def kick_nginx(tls):
    """Restart nginx only when the served certificate has changed.

    Args:
        tls: relation/endpoint object exposing ``get_server_cert()``.

    The current server certificate is handed to ``data_changed`` under the
    ``'cert'`` key; nginx is touched only when that call reports a change,
    which is what keeps repeated invocations from restarting the service
    without need. The ``'server'`` certificate write flag is cleared on
    every call, whether or not a restart happened.

    NOTE(review): the log line says SIGHUP, but the call made here is
    ``host.service_restart('nginx')`` (a full restart as far as this code
    shows) — confirm which behaviour is intended for picking up a rotated
    certificate.
    """
    current_cert = tls.get_server_cert()
    cert_changed = data_changed('cert', current_cert)
    if cert_changed:
        hookenv.log("Certificate information changed, sending SIGHUP to nginx")
        host.service_restart('nginx')
    # Unconditional: the flag is reset even when nothing changed.
    tls_client.reset_certificate_write_flag('server')
def kick_api_server(tls):
    """Restart the API server only when the served certificate has changed.

    Args:
        tls: relation/endpoint object exposing ``get_server_cert()``.

    ``data_changed('cert', ...)`` decides whether the certificate differs
    from what was last recorded; only then is ``restart_apiserver()``
    invoked, so calling this repeatedly is idempotent. The ``'server'``
    certificate write flag is cleared unconditionally afterwards.
    """
    changed = data_changed('cert', tls.get_server_cert())
    if changed:
        # A new certificate is only served after the process is restarted.
        hookenv.log("Certificate information changed, restarting api server")
        restart_apiserver()
    tls_client.reset_certificate_write_flag('server')
def kick_nginx(tls):
    """Restart nginx if, and only if, the server certificate changed.

    Args:
        tls: relation/endpoint object exposing ``get_server_cert()``.

    Idempotency comes from ``data_changed``: nginx is restarted only when
    the ``'cert'`` value it is given differs from the one it last saw
    (presumably tracked by that helper — not visible here). The ``'server'``
    certificate write flag is always cleared before returning.

    NOTE(review): comment and log message mention a SIGHUP, while the code
    calls ``host.service_restart('nginx')``; confirm restart vs. reload is
    the intended way to load the new certificate.
    """
    if data_changed('cert', tls.get_server_cert()):
        hookenv.log("Certificate information changed, sending SIGHUP to nginx")
        host.service_restart('nginx')
    # Always clear the write flag, restarted or not.
    tls_client.reset_certificate_write_flag('server')
def kick_api_server(tls):
    """Flag the API server for restart only when the certificate changed.

    Args:
        tls: relation/endpoint object exposing ``get_server_cert()``.

    When ``data_changed('cert', ...)`` reports a change the reactive state
    ``'kube-apiserver.do-restart'`` is set; the restart itself is presumably
    performed by whichever handler reacts to that state (not shown here).
    The ``'server'`` certificate write flag is cleared on every call.
    """
    new_cert = tls.get_server_cert()
    if data_changed('cert', new_cert):
        hookenv.log("Certificate information changed, restarting api server")
        # Defer the actual restart to the handler watching this state.
        set_state('kube-apiserver.do-restart')
    tls_client.reset_certificate_write_flag('server')
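def configure_tls(tls, tlsc):
    """Point slapd at the server key/certificates via OLC over the ldapi socket.

    Args:
        tls: tls-client relation/endpoint object (not used in the body; kept
            for the handler signature).
        tlsc: second handler argument (not used in the body either).

    Steps, in order:
      1. Read the key, server certificate and CA certificate paths from the
         ``tls-client`` layer options and fail early if any is missing.
      2. chown each file to the charm's service user and the ``openldap``
         group and set mode ``0o640``, so slapd can read the private key
         while it stays unreadable to other local users. The same mode is
         applied to both certificates as well, matching the original code.
      3. Bind to the local slapd over ``ldapi:///`` with SASL EXTERNAL and
         replace the three ``olcTLS*`` attributes of ``cn=config``. The
         connection is always unbound afterwards, even on failure.
      4. Clear the ``'server'`` certificate write flag and set the unit
         status to active.

    Raises:
        RuntimeError: if a required path is missing from the layer options,
            the bind fails, or the OLC modify is rejected. The message
            carries the server's ``result`` for the last operation so the
            failure is diagnosable from the unit log. ``RuntimeError`` is a
            subclass of ``Exception``, so existing ``except Exception``
            callers still catch it.
    """
    hookenv.log('Configuring slapd TLS')
    hookenv.status_set('maintenance', 'Configuring TLS via olc')

    tls_options = layer.options('tls-client')
    srv_key = tls_options.get('server_key_path')
    srv_cert = tls_options.get('server_certificate_path')
    ca_cert = tls_options.get('ca_certificate_path')

    # Fail with a clear message rather than a TypeError from chown on None.
    option_paths = {
        'server_key_path': srv_key,
        'server_certificate_path': srv_cert,
        'ca_certificate_path': ca_cert,
    }
    missing = [name for name, path in option_paths.items() if not path]
    if missing:
        raise RuntimeError(
            'tls-client layer options missing: %s' % ', '.join(missing))

    hookenv.log('Changing owner for the server key')
    for path in (srv_key, srv_cert, ca_cert):
        # NOTE(review): the user name appears redacted ('******') in this
        # listing; keep whatever the deployed file uses. Group read is what
        # lets slapd (group openldap) open the private key; 0o640 keeps it
        # away from everyone else.
        shutil.chown(path, user='******', group='openldap')
        os.chmod(path, 0o640)

    server = Server('ldapi:///var/run/slapd/ldapi')

    hookenv.log('Connecting to slapd over a unix socket')
    conn = Connection(server,
                      authentication=SASL,
                      sasl_mechanism=EXTERNAL,
                      sasl_credentials='')
    if not conn.bind():
        raise RuntimeError(
            "Unable to bind to a local slapd server: %s" % (conn.result,))

    try:
        hookenv.log('Modifying TLS config entries in via olc')
        # Configure openldap via olc (OnLine Configuration): replace the
        # three TLS file attributes atomically in one modify request.
        res = conn.modify(
            'cn=config', {
                'olcTLSCACertificateFile': [(MODIFY_REPLACE, [ca_cert])],
                'olcTLSCertificateFile': [(MODIFY_REPLACE, [srv_cert])],
                'olcTLSCertificateKeyFile': [(MODIFY_REPLACE, [srv_key])],
            })
        if not res:
            raise RuntimeError(
                'Failed to configure TLS options via olc: %s' % (conn.result,))
    finally:
        # The original left the bound connection open until garbage
        # collection; release the socket deterministically.
        conn.unbind()

    tls_client.reset_certificate_write_flag('server')

    hookenv.status_set('active', 'slapd is configured')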