fixup! software/erp5: use a caucase managed certificate for balancer

fix balancer CSR generation: Caucase rerequest uses a CSR *template* and use it to generate a new CSR with a new key, so we should not use the actual key to generate this CSR, because it is caucase rerequest job to generate the key. Also, we should be careful not to generate a new CSR every time this command run, otherwise a new key will be generated and a new CSR will be sent to caucase, but caucase will not sign it automatically (since we configure it to sign only one certificate). This means that the case of IP address changes is currently not supported automatically. To support it we would need to: - force generation of a new CSR template - force caucase rerequester to request a new certificate (by removing existing certificate) - force caucased to sign the new certificate This commit also fix indentation and remove simplefile macro that is no longer used

fixup! software/erp5: use a caucase managed certificate for balancer
fix balancer CSR generation: Caucase rerequest uses a CSR *template* and use it to generate a new CSR with a new key, so we should not use the actual key to generate this CSR, because it is caucase rerequest job to generate the key. Also, we should be careful not to generate a new CSR every time this command run, otherwise a new key will be generated and a new CSR will be sent to caucase, but caucase will not sign it automatically (since we configure it to sign only one certificate). This means that the case of IP address changes is currently not supported automatically. To support it we would need to: - force generation of a new CSR template - force caucase rerequester to request a new certificate (by removing existing certificate) - force caucased to sign the new certificate This commit also fix indentation and remove simplefile macro that is no longer used
555b26a2 · Jérome Perrin · fb49ccdb · 555b26a2 · 555b26a2
Commit 555b26a2 authored Nov 10, 2020 by Jérome Perrin
Hide whitespace changes
Inline Side-by-side

Showing with 29 additions and 42 deletions

stack/erp5/buildout.hash.cfg stack/erp5/buildout.hash.cfg +1 -1

stack/erp5/instance-balancer.cfg.in stack/erp5/instance-balancer.cfg.in +28 -41

No files found.
--- a/stack/erp5/buildout.hash.cfg
+++ b/stack/erp5/buildout.hash.cfg
@@ -90,7 +90,7 @@ md5sum = 2f3ddd328ac1c375e483ecb2ef5ffb57

 [template-balancer]
 filename = instance-balancer.cfg.in
-md5sum = ecf119142e6b5cd85a2ba397552d2142
+md5sum = fc8672d2ccbfa39470cee2d6ac8bea60

 [template-haproxy-cfg]
 filename = haproxy.cfg.in

--- a/stack/erp5/instance-balancer.cfg.in
+++ b/stack/erp5/instance-balancer.cfg.in
@@ -18,36 +18,39 @@ per partition. No more (undefined result), no less (IndexError).
 recipe = slapos.recipe.template:jinja2
 mode = 644

-[balancer-csr-request-config]
+[balancer-csr-template-config]
 < = jinja2-template-base
 template = inline:
-    [req]
-    prompt = no
-    req_extensions = req_ext
-    distinguished_name = dn
-    [ dn ]
-    CN = example.com
-    [ req_ext ]
-    subjectAltName = @alt_names
-    [ alt_names ]
-    IP.1 =  {{ ipv4 }}
-    {% if ipv6_set -%}
-    IP.2 =  {{ ipv6 }}
-    {% endif %}
+  [req]
+  prompt = no
+  req_extensions = req_ext
+  distinguished_name = dn
+  [ dn ]
+  CN = example.com
+  [ req_ext ]
+  subjectAltName = @alt_names
+  [ alt_names ]
+  IP.1 =  {{ ipv4 }}
+  {% if ipv6_set -%}
+  IP.2 =  {{ ipv6 }}
+  {% endif %}
 rendered = ${buildout:parts-directory}/${:_buildout_section_name_}/${:_buildout_section_name_}.txt

-[balancer-csr-request]
+[balancer-csr-template]
 recipe = plone.recipe.command
-command = {{ parameter_dict["openssl"] }}/bin/openssl req \
-  -newkey rsa:2048 \
-  -batch \
-  -new \
-  -nodes \
-  -keyout '${apache-conf-ssl:key}' \
-  -config '${balancer-csr-request-config:rendered}' \
-  -out '${:csr}'
+command =
+  if [ ! -f '${:csr}' ] ; then
+   {{ parameter_dict["openssl"] }}/bin/openssl req \
+      -newkey rsa:2048 \
+      -batch \
+      -new \
+      -nodes \
+      -keyout /dev/null \
+      -config '${balancer-csr-template-config:rendered}' \
+      -out '${:csr}'
+  fi
 stop-on-error = true
-csr = ${directory:etc}/${:_buildout_section_name_}.csr.pem
+csr = ${directory:srv}/${:_buildout_section_name_}.csr.pem


 {{ caucase.updater(
@@ -63,7 +66,7 @@ csr = ${directory:etc}/${:_buildout_section_name_}.csr.pem
     on_renew='${apache-graceful:output}',
     max_sleep=ssl_parameter_dict.get('max-crl-update-delay', 1.0),
     template_csr_pem=ssl_parameter_dict.get('csr'),
-     template_csr=None if ssl_parameter_dict.get('csr') else '${balancer-csr-request:csr}',
+     template_csr=None if ssl_parameter_dict.get('csr') else '${balancer-csr-template:csr}',
     openssl=parameter_dict['openssl'] ~ '/bin/openssl',
 )}}
 {% do section('caucase-updater') -%}
@@ -215,22 +218,6 @@ ca-cert-dir = ${directory:apache-ca-cert-dir}
 crl-dir = ${directory:apache-crl-dir}
 {%- endif %}

-[simplefile]
-< = jinja2-template-base
-template = inline:{{ '{{ content }}' }}
-
-{% macro simplefile(section_name, file_path, content, mode='') -%}
-{%   set content_section_name = section_name ~ '-content' -%}
-[{{  content_section_name }}]
-content = {{ dumps(content) }}
-
-[{{  section(section_name) }}]
-< = simplefile
-rendered = {{ file_path }}
-context = key content {{content_section_name}}:content
-mode = {{ mode }}
-{%- endmacro %}
-
 [apache-conf-parameter-dict]
 backend-list = {{ dumps(apache_dict.values()) }}
 zope-virtualhost-monster-backend-dict = {{ dumps(zope_virtualhost_monster_backend_dict) }}