Restore use of legacy use-https flag
parent
be5dbdc20f
commit
cefead2cd5
|
@ -57,9 +57,10 @@ options:
|
||||||
ssl_key:
|
ssl_key:
|
||||||
type: string
|
type: string
|
||||||
description: SSL key to use with certificate specified as ssl_cert.
|
description: SSL key to use with certificate specified as ssl_cert.
|
||||||
# CA Cert info
|
# Locally generated CA Cert info (only use without keystone)
|
||||||
|
# These options are deprecated and will be removed sometime
|
||||||
use-https:
|
use-https:
|
||||||
default: "no"
|
default: "yes"
|
||||||
type: string
|
type: string
|
||||||
description: Whether to listen on HTTPS
|
description: Whether to listen on HTTPS
|
||||||
country:
|
country:
|
||||||
|
@ -78,6 +79,7 @@ options:
|
||||||
default: CN
|
default: CN
|
||||||
type: string
|
type: string
|
||||||
description: Common Name
|
description: Common Name
|
||||||
|
# General Swift Proxy configuration
|
||||||
bind-port:
|
bind-port:
|
||||||
default: 8080
|
default: 8080
|
||||||
type: int
|
type: int
|
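Review bot: `use-https` stays `type: string` with its default flipped to `"yes"`, but the description never says which values are accepted, and the new checks in `https()` and `enable_https()` further down this page test `config_get('use-https')` for plain truthiness. If `config_get` returns the raw string (its body is not visible here), an operator who sets the option to `"no"` still gets a non-empty, truthy value, so HTTPS and self-signed generation cannot be switched off. The removed `configure_ssl()` compared explicitly, and the new callers should do the same: `if config_get('use-https') == 'yes':`. I would also extend the description to `Whether to listen on HTTPS ("yes" or "no"); a self-signed certificate is generated when no ssl_cert/ssl_key is supplied.` so the effect of the new default is visible to whoever deploys the charm.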
||||||
|
|
|
@ -193,19 +193,6 @@ def write_proxy_config():
|
||||||
proxy_control('restart')
|
proxy_control('restart')
|
||||||
subprocess.check_call(['open-port', str(bind_port)])
|
subprocess.check_call(['open-port', str(bind_port)])
|
||||||
|
|
||||||
def configure_ssl():
|
|
||||||
# this should be expanded to cover setting up user-specified certificates
|
|
||||||
if (utils.config_get('use-https') == 'yes' and
|
|
||||||
not os.path.isfile(SSL_CERT) and
|
|
||||||
not os.path.isfile(SSL_KEY)):
|
|
||||||
subj = '/C=%s/ST=%s/L=%s/CN=%s' %\
|
|
||||||
(utils.config_get('country'), utils.config_get('state'),
|
|
||||||
utils.config_get('locale'), utils.config_get('common-name'))
|
|
||||||
cmd = ['openssl', 'req', '-new', '-x509', '-nodes',
|
|
||||||
'-out', SSL_CERT, '-keyout', SSL_KEY,
|
|
||||||
'-subj', subj]
|
|
||||||
subprocess.check_call(cmd)
|
|
||||||
|
|
||||||
|
|
||||||
def _load_builder(path):
|
def _load_builder(path):
|
||||||
# lifted straight from /usr/bin/swift-ring-builder
|
# lifted straight from /usr/bin/swift-ring-builder
|
||||||
|
|
|
@ -13,6 +13,7 @@ import subprocess
|
||||||
import socket
|
import socket
|
||||||
import sys
|
import sys
|
||||||
import base64
|
import base64
|
||||||
|
import tempfile
|
||||||
|
|
||||||
|
|
||||||
def do_hooks(hooks):
|
def do_hooks(hooks):
|
||||||
|
@ -320,6 +321,8 @@ def https():
|
||||||
.
|
.
|
||||||
returns: boolean
|
returns: boolean
|
||||||
'''
|
'''
|
||||||
|
if config_get('use-https'):
|
||||||
|
return True
|
||||||
if config_get('ssl_cert') and config_get('ssl_key'):
|
if config_get('ssl_cert') and config_get('ssl_key'):
|
||||||
return True
|
return True
|
||||||
for r_id in relation_ids('identity-service'):
|
for r_id in relation_ids('identity-service'):
|
||||||
|
@ -366,6 +369,11 @@ def enable_https(port_maps, namespace):
|
||||||
key = relation_get('ssl_key', rid=r_id, unit=unit)
|
key = relation_get('ssl_key', rid=r_id, unit=unit)
|
||||||
if not ca_cert:
|
if not ca_cert:
|
||||||
ca_cert = relation_get('ca_cert', rid=r_id, unit=unit)
|
ca_cert = relation_get('ca_cert', rid=r_id, unit=unit)
|
||||||
|
if (not (cert and key and ca_cert) and
|
||||||
|
config_get('use-https')):
|
||||||
|
juju_log('INFO',
|
||||||
|
"Using self-signed SSL certificate.")
|
||||||
|
(cert, key) = generate_cert()
|
||||||
else:
|
else:
|
||||||
juju_log('INFO',
|
juju_log('INFO',
|
||||||
"Using SSL certificate provided in service config.")
|
"Using SSL certificate provided in service config.")
|
||||||
|
@ -474,6 +482,32 @@ def setup_https(port_maps, namespace):
|
||||||
enable_https(port_maps, namespace)
|
enable_https(port_maps, namespace)
|
||||||
|
|
||||||
|
|
||||||
|
def generate_cert():
|
||||||
|
'''
|
||||||
|
Generates a self signed certificate and key using the
|
||||||
|
provided charm configuration data.
|
||||||
|
|
||||||
|
returns: tuple of (cert, key)
|
||||||
|
'''
|
||||||
|
CERT = '/etc/swift/ssl.cert'
|
||||||
|
KEY = '/etc/swift/ssl.key'
|
||||||
|
if (not os.path.exists(CERT) and
|
||||||
|
not os.path.exists(KEY)):
|
||||||
|
subj = '/C=%s/ST=%s/L=%s/CN=%s' %\
|
||||||
|
(config_get('country'), config_get('state'),
|
||||||
|
config_get('locale'), config_get('common-name'))
|
||||||
|
cmd = ['openssl', 'req', '-new', '-x509', '-nodes',
|
||||||
|
'-out', CERT, '-keyout', KEY,
|
||||||
|
'-subj', subj]
|
||||||
|
subprocess.check_call(cmd)
|
||||||
|
# Slurp as base64 encoded - makes handling easier up the stack
|
||||||
|
with open(CERT, 'r') as cfile:
|
||||||
|
ssl_cert = base64.b64encode(cfile.read())
|
||||||
|
with open(KEY, 'r') as kfile:
|
||||||
|
ssl_key = base64.b64encode(kfile.read())
|
||||||
|
return (ssl_cert, ssl_key)
|
||||||
|
|
||||||
|
|
||||||
def determine_api_port(public_port):
|
def determine_api_port(public_port):
|
||||||
'''
|
'''
|
||||||
Determine correct API server listening port based on
|
Determine correct API server listening port based on
|
||||||
|
|
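Review bot: In `generate_cert()` the guard `not os.path.exists(CERT) and not os.path.exists(KEY)` skips generation when only one of the two files is present, so the `open()` calls that follow either raise on the missing file or return a certificate and key that may not belong together. `if not (os.path.exists(CERT) and os.path.exists(KEY)):` regenerates the pair in that case. The key is written unencrypted (`-nodes`) to `/etc/swift/ssl.key` and nothing in the hunk sets its mode, so who can read it depends on the hook's umask and the OpenSSL build; an `os.chmod(KEY, 0o600)` right after `subprocess.check_call(cmd)` would pin that. The command also passes no `-days`, so the certificate gets OpenSSL's default lifetime (30 days for `req -x509`) and, because of the existence guard, is never renewed once the files exist.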