or address
            proxy_base_addr = 'https://%s' % address
        else:
            # canonical_url will only return 'https:' if API SSL are enabled.
            proxy_base_addr = ch_ip.canonical_url(CONFIGS, ch_ip.PUBLIC)
    else:
        if console_ssl or ch_cluster.https():
            schema = "https"
        else:
            schema = "http"

        proxy_base_addr = ("{}://{}"
                           .format(schema, hookenv.config('console-proxy-ip')))

    if proto == 'vnc':
        protocols = ['novnc', 'xvpvnc']
    else:
        protocols = [proto]
    for _proto in protocols:
        rel_settings['console_proxy_{}_address'.format(_proto)] = \
            "{}:{}{}".format(
                proxy_base_addr,
                common.console_attributes('proxy-port', proto=_proto),
                common.console_attributes('proxy-page', proto=_proto))
        rel_settings['console_proxy_%s_host' % (_proto)] = \
            urlparse(proxy_base_addr).hostname
        rel_settings['console_proxy_%s_port' % (_proto)] = \
            common.console_attributes('proxy-port', proto=_proto)

    return rel_settings
def console_settings():
    rel_settings = {}
    proto = common.console_attributes('protocol')
    if not proto:
        return {}
    rel_settings['console_keymap'] = hookenv.config('console-keymap')
    rel_settings['console_access_protocol'] = proto

    console_ssl = False
    if (hookenv.config('console-ssl-cert') and
            hookenv.config('console-ssl-key')):
        console_ssl = True

    if hookenv.config('console-proxy-ip') == 'local':
        if console_ssl:
            address = ch_ip.resolve_address(endpoint_type=ch_ip.PUBLIC)
            address = ch_network_ip.format_ipv6_addr(address) or address
            proxy_base_addr = 'https://%s' % address
        else:
            # canonical_url will only return 'https:' if API SSL are enabled.
            proxy_base_addr = ch_ip.canonical_url(CONFIGS, ch_ip.PUBLIC)
    else:
        if console_ssl or ch_cluster.https():
            schema = "https"
        else:
            schema = "http"

        proxy_base_addr = ("{}://{}"
                           .format(schema, hookenv.config('console-proxy-ip')))

    if proto == 'vnc':
        protocols = ['novnc', 'xvpvnc']
    else:
        protocols = [proto]
    for _proto in protocols:
        rel_settings['console_proxy_{}_address'.format(_proto)] = \
            "{}:{}{}".format(
                proxy_base_addr,
                common.console_attributes('proxy-port', proto=_proto),
                common.console_attributes('proxy-page', proto=_proto))
        rel_settings['console_proxy_%s_host' % (_proto)] = \
            urlparse(proxy_base_addr).hostname
        rel_settings['console_proxy_%s_port' % (_proto)] = \
            common.console_attributes('proxy-port', proto=_proto)

    return rel_settings
Ejemplo n.º 22
0
def resource_map():
    """Dynamically generate a map of resources.

    These will be managed for a single hook execution.
    """
    resource_map = deepcopy(BASE_RESOURCE_MAP)

    if not https():
        resource_map.pop(APACHE_SITE_CONF)
        resource_map.pop(APACHE_SITE_24_CONF)
    else:
        if os.path.exists('/etc/apache2/conf-available'):
            resource_map.pop(APACHE_SITE_CONF)
        else:
            resource_map.pop(APACHE_SITE_24_CONF)

    resource_map[CEPH_CONF]['services'] = [service_name()]
    return resource_map
    def __call__(self):
        if isinstance(self.external_ports, basestring):
            self.external_ports = [self.external_ports]
        if not self.external_ports or not https():
            return {}

        self.configure_cert()
        self.enable_modules()

        ctxt = {"namespace": self.service_namespace, "private_address": unit_get("private-address"), "endpoints": []}
        for ext_port in self.external_ports:
            if peer_units() or is_clustered():
                int_port = determine_haproxy_port(ext_port)
            else:
                int_port = determine_api_port(ext_port)
            portmap = (int(ext_port), int(int_port))
            ctxt["endpoints"].append(portmap)
        return ctxt
Ejemplo n.º 24
0
def resource_map():
    """Dynamically generate a map of resources.

    These will be managed for a single hook execution.
    """
    resource_map = deepcopy(BASE_RESOURCE_MAP)

    if not https():
        resource_map.pop(APACHE_SITE_CONF)
        resource_map.pop(APACHE_SITE_24_CONF)
    else:
        if os.path.exists('/etc/apache2/conf-available'):
            resource_map.pop(APACHE_SITE_CONF)
        else:
            resource_map.pop(APACHE_SITE_24_CONF)

    resource_map[CEPH_CONF]['services'] = [service_name()]
    return resource_map
def console_settings():
    rel_settings = {}
    proto = console_attributes('protocol')
    if not proto:
        return {}
    rel_settings['console_keymap'] = config('console-keymap')
    rel_settings['console_access_protocol'] = proto

    console_ssl = False
    if config('console-ssl-cert') and config('console-ssl-key'):
        console_ssl = True

    if config('console-proxy-ip') == 'local':
        if console_ssl:
            address = resolve_address(endpoint_type=PUBLIC)
            address = format_ipv6_addr(address) or address
            proxy_base_addr = 'https://%s' % address
        else:
            # canonical_url will only return 'https:' if API SSL are enabled.
            proxy_base_addr = canonical_url(CONFIGS, PUBLIC)
    else:
        if console_ssl or https():
            schema = "https"
        else:
            schema = "http"

        proxy_base_addr = "%s://%s" % (schema, config('console-proxy-ip'))

    if proto == 'vnc':
        protocols = ['novnc', 'xvpvnc']
    else:
        protocols = [proto]
    for _proto in protocols:
        rel_settings['console_proxy_%s_address' % (_proto)] = \
            "%s:%s%s" % (proxy_base_addr,
                         console_attributes('proxy-port', proto=_proto),
                         console_attributes('proxy-page', proto=_proto))
        rel_settings['console_proxy_%s_host' % (_proto)] = \
            urlparse(proxy_base_addr).hostname
        rel_settings['console_proxy_%s_port' % (_proto)] = \
            console_attributes('proxy-port', proto=_proto)

    return rel_settings
Ejemplo n.º 26
0
def console_settings():
    rel_settings = {}
    proto = console_attributes('protocol')
    if not proto:
        return {}
    rel_settings['console_keymap'] = config('console-keymap')
    rel_settings['console_access_protocol'] = proto

    console_ssl = False
    if config('console-ssl-cert') and config('console-ssl-key'):
        console_ssl = True

    if config('console-proxy-ip') == 'local':
        if console_ssl:
            address = resolve_address(endpoint_type=PUBLIC)
            address = format_ipv6_addr(address) or address
            proxy_base_addr = 'https://%s' % address
        else:
            # canonical_url will only return 'https:' if API SSL are enabled.
            proxy_base_addr = canonical_url(CONFIGS, PUBLIC)
    else:
        if console_ssl or https():
            schema = "https"
        else:
            schema = "http"

        proxy_base_addr = "%s://%s" % (schema, config('console-proxy-ip'))

    if proto == 'vnc':
        protocols = ['novnc', 'xvpvnc']
    else:
        protocols = [proto]
    for _proto in protocols:
        rel_settings['console_proxy_%s_address' % (_proto)] = \
            "%s:%s%s" % (proxy_base_addr,
                         console_attributes('proxy-port', proto=_proto),
                         console_attributes('proxy-page', proto=_proto))
        rel_settings['console_proxy_%s_host' % (_proto)] = \
            urlparse(proxy_base_addr).hostname
        rel_settings['console_proxy_%s_port' % (_proto)] = \
            console_attributes('proxy-port', proto=_proto)

    return rel_settings
Ejemplo n.º 27
0
    def __call__(self):
        # late import to work around circular dependency
        from keystone_utils import (
            determine_ports, )

        self.external_ports = determine_ports()
        ret = super(NginxSSLContext, self).__call__()
        if not ret:
            log("SSL not used", level='DEBUG')
            return {}

        # Transform for use by Nginx
        """
        {'endpoints': [(u'10.5.0.30', u'10.5.0.30', 4990, 4980),
                       (u'10.5.0.30', u'10.5.0.30', 35347, 35337)],
         'ext_ports': [4990, 35347],
         'namespace': 'keystone'}
        """

        nginx_ret = {}
        nginx_ret['ssl'] = https()
        nginx_ret['namespace'] = self.service_namespace
        endpoints = {}
        for ep in ret['endpoints']:
            int_address, address, ext, internal = ep
            if ext <= 5000:
                endpoints['public'] = {
                    'socket': 'public',
                    'address': address,
                    'ext': ext
                }
            elif ext >= 35337:
                endpoints['admin'] = {
                    'socket': 'admin',
                    'address': address,
                    'ext': ext
                }
            else:
                log("Unrecognized internal port", level='ERROR')
        nginx_ret['endpoints'] = endpoints

        return nginx_ret
Ejemplo n.º 28
0
def admin_relation_changed(relation_id=None):
    # TODO: fixup
    if expect_ha() and not is_clustered():
        log("Expected to be HA but no hacluster relation yet", level=INFO)
        return
    relation_data = {
        'service_hostname': resolve_address(ADMIN),
        'service_port': config('service-port'),
        'service_username': config('admin-user'),
        'service_tenant_name': config('admin-role'),
        'service_region': config('region'),
        'service_protocol': 'https' if https() else 'http',
        'api_version': get_api_version(),
    }
    if relation_data['api_version'] > 2:
        relation_data['service_user_domain_name'] = ADMIN_DOMAIN
        relation_data['service_project_domain_name'] = ADMIN_DOMAIN
        relation_data['service_project_name'] = ADMIN_PROJECT
    relation_data['service_password'] = get_admin_passwd()
    relation_set(relation_id=relation_id, **relation_data)
    def __call__(self):
        ctxt = {}
        # Configure nova-novncproxy https if nova-api is using https.
        if ch_cluster.https():
            cn = ch_ip.resolve_address(endpoint_type=ch_ip.INTERNAL)
            if cn:
                cert_filename = 'cert_{}'.format(cn)
                key_filename = 'key_{}'.format(cn)
            else:
                cert_filename = 'cert'
                key_filename = 'key'

            ssl_dir = '/etc/apache2/ssl/nova'
            cert = os.path.join(ssl_dir, cert_filename)
            key = os.path.join(ssl_dir, key_filename)
            if os.path.exists(cert) and os.path.exists(key):
                ctxt['ssl_cert'] = cert
                ctxt['ssl_key'] = key

        return ctxt
Ejemplo n.º 30
0
def admin_relation_changed(relation_id=None):
    # TODO: fixup
    if expect_ha() and not is_clustered():
        log("Expected to be HA but no hacluster relation yet", level=INFO)
        return
    relation_data = {
        'service_hostname': resolve_address(ADMIN),
        'service_port': config('service-port'),
        'service_username': config('admin-user'),
        'service_tenant_name': config('admin-role'),
        'service_region': config('region'),
        'service_protocol': 'https' if https() else 'http',
        'api_version': get_api_version(),
    }
    if relation_data['api_version'] > 2:
        relation_data['service_user_domain_name'] = ADMIN_DOMAIN
        relation_data['service_project_domain_name'] = ADMIN_DOMAIN
        relation_data['service_project_name'] = ADMIN_PROJECT
    relation_data['service_password'] = get_admin_passwd()
    relation_set(relation_id=relation_id, **relation_data)
    def __call__(self):
        ctxt = {}
        # Configure nova-novncproxy https if nova-api is using https.
        if ch_cluster.https():
            cn = ch_ip.resolve_address(endpoint_type=ch_ip.INTERNAL)
            if cn:
                cert_filename = 'cert_{}'.format(cn)
                key_filename = 'key_{}'.format(cn)
            else:
                cert_filename = 'cert'
                key_filename = 'key'

            ssl_dir = '/etc/apache2/ssl/nova'
            cert = os.path.join(ssl_dir, cert_filename)
            key = os.path.join(ssl_dir, key_filename)
            if os.path.exists(cert) and os.path.exists(key):
                ctxt['ssl_cert'] = cert
                ctxt['ssl_key'] = key

        return ctxt
Ejemplo n.º 32
0
    def __call__(self):
        if isinstance(self.external_ports, basestring):
            self.external_ports = [self.external_ports]
        if (not self.external_ports or not https()):
            return {}

        self.configure_cert()
        self.enable_modules()

        ctxt = {
            'namespace': self.service_namespace,
            'private_address': unit_get('private-address'),
            'endpoints': []
        }
        for api_port in self.external_ports:
            ext_port = determine_apache_port(api_port)
            int_port = determine_api_port(api_port)
            portmap = (int(ext_port), int(int_port))
            ctxt['endpoints'].append(portmap)
        return ctxt
Ejemplo n.º 33
0
def keystone_joined(relid=None):
    if not cluster.eligible_leader(SWIFT_HA_RES):
        return
    if cluster.is_clustered():
        hostname = config('vip')
    else:
        hostname = unit_get('private-address')
    port = config('bind-port')
    if cluster.https():
        proto = 'https'
    else:
        proto = 'http'
    admin_url = '%s://%s:%s' % (proto, hostname, port)
    internal_url = public_url = '%s/v1/AUTH_$(tenant_id)s' % admin_url
    relation_set(service='swift',
                 region=config('region'),
                 public_url=public_url, internal_url=internal_url,
                 admin_url=admin_url,
                 requested_roles=config('operator-roles'),
                 relation_id=relid)
Ejemplo n.º 34
0
    def __call__(self):
        # late import to work around circular dependency
        from keystone_utils import (
            determine_ports,
        )

        self.external_ports = determine_ports()
        ret = super(NginxSSLContext, self).__call__()
        if not ret:
            log("SSL not used", level='DEBUG')
            return {}

        # Transform for use by Nginx
        """
        {'endpoints': [(u'10.5.0.30', u'10.5.0.30', 4990, 4980),
                       (u'10.5.0.30', u'10.5.0.30', 35347, 35337)],
         'ext_ports': [4990, 35347],
         'namespace': 'keystone'}
        """

        nginx_ret = {}
        nginx_ret['ssl'] = https()
        nginx_ret['namespace'] = self.service_namespace
        endpoints = {}
        for ep in ret['endpoints']:
            int_address, address, ext, internal = ep
            if ext <= 5000:
                endpoints['public'] = {
                    'socket': 'public',
                    'address': address,
                    'ext': ext}
            elif ext >= 35337:
                endpoints['admin'] = {
                    'socket': 'admin',
                    'address': address,
                    'ext': ext}
            else:
                log("Unrecognized internal port", level='ERROR')
        nginx_ret['endpoints'] = endpoints

        return nginx_ret
Ejemplo n.º 35
0
    def __call__(self):
        if isinstance(self.external_ports, basestring):
            self.external_ports = [self.external_ports]
        if (not self.external_ports or not https()):
            return {}

        self.configure_cert()
        self.enable_modules()

        ctxt = {
            'namespace': self.service_namespace,
            'private_address': unit_get('private-address'),
            'endpoints': []
        }
        for ext_port in self.external_ports:
            if peer_units() or is_clustered():
                int_port = determine_haproxy_port(ext_port)
            else:
                int_port = determine_api_port(ext_port)
            portmap = (int(ext_port), int(int_port))
            ctxt['endpoints'].append(portmap)
        return ctxt
Ejemplo n.º 36
0
    def __call__(self):
        if isinstance(self.external_ports, six.string_types):
            self.external_ports = [self.external_ports]

        if not self.external_ports or not https():
            return {}

        self.configure_ca()
        self.enable_modules()

        ctxt = {
            'namespace': self.service_namespace,
            'endpoints': [],
            'ext_ports': []
        }

        cns = self.canonical_names()
        if cns:
            for cn in cns:
                self.configure_cert(cn)
        else:
            # Expect cert/key provided in config (currently assumed that ca
            # uses ip for cn)
            cn = resolve_address(endpoint_type=INTERNAL)
            self.configure_cert(cn)

        addresses = self.get_network_addresses()
        for address, endpoint in sorted(set(addresses)):
            for api_port in self.external_ports:
                ext_port = determine_apache_port(api_port,
                                                 singlenode_mode=True)
                int_port = determine_api_port(api_port, singlenode_mode=True)
                portmap = (address, endpoint, int(ext_port), int(int_port))
                ctxt['endpoints'].append(portmap)
                ctxt['ext_ports'].append(int(ext_port))

        ctxt['ext_ports'] = sorted(list(set(ctxt['ext_ports'])))
        return ctxt
Ejemplo n.º 37
0
    def __call__(self):
        if isinstance(self.external_ports, six.string_types):
            self.external_ports = [self.external_ports]

        if not self.external_ports or not https():
            return {}

        self.configure_ca()
        self.enable_modules()

        ctxt = {'namespace': self.service_namespace,
                'endpoints': [],
                'ext_ports': []}

        cns = self.canonical_names()
        if cns:
            for cn in cns:
                self.configure_cert(cn)
        else:
            # Expect cert/key provided in config (currently assumed that ca
            # uses ip for cn)
            cn = resolve_address(endpoint_type=INTERNAL)
            self.configure_cert(cn)

        addresses = self.get_network_addresses()
        for address, endpoint in sorted(set(addresses)):
            for api_port in self.external_ports:
                ext_port = determine_apache_port(api_port,
                                                 singlenode_mode=True)
                int_port = determine_api_port(api_port, singlenode_mode=True)
                portmap = (address, endpoint, int(ext_port), int(int_port))
                ctxt['endpoints'].append(portmap)
                ctxt['ext_ports'].append(int(ext_port))

        ctxt['ext_ports'] = sorted(list(set(ctxt['ext_ports'])))
        return ctxt
Ejemplo n.º 38
0
 def test_https_explict(self):
     '''It determines https is available if configured explicitly'''
     # config_get('use-https')
     self.config_get.return_value = 'yes'
     self.assertTrue(cluster_utils.https())