Browse Source

new: [apache] ssl plugin support, added letsencrypt ssl support.

postgres
Valentin Lab 6 years ago
parent
commit
ca3106c820
  1. 117
      apache/lib/common
  2. 1
      apache/test/vhost

117
apache/lib/common

@ -32,9 +32,14 @@ export -f apache_publish_dir
apache_vhost_create () { apache_vhost_create () {
export APACHE_CONFIG_LOCATION="$SERVICE_CONFIGSTORE/etc/apache2/sites-enabled" export APACHE_CONFIG_LOCATION="$SERVICE_CONFIGSTORE/etc/apache2/sites-enabled"
export SERVER_ALIAS=$(relation-get server-aliases 2>/dev/null) || true
export PROTOCOLS=$(__vhost_cfg_normalize_protocol) || return 1 export PROTOCOLS=$(__vhost_cfg_normalize_protocol) || return 1
export SSL_PLUGIN_FUN=$(ssl_get_plugin_fun) || return 1
if is_protocol_enabled https; then
"$SSL_PLUGIN_FUN"_vars "$(relation-get ssl)" || return 1
fi
apache_vhost_statement "$PROTOCOLS" | apache_vhost_statement "$PROTOCOLS" |
file_put "$APACHE_CONFIG_LOCATION/$prefix$DOMAIN.conf" || return 1 file_put "$APACHE_CONFIG_LOCATION/$prefix$DOMAIN.conf" || return 1
@ -43,9 +48,7 @@ apache_vhost_create () {
apache_passwd_file || return 1 apache_passwd_file || return 1
fi fi
if is_protocol_enabled https; then
apache_ssl_files
fi
"$SSL_PLUGIN_FUN"_prepare "$(relation-get ssl)" || return 1
} }
@ -91,10 +94,55 @@ __vhost_cfg_normalize_protocol() {
} }
apache_ssl_files() {
local content
## XXXvlab: called twice... no better way to do this ?
__vhost_ssl_statement > /dev/null
## ssl_plugin_* and ssl_fallback should :
## - do anything to ensure that
## - issue config-add to add volumes if necessary
## - output 3 vars of where to find the 3 files from within the docker apache
ssl_get_plugin_fun() {
local cfg="$(relation-get ssl 2>/dev/null)"
if [[ "$(echo "$cfg" | shyaml get-type 2>/dev/null)" == "str" ]]; then
target_relation=
while read-0 relation_name target_service relation_config tech_dep; do
[ "$target_service" == "$cfg" ] || continue
verb "service ${DARKYELLOW}$target_service${NORMAL} matches" \
"${WHITE}ssl${NORMAL} value: candidate relation is ${DARKBLUE}$relation_name${NORMAL}"
fun="ssl_plugin_${relation_name}"
if declare -F "${fun}_vars" >/dev/null 2>&1 && declare -F "${fun}_prepare" >/dev/null 2>&1; then
verb "Corresponding plugin ${DARKGREEN}found${NORMAL} for relation ${DARKBLUE}$relation_name${NORMAL}"
echo "$fun"
return 0
else
verb "Corresponding plugin ${DARKRED}not found${NORMAL} for relation ${DARKBLUE}$relation_name${NORMAL}"
fi
done < <(get_compose_relations "$SERVICE_NAME") || return 1
err "Invalid ${WHITE}ssl${NORMAL} value: '$cfg' is not a valid linked service through a support relation."
return 1
else
echo ssl_fallback
fi
}
ssl_fallback_vars() {
local cfg="$1" cert key ca_cert
if __vhost_cfg_ssl_cert=$(echo "$cfg" | shyaml get-value cert 2>/dev/null); then
__vhost_cfg_SSL_CERT_LOCATION=/etc/ssl/certs/${DOMAIN}.pem
fi
if __vhost_cfg_ssl_key=$(echo "$cfg" | shyaml get-value key 2>/dev/null); then
__vhost_cfg_SSL_KEY_LOCATION=/etc/ssl/private/${DOMAIN}.key
fi
if __vhost_cfg_ssl_ca_cert=$(echo "$cfg" | shyaml get-value ca-cert 2>/dev/null); then
__vhost_cfg_SSL_CA_CERT_LOCATION=/etc/ssl/certs/${DOMAIN}-ca.pem
fi
}
ssl_fallback_prepare() {
local cfg="$1" cert key ca_cert
dst="$CONFIGSTORE/$BASE_CHARM_NAME" dst="$CONFIGSTORE/$BASE_CHARM_NAME"
volumes="" volumes=""
for label in cert key ca_cert; do for label in cert key ca_cert; do
@ -117,6 +165,31 @@ $volumes
} }
ssl_plugin_letsencrypt-dns_vars() {
__vhost_cfg_SSL_CERT_LOCATION=/etc/letsencrypt/live/${DOMAIN}/cert.pem
__vhost_cfg_SSL_KEY_LOCATION=/etc/letsencrypt/live/${DOMAIN}/privkey.pem
__vhost_cfg_SSL_CHAIN=/etc/letsencrypt/live/${DOMAIN}/chain.pem
}
ssl_plugin_letsencrypt-dns_prepare() {
local service="$1" letsencrypt_charm
shift
export DEFAULT_COMPOSE_FILE="$COMPOSE_YML_FILE"
run_service_action "$service" add "$DOMAIN" $(echo "$SERVER_ALIAS" | shyaml get-values 2>/dev/null) || return 1
letsencrypt_charm=$(get_service_charm "$service") || return 1
config-add "\
services:
$MASTER_TARGET_CHARM_NAME:
volumes:
- $DATASTORE/${letsencrypt_charm}/etc/letsencrypt:/etc/letsencrypt:ro
" || return 1
}
apache_passwd_file() { apache_passwd_file() {
include parse || true include parse || true
@ -142,12 +215,15 @@ apache_passwd_file() {
## Produce the full statements depending on relation-get informations ## Produce the full statements depending on relation-get informations
apache_vhost_statement() { apache_vhost_statement() {
local vhost_statement local vhost_statement
export SERVER_ALIAS=$(relation-get server-aliases 2>/dev/null) || true
export PROTOCOLS="$1" export PROTOCOLS="$1"
if is_protocol_enabled http; then if is_protocol_enabled http; then
__vhost_full_vhost_statement http __vhost_full_vhost_statement http
fi fi
if is_protocol_enabled https; then if is_protocol_enabled https; then
export SSL_PLUGIN_FUN=$(ssl_get_plugin_fun) || return 1
"$SSL_PLUGIN_FUN"_vars "$(relation-get ssl 2>/dev/null)"
cat <<EOF cat <<EOF
<IfModule mod_ssl.c> <IfModule mod_ssl.c>
@ -246,28 +322,11 @@ $MASTER_BASE_CHARM_NAME:
__vhost_ssl_statement() { __vhost_ssl_statement() {
local key cert ca_cert
__vhost_cfg_ssl="$(relation-get ssl 2>/dev/null)"
if __vhost_cfg_ssl_cert=$(echo "$__vhost_cfg_ssl" | shyaml get-value cert 2>/dev/null); then
__vhost_cfg_SSL_CERT_LOCATION=/etc/ssl/certs/${DOMAIN}.pem
fi
if __vhost_cfg_ssl_key=$(echo "$__vhost_cfg_ssl" | shyaml get-value key 2>/dev/null); then
__vhost_cfg_SSL_KEY_LOCATION=/etc/ssl/private/${DOMAIN}.key
fi
if __vhost_cfg_ssl_ca_cert=$(echo "$__vhost_cfg_ssl" | shyaml get-value ca-cert 2>/dev/null); then
__vhost_cfg_SSL_CA_CERT_LOCATION=/etc/ssl/certs/${DOMAIN}-ca.pem
fi
if [ -z "$__vhost_cfg_SSL_CERT_LOCATION" ]; then
__vhost_cfg_SSL_CERT_LOCATION=/etc/ssl/certs/ssl-cert-snakeoil.pem
fi
## defaults
if [ -z "$__vhost_cfg_SSL_KEY_LOCATION" ]; then
__vhost_cfg_SSL_KEY_LOCATION=/etc/ssl/private/ssl-cert-snakeoil.key
fi
__vhost_cfg_SSL_CERT_LOCATION=${__vhost_cfg_SSL_CERT_LOCATION:-/etc/ssl/certs/ssl-cert-snakeoil.pem}
__vhost_cfg_SSL_KEY_LOCATION=${__vhost_cfg_SSL_KEY_LOCATION:-/etc/ssl/private/ssl-cert-snakeoil.key}
cat <<EOF cat <<EOF
@ -280,13 +339,14 @@ SSLEngine On
SSLCertificateFile $__vhost_cfg_SSL_CERT_LOCATION SSLCertificateFile $__vhost_cfg_SSL_CERT_LOCATION
SSLCertificateKeyFile $__vhost_cfg_SSL_KEY_LOCATION SSLCertificateKeyFile $__vhost_cfg_SSL_KEY_LOCATION
$([ -z "$__vhost_cfg_SSL_CA_CERT_LOCATION" ] || echo "SSLCACertificateFile $__vhost_cfg_SSL_CA_CERT_LOCATION") $([ -z "$__vhost_cfg_SSL_CA_CERT_LOCATION" ] || echo "SSLCACertificateFile $__vhost_cfg_SSL_CA_CERT_LOCATION")
$([ -z "$__vhost_cfg_SSL_CHAIN" ] || echo "SSLCertificateChainFile $__vhost_cfg_SSL_CHAIN")
SSLVerifyClient None SSLVerifyClient None
EOF EOF
} }
__vhost_creds_statement() {
__vhost_creds_statement() {
if ! __vhost_cfg_creds_enabled=$(relation-get creds 2>/dev/null); then if ! __vhost_cfg_creds_enabled=$(relation-get creds 2>/dev/null); then
echo "Allow from all" echo "Allow from all"
return 0 return 0
@ -306,7 +366,6 @@ EOF
__vhost_head_statement() { __vhost_head_statement() {
local protocol="$1" local protocol="$1"
SERVER_ALIAS=$(relation-get server-aliases 2>/dev/null) || true
if [ "$protocol" == "https" ]; then if [ "$protocol" == "https" ]; then
prefix="s-" prefix="s-"

1
apache/test/vhost

@ -331,6 +331,7 @@ is out '<VirtualHost *:80>
SSLCertificateFile /etc/ssl/certs/www.example.com.pem SSLCertificateFile /etc/ssl/certs/www.example.com.pem
SSLCertificateKeyFile /etc/ssl/private/www.example.com.key SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
SSLCACertificateFile /etc/ssl/certs/www.example.com-ca.pem SSLCACertificateFile /etc/ssl/certs/www.example.com-ca.pem
SSLVerifyClient None SSLVerifyClient None

Loading…
Cancel
Save