def install_custom_ca(): """ Installs a configured CA cert into the system-wide location. """ ca_cert = hookenv.config().get('custom-registry-ca') if ca_cert: try: # decode to bytes, as that's what install_ca_cert wants _ca = b64decode(ca_cert) except Exception: status.blocked( 'Invalid base64 value for custom-registry-ca config') return else: host.install_ca_cert(_ca, name='juju-custom-registry') charm = hookenv.charm_name() hookenv.log( 'Custom registry CA has been installed for {}'.format(charm)) # manage appropriate charm flags to recycle the runtime daemon if charm == 'docker': clear_flag('docker.available') set_flag('docker.restart') elif charm == 'containerd': set_flag('containerd.restart') else: hookenv.log('Unknown runtime: {}. ' 'Cannot request a service restart.'.format(charm))
def configure_registry(): """ Add docker registry config when present. :return: None """ registry = endpoint_from_flag('endpoint.docker-registry.ready') docker_registry = { 'host': strip_url(registry.registry_netloc), 'url': registry.registry_netloc, } # Handle auth data. if registry.has_auth_basic(): docker_registry['username'] = registry.basic_user docker_registry['password'] = registry.basic_password # Handle TLS data. if registry.has_tls(): # Ensure the CA that signed our registry cert is trusted. host.install_ca_cert(registry.tls_ca, name='juju-docker-registry') docker_registry['ca'] = str(ca_crt_path) docker_registry['key'] = str(server_key_path) docker_registry['cert'] = str(server_crt_path) DB.set('registry', docker_registry) config_changed() set_state('containerd.registry.configured')
def config_changed(): hookenv.log('begin config-changed hook.') configs = get_configs() configs.write_all() ensure_perms() update_nrpe_config() config = hookenv.config() if config.changed('frequency'): hookenv.log("'frequency' changed, removing cron job") uninstall_cron_script() if config['run']: hookenv.log("installing to cronjob to " "/etc/cron.{}".format(config['frequency'])) hookenv.log("installing {} for polling".format(CRON_POLL_FILEPATH)) install_cron_poll() install_cron_script() else: hookenv.log("'run' set to False, removing cron jobs") uninstall_cron_script() uninstall_cron_poll() if config.get('ssl_ca'): install_ca_cert(base64.b64decode(config.get('ssl_ca')), ) config.save()
def configure_registry(): """ Add docker registry config when present. :return: None """ registry = endpoint_from_flag("endpoint.docker-registry.ready") netloc = registry.registry_netloc # handle tls data cert_subdir = netloc cert_dir = os.path.join(CERTIFICATE_DIRECTORY, cert_subdir) insecure_opt = {"insecure-registry": netloc} if registry.has_tls(): # ensure the CA that signed our registry cert is trusted install_ca_cert(registry.tls_ca, name="juju-docker-registry") # remove potential insecure docker opts related to this registry manage_docker_opts(insecure_opt, remove=True) manage_registry_certs(cert_dir, remove=False) else: manage_docker_opts(insecure_opt, remove=False) manage_registry_certs(cert_dir, remove=True) # handle auth data if registry.has_auth_basic(): hookenv.log("Logging into docker registry: {}.".format(netloc)) cmd = [ "docker", "login", netloc, "-u", registry.basic_user, "-p", registry.basic_password, ] try: check_output(cmd, stderr=subprocess.STDOUT) except CalledProcessError as e: if b"http response" in e.output.lower(): # non-tls login with basic auth will error like this: # Error response ... server gave HTTP response to HTTPS client msg = "docker login requires a TLS-enabled registry" elif b"unauthorized" in e.output.lower(): # invalid creds will error like this: # Error response ... 401 Unauthorized msg = "Incorrect credentials for docker registry" else: msg = "docker login failed, see juju debug-log" status.blocked(msg) else: hookenv.log("Disabling auth for docker registry: {}.".format(netloc)) # NB: it's safe to logout of a registry that was never logged in check_call(["docker", "logout", netloc]) # NB: store our netloc so we can clean up if the registry goes away DB.set("registry_netloc", netloc) set_state("docker.registry.configured")
def configure_registry(): '''Add docker registry config when present.''' registry = endpoint_from_flag('endpoint.docker-registry.ready') netloc = registry.registry_netloc # handle tls data cert_subdir = netloc insecure_opt = {'insecure-registry': netloc} if registry.has_tls(): # ensure the CA that signed our registry cert is trusted install_ca_cert(registry.tls_ca, name='juju-docker-registry') # remove potential insecure docker opts related to this registry manage_docker_opts(insecure_opt, remove=True) manage_registry_certs(cert_subdir, remove=False) else: manage_docker_opts(insecure_opt, remove=False) manage_registry_certs(cert_subdir, remove=True) # handle auth data if registry.has_auth_basic(): hookenv.log('Logging into docker registry: {}.'.format(netloc)) cmd = ['docker', 'login', netloc, '-u', registry.basic_user, '-p', registry.basic_password] try: check_output(cmd, stderr=subprocess.STDOUT) except CalledProcessError as e: if b'http response' in e.output.lower(): # non-tls login with basic auth will error like this: # Error response ... server gave HTTP response to HTTPS client msg = 'docker login requires a TLS-enabled registry' elif b'unauthorized' in e.output.lower(): # invalid creds will error like this: # Error response ... 401 Unauthorized msg = 'Incorrect credentials for docker registry' else: msg = 'docker login failed, see juju debug-log' hookenv.status_set('blocked', msg) else: hookenv.log('Disabling auth for docker registry: {}.'.format(netloc)) # NB: it's safe to logout of a registry that was never logged in check_call(['docker', 'logout', netloc]) # NB: store our netloc so we can clean up if the registry goes away db.set('registry_netloc', netloc) set_state('kubernetes-master-worker-base.registry.configured')
def _configure_local_client(): '''Configure daemon.json and certs for the local docker client.''' charm_config = hookenv.config() # client config depends on whether the registry is secure or insecure netloc = get_netloc() if is_flag_set('charm.docker-registry.tls-enabled'): insecure_registry = '' # if our ca changed, install it into the default sys location # (docker client > 1.13 will use this) tls_ca = charm_config.get('tls-ca-path', '') if os.path.isfile(tls_ca) and any_file_changed([tls_ca]): ca_content = None with open(tls_ca, 'rb') as f: ca_content = f.read() if ca_content: host.install_ca_cert(ca_content) # Put our certs where the docker client expects to find them # NB: these are the same certs used to serve the registry, but have # strict path requirements when used for docker client auth. client_tls_dst = '/etc/docker/certs.d/{}'.format(netloc) os.makedirs(client_tls_dst, exist_ok=True) tls_cert = charm_config.get('tls-cert-path', '') if os.path.isfile(tls_cert) and any_file_changed([tls_cert]): tls_cert_link = '{}/client.cert'.format(client_tls_dst) _remove_if_exists(tls_cert_link) os.symlink(tls_cert, tls_cert_link) tls_key = charm_config.get('tls-key-path', '') if os.path.isfile(tls_key) and any_file_changed([tls_key]): tls_key_link = '{}/client.key'.format(client_tls_dst) _remove_if_exists(tls_key_link) os.symlink(tls_key, tls_key_link) else: insecure_registry = '"{}"'.format(netloc) templating.render('daemon.json', '/etc/docker/daemon.json', {'registries': insecure_registry}) host.service_restart('docker')
def _manage_ca_certs(ca, cert_relation_id): """Manage CA certs. :param ca: CA Certificate from certificate relation. :type ca: str :param cert_relation_id: Relation id providing the certs :type cert_relation_id: str """ config_ssl_ca = config('ssl_ca') config_cert_file = ca_cert_absolute_path(CONFIG_CA_CERT_FILE) if config_ssl_ca: log( "Installing CA certificate from charm ssl_ca config to {}".format( config_cert_file), INFO) install_ca_cert(b64decode(config_ssl_ca).rstrip(), name=CONFIG_CA_CERT_FILE) elif os.path.exists(config_cert_file): log("Removing CA certificate {}".format(config_cert_file), INFO) os.remove(config_cert_file) log("Installing CA certificate from certificate relation", INFO) install_ca_cert(ca.encode(), name=get_cert_relation_ca_name(cert_relation_id))
def configure_ca(self): ca_cert = config('ssl-ca') if ca_cert: install_ca_cert(b64decode(ca_cert))
def install_ca_cert(ca_cert): host.install_ca_cert(ca_cert, CONFIG_CA_CERT_FILE)
def setup_ssl(): ca = config('ssl_ca') install_ca_cert(b64decode(ca))
def install_ca_cert(ca_cert): host.install_ca_cert(ca_cert, 'keystone_juju_ca_cert')
def install_root_ca_cert(): cert_provider = endpoint_from_flag('certificates.ca.available') host.install_ca_cert(cert_provider.root_ca_cert) set_state('cert_provider.ca.changed')
def install_root_ca_cert(): cert_provider = endpoint_from_flag('cert-provider.ca.available') host.install_ca_cert(cert_provider.root_ca_cert) clear_flag('cert-provider.ca.changed')