reconfigure client ssl on runtime config change

2014-02-28 21:56:33 -05:00 · 2014-02-28 21:56:33 -05:00 · 8c05752d7b
parent 1699f88542
commit 8c05752d7b
3 changed files with 21 additions and 5 deletions
--- a/config.yaml
+++ b/config.yaml
@ -24,17 +24,17 @@ options:
    description: SSL port
  ssl_key:
    type: string
-    description: private unencrypted key in PEM format (starts "-----BEGIN RSA PRIVATE KEY-----")
+    description: private unencrypted key in base64 PEM format (starts "-----BEGIN RSA PRIVATE KEY-----")
    default: ""
  ssl_cert:
    type: string
-    description: X.509 certificate in PEM format (starts "-----BEGIN CERTIFICATE-----")
+    description: X.509 certificate in base64 PEM format (starts "-----BEGIN CERTIFICATE-----")
    default: ""
  ssl_ca:
    type: string
    description: |
-      Certificate authority cert that signed pem. Optional if the ssl_cert is signed by a ca
-      recognized by the os.
+      Certificate authority cert that the cert. Optional if the ssl_cert is signed by a ca
+      recognized by the os. Format is base64 PEM (concatenated certs if needed).
    default: ""

  nagios_context:
--- a/hooks/rabbitmq_server_relations.py
+++ b/hooks/rabbitmq_server_relations.py
@ -395,6 +395,20 @@ def _get_ssl_mode():
    return ssl_mode, external_ca


+def reconfigure_client_ssl(ssl_enabled=False):
+    ssl_config_keys = set(('ssl_key', 'ssl_cert', 'ssl_ca'))
+    for rid in hookenv.relation_ids('amqp'):
+        rdata = hookenv.relation_get(
+            rid=rid, unit=os.environ['JUJU_UNIT_NAME'])
+        if not ssl_enabled and ssl_config_keys.intersection(rdata):
+            # No clean way to remove entirely, but blank them.
+            utils.relation_set(
+                rid=rid, ssl_key='', ssl_cert='', ssl_ca='')
+        elif ssl_enabled and not ssl_config_keys.intersection(rdata):
+            configure_client_ssl(rdata)
+            utils.relation_set(rid=rid, **rdata)
+
+
 def configure_rabbit_ssl():
    """
    The legacy config support adds some additional complications.
@ -408,6 +422,7 @@ def configure_rabbit_ssl():
        if os.path.exists(rabbit.RABBITMQ_CONF):
            os.remove(rabbit.RABBITMQ_CONF)
        utils.close_port(utils.config_get('ssl_port'))
+        reconfigure_client_ssl()
        return

    ssl_key = utils.config_get('ssl_key')
@ -429,6 +444,7 @@ def configure_rabbit_ssl():
    rabbit.enable_ssl(
        ssl_key, ssl_cert, ssl_port, ssl_ca,
        ssl_only=(ssl_mode == "only"), ssl_client=False)
+    reconfigure_client_ssl(True)
    utils.open_port(ssl_port)


--- a/2
+++ b/2
@ -1 +1 @@
-114
+115