StephanSainleger
/
0k-charms
forked from 0k/0k-charms
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
Browse Source

new: [apache] ssl plugin support, added letsencrypt ssl support.

postgres
Valentin Lab 6 years ago
parent
255bbdb466
commit
ca3106c820
2 changed files with 89 additions and 29 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 117
      apache/lib/common
  2. 1
      apache/test/vhost

117
apache/lib/common
View File

@ -32,9 +32,14 @@ export -f apache_publish_dir
apache_vhost_create () { apache_vhost_create () {
export APACHE_CONFIG_LOCATION="$SERVICE_CONFIGSTORE/etc/apache2/sites-enabled" export APACHE_CONFIG_LOCATION="$SERVICE_CONFIGSTORE/etc/apache2/sites-enabled"
export SERVER_ALIAS=$(relation-get server-aliases 2>/dev/null) || true
export PROTOCOLS=$(__vhost_cfg_normalize_protocol) || return 1 export PROTOCOLS=$(__vhost_cfg_normalize_protocol) || return 1
export SSL_PLUGIN_FUN=$(ssl_get_plugin_fun) || return 1
if is_protocol_enabled https; then
"$SSL_PLUGIN_FUN"_vars "$(relation-get ssl)" || return 1
fi
apache_vhost_statement "$PROTOCOLS" | apache_vhost_statement "$PROTOCOLS" |
file_put "$APACHE_CONFIG_LOCATION/$prefix$DOMAIN.conf" || return 1 file_put "$APACHE_CONFIG_LOCATION/$prefix$DOMAIN.conf" || return 1
@ -43,9 +48,7 @@ apache_vhost_create () {
apache_passwd_file || return 1 apache_passwd_file || return 1
fi fi
if is_protocol_enabled https; then
apache_ssl_files
fi
"$SSL_PLUGIN_FUN"_prepare "$(relation-get ssl)" || return 1
} }
@ -91,10 +94,55 @@ __vhost_cfg_normalize_protocol() {
} }
apache_ssl_files() {
local content
## XXXvlab: called twice... no better way to do this ?
__vhost_ssl_statement > /dev/null
## ssl_plugin_* and ssl_fallback should :
## - do anything to ensure that
## - issue config-add to add volumes if necessary
## - output 3 vars of where to find the 3 files from within the docker apache
ssl_get_plugin_fun() {
local cfg="$(relation-get ssl 2>/dev/null)"
if [[ "$(echo "$cfg" | shyaml get-type 2>/dev/null)" == "str" ]]; then
target_relation=
while read-0 relation_name target_service relation_config tech_dep; do
[ "$target_service" == "$cfg" ] || continue
verb "service ${DARKYELLOW}$target_service${NORMAL} matches" \
"${WHITE}ssl${NORMAL} value: candidate relation is ${DARKBLUE}$relation_name${NORMAL}"
fun="ssl_plugin_${relation_name}"
if declare -F "${fun}_vars" >/dev/null 2>&1 && declare -F "${fun}_prepare" >/dev/null 2>&1; then
verb "Corresponding plugin ${DARKGREEN}found${NORMAL} for relation ${DARKBLUE}$relation_name${NORMAL}"
echo "$fun"
return 0
else
verb "Corresponding plugin ${DARKRED}not found${NORMAL} for relation ${DARKBLUE}$relation_name${NORMAL}"
fi
done < <(get_compose_relations "$SERVICE_NAME") || return 1
err "Invalid ${WHITE}ssl${NORMAL} value: '$cfg' is not a valid linked service through a support relation."
return 1
else
echo ssl_fallback
fi
}
ssl_fallback_vars() {
local cfg="$1" cert key ca_cert
if __vhost_cfg_ssl_cert=$(echo "$cfg" | shyaml get-value cert 2>/dev/null); then
__vhost_cfg_SSL_CERT_LOCATION=/etc/ssl/certs/${DOMAIN}.pem
fi
if __vhost_cfg_ssl_key=$(echo "$cfg" | shyaml get-value key 2>/dev/null); then
__vhost_cfg_SSL_KEY_LOCATION=/etc/ssl/private/${DOMAIN}.key
fi
if __vhost_cfg_ssl_ca_cert=$(echo "$cfg" | shyaml get-value ca-cert 2>/dev/null); then
__vhost_cfg_SSL_CA_CERT_LOCATION=/etc/ssl/certs/${DOMAIN}-ca.pem
fi
}
ssl_fallback_prepare() {
local cfg="$1" cert key ca_cert
dst="$CONFIGSTORE/$BASE_CHARM_NAME" dst="$CONFIGSTORE/$BASE_CHARM_NAME"
volumes="" volumes=""
for label in cert key ca_cert; do for label in cert key ca_cert; do
@ -117,6 +165,31 @@ $volumes
} }
ssl_plugin_letsencrypt-dns_vars() {
__vhost_cfg_SSL_CERT_LOCATION=/etc/letsencrypt/live/${DOMAIN}/cert.pem
__vhost_cfg_SSL_KEY_LOCATION=/etc/letsencrypt/live/${DOMAIN}/privkey.pem
__vhost_cfg_SSL_CHAIN=/etc/letsencrypt/live/${DOMAIN}/chain.pem
}
ssl_plugin_letsencrypt-dns_prepare() {
local service="$1" letsencrypt_charm
shift
export DEFAULT_COMPOSE_FILE="$COMPOSE_YML_FILE"
run_service_action "$service" add "$DOMAIN" $(echo "$SERVER_ALIAS" | shyaml get-values 2>/dev/null) || return 1
letsencrypt_charm=$(get_service_charm "$service") || return 1
config-add "\
services:
$MASTER_TARGET_CHARM_NAME:
volumes:
- $DATASTORE/${letsencrypt_charm}/etc/letsencrypt:/etc/letsencrypt:ro
" || return 1
}
apache_passwd_file() { apache_passwd_file() {
include parse || true include parse || true
@ -142,12 +215,15 @@ apache_passwd_file() {
## Produce the full statements depending on relation-get informations ## Produce the full statements depending on relation-get informations
apache_vhost_statement() { apache_vhost_statement() {
local vhost_statement local vhost_statement
export SERVER_ALIAS=$(relation-get server-aliases 2>/dev/null) || true
export PROTOCOLS="$1" export PROTOCOLS="$1"
if is_protocol_enabled http; then if is_protocol_enabled http; then
__vhost_full_vhost_statement http __vhost_full_vhost_statement http
fi fi
if is_protocol_enabled https; then if is_protocol_enabled https; then
export SSL_PLUGIN_FUN=$(ssl_get_plugin_fun) || return 1
"$SSL_PLUGIN_FUN"_vars "$(relation-get ssl 2>/dev/null)"
cat <<EOF cat <<EOF
<IfModule mod_ssl.c> <IfModule mod_ssl.c>
@ -246,28 +322,11 @@ $MASTER_BASE_CHARM_NAME:
__vhost_ssl_statement() { __vhost_ssl_statement() {
local key cert ca_cert
__vhost_cfg_ssl="$(relation-get ssl 2>/dev/null)"
if __vhost_cfg_ssl_cert=$(echo "$__vhost_cfg_ssl" | shyaml get-value cert 2>/dev/null); then
__vhost_cfg_SSL_CERT_LOCATION=/etc/ssl/certs/${DOMAIN}.pem
fi
if __vhost_cfg_ssl_key=$(echo "$__vhost_cfg_ssl" | shyaml get-value key 2>/dev/null); then
__vhost_cfg_SSL_KEY_LOCATION=/etc/ssl/private/${DOMAIN}.key
fi
if __vhost_cfg_ssl_ca_cert=$(echo "$__vhost_cfg_ssl" | shyaml get-value ca-cert 2>/dev/null); then
__vhost_cfg_SSL_CA_CERT_LOCATION=/etc/ssl/certs/${DOMAIN}-ca.pem
fi
if [ -z "$__vhost_cfg_SSL_CERT_LOCATION" ]; then
__vhost_cfg_SSL_CERT_LOCATION=/etc/ssl/certs/ssl-cert-snakeoil.pem
fi
## defaults
if [ -z "$__vhost_cfg_SSL_KEY_LOCATION" ]; then
__vhost_cfg_SSL_KEY_LOCATION=/etc/ssl/private/ssl-cert-snakeoil.key
fi
__vhost_cfg_SSL_CERT_LOCATION=${__vhost_cfg_SSL_CERT_LOCATION:-/etc/ssl/certs/ssl-cert-snakeoil.pem}
__vhost_cfg_SSL_KEY_LOCATION=${__vhost_cfg_SSL_KEY_LOCATION:-/etc/ssl/private/ssl-cert-snakeoil.key}
cat <<EOF cat <<EOF
@ -280,13 +339,14 @@ SSLEngine On
SSLCertificateFile $__vhost_cfg_SSL_CERT_LOCATION SSLCertificateFile $__vhost_cfg_SSL_CERT_LOCATION
SSLCertificateKeyFile $__vhost_cfg_SSL_KEY_LOCATION SSLCertificateKeyFile $__vhost_cfg_SSL_KEY_LOCATION
$([ -z "$__vhost_cfg_SSL_CA_CERT_LOCATION" ] || echo "SSLCACertificateFile $__vhost_cfg_SSL_CA_CERT_LOCATION") $([ -z "$__vhost_cfg_SSL_CA_CERT_LOCATION" ] || echo "SSLCACertificateFile $__vhost_cfg_SSL_CA_CERT_LOCATION")
$([ -z "$__vhost_cfg_SSL_CHAIN" ] || echo "SSLCertificateChainFile $__vhost_cfg_SSL_CHAIN")
SSLVerifyClient None SSLVerifyClient None
EOF EOF
} }
__vhost_creds_statement() {
__vhost_creds_statement() {
if ! __vhost_cfg_creds_enabled=$(relation-get creds 2>/dev/null); then if ! __vhost_cfg_creds_enabled=$(relation-get creds 2>/dev/null); then
echo "Allow from all" echo "Allow from all"
return 0 return 0
@ -306,7 +366,6 @@ EOF
__vhost_head_statement() { __vhost_head_statement() {
local protocol="$1" local protocol="$1"
SERVER_ALIAS=$(relation-get server-aliases 2>/dev/null) || true
if [ "$protocol" == "https" ]; then if [ "$protocol" == "https" ]; then
prefix="s-" prefix="s-"

1
apache/test/vhost
View File

@ -331,6 +331,7 @@ is out '<VirtualHost *:80>
SSLCertificateFile /etc/ssl/certs/www.example.com.pem SSLCertificateFile /etc/ssl/certs/www.example.com.pem
SSLCertificateKeyFile /etc/ssl/private/www.example.com.key SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
SSLCACertificateFile /etc/ssl/certs/www.example.com-ca.pem SSLCACertificateFile /etc/ssl/certs/www.example.com-ca.pem
SSLVerifyClient None SSLVerifyClient None

Write Preview
Loading…
Cancel
Save