diff --git a/jaas/configure b/jaas/configure
new file mode 100755
index 00000000..f3c75204
--- /dev/null
+++ b/jaas/configure
@@ -0,0 +1,55 @@
+#!/bin/sh -u
+
+status=$(juju status --format=json)
+candid_haproxy_machine=$(echo $status | jq '.applications."candid-haproxy".units."candid-haproxy/0".machine')
+candid_haproxy_hostname=$(echo $status | jq -r ".machines.${candid_haproxy_machine}.hostname")
+
+jimm_haproxy_machine=$(echo $status | jq '.applications."jimm-haproxy".units."jimm-haproxy/0".machine')
+jimm_haproxy_hostname=$(echo $status | jq -r ".machines.${jimm_haproxy_machine}.hostname")
+
+jimm_machine=$(echo $status | jq -r '.applications.jimm.units."jimm/0".machine')
+
+model_name=$(echo $status | jq -r ".model.name")
+ssl_dir=jaas-${model_name}
+domain_name=cloud.sts
+
+(cd ssl; ./create_ca_cert_jaas.sh ${ssl_dir} ${candid_haproxy_hostname}.${domain_name} ${jimm_haproxy_hostname}.${domain_name};)
+
+ssl_results="ssl/${ssl_dir}/results"
+ssl_cert=$(base64 ${ssl_results}/servercert.pem| tr -d '\n')
+ssl_key=$(base64 ${ssl_results}/serverkey.pem| tr -d '\n')
+
+# install CA locally
+sudo cp ${ssl_results}/cacert.pem /usr/local/share/ca-certificates/jaas.crt
+sudo update-ca-certificates
+
+# install CA on jimm server
+juju scp ${ssl_results}/cacert.pem $jimm_machine:
+juju exec --machine $jimm_machine -- sudo mv cacert.pem /usr/local/share/ca-certificates/jaas.crt
+juju exec --machine $jimm_machine -- sudo update-ca-certificates
+juju exec --machine $jimm_machine -- sudo systemctl restart jimm
+
+# install CA on controller
+# TODO: fix for HA controller
+juju scp -m controller ${ssl_results}/cacert.pem 0:
+juju exec -m controller --machine 0 -- sudo mv cacert.pem /usr/local/share/ca-certificates/jaas.crt
+juju exec -m controller --machine 0 -- sudo update-ca-certificates
+juju exec -m controller --machine 0 -- sudo systemctl restart jujud-machine-0
+
+# Wait for services to come back
+echo "Wating for processes to restart..."
+sleep 30
+
+juju config jimm-haproxy ssl_cert=$ssl_cert
+juju config jimm-haproxy ssl_key=$ssl_key
+juju config candid-haproxy ssl_cert=$ssl_cert
+juju config candid-haproxy ssl_key=$ssl_key
+
+juju config candid location=https://${candid_haproxy_hostname}.${domain_name}
+juju config jimm candid-url=https://${candid_haproxy_hostname}.${domain_name}
+juju config jimm dns-name=${jimm_haproxy_hostname}.${domain_name}
+juju config jimm controller-admins=user1
+
+echo "Run 'juju login ${jimm_haproxy_hostname}.${domain_name}' to register your juju client to the JAAS controller"
+echo "You may need to add the ${ssl_results}/cacert.pem file to your browser to validate the https connection to candid"
+echo "For loging into candid you can use user1 / password1"
diff --git a/jaas/jaas.yaml.template b/jaas/jaas.yaml.template
index 5ae62393..d8503353 100644
--- a/jaas/jaas.yaml.template
+++ b/jaas/jaas.yaml.template
@@ -6,9 +6,6 @@ # your bundle. # Variables -ssl_ca: &ssl_ca __SSL_CA__ -ssl_cert: &ssl_cert __SSL_CERT__ -ssl_key: &ssl_key __SSL_KEY__ candid-location: &candid-location "https://candid.se" jimm-dns-name: &jimm-dns-name "jimm.se" jaas-controller-admin: &jaas-controller-admin "ubuntu"
@@ -67,8 +64,6 @@ applications: default_mode: tcp enable_monitoring: True peering_mode: active-active - ssl_cert: *ssl_cert - ssl_key: *ssl_key services: | - service_name: app-candid service_host: "0.0.0.0"
@@ -97,8 +92,6 @@ applications: default_mode: tcp enable_monitoring: True peering_mode: active-active - ssl_cert: *ssl_cert - ssl_key: *ssl_key services: | - service_name: app-jimm service_host: "0.0.0.0"
diff --git a/jaas/pipeline/00setup b/jaas/pipeline/00setup
index c720459b..a956612d 100644
--- a/jaas/pipeline/00setup
+++ b/jaas/pipeline/00setup
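Review bot: The script ignores every failure: `#!/bin/sh -u` has no `-e`, the certificate generation runs in a throwaway subshell, and if it fails `base64` on the missing `servercert.pem`/`serverkey.pem` yields empty `ssl_cert`/`ssl_key` that are then applied to both haproxy applications while the `sudo cp` and `juju scp` of `cacert.pem` also proceed. I would put `set -eu` on its own line after the shebang (options in the shebang are lost when the file is run as `sh configure`) and check the generation step explicitly: `(cd ssl && ./create_ca_cert_jaas.sh "$ssl_dir" "$candid_haproxy_hostname.$domain_name" "$jimm_haproxy_hostname.$domain_name") || exit 1`. The `echo $status | jq` pipelines should pass the JSON quoted, `printf '%s' "$status" | jq ...`, since the unquoted expansion is subject to word splitting and globbing. The base64 private key is also passed as a command-line argument in `juju config jimm-haproxy ssl_key=$ssl_key`, so it shows up in process listings and shell history on the operator host; if the installed juju supports reading a setting value from a file, that form is preferable. The fixed `sleep 30` is a guess rather than a readiness check; polling `juju status` for the restarted units would be more robust.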
@@ -12,6 +12,8 @@ export -a MOD_PASSTHROUGH_OPTS=() # Collection of messages to display at the end export -A MOD_MSGS=() +# Use order 0 to ensure this is first displayed +MOD_MSGS[0_common.0]="run ./configure to initialise your deployment" # Array list of overlays to use with this deployment. export -a MOD_OVERLAYS=()
diff --git a/jaas/pipeline/02configure b/jaas/pipeline/02configure
index 3839a0c2..d0b38d73 100644
--- a/jaas/pipeline/02configure
+++ b/jaas/pipeline/02configure
@@ -22,15 +22,9 @@ cat ${candid_keys}/bakery-key.json | jq -r .private | tr -d '\n' > ${candid_keys CANDID_URL=https://candid.sts candid create-agent --admin -f ${candid_keys}/admin.agent cat ${candid_keys}/admin.agent | jq -r .key.public | tr -d '\n' > ${candid_keys}/admin-agent-public-key -(cd ssl; . ./create_ca_cert.sh $MOD_SSL_STATE_DIR;) -ssl_results="ssl/$MOD_SSL_STATE_DIR/results" -MOD_PARAMS[__SSL_PATH__]=$ssl_results MOD_PARAMS[__CANDID_PUB_KEY__]=`cat $candid_keys/public-key` MOD_PARAMS[__CANDID_PRIV_KEY__]=`cat $candid_keys/private-key` MOD_PARAMS[__CANDID_ADMIN_AGENT_KEY__]=`cat $candid_keys/admin-agent-public-key` -MOD_PARAMS[__SSL_CA__]=`base64 ${ssl_results}/cacert.pem| tr -d '\n'` -MOD_PARAMS[__SSL_CERT__]=`base64 ${ssl_results}/servercert.pem| tr -d '\n'` -MOD_PARAMS[__SSL_KEY__]=`base64 ${ssl_results}/serverkey.pem| tr -d '\n'` # Skip processing input if it includes exclusive passthrough options ! has_excl_passthrough_opt && \
diff --git a/ssl/create_ca_cert_jaas.sh b/ssl/create_ca_cert_jaas.sh
new file mode 100755
index 00000000..d1095e9d
--- /dev/null
+++ b/ssl/create_ca_cert_jaas.sh
@@ -0,0 +1,32 @@
+#!/bin/bash -eu
+state_dir=$1
+results_dir=${state_dir}/results
+declare -a required=( cacert.pem servercert.csr servercert.pem )
+
+all_exist=true
+for f in ${required[@]}; do
+ [ -r "$results_dir/$f" ] || all_exist=false && break
+done
+
+if $all_exist; then
+ echo -e "Using existing ssl certificates in ssl/$state_dir\n"
+ exit
+else
+ echo -e "Generating ssl certificates in ssl/$state_dir\n"
+fi
+
+mkdir -p $results_dir
+sed -r "s,__RESULTS_PATH__,$results_dir,g" openssl-ca.cnf.template > ${state_dir}/openssl-ca.cnf
+sed -r "s,__RESULTS_PATH__,$results_dir,g" openssl-server.cnf.template > ${state_dir}/openssl-server.cnf
+
+sed -i -r "s,__CN_VIP__,$2,g" $state_dir/openssl-server.cnf
+echo "DNS.1 = $2" >> $state_dir/openssl-server.cnf
+echo "DNS.2 = $3" >> $state_dir/openssl-server.cnf
+
+touch $results_dir/index.txt
+echo '01' > $results_dir/serial.txt
+{
+openssl req -x509 -config $state_dir/openssl-ca.cnf -newkey rsa:4096 -sha256 -nodes -out $results_dir/cacert.pem -outform PEM -subj "/C=GB/ST=England/L=London/O=Ubuntu Cloud/OU=Cloud"
+openssl req -config $state_dir/openssl-server.cnf -newkey rsa:2048 -sha256 -nodes -out $results_dir/servercert.csr -outform PEM -subj "/C=GB/ST=England/L=London/O=Ubuntu Cloud/OU=Cloud/CN=$2"
+openssl ca -batch -config $state_dir/openssl-ca.cnf -policy signing_policy -extensions signing_req -out $results_dir/servercert.pem -infiles $results_dir/servercert.csr
+} &>/dev/null
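Review bot: The reuse check in the `for f in ${required[@]}` loop is wrong: `[ -r "$results_dir/$f" ] || all_exist=false && break` parses as `{ test || assign; } && break`, so the loop stops after the first iteration whether or not `cacert.pem` exists and `servercert.csr`/`servercert.pem` are never checked. Replace the body with `if [ ! -r "$results_dir/$f" ]; then all_exist=false; break; fi` and quote the expansion as `"${required[@]}"`. `required` also omits `serverkey.pem`, which `jaas/configure` reads from the same results directory, so a partial previous run could be accepted as complete (where the key is written depends on the openssl config templates, which are outside this diff). The `} &>/dev/null` around the three `openssl` calls discards stderr as well, so under `-e` a failed CA or signing step exits the script with no diagnostic; redirecting to a log file under `$state_dir`, or silencing only stdout, would keep the failure visible.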