• Jérome Perrin's avatar
    stack/erp5: use caucase managed certificate for balancer · c90ff590
    Jérome Perrin authored
    This reverts commit 620c9332 (stack/erp5: stop using caucase managed
    certificate for balancer, 2020-11-10) with an updated design. We add a
    caucase service for balancer in the balancer partition. The caucase
    service from the root partition (that was not used) is removed.
    
    The underlying idea is that the default configuration should use multiple
    caucases with limited scope, here we have one caucase to manage the
    certificate used by haproxy server in the balancer partition, so we put
    one caucase to manage this certificate and the caucase is configured to
    auto-accept one certificate only. The plan is that when we will add a
    certificate for mariadb server, we'll add another caucase inside this
    mariadb server.
    
    For more advanced usage and also to support the cases where a new
    certificate needs to be re-emitted for some reason, users can request
    with an existing caucase URL. In that case, they will have to accept
    the certificate requests.
    
    Notable changes:
    
    balancer/ssl/caucase-url is no longer documented in parameters, this is
    an internal parameter, users can pass one global caucase service to
    manage all partition
    
    CAUCASE environment variable is no longer set when running zope. There
    was no identified use case and with this new approach of multiple
    caucases, the term "caucase" alone became ambiguous.
    c90ff590
README.rst 3.66 KB