Updates for swift + SSL configuration
parent
d5d1881020
commit
b1c35ff2cb
11
config.yaml
11
config.yaml
@ -46,6 +46,17 @@ options:
zones before the storage ring will be initially balance. Deployment
requirements differ based on the zone-assignment policy configured, see
this charm's README for details.
# User provided SSL cert and key
ssl_cert:
type: string
description: |
SSL certificate to install and use for API ports. Setting this value
and ssl_key will enable reverse proxying, point Swifts's entry in the
Keystone catalog to use https, and override any certficiate and key
issued by Keystone (if it is configured to do so).
ssl_key:
type: string
description: SSL key to use with certificate specified as ssl_cert.
# CA Cert info
use-https:
default: "no"
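Review bot: The new ssl_cert description carries two typos that ship to operators as help text: `Swifts's` and `certficiate`; the line should read `point Swift's entry in the Keystone catalog to use https, and override any certificate and key`. The `# CA Cert info` comment inserted directly above `use-https:` does not describe that option and reads as a leftover heading; either drop it or move it next to the CA-related options, which are not visible in this hunk.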
@ -44,9 +44,6 @@ def install():
with open(swift.MEMCACHED_CONF, 'w') as conf:
conf.write(swift.render_config(swift.MEMCACHED_CONF, ctxt))
# generate or setup SSL certificate
swift.configure_ssl()
# initialize new storage rings.
for ring in swift.SWIFT_RINGS.iteritems():
swift.initialize_ring(ring[1],
@ -60,7 +57,7 @@ def install():
uid, gid = swift.swift_user()
os.chown(swift.WWW_DIR, uid, gid)
swift.write_apache_config()
utils.configure_https()
swift.configure_https()
def keystone_joined(relid=None):
@ -71,8 +68,7 @@ def keystone_joined(relid=None):
else:
hostname = utils.unit_get('private-address')
port = utils.config_get('bind-port')
ssl = utils.config_get('use-https')
if ssl == 'yes':
if utils.https():
proto = 'https'
else:
proto = 'http'
@ -88,7 +84,10 @@ def keystone_joined(relid=None):
def keystone_changed():
swift.write_proxy_config()
utils.configure_https()
swift.configure_https()
# Re-fire keystone hooks to ripple back the HTTPS service entry
for relid in utils.relation_ids('identity-service'):
keystone_joined(relid=relid)
def balance_rings():
@ -159,19 +158,11 @@ def config_changed():
for relid in relids:
keystone_joined(relid)
swift.write_proxy_config()
utils.configure_https()
swift.configure_https()
def cluster_changed():
api_port = utils.config_get('bind-port')
service_ports = {
"swift": [
utils.determine_haproxy_port(api_port),
utils.determine_api_port(api_port)
]
}
swift.proxy_control('restart')
utils.configure_haproxy(service_ports)
swift.configure_haproxy()
def ha_relation_changed():
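Review bot: In cluster_changed, `swift.proxy_control('restart')` now runs before `swift.configure_haproxy()`, and configure_haproxy() as added to the swift module in this same commit calls write_proxy_config() before utils.configure_haproxy(), so the proxy is restarted against the previous configuration and only then gets the new one. Unless write_proxy_config() triggers its own reload, which is not visible here, the two calls should be swapped to `swift.configure_haproxy()` followed by `swift.proxy_control('restart')`. The replacement of `utils.configure_https()` by `swift.configure_https()` in config_changed here, and in the install and keystone_changed hunks above, discards the False that configure_https() returns on the non-HTTPS path; if that value is not meant to be acted on, a comment such as `# no-op (returns False) unless utils.https() is true` at the first call site would make that explicit. config_changed's body begins outside this hunk.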
@ -383,3 +383,30 @@ def write_apache_config():
conf.write(render_config(APACHE_CONF, ctxt))
subprocess.check_call(['service', 'apache2', 'reload'])
def configure_haproxy():
api_port = utils.config_get('bind-port')
service_ports = {
"swift": [
utils.determine_haproxy_port(api_port),
utils.determine_api_port(api_port)
]
}
write_proxy_config()
utils.configure_haproxy(service_ports)
def configure_https():
if utils.https():
api_port = utils.config_get('bind-port')
if (len(utils.peer_units) > 0 or
utils.is_clustered()):
target_port = utils.determine_haproxy_port(api_port)
configure_haproxy()
else:
target_port = utils.determine_api_port(api_port)
write_proxy_config()
utils.setup_https(namespace="swift",
port_maps={api_port: target_port})
else:
return False
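Review bot: `len(utils.peer_units) > 0` in configure_https() measures the attribute itself rather than calling it, while `utils.is_clustered()` on the next line is called; if peer_units is likewise a function, len() raises TypeError every time utils.https() is true, which is exactly the path a configured certificate takes. Assuming it returns a list, the intended condition is `if utils.peer_units() or utils.is_clustered():`. The function returns False when HTTPS is off but None after a successful setup_https(); returning True at the end of the HTTPS branch, or stating the contract in a docstring such as `"""Front the API with Apache HTTPS; returns False when HTTPS is not enabled."""`, would give the hook callers a consistent value to test.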
@ -0,0 +1,19 @@
Listen {{ ext }}
NameVirtualHost *:{{ ext }}
<VirtualHost *: {{ ext }}>
ServerName {{ private-address }}
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/{{ namespace }}/cert
SSLCertificateKeyFile /etc/apache2/ssl/{{ namespace }}/key
ProxyPass / http://localhost:{{ int }}/
ProxyPassReverse / http://localhost:{{ int }}/
ProxyPreserveHost on
</VirtualHost>
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
<Location />
Order allow,deny
Allow from all
</Location>
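Review bot: `<VirtualHost *: {{ ext }}>` has a space after the colon, unlike `NameVirtualHost *:{{ ext }}` two lines above; Apache expects address and port as one `addr:port` token, so once rendered this vhost will most likely fail to parse or not bind on the intended port, and it should read `<VirtualHost *:{{ ext }}>`. The vhost enables `SSLEngine on` but sets no `SSLProtocol` or `SSLCipherSuite`, so the API endpoint inherits whatever the host's mod_ssl defaults are; adding `SSLProtocol all -SSLv2 -SSLv3` and `SSLHonorCipherOrder on` to the template keeps the TLS policy under the charm's control. `{{ private-address }}` contains a hyphen, which a Jinja2 renderer would evaluate as `private - address` rather than a lookup of the private-address key; confirm how render_config exposes that value, since the template engine is not visible in this commit.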