Make CKAN and ODK add-ca-cert parametrizable

2020-04-06 10:45:46 +02:00 · 2020-04-06 10:45:46 +02:00 · 09a146b54c
commit 09a146b54c
parent 5f6a7a2517
8 changed files with 15 additions and 3 deletions
--- a/apk/spoc
+++ b/apk/spoc
@ -1 +1 @@
-Subproject commit b3f2a4be70309c51a3a119cc32bd01ec1a08d2de
+Subproject commit d70fe9756a978e231a504fdc740a829bf343ad55
--- a/lxc-apps/ckan/ckan-datapusher.image.d/bin/add-ca-cert
+++ b/lxc-apps/ckan/ckan-datapusher.image.d/bin/add-ca-cert
@ -2,7 +2,10 @@
 import ssl
-cert = ssl.get_server_certificate(('host', 443))
+with open('/etc/ckan-datapusher/add-ca-cert.env') as f:
    env = dict(tuple(line.split('=')) for line in f.read().splitlines())
 cert = ssl.get_server_certificate((env['DOMAIN'], env['PORT']))
 with open('/usr/lib/python2.7/site-packages/requests/cacert.pem', 'a') as f:
    f.write(cert)
--- a/lxc-apps/ckan/install.sh
+++ b/lxc-apps/ckan/install.sh
@ -47,6 +47,7 @@ spoc-container start ckan-solr
 # Configure CKAN DataPusher
 install -o 100000 -g 108080 -m 750 -d ${DATAPUSHER_CONF}
 install -o 108080 -g 108080 -m 750 -d ${DATAPUSHER_DATA}
 install -o 100000 -g 108080 -m 640 datapusher_conf/add-ca-cert.env ${DATAPUSHER_CONF}/add-ca-cert.env
 install -o 100000 -g 108080 -m 640 datapusher_conf/datapusher.wsgi ${DATAPUSHER_CONF}/datapusher.wsgi
 install -o 100000 -g 108080 -m 640 datapusher_conf/datapusher_settings.py ${DATAPUSHER_CONF}/datapusher_settings.py
--- a/lxc-apps/ckan/install/datapusher_conf/add-ca-cert.env
+++ b/lxc-apps/ckan/install/datapusher_conf/add-ca-cert.env
@ -0,0 +1,2 @@
 DOMAIN=ckan.spotter.vm
 PORT=443
--- a/lxc-apps/opendatakit/app
+++ b/lxc-apps/opendatakit/app
@ -24,6 +24,7 @@
                "opendatakit-postgres"
            ],
            "mounts": {
                "opendatakit/odkbuild_conf/add-ca-cert.env": "srv/opendatakit-build/add-ca-cert.env:file"
                "opendatakit/odkbuild_conf/config.yml": "srv/opendatakit-build/config.yml:file"
            }
        },
--- a/lxc-apps/opendatakit/install.sh
+++ b/lxc-apps/opendatakit/install.sh
@ -31,6 +31,7 @@ install -o 108080 -g 108080 -m 640 odk_conf/server.xml ${ODK_CONF}/server.xml
 # Configure OpenDataKit Build
 export OPENDATAKITBUILD_COOKIE_SECRET=$(head -c 8 /dev/urandom | hexdump -e '"%x"')
 install -o 108080 -g 108080 -m 750 -d ${ODKBUILD_CONF}
 install -o 108080 -g 108080 -m 640 odkbuild_conf/add-ca-cert.env ${ODKBUILD_CONF}/add-ca-cert.env
 envsubst <odkbuild_conf/config.yml | install -o 108080 -g 108080 -m 640 /dev/stdin ${ODKBUILD_CONF}/config.yml
 spoc-container exec opendatakit-build -- sh -c 'cd /srv/opendatakit-build; rake db:migrate'
--- a/lxc-apps/opendatakit/install/odkbuild_conf/add-ca-cert.env
+++ b/lxc-apps/opendatakit/install/odkbuild_conf/add-ca-cert.env
@ -0,0 +1,2 @@
 DOMAIN=odk.spotter.vm
 PORT=443
--- a/lxc-apps/opendatakit/opendatakit-build.image.d/bin/add-ca-cert
+++ b/lxc-apps/opendatakit/opendatakit-build.image.d/bin/add-ca-cert
@ -1,4 +1,6 @@
 #!/bin/sh
-true | openssl s_client -connect host:443 | openssl x509 -out /usr/local/share/ca-certificates/host.crt
+. /srv/opendatakit-build/add-ca-cert.env
 true | openssl s_client -connect ${DOMAIN}:${PORT} | openssl x509 -out /usr/local/share/ca-certificates/opendatakit.crt
 update-ca-certificates
		`@ -1 +1 @@`
			`Subproject commit b3f2a4be70309c51a3a119cc32bd01ec1a08d2de`				`Subproject commit d70fe9756a978e231a504fdc740a829bf343ad55`