This repository has been archived by the owner on Apr 23, 2019. It is now read-only.

Added SSL certificates uploading. #164

7 changes: 4 additions & 3 deletions nodes/sample_host.json
Expand Up @@ -40,9 +40,10 @@
"redirect_domain_names": ["<domain name>", "<domain name>", "<...>"],
"ruby_version": "2.1.0",
"ssl_info": {
"key": "<ssl key>",
"crt": "<ssl crt>"
},
"enabled": true,
"certificate": "The cert file, optional",
Collaborator

Maybe communicate more clearly that it should be a path for a file (and not the content):

"certificate": "path to the cert file, optional",
"certificate": "path to the key file"

?

Author

Agree, but this is not the full path to cert files but a cert file name only. These files should be copied to vendor/cookbook/rails/files/default/certificates before uploading. For example:

"ssl_info": {
  "enabled": true,
  "certificate": "my_cert.crt", # if not given, the app's name will be used, for ex: intercity_sample_app.crt"
  "certificate_key": "my_cert.key"
}
}

Collaborator

Ah. In that case I'd communicate that, indeed.

"certificate": "my_cert.crt (if not given, the app's name will be used, for ex: intercity_sample_app.crt)"
"certificate_key": "my_cert.key"

Unfortunately one cannot add comments to a JSON file...

(After all, even when reading the code I was confused as to how to use it. But that might just say something about my Monday State Of Mind too :))

Author

What exactly were you confused with?

Collaborator

Sorry; I was merely a bit confused as to what I should have to place in the value of "certificate" and "certificate_key". I assumed it had to be the absolute path on my local machine.

I was merely thinking out loud how we could improve the wording so it becomes immediately apparent what we are expecting as values there.

"certificate_key": "The key for the cert file"
},
"env_vars": {
"key_1": "val_1",
"key_2": "val_2"
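
Review bot: The key rename inside `ssl_info` is a breaking change that the sample does not flag. `key` and `crt` are dropped and `enabled`, `certificate` and `certificate_key` replace them, so a node file written against the old sample still parses but has no `enabled` key. Since `ssl_enabled?` in libraries/default.rb returns `app_info['ssl_info']['enabled']`, the recipes would render the `ssl_enabled: false` nginx template for such a node and the 443 server block disappears without an error. Consider raising when `ssl_info` still contains `key` or `crt`, or documenting the migration next to this sample. The placeholder strings would also read better as example file names, because the recipe uses them as names under `certificates/`.
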
Empty file.
40 changes: 40 additions & 0 deletions vendor/cookbooks/rails/libraries/default.rb
Expand Up @@ -16,5 +16,45 @@ def nginx_custom_configuration(app_info)

empty_conf.merge(app_info["nginx_custom"] || {})
end

# Returns a server path to certificate file
#
# applications_root = '/u/apps/'
# name = 'my_app'
# app_info['ssl_certificate'] = 'my_cert.crt'
# ssl_certificate(applications_root, name, app_info) # => /u/apps/my_app/shared/config/my_cert.crt'
#
# applications_root = '/u/apps/'
# name = 'my_app'
# app_info['ssl_certificate'] = nil
# ssl_certificate(applications_root, name, app_info) # => /u/apps/my_app/shared/config/my_app.crt'
#
def ssl_certificate(applications_root, name, app_info)
raise "Invalid application config given, no `ssl_info` present" unless ssl_info?(app_info)

Trailing whitespace detected.

Pathname.new(applications_root).join(name, "shared", "config",
app_info["ssl_info"]["certificate"] || "#{name}.crt")
end

# See #ssl_certificate
#
def ssl_certificate_key(applications_root, name, app_info)
raise "Invalid application config given, no `ssl_info` present" unless ssl_info?(app_info)

Pathname.new(applications_root).join(name, "shared", "config",
app_info["ssl_info"]["certificate_key"] || "#{name}.key")
end

# Check if the app config has ssl_info section
#
def ssl_info?(app_info)
app_info.key?('ssl_info')

Prefer double-quoted strings unless you need single quotes to avoid extra backslashes for escaping.

end

# Checks if the app config has ssl enabled
#
def ssl_enabled?(app_info)
ssl_info?(app_info) && app_info['ssl_info']['enabled']

Prefer double-quoted strings unless you need single quotes to avoid extra backslashes for escaping.

end
end
end
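
Review bot: In `ssl_certificate` and `ssl_certificate_key`, the value of `app_info["ssl_info"]["certificate"]` (and `"certificate_key"`) goes into `Pathname#join` without validation. A value containing `../` resolves outside `shared/config`, and an absolute value replaces the whole base path, because `Pathname#join` restarts at an absolute argument; the recipes then use the result as a `cookbook_file` destination. Suggest rejecting any value where `File.basename(value) != value` before joining, raising in the same way as the `ssl_info` check. Separately, the doc comment sets `app_info['ssl_certificate']` while the code reads `app_info["ssl_info"]["certificate"]`, and both example return values end in a stray `'`.
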
58 changes: 34 additions & 24 deletions vendor/cookbooks/rails/recipes/default.rb
Expand Up @@ -33,6 +33,7 @@

# Include library helpers
::Chef::Resource.send(:include, Rails::Helpers)
::Chef::Recipe.send(:include, Rails::Helpers)
Collaborator

Just for my curiosity: what does this do?

Author

Without this line, the following wouldn't work (method missing):

98: ssl_certificate_path = ssl_certificate(applications_root, app, app_info)

since it's at the recipe level, not inside a resource such as:

cookbook_file pathname.to_s do
  ssl_certificate_path = ssl_certificate(applications_root, app, app_info)
end


node[:active_applications].each do |app, app_info|
rails_env = app_info['rails_env'] || "production"
Expand Down Expand Up @@ -93,33 +94,42 @@

end

if app_info['ssl_info']
template "#{applications_root}/#{app}/shared/config/certificate.crt" do
owner "deploy"
group "deploy"
mode 0644
source "app_cert.crt.erb"
variables :app_crt=> app_info['ssl_info']['crt']
if ssl_enabled?(app_info)
ssl_certificate_path = ssl_certificate(applications_root, app, app_info)
ssl_certificate_key_path = ssl_certificate_key(applications_root, app, app_info)

[ssl_certificate_path, ssl_certificate_key_path].each do |pathname|
cookbook_file pathname.to_s do
source "certificates/#{pathname.basename}"
owner "deploy"
group "deploy"
mode 0644
end
end

template "#{applications_root}/#{app}/shared/config/certificate.key" do
owner "deploy"
group "deploy"
mode 0644
source "app_cert.key.erb"
variables :app_key=> app_info['ssl_info']['key']
template "/etc/nginx/sites-available/#{app}.conf" do
source "app_nginx.conf.erb"
variables(
name: app,
domain_names: app_info["domain_names"],
redirect_domain_names: app_info["redirect_domain_names"],
ssl_enabled: true,
ssl_certificate: ssl_certificate_path,
ssl_certificate_key: ssl_certificate_key_path,
custom_configuration: nginx_custom_configuration(app_info))
notifies :reload, resources(service: "nginx")
end
else
template "/etc/nginx/sites-available/#{app}.conf" do
source "app_nginx.conf.erb"
variables(
name: app,
domain_names: app_info["domain_names"],
redirect_domain_names: app_info["redirect_domain_names"],
ssl_enabled: false,
custom_configuration: nginx_custom_configuration(app_info))
notifies :reload, resources(service: "nginx")
end
end

template "/etc/nginx/sites-available/#{app}.conf" do
source "app_nginx.conf.erb"
variables(
name: app,
domain_names: app_info["domain_names"],
redirect_domain_names: app_info["redirect_domain_names"],
enable_ssl: File.exists?("#{applications_root}/#{app}/shared/config/certificate.crt"),
custom_configuration: nginx_custom_configuration(app_info))
notifies :reload, resources(service: "nginx")
end

template "#{applications_root}/#{app}/shared/config/unicorn.rb" do
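
Review bot: The `cookbook_file` loop over `[ssl_certificate_path, ssl_certificate_key_path]` applies `mode 0644` to both files, so the private key is written world-readable. The removed `certificate.key` template had the same mode, but this rewrite is the natural place to fix it: give the key its own `cookbook_file` resource with `mode 0600` and keep `0644` for the certificate only. The passenger recipe already uses `mode 0600` for `database.yml`, so there is precedent in this cookbook for restricting secrets.
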
59 changes: 34 additions & 25 deletions vendor/cookbooks/rails/recipes/passenger.rb
Expand Up @@ -50,6 +50,7 @@

# Include library helpers
::Chef::Resource.send(:include, Rails::Helpers)
::Chef::Recipe.send(:include, Rails::Helpers)

node[:active_applications].each do |app, app_info|
rails_env = app_info['rails_env'] || "production"
Expand Down Expand Up @@ -98,45 +99,53 @@
end

if app_info['database_info']

template "#{applications_root}/#{app}/shared/config/database.yml" do
owner deploy_user
group deploy_user
mode 0600
source "app_database.yml.erb"
variables :database_info => app_info['database_info'], :rails_env => rails_env
end

end

if app_info['ssl_info']
template "#{applications_root}/#{app}/shared/config/certificate.crt" do
owner "deploy"
group "deploy"
mode 0644
source "app_cert.crt.erb"
variables :app_crt=> app_info['ssl_info']['crt']
if ssl_enabled?(app_info)
ssl_certificate_path = ssl_certificate(applications_root, app, app_info)
ssl_certificate_key_path = ssl_certificate_key(applications_root, app, app_info)

[ssl_certificate_path, ssl_certificate_key_path].each do |pathname|
cookbook_file pathname.to_s do
source "certificates/#{pathname.basename}"
owner "deploy"
group "deploy"
mode 0644
end
end

template "#{applications_root}/#{app}/shared/config/certificate.key" do
owner "deploy"
group "deploy"
mode 0644
source "app_cert.key.erb"
variables :app_key=> app_info['ssl_info']['key']
template "/etc/nginx/sites-available/#{app}.conf" do
source "app_passenger_nginx.conf.erb"
variables(
name: app,
rails_env: rails_env,
domain_names: app_info["domain_names"],
ssl_enabled: true,

Trailing whitespace detected.

ssl_certificate: ssl_certificate_path,
ssl_certificate_key: ssl_certificate_key_path,
custom_configuration: nginx_custom_configuration(app_info))
notifies :reload, resources(:service => "nginx")

Use the new Ruby 1.9 hash syntax.

end
else
template "/etc/nginx/sites-available/#{app}.conf" do
source "app_passenger_nginx.conf.erb"
variables(
name: app,
rails_env: rails_env,
domain_names: app_info["domain_names"],
ssl_enabled: false,
custom_configuration: nginx_custom_configuration(app_info))
notifies :reload, resources(:service => "nginx")

Use the new Ruby 1.9 hash syntax.

end
end

template "/etc/nginx/sites-available/#{app}.conf" do
source "app_passenger_nginx.conf.erb"
variables(
name: app,
rails_env: rails_env,
domain_names: app_info["domain_names"],
enable_ssl: File.exists?("#{applications_root}/#{app}/shared/config/certificate.crt"),
custom_configuration: nginx_custom_configuration(app_info))
notifies :reload, resources(:service => "nginx")
end

nginx_site "#{app}.conf" do
action :enable
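
Review bot: `source "certificates/#{pathname.basename}"` in the `cookbook_file` loop requires the private key to sit unencrypted in the cookbook's files directory before a run, which leaves it one `git add` away from the repository and includes it in anything that packages the cookbook. Suggest ignoring the contents of the certificates directory in version control and saying so in the README, or reading the key from an encrypted data bag instead of a cookbook file. The loop also repeats `mode 0644` for the key, as in recipes/default.rb, and the two `template` resources in the `if`/`else` differ only in their three `ssl_*` variables, so they could be one resource with the variables computed beforehand.
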
1 change: 0 additions & 1 deletion vendor/cookbooks/rails/templates/default/app_cert.crt.erb

This file was deleted.

1 change: 0 additions & 1 deletion vendor/cookbooks/rails/templates/default/app_cert.key.erb

This file was deleted.

8 changes: 4 additions & 4 deletions vendor/cookbooks/rails/templates/default/app_nginx.conf.erb
Expand Up @@ -3,7 +3,7 @@
<% if @redirect_domain_names && @redirect_domain_names.any? %>
server {
listen <%= node['nginx']['port'] || '80' %>;
<% if @enable_ssl %>
<% if @ssl_enabled %>
listen 443 ssl;
<% end %>
server_name <%= @redirect_domain_names.join(' ') %>;
Expand All @@ -29,13 +29,13 @@ server {
<%= @custom_configuration["server_main"] %>
}

<% if @enable_ssl %>
<% if @ssl_enabled %>

server {
listen 443 ssl;

ssl_certificate <%= node['rails']['applications_root'] %>/<%= @name %>/shared/config/certificate.crt;
ssl_certificate_key <%= node['rails']['applications_root'] %>/<%= @name %>/shared/config/certificate.key;
ssl_certificate <%= @ssl_certificate %>;
ssl_certificate_key <%= @ssl_certificate_key %>;

server_name <%= @domain_names.join(' ') %>;

Expand Up @@ -10,13 +10,13 @@ server {
<%= @custom_configuration["server_main"] %>
}

<% if @enable_ssl %>
<% if @ssl_enabled %>

server {
listen 443 ssl;

ssl_certificate <%= node['rails']['applications_root'] %>/<%= @name %>/shared/config/certificate.crt;
ssl_certificate_key <%= node['rails']['applications_root'] %>/<%= @name %>/shared/config/certificate.key;
ssl_certificate <%= @ssl_certificate %>;
ssl_certificate_key <%= @ssl_certificate_key %>;

passenger_enabled on;
passenger_app_env <%= @rails_env %>;