authorMarkos Chandras <mchandras@suse.de>2018-04-03 12:47:54 +0100
committerMarkos Chandras <mchandras@suse.de>2018-04-04 10:55:12 +0100
commit9fc661b56dbd90df944755140bfff88fb1197fbd (patch)
tree99428d2a69a577ebb14afbdcba82742b2e5284db
parent8199744e9cee88127291b22ebeb9e78142cc4ade (diff)
xci: osa: Use Ansible modules to create ssl certificates
Ansible already provides modules to create ssl certificates so we can use these instead of running the openssl commands directly. Moreover, we can drop all the tasks which create the ssl directories since they are created by the openssl package which also creates the appropriate symlinks. Finally, there is no need to generate the certificate on localhost if only the OPNFV host consumes it, so move these steps to the appropriate playbook. Change-Id: I0045945c502013be3d76440876e894a44a092690 Signed-off-by: Markos Chandras <mchandras@suse.de>
-rw-r--r--xci/installer/osa/playbooks/configure-opnfvhost.yml45
-rw-r--r--xci/playbooks/configure-localhost.yml36
2 files changed, 30 insertions, 51 deletions
diff --git a/xci/installer/osa/playbooks/configure-opnfvhost.yml b/xci/installer/osa/playbooks/configure-opnfvhost.yml
index 6c2b1d35..0e6fdd16 100644
--- a/xci/installer/osa/playbooks/configure-opnfvhost.yml
+++ b/xci/installer/osa/playbooks/configure-opnfvhost.yml
@@ -123,6 +123,7 @@
- pyyaml
- python-neutronclient
- python-openstackclient
+ - pyOpenSSL
- name: Install ARA callback plugin in OSA virtualenv
pip:
name: ara
@@ -148,30 +149,26 @@
args:
chdir: "{{openstack_osa_path}}/scripts"
changed_when: True
- - name: check if certificate directory /etc/ssl/certs exists already
- stat: path=/etc/ssl/certs
- register: check_etc_ssl_certs
- - name: create certificate directory /etc/ssl/certs
- file:
- path: "/etc/ssl/certs"
- state: directory
- when: check_etc_ssl_certs.stat.exists == false
- - name: create key directory /etc/ssl/private
- file:
- path: "/etc/ssl/private"
- state: directory
- - name: copy certificate to /etc/ssl/certs
- copy:
- src: "/etc/ssl/certs/xci.crt"
- dest: "/etc/ssl/certs/"
- - name: read remote key from /etc/ssl/private
- set_fact:
- xci_ssl_key: "{{ lookup('pipe', 'sudo cat /etc/ssl/private/xci.key' ) }}"
- - name: copy key to /etc/ssl/private
- copy:
- content: "{{ xci_ssl_key }}"
- dest: "/etc/ssl/private/xci.key"
- become: true
+
+ - name: Generate XCI private key
+ openssl_privatekey:
+ path: /etc/ssl/private/xci.key
+ size: 2048
+
+ - name: Generate XCI certificate request
+ openssl_csr:
+ privatekey_path: /etc/ssl/private/xci.key
+ path: /etc/ssl/private/xci.csr
+ common_name: "{{ xci_ssl_subject }}"
+
+ - name: Generate XCI self signed certificate
+ openssl_certificate:
+ path: /etc/ssl/certs/xci.crt
+ privatekey_path: /etc/ssl/private/xci.key
+ csr_path: /etc/ssl/private/xci.csr
+ provider: selfsigned
+ selfsigned_not_after: 20800101000000Z
+
- name: fetch xci environment
copy:
src: "{{ xci_path }}/.cache/xci.env"
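Review bot: `common_name: "{{ xci_ssl_subject }}"` in the certificate request task reuses the variable that the removed `openssl req` command passed to `-subj`, and nothing in this commit changes its definition; if it still holds a full `/C=.../CN=...` subject string, that whole string becomes the CN and host-name checks against the certificate will fail. The request also sets no `subject_alt_name`, which many current TLS clients match against instead of the CN, so I would pass the bare host name as `common_name` and add `subject_alt_name: "DNS:<xci-host-name>"` (placeholder, the real name is not visible here). Separately, `selfsigned_not_after: 20800101000000Z` replaces the previous `-days 3650` lifetime with one of roughly sixty years on a 2048-bit key, and the old `-extensions v3_ca` is dropped without comment; a nearer expiry date and a short comment on whether consumers still need a CA certificate would help. The play's task list starts and ends outside this hunk, so any play-level `become` or variable overrides are not visible.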
diff --git a/xci/playbooks/configure-localhost.yml b/xci/playbooks/configure-localhost.yml
index 1f010528..5f091c92 100644
--- a/xci/playbooks/configure-localhost.yml
+++ b/xci/playbooks/configure-localhost.yml
@@ -69,34 +69,16 @@
path: "{{log_path}}"
state: directory
recurse: no
- - block:
- - name: check if certificate directory /etc/ssl/certs exists already
- stat: path=/etc/ssl/certs
- register: check_etc_ssl_certs
- - name: create certificate directory /etc/ssl/certs
- become: true
- file:
- path: "/etc/ssl/certs"
- state: directory
- when: check_etc_ssl_certs.stat.exists == false
- - name: create key directory /etc/ssl/private
- become: true
- file:
- path: "/etc/ssl/private"
- state: directory
- - name: generate self signed certificate
- command: openssl req -new -nodes -x509 -subj "{{ xci_ssl_subject }}" -days 3650 -keyout "/etc/ssl/private/xci.key" -out "/etc/ssl/certs/xci.crt" -extensions v3_ca
- become: true
- - name: Synchronize local development OSA repository to XCI paths
- # command module is much faster than the copy module
- synchronize:
- src: "{{ openstack_osa_dev_path }}"
- dest: "{{ xci_cache }}/repos/openstack-ansible"
- recursive: yes
- delete: yes
- when:
- - openstack_osa_dev_path != ""
+
+ - name: Synchronize local development OSA repository to XCI paths
+ # command module is much faster than the copy module
+ synchronize:
+ src: "{{ openstack_osa_dev_path }}"
+ dest: "{{ xci_cache }}/repos/openstack-ansible"
+ recursive: yes
+ delete: yes
when:
+ - openstack_osa_dev_path != ""
- installer_type == "osa"
- name: Configure SSH key for local user