authorYolanda Robla <yroblamo@redhat.com>2017-08-16 16:28:28 +0200
committerYolanda Robla Mota <info@ysoft.biz>2017-09-14 20:13:00 +0000
commitd08ce6dfd4df2574be8f69419f5e5c027cae6d2a (patch)
tree33f601c8eb151cba1c7eef066fccbe2aee69af5d
parent890763baf32de0bab7985b55fe9f8d7c59c48dc0 (diff)
Generate and use certificates for OSA
Instead of having OSA generate self-signed certs, bring our own and pass them in. This way we will be able to trust those certs and start consuming OpenStack easily. It will also generate a proper openrc file that can be sourced to start consuming the cloud properly. Change-Id: Ic72a8b05e6efb222926fc5fa0800e033b2dbd22f Closes-Bug: RELENG-266 Signed-off-by: Yolanda Robla <yroblamo@redhat.com>
-rw-r--r--xci/README.rst4
-rwxr-xr-xxci/config/env-vars3
-rwxr-xr-xxci/config/user-vars1
-rw-r--r--xci/file/ha/user_variables.yml14
-rw-r--r--xci/file/install-ansible.sh3
-rw-r--r--xci/file/mini/user_variables.yml14
-rw-r--r--xci/file/noha/user_variables.yml14
-rw-r--r--xci/playbooks/configure-localhost.yml20
-rw-r--r--xci/playbooks/configure-opnfvhost.yml45
-rw-r--r--xci/var/opnfv.yml4
-rwxr-xr-xxci/xci-deploy.sh4
11 files changed, 123 insertions, 3 deletions
diff --git a/xci/README.rst b/xci/README.rst
index 462fffd1..9ce293cd 100644
--- a/xci/README.rst
+++ b/xci/README.rst
@@ -124,6 +124,10 @@ You can generate one by executing
ssh-keygen -t rsa
+After the script finishes, it will provide an openrc file that can be
+sourced to properly start using the cloud. It will be available under the
+opnfv host (in $HOME path), and on the the buildhost (in $XCI_DEVEL_ROOT path)
+
Advanced Usage
--------------
diff --git a/xci/config/env-vars b/xci/config/env-vars
index f4a3facc..976eb66b 100755
--- a/xci/config/env-vars
+++ b/xci/config/env-vars
@@ -5,6 +5,7 @@
export OPNFV_RELENG_GIT_URL=https://gerrit.opnfv.org/gerrit/releng-xci.git
export OPENSTACK_BIFROST_GIT_URL=https://git.openstack.org/openstack/bifrost
export OPENSTACK_OSA_GIT_URL=https://git.openstack.org/openstack/openstack-ansible
+export OPENSTACK_OSA_OPENRC_GIT_URL=https://git.openstack.org/openstack/openstack-ansible-openstack_openrc
export OPENSTACK_OSA_ETC_PATH=/etc/openstack_deploy
export OPNFV_HOST_IP=192.168.122.2
export OPNFV_XCI_PATH=$OPNFV_RELENG_PATH/xci
@@ -20,3 +21,5 @@ export DIB_OS_RELEASE=${DIB_OS_RELEASE:-xenial}
export DIB_OS_ELEMENT=${DIB_OS_ELEMENT:-ubuntu-minimal}
export DIB_OS_PACKAGES=${DIB_OS_PACKAGES:-"vlan,vim,less,bridge-utils,sudo,language-pack-en,iputils-ping,rsyslog,curl,python,debootstrap,ifenslave,ifenslave-2.6,lsof,lvm2,tcpdump,nfs-kernel-server,chrony,iptables"}
export EXTRA_DIB_ELEMENTS=${EXTRA_DIB_ELEMENTS:-"openssh-server"}
+# subject of the certificate
+export XCI_SSL_SUBJECT=${XCI_SSL_SUBJECT:-"/C=US/ST=California/L=San Francisco/O=IT/CN=xci.releng.opnfv.org"}
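Review bot: The default `XCI_SSL_SUBJECT` on the last line of the hunk sets `CN=xci.releng.opnfv.org`, yet the endpoints this certificate will front are addressed by bare IP in the flavor user_variables.yml files (`openrc_os_auth_url: "https://192.168.122.3:5000/v3"`), so a client that does verify the chain still fails hostname matching; this appears to be why the rest of the change falls back to `OS_INSECURE` and the `*_insecure: true` toggles. Either make the CN (or a subjectAltName) match the address clients actually use, or document that this subject is a placeholder — how a SAN can be added depends on the openssl version available on the build host. Suggested comment in place of the current one: `# subject of the self-signed cert; its CN or a SAN must match the host in openrc_os_auth_url for clients to verify it without OS_INSECURE`.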
diff --git a/xci/config/user-vars b/xci/config/user-vars
index c960b904..709aa29e 100755
--- a/xci/config/user-vars
+++ b/xci/config/user-vars
@@ -30,6 +30,7 @@ export XCI_FLAVOR=${XCI_FLAVOR:-aio}
#-------------------------------------------------------------------------------
export XCI_DEVEL_ROOT=${XCI_DEVEL_ROOT:-"/tmp/.xci-deploy-env"}
export OPNFV_RELENG_PATH="${XCI_DEVEL_ROOT}/releng-xci"
+export OPENSTACK_OSA_OPENRC_PATH="${XCI_DEVEL_ROOT}/openstack-ansible-openstack_openrc"
export OPENSTACK_BIFROST_PATH="${XCI_DEVEL_ROOT}/bifrost"
export OPENSTACK_OSA_PATH="${XCI_DEVEL_ROOT}/openstack-ansible"
export OPNFV_SSH_HOST_KEYS_PATH="${XCI_DEVEL_ROOT}/ssh_host_keys"
diff --git a/xci/file/ha/user_variables.yml b/xci/file/ha/user_variables.yml
index 58ba5679..8235f6f7 100644
--- a/xci/file/ha/user_variables.yml
+++ b/xci/file/ha/user_variables.yml
@@ -146,3 +146,17 @@ trove_wsgi_processes: 1
## Sahara
sahara_api_workers_max: 2
sahara_api_workers: 1
+
+openrc_os_auth_url: "https://192.168.122.220:5000/v3"
+keystone_auth_admin_password: "opnfv-secret-password"
+openrc_os_password: "opnfv-secret-password"
+openrc_os_domain_name: "Default"
+openrc_cinder_endpoint_type: "publicURL"
+openrc_nova_endpoint_type: "publicURL"
+openrc_os_endpoint_type: "publicURL"
+openrc_clouds_yml_interface: "public"
+openrc_region_name: RegionOne
+haproxy_user_ssl_cert: "/etc/ssl/certs/xci.crt"
+haproxy_user_ssl_key: "/etc/ssl/private/xci.key"
+keystone_service_adminuri_insecure: true
+keystone_service_internaluri_insecure: true
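Review bot: `keystone_auth_admin_password` and `openrc_os_password` are set to the literal `opnfv-secret-password` in a file committed to the repository, so every deployment built from this tree shares a known cloud admin password. The configure-opnfvhost.yml hunk shows `pw-token-gen.py` already populating `user_secrets.yml`; presumably the admin password could be left to that generator and the openrc role fed the generated value instead of a static string — confirm against the role's variable names. If a fixed value is deliberate for this CI flavor, record it: `# CI-only static admin password; never reuse outside an isolated XCI lab`. The same 14-line block is repeated in the mini and noha user_variables.yml files, so whichever fix is chosen needs applying three times.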
diff --git a/xci/file/install-ansible.sh b/xci/file/install-ansible.sh
index 67a49b39..16ff86c8 100644
--- a/xci/file/install-ansible.sh
+++ b/xci/file/install-ansible.sh
@@ -30,6 +30,7 @@ if [ -x '/usr/bin/zypper' ]; then
[python-devel]=python-devel
[venv]=python-virtualenv
[wget]=wget
+ [openssl]=openssl
)
EXTRA_PKG_DEPS=( python-xml )
# NOTE (cinerama): we can't install python without removing this package
@@ -50,6 +51,7 @@ elif [ -x '/usr/bin/apt-get' ]; then
[python-devel]=libpython-dev
[venv]=python-virtualenv
[wget]=wget
+ [openssl]=openssl
)
EXTRA_PKG_DEPS=()
elif [ -x '/usr/bin/dnf' ] || [ -x '/usr/bin/yum' ]; then
@@ -67,6 +69,7 @@ elif [ -x '/usr/bin/dnf' ] || [ -x '/usr/bin/yum' ]; then
[python-devel]=python-devel
[venv]=python-virtualenv
[wget]=wget
+ [openssl]=openssl
)
EXTRA_PKG_DEPS=()
else
diff --git a/xci/file/mini/user_variables.yml b/xci/file/mini/user_variables.yml
index fa8a38f3..0b8c6cd7 100644
--- a/xci/file/mini/user_variables.yml
+++ b/xci/file/mini/user_variables.yml
@@ -146,3 +146,17 @@ trove_wsgi_processes: 1
## Sahara
sahara_api_workers_max: 2
sahara_api_workers: 1
+
+openrc_os_auth_url: "https://192.168.122.3:5000/v3"
+keystone_auth_admin_password: "opnfv-secret-password"
+openrc_os_password: "opnfv-secret-password"
+openrc_os_domain_name: "Default"
+openrc_cinder_endpoint_type: "publicURL"
+openrc_nova_endpoint_type: "publicURL"
+openrc_os_endpoint_type: "publicURL"
+openrc_clouds_yml_interface: "public"
+openrc_region_name: RegionOne
+haproxy_user_ssl_cert: "/etc/ssl/certs/xci.crt"
+haproxy_user_ssl_key: "/etc/ssl/private/xci.key"
+keystone_service_adminuri_insecure: true
+keystone_service_internaluri_insecure: true
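Review bot: `keystone_service_adminuri_insecure: true` and `keystone_service_internaluri_insecure: true` on the last two lines disable certificate verification for the admin and internal Keystone URIs, which contradicts the commit's stated goal of bringing a certificate that can be trusted. `haproxy_user_ssl_cert` already points at `/etc/ssl/certs/xci.crt`, and the same path is populated on the opnfv host by configure-opnfvhost.yml, so the services could presumably be given that file as their CA bundle instead — confirm which OSA variable carries it — provided the cert's CN or SAN matches the address they connect to. At minimum a comment should record why verification is off and when it can be re-enabled: `# TODO: drop once xci.crt carries a SAN for the endpoint address and is configured as CA`. The identical block appears in the ha and noha user_variables.yml files.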
diff --git a/xci/file/noha/user_variables.yml b/xci/file/noha/user_variables.yml
index bdb2df09..72a8ab7d 100644
--- a/xci/file/noha/user_variables.yml
+++ b/xci/file/noha/user_variables.yml
@@ -146,3 +146,17 @@ trove_wsgi_processes: 1
## Sahara
sahara_api_workers_max: 2
sahara_api_workers: 1
+
+openrc_os_auth_url: "https://192.168.122.3:5000/v3"
+keystone_auth_admin_password: "opnfv-secret-password"
+openrc_os_password: "opnfv-secret-password"
+openrc_os_domain_name: "Default"
+openrc_cinder_endpoint_type: "publicURL"
+openrc_nova_endpoint_type: "publicURL"
+openrc_os_endpoint_type: "publicURL"
+openrc_clouds_yml_interface: "public"
+openrc_region_name: RegionOne
+haproxy_user_ssl_cert: "/etc/ssl/certs/xci.crt"
+haproxy_user_ssl_key: "/etc/ssl/private/xci.key"
+keystone_service_adminuri_insecure: true
+keystone_service_internaluri_insecure: true
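Review bot: This 14-line block is byte-identical to the one added to mini/user_variables.yml and differs from ha/user_variables.yml only in the `openrc_os_auth_url` address, so the admin password, the `*_insecure` toggles and the certificate paths now have three copies that must be kept in sync by hand. Moving the shared keys into a common vars file loaded by the play (the opnfv play in configure-opnfvhost.yml already loads `../var/opnfv.yml` alongside the flavor file) and leaving only the auth URL per flavor would keep a future password or TLS change to one edit. If the duplication is intentional for flavor isolation, a one-line comment above the block saying so would stop the next reader from consolidating it.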
diff --git a/xci/playbooks/configure-localhost.yml b/xci/playbooks/configure-localhost.yml
index 40147d31..2dfa0530 100644
--- a/xci/playbooks/configure-localhost.yml
+++ b/xci/playbooks/configure-localhost.yml
@@ -15,7 +15,7 @@
roles:
- role: remove-folders
- { role: clone-repository, project: "opnfv/releng-xci", repo: "{{ OPNFV_RELENG_GIT_URL }}", dest: "{{ OPNFV_RELENG_PATH }}", version: "{{ OPNFV_RELENG_VERSION }}" }
-
+ - { role: clone-repository, project: "openstack/openstack-ansible-openstack_openrc", repo: "{{ OPENSTACK_OSA_OPENRC_GIT_URL }}", dest: "{{ OPENSTACK_OSA_OPENRC_PATH }}", version: "master" }
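Review bot: The new clone-repository entry pins `version: "master"` while the releng-xci entry directly above takes its version from `OPNFV_RELENG_VERSION`, so the openrc role is fetched from a moving branch at deploy time and two runs of the same XCI tree can execute different role code on the opnfv host. Suggest `version: "{{ OPENSTACK_OSA_OPENRC_VERSION }}"` with a default exported next to the other `*_VERSION` variables (var/opnfv.yml in this change already wires `OPENSTACK_OSA_VERSION` and `OPENSTACK_BIFROST_VERSION` from the environment). The play that owns this roles list begins before the hunk.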
- hosts: localhost
connection: local
gather_facts: false
@@ -57,3 +57,21 @@
copy:
src: "{{XCI_FLAVOR_ANSIBLE_FILE_PATH}}/flavor-vars.yml"
dest: "{{OPNFV_RELENG_PATH}}/xci/var"
+- hosts: localhost
+ connection: local
+ gather_facts: false
+ vars_files:
+ - ../var/{{ ansible_os_family }}.yml
+ - ../var/opnfv.yml
+ tasks:
+ - name: create certificate directory /etc/ssl/certs
+ file:
+ path: "/etc/ssl/certs"
+ state: directory
+ - name: create key directory /etc/ssl/private
+ file:
+ path: "/etc/ssl/private"
+ state: directory
+ - name: generate self signed certificate
+ command: openssl req -new -nodes -x509 -subj "{{ XCI_SSL_SUBJECT }}" -days 3650 -keyout "/etc/ssl/private/xci.key" -out "/etc/ssl/certs/xci.crt" -extensions v3_ca
+ become: true
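Review bot: The `openssl req` task at the end of the hunk runs unconditionally, so every deploy regenerates `/etc/ssl/private/xci.key` and `/etc/ssl/certs/xci.crt` and silently invalidates the copy already distributed to the opnfv host; add `args: { creates: /etc/ssl/certs/xci.crt }` so the pair is only created once. The two `file:` tasks creating the directories lack `become: true` even though the openssl task has it, so they fail on a host where `/etc/ssl/private` is absent and the deploy user is not root; give them `become: true` and an explicit `mode:` for the private directory matching the distribution's default. `-extensions v3_ca` also relies on the system openssl.cnf defining that section, which deserves a comment: `# v3_ca comes from the distro openssl.cnf; pass -config if the host uses a custom one`.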
diff --git a/xci/playbooks/configure-opnfvhost.yml b/xci/playbooks/configure-opnfvhost.yml
index 7bc434d7..5beddcd7 100644
--- a/xci/playbooks/configure-opnfvhost.yml
+++ b/xci/playbooks/configure-opnfvhost.yml
@@ -97,6 +97,28 @@
command: "python pw-token-gen.py --file {{OPENSTACK_OSA_ETC_PATH}}/user_secrets.yml"
args:
chdir: "{{OPENSTACK_OSA_PATH}}/scripts"
+ - name: create certificate directory /etc/ssl/certs
+ file:
+ path: "/etc/ssl/certs"
+ state: directory
+ - name: create key directory /etc/ssl/private
+ file:
+ path: "/etc/ssl/private"
+ state: directory
+ - name: copy certificate to /etc/ssl/certs
+ copy:
+ src: "/etc/ssl/certs/xci.crt"
+ dest: "/etc/ssl/certs/"
+ become: true
+ - name: read remote key from /etc/ssl/private
+ set_fact:
+ xci_ssl_key: "{{ lookup('pipe', 'sudo cat /etc/ssl/private/xci.key' ) }}"
+ - name: copy key to /etc/ssl/private
+ copy:
+ content: "{{ xci_ssl_key }}"
+ dest: "/etc/ssl/private/xci.key"
+ become: true
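Review bot: The private key is read into the `xci_ssl_key` fact via `lookup('pipe', 'sudo cat /etc/ssl/private/xci.key')` and then written with `copy: content:` and no `mode:`, so the key material appears in the task output (and in logs whenever `ANSIBLE_VERBOSITY`, which xci-deploy.sh passes through, is set) and the remote file gets the module's default mode rather than an owner-only one. Add `no_log: true` to both the set_fact and the copy task, and `mode: "0600"` with `owner: root` and `group: root` on the copy. A plain `copy: src:` with `become: true` would avoid piping the key through a fact, but it needs the controller user to read `/etc/ssl/private/xci.key` without sudo, which is presumably why the pipe lookup was chosen. The play holding these tasks starts before the hunk.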
+
- hosts: localhost
remote_user: root
vars_files:
@@ -106,3 +128,26 @@
shell: "/bin/cat {{ OPNFV_SSH_HOST_KEYS_PATH }}/opnfv/root/.ssh/id_rsa.pub >> ../file/authorized_keys"
- name: Append public keys to authorized_keys
shell: "/bin/cat {{ ansible_env.HOME }}/.ssh/id_rsa.pub >> ../file/authorized_keys"
+
+- hosts: opnfv
+ gather_facts: no
+ remote_user: root
+ vars_files:
+ - ../var/{{ ansible_os_family }}.yml
+ - ../var/flavor-vars.yml
+ - ../var/opnfv.yml
+ - "{{ XCI_FLAVOR_ANSIBLE_FILE_PATH }}/user_variables.yml"
+ roles:
+ - role: "openstack-ansible-openstack_openrc"
+ tasks:
+ - name: add extra insecure flag to generated openrc
+ blockinfile:
+ dest: "{{ ansible_env.HOME }}/openrc"
+ block: |
+ export OS_INSECURE=true
+
+ - name: fetch generated openrc
+ fetch:
+ src: "{{ ansible_env.HOME }}/openrc"
+ dest: "{{ XCI_DEVEL_ROOT }}/"
+ flat: true
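Review bot: `export OS_INSECURE=true` is appended to the generated openrc, which turns off TLS verification for every client that sources it and undoes the trust the commit message says the bring-your-own certificate provides. The certificate is already placed at `/etc/ssl/certs/xci.crt` on this host by the earlier hunk, so `export OS_CACERT=/etc/ssl/certs/xci.crt` would let clients verify it once its CN or SAN matches the address in `openrc_os_auth_url` (today the CN is a hostname and the URL is an IP, so verification would still fail without that). The `fetch` then copies the openrc, which embeds `openrc_os_password`, into `{{ XCI_DEVEL_ROOT }}/`, defaulting to `/tmp/.xci-deploy-env` per config/user-vars; a comment should say so: `# the fetched openrc contains the cloud admin password; keep XCI_DEVEL_ROOT private`.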
diff --git a/xci/var/opnfv.yml b/xci/var/opnfv.yml
index aeafaceb..c6c74c87 100644
--- a/xci/var/opnfv.yml
+++ b/xci/var/opnfv.yml
@@ -9,6 +9,7 @@
##############################################################################
OPNFV_RELENG_GIT_URL: "{{ lookup('env','OPNFV_RELENG_GIT_URL') }}"
OPNFV_RELENG_PATH: "{{ lookup('env','OPNFV_RELENG_PATH') }}"
+XCI_DEVEL_ROOT: "{{ lookup('env','XCI_DEVEL_ROOT') }}"
OPNFV_RELENG_DEV_PATH: "{{ lookup('env','OPNFV_RELENG_DEV_PATH') }}"
OPNFV_RELENG_VERSION: "{{ lookup('env','OPNFV_RELENG_VERSION') }}"
OPENSTACK_BIFROST_GIT_URL: "{{ lookup('env','OPENSTACK_BIFROST_GIT_URL') }}"
@@ -16,7 +17,9 @@ OPENSTACK_BIFROST_PATH: "{{ lookup('env','OPENSTACK_BIFROST_PATH') }}"
OPENSTACK_BIFROST_DEV_PATH: "{{ lookup('env','OPENSTACK_BIFROST_DEV_PATH') }}"
OPENSTACK_BIFROST_VERSION: "{{ lookup('env','OPENSTACK_BIFROST_VERSION') }}"
OPENSTACK_OSA_GIT_URL: "{{ lookup('env','OPENSTACK_OSA_GIT_URL') }}"
+OPENSTACK_OSA_OPENRC_GIT_URL: "{{ lookup('env', 'OPENSTACK_OSA_OPENRC_GIT_URL') }}"
OPENSTACK_OSA_PATH: "{{ lookup('env','OPENSTACK_OSA_PATH') }}"
+OPENSTACK_OSA_OPENRC_PATH: "{{ lookup('env', 'OPENSTACK_OSA_OPENRC_PATH') }}"
OPENSTACK_OSA_DEV_PATH: "{{ lookup('env','OPENSTACK_OSA_DEV_PATH') }}"
OPENSTACK_OSA_VERSION: "{{ lookup('env','OPENSTACK_OSA_VERSION') }}"
OPENSTACK_OSA_ETC_PATH: "{{ lookup('env','OPENSTACK_OSA_ETC_PATH') }}"
@@ -28,3 +31,4 @@ LOG_PATH: "{{ lookup('env','LOG_PATH') }}"
OPNFV_HOST_IP: "{{ lookup('env','OPNFV_HOST_IP') }}"
OPNFV_SSH_HOST_KEYS_PATH: "{{ lookup('env', 'OPNFV_SSH_HOST_KEYS_PATH') }}"
XCI_EXTRA_VARS_PATH: "{{ lookup('env', 'XCI_EXTRA_VARS_PATH') }}"
+XCI_SSL_SUBJECT: "{{ lookup('env', 'XCI_SSL_SUBJECT') }}"
diff --git a/xci/xci-deploy.sh b/xci/xci-deploy.sh
index 60151220..ced6fff0 100755
--- a/xci/xci-deploy.sh
+++ b/xci/xci-deploy.sh
@@ -126,8 +126,8 @@ echo "Info: Configured localhost host for openstack-ansible"
#-------------------------------------------------------------------------------
echo "Info: Configuring opnfv deployment host for openstack-ansible"
echo "-----------------------------------------------------------------------"
-cd $OPNFV_XCI_PATH/playbooks
-ansible-playbook $ANSIBLE_VERBOSITY -i inventory configure-opnfvhost.yml
+cd ${XCI_DEVEL_ROOT}
+ansible-playbook $ANSIBLE_VERBOSITY -i ${OPNFV_XCI_PATH}/playbooks/inventory ${OPNFV_XCI_PATH}/playbooks/configure-opnfvhost.yml
echo "-----------------------------------------------------------------------"
echo "Info: Configured opnfv deployment host for openstack-ansible"
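Review bot: `cd ${XCI_DEVEL_ROOT}` on the new line is unquoted and unchecked, so a path containing whitespace word-splits and a failed cd would run the playbook from the previous directory unless the script enables `set -e`, which is not visible in this hunk. Prefer `cd "${XCI_DEVEL_ROOT}" || exit 1` and quote the two path arguments: `ansible-playbook $ANSIBLE_VERBOSITY -i "${OPNFV_XCI_PATH}/playbooks/inventory" "${OPNFV_XCI_PATH}/playbooks/configure-opnfvhost.yml"`. `$ANSIBLE_VERBOSITY` is presumably left unquoted on purpose so an empty value contributes no argument; a short comment stating that would keep a later cleanup from quoting it.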