Revert "stack/erp5: support frontend-caucase-url-list option."

This reverts commit e1236eea.

Revert "stack/erp5: support frontend-caucase-url-list option."
This reverts commit e1236eea.
7a0756b2 · Kazuhiko Shiozaki · e1236eea · 7a0756b2 · 7a0756b2 · 7a0756b2
Commit 7a0756b2 authored May 27, 2020 by Kazuhiko Shiozaki
5 changed files
--- a/software/erp5/instance-erp5-input-schema.json
+++ b/software/erp5/instance-erp5-input-schema.json
@@ -453,11 +453,6 @@
        "ssl": {
          "description": "HTTPS certificate generation parameters",
          "properties": {
-            "frontend-caucase-url-list": {
-              "title": "Frontend Caucase URL List",
-              "description": "List of URLs of caucase service of frontend groups.",
-              "type": "array"
-            },
            "caucase-url": {
              "title": "Caucase URL",
              "description": "URL of caucase service to use. If not set, global setting will be used.",

--- a/stack/caucase/caucase.jinja2.library
+++ b/stack/caucase/caucase.jinja2.library
@@ -43,9 +43,9 @@ config-command = '{{ buildout_bin_directory }}/caucase-probe' 'http://{{ netloc
  updater_path,
  url,
  data_dir,
+  crt_path,
  ca_path,
  crl_path,
-  crt_path=None,
  key_path=None,
  on_renew=None,
  max_sleep=None,
@@ -59,7 +59,6 @@ config-command = '{{ buildout_bin_directory }}/caucase-probe' 'http://{{ netloc
 recipe = slapos.cookbook:mkdirectory
 data-dir = {{ data_dir }}

-{% if crt_path %}
 {% if template_csr_pem or template_csr -%}
 [{{ prefix }}-provided-csr-content]
 {%   if template_csr_pem %}
@@ -91,7 +90,6 @@ recipe = plone.recipe.command
 command = '{{ openssl }}' req -newkey rsa:2048 -batch -new -nodes -subj /CN=example.com -keyout '{{ key_path or crt_path }}' -out '${:csr}'
 {%- endif %}
 csr = ${ {{- prefix }}-directory:data-dir}/good.csr.pem
-{%- endif %}

 [{{ prefix }}]
 recipe = slapos.cookbook:wrapper
@@ -100,8 +98,8 @@ command-line = '{{ buildout_bin_directory }}/caucase-updater'
  --ca-url '{{ url }}'
  --cas-ca '${ {{- prefix }}-directory:data-dir}/cas.crt.pem'
  --mode '{{ mode }}'
-  {% if crt_path %}--csr '${ {{- prefix }}-csr:csr}'
-  --crt '{{ crt_path }}' {%- endif %}
+  --csr '${ {{- prefix }}-csr:csr}'
+  --crt '{{ crt_path }}'
  --ca '{{ ca_path }}'
  --crl '{{ crl_path }}'
  {% if key_path %}--key '{{ key_path }}' {%- endif %}

--- a/stack/erp5/buildout.hash.cfg
+++ b/stack/erp5/buildout.hash.cfg
@@ -78,7 +78,7 @@ md5sum = d41d8cd98f00b204e9800998ecf8427e

 [template-erp5]
 filename = instance-erp5.cfg.in
-md5sum = 038c367b7c4249d854bb0535891f29b3
+md5sum = 82dc695e212be124d60ceb1143e56b0d

 [template-zeo]
 filename = instance-zeo.cfg.in
@@ -90,7 +90,7 @@ md5sum = 2f3ddd328ac1c375e483ecb2ef5ffb57

 [template-balancer]
 filename = instance-balancer.cfg.in
-md5sum = d375f1a15bade233fa134dcb05380f52
+md5sum = 6851e0c28a025bd26a4d3450204ae335

 [template-haproxy-cfg]
 filename = haproxy.cfg.in

--- a/stack/erp5/instance-balancer.cfg.in
+++ b/stack/erp5/instance-balancer.cfg.in
@@ -21,40 +21,22 @@ recipe = slapos.recipe.template:jinja2
 mode = 644

 {{ caucase.updater(
-     prefix='caucase-updater-0',
+     prefix='caucase-updater',
     buildout_bin_directory=parameter_dict['bin-directory'],
-     updater_path='${directory:services-on-watch}/caucase-updater-0',
+     updater_path='${directory:services-on-watch}/caucase-updater',
     url=ssl_parameter_dict['caucase-url'],
-     data_dir='${directory:srv}/caucase-updater-0',
+     data_dir='${directory:srv}/caucase-updater',
     crt_path='${apache-conf-ssl:caucase-cert}',
-     ca_path='${directory:srv}/caucase-updater-0/ca.crt',
-     crl_path='${directory:srv}/caucase-updater-0/crl.pem',
+     ca_path='${apache-conf-ssl:ca-cert}',
+     crl_path='${apache-conf-ssl:crl}',
     key_path='${apache-conf-ssl:caucase-key}',
     on_renew='${apache-graceful:output}',
     max_sleep=ssl_parameter_dict.get('max-crl-update-delay', 1.0),
     template_csr_pem=ssl_parameter_dict.get('csr'),
     openssl=parameter_dict['openssl'] ~ '/bin/openssl',
 )}}
-{% do section('caucase-updater-0') -%}
-{% do section('caucase-updater-0-promise') -%}
-
-{% for idx, frontend_caucase_url in enumerate(ssl_parameter_dict['frontend-caucase-url-list']) -%}
-{{   caucase.updater(
-       prefix='caucase-updater-%s' % (idx + 1),
-       buildout_bin_directory=parameter_dict['bin-directory'],
-       updater_path='${directory:services-on-watch}/caucase-updater-%s' % (idx + 1),
-       url=frontend_caucase_url,
-       data_dir='${directory:srv}/caucase-updater-%s' % (idx + 1),
-       ca_path='${directory:srv}/caucase-updater-%s/ca.crt' % (idx + 1),
-       crl_path='${directory:srv}/caucase-updater-%s/crl.pem' % (idx + 1),
-       on_renew='${apache-graceful:output}',
-       max_sleep=ssl_parameter_dict.get('max-crl-update-delay', 1.0),
-       template_csr_pem=ssl_parameter_dict.get('csr'),
-       openssl=parameter_dict['openssl'] ~ '/bin/openssl',
-     )}}
-{%   do section('caucase-updater-%s' % (idx + 1)) -%}
-{%   do section('caucase-updater-%s-promise' % (idx + 1)) -%}
-{% endfor -%}
+{% do section('caucase-updater') -%}
+{% do section('caucase-updater-promise') -%}

 {% set haproxy_dict = {} -%}
 {% set apache_dict = {} -%}
@@ -194,22 +176,9 @@ wait-for-files =
 recipe = collective.recipe.template
 output = ${directory:bin}/apache-httpd-graceful
 mode = 700
-input =
-  inline:
-  #!{{parameter_dict['bin-directory']}}/python2.7
-  from lock_file import LockFile
-  import os
-  import subprocess
-  with LockFile('${apache-conf-ssl:ca-cert}.lock', wait = True):
-    ca_path_list = [{% for idx in range(len(frontend_caucase_url_list) + 1) -%} '{{ '${directory:srv}/caucase-updater-%s/ca.crt' % idx }}', {% endfor -%}]
-    valid_ca_path_list = [path for path in ca_path_list
-                          if os.path.isfile(path) and subprocess.call(['openssl', 'x509', '-in', path], stdout=subprocess.PIPE) == 0]
-    file('${apache-conf-ssl:ca-cert}', 'w').write('\n'.join(file(path).read() for path in valid_ca_path_list))
-    crl_path_list = [{% for idx in range(len(frontend_caucase_url_list) + 1) -%} '{{ '${directory:srv}/caucase-updater-%s/crl.pem' % idx }}', {% endfor -%}]
-    valid_crl_path_list = [path for path in crl_path_list
-                          if os.path.isfile(path) and subprocess.call(['openssl', 'crl', '-in', path], stdout=subprocess.PIPE) == 0]
-    file('${apache-conf-ssl:crl}', 'w').write('\n'.join(file(path).read() for path in valid_crl_path_list))
-    subprocess.call(['kill',  '-USR1', file('${apache-conf-parameter-dict:pid-file}').read().strip()])
+input = inline:
+  #!/bin/sh
+  kill -USR1 "$(cat '${apache-conf-parameter-dict:pid-file}')"

 [{{ section('apache-promise') }}]
 <= monitor-promise-base

--- a/stack/erp5/instance-erp5.cfg.in
+++ b/stack/erp5/instance-erp5.cfg.in
@@ -98,7 +98,6 @@ backup-caucased = ${:srv}/backup/caucased
 {% do publish_dict.__setitem__('caucase-http-url', caucase_url) -%}
 {% set balancer_dict = slapparameter_dict.get('balancer', {}) -%}
 {% do balancer_dict.setdefault('ssl', {}).setdefault('caucase-url', caucase_url) -%}
-{% do balancer_dict['ssl'].setdefault('frontend-caucase-url-list', []) -%}

 {{ request('memcached-persistent', 'kumofs', 'kumofs', {'tcpv4-port': 2000}, {'url': True, 'monitor-base-url': False}, key_config={'monitor-passwd': 'monitor-htpasswd:passwd'}) }}
 {{ request('memcached-volatile', 'kumofs', 'memcached', {'tcpv4-port': 2010, 'ram-storage-size': 64}, {'url': True, 'monitor-base-url': False}, key_config={'monitor-passwd': 'monitor-htpasswd:passwd'}) }}