Merge ssl-everywhere

2014-03-28 14:31:31 +00:00 · 2014-03-28 14:31:31 +00:00 · c13404061e
parent 7dc1e0d1ac af1cca24d3
commit c13404061e
8 changed files with 111 additions and 15 deletions
--- a/config.yaml
+++ b/config.yaml
@ -40,3 +40,19 @@ options:
    description: |
      By default, all services will log into their corresponding log files.
      Setting this to True will force all services to log to the syslog.
+  ssl_cert:
+    type: string
+    description: |
+      SSL certificate to install and use for API ports.  Setting this value
+      and ssl_key will enable reverse proxying, point Ceilometer's entry in the
+      Keystone catalog to use https, and override any certficiate and key
+      issued by Keystone (if it is configured to do so).
+  ssl_key:
+    type: string
+    description: SSL key to use with certificate specified as ssl_cert.
+  ssl_ca:
+    type: string
+    description: |
+      SSL CA to use with the certificate and key provided - this is only
+      required if you are providing a privately signed ssl_cert and ssl_key.
+
--- a/hooks/ceilometer_contexts.py
+++ b/hooks/ceilometer_contexts.py
@ -9,7 +9,8 @@ from charmhelpers.core.hookenv import (

 from charmhelpers.contrib.openstack.context import (
    OSContextGenerator,
-    context_complete
+    context_complete,
+    ApacheSSLContext as SSLContext,
 )

 CEILOMETER_DB = 'ceilometer'
@ -72,3 +73,10 @@ class CeilometerServiceContext(OSContextGenerator):
                if context_complete(conf):
                    return conf
        return {}
+
+
+class ApacheSSLContext(SSLContext):
+
+    service_namespace = "ceilometer"
+
+    external_ports = [CEILOMETER_PORT+100]
--- a/hooks/ceilometer_hooks.py
+++ b/hooks/ceilometer_hooks.py
@ -1,5 +1,6 @@
 #!/usr/bin/python

+import base64
 import sys
 from charmhelpers.fetch import (
    apt_install, filter_installed_packages,
@ -110,6 +111,11 @@ def keystone_joined():
 def ceilometer_joined():
    # Pass local context data onto related agent services
    context = get_ceilometer_context()
+    # This value gets tranformed to a path by the context we need to
+    # pass the data to agents.
+    if 'rabbit_ssl_ca' in context:
+        with open(context['rabbit_ssl_ca']) as fh:
+            context['rabbit_ssl_ca'] = base64.b64encode(fh.read())
    for relid in relation_ids('ceilometer-service'):
        relation_set(relid, context)

--- a/hooks/ceilometer_utils.py
+++ b/hooks/ceilometer_utils.py
@ -1,11 +1,16 @@
+import os
+
+from collections import OrderedDict
+
 from charmhelpers.contrib.openstack import (
    templating,
    context,
 )
 from ceilometer_contexts import (
+    ApacheSSLContext,
    LoggingConfigContext,
    MongoDBContext,
-    CeilometerContext
+    CeilometerContext,
 )
 from charmhelpers.contrib.openstack.utils import (
    get_os_codename_package,
@ -15,7 +20,11 @@ from charmhelpers.contrib.openstack.utils import (
 from charmhelpers.core.hookenv import config, log
 from charmhelpers.fetch import apt_update, apt_install

-CEILOMETER_CONF = "/etc/ceilometer/ceilometer.conf"
+CEILOMETER_CONF_DIR = "/etc/ceilometer"
+CEILOMETER_CONF = "%s/ceilometer.conf" % CEILOMETER_CONF_DIR
+HTTPS_APACHE_CONF = "/etc/apache2/sites-available/openstack_https_frontend"
+HTTPS_APACHE_24_CONF = "/etc/apache2/sites-available/" \
+    "openstack_https_frontend.conf"

 CEILOMETER_SERVICES = [
    'ceilometer-agent-central',
@ -27,11 +36,13 @@ CEILOMETER_DB = "ceilometer"
 CEILOMETER_SERVICE = "ceilometer"

 CEILOMETER_PACKAGES = [
+    'apache2',
    'ceilometer-agent-central',
    'ceilometer-collector',
    'ceilometer-api'
 ]

+
 CEILOMETER_ROLE = "ResellerAdmin"

 #NOVA_CONF = "/etc/nova/nova.conf"
@ -41,17 +52,26 @@ CEILOMETER_ROLE = "ResellerAdmin"
 #    ('DEFAULT', 'notification_driver', 'ceilometer.compute.nova_notifier')
 #]

-CONFIG_FILES = {
-    CEILOMETER_CONF: {
+
+CONFIG_FILES = OrderedDict([
+    (CEILOMETER_CONF, {
        'hook_contexts': [context.IdentityServiceContext(),
-                          context.AMQPContext(),
+                          context.AMQPContext(ssl_dir=CEILOMETER_CONF_DIR),
                          LoggingConfigContext(),
                          MongoDBContext(),
                          CeilometerContext(),
                          context.SyslogContext()],
        'services': CEILOMETER_SERVICES
-    }
-}
+    }),
+    (HTTPS_APACHE_CONF, {
+        'hook_contexts': [ApacheSSLContext()],
+        'services': ['apache2'],
+    }),
+    (HTTPS_APACHE_24_CONF, {
+        'hook_contexts': [ApacheSSLContext()],
+        'services': ['apache2'],
+    })
+])

 TEMPLATES = 'templates'

@ -73,6 +93,12 @@ def register_configs():
    for conf in CONFIG_FILES:
        configs.register(conf, CONFIG_FILES[conf]['hook_contexts'])

+    if os.path.exists('/etc/apache2/conf-available'):
+        configs.register(HTTPS_APACHE_24_CONF,
+                         CONFIG_FILES[HTTPS_APACHE_24_CONF]['hook_contexts'])
+    else:
+        configs.register(HTTPS_APACHE_CONF,
+                         CONFIG_FILES[HTTPS_APACHE_CONF]['hook_contexts'])
    return configs


--- a/templates/havana/ceilometer.conf
+++ b/templates/havana/ceilometer.conf
@ -7,6 +7,8 @@
 [DEFAULT]
 debug = {{ debug }}
 verbose = {{ verbose }}
+use_syslog = {{ use_syslog }}
+
 {% if rabbitmq_host or rabbitmq_hosts -%}
 {% if rabbitmq_hosts -%}
 rabbit_hosts = {{ rabbitmq_hosts }}
@ -20,8 +22,14 @@ rabbit_host = {{ rabbitmq_host }}
 rabbit_userid = {{ rabbitmq_user }}
 rabbit_password = {{ rabbitmq_password }}
 rabbit_virtual_host = {{ rabbitmq_virtual_host }}
-{% endif -%}
-use_syslog = {{ use_syslog }}
+{% if rabbit_ssl_port %}
+rabbit_use_ssl=True
+rabbit_port={{ rabbit_ssl_port }}
+{% if rabbit_ssl_ca %}
+kombu_ssl_ca_certs={{rabbit_ssl_ca}}
+{% endif %}
+{% endif %}
+{% endif %}

 [api]
 port = {{ port }}
--- a/templates/openstack_https_frontend
+++ b/templates/openstack_https_frontend
@ -0,0 +1,23 @@
+{% if endpoints %}
+{% for ext, int in endpoints %}
+Listen {{ ext }}
+NameVirtualHost *:{{ ext }}
+<VirtualHost *:{{ ext }}>
+    ServerName {{ private_address }}
+    SSLEngine on
+    SSLCertificateFile /etc/apache2/ssl/{{ namespace }}/cert
+    SSLCertificateKeyFile /etc/apache2/ssl/{{ namespace }}/key
+    ProxyPass / http://localhost:{{ int }}/
+    ProxyPassReverse / http://localhost:{{ int }}/
+    ProxyPreserveHost on
+</VirtualHost>
+<Proxy *>
+    Order deny,allow
+    Allow from all
+</Proxy>
+<Location />
+    Order allow,deny
+    Allow from all
+</Location>
+{% endfor %}
+{% endif %}
--- a/templates/openstack_https_frontend.conf
+++ b/templates/openstack_https_frontend.conf
@ -0,0 +1 @@
+openstack_https_frontend
--- a/unit_tests/test_ceilometer_utils.py
+++ b/unit_tests/test_ceilometer_utils.py
@ -38,14 +38,22 @@ class CeilometerUtilsTest(CharmTestCase):

    def test_restart_map(self):
        restart_map = utils.restart_map()
-        self.assertEquals(restart_map,
-                          {'/etc/ceilometer/ceilometer.conf': [
-                              'ceilometer-agent-central',
-                              'ceilometer-collector',
-                              'ceilometer-api']})
+        self.assertEquals(
+            restart_map,
+            {'/etc/ceilometer/ceilometer.conf': [
+                'ceilometer-agent-central',
+                'ceilometer-collector',
+                'ceilometer-api'],
+             "/etc/apache2/sites-available/openstack_https_frontend": [
+                 'apache2'],
+             "/etc/apache2/sites-available/openstack_https_frontend.conf": [
+                 'apache2']
+             }
+        )

    def test_get_ceilometer_conf(self):
        class TestContext():
+
            def __call__(self):
                return {'data': 'test'}
        with patch.dict(utils.CONFIG_FILES,