-rwxr-xr-x | deployed-server/scripts/enable-ssh-admin.sh | 60 | ||||
-rw-r--r-- | environments/puppet-ceph-external.yaml | 2 | ||||
-rw-r--r-- | puppet/services/database/mongodb.yaml | 6 |
3 files changed, 67 insertions, 1 deletions
diff --git a/deployed-server/scripts/enable-ssh-admin.sh b/deployed-server/scripts/enable-ssh-admin.sh
new file mode 100755
index 00000000..dcabeadf
--- /dev/null
+++ b/deployed-server/scripts/enable-ssh-admin.sh
@@ -0,0 +1,60 @@
+#!/bin/bash
+
+set -eu
+
+# whitespace (space or newline) separated list
+OVERCLOUD_HOSTS=${OVERCLOUD_HOSTS:-""}
+OVERCLOUD_SSH_USER=${OVERCLOUD_SSH_USER:-"$USER"}
+# this is just for compatibility with CI
+SUBNODES_SSH_KEY=${SUBNODES_SSH_KEY:-"$HOME/.ssh/id_rsa"}
+# this is the intended variable for overriding
+OVERCLOUD_SSH_KEY=${OVERCLOUD_SSH_KEY:-"$SUBNODES_SSH_KEY"}
+
+SLEEP_TIME=5
+
+function overcloud_ssh_hosts_json {
+ echo "$OVERCLOUD_HOSTS" | python -c '
+from __future__ import print_function
+import json, re, sys
+print(json.dumps(re.split("\s+", sys.stdin.read().strip())))'
+}
+
+function overcloud_ssh_key_json {
+ # we pass the contents to Mistral instead of just path, otherwise
+ # the key file would have to be readable for the mistral user
+ cat "$OVERCLOUD_SSH_KEY" | python -c 'import json,sys; print(json.dumps(sys.stdin.read()))'
+}
+
+function workflow_finished {
+ local execution_id="$1"
+ openstack workflow execution show -f shell $execution_id | grep 'state="SUCCESS"' > /dev/null
+}
+
+if [ -z "$OVERCLOUD_HOSTS" ]; then
+ echo 'Please set $OVERCLOUD_HOSTS'
+ exit 1
+fi
+
+echo "Starting workflow to create ssh admin on deployed servers."
+echo "SSH user: $OVERCLOUD_SSH_USER"
+echo "SSH key file: $OVERCLOUD_SSH_KEY"
+echo "Hosts: $OVERCLOUD_HOSTS"
+echo
+
+EXECUTION_PARAMS="{\"ssh_user\": \"$OVERCLOUD_SSH_USER\", \"ssh_servers\": $(overcloud_ssh_hosts_json), \"ssh_private_key\": $(overcloud_ssh_key_json)}"
+EXECUTION_CREATE_OUTPUT=$(openstack workflow execution create -f shell -d 'deployed server ssh admin creation' tripleo.access.v1.enable_ssh_admin "$EXECUTION_PARAMS")
+echo "$EXECUTION_CREATE_OUTPUT"
+EXECUTION_ID=$(echo "$EXECUTION_CREATE_OUTPUT" | grep '^id=' | awk '-F"' '{ print $2 }')
+
+if [ -z "$EXECUTION_ID" ]; then
+ echo "Failed to get workflow execution ID for ssh admin creation workflow"
+ exit 1
+fi
+
+echo -n "Waiting for the workflow execution to finish (id $EXECUTION_ID)."
+while ! workflow_finished $EXECUTION_ID; do
+ sleep $SLEEP_TIME
+ echo -n .
+done
+
+echo "Success."
diff --git a/environments/puppet-ceph-external.yaml b/environments/puppet-ceph-external.yaml
index 2f577c26..7718b821 100644
--- a/environments/puppet-ceph-external.yaml
+++ b/environments/puppet-ceph-external.yaml
@@ -1,5 +1,5 @@
 # ******************************************************************************
-# DEPRECATED: Use tripleo-heat-templates/environments/storage/ceph-external.yaml
+# DEPRECATED: Use tripleo-heat-templates/environments/storage/external-ceph.yaml
 # instead.
 # ******************************************************************************
 # A Heat environment file which can be used to enable the
diff --git a/puppet/services/database/mongodb.yaml b/puppet/services/database/mongodb.yaml
index 04f34e24..dcead0f7 100644
--- a/puppet/services/database/mongodb.yaml
+++ b/puppet/services/database/mongodb.yaml
@@ -47,6 +47,11 @@ parameters:
 EnableInternalTLS:
 type: boolean
 default: false
+ InternalTLSCAFile:
+ default: '/etc/ipa/ca.crt'
+ type: string
+ description: Specifies the default CA cert to use if TLS is used for
+ services in the internal network.
 
 conditions:
 
@@ -98,6 +103,7 @@ outputs:
 generate_service_certificates: true
 mongodb::server::ssl: true
 mongodb::server::ssl_key: '/etc/pki/tls/certs/mongodb.pem'
+ mongodb::server::ssl_ca: {get_param: InternalTLSCAFile}
 mongodb_certificate_specs:
 service_pem: '/etc/pki/tls/certs/mongodb.pem'
 service_certificate: '/etc/pki/tls/certs/mongodb.crt' |
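Review bot: The private key contents are placed on the command line of `openstack workflow execution create` through `$EXECUTION_PARAMS` (the line right after `EXECUTION_PARAMS=`), where any local user can read them from the process list for as long as the client runs, and `bash -x` would print them as well. mistralclient's workflow_input loader accepts a path to a JSON file in addition to inline JSON (confirm against the installed client), so writing the parameters to a `mktemp` file created under `umask 077` and passing the path keeps the key out of argv; the rewrite below does that and removes the file on exit. Separately, the poll loop has no failure exit: `workflow_finished` only greps for `state="SUCCESS"`, so an execution that ends in `ERROR`, or an `openstack ... show` call that fails outright (the script sets `-eu` without `pipefail`, so the pipe's status is grep's), leaves the script sleeping forever; checking for `state="ERROR"` in the loop and exiting non-zero would close that. `$execution_id` on the `openstack workflow execution show` line and `$EXECUTION_ID` on the `while` line should also be quoted.
```shell
EXECUTION_PARAMS="{\"ssh_user\": \"$OVERCLOUD_SSH_USER\", \"ssh_servers\": $(overcloud_ssh_hosts_json), \"ssh_private_key\": $(overcloud_ssh_key_json)}"
# keep the key material out of argv: hand the client a mode-0600 temp file instead
umask 077
PARAMS_FILE=$(mktemp)
trap 'rm -f -- "$PARAMS_FILE"' EXIT
printf '%s\n' "$EXECUTION_PARAMS" > "$PARAMS_FILE"
EXECUTION_CREATE_OUTPUT=$(openstack workflow execution create -f shell -d 'deployed server ssh admin creation' tripleo.access.v1.enable_ssh_admin "$PARAMS_FILE")
# … unchanged: echo of create output, EXECUTION_ID extraction, poll loop …
```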