author | Fatih Degirmenci <fatih.degirmenci@ericsson.com> | 2017-09-15 04:22:56 +0000 |
committer | Gerrit Code Review <gerrit@opnfv.org> | 2017-09-15 04:22:56 +0000 |
commit | 0c63da903cc5eefbdc7b796fa91b5887090f1f70 (patch) | |
tree | e4a050c5510ad314a60b85b8fe4a8ff21cea1874 | |
parent | 2357c9d195173cb7cdf57ffcbc7e92cea73e0ff1 (diff) | |
parent | d08ce6dfd4df2574be8f69419f5e5c027cae6d2a (diff) |
Merge "Generate and use certificates for OSA"
-rw-r--r-- | xci/README.rst | 4 | ||||
-rwxr-xr-x | xci/config/env-vars | 3 | ||||
-rwxr-xr-x | xci/config/user-vars | 1 | ||||
-rw-r--r-- | xci/file/ha/user_variables.yml | 14 | ||||
-rw-r--r-- | xci/file/install-ansible.sh | 3 | ||||
-rw-r--r-- | xci/file/mini/user_variables.yml | 14 | ||||
-rw-r--r-- | xci/file/noha/user_variables.yml | 14 | ||||
-rw-r--r-- | xci/playbooks/configure-localhost.yml | 20 | ||||
-rw-r--r-- | xci/playbooks/configure-opnfvhost.yml | 45 | ||||
-rw-r--r-- | xci/var/opnfv.yml | 4 | ||||
-rwxr-xr-x | xci/xci-deploy.sh | 4 |
11 files changed, 123 insertions, 3 deletions
diff --git a/xci/README.rst b/xci/README.rst
index 462fffd1..9ce293cd 100644
--- a/xci/README.rst
+++ b/xci/README.rst
@@ -124,6 +124,10 @@ You can generate one by executing
 ssh-keygen -t rsa
+After the script finishes, it will provide an openrc file that can be
+sourced to properly start using the cloud. It will be available under the
+opnfv host (in $HOME path), and on the the buildhost (in $XCI_DEVEL_ROOT path)
+
 Advanced Usage
 --------------
diff --git a/xci/config/env-vars b/xci/config/env-vars
index f4a3facc..976eb66b 100755
--- a/xci/config/env-vars
+++ b/xci/config/env-vars
@@ -5,6 +5,7 @@ export OPNFV_RELENG_GIT_URL=https://gerrit.opnfv.org/gerrit/releng-xci.git
 export OPENSTACK_BIFROST_GIT_URL=https://git.openstack.org/openstack/bifrost
 export OPENSTACK_OSA_GIT_URL=https://git.openstack.org/openstack/openstack-ansible
+export OPENSTACK_OSA_OPENRC_GIT_URL=https://git.openstack.org/openstack/openstack-ansible-openstack_openrc
 export OPENSTACK_OSA_ETC_PATH=/etc/openstack_deploy
 export OPNFV_HOST_IP=192.168.122.2
 export OPNFV_XCI_PATH=$OPNFV_RELENG_PATH/xci
@@ -20,3 +21,5 @@ export DIB_OS_RELEASE=${DIB_OS_RELEASE:-xenial}
 export DIB_OS_ELEMENT=${DIB_OS_ELEMENT:-ubuntu-minimal}
 export DIB_OS_PACKAGES=${DIB_OS_PACKAGES:-"vlan,vim,less,bridge-utils,sudo,language-pack-en,iputils-ping,rsyslog,curl,python,debootstrap,ifenslave,ifenslave-2.6,lsof,lvm2,tcpdump,nfs-kernel-server,chrony,iptables"}
 export EXTRA_DIB_ELEMENTS=${EXTRA_DIB_ELEMENTS:-"openssh-server"}
+# subject of the certificate
+export XCI_SSL_SUBJECT=${XCI_SSL_SUBJECT:-"/C=US/ST=California/L=San Francisco/O=IT/CN=xci.releng.opnfv.org"}
diff --git a/xci/config/user-vars b/xci/config/user-vars
index c960b904..709aa29e 100755
--- a/xci/config/user-vars
+++ b/xci/config/user-vars
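Review bot: The default XCI_SSL_SUBJECT ends in CN=xci.releng.opnfv.org, while the keystone endpoints this same commit configures in the flavor user_variables.yml files are IP URLs (https://192.168.122.220:5000/v3 and https://192.168.122.3:5000/v3), so a certificate issued with this subject can never be validated against those endpoints even by a client that trusts it; that appears to be why the keystone_service_*_insecure settings and OS_INSECURE are needed elsewhere in the commit. The one-line comment above the export should state this, e.g. `# Subject of the self-signed cert generated by configure-localhost.yml; CN does not match the IP-based endpoints, so TLS verification is disabled in user_variables.yml and the openrc`. Choosing a subject (or a subjectAltName) that covers the endpoint address would let the insecure flags be removed later.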
@@ -30,6 +30,7 @@ export XCI_FLAVOR=${XCI_FLAVOR:-aio}
 #-------------------------------------------------------------------------------
 export XCI_DEVEL_ROOT=${XCI_DEVEL_ROOT:-"/tmp/.xci-deploy-env"}
 export OPNFV_RELENG_PATH="${XCI_DEVEL_ROOT}/releng-xci"
+export OPENSTACK_OSA_OPENRC_PATH="${XCI_DEVEL_ROOT}/openstack-ansible-openstack_openrc"
 export OPENSTACK_BIFROST_PATH="${XCI_DEVEL_ROOT}/bifrost"
 export OPENSTACK_OSA_PATH="${XCI_DEVEL_ROOT}/openstack-ansible"
 export OPNFV_SSH_HOST_KEYS_PATH="${XCI_DEVEL_ROOT}/ssh_host_keys"
diff --git a/xci/file/ha/user_variables.yml b/xci/file/ha/user_variables.yml
index 58ba5679..8235f6f7 100644
--- a/xci/file/ha/user_variables.yml
+++ b/xci/file/ha/user_variables.yml
@@ -146,3 +146,17 @@ trove_wsgi_processes: 1
 ## Sahara
 sahara_api_workers_max: 2
 sahara_api_workers: 1
+
+openrc_os_auth_url: "https://192.168.122.220:5000/v3"
+keystone_auth_admin_password: "opnfv-secret-password"
+openrc_os_password: "opnfv-secret-password"
+openrc_os_domain_name: "Default"
+openrc_cinder_endpoint_type: "publicURL"
+openrc_nova_endpoint_type: "publicURL"
+openrc_os_endpoint_type: "publicURL"
+openrc_clouds_yml_interface: "public"
+openrc_region_name: RegionOne
+haproxy_user_ssl_cert: "/etc/ssl/certs/xci.crt"
+haproxy_user_ssl_key: "/etc/ssl/private/xci.key"
+keystone_service_adminuri_insecure: true
+keystone_service_internaluri_insecure: true
diff --git a/xci/file/install-ansible.sh b/xci/file/install-ansible.sh
index 67a49b39..16ff86c8 100644
--- a/xci/file/install-ansible.sh
+++ b/xci/file/install-ansible.sh
@@ -30,6 +30,7 @@ if [ -x '/usr/bin/zypper' ]; then
 [python-devel]=python-devel
 [venv]=python-virtualenv
 [wget]=wget
+ [openssl]=openssl
 )
 EXTRA_PKG_DEPS=( python-xml )
 # NOTE (cinerama): we can't install python without removing this package
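Review bot: `keystone_auth_admin_password: "opnfv-secret-password"` and `openrc_os_password: "opnfv-secret-password"` commit a fixed keystone admin credential into the ha flavor, and the mini and noha user_variables.yml hunks in this commit repeat the identical value, so every deployment built from this tree shares one well-known admin password. The rest of the deployment already derives its secrets with pw-token-gen.py into user_secrets.yml (see the configure-opnfvhost.yml hunk), so this password should come from that generated file or from an environment override like the other XCI_* settings rather than from a literal in three files. At minimum the value needs a comment marking it as a placeholder to override outside a throwaway lab, e.g. `# placeholder admin password — override before any non-lab deployment`. `keystone_service_adminuri_insecure: true` and `keystone_service_internaluri_insecure: true` likewise deserve a one-line comment tying them to the self-signed xci.crt so they are not left enabled once a trusted certificate is in place.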
@@ -50,6 +51,7 @@ elif [ -x '/usr/bin/apt-get' ]; then
 [python-devel]=libpython-dev
 [venv]=python-virtualenv
 [wget]=wget
+ [openssl]=openssl
 )
 EXTRA_PKG_DEPS=()
 elif [ -x '/usr/bin/dnf' ] || [ -x '/usr/bin/yum' ]; then
@@ -67,6 +69,7 @@ elif [ -x '/usr/bin/dnf' ] || [ -x '/usr/bin/yum' ]; then
 [python-devel]=python-devel
 [venv]=python-virtualenv
 [wget]=wget
+ [openssl]=openssl
 )
 EXTRA_PKG_DEPS=()
 else
diff --git a/xci/file/mini/user_variables.yml b/xci/file/mini/user_variables.yml
index fa8a38f3..0b8c6cd7 100644
--- a/xci/file/mini/user_variables.yml
+++ b/xci/file/mini/user_variables.yml
@@ -146,3 +146,17 @@ trove_wsgi_processes: 1
 ## Sahara
 sahara_api_workers_max: 2
 sahara_api_workers: 1
+
+openrc_os_auth_url: "https://192.168.122.3:5000/v3"
+keystone_auth_admin_password: "opnfv-secret-password"
+openrc_os_password: "opnfv-secret-password"
+openrc_os_domain_name: "Default"
+openrc_cinder_endpoint_type: "publicURL"
+openrc_nova_endpoint_type: "publicURL"
+openrc_os_endpoint_type: "publicURL"
+openrc_clouds_yml_interface: "public"
+openrc_region_name: RegionOne
+haproxy_user_ssl_cert: "/etc/ssl/certs/xci.crt"
+haproxy_user_ssl_key: "/etc/ssl/private/xci.key"
+keystone_service_adminuri_insecure: true
+keystone_service_internaluri_insecure: true
diff --git a/xci/file/noha/user_variables.yml b/xci/file/noha/user_variables.yml
index bdb2df09..72a8ab7d 100644
--- a/xci/file/noha/user_variables.yml
+++ b/xci/file/noha/user_variables.yml
@@ -146,3 +146,17 @@ trove_wsgi_processes: 1 ## Sahara sahara_api_workers_max: 2 sahara_api_workers: 1 + +openrc_os_auth_url: "https://192.168.122.3:5000/v3" +keystone_auth_admin_password: "opnfv-secret-password" +openrc_os_password: "opnfv-secret-password" +openrc_os_domain_name: "Default" +openrc_cinder_endpoint_type: "publicURL" +openrc_nova_endpoint_type: "publicURL" +openrc_os_endpoint_type: "publicURL" +openrc_clouds_yml_interface: "public" +openrc_region_name: RegionOne +haproxy_user_ssl_cert: "/etc/ssl/certs/xci.crt" +haproxy_user_ssl_key: "/etc/ssl/private/xci.key" +keystone_service_adminuri_insecure: true +keystone_service_internaluri_insecure: true diff --git a/xci/playbooks/configure-localhost.yml b/xci/playbooks/configure-localhost.yml index 40147d31..2dfa0530 100644 --- a/xci/playbooks/configure-localhost.yml +++ b/xci/playbooks/configure-localhost.yml @@ -15,7 +15,7 @@ roles: - role: remove-folders - { role: clone-repository, project: "opnfv/releng-xci", repo: "{{ OPNFV_RELENG_GIT_URL }}", dest: "{{ OPNFV_RELENG_PATH }}", version: "{{ OPNFV_RELENG_VERSION }}" } - + - { role: clone-repository, project: "openstack/openstack-ansible-openstack_openrc", repo: "{{ OPENSTACK_OSA_OPENRC_GIT_URL }}", dest: "{{ OPENSTACK_OSA_OPENRC_PATH }}", version: "master" } - hosts: localhost connection: local gather_facts: false 
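Review bot: The new clone-repository entry in configure-localhost.yml pins openstack-ansible-openstack_openrc to `version: "master"`, whereas the releng-xci clone right above it is pinned through `{{ OPNFV_RELENG_VERSION }}` and the bifrost and openstack-ansible repos are pinned through their *_VERSION variables in opnfv.yml. This role is later applied as root on the opnfv host (remote_user: root in configure-opnfvhost.yml), so an unpinned branch means the deployed code can change without any change to this repository. Introduce a version variable following the existing *_VERSION naming, default it in env-vars to a specific tag or commit, export it through opnfv.yml like OPENSTACK_OSA_OPENRC_GIT_URL, and reference it here in place of the literal `"master"`.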
@@ -57,3 +57,21 @@ copy: src: "{{XCI_FLAVOR_ANSIBLE_FILE_PATH}}/flavor-vars.yml" dest: "{{OPNFV_RELENG_PATH}}/xci/var" +- hosts: localhost + connection: local + gather_facts: false + vars_files: + - ../var/{{ ansible_os_family }}.yml + - ../var/opnfv.yml + tasks: + - name: create certificate directory /etc/ssl/certs + file: + path: "/etc/ssl/certs" + state: directory + - name: create key directory /etc/ssl/private + file: + path: "/etc/ssl/private" + state: directory + - name: generate self signed certificate + command: openssl req -new -nodes -x509 -subj "{{ XCI_SSL_SUBJECT }}" -days 3650 -keyout "/etc/ssl/private/xci.key" -out "/etc/ssl/certs/xci.crt" -extensions v3_ca + become: true diff --git a/xci/playbooks/configure-opnfvhost.yml b/xci/playbooks/configure-opnfvhost.yml index 7bc434d7..5beddcd7 100644 --- a/xci/playbooks/configure-opnfvhost.yml +++ b/xci/playbooks/configure-opnfvhost.yml @@ -97,6 +97,28 @@ command: "python pw-token-gen.py --file {{OPENSTACK_OSA_ETC_PATH}}/user_secrets.yml" args: chdir: "{{OPENSTACK_OSA_PATH}}/scripts" + - name: create certificate directory /etc/ssl/certs + file: + path: "/etc/ssl/certs" + state: directory + - name: create key directory /etc/ssl/private + file: + path: "/etc/ssl/private" + state: directory + - name: copy certificate to /etc/ssl/certs + copy: + src: "/etc/ssl/certs/xci.crt" + dest: "/etc/ssl/certs/" + become: true + - name: read remote key from /etc/ssl/private + set_fact: + xci_ssl_key: "{{ lookup('pipe', 'sudo cat /etc/ssl/private/xci.key' ) }}" + - name: copy key to /etc/ssl/private + copy: + content: "{{ xci_ssl_key }}" + dest: "/etc/ssl/private/xci.key" + become: true + - hosts: localhost remote_user: root vars_files: 
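Review bot: The `generate self signed certificate` task runs `openssl req` through `command:` with no `creates:`, so every run of configure-localhost.yml regenerates /etc/ssl/private/xci.key and /etc/ssl/certs/xci.crt, invalidating the copy previously pushed to the opnfv host and making the play non-idempotent; add `args:` with `creates: /etc/ssl/certs/xci.crt` to the task. The two `file:` tasks that create /etc/ssl/certs and /etc/ssl/private set no `mode:`, and as far as the collapsed hunk shows the trailing `become: true` applies only to the openssl task, so the private directory should at least get `mode: "0700"` and the key file's permissions are left to the umask of whoever runs openssl. `-days 3650` also hard-codes a ten-year lifetime for a certificate whose subject (XCI_SSL_SUBJECT) is not the endpoint address; a short comment stating that this is a lab-only self-signed certificate would help the next reader.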
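Review bot: The `read remote key from /etc/ssl/private` task loads the private key into the fact `xci_ssl_key` through `lookup('pipe', 'sudo cat /etc/ssl/private/xci.key')`, and the following `copy: content:` writes it to /etc/ssl/private/xci.key on the opnfv host with no `mode:`; the key therefore appears in Ansible's task output whenever verbosity is raised (xci-deploy.sh passes $ANSIBLE_VERBOSITY to ansible-playbook) and lands on disk with copy's default permissions. Add `no_log: true` to the set_fact task and `mode: "0600"` to the key copy task; the `sudo` inside the lookup is presumably there because the key is root-only on the build host, and that should be said in a comment since it bypasses Ansible's own privilege-escalation settings. The two `file:` tasks creating /etc/ssl/certs and /etc/ssl/private here also lack `become: true` while the copy tasks that write into them have it.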
@@ -106,3 +128,26 @@ shell: "/bin/cat {{ OPNFV_SSH_HOST_KEYS_PATH }}/opnfv/root/.ssh/id_rsa.pub >> ../file/authorized_keys" - name: Append public keys to authorized_keys shell: "/bin/cat {{ ansible_env.HOME }}/.ssh/id_rsa.pub >> ../file/authorized_keys" + +- hosts: opnfv + gather_facts: no + remote_user: root + vars_files: + - ../var/{{ ansible_os_family }}.yml + - ../var/flavor-vars.yml + - ../var/opnfv.yml + - "{{ XCI_FLAVOR_ANSIBLE_FILE_PATH }}/user_variables.yml" + roles: + - role: "openstack-ansible-openstack_openrc" + tasks: + - name: add extra insecure flag to generated openrc + blockinfile: + dest: "{{ ansible_env.HOME }}/openrc" + block: | + export OS_INSECURE=true + + - name: fetch generated openrc + fetch: + src: "{{ ansible_env.HOME }}/openrc" + dest: "{{ XCI_DEVEL_ROOT }}/" + flat: true diff --git a/xci/var/opnfv.yml b/xci/var/opnfv.yml index aeafaceb..c6c74c87 100644 --- a/xci/var/opnfv.yml +++ b/xci/var/opnfv.yml @@ -9,6 +9,7 @@ ############################################################################## OPNFV_RELENG_GIT_URL: "{{ lookup('env','OPNFV_RELENG_GIT_URL') }}" OPNFV_RELENG_PATH: "{{ lookup('env','OPNFV_RELENG_PATH') }}" +XCI_DEVEL_ROOT: "{{ lookup('env','XCI_DEVEL_ROOT') }}" OPNFV_RELENG_DEV_PATH: "{{ lookup('env','OPNFV_RELENG_DEV_PATH') }}" OPNFV_RELENG_VERSION: "{{ lookup('env','OPNFV_RELENG_VERSION') }}" OPENSTACK_BIFROST_GIT_URL: "{{ lookup('env','OPENSTACK_BIFROST_GIT_URL') }}" 
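Review bot: `export OS_INSECURE=true`, appended to the generated openrc by blockinfile, disables TLS verification for every client that sources the file, not just for the self-signed certificate this commit creates; the certificate's subject (XCI_SSL_SUBJECT) does not cover the IP endpoints in user_variables.yml, which is presumably why it is needed. Issuing the certificate with a subjectAltName for the endpoint address and setting `export OS_CACERT=/etc/ssl/certs/xci.crt` in the same block would keep verification on; if OS_INSECURE must stay, the block should carry a comment such as `# lab-only: self-signed xci.crt does not match the endpoint address`. The `fetch` task then copies this openrc, which holds openrc_os_password in clear text, to `{{ XCI_DEVEL_ROOT }}/` (default /tmp/.xci-deploy-env per user-vars); fetch takes no mode parameter, so a follow-up `file:` task setting `mode: "0600"` on the fetched copy is warranted, and the README hunk that advertises the file's location should mention that it contains credentials.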
@@ -16,7 +17,9 @@ OPENSTACK_BIFROST_PATH: "{{ lookup('env','OPENSTACK_BIFROST_PATH') }}"
 OPENSTACK_BIFROST_DEV_PATH: "{{ lookup('env','OPENSTACK_BIFROST_DEV_PATH') }}"
 OPENSTACK_BIFROST_VERSION: "{{ lookup('env','OPENSTACK_BIFROST_VERSION') }}"
 OPENSTACK_OSA_GIT_URL: "{{ lookup('env','OPENSTACK_OSA_GIT_URL') }}"
+OPENSTACK_OSA_OPENRC_GIT_URL: "{{ lookup('env', 'OPENSTACK_OSA_OPENRC_GIT_URL') }}"
 OPENSTACK_OSA_PATH: "{{ lookup('env','OPENSTACK_OSA_PATH') }}"
+OPENSTACK_OSA_OPENRC_PATH: "{{ lookup('env', 'OPENSTACK_OSA_OPENRC_PATH') }}"
 OPENSTACK_OSA_DEV_PATH: "{{ lookup('env','OPENSTACK_OSA_DEV_PATH') }}"
 OPENSTACK_OSA_VERSION: "{{ lookup('env','OPENSTACK_OSA_VERSION') }}"
 OPENSTACK_OSA_ETC_PATH: "{{ lookup('env','OPENSTACK_OSA_ETC_PATH') }}"
@@ -28,3 +31,4 @@ LOG_PATH: "{{ lookup('env','LOG_PATH') }}"
 OPNFV_HOST_IP: "{{ lookup('env','OPNFV_HOST_IP') }}"
 OPNFV_SSH_HOST_KEYS_PATH: "{{ lookup('env', 'OPNFV_SSH_HOST_KEYS_PATH') }}"
 XCI_EXTRA_VARS_PATH: "{{ lookup('env', 'XCI_EXTRA_VARS_PATH') }}"
+XCI_SSL_SUBJECT: "{{ lookup('env', 'XCI_SSL_SUBJECT') }}"
diff --git a/xci/xci-deploy.sh b/xci/xci-deploy.sh
index 60151220..ced6fff0 100755
--- a/xci/xci-deploy.sh
+++ b/xci/xci-deploy.sh
@@ -126,8 +126,8 @@ echo "Info: Configured localhost host for openstack-ansible"
 #-------------------------------------------------------------------------------
 echo "Info: Configuring opnfv deployment host for openstack-ansible"
 echo "-----------------------------------------------------------------------"
-cd $OPNFV_XCI_PATH/playbooks
-ansible-playbook $ANSIBLE_VERBOSITY -i inventory configure-opnfvhost.yml
+cd ${XCI_DEVEL_ROOT}
+ansible-playbook $ANSIBLE_VERBOSITY -i ${OPNFV_XCI_PATH}/playbooks/inventory ${OPNFV_XCI_PATH}/playbooks/configure-opnfvhost.yml
 echo "-----------------------------------------------------------------------"
 echo "Info: Configured opnfv deployment host for openstack-ansible" |
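Review bot: `cd ${XCI_DEVEL_ROOT}` is unquoted and unchecked: with XCI_DEVEL_ROOT empty the cd silently lands in $HOME and configure-opnfvhost.yml runs from the wrong directory, and whether the script is under set -e is outside the hunk. Nothing explains why the working directory changed from the playbooks directory to XCI_DEVEL_ROOT — presumably so that the openstack-ansible-openstack_openrc role cloned into `${XCI_DEVEL_ROOT}` by configure-localhost.yml is found on the default roles path — so the line should become `cd "${XCI_DEVEL_ROOT:?XCI_DEVEL_ROOT must be set}" || exit 1` preceded by a comment such as `# run from XCI_DEVEL_ROOT so the openstack_openrc role cloned there is resolvable`. The `${OPNFV_XCI_PATH}` expansions on the ansible-playbook line are likewise unquoted and only safe while the path contains no whitespace.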