rabbit ssl support

2014-02-23 22:48:14 -05:00 · 2014-02-23 22:48:14 -05:00 · 0a2c8a98d2
parent 014c53d5bd
commit 0a2c8a98d2
7 changed files with 160 additions and 37 deletions
--- a/charm-helpers.yaml
+++ b/charm-helpers.yaml
@ -1,4 +1,4 @@
-branch: lp:charm-helpers
+branch: lp:~hazmat/charm-helpers/ssl-everywhere
 destination: hooks/charmhelpers
 include:
    - core
--- a/hooks/ceilometer_utils.py
+++ b/hooks/ceilometer_utils.py
@ -15,7 +15,8 @@ from charmhelpers.contrib.openstack.utils import (
 from charmhelpers.core.hookenv import config, log
 from charmhelpers.fetch import apt_update, apt_install

-CEILOMETER_CONF = "/etc/ceilometer/ceilometer.conf"
+CEILOMETER_CONF_DIR = "/etc/ceilometer"
+CEILOMETER_CONF = "%s/ceilometer.conf" % CEILOMETER_CONF_DIR

 CEILOMETER_SERVICES = [
    'ceilometer-agent-central',
@ -44,7 +45,7 @@ CEILOMETER_ROLE = "ResellerAdmin"
 CONFIG_FILES = {
    CEILOMETER_CONF: {
        'hook_contexts': [context.IdentityServiceContext(),
-                          context.AMQPContext(),
+                          context.AMQPContext(ssl_dir=CEILOMETER_CONF_DIR),
                          LoggingConfigContext(),
                          MongoDBContext(),
                          CeilometerContext()],
--- a/hooks/charmhelpers/contrib/openstack/context.py
+++ b/hooks/charmhelpers/contrib/openstack/context.py
@ -1,5 +1,6 @@
 import json
 import os
+import time

 from base64 import b64decode

@ -23,7 +24,6 @@ from charmhelpers.core.hookenv import (
    unit_get,
    unit_private_ip,
    ERROR,
-    WARNING,
 )

 from charmhelpers.contrib.hahelpers.cluster import (
@ -68,6 +68,43 @@ def context_complete(ctxt):
    return True


+def config_flags_parser(config_flags):
+    if config_flags.find('==') >= 0:
+        log("config_flags is not in expected format (key=value)",
+            level=ERROR)
+        raise OSContextError
+    # strip the following from each value.
+    post_strippers = ' ,'
+    # we strip any leading/trailing '=' or ' ' from the string then
+    # split on '='.
+    split = config_flags.strip(' =').split('=')
+    limit = len(split)
+    flags = {}
+    for i in xrange(0, limit - 1):
+        current = split[i]
+        next = split[i + 1]
+        vindex = next.rfind(',')
+        if (i == limit - 2) or (vindex < 0):
+            value = next
+        else:
+            value = next[:vindex]
+
+        if i == 0:
+            key = current
+        else:
+            # if this not the first entry, expect an embedded key.
+            index = current.rfind(',')
+            if index < 0:
+                log("invalid config value(s) at index %s" % (i),
+                    level=ERROR)
+                raise OSContextError
+            key = current[index + 1:]
+
+        # Add to collection.
+        flags[key.strip(post_strippers)] = value.rstrip(post_strippers)
+    return flags
+
+
 class OSContextGenerator(object):
    interfaces = []

@ -78,7 +115,8 @@ class OSContextGenerator(object):
 class SharedDBContext(OSContextGenerator):
    interfaces = ['shared-db']

-    def __init__(self, database=None, user=None, relation_prefix=None):
+    def __init__(self,
+                 database=None, user=None, relation_prefix=None, ssl_dir=None):
        '''
        Allows inspecting relation for settings prefixed with relation_prefix.
        This is useful for parsing access for multiple databases returned via
@ -87,6 +125,7 @@ class SharedDBContext(OSContextGenerator):
        self.relation_prefix = relation_prefix
        self.database = database
        self.user = user
+        self.ssl_dir = ssl_dir

    def __call__(self):
        self.database = self.database or config('database')
@ -104,19 +143,46 @@ class SharedDBContext(OSContextGenerator):

        for rid in relation_ids('shared-db'):
            for unit in related_units(rid):
-                passwd = relation_get(password_setting, rid=rid, unit=unit)
+                rdata = relation_get(rid=rid, unit=unit)
                ctxt = {
-                    'database_host': relation_get('db_host', rid=rid,
-                                                  unit=unit),
+                    'database_host': rdata.get('db_host'),
                    'database': self.database,
                    'database_user': self.user,
-                    'database_password': passwd,
+                    'database_password': rdata.get(password_setting)
                }
                if context_complete(ctxt):
+                    db_ssl(rdata, ctxt, self.ssl_dir)
                    return ctxt
        return {}


+def db_ssl(rdata, ctxt, ssl_dir, log):
+    ctxt.update({'database_ssl_ca': '', 'database_ssl_key': '',
+                 'database_ssl_cert': ''})
+    if 'ssl_ca' in rdata and ssl_dir:
+        ca_path = os.path.join(ssl_dir, 'db-client.ca')
+        with open(ca_path, 'w') as fh:
+            fh.write(b64decode(rdata['ssl_ca']))
+        ctxt['database_ssl_ca'] = ca_path
+    elif 'ssl_ca' in rdata:
+        log("Charm not setup for ssl support but ssl ca found")
+        return ctxt
+    if 'ssl_cert' in rdata:
+        cert_path = os.path.join(
+            ssl_dir, 'db-client.cert')
+        if not os.path.exists(cert_path):
+            log("Waiting 1m for ssl client cert validity")
+            time.sleep(60)
+        with open(cert_path, 'w') as fh:
+            fh.write(b64decode(rdata['ssl_cert']))
+        ctxt['database_ssl_cert'] = cert_path
+        key_path = os.path.join(ssl_dir, 'db-client.key')
+        with open(key_path, 'w') as fh:
+            fh.write(b64decode(rdata['ssl_key']))
+        ctxt['database_ssl_key'] = key_path
+    return ctxt
+
+
 class IdentityServiceContext(OSContextGenerator):
    interfaces = ['identity-service']

@ -151,6 +217,9 @@ class IdentityServiceContext(OSContextGenerator):
 class AMQPContext(OSContextGenerator):
    interfaces = ['amqp']

+    def __init__(self, ssl_dir=None):
+        self.ssl_dir = ssl_dir
+
    def __call__(self):
        log('Generating template context for amqp')
        conf = config()
@ -161,7 +230,6 @@ class AMQPContext(OSContextGenerator):
            log('Could not generate shared_db context. '
                'Missing required charm config options: %s.' % e)
            raise OSContextError
-
        ctxt = {}
        for rid in relation_ids('amqp'):
            for unit in related_units(rid):
@ -178,17 +246,38 @@ class AMQPContext(OSContextGenerator):
                                                      unit=unit),
                    'rabbitmq_virtual_host': vhost,
                })
+                ssl_port = relation_get('ssl_port', rid=rid, unit=unit)
+                if ssl_port:
+                    ctxt['rabbit_ssl_port'] = ssl_port
+                ssl_ca = relation_get('ssl_ca', rid=rid, unit=unit)
+                if ssl_ca:
+                    ctxt['rabbit_ssl_ca'] = ssl_ca
+
                if context_complete(ctxt):
+                    if 'rabbit_ssl_ca' in ctxt:
+                        if not self.ssl_dir:
+                            log(("Charm not setup for ssl support "
+                                 "but ssl ca found"))
+                            break
+                        ca_path = os.path.join(
+                            self.ssl_dir, 'rabbit-client-ca.pem')
+                        with open(ca_path, 'w') as fh:
+                            fh.write(b64decode(ctxt['rabbit_ssl_ca']))
+                            ctxt['rabbit_ssl_ca'] = ca_path
                    # Sufficient information found = break out!
                    break
            # Used for active/active rabbitmq >= grizzly
-            ctxt['rabbitmq_hosts'] = []
-            for unit in related_units(rid):
-                ctxt['rabbitmq_hosts'].append(relation_get('private-address',
-                                                           rid=rid, unit=unit))
+            if 'clustered' not in ctxt and len(related_units(rid)) > 1:
+                rabbitmq_hosts = []
+                for unit in related_units(rid):
+                    rabbitmq_hosts.append(relation_get('private-address',
+                                                       rid=rid, unit=unit))
+                ctxt['rabbitmq_hosts'] = ','.join(rabbitmq_hosts)
        if not context_complete(ctxt):
            return {}
        else:
+            ctxt.setdefault('rabbit_ssl_port', '')
+            ctxt.setdefault('rabbit_ssl_ca', '')
            return ctxt


@ -286,6 +375,7 @@ class ImageServiceContext(OSContextGenerator):


 class ApacheSSLContext(OSContextGenerator):
+
    """
    Generates a context for an apache vhost configuration that configures
    HTTPS reverse proxying for one or many endpoints.  Generated context
@ -428,33 +518,37 @@ class NeutronContext(object):
        elif self.plugin == 'nvp':
            ctxt.update(self.nvp_ctxt())

+        alchemy_flags = config('neutron-alchemy-flags')
+        if alchemy_flags:
+            flags = config_flags_parser(alchemy_flags)
+            ctxt['neutron_alchemy_flags'] = flags
+
        self._save_flag_file()
        return ctxt


 class OSConfigFlagContext(OSContextGenerator):
-        '''
-        Responsible adding user-defined config-flags in charm config to a
-        to a template context.
-        '''
+
+        """
+        Responsible for adding user-defined config-flags in charm config to a
+        template context.
+
+        NOTE: the value of config-flags may be a comma-separated list of
+              key=value pairs and some Openstack config files support
+              comma-separated lists as values.
+        """
+
        def __call__(self):
            config_flags = config('config-flags')
-            if not config_flags or config_flags in ['None', '']:
+            if not config_flags:
                return {}
-            config_flags = config_flags.split(',')
-            flags = {}
-            for flag in config_flags:
-                if '=' not in flag:
-                    log('Improperly formatted config-flag, expected k=v '
-                        'got %s' % flag, level=WARNING)
-                    continue
-                k, v = flag.split('=')
-                flags[k.strip()] = v
-            ctxt = {'user_config_flags': flags}
-            return ctxt
+
+            flags = config_flags_parser(config_flags)
+            return {'user_config_flags': flags}


 class SubordinateConfigContext(OSContextGenerator):
+
    """
    Responsible for inspecting relations to subordinates that
    may be exporting required config via a json blob.
@ -495,6 +589,7 @@ class SubordinateConfigContext(OSContextGenerator):
        }

    """
+
    def __init__(self, service, config_file, interface):
        """
        :param service     : Service name key to query in any subordinate
@ -539,3 +634,11 @@ class SubordinateConfigContext(OSContextGenerator):
            ctxt['sections'] = {}

        return ctxt
+
+
+class SyslogContext(OSContextGenerator):
+    def __call__(self):
+        ctxt = {
+            'use_syslog': config('use-syslog')
+        }
+        return ctxt
--- a/hooks/charmhelpers/contrib/openstack/utils.py
+++ b/hooks/charmhelpers/contrib/openstack/utils.py
@ -415,7 +415,7 @@ def get_host_ip(hostname):
    return ns_query(hostname)


-def get_hostname(address):
+def get_hostname(address, fqdn=True):
    """
    Resolves hostname for given IP, or returns the input
    if it is already a hostname.
@ -434,7 +434,11 @@ def get_hostname(address):
    if not result:
        return None

-    # strip trailing .
-    if result.endswith('.'):
-        return result[:-1]
-    return result
+    if fqdn:
+        # strip trailing .
+        if result.endswith('.'):
+            return result[:-1]
+        else:
+            return result
+    else:
+        return result.split('.')[0]
--- a/hooks/charmhelpers/core/hookenv.py
+++ b/hooks/charmhelpers/core/hookenv.py
@ -8,6 +8,7 @@ import os
 import json
 import yaml
 import subprocess
+import sys
 import UserDict
 from subprocess import CalledProcessError

@ -149,6 +150,11 @@ def service_name():
    return local_unit().split('/')[0]


+def hook_name():
+    """The name of the currently executing hook"""
+    return os.path.basename(sys.argv[0])
+
+
@cached
 def config(scope=None):
    """Juju charm configuration"""
--- a/hooks/charmhelpers/fetch/init.py
+++ b/hooks/charmhelpers/fetch/init.py
@ -136,7 +136,7 @@ def apt_hold(packages, fatal=False):

 def add_source(source, key=None):
    if (source.startswith('ppa:') or
-        source.startswith('http:') or
+        source.startswith('http') or
        source.startswith('deb ') or
            source.startswith('cloud-archive:')):
        subprocess.check_call(['add-apt-repository', '--yes', source])
@ -156,7 +156,9 @@ def add_source(source, key=None):
        with open('/etc/apt/sources.list.d/proposed.list', 'w') as apt:
            apt.write(PROPOSED_POCKET.format(release))
    if key:
-        subprocess.check_call(['apt-key', 'import', key])
+        subprocess.check_call(['apt-key', 'adv', '--keyserver',
+                               'keyserver.ubuntu.com', '--recv',
+                               key])


 class SourceConfigError(Exception):
--- a/templates/havana/ceilometer.conf
+++ b/templates/havana/ceilometer.conf
@ -12,6 +12,13 @@ rabbit_host = {{ rabbitmq_host }}
 rabbit_userid = {{ rabbitmq_user }}
 rabbit_password = {{ rabbitmq_password }}
 rabbit_virtual_host = {{ rabbitmq_virtual_host }}
+{% if rabbit_ssl_port %}
+rabbit_use_ssl=True
+rabbit_port={{ rabbit_ssl_port }}
+{% if rabbit_ssl_ca %}
+kombu_ssl_ca_certs={{rabbit_ssl_ca}}
+{% endif %}
+{% endif %}

 [api]
 port = {{ port }}