XXX caddy-frontend: Setup backend client auth

XXX not finished

software/caddy-frontend/buildout.hash.cfg

@@ -22,15 +22,15 @@ md5sum = c801b7f9f11f0965677c22e6bbe9281b
 
 [template-apache-frontend]
 filename = instance-apache-frontend.cfg.in
-md5sum = 5c24bcdfd915fe7503f984f3f7ce11fb
+md5sum = 867a4f148e73b306605c596056f7d88f
 
 [template-caddy-replicate]
 filename = instance-apache-replicate.cfg.in
-md5sum = 6d7113ebf0c46b0e4c72c128ebb647db
+md5sum = c186f3c93efc804aba5f22b4daab565a
 
 [template-slave-list]
 _update_hash_filename_ = templates/apache-custom-slave-list.cfg.in
-md5sum = 7a36bbd93846da3a5a4c1228dcc91aa8
+md5sum = 546141e0df2a9b12924b07c29f5dfdbe
 
 [template-replicate-publish-slave-information]
 _update_hash_filename_ = templates/replicate-publish-slave-information.cfg.in
@@ -54,7 +54,7 @@ md5sum = 266f175dbdfc588af7a86b0b1884fe73
 
 [template-backend-haproxy-configuration]
 _update_hash_filename_ = templates/backend-haproxy.cfg.in
-md5sum = 33be88f2779e5219a4a64e0fcd06feda
+md5sum = 545af6130777ee9545e43167ffe54b82
 
 [template-log-access]
 _update_hash_filename_ = templates/template-log-access.conf.in

software/caddy-frontend/instance-apache-frontend.cfg.in

@@ -14,6 +14,8 @@ parts =
   switch-caddy-softwaretype
   caucase-updater
   caucase-updater-promise
+  backend-client-caucase-updater
+  backend-client-caucase-updater-promise
   frontend-caddy-graceful
   port-redirection
   promise-frontend-caddy-configuration
@@ -67,6 +69,7 @@ service = ${:etc}/service
 etc-run = ${:etc}/run
 
 ca-dir = ${:srv}/ssl
+backend-client-dir = ${:srv}/backend-client
 # BBB: SlapOS Master non-zero knowledge BEGIN
 bbb-ssl-dir = ${:srv}/bbb-ssl
 # BBB: SlapOS Master non-zero knowledge END
@@ -198,6 +201,47 @@ stop-on-error = True
      template_csr='${kedifa-login-csr:template-csr}'
 )}}
 
+[backend-client-login-config]
+d = ${directory:backend-client-dir}
+template-csr = ${:d}/csr.pem
+key = ${:d}/certificate.pem
+certificate = ${:key}
+ca-certificate = ${:d}/ca.pem
+cas-ca-certificate = ${:d}/cas-ca.pem
+crl = ${:d}/crl.pem
+
+[backend-client-login-csr]
+recipe = plone.recipe.command
+organization = {{ slapparameter_dict['cluster-identification'] }}
+organizational_unit = {{ instance_parameter['configuration.frontend-name'] }}
+command =
+{% if slapparameter_dict['backend-client-caucase-url'] %}
+  if [ ! -f ${:template-csr} ] && [ ! -f ${:key} ]  ; then
+    {{ parameter_dict['openssl'] }} req -new -sha256 \
+      -newkey rsa:2048 -nodes -keyout ${:key} \
+      -subj "/O=${:organization}/OU=${:organizational_unit}" \
+      -out ${:template-csr}
+  fi
+{% endif %}
+  test -f ${:key} && test -f ${:template-csr}
+update-command = ${:command}
+template-csr = ${backend-client-login-config:template-csr}
+key = ${backend-client-login-config:key}
+stop-on-error = True
+
+{{ caucase.updater(
+     prefix='backend-client-caucase-updater',
+     buildout_bin_directory=parameter_dict['bin_directory'],
+     updater_path='${directory:service}/backend-client-login-certificate-caucase-updater',
+     url=slapparameter_dict['backend-client-caucase-url'],
+     data_dir='${directory:srv}/backend-client-caucase-updater',
+     crt_path='${backend-client-login-config:certificate}',
+     ca_path='${backend-client-login-config:ca-certificate}',
+     crl_path='${backend-client-login-config:crl}',
+     key_path='${backend-client-login-csr:key}',
+     template_csr='${backend-client-login-csr:template-csr}'
+)}}
+
 [dynamic-custom-personal-template-slave-list]
 < = jinja2-template-base
 template = {{ parameter_dict['template_slave_list'] }}
@@ -660,6 +704,7 @@ log-socket = ${backend-haproxy-rsyslogd:log-socket}
 graceful-command = ${backend-haproxy-validate:rendered} && kill -USR2 $(cat ${:pid-file})
 http-port = ${configuration:backend-haproxy-http-port}
 https-port = ${configuration:backend-haproxy-https-port}
+backend-client-login-certificate = ${backend-client-login-config:certificate}
 
 [backend-haproxy-wrapper]
 recipe = slapos.recipe.template:jinja2

software/caddy-frontend/instance-apache-replicate.cfg.in

@@ -9,6 +9,9 @@
 {% set master_partition_monitor_monitor_httpd_port = 8401 %}
 {% set kedifa_partition_monitor_httpd_port = 8402 %}
 {% set frontend_monitor_httpd_base_port = 8410 %}
+{% set caucase_host = '[' ~ instance_parameter['ipv6-random'] ~ ']' %}
+{% set caucase_netloc = caucase_host ~ ':' ~ instance_parameter['configuration.caucase_port'] %}
+{% set caucase_url = 'http://' ~ caucase_netloc %}
 [jinja2-template-base]
 recipe = slapos.recipe.template:jinja2
 rendered = ${buildout:directory}/${:filename}
@@ -225,6 +228,7 @@ state = {{ state }}
 {%   endif %}
 config-slave-kedifa-information = ${request-kedifa:connection-slave-kedifa-information}
 config-kedifa-caucase-url = ${request-kedifa:connection-caucase-url}
+config-backend-client-caucase-url = {{ caucase_url }}
 config-master-key-download-url = ${request-kedifa:connection-master-key-download-url}
 config-cluster-identification = {{ cluster_identification }}
 {#   Do not send additional parameters for destroyed nodes #}
@@ -259,6 +263,7 @@ domain = {{ slapparameter_dict.get('domain') }}
 slave-amount = {{ slave_instance_list | length }}
 accepted-slave-amount = {{ authorized_slave_list | length }}
 rejected-slave-amount = {{ rejected_slave_dict | length }}
+backend-client-cacucase-url = {{ caucase_url }}
 {# sort_keys are important in order to avoid shuffling parameters on each run #}
 rejected-slave-dict = {{ dumps(json_module.dumps(rejected_slave_title_dict, sort_keys=True)) }}
 rejected-slave-promise-url = ${rejected-slave-promise:config-url}
@@ -371,12 +376,17 @@ kedifa = ${request-kedifa:connection-monitor-base-url}
 {{ frontend }} = {{ '${' + frontend + ':connection-monitor-base-url}' }}
 {% endfor %}
 
-{% if aikc_enabled %}
 [directory]
 recipe = slapos.cookbook:mkdirectory
-
 bin = ${buildout:directory}/bin/
 srv = ${buildout:directory}/srv/
+backup = ${:srv}/backup
+# CAUCASE directories
+caucased = ${:srv}/caucased
+backup-caucased = ${:backup}/caucased
+
+{% if aikc_enabled %}
+[directory]
 aikc = ${:srv}/aikc
 
 [aikc-config]
@@ -599,6 +609,20 @@ config-filename = ${rejected-slave-json:rendered}
 config-state = empty
 config-url = ${rejected-slave-publish:url}
 
+[caucased-backend-client]
+hash-existing-files = ${buildout:directory}/software_release/buildout.cfg
+{{  caucase.caucased(
+      prefix='caucased-backend-client',
+      buildout_bin_directory=parameter_dict['bin_directory'],
+      caucased_path='${directory:service}/caucased-backend-client',
+      backup_dir='${directory:backup-caucased}',
+      data_dir='${directory:caucased}',
+      netloc=caucase_netloc,
+      service_auto_approve_count=0,
+      user_auto_approve_count=1,
+      key_len=2048,
+)}}
+
 [buildout]
 extends =
   {{ common_profile }}
@@ -610,6 +634,8 @@ parts =
   request-kedifa
   rejected-slave-promise
   promise-rejected-slave-publish-ip-port
+  caucased-backend-client
+  caucased-backend-client-promise
 {% for part in part_list %}
 {{ '  %s' % part }}
 {% endfor %}

software/caddy-frontend/templates/apache-custom-slave-list.cfg.in

@@ -426,6 +426,7 @@ log-socket = {{ backend_haproxy_configuration['log-socket'] }}
 local-ipv4 = {{ dumps('' ~ local_ipv4) }}
 http-port = {{ ('' ~ backend_haproxy_configuration['http-port']) }}
 https-port = {{ ('' ~ backend_haproxy_configuration['https-port']) }}
+backend-client-login-certificate = {{ ('' ~ backend_haproxy_configuration['backend-client-login-certificate']) }}
 ##<Backend haproxy>
 
 [buildout]

software/caddy-frontend/templates/backend-haproxy.cfg.in

@@ -51,7 +51,8 @@ frontend https-backend
 {%-   for (scheme, prefix) in [('http', 'http_backend'), ('https', 'https_backend')] %}
 {%-     set info_dict = slave_instance[prefix] %}
 {%-     if info_dict['scheme'] == 'https' %}
-{%-       set ssl = ['ssl verify'] %}
+{%-       set ssl = ['crt %s' % (configuration['backend-client-login-certificate'],)] %}
+{%-       do ssl.append('ssl verify') %}
 {%-       set path_to_ssl_proxy_ca_crt = slave_instance.get('path_to_ssl_proxy_ca_crt') %}
 {%-       if slave_instance['ssl_proxy_verify'] %}
 {%-         if path_to_ssl_proxy_ca_crt %}