def kick_nginx(tls):
    """Restart nginx when the server certificate provided by *tls* changed.

    ``data_changed('cert', ...)`` decides whether the certificate differs
    from the last value seen under that key, so repeated hook runs with an
    unchanged certificate leave nginx alone. Note that despite the comment
    and log text talking about SIGHUP, the action taken is a full
    ``host.service_restart('nginx')``. The tls-client "server certificate
    written" flag is cleared on every call, restarted or not.
    """
    current_cert = tls.get_server_cert()
    cert_changed = data_changed('cert', current_cert)
    if cert_changed:
        # Only touch the running service when the certificate really moved.
        hookenv.log("Certificate information changed, sending SIGHUP to nginx")
        host.service_restart('nginx')
    # NOTE(review): statement nesting was lost in this copy of the source;
    # the flag reset is taken to sit at function level -- confirm upstream.
    tls_client.reset_certificate_write_flag('server')
def kick_api_server(tls):
    """Restart the API server when the server certificate from *tls* changed.

    Idempotent by design: ``data_changed('cert', ...)`` reports whether the
    certificate differs from the value last recorded under that key, and
    ``restart_apiserver()`` is only invoked in that case. The tls-client
    "server certificate written" flag is cleared on every call.
    """
    current_cert = tls.get_server_cert()
    cert_changed = data_changed('cert', current_cert)
    if cert_changed:
        # Avoid restarting the api server on hook runs where nothing changed.
        hookenv.log("Certificate information changed, restarting api server")
        restart_apiserver()
    # NOTE(review): statement nesting was lost in this copy of the source;
    # the flag reset is taken to sit at function level -- confirm upstream.
    tls_client.reset_certificate_write_flag('server')
def kick_nginx(tls):
    """Restart nginx when the server certificate provided by *tls* changed.

    ``data_changed('cert', ...)`` decides whether the certificate differs
    from the last value seen under that key, so repeated hook runs with an
    unchanged certificate leave nginx alone. Note that despite the comment
    and log text talking about SIGHUP, the action taken is a full
    ``host.service_restart('nginx')``. The tls-client "server certificate
    written" flag is cleared on every call, restarted or not.
    """
    current_cert = tls.get_server_cert()
    cert_changed = data_changed('cert', current_cert)
    if cert_changed:
        # Only touch the running service when the certificate really moved.
        hookenv.log("Certificate information changed, sending SIGHUP to nginx")
        host.service_restart('nginx')
    # NOTE(review): statement nesting was lost in this copy of the source;
    # the flag reset is taken to sit at function level -- confirm upstream.
    tls_client.reset_certificate_write_flag('server')
def kick_api_server(tls):
    """Request an API server restart when the certificate from *tls* changed.

    Idempotent by design: ``data_changed('cert', ...)`` reports whether the
    certificate differs from the value last recorded under that key; only
    then is the ``kube-apiserver.do-restart`` state raised (the restart
    itself is handled elsewhere). The tls-client "server certificate
    written" flag is cleared on every call.
    """
    current_cert = tls.get_server_cert()
    cert_changed = data_changed('cert', current_cert)
    if cert_changed:
        # Avoid queueing a restart on hook runs where nothing changed.
        hookenv.log("Certificate information changed, restarting api server")
        set_state('kube-apiserver.do-restart')
    # NOTE(review): statement nesting was lost in this copy of the source;
    # the flag reset is taken to sit at function level -- confirm upstream.
    tls_client.reset_certificate_write_flag('server')
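def configure_tls(tls, tlsc):
    """Point slapd at the certificate files written by the tls-client layer.

    Reads the key, server certificate and CA certificate paths from the
    ``tls-client`` layer options, makes them readable by the ``openldap``
    group (mode 0640), then replaces the ``olcTLS*File`` attributes on
    ``cn=config`` over the local ldapi socket using an EXTERNAL SASL bind.
    On success the tls-client "server certificate written" flag is cleared
    and the unit status is set to active.

    Args:
        tls: handler argument; not referenced by this body.
        tlsc: handler argument; not referenced by this body.

    Raises:
        RuntimeError: if a layer option path is unset, the local bind
            fails, or the olc modification is rejected.
    """
    hookenv.log('Configuring slapd TLS')
    hookenv.status_set('maintenance', 'Configuring TLS via olc')

    tls_options = layer.options('tls-client')
    paths = {
        'server_key_path': tls_options.get('server_key_path'),
        'server_certificate_path': tls_options.get('server_certificate_path'),
        'ca_certificate_path': tls_options.get('ca_certificate_path'),
    }
    missing = [name for name, value in paths.items() if not value]
    if missing:
        # Fail with a clear message instead of letting shutil.chown(None, ...)
        # surface as a TypeError further down.
        raise RuntimeError(
            'tls-client layer options missing: %s' % ', '.join(missing))
    srv_key = paths['server_key_path']
    srv_cert = paths['server_certificate_path']
    ca_cert = paths['ca_certificate_path']

    # All three files get the same owner/group and mode 0640: the private
    # key must not be world-readable, and the (public) server and CA
    # certificates are given the same treatment here.
    hookenv.log('Changing owner for the server key')
    for path in (srv_key, srv_cert, ca_cert):
        # NOTE(review): the user name below appears redacted in this copy of
        # the source ('******'); confirm the intended account upstream.
        shutil.chown(path, user='******', group='openldap')
        os.chmod(path, 0o640)

    # EXTERNAL over ldapi authenticates by the connecting process's
    # credentials, so this code must run as an identity slapd maps to
    # cn=config write access (presumably root on the unit -- confirm).
    server = Server('ldapi:///var/run/slapd/ldapi')
    hookenv.log('Connecting to slapd over a unix socket')
    conn = Connection(server, authentication=SASL, sasl_mechanism=EXTERNAL,
                      sasl_credentials='')
    if not conn.bind():
        raise RuntimeError("Unable to bind to a local slapd server")

    try:
        hookenv.log('Modifying TLS config entries in via olc')
        # configure openldap via olc (OnLine Configuration)
        res = conn.modify(
            'cn=config',
            {
                'olcTLSCACertificateFile': [(MODIFY_REPLACE, [ca_cert])],
                'olcTLSCertificateFile': [(MODIFY_REPLACE, [srv_cert])],
                'olcTLSCertificateKeyFile': [(MODIFY_REPLACE, [srv_key])],
            })
        if not res:
            raise RuntimeError('Failed to configure TLS options via olc')
    finally:
        # Release the ldapi session whether or not the modify succeeded;
        # the original left the bound connection open.
        conn.unbind()

    tls_client.reset_certificate_write_flag('server')
    hookenv.status_set('active', 'slapd is configured')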