Add a configure script to JAAS

The script finishes the configuration after the model has been deployed
canonical · Dec 21, 2023 · f436018 · f436018
1 parent e5758c0
commit f436018
Show file tree

Hide file tree

Showing 5 changed files with 89 additions and 13 deletions.
diff --git a/jaas/configure b/jaas/configure
@@ -0,0 +1,55 @@
+#!/bin/sh -u
+
+status=$(juju status  --format=json)
+candid_haproxy_machine=$(echo $status | jq '.applications."candid-haproxy".units."candid-haproxy/0".machine')
+candid_haproxy_hostname=$(echo $status | jq -r ".machines.${candid_haproxy_machine}.hostname")
+
+jimm_haproxy_machine=$(echo $status | jq '.applications."jimm-haproxy".units."jimm-haproxy/0".machine')
+jimm_haproxy_hostname=$(echo $status | jq -r ".machines.${jimm_haproxy_machine}.hostname")
+
+jimm_machine=$(echo $status | jq -r '.applications.jimm.units."jimm/0".machine')
+
+model_name=$(echo $status | jq -r ".model.name")
+ssl_dir=jaas-${model_name}
+domain_name=cloud.sts
+
+(cd ssl; ./create_ca_cert_jaas.sh ${ssl_dir} ${candid_haproxy_hostname}.${domain_name} ${jimm_haproxy_hostname}.${domain_name};)
+
+ssl_results="ssl/${ssl_dir}/results"
+ssl_cert=$(base64 ${ssl_results}/servercert.pem| tr -d '\n')
+ssl_key=$(base64 ${ssl_results}/serverkey.pem| tr -d '\n')
+
+# install CA locally
+sudo cp ${ssl_results}/cacert.pem /usr/local/share/ca-certificates/jaas.crt
+sudo update-ca-certificates
+
+# install CA on jimm server
+juju scp ${ssl_results}/cacert.pem $jimm_machine:
+juju exec --machine $jimm_machine -- sudo mv cacert.pem /usr/local/share/ca-certificates/jaas.crt
+juju exec --machine $jimm_machine -- sudo update-ca-certificates
+juju exec --machine $jimm_machine -- sudo systemctl restart jimm
+
+# install CA on controller
+# TODO: fix for HA controller
+juju scp -m controller ${ssl_results}/cacert.pem 0:
+juju exec -m controller --machine 0 -- sudo mv cacert.pem /usr/local/share/ca-certificates/jaas.crt
+juju exec -m controller --machine 0 -- sudo update-ca-certificates
+juju exec -m controller --machine 0 -- sudo systemctl restart jujud-machine-0
+
+# Wait for services to come back
+echo "Wating for processes to restart..."
+sleep 30
+
+juju config jimm-haproxy ssl_cert=$ssl_cert
+juju config jimm-haproxy ssl_key=$ssl_key
+juju config candid-haproxy ssl_cert=$ssl_cert
+juju config candid-haproxy ssl_key=$ssl_key
+
+juju config candid location=https://${candid_haproxy_hostname}.${domain_name}
+juju config jimm candid-url=https://${candid_haproxy_hostname}.${domain_name}
+juju config jimm dns-name=${jimm_haproxy_hostname}.${domain_name}
+juju config jimm controller-admins=user1
+
+echo "Run 'juju login ${jimm_haproxy_hostname}.${domain_name}' to register your juju client to the JAAS controller"
+echo "You may need to add the ${ssl_results}/cacert.pem file to your browser to validate the https connection to candid"
+echo "For loging into candid you can use user1 / password1"
diff --git a/jaas/jaas.yaml.template b/jaas/jaas.yaml.template
@@ -6,9 +6,6 @@
 # your bundle.
 
 # Variables
-ssl_ca:                     &ssl_ca                    __SSL_CA__
-ssl_cert:                   &ssl_cert                  __SSL_CERT__
-ssl_key:                    &ssl_key                   __SSL_KEY__
 candid-location:            &candid-location           "https://candid.se"
 jimm-dns-name:              &jimm-dns-name             "jimm.se"
 jaas-controller-admin:      &jaas-controller-admin     "ubuntu"
@@ -67,8 +64,6 @@ applications:
       default_mode: tcp
       enable_monitoring: True
       peering_mode: active-active
-      ssl_cert: *ssl_cert
-      ssl_key: *ssl_key
       services: |
         - service_name: app-candid
           service_host: "0.0.0.0"
@@ -97,8 +92,6 @@ applications:
       default_mode: tcp
       enable_monitoring: True
       peering_mode: active-active
-      ssl_cert: *ssl_cert
-      ssl_key: *ssl_key
       services: |
         - service_name: app-jimm
           service_host: "0.0.0.0"

diff --git a/jaas/pipeline/00setup b/jaas/pipeline/00setup
@@ -12,6 +12,8 @@ export -a MOD_PASSTHROUGH_OPTS=()
 
 # Collection of messages to display at the end
 export -A MOD_MSGS=()
+# Use order 0 to ensure this is first displayed
+MOD_MSGS[0_common.0]="run ./configure to initialise your deployment"
 
 # Array list of overlays to use with this deployment.
 export -a MOD_OVERLAYS=()

diff --git a/jaas/pipeline/02configure b/jaas/pipeline/02configure
@@ -22,15 +22,9 @@ cat ${candid_keys}/bakery-key.json | jq -r .private | tr -d '\n' > ${candid_keys
 CANDID_URL=https://candid.sts candid create-agent --admin   -f ${candid_keys}/admin.agent
 cat ${candid_keys}/admin.agent | jq -r .key.public | tr -d '\n' > ${candid_keys}/admin-agent-public-key
 
-(cd ssl; . ./create_ca_cert.sh $MOD_SSL_STATE_DIR;)
-ssl_results="ssl/$MOD_SSL_STATE_DIR/results"
-MOD_PARAMS[__SSL_PATH__]=$ssl_results
 MOD_PARAMS[__CANDID_PUB_KEY__]=`cat $candid_keys/public-key`
 MOD_PARAMS[__CANDID_PRIV_KEY__]=`cat $candid_keys/private-key`
 MOD_PARAMS[__CANDID_ADMIN_AGENT_KEY__]=`cat $candid_keys/admin-agent-public-key`
-MOD_PARAMS[__SSL_CA__]=`base64 ${ssl_results}/cacert.pem| tr -d '\n'`
-MOD_PARAMS[__SSL_CERT__]=`base64 ${ssl_results}/servercert.pem| tr -d '\n'`
-MOD_PARAMS[__SSL_KEY__]=`base64 ${ssl_results}/serverkey.pem| tr -d '\n'`
 
 # Skip processing input if it includes exclusive passthrough options
 ! has_excl_passthrough_opt && \

diff --git a/ssl/create_ca_cert_jaas.sh b/ssl/create_ca_cert_jaas.sh
@@ -0,0 +1,32 @@
+#!/bin/bash -eu
+state_dir=$1
+results_dir=${state_dir}/results
+declare -a required=( cacert.pem servercert.csr servercert.pem )
+
+all_exist=true
+for f in ${required[@]}; do
+    [ -r "$results_dir/$f" ] || all_exist=false && break
+done
+
+if $all_exist; then
+    echo -e "Using existing ssl certificates in ssl/$state_dir\n"
+    exit
+else
+    echo -e "Generating ssl certificates in ssl/$state_dir\n"
+fi
+
+mkdir -p $results_dir
+sed -r "s,__RESULTS_PATH__,$results_dir,g" openssl-ca.cnf.template > ${state_dir}/openssl-ca.cnf
+sed -r "s,__RESULTS_PATH__,$results_dir,g" openssl-server.cnf.template > ${state_dir}/openssl-server.cnf
+
+sed -i -r "s,__CN_VIP__,$2,g" $state_dir/openssl-server.cnf
+echo "DNS.1 = $2" >> $state_dir/openssl-server.cnf
+echo "DNS.2 = $3" >> $state_dir/openssl-server.cnf
+
+touch $results_dir/index.txt
+echo '01' > $results_dir/serial.txt
+{
+openssl req -x509 -config $state_dir/openssl-ca.cnf -newkey rsa:4096 -sha256 -nodes -out $results_dir/cacert.pem -outform PEM -subj "/C=GB/ST=England/L=London/O=Ubuntu Cloud/OU=Cloud"
+openssl req -config $state_dir/openssl-server.cnf -newkey rsa:2048 -sha256 -nodes -out $results_dir/servercert.csr -outform PEM -subj "/C=GB/ST=England/L=London/O=Ubuntu Cloud/OU=Cloud/CN=$2"
+openssl ca -batch -config $state_dir/openssl-ca.cnf -policy signing_policy -extensions signing_req -out $results_dir/servercert.pem -infiles $results_dir/servercert.csr
+} &>/dev/null