Updates for swift + SSL configuration

James Page 2013-03-04 14:36:33 +00:00
parent d5d1881020
commit b1c35ff2cb
4 changed files with 65 additions and 17 deletions


@ -46,6 +46,17 @@ options:
zones before the storage ring will be initially balance. Deployment
requirements differ based on the zone-assignment policy configured, see
this charm's README for details.
# User provided SSL cert and key
ssl_cert:
type: string
description: |
SSL certificate to install and use for API ports. Setting this value
and ssl_key will enable reverse proxying, point Swifts's entry in the
Keystone catalog to use https, and override any certficiate and key
issued by Keystone (if it is configured to do so).
ssl_key:
type: string
description: SSL key to use with certificate specified as ssl_cert.
# CA Cert info
use-https:
default: "no"
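Review bot: The `ssl_cert` and `ssl_key` descriptions do not say which encoding the charm expects (raw PEM or base64-encoded PEM), and the code that consumes them is not in this section, so an operator cannot tell from here. `ssl_key` is a private key held in service configuration, so the description should also say that anyone able to read the service's config can read the key. I would extend the `ssl_key` text to something like `SSL private key to use with the certificate given as ssl_cert, in the same encoding; treat this value as a secret.` While editing, "Swifts's" and "certficiate" in the `ssl_cert` description are typos.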


@ -44,9 +44,6 @@ def install():
with open(swift.MEMCACHED_CONF, 'w') as conf:
conf.write(swift.render_config(swift.MEMCACHED_CONF, ctxt))
# generate or setup SSL certificate
swift.configure_ssl()
# initialize new storage rings.
for ring in swift.SWIFT_RINGS.iteritems():
swift.initialize_ring(ring[1],
@ -60,7 +57,7 @@ def install():
uid, gid = swift.swift_user()
os.chown(swift.WWW_DIR, uid, gid)
swift.write_apache_config()
utils.configure_https()
swift.configure_https()
def keystone_joined(relid=None):
@ -71,8 +68,7 @@ def keystone_joined(relid=None):
else:
hostname = utils.unit_get('private-address')
port = utils.config_get('bind-port')
ssl = utils.config_get('use-https')
if ssl == 'yes':
if utils.https():
proto = 'https'
else:
proto = 'http'
@ -88,7 +84,10 @@ def keystone_joined(relid=None):
def keystone_changed():
swift.write_proxy_config()
utils.configure_https()
swift.configure_https()
# Re-fire keystone hooks to ripple back the HTTPS service entry
for relid in utils.relation_ids('identity-service'):
keystone_joined(relid=relid)
def balance_rings():
@ -159,19 +158,11 @@ def config_changed():
for relid in relids:
keystone_joined(relid)
swift.write_proxy_config()
utils.configure_https()
swift.configure_https()
def cluster_changed():
api_port = utils.config_get('bind-port')
service_ports = {
"swift": [
utils.determine_haproxy_port(api_port),
utils.determine_api_port(api_port)
]
}
swift.proxy_control('restart')
utils.configure_haproxy(service_ports)
swift.configure_haproxy()
def ha_relation_changed():
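Review bot: In `config_changed()` the `for relid in relids: keystone_joined(relid)` loop runs before `swift.configure_https()`, so the `https` endpoint that `keystone_joined()` now derives from `utils.https()` can be advertised to Keystone before the TLS front-end exists. `keystone_changed()` in this same commit uses the opposite order, with `swift.configure_https()` first and the re-fire loop after it. I would move the loop in `config_changed()` below `swift.configure_https()` so both hooks configure the listener first and publish the endpoint second. The start of `config_changed()` is outside the hunk, so confirm nothing above depends on the current order.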


@ -383,3 +383,30 @@ def write_apache_config():
conf.write(render_config(APACHE_CONF, ctxt))
subprocess.check_call(['service', 'apache2', 'reload'])
def configure_haproxy():
api_port = utils.config_get('bind-port')
service_ports = {
"swift": [
utils.determine_haproxy_port(api_port),
utils.determine_api_port(api_port)
]
}
write_proxy_config()
utils.configure_haproxy(service_ports)
def configure_https():
if utils.https():
api_port = utils.config_get('bind-port')
if (len(utils.peer_units) > 0 or
utils.is_clustered()):
target_port = utils.determine_haproxy_port(api_port)
configure_haproxy()
else:
target_port = utils.determine_api_port(api_port)
write_proxy_config()
utils.setup_https(namespace="swift",
port_maps={api_port: target_port})
else:
return False
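Review bot: `len(utils.peer_units)` in `configure_https()` takes the length of the attribute itself, while every other `utils` helper in this function is called. The definition of `peer_units` is not visible here, but if it is a function this raises `TypeError` as soon as HTTPS is enabled, and the line should read `if (len(utils.peer_units()) > 0 or`. The function also returns `False` when HTTPS is off and `None` when it is on, and the off branch does nothing about an SSL vhost installed by an earlier run. A short docstring stating the return contract, and that disabling HTTPS is not handled here, would make that explicit.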


@ -0,0 +1,19 @@
Listen {{ ext }}
NameVirtualHost *:{{ ext }}
<VirtualHost *: {{ ext }}>
ServerName {{ private-address }}
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/{{ namespace }}/cert
SSLCertificateKeyFile /etc/apache2/ssl/{{ namespace }}/key
ProxyPass / http://localhost:{{ int }}/
ProxyPassReverse / http://localhost:{{ int }}/
ProxyPreserveHost on
</VirtualHost>
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
<Location />
Order allow,deny
Allow from all
</Location>
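Review bot: `<VirtualHost *: {{ ext }}>` has a space between `*:` and the port, so the rendered directive will not be a single `address:port` token, unlike `NameVirtualHost *:{{ ext }}` one line above. It should be `<VirtualHost *:{{ ext }}>`. `{{ private-address }}` is also worth checking: the rendering engine is not visible here, but in Jinja2-style templates the hyphen parses as subtraction, so a key such as `private_address` would be safer. Finally, the vhost enables `SSLEngine on` without `SSLProtocol` or `SSLCipherSuite`, so the accepted protocol versions and ciphers are whatever the distribution defaults allow; setting them explicitly in the template would make the TLS posture reviewable.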