diff --git a/config.yaml b/config.yaml
index 95362e7..edfc69e 100644
--- a/config.yaml
+++ b/config.yaml
@@ -46,6 +46,17 @@ options:
zones before the storage ring will be initially balance. Deployment
requirements differ based on the zone-assignment policy configured, see
this charm's README for details.
+ # User provided SSL cert and key
+ ssl_cert:
+ type: string
+ description: |
+ SSL certificate to install and use for API ports. Setting this value
+ and ssl_key will enable reverse proxying, point Swifts's entry in the
+ Keystone catalog to use https, and override any certficiate and key
+ issued by Keystone (if it is configured to do so).
+ ssl_key:
+ type: string
+ description: SSL key to use with certificate specified as ssl_cert.
# CA Cert info
use-https:
default: "no"
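Review bot: The `ssl_key` description at the end of the added options does not say what form the value takes (PEM text pasted as-is, base64-wrapped, or otherwise) or that it is a private key that will live in charm configuration, so an operator cannot tell how to supply it or how it is exposed; suggest `description: Private key for the certificate given in ssl_cert, in the same encoding; treat as secret.` once the encoding is settled. The `ssl_cert` description has two typos, `Swifts's` and `certficiate`, and should state the expected encoding as well. The existing `use-https` option in the context lines just below remains a separate switch, and the new descriptions should say how it interacts with ssl_cert/ssl_key, which the text presents as enabling HTTPS on their own.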
diff --git a/hooks/swift_hooks.py b/hooks/swift_hooks.py
index 8777365..e59e422 100755
--- a/hooks/swift_hooks.py
+++ b/hooks/swift_hooks.py
@@ -44,9 +44,6 @@ def install():
with open(swift.MEMCACHED_CONF, 'w') as conf:
conf.write(swift.render_config(swift.MEMCACHED_CONF, ctxt))
- # generate or setup SSL certificate
- swift.configure_ssl()
-
# initialize new storage rings.
for ring in swift.SWIFT_RINGS.iteritems():
swift.initialize_ring(ring[1],
@@ -60,7 +57,7 @@ def install():
uid, gid = swift.swift_user()
os.chown(swift.WWW_DIR, uid, gid)
swift.write_apache_config()
- utils.configure_https()
+ swift.configure_https()
def keystone_joined(relid=None):
@@ -71,8 +68,7 @@ def keystone_joined(relid=None):
else:
hostname = utils.unit_get('private-address')
port = utils.config_get('bind-port')
- ssl = utils.config_get('use-https')
- if ssl == 'yes':
+ if utils.https():
proto = 'https'
else:
proto = 'http'
@@ -88,7 +84,10 @@ def keystone_joined(relid=None):
def keystone_changed():
swift.write_proxy_config()
- utils.configure_https()
+ swift.configure_https()
+ # Re-fire keystone hooks to ripple back the HTTPS service entry
+ for relid in utils.relation_ids('identity-service'):
+ keystone_joined(relid=relid)
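Review bot: The re-fire loop added after `swift.configure_https()` runs on every keystone_changed, including deployments without HTTPS, so the catalog entry is re-sent on each identity-service relation for every change even though the comment says its purpose is to ripple back the HTTPS entry. Guard it the same way keystone_joined now does, with `if utils.https():` around the `for relid in utils.relation_ids('identity-service'):` loop. The return value of `swift.configure_https()` cannot serve as that guard as written, because the helper (swift_utils.py in this diff) only returns a value on its no-HTTPS path. Since keystone_joined writes relation data that keystone may answer with another keystone_changed, the handler should stay idempotent; a short comment saying the loop is safe to repeat would make that intent explicit.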
def balance_rings():
@@ -159,19 +158,11 @@ def config_changed():
for relid in relids:
keystone_joined(relid)
swift.write_proxy_config()
- utils.configure_https()
+ swift.configure_https()
def cluster_changed():
- api_port = utils.config_get('bind-port')
- service_ports = {
- "swift": [
- utils.determine_haproxy_port(api_port),
- utils.determine_api_port(api_port)
- ]
- }
- swift.proxy_control('restart')
- utils.configure_haproxy(service_ports)
+ swift.configure_haproxy()
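Review bot: Replacing the body of cluster_changed with `swift.configure_haproxy()` drops the explicit `swift.proxy_control('restart')` the old code issued before reconfiguring haproxy; the new helper in swift_utils.py (same diff) calls `write_proxy_config()` instead, and whether that restarts the proxy is not visible here. If it does not, a cluster membership change now rewrites the haproxy configuration without bouncing the proxy, which the old hook did. If dropping the restart is intended, a one-line comment on the call such as `# write_proxy_config() restarts the proxy; no separate restart needed` would save the next reader the check; otherwise keep `swift.proxy_control('restart')` before the call.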
def ha_relation_changed():
diff --git a/hooks/swift_utils.py b/hooks/swift_utils.py
index c6f0458..1121a8d 100644
--- a/hooks/swift_utils.py
+++ b/hooks/swift_utils.py
@@ -383,3 +383,30 @@ def write_apache_config():
conf.write(render_config(APACHE_CONF, ctxt))
subprocess.check_call(['service', 'apache2', 'reload'])
+
+def configure_haproxy():
+ api_port = utils.config_get('bind-port')
+ service_ports = {
+ "swift": [
+ utils.determine_haproxy_port(api_port),
+ utils.determine_api_port(api_port)
+ ]
+ }
+ write_proxy_config()
+ utils.configure_haproxy(service_ports)
+
+
+def configure_https():
+ if utils.https():
+ api_port = utils.config_get('bind-port')
+ if (len(utils.peer_units) > 0 or
+ utils.is_clustered()):
+ target_port = utils.determine_haproxy_port(api_port)
+ configure_haproxy()
+ else:
+ target_port = utils.determine_api_port(api_port)
+ write_proxy_config()
+ utils.setup_https(namespace="swift",
+ port_maps={api_port: target_port})
+ else:
+ return False
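Review bot: In configure_https, `len(utils.peer_units)` measures the attribute itself rather than a result; `utils.is_clustered()` on the next line is called, so if `peer_units` is likewise a function this raises TypeError on every HTTPS deployment instead of evaluating the clustered branch, and the condition should read `if (len(utils.peer_units()) > 0 or`. The function also returns `False` when HTTPS is disabled but falls off the end (None) after `utils.setup_https(...)` succeeds, so callers cannot distinguish the two outcomes; add `return True` after the setup_https call and a docstring stating that the return value is whether HTTPS was configured. configure_haproxy in the same hunk has no docstring; a one-liner such as `"""Rewrite the proxy config and pass the haproxy/api port pair for bind-port to utils.configure_haproxy."""` would document what it does and that it now carries the port computation formerly in cluster_changed.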
diff --git a/templates/apache2_site.tmpl b/templates/apache2_site.tmpl
new file mode 100644
index 0000000..812f1b4
--- /dev/null
+++ b/templates/apache2_site.tmpl
@@ -0,0 +1,19 @@
+Listen {{ ext }}
+NameVirtualHost *:{{ ext }}
+
+ ServerName {{ private-address }}
+ SSLEngine on
+ SSLCertificateFile /etc/apache2/ssl/{{ namespace }}/cert
+ SSLCertificateKeyFile /etc/apache2/ssl/{{ namespace }}/key
+ ProxyPass / http://localhost:{{ int }}/
+ ProxyPassReverse / http://localhost:{{ int }}/
+ ProxyPreserveHost on
+
+
+ Order deny,allow
+ Allow from all
+
+
+ Order allow,deny
+ Allow from all
+
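Review bot: `ServerName {{ private-address }}` on the third line of the template is a subtraction expression rather than a variable lookup if this file is rendered with Jinja2, which the `{{ }}` syntax suggests; `ext`, `int` and `namespace` are plain identifiers, so the context key presumably needs to be supplied as `private_address` and the line written as `ServerName {{ private_address }}`. The vhost otherwise relies on the distribution defaults for TLS settings, since only `SSLEngine on` and the certificate/key paths are set, so whatever protocol versions and ciphers the default configuration permits stay negotiable; adding `SSLProtocol all -SSLv2 -SSLv3` and a deliberately chosen `SSLCipherSuite` next to `SSLEngine on` pins this at the charm level rather than leaving it to the host. The two access blocks grant `Allow from all`, which is expected for a public API front end but means the only access control is whatever the backend on `localhost:{{ int }}` enforces; a comment in the template saying so would make the trust boundary explicit.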