Posted to commits@dlab.apache.org by lf...@apache.org on 2020/08/03 13:50:37 UTC

[incubator-dlab] branch DLAB-1594-2 created (now 9fbae91)

This is an automated email from the ASF dual-hosted git repository.

lfrolov pushed a change to branch DLAB-1594-2
in repository https://gitbox.apache.org/repos/asf/incubator-dlab.git.


      at 9fbae91  [DLAB-1594]: lets encrypt certificates for ssn node

This branch includes the following new commits:

     new ee71d62  [DLAB-1594]: added massage for redhat
     new 9639c7c  [DLAB-1594]: added variables
     new 9fbae91  [DLAB-1594]: lets encrypt certificates for ssn node

The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.





[incubator-dlab] 03/03: [DLAB-1594]: lets encrypt certificates for ssn node

Posted by lf...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

lfrolov pushed a commit to branch DLAB-1594-2
in repository https://gitbox.apache.org/repos/asf/incubator-dlab.git

commit 9fbae9180f7edb6d9c2265229f764ddab89513aa
Author: leonidfrolov <fr...@gmail.com>
AuthorDate: Mon Aug 3 16:50:08 2020 +0300

    [DLAB-1594]: lets encrypt certificates for ssn node
---
 .../src/general/lib/os/debian/ssn_lib.py           | 62 ++++++++++++++++++++++
 1 file changed, 62 insertions(+)

diff --git a/infrastructure-provisioning/src/general/lib/os/debian/ssn_lib.py b/infrastructure-provisioning/src/general/lib/os/debian/ssn_lib.py
index a31fc44..2c4ac9b 100644
--- a/infrastructure-provisioning/src/general/lib/os/debian/ssn_lib.py
+++ b/infrastructure-provisioning/src/general/lib/os/debian/ssn_lib.py
@@ -173,6 +173,64 @@ def ensure_mongo():
         print('Failed to install MongoDB: ', str(err))
         sys.exit(1)
 
+def install_certbot(os_family):
+    try:
+        print('Installing Certbot')
+        if os_family == 'debian':
+            sudo('apt-get -y update')
+            sudo('apt-get -y install software-properties-common')
+            sudo('add-apt-repository -y universe')
+            sudo('add-apt-repository -y ppa:certbot/certbot')
+            sudo('apt-get -y update')
+            sudo('apt-get -y install certbot python-certbot-nginx')
+        elif os_family == 'redhat':
+            print('This OS family is not supported yet')
+    except Exception as err:
+        print('Failed Certbot install: ' + str(err))
+        sys.exit(1)
+
+def run_certbot(domain_name, email):
+    try:
+        print('Running  Certbot')
+        sudo('service nginx stop')
+        if email != '':
+            sudo('certbot certonly --standalone -n -d {} -m {}'.format(domain_name, email))
+        else:
+            sudo('certbot certonly --standalone -n -d {} --register-unsafely-without-email --agree-tos'.format(domain_name))
+    except Exception as err:
+        print('Failed to run Certbot: ' + str(err))
+        sys.exit(1)
+
+def find_replace_line(file_path, searched_str, replacement_line):
+    try:
+        with open(file_path, 'r') as file:
+            lines = file.readlines()
+            for line in lines:
+                if searched_str in line:
+                    line = replacement_line
+            with open(file_path, 'w') as file:
+                file.writelines(lines)
+    except Exception as err:
+        print('Failed to replace string: ' + str(err))
+        sys.exit(1)
+
+def configure_nginx_LE(domain_name):
+    try:
+        server_name_line ='     server_name  {};'.format(domain_name)
+        cert_path_line = '    ssl_certificate  /etc/letsencrypt/live/{}/fullchain.pem;'.format(domain_name)
+        cert_key_line = '    ssl_certificate_key /etc/letsencrypt/live/{}/privkey.pem;'.format(domain_name)
+        certbot_service = 'ExecStart = /usr/bin/certbot -q renew --pre-hook "service nginx stop" --post-hook "service nginx start"'
+        certbot_service_path = '/lib/systemd/system/certbot.service'
+        nginx_config_path = '/etc/nginx/conf.d/nginx_proxy.conf'
+        find_replace_line(nginx_config_path,'server_name' ,server_name_line)
+        find_replace_line(nginx_config_path,'ssl_certificate' ,cert_path_line)
+        find_replace_line(nginx_config_path,'ssl_certificate_key' ,cert_key_line)
+        find_replace_line(certbot_service_path, 'ExecStart', certbot_service)
+        sudo('systemctl restart nginx')
+    except Exception as err:
+        print('Failed to run Certbot: ' + str(err))
+        sys.exit(1)
+
 
 def start_ss(keyfile, host_string, dlab_conf_dir, web_path,
              os_user, mongo_passwd, keystore_passwd, cloud_provider,
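Review bot: find_replace_line never changes the file it rewrites: `line = replacement_line` on L91 only rebinds the loop variable, `lines` is written back unchanged, and even a corrected version needs a line terminator because the replacement strings built in configure_nginx_LE carry none. The substring test is also too loose: `'ssl_certificate'` matches the `ssl_certificate_key` line as well, so the call on L107 overwrites both directives with the certificate path and the key line L108 looks for no longer exists; pass a more specific needle such as `'ssl_certificate '` on L107 (assuming the template separates directive and value with a space). In run_certbot, domain_name and email come from operator configuration and are spliced unquoted into a shell command string, so they should go through shlex.quote before formatting; the email branch on L78 also lacks `--agree-tos`, which certbot's `-n` mode requires unless the account already exists, so that path likely fails on a fresh node. A rewrite of find_replace_line follows.
```python
def find_replace_line(file_path, searched_str, replacement_line):
    try:
        with open(file_path, 'r') as file:
            lines = file.readlines()
        # Rebinding the loop variable leaves `lines` untouched; build the new
        # list instead and give the replacement the terminator it lacks.
        lines = [replacement_line + '\n' if searched_str in line else line
                 for line in lines]
        with open(file_path, 'w') as file:
            file.writelines(lines)
    # … unchanged: except / sys.exit …
```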
@@ -342,6 +400,10 @@ def start_ss(keyfile, host_string, dlab_conf_dir, web_path,
                          '-noprompt -storepass changeit -keystore {1}/lib/security/cacerts'.format(os_user, java_path))
                     sudo('keytool -importcert -trustcacerts -alias ssn -file /etc/ssl/certs/dlab.crt -noprompt '
                          '-storepass changeit -keystore {0}/lib/security/cacerts'.format(java_path))
+                elif os.environ['conf_letsencrypt_enabled'] == 'true':
+                    install_certbot(os.environ['conf_os_family'])
+                    run_certbot(cloud_params['LETS_ENCRYPT_DOMAIN_NAME'], cloud_params['LETS_ENCRYPT_EMAIL'])
+                    configure_nginx_LE(cloud_params['LETS_ENCRYPT_DOMAIN_NAME'])
                 else:
                     sudo('keytool -genkeypair -alias ssn -keyalg RSA -validity 730 -storepass {1} -keypass {1} \
                          -keystore /home/{0}/keys/ssn.keystore.jks -keysize 2048 -dname "CN=localhost"'.format(
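Review bot: The new branch on L122-125 indexes cloud_params with string keys, while the ssn_configure.py scripts on this branch build cloud_params as a list of `{'key': ..., 'value': ...}` dicts; unless start_ss receives a converted mapping (not visible here), `cloud_params['LETS_ENCRYPT_DOMAIN_NAME']` raises TypeError rather than returning the domain. Unlike the sibling branches, this one neither generates the `ssn.keystore.jks` the else branch creates nor imports anything into the Java cacerts, so whatever consumes that keystore later in start_ss will not find it when Let's Encrypt is selected; if nginx alone is meant to terminate TLS in this mode, a comment such as `# Let's Encrypt: TLS terminated by nginx only, no Java keystore is created` would record that decision. The `os.environ['conf_letsencrypt_enabled']` lookup raises KeyError when the variable is absent, consistent with the surrounding code but worth a `.get(..., 'false')` since the option is new and older callers will not set it. start_ss begins and ends outside this hunk.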




[incubator-dlab] 02/03: [DLAB-1594]: added variables

Posted by lf...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

lfrolov pushed a commit to branch DLAB-1594-2
in repository https://gitbox.apache.org/repos/asf/incubator-dlab.git

commit 9639c7c3820d0b29aceecb925851f46f33330eb6
Author: leonidfrolov <fr...@gmail.com>
AuthorDate: Wed Jul 22 13:46:09 2020 +0300

    [DLAB-1594]: added variables
---
 infrastructure-provisioning/scripts/deploy_dlab.py |  6 ++
 .../src/general/conf/dlab.ini                      |  6 ++
 .../src/general/scripts/aws/ssn_configure.py       | 71 ++++++++++++++++++++++
 .../src/general/scripts/azure/ssn_configure.py     | 71 ++++++++++++++++++++++
 .../src/general/scripts/gcp/ssn_configure.py       | 71 ++++++++++++++++++++++
 5 files changed, 225 insertions(+)

diff --git a/infrastructure-provisioning/scripts/deploy_dlab.py b/infrastructure-provisioning/scripts/deploy_dlab.py
index 40b1485..7abc83b 100644
--- a/infrastructure-provisioning/scripts/deploy_dlab.py
+++ b/infrastructure-provisioning/scripts/deploy_dlab.py
@@ -143,6 +143,12 @@ parser.add_argument('--conf_stepcerts_root_ca', type=str, default='', help='Step
 parser.add_argument('--conf_stepcerts_kid', type=str, default='', help='Step KID')
 parser.add_argument('--conf_stepcerts_kid_password', type=str, default='', help='Step KID password')
 parser.add_argument('--conf_stepcerts_ca_url', type=str, default='', help='Step CA URL')
+parser.add_argument('--conf_letsencrypt_enabled', type=str, default='false', help='Enable or disable Let`s Encrypt certificates')
+parser.add_argument('--conf_letsencrypt_domain_name', type=str, default='', help='Domain names to apply. '
+                         'For multiple domains enter a comma separated list of domains as a parameter')
+parser.add_argument('--conf_letsencrypt_email', type=str, default='', help='Email that will be entered during '
+                         'certificate obtaining and can be user for urgent renewal and security notices. '
+                         'Use comma to register multiple emails, e.g. u1@example.com,u2@example.com.')
 parser.add_argument('--action', required=True, type=str, default='', choices=['build', 'deploy', 'create', 'terminate'],
                     help='Available options: build, deploy, create, terminate')
 args = parser.parse_args()
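Review bot: The help text on L169 reads `can be user for urgent renewal` and should read `can be used for urgent renewal`. Nothing checks that `--conf_letsencrypt_domain_name` is non-empty when `--conf_letsencrypt_enabled` is `true`, so the default '' is carried through the environment and ends up as the certbot `-d` argument downstream; a post-parse check such as `if args.conf_letsencrypt_enabled == 'true' and not args.conf_letsencrypt_domain_name: parser.error('--conf_letsencrypt_domain_name is required when Let`s Encrypt is enabled')` fails early with a clear message instead.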
diff --git a/infrastructure-provisioning/src/general/conf/dlab.ini b/infrastructure-provisioning/src/general/conf/dlab.ini
index 8ab5f9e..98b621d 100644
--- a/infrastructure-provisioning/src/general/conf/dlab.ini
+++ b/infrastructure-provisioning/src/general/conf/dlab.ini
@@ -77,6 +77,12 @@ stepcerts_enabled = false
 # stepcerts_kid_password =
 ### Step certificates CA URL
 # stepcerts_ca_url =
+### Enable or disable Lets Encrypt certificates
+letsencrypt_enabled = false
+### Domain names to apply
+# letsencrypt_domain_name =
+### email address to use
+# letsencrypt_email =
 ### Prefix of the private subnet
 private_subnet_prefix = 24
 ### Range of subnets defined by user
diff --git a/infrastructure-provisioning/src/general/scripts/aws/ssn_configure.py b/infrastructure-provisioning/src/general/scripts/aws/ssn_configure.py
index bb8c555..759c417 100644
--- a/infrastructure-provisioning/src/general/scripts/aws/ssn_configure.py
+++ b/infrastructure-provisioning/src/general/scripts/aws/ssn_configure.py
@@ -456,6 +456,62 @@ if __name__ == "__main__":
                     'key': 'STEP_CA_URL',
                     'value': os.environ['conf_stepcerts_ca_url']
                 })
+            cloud_params.append(
+                {
+                    'key': 'LETS_ENCRYPT_ENABLED',
+                    'value': 'false'
+                })
+            cloud_params.append(
+                {
+                    'key': 'LETS_ENCRYPT_DOMAIN_NAME',
+                    'value': ''
+                })
+            cloud_params.append(
+                {
+                    'key': 'LETS_ENCRYPT_EMAIL',
+                    'value': ''
+                })
+        elif os.environ['conf_letsencrypt_enabled'] == 'true':
+            cloud_params.append(
+                {
+                    'key': 'LETS_ENCRYPT_ENABLED',
+                    'value': os.environ['conf_letsencrypt_enabled']
+                })
+            cloud_params.append(
+                {
+                    'key': 'LETS_ENCRYPT_DOMAIN_NAME',
+                    'value': os.environ['conf_letsencrypt_domain_name']
+                })
+            cloud_params.append(
+                {
+                    'key': 'LETS_ENCRYPT_EMAIL',
+                    'value': os.environ['conf_letsencrypt_email']
+                })
+            cloud_params.append(
+                {
+                    'key': 'STEP_CERTS_ENABLED',
+                    'value': 'false'
+                })
+            cloud_params.append(
+                {
+                    'key': 'STEP_ROOT_CA',
+                    'value': ''
+                })
+            cloud_params.append(
+                {
+                    'key': 'STEP_KID_ID',
+                    'value': ''
+                })
+            cloud_params.append(
+                {
+                    'key': 'STEP_KID_PASSWORD',
+                    'value': ''
+                })
+            cloud_params.append(
+                {
+                    'key': 'STEP_CA_URL',
+                    'value': ''
+                })
         else:
             cloud_params.append(
                 {
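Review bot: When both conf_stepcerts_enabled and conf_letsencrypt_enabled are 'true', the elif on L214 is never reached and the Let's Encrypt settings are dropped with `LETS_ENCRYPT_ENABLED` forced to 'false' on L202, without any message to the operator; a `print('Step certificates take precedence, Let`s Encrypt settings ignored')` in the first branch would make the outcome visible in the provisioning log. The same block is repeated verbatim in the azure and gcp ssn_configure.py hunks, and the blank-value entries are repeated again in each file's second hunk; a small helper that appends the STEP_* and LETS_ENCRYPT_* entries from one table would keep the three scripts from drifting. The enclosing `if __name__ == "__main__":` block begins and ends outside this hunk.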
@@ -482,6 +538,21 @@ if __name__ == "__main__":
                     'key': 'STEP_CA_URL',
                     'value': ''
                 })
+            cloud_params.append(
+                {
+                    'key': 'LETS_ENCRYPT_ENABLED',
+                    'value': 'false'
+                })
+            cloud_params.append(
+                {
+                    'key': 'LETS_ENCRYPT_DOMAIN_NAME',
+                    'value': ''
+                })
+            cloud_params.append(
+                {
+                    'key': 'LETS_ENCRYPT_EMAIL',
+                    'value': ''
+                })
         logging.info('[CONFIGURE SSN INSTANCE UI]')
         print('[CONFIGURE SSN INSTANCE UI]')
         params = "--hostname {} " \
diff --git a/infrastructure-provisioning/src/general/scripts/azure/ssn_configure.py b/infrastructure-provisioning/src/general/scripts/azure/ssn_configure.py
index 4557c67..fa3f827 100644
--- a/infrastructure-provisioning/src/general/scripts/azure/ssn_configure.py
+++ b/infrastructure-provisioning/src/general/scripts/azure/ssn_configure.py
@@ -359,6 +359,62 @@ if __name__ == "__main__":
                     'key': 'STEP_CA_URL',
                     'value': os.environ['conf_stepcerts_ca_url']
                 })
+            cloud_params.append(
+                {
+                    'key': 'LETS_ENCRYPT_ENABLED',
+                    'value': 'false'
+                })
+            cloud_params.append(
+                {
+                    'key': 'LETS_ENCRYPT_DOMAIN_NAME',
+                    'value': ''
+                })
+            cloud_params.append(
+                {
+                    'key': 'LETS_ENCRYPT_EMAIL',
+                    'value': ''
+                })
+        elif os.environ['conf_letsencrypt_enabled'] == 'true':
+            cloud_params.append(
+                {
+                    'key': 'LETS_ENCRYPT_ENABLED',
+                    'value': os.environ['conf_letsencrypt_enabled']
+                })
+            cloud_params.append(
+                {
+                    'key': 'LETS_ENCRYPT_DOMAIN_NAME',
+                    'value': os.environ['conf_letsencrypt_domain_name']
+                })
+            cloud_params.append(
+                {
+                    'key': 'LETS_ENCRYPT_EMAIL',
+                    'value': os.environ['conf_letsencrypt_email']
+                })
+            cloud_params.append(
+                {
+                    'key': 'STEP_CERTS_ENABLED',
+                    'value': 'false'
+                })
+            cloud_params.append(
+                {
+                    'key': 'STEP_ROOT_CA',
+                    'value': ''
+                })
+            cloud_params.append(
+                {
+                    'key': 'STEP_KID_ID',
+                    'value': ''
+                })
+            cloud_params.append(
+                {
+                    'key': 'STEP_KID_PASSWORD',
+                    'value': ''
+                })
+            cloud_params.append(
+                {
+                    'key': 'STEP_CA_URL',
+                    'value': ''
+                })
         else:
             cloud_params.append(
                 {
@@ -385,6 +441,21 @@ if __name__ == "__main__":
                     'key': 'STEP_CA_URL',
                     'value': ''
                 })
+            cloud_params.append(
+                {
+                    'key': 'LETS_ENCRYPT_ENABLED',
+                    'value': 'false'
+                })
+            cloud_params.append(
+                {
+                    'key': 'LETS_ENCRYPT_DOMAIN_NAME',
+                    'value': ''
+                })
+            cloud_params.append(
+                {
+                    'key': 'LETS_ENCRYPT_EMAIL',
+                    'value': ''
+                })
 
         if os.environ['azure_datalake_enable'] == 'false':
             cloud_params.append(
diff --git a/infrastructure-provisioning/src/general/scripts/gcp/ssn_configure.py b/infrastructure-provisioning/src/general/scripts/gcp/ssn_configure.py
index dd622d2..62c0991 100644
--- a/infrastructure-provisioning/src/general/scripts/gcp/ssn_configure.py
+++ b/infrastructure-provisioning/src/general/scripts/gcp/ssn_configure.py
@@ -396,6 +396,62 @@ if __name__ == "__main__":
                     'key': 'STEP_CA_URL',
                     'value': os.environ['conf_stepcerts_ca_url']
                 })
+            cloud_params.append(
+                {
+                    'key': 'LETS_ENCRYPT_ENABLED',
+                    'value': 'false'
+                })
+            cloud_params.append(
+                {
+                    'key': 'LETS_ENCRYPT_DOMAIN_NAME',
+                    'value': ''
+                })
+            cloud_params.append(
+                {
+                    'key': 'LETS_ENCRYPT_EMAIL',
+                    'value': ''
+                })
+        elif os.environ['conf_letsencrypt_enabled'] == 'true':
+            cloud_params.append(
+                {
+                    'key': 'LETS_ENCRYPT_ENABLED',
+                    'value': os.environ['conf_letsencrypt_enabled']
+                })
+            cloud_params.append(
+                {
+                    'key': 'LETS_ENCRYPT_DOMAIN_NAME',
+                    'value': os.environ['conf_letsencrypt_domain_name']
+                })
+            cloud_params.append(
+                {
+                    'key': 'LETS_ENCRYPT_EMAIL',
+                    'value': os.environ['conf_letsencrypt_email']
+                })
+            cloud_params.append(
+                {
+                    'key': 'STEP_CERTS_ENABLED',
+                    'value': 'false'
+                })
+            cloud_params.append(
+                {
+                    'key': 'STEP_ROOT_CA',
+                    'value': ''
+                })
+            cloud_params.append(
+                {
+                    'key': 'STEP_KID_ID',
+                    'value': ''
+                })
+            cloud_params.append(
+                {
+                    'key': 'STEP_KID_PASSWORD',
+                    'value': ''
+                })
+            cloud_params.append(
+                {
+                    'key': 'STEP_CA_URL',
+                    'value': ''
+                })
         else:
             cloud_params.append(
                 {
@@ -422,6 +478,21 @@ if __name__ == "__main__":
                     'key': 'STEP_CA_URL',
                     'value': ''
                 })
+            cloud_params.append(
+                {
+                    'key': 'LETS_ENCRYPT_ENABLED',
+                    'value': 'false'
+                })
+            cloud_params.append(
+                {
+                    'key': 'LETS_ENCRYPT_DOMAIN_NAME',
+                    'value': ''
+                })
+            cloud_params.append(
+                {
+                    'key': 'LETS_ENCRYPT_EMAIL',
+                    'value': ''
+                })
         params = "--hostname {} --keyfile {} --dlab_path {} --os_user {} --os_family {} --billing_enabled {} " \
                  "--request_id {} --billing_dataset_name {} \
                  --resource {} --service_base_name {} --cloud_provider {} --default_endpoint_name {} " \




[incubator-dlab] 01/03: [DLAB-1594]: added massage for redhat

Posted by lf...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

lfrolov pushed a commit to branch DLAB-1594-2
in repository https://gitbox.apache.org/repos/asf/incubator-dlab.git

commit ee71d62e5e6640be44ede1170bf5cd48e390e0cd
Author: leonidfrolov <fr...@gmail.com>
AuthorDate: Wed Jul 22 12:35:22 2020 +0300

    [DLAB-1594]: added massage for redhat
---
 infrastructure-provisioning/src/general/lib/os/redhat/edge_lib.py | 2 ++
 infrastructure-provisioning/src/general/lib/os/redhat/ssn_lib.py  | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/infrastructure-provisioning/src/general/lib/os/redhat/edge_lib.py b/infrastructure-provisioning/src/general/lib/os/redhat/edge_lib.py
index 8dde808..3ee832e 100644
--- a/infrastructure-provisioning/src/general/lib/os/redhat/edge_lib.py
+++ b/infrastructure-provisioning/src/general/lib/os/redhat/edge_lib.py
@@ -111,6 +111,8 @@ def install_nginx_lua(edge_ip, nginx_version, keycloak_auth_server_url, keycloak
                 sudo('systemctl daemon-reload')
                 sudo('systemctl enable step-cert-manager.service')
             else:
+                if os.environ['conf_letsencrypt_enabled'] == 'true':
+                    print('Lets Encrypt certificates are not supported for redhat in dlab. Using self signed certificates')
                 sudo('openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/certs/dlab.key \
                      -out /etc/ssl/certs/dlab.crt -subj "/C=US/ST=US/L=US/O=dlab/CN={}"'.format(hostname))
             sudo('mkdir -p /tmp/lua')
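Review bot: The added check on L491-492 silently downgrades to a self-signed certificate when the operator explicitly asked for Let's Encrypt; the message goes only to stdout and the run still succeeds, so the trust mismatch is easy to miss in a provisioning log. Either emit it through the module's logger (if one is in scope) or refuse with `sys.exit(1)` so the operator has to pick a supported option; the same applies to the identical insert in redhat/ssn_lib.py at L504-505. install_nginx_lua begins and ends outside this hunk.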
diff --git a/infrastructure-provisioning/src/general/lib/os/redhat/ssn_lib.py b/infrastructure-provisioning/src/general/lib/os/redhat/ssn_lib.py
index ddda21f..a0022da 100644
--- a/infrastructure-provisioning/src/general/lib/os/redhat/ssn_lib.py
+++ b/infrastructure-provisioning/src/general/lib/os/redhat/ssn_lib.py
@@ -356,6 +356,8 @@ def start_ss(keyfile, host_string, dlab_conf_dir, web_path,
                     sudo('keytool -importcert -trustcacerts -alias ssn -file /etc/ssl/certs/dlab.crt -noprompt '
                          '-storepass changeit -keystore {0}/lib/security/cacerts'.format(java_path))
                 else:
+                    if os.environ['conf_letsencrypt_enabled'] == 'true':
+                        print('Lets Encrypt certificates are not supported for redhat in dlab. Using self signed certificates')
                     sudo('keytool -genkeypair -alias ssn -keyalg RSA -validity 730 -storepass {1} -keypass {1} \
                          -keystore /home/{0}/keys/ssn.keystore.jks -keysize 2048 -dname "CN=localhost"'.format(
                         os_user, keystore_passwd))

