stack/caucase: Implement updater promise

This promise will check that certificate matches the key and will check
that it is renewed before 15 days before expiration.

stack/caucase/buildout.hash.cfg

@@ -15,4 +15,4 @@
 
 [caucase-jinja2-library]
 filename = caucase.jinja2.library
-md5sum = 93dae9ec9df9c095f69b175e5772677e
+md5sum = 9a7247cdb2ee1d66c074b0660c54713f

stack/caucase/caucase.jinja2.library

@@ -52,7 +52,8 @@ config-command = '{{ buildout_bin_directory }}/caucase-probe' 'http://{{ netloc
   mode='service',
   template_csr=None,
   template_csr_pem=None,
-  openssl=None
+  openssl=None,
+  promise=True
 ) -%}
 [{{ prefix }}-directory]
 recipe = slapos.cookbook:mkdirectory
@@ -104,6 +105,15 @@ command-line = '{{ buildout_bin_directory }}/caucase-updater'
   {% if key_path %}--key '{{ key_path }}' {%- endif %}
   {% if on_renew %}--on-renew '{{ on_renew }}' {%- endif %}
   {% if max_sleep %}--max-sleep '{{ max_sleep }}' {%- endif %}
+{% if promise -%}
+[{{ prefix }}-promise]
+<= monitor-promise-base
+module = check_certificate
+name = {{ prefix }}.py
+config-certificate = {{ crt_path }}
+config-key = {{ key_path }}
+config-certificate-expiration-days = 15
+{%- endif %}
 {%- endmacro %}
 
 {% macro rerequest(prefix, buildout_bin_directory, template, csr, key) -%}

[Vincent Pelletier]

This commit (and probably later in instanciation, af0336cf) is breaking software/caucase when used stand-alone:

Installing switch-softwaretype.
While:
  Installing.
  Getting section caucased-promise.
  Initializing section caucased-promise.
  Loading input sections for 'caucased-promise'
Error: No section named 'monitor-promise-base'

I see 2 possible fixes:

• Make stack/caucase extend stack/monitor.
• Provide an empty [monitor-promise-base] section here. Without a recipe, it should do nothing.

I'm not sure about the promise parameter. If the software release has monitor support, then there should be no reason to ignore the issues found by this tester. It is only if there is no monitor support than it would make sense to disable it, and providing an empty section should do the trick anyway.

[Vincent Pelletier]

This commit

I'm wrong: the exact error I am getting is because of af0336cf , which changed promise=None into promise=True.

BTW, README.rst needs to be updated as a consesquence of that commit:

  - ``<prefix>-promise``: (only produced if ``<promise>`` is not None). Creates an

and also as a consequence of this commit: updater macro is not documented for generating the section added above.

Without a recipe, it should do nothing.

Well, I just tested and it does something: it fails to instanciate. Because there is no recipe. I don't like the idea of providing a dummy recipe in such section, because then extends order becomes critical.

I would like to have a fix which does not require the monitor stack as dependency within caucase stack: it would be much nicer to let the software release decide whether it wants monitoring. But I do not have an idea of how to achieve this.

[Łukasz Nowak]

As discussed during a call I am going to add software/caucase to the test suite and make stack/caucase depend on stack/monitor, as monitoring stack is required anyway.