authorFatih Degirmenci <fatih.degirmenci@ericsson.com>2017-09-15 04:22:56 +0000
committerGerrit Code Review <gerrit@opnfv.org>2017-09-15 04:22:56 +0000
commit0c63da903cc5eefbdc7b796fa91b5887090f1f70 (patch)
treee4a050c5510ad314a60b85b8fe4a8ff21cea1874
parent2357c9d195173cb7cdf57ffcbc7e92cea73e0ff1 (diff)
parentd08ce6dfd4df2574be8f69419f5e5c027cae6d2a (diff)
Merge "Generate and use certificates for OSA"
-rw-r--r--xci/README.rst4
-rwxr-xr-xxci/config/env-vars3
-rwxr-xr-xxci/config/user-vars1
-rw-r--r--xci/file/ha/user_variables.yml14
-rw-r--r--xci/file/install-ansible.sh3
-rw-r--r--xci/file/mini/user_variables.yml14
-rw-r--r--xci/file/noha/user_variables.yml14
-rw-r--r--xci/playbooks/configure-localhost.yml20
-rw-r--r--xci/playbooks/configure-opnfvhost.yml45
-rw-r--r--xci/var/opnfv.yml4
-rwxr-xr-xxci/xci-deploy.sh4
11 files changed, 123 insertions, 3 deletions
diff --git a/xci/README.rst b/xci/README.rst
index 462fffd1..9ce293cd 100644
--- a/xci/README.rst
+++ b/xci/README.rst
@@ -124,6 +124,10 @@ You can generate one by executing
ssh-keygen -t rsa
+After the script finishes, it will provide an openrc file that can be
+sourced to properly start using the cloud. It will be available under the
+opnfv host (in $HOME path), and on the the buildhost (in $XCI_DEVEL_ROOT path)
+
Advanced Usage
--------------
diff --git a/xci/config/env-vars b/xci/config/env-vars
index f4a3facc..976eb66b 100755
--- a/xci/config/env-vars
+++ b/xci/config/env-vars
@@ -5,6 +5,7 @@
export OPNFV_RELENG_GIT_URL=https://gerrit.opnfv.org/gerrit/releng-xci.git
export OPENSTACK_BIFROST_GIT_URL=https://git.openstack.org/openstack/bifrost
export OPENSTACK_OSA_GIT_URL=https://git.openstack.org/openstack/openstack-ansible
+export OPENSTACK_OSA_OPENRC_GIT_URL=https://git.openstack.org/openstack/openstack-ansible-openstack_openrc
export OPENSTACK_OSA_ETC_PATH=/etc/openstack_deploy
export OPNFV_HOST_IP=192.168.122.2
export OPNFV_XCI_PATH=$OPNFV_RELENG_PATH/xci
@@ -20,3 +21,5 @@ export DIB_OS_RELEASE=${DIB_OS_RELEASE:-xenial}
export DIB_OS_ELEMENT=${DIB_OS_ELEMENT:-ubuntu-minimal}
export DIB_OS_PACKAGES=${DIB_OS_PACKAGES:-"vlan,vim,less,bridge-utils,sudo,language-pack-en,iputils-ping,rsyslog,curl,python,debootstrap,ifenslave,ifenslave-2.6,lsof,lvm2,tcpdump,nfs-kernel-server,chrony,iptables"}
export EXTRA_DIB_ELEMENTS=${EXTRA_DIB_ELEMENTS:-"openssh-server"}
+# subject of the certificate
+export XCI_SSL_SUBJECT=${XCI_SSL_SUBJECT:-"/C=US/ST=California/L=San Francisco/O=IT/CN=xci.releng.opnfv.org"}
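Review bot: The new `# subject of the certificate` comment does not say that the default CN `xci.releng.opnfv.org` is a placeholder that nothing in this change connects to — the `openrc_os_auth_url` values added to the flavor user_variables.yml files point at 192.168.122.x addresses, so even a client that trusted this certificate could not match it to the endpoint. Since the generated openrc works around that with `OS_INSECURE=true`, this variable is where an operator would look to do better, and the comment should guide them: `# Subject of the self-signed HAProxy certificate. The default CN is a placeholder; set it (and ideally a SAN) to the address in openrc_os_auth_url if clients are to verify the endpoint instead of relying on OS_INSECURE=true.`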
diff --git a/xci/config/user-vars b/xci/config/user-vars
index c960b904..709aa29e 100755
--- a/xci/config/user-vars
+++ b/xci/config/user-vars
@@ -30,6 +30,7 @@ export XCI_FLAVOR=${XCI_FLAVOR:-aio}
#-------------------------------------------------------------------------------
export XCI_DEVEL_ROOT=${XCI_DEVEL_ROOT:-"/tmp/.xci-deploy-env"}
export OPNFV_RELENG_PATH="${XCI_DEVEL_ROOT}/releng-xci"
+export OPENSTACK_OSA_OPENRC_PATH="${XCI_DEVEL_ROOT}/openstack-ansible-openstack_openrc"
export OPENSTACK_BIFROST_PATH="${XCI_DEVEL_ROOT}/bifrost"
export OPENSTACK_OSA_PATH="${XCI_DEVEL_ROOT}/openstack-ansible"
export OPNFV_SSH_HOST_KEYS_PATH="${XCI_DEVEL_ROOT}/ssh_host_keys"
diff --git a/xci/file/ha/user_variables.yml b/xci/file/ha/user_variables.yml
index 58ba5679..8235f6f7 100644
--- a/xci/file/ha/user_variables.yml
+++ b/xci/file/ha/user_variables.yml
@@ -146,3 +146,17 @@ trove_wsgi_processes: 1
## Sahara
sahara_api_workers_max: 2
sahara_api_workers: 1
+
+openrc_os_auth_url: "https://192.168.122.220:5000/v3"
+keystone_auth_admin_password: "opnfv-secret-password"
+openrc_os_password: "opnfv-secret-password"
+openrc_os_domain_name: "Default"
+openrc_cinder_endpoint_type: "publicURL"
+openrc_nova_endpoint_type: "publicURL"
+openrc_os_endpoint_type: "publicURL"
+openrc_clouds_yml_interface: "public"
+openrc_region_name: RegionOne
+haproxy_user_ssl_cert: "/etc/ssl/certs/xci.crt"
+haproxy_user_ssl_key: "/etc/ssl/private/xci.key"
+keystone_service_adminuri_insecure: true
+keystone_service_internaluri_insecure: true
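Review bot: `keystone_auth_admin_password: "opnfv-secret-password"` and `openrc_os_password: "opnfv-secret-password"` hard-code a published, fixed Keystone admin password, and the same literal is repeated in the mini and noha flavor files. The opnfvhost playbook already runs `pw-token-gen.py` to generate random secrets into user_secrets.yml; if OSA loads user_variables.yml after user_secrets.yml (the usual alphabetical load order — confirm) this literal overrides the generated value and becomes the real admin password of every deployment. Drop both lines and let the generated `keystone_auth_admin_password` be used (if the openrc role defaults `openrc_os_password` to it — confirm), or derive the value with a lookup rather than a literal. The two `keystone_service_*_insecure: true` flags disable TLS verification of the admin and internal Keystone URIs against the self-signed certificate; that is expected here but deserves a comment, e.g. `# self-signed cert generated in configure-localhost.yml: skip verification for admin/internal URIs`.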
diff --git a/xci/file/install-ansible.sh b/xci/file/install-ansible.sh
index 67a49b39..16ff86c8 100644
--- a/xci/file/install-ansible.sh
+++ b/xci/file/install-ansible.sh
@@ -30,6 +30,7 @@ if [ -x '/usr/bin/zypper' ]; then
[python-devel]=python-devel
[venv]=python-virtualenv
[wget]=wget
+ [openssl]=openssl
)
EXTRA_PKG_DEPS=( python-xml )
# NOTE (cinerama): we can't install python without removing this package
@@ -50,6 +51,7 @@ elif [ -x '/usr/bin/apt-get' ]; then
[python-devel]=libpython-dev
[venv]=python-virtualenv
[wget]=wget
+ [openssl]=openssl
)
EXTRA_PKG_DEPS=()
elif [ -x '/usr/bin/dnf' ] || [ -x '/usr/bin/yum' ]; then
@@ -67,6 +69,7 @@ elif [ -x '/usr/bin/dnf' ] || [ -x '/usr/bin/yum' ]; then
[python-devel]=python-devel
[venv]=python-virtualenv
[wget]=wget
+ [openssl]=openssl
)
EXTRA_PKG_DEPS=()
else
diff --git a/xci/file/mini/user_variables.yml b/xci/file/mini/user_variables.yml
index fa8a38f3..0b8c6cd7 100644
--- a/xci/file/mini/user_variables.yml
+++ b/xci/file/mini/user_variables.yml
@@ -146,3 +146,17 @@ trove_wsgi_processes: 1
## Sahara
sahara_api_workers_max: 2
sahara_api_workers: 1
+
+openrc_os_auth_url: "https://192.168.122.3:5000/v3"
+keystone_auth_admin_password: "opnfv-secret-password"
+openrc_os_password: "opnfv-secret-password"
+openrc_os_domain_name: "Default"
+openrc_cinder_endpoint_type: "publicURL"
+openrc_nova_endpoint_type: "publicURL"
+openrc_os_endpoint_type: "publicURL"
+openrc_clouds_yml_interface: "public"
+openrc_region_name: RegionOne
+haproxy_user_ssl_cert: "/etc/ssl/certs/xci.crt"
+haproxy_user_ssl_key: "/etc/ssl/private/xci.key"
+keystone_service_adminuri_insecure: true
+keystone_service_internaluri_insecure: true
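Review bot: The 14 lines appended here are identical to those appended to the ha and noha user_variables.yml apart from the address in `openrc_os_auth_url`, so the admin password, endpoint types, certificate paths and TLS-insecure flags are now maintained in three copies. Keep only `openrc_os_auth_url` per flavor and move the shared keys into one file that the playbook drops into OPENSTACK_OSA_ETC_PATH for every flavor, so a later fix (such as removing the fixed password) cannot be applied to one flavor and missed in another.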
diff --git a/xci/file/noha/user_variables.yml b/xci/file/noha/user_variables.yml
index bdb2df09..72a8ab7d 100644
--- a/xci/file/noha/user_variables.yml
+++ b/xci/file/noha/user_variables.yml
@@ -146,3 +146,17 @@ trove_wsgi_processes: 1
## Sahara
sahara_api_workers_max: 2
sahara_api_workers: 1
+
+openrc_os_auth_url: "https://192.168.122.3:5000/v3"
+keystone_auth_admin_password: "opnfv-secret-password"
+openrc_os_password: "opnfv-secret-password"
+openrc_os_domain_name: "Default"
+openrc_cinder_endpoint_type: "publicURL"
+openrc_nova_endpoint_type: "publicURL"
+openrc_os_endpoint_type: "publicURL"
+openrc_clouds_yml_interface: "public"
+openrc_region_name: RegionOne
+haproxy_user_ssl_cert: "/etc/ssl/certs/xci.crt"
+haproxy_user_ssl_key: "/etc/ssl/private/xci.key"
+keystone_service_adminuri_insecure: true
+keystone_service_internaluri_insecure: true
diff --git a/xci/playbooks/configure-localhost.yml b/xci/playbooks/configure-localhost.yml
index 40147d31..2dfa0530 100644
--- a/xci/playbooks/configure-localhost.yml
+++ b/xci/playbooks/configure-localhost.yml
@@ -15,7 +15,7 @@
roles:
- role: remove-folders
- { role: clone-repository, project: "opnfv/releng-xci", repo: "{{ OPNFV_RELENG_GIT_URL }}", dest: "{{ OPNFV_RELENG_PATH }}", version: "{{ OPNFV_RELENG_VERSION }}" }
-
+ - { role: clone-repository, project: "openstack/openstack-ansible-openstack_openrc", repo: "{{ OPENSTACK_OSA_OPENRC_GIT_URL }}", dest: "{{ OPENSTACK_OSA_OPENRC_PATH }}", version: "master" }
- hosts: localhost
connection: local
gather_facts: false
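Review bot: The new clone-repository entry pins openstack-ansible-openstack_openrc to `version: "master"`, while the releng-xci clone just above it is pinned through OPNFV_RELENG_VERSION; the role is later run as root on the opnfv host by configure-opnfvhost.yml, so whatever is on upstream master at deploy time executes unreviewed and deployments are not reproducible. Add `OPENSTACK_OSA_OPENRC_VERSION` next to OPENSTACK_OSA_OPENRC_GIT_URL in config/env-vars and var/opnfv.yml, defaulting to a known SHA or tag, and use `version: "{{ OPENSTACK_OSA_OPENRC_VERSION }}"` here.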
@@ -57,3 +57,21 @@
copy:
src: "{{XCI_FLAVOR_ANSIBLE_FILE_PATH}}/flavor-vars.yml"
dest: "{{OPNFV_RELENG_PATH}}/xci/var"
+- hosts: localhost
+ connection: local
+ gather_facts: false
+ vars_files:
+ - ../var/{{ ansible_os_family }}.yml
+ - ../var/opnfv.yml
+ tasks:
+ - name: create certificate directory /etc/ssl/certs
+ file:
+ path: "/etc/ssl/certs"
+ state: directory
+ - name: create key directory /etc/ssl/private
+ file:
+ path: "/etc/ssl/private"
+ state: directory
+ - name: generate self signed certificate
+ command: openssl req -new -nodes -x509 -subj "{{ XCI_SSL_SUBJECT }}" -days 3650 -keyout "/etc/ssl/private/xci.key" -out "/etc/ssl/certs/xci.crt" -extensions v3_ca
+ become: true
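Review bot: The `openssl req` task creates /etc/ssl/private/xci.key with whatever mode the root umask yields (no task sets one), regenerates key and certificate on every run because the `command` has no `creates:` guard, and produces a certificate whose subject is a placeholder name with no subjectAltName, so no client can verify it against the 192.168.122.x endpoints — presumably why the openrc later gets `OS_INSECURE=true`. Guard the command with `creates:` and add a task restricting the key to 0600; adding an IP SAN would need an openssl config file (`-addext` only exists in OpenSSL 1.1.1+, which the default xenial images lack), so that can be a follow-up. The two directory tasks in this play also lack the `become: true` the openssl task has; they presumably only pass because /etc/ssl/certs and /etc/ssl/private already exist on the build host.
```yaml
  - name: generate self signed certificate
    command: openssl req -new -nodes -x509 -subj "{{ XCI_SSL_SUBJECT }}" -days 3650 -keyout "/etc/ssl/private/xci.key" -out "/etc/ssl/certs/xci.crt" -extensions v3_ca
    args:
      creates: "/etc/ssl/private/xci.key"
    become: true
  - name: restrict private key permissions
    file:
      path: "/etc/ssl/private/xci.key"
      owner: root
      group: root
      mode: "0600"
    become: true
```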
diff --git a/xci/playbooks/configure-opnfvhost.yml b/xci/playbooks/configure-opnfvhost.yml
index 7bc434d7..5beddcd7 100644
--- a/xci/playbooks/configure-opnfvhost.yml
+++ b/xci/playbooks/configure-opnfvhost.yml
@@ -97,6 +97,28 @@
command: "python pw-token-gen.py --file {{OPENSTACK_OSA_ETC_PATH}}/user_secrets.yml"
args:
chdir: "{{OPENSTACK_OSA_PATH}}/scripts"
+ - name: create certificate directory /etc/ssl/certs
+ file:
+ path: "/etc/ssl/certs"
+ state: directory
+ - name: create key directory /etc/ssl/private
+ file:
+ path: "/etc/ssl/private"
+ state: directory
+ - name: copy certificate to /etc/ssl/certs
+ copy:
+ src: "/etc/ssl/certs/xci.crt"
+ dest: "/etc/ssl/certs/"
+ become: true
+ - name: read remote key from /etc/ssl/private
+ set_fact:
+ xci_ssl_key: "{{ lookup('pipe', 'sudo cat /etc/ssl/private/xci.key' ) }}"
+ - name: copy key to /etc/ssl/private
+ copy:
+ content: "{{ xci_ssl_key }}"
+ dest: "/etc/ssl/private/xci.key"
+ become: true
+
- hosts: localhost
remote_user: root
vars_files:
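Review bot: The `copy` task that writes `/etc/ssl/private/xci.key` from `content:` sets no `mode`, so the private key is created on the opnfv host with the module's default (umask-derived, typically 0644) permissions, and the key material held in the `xci_ssl_key` fact is printed by verbose or debug output. Add `mode: "0600"` to that copy task and `no_log: true` to both the set_fact and the copy task. The `lookup('pipe', 'sudo cat ...')` additionally depends on passwordless sudo for the build user on localhost; a `slurp` with `become: true` in a localhost play would avoid shelling out, but that is a larger change.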
@@ -106,3 +128,26 @@
shell: "/bin/cat {{ OPNFV_SSH_HOST_KEYS_PATH }}/opnfv/root/.ssh/id_rsa.pub >> ../file/authorized_keys"
- name: Append public keys to authorized_keys
shell: "/bin/cat {{ ansible_env.HOME }}/.ssh/id_rsa.pub >> ../file/authorized_keys"
+
+- hosts: opnfv
+ gather_facts: no
+ remote_user: root
+ vars_files:
+ - ../var/{{ ansible_os_family }}.yml
+ - ../var/flavor-vars.yml
+ - ../var/opnfv.yml
+ - "{{ XCI_FLAVOR_ANSIBLE_FILE_PATH }}/user_variables.yml"
+ roles:
+ - role: "openstack-ansible-openstack_openrc"
+ tasks:
+ - name: add extra insecure flag to generated openrc
+ blockinfile:
+ dest: "{{ ansible_env.HOME }}/openrc"
+ block: |
+ export OS_INSECURE=true
+
+ - name: fetch generated openrc
+ fetch:
+ src: "{{ ansible_env.HOME }}/openrc"
+ dest: "{{ XCI_DEVEL_ROOT }}/"
+ flat: true
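Review bot: The fetched openrc carries the admin credentials (`openrc_os_password` is set in the flavor user_variables.yml) and is written to `{{ XCI_DEVEL_ROOT }}/`, which config/user-vars defaults to /tmp/.xci-deploy-env; `fetch` has no `mode` parameter, so the file is created with the build user's umask under a world-traversable /tmp path. Add a localhost `file` task after the fetch to set it to 0600. The appended `export OS_INSECURE=true` turns off certificate verification for every client that sources the file, which is the only option while the self-signed certificate cannot be matched to the endpoint address, but that reason should be stated in a comment on the blockinfile task. This play also sets `gather_facts: no` yet reads `ansible_env.HOME`, so it relies on facts cached by an earlier play against opnfv in the same run — worth a comment as well.
```yaml
    - name: fetch generated openrc
      # … unchanged: fetch src/dest/flat …
    - name: restrict permissions on fetched openrc (contains admin credentials)
      file:
        path: "{{ XCI_DEVEL_ROOT }}/openrc"
        mode: "0600"
      delegate_to: localhost
```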
diff --git a/xci/var/opnfv.yml b/xci/var/opnfv.yml
index aeafaceb..c6c74c87 100644
--- a/xci/var/opnfv.yml
+++ b/xci/var/opnfv.yml
@@ -9,6 +9,7 @@
##############################################################################
OPNFV_RELENG_GIT_URL: "{{ lookup('env','OPNFV_RELENG_GIT_URL') }}"
OPNFV_RELENG_PATH: "{{ lookup('env','OPNFV_RELENG_PATH') }}"
+XCI_DEVEL_ROOT: "{{ lookup('env','XCI_DEVEL_ROOT') }}"
OPNFV_RELENG_DEV_PATH: "{{ lookup('env','OPNFV_RELENG_DEV_PATH') }}"
OPNFV_RELENG_VERSION: "{{ lookup('env','OPNFV_RELENG_VERSION') }}"
OPENSTACK_BIFROST_GIT_URL: "{{ lookup('env','OPENSTACK_BIFROST_GIT_URL') }}"
@@ -16,7 +17,9 @@ OPENSTACK_BIFROST_PATH: "{{ lookup('env','OPENSTACK_BIFROST_PATH') }}"
OPENSTACK_BIFROST_DEV_PATH: "{{ lookup('env','OPENSTACK_BIFROST_DEV_PATH') }}"
OPENSTACK_BIFROST_VERSION: "{{ lookup('env','OPENSTACK_BIFROST_VERSION') }}"
OPENSTACK_OSA_GIT_URL: "{{ lookup('env','OPENSTACK_OSA_GIT_URL') }}"
+OPENSTACK_OSA_OPENRC_GIT_URL: "{{ lookup('env', 'OPENSTACK_OSA_OPENRC_GIT_URL') }}"
OPENSTACK_OSA_PATH: "{{ lookup('env','OPENSTACK_OSA_PATH') }}"
+OPENSTACK_OSA_OPENRC_PATH: "{{ lookup('env', 'OPENSTACK_OSA_OPENRC_PATH') }}"
OPENSTACK_OSA_DEV_PATH: "{{ lookup('env','OPENSTACK_OSA_DEV_PATH') }}"
OPENSTACK_OSA_VERSION: "{{ lookup('env','OPENSTACK_OSA_VERSION') }}"
OPENSTACK_OSA_ETC_PATH: "{{ lookup('env','OPENSTACK_OSA_ETC_PATH') }}"
@@ -28,3 +31,4 @@ LOG_PATH: "{{ lookup('env','LOG_PATH') }}"
OPNFV_HOST_IP: "{{ lookup('env','OPNFV_HOST_IP') }}"
OPNFV_SSH_HOST_KEYS_PATH: "{{ lookup('env', 'OPNFV_SSH_HOST_KEYS_PATH') }}"
XCI_EXTRA_VARS_PATH: "{{ lookup('env', 'XCI_EXTRA_VARS_PATH') }}"
+XCI_SSL_SUBJECT: "{{ lookup('env', 'XCI_SSL_SUBJECT') }}"
diff --git a/xci/xci-deploy.sh b/xci/xci-deploy.sh
index 60151220..ced6fff0 100755
--- a/xci/xci-deploy.sh
+++ b/xci/xci-deploy.sh
@@ -126,8 +126,8 @@ echo "Info: Configured localhost host for openstack-ansible"
#-------------------------------------------------------------------------------
echo "Info: Configuring opnfv deployment host for openstack-ansible"
echo "-----------------------------------------------------------------------"
-cd $OPNFV_XCI_PATH/playbooks
-ansible-playbook $ANSIBLE_VERBOSITY -i inventory configure-opnfvhost.yml
+cd ${XCI_DEVEL_ROOT}
+ansible-playbook $ANSIBLE_VERBOSITY -i ${OPNFV_XCI_PATH}/playbooks/inventory ${OPNFV_XCI_PATH}/playbooks/configure-opnfvhost.yml
echo "-----------------------------------------------------------------------"
echo "Info: Configured opnfv deployment host for openstack-ansible"