Updates for swift + SSL configuration
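--- a/config.yaml
+++ b/config.yaml
@@ -46,6 +46,17 @@ options:
 zones before the storage ring will be initially balance. Deployment
 requirements differ based on the zone-assignment policy configured, see
 this charm's README for details.
+# User provided SSL cert and key
+ssl_cert:
+type: string
+description: |
+SSL certificate to install and use for API ports. Setting this value
+and ssl_key will enable reverse proxying, point Swifts's entry in the
+Keystone catalog to use https, and override any certficiate and key
+issued by Keystone (if it is configured to do so).
+ssl_key:
+type: string
+description: SSL key to use with certificate specified as ssl_cert.
 # CA Cert info
 use-https:
 default: "no"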
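Review bot: The new `ssl_key` option says nothing about the expected encoding or how the value is handled, so an operator cannot tell whether to paste PEM text or a base64 blob, nor that a private key supplied through charm config is stored there and is readable by anyone who can read the charm's configuration; the description should state the expected format and that handling, e.g. `description: SSL key to use with certificate specified as ssl_cert (state encoding here); stored in charm config, so restrict who can read it.` The relationship to the retained `use-https` option is also undocumented: this text says setting `ssl_cert` and `ssl_key` enables reverse proxying and https, while `use-https` still exists a few lines below and the hooks hunk now branches on `utils.https()`, so say which option takes precedence when both are set. Two typos in the `ssl_cert` description: `Swifts's` should be `Swift's` and `certficiate` should be `certificate`.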
@@ -44,9 +44,6 @@ def install():
|
|||||||
with open(swift.MEMCACHED_CONF, 'w') as conf:
|
with open(swift.MEMCACHED_CONF, 'w') as conf:
|
||||||
conf.write(swift.render_config(swift.MEMCACHED_CONF, ctxt))
|
conf.write(swift.render_config(swift.MEMCACHED_CONF, ctxt))
|
||||||
|
|
||||||
# generate or setup SSL certificate
|
|
||||||
swift.configure_ssl()
|
|
||||||
|
|
||||||
# initialize new storage rings.
|
# initialize new storage rings.
|
||||||
for ring in swift.SWIFT_RINGS.iteritems():
|
for ring in swift.SWIFT_RINGS.iteritems():
|
||||||
swift.initialize_ring(ring[1],
|
swift.initialize_ring(ring[1],
|
||||||
@@ -60,7 +57,7 @@ def install():
|
|||||||
uid, gid = swift.swift_user()
|
uid, gid = swift.swift_user()
|
||||||
os.chown(swift.WWW_DIR, uid, gid)
|
os.chown(swift.WWW_DIR, uid, gid)
|
||||||
swift.write_apache_config()
|
swift.write_apache_config()
|
||||||
utils.configure_https()
|
swift.configure_https()
|
||||||
|
|
||||||
|
|
||||||
def keystone_joined(relid=None):
|
def keystone_joined(relid=None):
|
||||||
@@ -71,8 +68,7 @@ def keystone_joined(relid=None):
|
|||||||
else:
|
else:
|
||||||
hostname = utils.unit_get('private-address')
|
hostname = utils.unit_get('private-address')
|
||||||
port = utils.config_get('bind-port')
|
port = utils.config_get('bind-port')
|
||||||
ssl = utils.config_get('use-https')
|
if utils.https():
|
||||||
if ssl == 'yes':
|
|
||||||
proto = 'https'
|
proto = 'https'
|
||||||
else:
|
else:
|
||||||
proto = 'http'
|
proto = 'http'
|
||||||
@@ -88,7 +84,10 @@ def keystone_joined(relid=None):
|
|||||||
|
|
||||||
def keystone_changed():
|
def keystone_changed():
|
||||||
swift.write_proxy_config()
|
swift.write_proxy_config()
|
||||||
utils.configure_https()
|
swift.configure_https()
|
||||||
|
# Re-fire keystone hooks to ripple back the HTTPS service entry
|
||||||
|
for relid in utils.relation_ids('identity-service'):
|
||||||
|
keystone_joined(relid=relid)
|
||||||
|
|
||||||
|
|
||||||
def balance_rings():
|
def balance_rings():
|
||||||
@@ -159,19 +158,11 @@ def config_changed():
|
|||||||
for relid in relids:
|
for relid in relids:
|
||||||
keystone_joined(relid)
|
keystone_joined(relid)
|
||||||
swift.write_proxy_config()
|
swift.write_proxy_config()
|
||||||
utils.configure_https()
|
swift.configure_https()
|
||||||
|
|
||||||
|
|
||||||
def cluster_changed():
|
def cluster_changed():
|
||||||
api_port = utils.config_get('bind-port')
|
swift.configure_haproxy()
|
||||||
service_ports = {
|
|
||||||
"swift": [
|
|
||||||
utils.determine_haproxy_port(api_port),
|
|
||||||
utils.determine_api_port(api_port)
|
|
||||||
]
|
|
||||||
}
|
|
||||||
swift.proxy_control('restart')
|
|
||||||
utils.configure_haproxy(service_ports)
|
|
||||||
|
|
||||||
|
|
||||||
def ha_relation_changed():
|
def ha_relation_changed():
|
||||||
|
|||||||
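Review bot: `cluster_changed` no longer restarts the proxy: the removed body called `swift.proxy_control('restart')` after recomputing the ports, while the replacement `swift.configure_haproxy()` only writes the proxy config and the haproxy config (per the helper added in the utils hunk), so unless `write_proxy_config()` restarts the service itself, a running proxy keeps its previous bind port after a peer joins. If that restart is intentional, a comment such as `# configure_haproxy() rewrites the proxy config; its restart is handled there` would save the next reader the lookup; otherwise restore `swift.proxy_control('restart')` after the call. In the `keystone_joined` hunk the protocol choice now rests entirely on `utils.https()`, so it is worth a one-line comment there stating whether the `use-https` option kept in config.yaml still participates in that decision.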
@@ -383,3 +383,30 @@ def write_apache_config():
|
|||||||
conf.write(render_config(APACHE_CONF, ctxt))
|
conf.write(render_config(APACHE_CONF, ctxt))
|
||||||
subprocess.check_call(['service', 'apache2', 'reload'])
|
subprocess.check_call(['service', 'apache2', 'reload'])
|
||||||
|
|
||||||
|
|
||||||
|
def configure_haproxy():
|
||||||
|
api_port = utils.config_get('bind-port')
|
||||||
|
service_ports = {
|
||||||
|
"swift": [
|
||||||
|
utils.determine_haproxy_port(api_port),
|
||||||
|
utils.determine_api_port(api_port)
|
||||||
|
]
|
||||||
|
}
|
||||||
|
write_proxy_config()
|
||||||
|
utils.configure_haproxy(service_ports)
|
||||||
|
|
||||||
|
|
||||||
|
def configure_https():
|
||||||
|
if utils.https():
|
||||||
|
api_port = utils.config_get('bind-port')
|
||||||
|
if (len(utils.peer_units) > 0 or
|
||||||
|
utils.is_clustered()):
|
||||||
|
target_port = utils.determine_haproxy_port(api_port)
|
||||||
|
configure_haproxy()
|
||||||
|
else:
|
||||||
|
target_port = utils.determine_api_port(api_port)
|
||||||
|
write_proxy_config()
|
||||||
|
utils.setup_https(namespace="swift",
|
||||||
|
port_maps={api_port: target_port})
|
||||||
|
else:
|
||||||
|
return False
|
||||||
|
|||||||
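Review bot: `len(utils.peer_units)` in the new `configure_https` looks like a missing call: it sits beside `utils.is_clustered()`, which is called, and if `peer_units` is a function as that pairing suggests, `len()` of it raises TypeError on every run where `utils.https()` is true, so the HTTPS path never reaches `utils.setup_https`; the condition should read `if (len(utils.peer_units()) > 0 or utils.is_clustered()):` — confirm against the definition in utils. The function also has no disable path: when `utils.https()` is false it returns False and touches nothing, so whatever `utils.setup_https` installed on an earlier run presumably stays in place after an operator removes `ssl_cert`/`ssl_key`, and none of the callers in the hooks hunks (`install`, `keystone_changed`, `config_changed`) look at the return value; either document that limitation above the `else:` or add a teardown branch. The `return False` paired with an implicit None on the success path is inconsistent; return nothing in both branches or a bool in both.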
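--- /dev/null
+++ b/templates/apache2_site.tmpl
@@ -0,0 +1,19 @@
+Listen {{ ext }}
+NameVirtualHost *:{{ ext }}
+<VirtualHost *: {{ ext }}>
+ServerName {{ private-address }}
+SSLEngine on
+SSLCertificateFile /etc/apache2/ssl/{{ namespace }}/cert
+SSLCertificateKeyFile /etc/apache2/ssl/{{ namespace }}/key
+ProxyPass / http://localhost:{{ int }}/
+ProxyPassReverse / http://localhost:{{ int }}/
+ProxyPreserveHost on
+</VirtualHost>
+<Proxy *>
+Order deny,allow
+Allow from all
+</Proxy>
+<Location />
+Order allow,deny
+Allow from all
+</Location>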
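Review bot: `<VirtualHost *: {{ ext }}>` has a space between `*:` and the port, unlike the `Listen` and `NameVirtualHost` lines above it; Apache reads the address token as `*:` with an empty port and will most likely reject the rendered site, so the line should be `<VirtualHost *:{{ ext }}>`. `ServerName {{ private-address }}` uses a hyphenated variable name, which a Jinja2-style engine parses as a subtraction of two undefined names rather than a lookup — confirm against whatever `render_config` uses, or rename the key to `private_address` on both sides. The vhost sets no `SSLProtocol` or `SSLCipherSuite`, so the listener accepts whatever the Apache build enables by default, including legacy protocol versions; adding `SSLProtocol all -SSLv2 -SSLv3` and an explicit cipher list is the usual hardening for a TLS termination point. `ProxyRequests` is left at its default of `Off`, which is what keeps `<Proxy *>` with `Allow from all` from turning this into an open forward proxy; stating `ProxyRequests Off` explicitly makes that dependency visible to the next editor.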