diff options
| -rw-r--r-- | xci/files/install-lib.sh | 2 | ||||
| -rw-r--r-- | xci/installer/kubespray/playbooks/configure-opnfvhost.yml | 24 | ||||
| -rw-r--r-- | xci/installer/kubespray/playbooks/configure-targethosts.yml | 8 | ||||
| -rw-r--r-- | xci/installer/osa/playbooks/configure-opnfvhost.yml | 29 | ||||
| -rw-r--r-- | xci/playbooks/manage-ssl-certs.yml | 32 |
5 files changed, 48 insertions, 47 deletions
diff --git a/xci/files/install-lib.sh b/xci/files/install-lib.sh index 92d1f065..a01e7e01 100644 --- a/xci/files/install-lib.sh +++ b/xci/files/install-lib.sh @@ -22,7 +22,7 @@ function install_ansible() { declare -A PKG_MAP # workaround: for latest bindep to work, it needs to use en_US local - export LANG=c + export LANG="C" CHECK_CMD_PKGS=( gcc diff --git a/xci/installer/kubespray/playbooks/configure-opnfvhost.yml b/xci/installer/kubespray/playbooks/configure-opnfvhost.yml index a4bdbf07..f4a0602d 100644 --- a/xci/installer/kubespray/playbooks/configure-opnfvhost.yml +++ b/xci/installer/kubespray/playbooks/configure-opnfvhost.yml @@ -30,18 +30,6 @@ recursive: yes delete: yes - - name: generate SSH keys - command: ssh-keygen -b 2048 -t rsa -f /root/.ssh/id_rsa -q -N "" - args: - creates: /root/.ssh/id_rsa - - name: add id_rsa.pub to authorized_keys - shell: cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys - when: xci_flavor == 'aio' - - name: fetch public key - fetch: - src: "{{ ansible_env.HOME }}/.ssh/id_rsa.pub" - dest: "{{ xci_path }}/xci/files/authorized_keys" - flat: yes - name: delete the opnfv_inventory directory file: path: "{{ remote_xci_path }}/.cache/repos/kubespray/opnfv_inventory" @@ -78,12 +66,8 @@ name: ansible version: "{{ xci_kube_ansible_pip_version }}" + - name: Configure SSL certificates + include_tasks: "{{ xci_path }}/xci/playbooks/manage-ssl-certs.yml" -- hosts: localhost - remote_user: root - vars_files: - - "{{ xci_path }}/xci/var/opnfv.yml" - tasks: - - name: Append public keys to authorized_keys - shell: "/bin/cat {{ ansible_env.HOME }}/.ssh/id_rsa.pub >> {{ xci_path }}/xci/files/authorized_keys" - changed_when: True + - name: Manage SSH keys + include_tasks: "{{ xci_path }}/xci/playbooks/manage-ssh-keys.yml" diff --git a/xci/installer/kubespray/playbooks/configure-targethosts.yml b/xci/installer/kubespray/playbooks/configure-targethosts.yml index d89cd334..dd7024fb 100644 --- a/xci/installer/kubespray/playbooks/configure-targethosts.yml +++ b/xci/installer/kubespray/playbooks/configure-targethosts.yml @@ -2,10 +2,8 @@ - hosts: all remote_user: root tasks: - - name: add public key to host - copy: - src: "{{ xci_path }}/xci/files/authorized_keys" - dest: /root/.ssh/authorized_keys + - name: Manage SSH keys + include_tasks: "{{ xci_path }}/xci/playbooks/manage-ssh-keys.yml" - name: Install required packages package: name: "{{ kube_require_packages[ansible_pkg_mgr] }}" @@ -25,4 +23,6 @@ when: xci_flavor == 'ha' - role: "haproxy_server" haproxy_service_configs: "{{ haproxy_default_services}}" + haproxy_user_ssl_cert: "/etc/ssl/certs/xci.crt" + haproxy_user_ssl_key: "/etc/ssl/private/xci.key" when: xci_flavor == 'ha' diff --git a/xci/installer/osa/playbooks/configure-opnfvhost.yml b/xci/installer/osa/playbooks/configure-opnfvhost.yml index 35b17e55..f12f831c 100644 --- a/xci/installer/osa/playbooks/configure-opnfvhost.yml +++ b/xci/installer/osa/playbooks/configure-opnfvhost.yml @@ -83,9 +83,9 @@ - { src: "{{ remote_xci_path }}/xci/installer/osa/files/cinder.yml", dest: "{{ openstack_osa_etc_path }}/env.d" } - { src: "{{ remote_xci_path }}/xci/installer/osa/files/user_variables_proxy.yml", dest: "{{ openstack_osa_etc_path }}/user_variables_proxy.yml", cond: "{{ lookup('env', 'http_proxy') != '' }}" } - { src: "{{ remote_xci_path }}/xci/installer/osa/files/setup-openstack.yml", dest: "{{ openstack_osa_path }}/playbooks" } - - { src: "{{ remote_xci_path }}/xci/installer/osa/files/ansible-role-requirements.yml", dest: "{{openstack_osa_path}}/ansible-role-requirements.yml", cond: openstack_osa_version != "master" } - - { src: "{{ remote_xci_path }}/xci/installer/osa/files/global-requirement-pins.txt", dest: "{{openstack_osa_path}}/global-requirement-pins.txt", cond: openstack_osa_version != "master" } - - { src: "{{ remote_xci_path }}/xci/installer/osa/files/openstack_services.yml", dest: "{{ openstack_osa_path }}/playbooks/defaults/repo_packages/openstack_services.yml", cond: openstack_osa_version != "master" } + - { src: "{{ remote_xci_path }}/xci/installer/osa/files/ansible-role-requirements.yml", dest: "{{openstack_osa_path}}/ansible-role-requirements.yml", cond: "{{ openstack_osa_version != 'master' }}" } + - { src: "{{ remote_xci_path }}/xci/installer/osa/files/global-requirement-pins.txt", dest: "{{openstack_osa_path}}/global-requirement-pins.txt", cond: "{{ openstack_osa_version != 'master' }}" } + - { src: "{{ remote_xci_path }}/xci/installer/osa/files/openstack_services.yml", dest: "{{ openstack_osa_path }}/playbooks/defaults/repo_packages/openstack_services.yml", cond: "{{ openstack_osa_version != 'master' }}" } when: item.cond is not defined or (item.cond is defined and item.cond | bool) loop_control: label: "{{ item.src }}" @@ -127,7 +127,6 @@ - pyyaml - python-neutronclient - python-openstackclient - - pyOpenSSL - name: Install ARA callback plugin in OSA virtualenv pip: name: ara @@ -154,24 +153,10 @@ chdir: "{{openstack_osa_path}}/scripts" changed_when: True - - name: Generate XCI private key - openssl_privatekey: - path: /etc/ssl/private/xci.key - size: 2048 - - - name: Generate XCI certificate request - openssl_csr: - privatekey_path: /etc/ssl/private/xci.key - path: /etc/ssl/private/xci.csr - common_name: "{{ xci_ssl_subject }}" - - - name: Generate XCI self signed certificate - openssl_certificate: - path: /etc/ssl/certs/xci.crt - privatekey_path: /etc/ssl/private/xci.key - csr_path: /etc/ssl/private/xci.csr - provider: selfsigned - selfsigned_not_after: 20800101000000Z + - name: Configure SSL certificates + include_tasks: "{{ xci_path }}/xci/playbooks/manage-ssl-certs.yml" + vars: + extra_args: "-c https://raw.githubusercontent.com/openstack/requirements/{{ requirements_git_install_branch }}/upper-constraints.txt" - name: fetch xci environment copy: diff --git a/xci/playbooks/manage-ssl-certs.yml b/xci/playbooks/manage-ssl-certs.yml new file mode 100644 index 00000000..d0c5c518 --- /dev/null +++ b/xci/playbooks/manage-ssl-certs.yml @@ -0,0 +1,32 @@ +# SPDX-license-identifier: Apache-2.0 +############################################################################## +# Copyright (c) 2018 SUSE Linux GmbH and others. +# All rights reserved. This program and the accompanying materials +# are made available under the terms of the Apache License, Version 2.0 +# which accompanies this distribution, and is available at +# http://www.apache.org/licenses/LICENSE-2.0 +############################################################################## +- name: Install required pip packages for SSL + pip: + name: pyOpenSSL + state: present + extra_args: "{{ extra_args | default(omit) }}" + +- name: Generate XCI private key + openssl_privatekey: + path: /etc/ssl/private/xci.key + size: 2048 + +- name: Generate XCI certificate request + openssl_csr: + privatekey_path: /etc/ssl/private/xci.key + path: /etc/ssl/private/xci.csr + common_name: "{{ xci_ssl_subject }}" + +- name: Generate XCI self signed certificate + openssl_certificate: + path: /etc/ssl/certs/xci.crt + privatekey_path: /etc/ssl/private/xci.key + csr_path: /etc/ssl/private/xci.csr + provider: selfsigned + selfsigned_not_after: 20800101000000Z |