fix: [zato] restart load-balancer after updating the .pem cert

keycloak-elabore/README.rst

@@ -11,6 +11,8 @@ To start with ``keycloak``, just put this service in your
 ``compose.yml``::
 
     keycloak:
+      docker-compose:
+        image: docker.0k.io/keycloak24.0.4-elabore:1.0.0
       options:
         admin-password: CHANGEME
       relations:

keycloak-elabore/actions/rebuild

@@ -0,0 +1,3 @@
+#!/bin/bash 
+
+

keycloak-elabore/metadata.yml

@@ -1,7 +1,4 @@
 
-data-resources:
-  - /opt/keycloak
-
 default-options:
 
 uses:
@@ -17,7 +14,7 @@ uses:
   postgres-database:
     #constraint: required | recommended | optional
     #auto: pair | summon | none ## default: pair
-    constraint: required
+    constraint: recommended
     auto: summon
     solves:
       database: "main storage"

zato/README.org

@@ -0,0 +1,32 @@
+# -*- ispell-local-dictionary: "english" -*-
+
+* Info
+
+From Zato 3.2 : https://zato.io/en/docs/3.2/tutorial/01.html
+
+
+* Usage
+
+Lauching with web-proxy need to have a frontend connected
+Deployments of services : they should be mounted as volume for the docker
+
+Warning : if using keycloak the correct keycloak_public_key have to be manually placed in reso
+
+#+begin_src yaml
+
+zato:
+  docker-compose:
+    volumes:
+      - <PROJECT_FOLDER>/schemas:/opt/zato/current/extlib/schemas:rw
+      - <PROJECT_FOLDER>/models:/opt/zato/current/extlib/models:rw
+      - <PROJECT_FOLDER>/services:/opt/hot-deploy/services:rw
+      - <PROJECT_FOLDER>/enmasse:/opt/hot-deploy/enmasse:rw
+      - <PROJECT_FOLDER>/resources/keycloak_public_key.pem:/opt/hot-deploy/keycloak_public_key.pem:rw
+  relations:
+    web-proxy:
+      frontend:
+        domain: zato.<mondomain>.coop
+
+#+end_src
+
+

zato/actions/renew_crt

@@ -0,0 +1,23 @@
+#!/bin/bash
+# compose: no-hooks
+
+## Merged letsencrypt certificate for load_balancer in zato 
+
+. $CHARM_PATH/lib/common
+
+DOMAIN=$(relation:get "$SERVICE_NAME":web-proxy domain)
+
+
+merge_crt_letsencrypt "$DOMAIN" || exit 1 
+
+zato_commands="
+cd /opt/zato &&
+./restart-load-balancer.sh
+"
+
+if ! exec_as_zato_in_container "$zato_commands"; then
+    printf "Error: failed to execute 'restart-load-balancer' in container '%s'.\n" "$CONTAINER_NAME" >&2
+    return 1
+fi
+
+echo "load balancer restarted"

zato/actions/restart-zato

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+
+if [ -z "$SERVICE_DATASTORE" ]; then
+    echo "This script is meant to be run through 'compose' to work properly." >&2
+    exit 1
+fi
+
+. "$CHARM_PATH/lib/common"
+
+# Combined commands to be run as zato user
+zato_commands="
+    cd /opt/zato/env/qs-1 &&
+    ./start-server-fg.sh &
+"
+
+# Execute commands as zato user
+exec_as_zato_in_container "/opt/zato/current/bin/zato stop /opt/zato/env/qs-1/server1/"
+sleep 3
+if ! exec_as_zato_in_container "$zato_commands"; then
+    printf "Error: Failed to execute zato commands in container '%s'.\n" "$CONTAINER_NAME" >&2
+    exit 1
+fi
+
+printf "Zato restarted  successfully in container '%s'.\n" "$CONTAINER_NAME" >&2

zato/actions/start-zato

@@ -0,0 +1,24 @@
+#!/bin/bash
+
+
+if [ -z "$SERVICE_DATASTORE" ]; then
+    echo "This script is meant to be run through 'compose' to work properly." >&2
+    exit 1
+fi
+
+. "$CHARM_PATH/lib/common"
+
+# Combined commands to be run as zato user
+zato_commands="
+    cd /opt/zato/env/qs-1 &&
+    ./start-server-fg.sh &
+"
+
+# Execute commands as zato user
+if ! exec_as_zato_in_container "$zato_commands"; then
+    printf "Error: Failed to execute zato commands in container '%s'.\n" "$CONTAINER_NAME" >&2
+    return 1
+fi
+
+printf "Zato started successfully in container '%s'.\n" "$CONTAINER_NAME" >&2
+

zato/actions/stop-zato

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+
+if [ -z "$SERVICE_DATASTORE" ]; then
+    echo "This script is meant to be run through 'compose' to work properly." >&2
+    exit 1
+fi
+
+. "$CHARM_PATH/lib/common"
+
+# Combined commands to be run as zato user
+zato_commands="/opt/zato/current/bin/zato stop /opt/zato/env/qs-1/server1/"
+
+# Execute commands as zato user
+if ! exec_as_zato_in_container "$zato_commands"; then
+    printf "Error: Failed to execute zato commands in container '%s'.\n" "$CONTAINER_NAME" >&2
+    return 1
+fi
+
+printf "Zato stopped successfully in container '%s'.\n" "$CONTAINER_NAME" >&2
+

zato/hooks/init

@@ -0,0 +1,48 @@
+#!/bin/bash
+
+## Init is run on host
+## For now it is run every time the script is launched, but
+## it should be launched only once after build.
+
+## Accessible variables are:
+## - SERVICE_NAME        Name of current service
+## - DOCKER_BASE_IMAGE   Base image from which this service might be built if any
+## - SERVICE_DATASTORE           Location on host of the DATASTORE of this service
+## - SERVICE_CONFIGSTORE         Location on host of the CONFIGSTORE of this service
+
+
+set -e
+
+. lib/common
+
+ZATO_DIR="/opt/hot-deploy"
+DATASTORE_ZATO_DIR="$SERVICE_NAME$ZATO_DIR"
+
+
+SSH_PASSWORD_FILE="$SERVICE_DATASTORE"/.compose/password/ssh-password
+DASHBOARD_PASSWORD_FILE="$SERVICE_DATASTORE"/.compose/password/dashboard-password
+IDE_PASSWORD_FILE="$SERVICE_DATASTORE"/.compose/password/ide-password
+## Load balancer script in not in /opt/zato/env/qs-1 because this folder is created after launch
+RESTART_LOADBALANCER_FILE=/opt/zato/restart-load-balancer.sh
+
+ssh_password=$(generate_or_get_secret "$SSH_PASSWORD_FILE")
+dashboard_password=$(generate_or_get_secret "$DASHBOARD_PASSWORD_FILE")
+ide_password=$(generate_or_get_secret "$IDE_PASSWORD_FILE")
+
+
+init-config-add "
+$SERVICE_NAME:
+  environment:
+    Zato_Log_Env_Details: \"True\"
+    Zato_Dashboard_Debug_Enabled: \"True\"
+    Zato_SSH_Password: \"$ssh_password\"
+    Zato_Dashboard_Password: \"$dashboard_password\"
+    Zato_IDE_Password: \"$ide_password\"
+  volumes:
+    - /srv/charm-store/elabore-charms/zato/resources$RESTART_LOADBALANCER_FILE:$RESTART_LOADBALANCER_FILE
+"
+
+# uid=$(docker_get_uid "$SERVICE_NAME" "zato")
+# mkdir -p "$DATASTORE_ZATO_DIR"
+# chown "$uid" "$DATASTORE_ZATO_DIR"
+

zato/hooks/postgres_database-relation-joined

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -e
+
+user=$(relation-get user) || exit 1
+password="$(relation-get password)" || exit 1
+dbname="$(relation-get dbname)" || exit 1
+COMPOSE_DIR="$SERVICE_DATASTORE/.compose"
+
+echo "
+user:${user}
+dbname:${dbname}
+password:${password}
+" > $COMPOSE_DIR/psql_id

zato/hooks/web_proxy-relation-joined

@@ -0,0 +1,22 @@
+#!/bin/bash
+
+. lib/common
+
+DOMAIN=$(relation-get domain) || exit 1
+CUSTOM_CREATE_LB_PATH="/opt/zato/3.2.0/code/zato-cli/src/zato/cli/create_lb.py"
+
+set -e
+
+merge_crt_letsencrypt "$DOMAIN"
+
+# adding custom config file to handle https in load_balancer with letsencrypt-fullchain certificate
+
+config-add "\
+services:
+  $MASTER_BASE_SERVICE_NAME:
+    volumes:
+      - $BASE_CHARM_PATH/resources/$CUSTOM_CREATE_LB_PATH:$CUSTOM_CREATE_LB_PATH
+      - $DEST_LETSENCRYPT_FULLCHAIN:/opt/zato/letsencrypt-fullchain.pem
+"
+
+info "Configured $SERVICE_NAME load_balancer with HTTPS support."

zato/lib/common

@@ -0,0 +1,51 @@
+#!/bin/bash
+
+generate_or_get_secret() {
+    local secret_file="$1"
+    local secret_value
+
+    if ! [ -f "$secret_file" ]; then
+        info "Generating secret password for ${secret_file##*/}"
+        mkdir -p "${secret_file%/*}"
+        umask 077
+        secret_value=$(openssl rand -hex 32)
+        echo "$secret_value" > "$secret_file"
+    else
+        info "Using existing secret from ${secret_file##*/}"
+        secret_value=$(cat "$secret_file")
+    fi
+
+    echo "$secret_value"
+}
+
+get_container_name(){
+    containers="$(get_running_containers_for_service "$SERVICE_NAME")"
+    if [ -z "$containers" ]; then
+        error "No running containers found for service $SERVICE_NAME"
+        exit 1
+    fi
+    container="$(echo "$containers" | head -n 1)"
+    echo "$container"
+}
+
+# Function to execute all commands sequentially as the zato user inside the Docker container
+exec_as_zato_in_container() {
+    CONTAINER_NAME=$(get_container_name)
+    local cmd="$1"
+    if ! docker exec -i "$CONTAINER_NAME" bash -c "su - zato -c '$cmd'"; then
+        printf "Error: Failed to execute command '%s' as zato user in container '%s'\n" "$cmd" "$CONTAINER_NAME" >&2
+        return 1
+    fi
+}
+
+## merge certificate for zato HapProxy to handle https API calls
+merge_crt_letsencrypt(){
+    local DOMAIN="$1"
+    
+    DEST_LETSENCRYPT_FULLCHAIN="$SERVICE_DATASTORE/opt/zato/letsencrypt-fullchain.pem"
+    mkdir -p "${DEST_LETSENCRYPT_FULLCHAIN%/*}"
+    cat $DATASTORE/letsencrypt/etc/letsencrypt/live/$DOMAIN/{fullchain,privkey}.pem > "$DEST_LETSENCRYPT_FULLCHAIN" || return 1
+    info "Letsencrypt {fullchain,privkey}.pem have been concat to /opt/zato/letsencrypt-fullchain.pem for zato hapProxy conf"
+}
+
+

zato/metadata.yml

@@ -0,0 +1,35 @@
+docker-image: docker.0k.io/zato-3.2-quickstart
+docker-compose:
+  ports:
+    - "21223:21223"
+
+uses:
+  web-proxy:
+    #constraint: required | recommended | optional
+    #auto: pair | summon | none ## default: pair
+    constraint: recommended
+    auto: pair
+    solves:
+      proxy: "Public access"
+    default-options:
+      target: !var-expand ${MASTER_BASE_SERVICE_NAME}:8183
+  postgres-database:
+    #constraint: required | recommended | optional
+    #auto: pair | summon | none ## default: pair
+    constraint: recommended
+    auto: summon
+    solves:
+      database: "main storage"
+  schedule-command:
+    constraint: required
+    auto: pair
+    solves:
+      maintenance: "Auto renew crt for hapProxy in zato"
+    default-options: !var-expand
+      (35 3 * * 7) {-D -p 10} compose renew_crt "$BASE_SERVICE_NAME"
+  backup:
+    constraint: recommended
+    auto: pair
+    solves:
+      backup: "Automatic regular backup"
+    default-options:

zato/resources/opt/zato/3.2.0/code/zato-cli/src/zato/cli/create_lb.py

@@ -0,0 +1,222 @@
+# -*- coding: utf-8 -*-
+
+"""
+Copyright (C) 2021, Zato Source s.r.o. https://zato.io
+
+Licensed under AGPLv3, see LICENSE.txt for terms and conditions.
+"""
+
+# stdlib
+import os, uuid
+
+# Zato
+from zato.cli import is_arg_given, ZatoCommand
+from zato.common.defaults import http_plain_server_port
+from zato.common.util.open_ import open_w
+
+config_template = """{{
+  "haproxy_command": "haproxy",
+  "host": "localhost",
+  "port": 20151,
+  "is_tls_enabled": false,
+  "keyfile": "./zato-lba-priv-key.pem",
+  "certfile": "./zato-lba-cert.pem",
+  "ca_certs": "./zato-lba-ca-certs.pem",
+  "work_dir": "../",
+  "verify_fields": {{}},
+  "log_config": "./logging.conf",
+  "pid_file": "zato-lb-agent.pid"
+}}
+"""
+
+zato_config_template = """
+# ##############################################################################
+
+global
+    log 127.0.0.1:514 local0 debug # ZATO global:log
+    stats socket {stats_socket} # ZATO global:stats_socket
+
+# ##############################################################################
+
+defaults
+    log global
+    option httpclose
+
+    stats uri /zato-lb-stats # ZATO defaults:stats uri
+
+    timeout connect 15000 # ZATO defaults:timeout connect
+    timeout client 15000 # ZATO defaults:timeout client
+    timeout server 15000 # ZATO defaults:timeout server
+
+    errorfile 503 {http_503_path}
+
+    stats enable
+    stats realm   Haproxy\ Statistics
+
+    # Note: The password below is a UUID4 written in plain-text.
+    stats auth    admin1:{stats_password}
+
+    stats refresh 5s
+
+# ##############################################################################
+
+backend bck_http_plain
+    mode http
+    balance roundrobin
+
+# ZATO begin backend bck_http_plain
+
+{default_backend}
+
+# ZATO end backend bck_http_plain
+
+# ##############################################################################
+
+frontend front_http_plain
+
+    mode http
+    default_backend bck_http_plain
+
+    option forwardfor
+    option httplog # ZATO frontend front_http_plain:option log-http-requests
+    bind 0.0.0.0:11223 # ZATO frontend front_http_plain:bind
+    maxconn 200 # ZATO frontend front_http_plain:maxconn
+
+    monitor-uri /zato-lb-alive # ZATO frontend front_http_plain:monitor-uri
+
+# ##############################################################################
+
+frontend front_tls_no_client_certs
+
+        mode http
+        default_backend bck_http_plain
+        option forwardfor
+        reqadd X-Forwarded-Proto:\ https
+
+        acl has_x_forwarded_proto req.fhdr(X-Forwarded-Proto) -m found
+        http-request deny if has_x_forwarded_proto
+
+        bind 0.0.0.0:21223 ssl crt /opt/zato/letsencrypt-fullchain.pem
+
+"""  # noqa
+
+default_backend = """
+    server http_plain--server1 127.0.0.1:{server01_port} check inter 2s rise 2 fall 2 # ZATO backend bck_http_plain:server--server1
+"""
+
+http_503 = """HTTP/1.0 503 Service Unavailable
+Cache-Control: no-cache
+Connection: close
+Content-Type: application/json
+
+{"zato_env":
+  {"details": "No server is available to handle the request",
+  "result": "ZATO_ERROR",
+  "cid": "K012345678901234567890123456"}
+}
+"""
+
+
+class Create(ZatoCommand):
+    """Creates a new Zato load-balancer"""
+
+    opts = []
+    opts.append(
+        {
+            "name": "--pub-key-path",
+            "help": "Path to the load-balancer agent's public key in PEM",
+        }
+    )
+    opts.append(
+        {
+            "name": "--priv-key-path",
+            "help": "Path to the load-balancer agent's private key in PEM",
+        }
+    )
+    opts.append(
+        {
+            "name": "--cert-path",
+            "help": "Path to the load-balancer agent's certificate in PEM",
+        }
+    )
+    opts.append(
+        {
+            "name": "--ca-certs-path",
+            "help": "Path to the a PEM list of certificates the load-balancer's agent will trust",
+        }
+    )
+
+    needs_empty_dir = True
+
+    def __init__(self, args):
+        super(Create, self).__init__(args)
+        self.target_dir = os.path.abspath(args.path)  # noqa
+
+    def execute(
+        self,
+        args,
+        use_default_backend=False,
+        server02_port=None,
+        show_output=True,
+    ):
+        # Zato
+        from zato.common.util.logging_ import get_logging_conf_contents
+
+        os.mkdir(os.path.join(self.target_dir, "config"))  # noqa
+        os.mkdir(os.path.join(self.target_dir, "logs"))  # noqa
+
+        repo_dir = os.path.join(self.target_dir, "config", "repo")  # noqa
+        os.mkdir(repo_dir)  # noqa
+
+        log_path = os.path.abspath(
+            os.path.join(repo_dir, "..", "..", "logs", "lb-agent.log")
+        )  # noqa
+        stats_socket = os.path.join(self.target_dir, "haproxy-stat.sock")  # noqa
+
+        is_tls_enabled = is_arg_given(args, "priv_key_path")
+        config = config_template.format(
+            **{
+                "is_tls_enabled": is_tls_enabled,
+            }
+        )
+
+        logging_conf_contents = get_logging_conf_contents()
+
+        open_w(os.path.join(repo_dir, "lb-agent.conf")).write(config)  # noqa
+        open_w(os.path.join(repo_dir, "logging.conf")).write(
+            logging_conf_contents
+        )  # noqa
+
+        if use_default_backend:
+            backend = default_backend.format(
+                server01_port=http_plain_server_port,
+                server02_port=server02_port,
+            )
+        else:
+            backend = "\n# ZATO default_backend_empty"
+
+        zato_config = zato_config_template.format(
+            stats_socket=stats_socket,
+            stats_password=uuid.uuid4().hex,
+            default_backend=backend,
+            http_503_path=os.path.join(repo_dir, "503.http"),
+        )  # noqa
+
+        open_w(os.path.join(repo_dir, "zato.config")).write(zato_config)  # noqa
+        open_w(os.path.join(repo_dir, "503.http")).write(http_503)  # noqa
+
+        self.copy_lb_crypto(repo_dir, args)
+
+        # Initial info
+        self.store_initial_info(
+            self.target_dir, self.COMPONENTS.LOAD_BALANCER.code
+        )
+
+        if show_output:
+            if self.verbose:
+                msg = "Successfully created a load-balancer's agent in {}".format(
+                    self.target_dir
+                )
+                self.logger.debug(msg)
+            else:
+                self.logger.info("OK")

zato/resources/opt/zato/env/qs-1/load-balancer/config/repo/zato.config

@@ -0,0 +1,68 @@
+
+# ##############################################################################
+
+global
+    log 127.0.0.1:514 local0 debug # ZATO global:log
+    stats socket /opt/zato/env/qs-1/load-balancer/haproxy-stat.sock # ZATO global:stats_socket
+
+# ##############################################################################
+
+defaults
+    log global
+    option httpclose
+
+    stats uri /zato-lb-stats # ZATO defaults:stats uri
+
+    timeout connect 15000 # ZATO defaults:timeout connect
+    timeout client 15000 # ZATO defaults:timeout client
+    timeout server 15000 # ZATO defaults:timeout server
+
+    errorfile 503 /opt/zato/env/qs-1/load-balancer/config/repo/503.http
+
+    stats enable
+    stats realm   Haproxy\ Statistics
+
+    # Note: The password below is a UUID4 written in plain-text.
+    stats auth    admin1:8ecbddd3bebe474b93ae43b353a917ff
+
+    stats refresh 5s
+
+# ##############################################################################
+
+backend bck_http_plain
+    mode http
+    balance roundrobin
+
+# ZATO begin backend bck_http_plain
+
+
+    server http_plain--server1 127.0.0.1:17010 check inter 2s rise 2 fall 2 # ZATO backend bck_http_plain:server--server1
+
+
+# ZATO end backend bck_http_plain
+
+# ##############################################################################
+
+frontend front_http_plain
+
+    mode http
+    default_backend bck_http_plain
+
+    option forwardfor
+    option httplog # ZATO frontend front_http_plain:option log-http-requests
+    bind 0.0.0.0:11223 # ZATO frontend front_http_plain:bind
+    maxconn 200 # ZATO frontend front_http_plain:maxconn
+
+    monitor-uri /zato-lb-alive # ZATO frontend front_http_plain:monitor-uri
+
+frontend front_tls_no_client_certs
+
+        mode http
+        default_backend bck_http_plain
+        option forwardfor
+        reqadd X-Forwarded-Proto:\ https
+
+        acl has_x_forwarded_proto req.fhdr(X-Forwarded-Proto) -m found
+        http-request deny if has_x_forwarded_proto
+
+        bind 0.0.0.0:21223 ssl crt /opt/hot-deploy/cert/letsencrypt-fullchain.pem

zato/resources/opt/zato/restart-load-balancer.sh

@@ -0,0 +1,14 @@
+export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:~/current/bin
+export PYTHONPATH=:/opt/zato/current/extlib
+export ZATO_PYTHON_REQS=/opt/hot-deploy/python-reqs/requirements.txt
+export ZATO_HOT_DEPLOY_DIR=/opt/hot-deploy/services:
+export ZATO_USER_CONF_DIR=/opt/hot-deploy/user-conf:/tmp/zato-user-conf
+export ZATO_HOT_DEPLOY_PREFER_SNAPSHOTS=True
+export Zato_Is_Quickstart=
+export Zato_Log_Env_Details=True
+export Zato_TLS_Verify=
+export Zato_Is_Docker=True
+
+~/current/bin/zato stop /opt/zato/env/qs-1/load-balancer 
+kill $(ps -aux | grep zato.agent.load_balancer.main | grep -v grep | grep -v /bin/sh | awk '{ print $2 }') 
+~/current/bin/zato start /opt/zato/env/qs-1/load-balancer --env-file /opt/hot-deploy/enmasse/env.ini

zatodoc/actions/popo

@@ -0,0 +1,5 @@
+#!/bin/bash
+## compose: no-hooks
+
+
+echo youpla 

zatodoc/metadata.yml

@@ -0,0 +1,23 @@
+description: Zato Doc
+subordinate: true
+requires:
+  web-publishing-directory:
+    interface: publish-dir
+    scope: container
+
+data-resources:
+  - /opt/zatodoc/
+
+
+uses:
+  publish-dir:
+    #constraint: required | recommended | optional
+    #auto: pair | summon | none ## default: pair
+    scope: container
+    constraint: required
+    auto: summon
+    solves:
+      container: "main running server"
+    default-options:
+      location: !var-expand "$DATASTORE/$BASE_SERVICE_NAME/opt/zatodoc"
+