diff options
| author |   Markos Chandras <mchandras@suse.de> | 2018-09-03 17:21:52 +0100 |
|---|---|---|
| committer |   Fatih Degirmenci <fdegir@gmail.com> | 2018-09-04 05:59:43 +0000 |
| commit | 680f203f5b37b10fbaaf69c04b983cf333c12dc6 (patch) | |
| tree | b56c9ece0436dee47729dc51aa5b9ed9b1615b0f | |
| parent | 933c7a0f36c970d24954b9ba1552a29a75b43976 (diff) | |
xci: osa: Restore self-signed XCI certificate
This reverts commit cc583f30f881ba956fb4f1402aa4dd1608b27da2.
We still need to have control over the generated certificates so lets
keep creating our own.
deploy-scenario:os-nosdn-nofeature
installer-type:osa
Change-Id: I9e730bce2dba578ca0b561b168eaf1c2eca1282d
7 files changed, 48 insertions, 0 deletions
diff --git a/xci/installer/kubespray/playbooks/configure-opnfvhost.yml b/xci/installer/kubespray/playbooks/configure-opnfvhost.yml index 36104b6c..00a8053f 100644 --- a/xci/installer/kubespray/playbooks/configure-opnfvhost.yml +++ b/xci/installer/kubespray/playbooks/configure-opnfvhost.yml @@ -83,6 +83,9 @@ - { name: 'netaddr' } - { name: 'ansible-modules-hashivault' } + - name: Configure SSL certificates + include_tasks: "{{ xci_path }}/xci/playbooks/manage-ssl-certs.yml" + - name: fetch xci environment copy: src: "{{ xci_path }}/.cache/xci.env" diff --git a/xci/installer/kubespray/playbooks/configure-targethosts.yml b/xci/installer/kubespray/playbooks/configure-targethosts.yml index 859460c6..7989bfb6 100644 --- a/xci/installer/kubespray/playbooks/configure-targethosts.yml +++ b/xci/installer/kubespray/playbooks/configure-targethosts.yml @@ -37,4 +37,6 @@ when: xci_flavor == 'ha' - role: "haproxy_server" haproxy_service_configs: "{{ haproxy_default_services}}" + haproxy_user_ssl_cert: "/etc/ssl/certs/xci.crt" + haproxy_user_ssl_key: "/etc/ssl/private/xci.key" when: xci_flavor == 'ha' diff --git a/xci/installer/osa/files/ha/user_variables.yml b/xci/installer/osa/files/ha/user_variables.yml index 8c2e9f0c..abbe688e 100644 --- a/xci/installer/osa/files/ha/user_variables.yml +++ b/xci/installer/osa/files/ha/user_variables.yml @@ -164,5 +164,7 @@ openrc_os_endpoint_type: "publicURL" openrc_clouds_yml_interface: "public" openrc_region_name: RegionOne openrc_insecure: true +haproxy_user_ssl_cert: "/etc/ssl/certs/xci.crt" +haproxy_user_ssl_key: "/etc/ssl/private/xci.key" keystone_service_adminuri_insecure: true keystone_service_internaluri_insecure: true diff --git a/xci/installer/osa/files/mini/user_variables.yml b/xci/installer/osa/files/mini/user_variables.yml index b4d847bc..db956e38 100644 --- a/xci/installer/osa/files/mini/user_variables.yml +++ b/xci/installer/osa/files/mini/user_variables.yml @@ -164,5 +164,7 @@ openrc_os_endpoint_type: "publicURL" openrc_clouds_yml_interface: "public" openrc_region_name: RegionOne openrc_insecure: true +haproxy_user_ssl_cert: "/etc/ssl/certs/xci.crt" +haproxy_user_ssl_key: "/etc/ssl/private/xci.key" keystone_service_adminuri_insecure: true keystone_service_internaluri_insecure: true diff --git a/xci/installer/osa/files/noha/user_variables.yml b/xci/installer/osa/files/noha/user_variables.yml index 5e7ed83c..b9fd2e89 100644 --- a/xci/installer/osa/files/noha/user_variables.yml +++ b/xci/installer/osa/files/noha/user_variables.yml @@ -164,5 +164,7 @@ openrc_os_endpoint_type: "publicURL" openrc_clouds_yml_interface: "public" openrc_region_name: RegionOne openrc_insecure: true +haproxy_user_ssl_cert: "/etc/ssl/certs/xci.crt" +haproxy_user_ssl_key: "/etc/ssl/private/xci.key" keystone_service_adminuri_insecure: true keystone_service_internaluri_insecure: true diff --git a/xci/installer/osa/playbooks/configure-opnfvhost.yml b/xci/installer/osa/playbooks/configure-opnfvhost.yml index 768b6564..b677fecd 100644 --- a/xci/installer/osa/playbooks/configure-opnfvhost.yml +++ b/xci/installer/osa/playbooks/configure-opnfvhost.yml @@ -158,6 +158,11 @@ chdir: "{{openstack_osa_path}}/scripts" changed_when: True + - name: Configure SSL certificates + include_tasks: "{{ xci_path }}/xci/playbooks/manage-ssl-certs.yml" + vars: + extra_args: "-c https://raw.githubusercontent.com/openstack/requirements/{{ requirements_git_install_branch }}/upper-constraints.txt" + - name: fetch xci environment copy: src: "{{ xci_path }}/.cache/xci.env" diff --git a/xci/playbooks/manage-ssl-certs.yml b/xci/playbooks/manage-ssl-certs.yml new file mode 100644 index 00000000..d0c5c518 --- /dev/null +++ b/xci/playbooks/manage-ssl-certs.yml @@ -0,0 +1,32 @@ +# SPDX-license-identifier: Apache-2.0 +############################################################################## +# Copyright (c) 2018 SUSE Linux GmbH and others. +# All rights reserved. This program and the accompanying materials +# are made available under the terms of the Apache License, Version 2.0 +# which accompanies this distribution, and is available at +# http://www.apache.org/licenses/LICENSE-2.0 +############################################################################## +- name: Install required pip packages for SSL + pip: + name: pyOpenSSL + state: present + extra_args: "{{ extra_args | default(omit) }}" + +- name: Generate XCI private key + openssl_privatekey: + path: /etc/ssl/private/xci.key + size: 2048 + +- name: Generate XCI certificate request + openssl_csr: + privatekey_path: /etc/ssl/private/xci.key + path: /etc/ssl/private/xci.csr + common_name: "{{ xci_ssl_subject }}" + +- name: Generate XCI self signed certificate + openssl_certificate: + path: /etc/ssl/certs/xci.crt + privatekey_path: /etc/ssl/private/xci.key + csr_path: /etc/ssl/private/xci.csr + provider: selfsigned + selfsigned_not_after: 20800101000000Z |