This repository has been archived by the owner on Apr 23, 2019. It is now read-only.

Added SSL certificates uploading. #164

Open
wants to merge 6 commits into
base: master
7 changes: 4 additions & 3 deletions nodes/sample_host.json
Expand Up @@ -40,9 +40,10 @@
"redirect_domain_names": ["<domain name>", "<domain name>", "<...>"],
"ruby_version": "2.1.0",
"ssl_info": {
"key": "<ssl key>",
"crt": "<ssl crt>"
},
"enabled": true,
"certificate": "The cert file, optional",
Collaborator

Maybe communicate more clearly that it should be a path for a file (and not the content):

"certificate": "path to the cert file, optional",
"certificate": "path to the key file"

?

Author

agree, but this is not the full path to cert files but a cert file name only. These files should be copied to vendor/cookbook/rails/files/default/certificates before uploading. For example:

"ssl_info": {
  "enabled": true,
  "certificate": "my_cert.crt", # if not given, the app's name will be used, for ex: intercity_sample_app.crt"
  "certificate_key": "my_cert.key"
}
}

Collaborator

Ah. In that case I'd communicate that, indeed.

"certificate": "my_cert.crt (if not given, the app's name will be used, for ex: intercity_sample_app.crt)"
"certificate_key": "my_cert.key"

Unfortunately one cannot add comments to a JSON file...

(After all, even when reading the code I was confused as to how to use it. But that might just say something about my Monday State Of Mind too :))

Author

What exactly were you confused with?

Collaborator

Sorry; I was merely a bit confused as to what I should have to place in the value of "certificate" and "certificate_key". I assumed it had to be the absolute path on my local machine.

I was merely thinking out loud how we could improve the wording so it becomes immediately apparent what we are expecting as values there.

"certificate_key": "The key for the cert file"
},
"env_vars": {
"key_1": "val_1",
"key_2": "val_2"
Empty file.
42 changes: 42 additions & 0 deletions vendor/cookbooks/rails/libraries/default.rb
Expand Up @@ -16,5 +16,47 @@ def nginx_custom_configuration(app_info)

empty_conf.merge(app_info["nginx_custom"] || {})
end

# Returns a server path to certificate file
#
# applications_root = '/u/apps/'
# name = 'my_app'
# ssl_certificate(applications_root, name, app_info) # => /u/apps/my_app/shared/config/my_app.crt'
#
# or,
#
# applications_root = '/u/apps/'
# name = 'my_app'
# app_info['ssl_info']['certificate'] = 'my_cert.crt'
# ssl_certificate(applications_root, name, app_info) # => /u/apps/my_app/shared/config/my_cert.crt'
#
#
def ssl_certificate(applications_root, name, app_info)
raise "Invalid application config given, no `ssl_info` present" unless ssl_info?(app_info)

Pathname.new(applications_root).join(name, "shared", "config",
app_info["ssl_info"]["certificate"] || "#{name}.crt")
end

# See #ssl_certificate
#
def ssl_certificate_key(applications_root, name, app_info)
raise "Invalid application config given, no `ssl_info` present" unless ssl_info?(app_info)

Pathname.new(applications_root).join(name, "shared", "config",
app_info["ssl_info"]["certificate_key"] || "#{name}.key")
end

# Check if the app config has ssl_info section
#
def ssl_info?(app_info)
app_info.key?("ssl_info")
end

# Checks if the app config has ssl enabled
#
def ssl_enabled?(app_info)
ssl_info?(app_info) && app_info["ssl_info"]["enabled"]
end
end
end
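
Review bot: In `ssl_certificate` and `ssl_certificate_key`, the values of `app_info["ssl_info"]["certificate"]` and `["certificate_key"]` go into `Pathname#join` unchecked. An absolute argument replaces the base in `Pathname#join`, and `..` segments walk out of it, so any value that is not a bare file name makes the `cookbook_file` resource write outside `<app>/shared/config`. Reject the value unless `File.basename(value) == value`, raising the same way the missing `ssl_info` case does. Two smaller points: the `# =>` examples in the doc comment end with a stray `'`, and `ssl_info?` only checks `key?`, so a node with `"ssl_info": null` gets a `NoMethodError` instead of the intended message.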
58 changes: 34 additions & 24 deletions vendor/cookbooks/rails/recipes/default.rb
Expand Up @@ -33,6 +33,7 @@

# Include library helpers
::Chef::Resource.send(:include, Rails::Helpers)
::Chef::Recipe.send(:include, Rails::Helpers)
Collaborator

Just for my curiosity: what does this do?

Author

without this line, the following wouldn't work, method missing:

98: ssl_certificate_path = ssl_certificate(applications_root, app, app_info)

since it's at the recipe level, not inside a resource such as:

cookbook_file pathname.to_s do
  ssl_certificate_path = ssl_certificate(applications_root, app, app_info)
end


node[:active_applications].each do |app, app_info|
rails_env = app_info['rails_env'] || "production"
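
Review bot: The added `::Chef::Recipe.send(:include, Rails::Helpers)` sits under the existing `# Include library helpers` comment with no explanation of why a second include is needed, and the reviewer had to ask. Add a one-line comment saying that the `Chef::Recipe` include is what makes `ssl_certificate`, `ssl_certificate_key` and `ssl_enabled?` callable at recipe level, outside a resource block. This also mixes every method of `Rails::Helpers` into all recipes in the run, so generic names such as `ssl_certificate` can collide with helpers from other cookbooks; a cookbook-specific prefix would avoid that.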
Expand Down Expand Up @@ -93,33 +94,42 @@

end

if app_info['ssl_info']
template "#{applications_root}/#{app}/shared/config/certificate.crt" do
owner "deploy"
group "deploy"
mode 0644
source "app_cert.crt.erb"
variables :app_crt=> app_info['ssl_info']['crt']
if ssl_enabled?(app_info)
ssl_certificate_path = ssl_certificate(applications_root, app, app_info)
ssl_certificate_key_path = ssl_certificate_key(applications_root, app, app_info)

[ssl_certificate_path, ssl_certificate_key_path].each do |pathname|
cookbook_file pathname.to_s do
source "certificates/#{pathname.basename}"
owner "deploy"
group "deploy"
mode 0644
end
end

template "#{applications_root}/#{app}/shared/config/certificate.key" do
owner "deploy"
group "deploy"
mode 0644
source "app_cert.key.erb"
variables :app_key=> app_info['ssl_info']['key']
template "/etc/nginx/sites-available/#{app}.conf" do
source "app_nginx.conf.erb"
variables(
name: app,
domain_names: app_info["domain_names"],
redirect_domain_names: app_info["redirect_domain_names"],
ssl_enabled: true,
ssl_certificate: ssl_certificate_path,
ssl_certificate_key: ssl_certificate_key_path,
custom_configuration: nginx_custom_configuration(app_info))
notifies :reload, resources(service: "nginx")
end
else
template "/etc/nginx/sites-available/#{app}.conf" do
source "app_nginx.conf.erb"
variables(
name: app,
domain_names: app_info["domain_names"],
redirect_domain_names: app_info["redirect_domain_names"],
ssl_enabled: false,
custom_configuration: nginx_custom_configuration(app_info))
notifies :reload, resources(service: "nginx")
end
end

template "/etc/nginx/sites-available/#{app}.conf" do
source "app_nginx.conf.erb"
variables(
name: app,
domain_names: app_info["domain_names"],
redirect_domain_names: app_info["redirect_domain_names"],
enable_ssl: File.exists?("#{applications_root}/#{app}/shared/config/certificate.crt"),
custom_configuration: nginx_custom_configuration(app_info))
notifies :reload, resources(service: "nginx")
end

template "#{applications_root}/#{app}/shared/config/unicorn.rb" do
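
Review bot: The `cookbook_file` loop applies `mode 0644` to both files, so the private key at `ssl_certificate_key_path` is created world-readable. Set the mode per file so the key gets `0600` (the certificate can stay `0644`). Separately, the two `template "/etc/nginx/sites-available/#{app}.conf"` blocks differ only in `ssl_enabled` and the two path variables; building the variables hash once and declaring a single template resource would keep the branches from drifting apart.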
59 changes: 34 additions & 25 deletions vendor/cookbooks/rails/recipes/passenger.rb
Expand Up @@ -50,6 +50,7 @@

# Include library helpers
::Chef::Resource.send(:include, Rails::Helpers)
::Chef::Recipe.send(:include, Rails::Helpers)

node[:active_applications].each do |app, app_info|
rails_env = app_info['rails_env'] || "production"
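
Review bot: This repeats the `::Chef::Recipe.send(:include, Rails::Helpers)` line added to `recipes/default.rb`. Doing the include once in `libraries/default.rb`, next to the helper definitions, would cover both recipes, and a future recipe that forgets the line would not fail with a missing-method error.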
Expand Down Expand Up @@ -98,45 +99,53 @@
end

if app_info['database_info']

template "#{applications_root}/#{app}/shared/config/database.yml" do
owner deploy_user
group deploy_user
mode 0600
source "app_database.yml.erb"
variables :database_info => app_info['database_info'], :rails_env => rails_env
end

end

if app_info['ssl_info']
template "#{applications_root}/#{app}/shared/config/certificate.crt" do
owner "deploy"
group "deploy"
mode 0644
source "app_cert.crt.erb"
variables :app_crt=> app_info['ssl_info']['crt']
if ssl_enabled?(app_info)
ssl_certificate_path = ssl_certificate(applications_root, app, app_info)
ssl_certificate_key_path = ssl_certificate_key(applications_root, app, app_info)

[ssl_certificate_path, ssl_certificate_key_path].each do |pathname|
cookbook_file pathname.to_s do
source "certificates/#{pathname.basename}"
owner "deploy"
group "deploy"
mode 0644
end
end

template "#{applications_root}/#{app}/shared/config/certificate.key" do
owner "deploy"
group "deploy"
mode 0644
source "app_cert.key.erb"
variables :app_key=> app_info['ssl_info']['key']
template "/etc/nginx/sites-available/#{app}.conf" do
source "app_passenger_nginx.conf.erb"
variables(
name: app,
rails_env: rails_env,
domain_names: app_info["domain_names"],
ssl_enabled: true,
ssl_certificate: ssl_certificate_path,
ssl_certificate_key: ssl_certificate_key_path,
custom_configuration: nginx_custom_configuration(app_info))
notifies :reload, resources(service: "nginx")
end
else
template "/etc/nginx/sites-available/#{app}.conf" do
source "app_passenger_nginx.conf.erb"
variables(
name: app,
rails_env: rails_env,
domain_names: app_info["domain_names"],
ssl_enabled: false,
custom_configuration: nginx_custom_configuration(app_info))
notifies :reload, resources(service: "nginx")
end
end

template "/etc/nginx/sites-available/#{app}.conf" do
source "app_passenger_nginx.conf.erb"
variables(
name: app,
rails_env: rails_env,
domain_names: app_info["domain_names"],
enable_ssl: File.exists?("#{applications_root}/#{app}/shared/config/certificate.crt"),
custom_configuration: nginx_custom_configuration(app_info))
notifies :reload, resources(:service => "nginx")
end

nginx_site "#{app}.conf" do
action :enable
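
Review bot: The new `cookbook_file` block hard-codes `owner "deploy"` / `group "deploy"` with `mode 0644`, while the `database.yml` template a few lines above in this same hunk uses `deploy_user` and `mode 0600`. Use `deploy_user` here as well, and give the key file the same `0600` treatment as `database.yml`, since both hold secrets.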
1 change: 0 additions & 1 deletion vendor/cookbooks/rails/templates/default/app_cert.crt.erb

This file was deleted.

1 change: 0 additions & 1 deletion vendor/cookbooks/rails/templates/default/app_cert.key.erb

This file was deleted.

8 changes: 4 additions & 4 deletions vendor/cookbooks/rails/templates/default/app_nginx.conf.erb
Expand Up @@ -3,7 +3,7 @@
<% if @redirect_domain_names && @redirect_domain_names.any? %>
server {
listen <%= node['nginx']['port'] || '80' %>;
<% if @enable_ssl %>
<% if @ssl_enabled %>
listen 443 ssl;
<% end %>
server_name <%= @redirect_domain_names.join(' ') %>;
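
Review bot: The rename from `@enable_ssl` to `@ssl_enabled` fails silently wherever it is missed: an unset instance variable in ERB evaluates to `nil`, so a leftover `<% if @enable_ssl %>` simply drops the `listen 443 ssl;` line instead of raising. Grep the cookbook's templates and recipes for `enable_ssl` before merging.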
Expand All @@ -29,13 +29,13 @@ server {
<%= @custom_configuration["server_main"] %>
}

<% if @enable_ssl %>
<% if @ssl_enabled %>

server {
listen 443 ssl;

ssl_certificate <%= node['rails']['applications_root'] %>/<%= @name %>/shared/config/certificate.crt;
ssl_certificate_key <%= node['rails']['applications_root'] %>/<%= @name %>/shared/config/certificate.key;
ssl_certificate <%= @ssl_certificate %>;
ssl_certificate_key <%= @ssl_certificate_key %>;

server_name <%= @domain_names.join(' ') %>;

Expand Up @@ -10,13 +10,13 @@ server {
<%= @custom_configuration["server_main"] %>
}

<% if @enable_ssl %>
<% if @ssl_enabled %>

server {
listen 443 ssl;

ssl_certificate <%= node['rails']['applications_root'] %>/<%= @name %>/shared/config/certificate.crt;
ssl_certificate_key <%= node['rails']['applications_root'] %>/<%= @name %>/shared/config/certificate.key;
ssl_certificate <%= @ssl_certificate %>;
ssl_certificate_key <%= @ssl_certificate_key %>;

passenger_enabled on;
passenger_app_env <%= @rails_env %>;