charm-keystone/hooks/keystone_context.py

from charmhelpers.core.hookenv import config

from charmhelpers.core.host import mkdir, write_file

from charmhelpers.contrib.openstack import context

from charmhelpers.contrib.hahelpers.cluster import (
    determine_apache_port,
    determine_api_port
)

from charmhelpers.contrib.hahelpers.apache import install_ca_cert

import os

CA_CERT_PATH = '/usr/local/share/ca-certificates/keystone_juju_ca_cert.crt'


class ApacheSSLContext(context.ApacheSSLContext):

    interfaces = ['https']
    external_ports = []
    service_namespace = 'keystone'

    def __call__(self):
        # late import to work around circular dependency
        from keystone_utils import determine_ports
        self.external_ports = determine_ports()
        return super(ApacheSSLContext, self).__call__()

    def configure_cert(self, cn):
        from keystone_utils import SSH_USER, get_ca
        ssl_dir = os.path.join('/etc/apache2/ssl/', self.service_namespace)
        mkdir(path=ssl_dir)
        ca = get_ca(user=SSH_USER)
        cert, key = ca.get_cert_and_key(common_name=cn)
        write_file(path=os.path.join(ssl_dir, 'cert_{}'.format(cn)),
                   content=cert)
        write_file(path=os.path.join(ssl_dir, 'key_{}'.format(cn)),
                   content=key)

    def configure_ca(self):
        from keystone_utils import SSH_USER, get_ca
        ca = get_ca(user=SSH_USER)
        install_ca_cert(ca.get_ca_bundle())

    def canonical_names(self):
        addresses = self.get_network_addresses()
        addrs = []
        for address, endpoint in addresses:
            addrs.append(endpoint)

        return list(set(addrs))


class HAProxyContext(context.HAProxyContext):
    interfaces = []

    def __call__(self):
        '''
        Extends the main charmhelpers HAProxyContext with a port mapping
        specific to this charm.
        Also used to extend nova.conf context with correct api_listening_ports
        '''
        from keystone_utils import api_port
        ctxt = super(HAProxyContext, self).__call__()

        # determine which port api processes should bind to, depending
        # on existence of haproxy + apache frontends
        listen_ports = {}
        listen_ports['admin_port'] = api_port('keystone-admin')
        listen_ports['public_port'] = api_port('keystone-public')

        # Apache ports
        a_admin_port = determine_apache_port(api_port('keystone-admin'))
        a_public_port = determine_apache_port(api_port('keystone-public'))

        port_mapping = {
            'admin-port': [
                api_port('keystone-admin'), a_admin_port],
            'public-port': [
                api_port('keystone-public'), a_public_port],
        }

        # for haproxy.conf
        ctxt['service_ports'] = port_mapping
        # for keystone.conf
        ctxt['listen_ports'] = listen_ports
        return ctxt


class KeystoneContext(context.OSContextGenerator):
    interfaces = []

    def __call__(self):
        from keystone_utils import (
            api_port, set_admin_token,
            endpoint_url, resolve_address,
            PUBLIC, ADMIN
        )
        ctxt = {}
        ctxt['token'] = set_admin_token(config('admin-token'))
        ctxt['admin_port'] = determine_api_port(api_port('keystone-admin'))
        ctxt['public_port'] = determine_api_port(api_port('keystone-public'))
        ctxt['debug'] = config('debug') in ['yes', 'true', 'True']
        ctxt['verbose'] = config('verbose') in ['yes', 'true', 'True']
        ctxt['identity_backend'] = config('identity-backend')
        ctxt['assignment_backend'] = config('assignment-backend')
        if config('identity-backend') == 'ldap':
            ctxt['ldap_server'] = config('ldap-server')
            ctxt['ldap_user'] = config('ldap-user')
            ctxt['ldap_password'] = config('ldap-password')
            ctxt['ldap_suffix'] = config('ldap-suffix')
            ctxt['ldap_readonly'] = config('ldap-readonly')
            ldap_flags = config('ldap-config-flags')
            if ldap_flags:
                flags = context.config_flags_parser(ldap_flags)
                ctxt['ldap_config_flags'] = flags

        if config('enable-pki') not in ['false', 'False', 'no', 'No']:
            ctxt['signing'] = True

        # Base endpoint URL's which are used in keystone responses
        # to unauthenticated requests to redirect clients to the
        # correct auth URL.
        ctxt['public_endpoint'] = endpoint_url(
            resolve_address(PUBLIC),
            api_port('keystone-public')).rstrip('v2.0')
        ctxt['admin_endpoint'] = endpoint_url(
            resolve_address(ADMIN),
            api_port('keystone-admin')).rstrip('v2.0')
        return ctxt
sync with lp:~xianghui/charm-helpers/lp1385162, use get_adrresses() in charms-helpers instead. 2014-11-13 22:26:56 +08:00			`from charmhelpers.core.hookenv import config`
Support https under multiple networks 2014-09-22 15:23:26 +01:00
			`from charmhelpers.core.host import mkdir, write_file`
Rewrite charm to get it more in line with other OpenStack charms. Added support for contexts and templating. Makes use of charm-helpers instead of relaying on its own tools (probably could use some additional work). HA is currently non-functional. ETA for fixing: less than 2 days. 2014-02-25 12:34:13 +01:00
			`from charmhelpers.contrib.openstack import context`

			`from charmhelpers.contrib.hahelpers.cluster import (`
			`determine_apache_port,`
sync with lp:~xianghui/charm-helpers/lp1385162, use get_adrresses() in charms-helpers instead. 2014-11-13 22:26:56 +08:00			`determine_api_port`
Rewrite charm to get it more in line with other OpenStack charms. Added support for contexts and templating. Makes use of charm-helpers instead of relaying on its own tools (probably could use some additional work). HA is currently non-functional. ETA for fixing: less than 2 days. 2014-02-25 12:34:13 +01:00			`)`

Support https under multiple networks 2014-09-22 15:23:26 +01:00			`from charmhelpers.contrib.hahelpers.apache import install_ca_cert`

Rewrite charm to get it more in line with other OpenStack charms. Added support for contexts and templating. Makes use of charm-helpers instead of relaying on its own tools (probably could use some additional work). HA is currently non-functional. ETA for fixing: less than 2 days. 2014-02-25 12:34:13 +01:00			`import os`

			`CA_CERT_PATH = '/usr/local/share/ca-certificates/keystone_juju_ca_cert.crt'`

Restore logging options 2014-02-26 17:28:37 +00:00
Rewrite charm to get it more in line with other OpenStack charms. Added support for contexts and templating. Makes use of charm-helpers instead of relaying on its own tools (probably could use some additional work). HA is currently non-functional. ETA for fixing: less than 2 days. 2014-02-25 12:34:13 +01:00			`class ApacheSSLContext(context.ApacheSSLContext):`

			`interfaces = ['https']`
			`external_ports = []`
			`service_namespace = 'keystone'`

			`def __call__(self):`
			`# late import to work around circular dependency`
			`from keystone_utils import determine_ports`
			`self.external_ports = determine_ports()`
			`return super(ApacheSSLContext, self).__call__()`

Support https under multiple networks 2014-09-22 15:23:26 +01:00			`def configure_cert(self, cn):`
Rewrite charm to get it more in line with other OpenStack charms. Added support for contexts and templating. Makes use of charm-helpers instead of relaying on its own tools (probably could use some additional work). HA is currently non-functional. ETA for fixing: less than 2 days. 2014-02-25 12:34:13 +01:00			`from keystone_utils import SSH_USER, get_ca`
			`ssl_dir = os.path.join('/etc/apache2/ssl/', self.service_namespace)`
Support https under multiple networks 2014-09-22 15:23:26 +01:00			`mkdir(path=ssl_dir)`
Rewrite charm to get it more in line with other OpenStack charms. Added support for contexts and templating. Makes use of charm-helpers instead of relaying on its own tools (probably could use some additional work). HA is currently non-functional. ETA for fixing: less than 2 days. 2014-02-25 12:34:13 +01:00			`ca = get_ca(user=SSH_USER)`
Support https under multiple networks 2014-09-22 15:23:26 +01:00			`cert, key = ca.get_cert_and_key(common_name=cn)`
			`write_file(path=os.path.join(ssl_dir, 'cert_{}'.format(cn)),`
			`content=cert)`
			`write_file(path=os.path.join(ssl_dir, 'key_{}'.format(cn)),`
			`content=key)`

			`def configure_ca(self):`
			`from keystone_utils import SSH_USER, get_ca`
			`ca = get_ca(user=SSH_USER)`
			`install_ca_cert(ca.get_ca_bundle())`

			`def canonical_names(self):`
Sync lp:charm-helpers. 2014-11-14 10:16:38 +08:00			`addresses = self.get_network_addresses()`
sync with lp:~xianghui/charm-helpers/lp1385162, use get_adrresses() in charms-helpers instead. 2014-11-13 22:26:56 +08:00			`addrs = []`
			`for address, endpoint in addresses:`
			`addrs.append(endpoint)`

			`return list(set(addrs))`
Rewrite charm to get it more in line with other OpenStack charms. Added support for contexts and templating. Makes use of charm-helpers instead of relaying on its own tools (probably could use some additional work). HA is currently non-functional. ETA for fixing: less than 2 days. 2014-02-25 12:34:13 +01:00

			`class HAProxyContext(context.HAProxyContext):`
			`interfaces = []`

			`def __call__(self):`
			`'''`
			`Extends the main charmhelpers HAProxyContext with a port mapping`
			`specific to this charm.`
			`Also used to extend nova.conf context with correct api_listening_ports`
			`'''`
			`from keystone_utils import api_port`
			`ctxt = super(HAProxyContext, self).__call__()`

			`# determine which port api processes should bind to, depending`
			`# on existence of haproxy + apache frontends`
			`listen_ports = {}`
			`listen_ports['admin_port'] = api_port('keystone-admin')`
			`listen_ports['public_port'] = api_port('keystone-public')`

			`# Apache ports`
			`a_admin_port = determine_apache_port(api_port('keystone-admin'))`
			`a_public_port = determine_apache_port(api_port('keystone-public'))`

			`port_mapping = {`
			`'admin-port': [`
			`api_port('keystone-admin'), a_admin_port],`
			`'public-port': [`
			`api_port('keystone-public'), a_public_port],`
			`}`

			`# for haproxy.conf`
			`ctxt['service_ports'] = port_mapping`
			`# for keystone.conf`
			`ctxt['listen_ports'] = listen_ports`
			`return ctxt`


			`class KeystoneContext(context.OSContextGenerator):`
			`interfaces = []`

			`def __call__(self):`
Add explicit endpoint configuration 2014-09-21 18:57:48 +01:00			`from keystone_utils import (`
			`api_port, set_admin_token,`
			`endpoint_url, resolve_address,`
			`PUBLIC, ADMIN`
			`)`
Rewrite charm to get it more in line with other OpenStack charms. Added support for contexts and templating. Makes use of charm-helpers instead of relaying on its own tools (probably could use some additional work). HA is currently non-functional. ETA for fixing: less than 2 days. 2014-02-25 12:34:13 +01:00			`ctxt = {}`
Ensure configured admin-token is used if provided 2014-03-28 11:34:38 +00:00			`ctxt['token'] = set_admin_token(config('admin-token'))`
Rewrite charm to get it more in line with other OpenStack charms. Added support for contexts and templating. Makes use of charm-helpers instead of relaying on its own tools (probably could use some additional work). HA is currently non-functional. ETA for fixing: less than 2 days. 2014-02-25 12:34:13 +01:00			`ctxt['admin_port'] = determine_api_port(api_port('keystone-admin'))`
			`ctxt['public_port'] = determine_api_port(api_port('keystone-public'))`
Restore logging options 2014-02-26 17:28:37 +00:00			`ctxt['debug'] = config('debug') in ['yes', 'true', 'True']`
			`ctxt['verbose'] = config('verbose') in ['yes', 'true', 'True']`
Support ldap identity backend 2014-08-11 17:23:45 +08:00			`ctxt['identity_backend'] = config('identity-backend')`
			`ctxt['assignment_backend'] = config('assignment-backend')`
			`if config('identity-backend') == 'ldap':`
			`ctxt['ldap_server'] = config('ldap-server')`
			`ctxt['ldap_user'] = config('ldap-user')`
			`ctxt['ldap_password'] = config('ldap-password')`
			`ctxt['ldap_suffix'] = config('ldap-suffix')`
Support using ldap identity backend 2014-08-12 13:39:51 +08:00			`ctxt['ldap_readonly'] = config('ldap-readonly')`
Support ldap identity backend 2014-08-11 17:23:45 +08:00			`ldap_flags = config('ldap-config-flags')`
			`if ldap_flags:`
			`flags = context.config_flags_parser(ldap_flags)`
			`ctxt['ldap_config_flags'] = flags`

Rewrite charm to get it more in line with other OpenStack charms. Added support for contexts and templating. Makes use of charm-helpers instead of relaying on its own tools (probably could use some additional work). HA is currently non-functional. ETA for fixing: less than 2 days. 2014-02-25 12:34:13 +01:00			`if config('enable-pki') not in ['false', 'False', 'no', 'No']:`
			`ctxt['signing'] = True`
Add explicit endpoint configuration 2014-09-21 18:57:48 +01:00
Drop v2.0 from base endpoints 2014-09-22 09:32:02 +01:00			`# Base endpoint URL's which are used in keystone responses`
			`# to unauthenticated requests to redirect clients to the`
			`# correct auth URL.`
			`ctxt['public_endpoint'] = endpoint_url(`
			`resolve_address(PUBLIC),`
Revert previous change 2014-09-22 09:39:54 +01:00			`api_port('keystone-public')).rstrip('v2.0')`
Drop v2.0 from base endpoints 2014-09-22 09:32:02 +01:00			`ctxt['admin_endpoint'] = endpoint_url(`
			`resolve_address(ADMIN),`
Revert previous change 2014-09-22 09:39:54 +01:00			`api_port('keystone-admin')).rstrip('v2.0')`
Rewrite charm to get it more in line with other OpenStack charms. Added support for contexts and templating. Makes use of charm-helpers instead of relaying on its own tools (probably could use some additional work). HA is currently non-functional. ETA for fixing: less than 2 days. 2014-02-25 12:34:13 +01:00			`return ctxt`