Custom SSL certificate for Contrail WebUI

Adding ssl creation step (in /etc/contrail/webui_ssl) while installing contrail-web-core package in stead of making it part of contrail-provisioning. Change-Id: I03c612f4baf3c95231de2feb031ec321e219b0e3 Related-Bug: #1704746 (cherry picked from commit bd34383) (cherry picked from commit bedac2b)
Juniper · Nov 22, 2017 · 5fab254 · 5fab254
1 parent bc643bb
commit 5fab254
Show file tree

Hide file tree

Showing 5 changed files with 43 additions and 2 deletions.
diff --git a/common/debian/contrail-web-core/debian/contrail-web-core.postinst b/common/debian/contrail-web-core/debian/contrail-web-core.postinst
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+websslpath=/etc/contrail/webui_ssl
+sslsub=/C=US/ST=CA/L=Sunnyvale/O=JuniperNetworks/OU=JuniperCA/CN=ContrailCA
+
+if [ ! -e $websslpath/cs-key.pem ] && [ ! -e $websslpath/cs-cert.pem ]; then
+	openssl req -new -newkey rsa:2048 -nodes -out $websslpath/certrequest.csr -keyout $websslpath/cs-key.pem -subj $sslsub
+	openssl x509 -req -days 730 -in $websslpath/certrequest.csr -signkey $websslpath/cs-key.pem -out $websslpath/cs-cert.pem
+fi
diff --git a/common/debian/contrail-web-core/debian/contrail-web-core.postrm b/common/debian/contrail-web-core/debian/contrail-web-core.postrm
@@ -0,0 +1,13 @@
+#!/bin/sh
+# vim: set ts=2 et:
+
+set -e
+websslpath=/etc/contrail/webui_ssl
+
+if [ "$1" = "remove" ] || [ "$1" = "purge" ] ; then
+  if [ -e $websslpath ] ; then
+    mv $websslpath /tmp/webui_ssl.$(date +%F_%R).backup
+  fi
+fi
+#DEBHELPER#
+
diff --git a/common/debian/contrail-web-core/debian/control b/common/debian/contrail-web-core/debian/control
@@ -8,7 +8,7 @@ Build-Depends: debhelper (>= 8)
 Package: contrail-web-core
 Architecture: amd64
 Maintainer: swamy <swamy@juniper.net>
-Depends: redis-server (>= 2:2.6.13-1), nodejs (>=0.10.35-1contrail1)
+Depends: redis-server (>= 2:2.6.13-1), nodejs (>=0.10.35-1contrail1), openssl
 Replaces: contrail-webui
 Conflicts: contrail-webui
 Section: contrail-web-core

diff --git a/common/debian/contrail-web-core/debian/rules b/common/debian/contrail-web-core/debian/rules
@@ -24,6 +24,7 @@ export _contrailwebsrc := /usr/src/contrail/contrail-web-core
 export _libdir := /usr/lib64
 export _nodemodules := node_modules
 export _config := $(SB_TOP)/contrail-web-core/config
+export _webuisslpath := /etc/contrail/webui_ssl
 
 export BUILDTIME := $(shell date -u +%y%m%d%H%M)
 
@@ -53,10 +54,12 @@ override_dh_auto_install:
 	rm -rf $(buildroot)/$(_contrailwebsrc)
 	rm -rf $(buildroot)/$(_libdir)/node_modules
 	rm -rf $(buildroot)/$(_contrailetc)
+	rm -rf $(buildroot)/$(_webuisslpath)
 
 	mkdir -p $(buildroot)/$(_contrailwebsrc)
 	mkdir -p $(buildroot)/$(_libdir)/node_modules
 	mkdir -p $(buildroot)/$(_contrailetc)
+	mkdir -p $(buildroot)/$(_webuisslpath)
 
 	cp -r -p $(SB_TOP)/contrail-web-core/* $(buildroot)/$(_contrailwebsrc)/.
 

diff --git a/common/rpm/contrail-web-core.spec b/common/rpm/contrail-web-core.spec
@@ -9,7 +9,9 @@
 %define		_nodemodules		node_modules/
 %define		_config			contrail-web-core/config
 %define		_contrailuitoolsdir	src/tools
-%define         _supervisordir /etc/contrail/supervisord_webui_files
+%define		_supervisordir		/etc/contrail/supervisord_webui_files
+%define		_websslpath		/etc/contrail/webui_ssl
+%define		_sslsub			/C=US/ST=CA/L=Sunnyvale/O=JuniperNetworks/OU=JuniperCA/CN=ContrailCA
 
 %if 0%{?_buildTag:1}
 %define         _relstr      %{_buildTag}
@@ -36,6 +38,7 @@ Vendor:             Juniper Networks Inc
 Requires:	redis
 Requires:	nodejs >= nodejs-0.10.35-1contrail
 Requires:	supervisor
+Requires:	openssl
 
 Obsoletes:      contrail-webui
 
@@ -71,13 +74,15 @@ install -d -m 755 %{buildroot}%{_initddir}
 %endif
 rm -rf %{buildroot}%{_libdir}/node_modules
 rm -rf %{buildroot}%{_contrailetc}
+rm -rf %{buildroot}%{_websslpath}
 
 mkdir -p %{buildroot}%{_contrailwebsrc}
 %if 0%{?fedora} >= 17
 mkdir -p %{buildroot}%{_servicedir}
 %endif
 mkdir -p %{buildroot}%{_libdir}/node_modules
 mkdir -p %{buildroot}%{_contrailetc}
+mkdir -p %{buildroot}%{_websslpath}
 
 #cp -r -p %{_sourcedir}/%{name}/contrail-ui/* %{buildroot}%{_contrailwebsrc}/
 pushd %{_builddir}/..
@@ -134,8 +139,13 @@ rm -rf %{_specdir}/contrail-webui.spec
 %config(noreplace) %{_contrailetc}/contrail-webui-userauth.js
 %config(noreplace) %{_supervisordir}/*
 %config(noreplace) %{_contrailetc}/supervisord_webui.conf
+%dir %{_websslpath}
 
 %post
+if [ ! -e %{_websslpath}/cs-key.pem ] || [ ! -e %{_websslpath}/cs-cert.pem ] ; then
+	openssl req -new -newkey rsa:2048 -nodes -out %{_websslpath}/certrequest.csr -keyout %{_websslpath}/cs-key.pem -subj %{_sslsub}
+	openssl x509 -req -days 730 -in %{_websslpath}/certrequest.csr -signkey %{_websslpath}/cs-key.pem -out %{_websslpath}/cs-cert.pem
+fi
 %if 0%{?rhel}
 %else
 /bin/systemctl daemon-reload
@@ -160,6 +170,12 @@ elif [ $1 = 0 ] ; then
 fi
 exit 0
 
+%postun
+if [ $1 = 0 ] ; then
+	# Backup the SSL keys in /tmp
+	mv %{_websslpath} /tmp/webui_ssl.%(date +%F_%R).backup
+fi
+
 %changelog
 * Tue Jan 30 2013 - bmandal@contrailsystems.com
 - Added log file in package.