Diffstat (limited to 'xci')
-rwxr-xr-xxci/infra/bifrost/scripts/bifrost-provision.sh6
-rwxr-xr-xxci/installer/kubespray/deploy.sh6
-rw-r--r--xci/installer/kubespray/playbooks/configure-opnfvhost.yml27
-rw-r--r--xci/installer/kubespray/playbooks/configure-targethosts.yml8
-rw-r--r--xci/installer/osa/playbooks/configure-opnfvhost.yml72
-rw-r--r--xci/installer/osa/playbooks/configure-targethosts.yml32
-rw-r--r--xci/playbooks/configure-localhost.yml36
-rw-r--r--xci/playbooks/get-opnfv-scenario-requirements.yml2
-rw-r--r--xci/playbooks/manage-ssh-keys.yml47
-rw-r--r--xci/playbooks/manage-ssl-certs.yml32
10 files changed, 123 insertions, 145 deletions
diff --git a/xci/infra/bifrost/scripts/bifrost-provision.sh b/xci/infra/bifrost/scripts/bifrost-provision.sh
index 2b849e34..f653a2fd 100755
--- a/xci/infra/bifrost/scripts/bifrost-provision.sh
+++ b/xci/infra/bifrost/scripts/bifrost-provision.sh
@@ -100,8 +100,10 @@ if [[ -e ${XCI_PATH}/deployment_image.qcow2 ]]; then
sudo mv ${XCI_PATH}/deployment_image.qcow2* /httpboot/
fi
-# Install missing dependencies
-pip install -q --upgrade -r "$(dirname $0)/../requirements.txt"
+# Install missing dependencies. Use sudo since for bifrost jobs
+# the venv is not ready yet.
+[[ -n ${VIRTUAL_ENV:-} ]] && _sudo="" || _sudo="sudo -H -E"
+${_sudo} pip install -q --upgrade -r "$(dirname $0)/../requirements.txt"
# Change working directory
cd $BIFROST_HOME/playbooks
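Review bot: `sudo -H -E pip install --upgrade -r …` runs pip as root with the caller's entire environment preserved, so PYTHONPATH, PIP_INDEX_URL/PIP_EXTRA_INDEX_URL and similar values from the invoking shell decide what root writes into the system site-packages, and `--upgrade` can replace distro-managed packages there. If `-E` exists only to carry the proxy variables through, pass just those (`_sudo="sudo -H --preserve-env=http_proxy,https_proxy,no_proxy"`, sudo ≥ 1.8.21), or better, create the venv before this step since the comment says it is merely "not ready yet". Also quote `$0` in `"$(dirname "$0")/../requirements.txt"` so a checkout path containing spaces does not split the argument.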
diff --git a/xci/installer/kubespray/deploy.sh b/xci/installer/kubespray/deploy.sh
index 364ee2b6..5136f5a8 100755
--- a/xci/installer/kubespray/deploy.sh
+++ b/xci/installer/kubespray/deploy.sh
@@ -91,10 +91,12 @@ echo "-----------------------------------------------------------------------"
echo "Info: Kubernetes installation is successfully completed!"
echo "-----------------------------------------------------------------------"
-# Configure the kubernetes authentication in opnfv host.
+# Configure the kubernetes authentication in opnfv host. In future releases
+# kubectl is no longer an artifact so we should not fail if it's not available.
+# This needs to be removed in the future
ssh root@$OPNFV_HOST_IP "mkdir -p ~/.kube/;\
cp -f ~/admin.conf ~/.kube/config; \
- cp -f ~/kubectl /usr/local/bin"
+ cp -f ~/kubectl /usr/local/bin || true"
echo "Login opnfv host ssh root@$OPNFV_HOST_IP
according to the user-guide to create a service
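Review bot: `|| true` on `cp -f ~/kubectl /usr/local/bin` silences every failure of that copy (permission denied, read-only filesystem, a truncated binary), not only the "kubectl is no longer an artifact" case the comment describes. Test for the file instead so real errors still fail the deploy: `if [ -f ~/kubectl ]; then cp -f ~/kubectl /usr/local/bin; fi`. The same remote command places the cluster-admin kubeconfig at ~/.kube/config with whatever mode ~/admin.conf carries; that is pre-existing behavior, but a `chmod 600 ~/.kube/config` after the copy is cheap.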
diff --git a/xci/installer/kubespray/playbooks/configure-opnfvhost.yml b/xci/installer/kubespray/playbooks/configure-opnfvhost.yml
index eed814ba..f4a0602d 100644
--- a/xci/installer/kubespray/playbooks/configure-opnfvhost.yml
+++ b/xci/installer/kubespray/playbooks/configure-opnfvhost.yml
@@ -30,18 +30,6 @@
recursive: yes
delete: yes
- - name: generate SSH keys
- command: ssh-keygen -b 2048 -t rsa -f /root/.ssh/id_rsa -q -N ""
- args:
- creates: /root/.ssh/id_rsa
- - name: add id_rsa.pub to authorized_keys
- shell: cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys
- when: xci_flavor == 'aio'
- - name: fetch public key
- fetch:
- src: "{{ ansible_env.HOME }}/.ssh/id_rsa.pub"
- dest: "{{ xci_path }}/xci/files/authorized_keys"
- flat: yes
- name: delete the opnfv_inventory directory
file:
path: "{{ remote_xci_path }}/.cache/repos/kubespray/opnfv_inventory"
@@ -59,7 +47,7 @@
command: "cp -rf {{ remote_xci_path }}/xci/installer/kubespray/files/k8s-cluster.yml \
{{ remote_xci_path }}/.cache/repos/kubespray/opnfv_inventory/group_vars"
args:
- creates: "{{ remote_xci_path }}/.cache/repos/kubespray/opnfv_inventory/group_vars"
+ creates: "{{ remote_xci_path }}/.cache/repos/kubespray/opnfv_inventory/group_vars/k8s-cluster.yml"
- name: Install required packages
package:
name: "{{ kube_require_packages[ansible_pkg_mgr] }}"
@@ -78,13 +66,8 @@
name: ansible
version: "{{ xci_kube_ansible_pip_version }}"
+ - name: Configure SSL certificates
+ include_tasks: "{{ xci_path }}/xci/playbooks/manage-ssl-certs.yml"
-- hosts: localhost
- remote_user: root
- vars_files:
- - "{{ xci_path }}/xci/var/opnfv.yml"
- tasks:
- - name: Append public keys to authorized_keys
- shell: "/bin/cat {{ ansible_env.HOME }}/.ssh/id_rsa.pub >> {{ xci_path }}/xci/files/authorized_keys"
- args:
- creates: "{{ xci_path }}/xci/files/authorized_keys"
+ - name: Manage SSH keys
+ include_tasks: "{{ xci_path }}/xci/playbooks/manage-ssh-keys.yml"
diff --git a/xci/installer/kubespray/playbooks/configure-targethosts.yml b/xci/installer/kubespray/playbooks/configure-targethosts.yml
index d89cd334..dd7024fb 100644
--- a/xci/installer/kubespray/playbooks/configure-targethosts.yml
+++ b/xci/installer/kubespray/playbooks/configure-targethosts.yml
@@ -2,10 +2,8 @@
- hosts: all
remote_user: root
tasks:
- - name: add public key to host
- copy:
- src: "{{ xci_path }}/xci/files/authorized_keys"
- dest: /root/.ssh/authorized_keys
+ - name: Manage SSH keys
+ include_tasks: "{{ xci_path }}/xci/playbooks/manage-ssh-keys.yml"
- name: Install required packages
package:
name: "{{ kube_require_packages[ansible_pkg_mgr] }}"
@@ -25,4 +23,6 @@
when: xci_flavor == 'ha'
- role: "haproxy_server"
haproxy_service_configs: "{{ haproxy_default_services}}"
+ haproxy_user_ssl_cert: "/etc/ssl/certs/xci.crt"
+ haproxy_user_ssl_key: "/etc/ssl/private/xci.key"
when: xci_flavor == 'ha'
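Review bot: `haproxy_user_ssl_cert`/`haproxy_user_ssl_key` now point at /etc/ssl/certs/xci.crt and /etc/ssl/private/xci.key, but this targethosts play includes only manage-ssh-keys.yml, not manage-ssl-certs.yml, so those files exist only where the opnfv-host play generated them. If the haproxy_server role reads these paths on the deployment host and copies them to the HA nodes this works; if it expects them on the target host itself, the role will fail or serve no certificate — worth confirming against the role's variable documentation and recording in a comment, e.g. `# paths on the deployment (opnfv) host, generated by manage-ssl-certs.yml`. Either way the served certificate is self-signed, so API clients must be pointed at xci.crt explicitly rather than told to skip verification.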
diff --git a/xci/installer/osa/playbooks/configure-opnfvhost.yml b/xci/installer/osa/playbooks/configure-opnfvhost.yml
index 11957cdc..f12f831c 100644
--- a/xci/installer/osa/playbooks/configure-opnfvhost.yml
+++ b/xci/installer/osa/playbooks/configure-opnfvhost.yml
@@ -43,15 +43,6 @@
proxy_settings_no_proxy: "{{ lookup('env','no_proxy') }}"
tasks:
- - name: Configure SSH key for root user
- user:
- name: root
- generate_ssh_key: yes
- ssh_key_bits: 2048
- ssh_key_comment: xci
- ssh_key_type: rsa
- state: present
-
- name: Copy releng-xci to remote host
synchronize:
src: "{{ xci_path }}/"
@@ -92,9 +83,9 @@
- { src: "{{ remote_xci_path }}/xci/installer/osa/files/cinder.yml", dest: "{{ openstack_osa_etc_path }}/env.d" }
- { src: "{{ remote_xci_path }}/xci/installer/osa/files/user_variables_proxy.yml", dest: "{{ openstack_osa_etc_path }}/user_variables_proxy.yml", cond: "{{ lookup('env', 'http_proxy') != '' }}" }
- { src: "{{ remote_xci_path }}/xci/installer/osa/files/setup-openstack.yml", dest: "{{ openstack_osa_path }}/playbooks" }
- - { src: "{{ remote_xci_path }}/xci/installer/osa/files/ansible-role-requirements.yml", dest: "{{openstack_osa_path}}/ansible-role-requirements.yml", cond: openstack_osa_version != "master" }
- - { src: "{{ remote_xci_path }}/xci/installer/osa/files/global-requirement-pins.txt", dest: "{{openstack_osa_path}}/global-requirement-pins.txt", cond: openstack_osa_version != "master" }
- - { src: "{{ remote_xci_path }}/xci/installer/osa/files/openstack_services.yml", dest: "{{ openstack_osa_path }}/playbooks/defaults/repo_packages/openstack_services.yml", cond: openstack_osa_version != "master" }
+ - { src: "{{ remote_xci_path }}/xci/installer/osa/files/ansible-role-requirements.yml", dest: "{{openstack_osa_path}}/ansible-role-requirements.yml", cond: "{{ openstack_osa_version != 'master' }}" }
+ - { src: "{{ remote_xci_path }}/xci/installer/osa/files/global-requirement-pins.txt", dest: "{{openstack_osa_path}}/global-requirement-pins.txt", cond: "{{ openstack_osa_version != 'master' }}" }
+ - { src: "{{ remote_xci_path }}/xci/installer/osa/files/openstack_services.yml", dest: "{{ openstack_osa_path }}/playbooks/defaults/repo_packages/openstack_services.yml", cond: "{{ openstack_osa_version != 'master' }}" }
when: item.cond is not defined or (item.cond is defined and item.cond | bool)
loop_control:
label: "{{ item.src }}"
@@ -118,8 +109,12 @@
- lookup('env','http_proxy') != ""
- include: "{{ xci_path }}/xci/playbooks/bootstrap-scenarios.yml"
+
- name: bootstrap ansible on opnfv host
command: "/bin/bash ./scripts/bootstrap-ansible.sh"
+ args:
+ creates: "/usr/local/bin/openstack-ansible"
+
changed_when: True
args:
chdir: "{{openstack_osa_path}}"
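Review bot: The added `args:` / `creates: "/usr/local/bin/openstack-ansible"` introduces a second `args` key in the same task, because the task already has `args:` / `chdir:` three lines below; a YAML mapping cannot hold duplicate keys and Ansible's loader keeps only the last one (warning by default), so `creates` is silently dropped and bootstrap-ansible.sh keeps re-running on every deploy. Merge them into one mapping: `args:` / `  chdir: "{{openstack_osa_path}}"` / `  creates: /usr/local/bin/openstack-ansible`. Once `creates` is honored, check how the remaining `changed_when: True` reports on the skipped run.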
@@ -157,30 +152,12 @@
args:
chdir: "{{openstack_osa_path}}/scripts"
changed_when: True
- - name: check if certificate directory /etc/ssl/certs exists already
- stat: path=/etc/ssl/certs
- register: check_etc_ssl_certs
- - name: create certificate directory /etc/ssl/certs
- file:
- path: "/etc/ssl/certs"
- state: directory
- when: check_etc_ssl_certs.stat.exists == false
- - name: create key directory /etc/ssl/private
- file:
- path: "/etc/ssl/private"
- state: directory
- - name: copy certificate to /etc/ssl/certs
- copy:
- src: "/etc/ssl/certs/xci.crt"
- dest: "/etc/ssl/certs/"
- - name: read remote key from /etc/ssl/private
- set_fact:
- xci_ssl_key: "{{ lookup('pipe', 'sudo cat /etc/ssl/private/xci.key' ) }}"
- - name: copy key to /etc/ssl/private
- copy:
- content: "{{ xci_ssl_key }}"
- dest: "/etc/ssl/private/xci.key"
- become: true
+
+ - name: Configure SSL certificates
+ include_tasks: "{{ xci_path }}/xci/playbooks/manage-ssl-certs.yml"
+ vars:
+ extra_args: "-c https://raw.githubusercontent.com/openstack/requirements/{{ requirements_git_install_branch }}/upper-constraints.txt"
+
- name: fetch xci environment
copy:
src: "{{ xci_path }}/.cache/xci.env"
@@ -206,24 +183,5 @@
dest: "{{ xci_path }}/.cache/openrc"
flat: true
- - name: Determine local user
- become: no
- local_action: command whoami
- changed_when: False
- register: _ansible_user
-
- - name: Fetch local SSH key
- delegate_to: localhost
- become: no
- slurp:
- src: "/home/{{ _ansible_user.stdout }}/.ssh/id_rsa.pub"
- register: _local_ssh_key
-
- - name: Configure OPNFV authorized_keys file
- authorized_key:
- exclusive: yes
- user: root
- state: present
- manage_dir: yes
- comment: "{{ _ansible_user.stdout }} key"
- key: "{{ _local_ssh_key['content'] | b64decode }}"
+ - name: Manage SSH keys
+ include_tasks: "{{ xci_path }}/xci/playbooks/manage-ssh-keys.yml"
diff --git a/xci/installer/osa/playbooks/configure-targethosts.yml b/xci/installer/osa/playbooks/configure-targethosts.yml
index b76a5950..cb817cfc 100644
--- a/xci/installer/osa/playbooks/configure-targethosts.yml
+++ b/xci/installer/osa/playbooks/configure-targethosts.yml
@@ -33,33 +33,5 @@
- xci_ceph_enabled == "true"
- "'compute' in group_names"
tasks:
- - name: Determine local user
- become: no
- local_action: command whoami
- changed_when: False
- register: _ansible_user
-
- - name: Fetch local SSH key
- delegate_to: localhost
- become: no
- slurp:
- src: "/home/{{ _ansible_user.stdout }}/.ssh/id_rsa.pub"
- register: _local_ssh_key
-
- - name: Fetch OPNFV SSH key
- delegate_to: opnfv
- slurp:
- src: "{{ ansible_env.HOME }}/.ssh/id_rsa.pub"
- register: _opnfv_ssh_key
-
- - name: "Configure {{ inventory_hostname }} authorized_keys file"
- authorized_key:
- exclusive: "{{ item.exclusive }}"
- user: root
- state: present
- manage_dir: yes
- key: "{{ item.key }}"
- comment: "{{ item.comment }}"
- with_items:
- - { key: "{{ _local_ssh_key['content'] | b64decode }}", comment: "{{ _ansible_user.stdout }} key", exclusive: yes }
- - { key: "{{ _opnfv_ssh_key['content'] | b64decode }}", comment: "opnfv host key", exclusive: no }
+ - name: Manage SSH keys
+ include_tasks: "{{ xci_path }}/xci/playbooks/manage-ssh-keys.yml"
diff --git a/xci/playbooks/configure-localhost.yml b/xci/playbooks/configure-localhost.yml
index 1f010528..5f091c92 100644
--- a/xci/playbooks/configure-localhost.yml
+++ b/xci/playbooks/configure-localhost.yml
@@ -69,34 +69,16 @@
path: "{{log_path}}"
state: directory
recurse: no
- - block:
- - name: check if certificate directory /etc/ssl/certs exists already
- stat: path=/etc/ssl/certs
- register: check_etc_ssl_certs
- - name: create certificate directory /etc/ssl/certs
- become: true
- file:
- path: "/etc/ssl/certs"
- state: directory
- when: check_etc_ssl_certs.stat.exists == false
- - name: create key directory /etc/ssl/private
- become: true
- file:
- path: "/etc/ssl/private"
- state: directory
- - name: generate self signed certificate
- command: openssl req -new -nodes -x509 -subj "{{ xci_ssl_subject }}" -days 3650 -keyout "/etc/ssl/private/xci.key" -out "/etc/ssl/certs/xci.crt" -extensions v3_ca
- become: true
- - name: Synchronize local development OSA repository to XCI paths
- # command module is much faster than the copy module
- synchronize:
- src: "{{ openstack_osa_dev_path }}"
- dest: "{{ xci_cache }}/repos/openstack-ansible"
- recursive: yes
- delete: yes
- when:
- - openstack_osa_dev_path != ""
+
+ - name: Synchronize local development OSA repository to XCI paths
+ # command module is much faster than the copy module
+ synchronize:
+ src: "{{ openstack_osa_dev_path }}"
+ dest: "{{ xci_cache }}/repos/openstack-ansible"
+ recursive: yes
+ delete: yes
when:
+ - openstack_osa_dev_path != ""
- installer_type == "osa"
- name: Configure SSH key for local user
diff --git a/xci/playbooks/get-opnfv-scenario-requirements.yml b/xci/playbooks/get-opnfv-scenario-requirements.yml
index f37de61a..af97ceb2 100644
--- a/xci/playbooks/get-opnfv-scenario-requirements.yml
+++ b/xci/playbooks/get-opnfv-scenario-requirements.yml
@@ -80,7 +80,7 @@
dest: "{{ role_path_default }}/{{ item.item.role | basename }}"
archive: no
times: no
- recurse: yes
+ recursive: yes
checksum: yes
owner: yes
group: yes
diff --git a/xci/playbooks/manage-ssh-keys.yml b/xci/playbooks/manage-ssh-keys.yml
new file mode 100644
index 00000000..ff797aad
--- /dev/null
+++ b/xci/playbooks/manage-ssh-keys.yml
@@ -0,0 +1,47 @@
+# SPDX-license-identifier: Apache-2.0
+##############################################################################
+# Copyright (c) 2018 SUSE Linux GmbH and others.
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+##############################################################################
+- name: Configure SSH key for root user
+ user:
+ name: root
+ generate_ssh_key: yes
+ ssh_key_bits: 2048
+ ssh_key_comment: xci
+ ssh_key_type: rsa
+ state: present
+
+- name: Determine local user
+ become: no
+ local_action: command whoami
+ changed_when: False
+ register: _ansible_user
+
+- name: Fetch local SSH key
+ delegate_to: localhost
+ become: no
+ slurp:
+ src: "/home/{{ _ansible_user.stdout }}/.ssh/id_rsa.pub"
+ register: _local_ssh_key
+
+- name: Fetch OPNFV SSH key
+ delegate_to: opnfv
+ slurp:
+ src: "{{ ansible_env.HOME }}/.ssh/id_rsa.pub"
+ register: _opnfv_ssh_key
+
+- name: "Configure {{ inventory_hostname }} authorized_keys file"
+ authorized_key:
+ exclusive: "{{ item.exclusive }}"
+ user: root
+ state: present
+ manage_dir: yes
+ key: "{{ item.key }}"
+ comment: "{{ item.comment }}"
+ with_items:
+ - { key: "{{ _local_ssh_key['content'] | b64decode }}", comment: "{{ _ansible_user.stdout }} key", exclusive: yes }
+ - { key: "{{ _opnfv_ssh_key['content'] | b64decode }}", comment: "opnfv host key", exclusive: no }
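Review bot: `exclusive: yes` on the first `authorized_key` item replaces root's entire authorized_keys with the local user's key, removing any pre-existing operator, bastion or CI keys on the opnfv host and on every target host this file is included for; because the opnfv key is only added by the second item, each run likely strips it and re-adds it, reporting changed every time. If the wipe is intended, say so: `# exclusive: replaces all existing root keys with the deployer's key; the opnfv host key is re-added below`; otherwise use `exclusive: no` on both items. `src: "/home/{{ _ansible_user.stdout }}/.ssh/id_rsa.pub"` assumes a /home-rooted home directory and an RSA key; `src: "{{ lookup('env', 'HOME') }}/.ssh/id_rsa.pub"` removes the first assumption. The `Fetch OPNFV SSH key` task is delegated to `opnfv`, so this file can only be included from plays whose inventory contains that host — worth stating in a comment at the top of the file.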
diff --git a/xci/playbooks/manage-ssl-certs.yml b/xci/playbooks/manage-ssl-certs.yml
new file mode 100644
index 00000000..d0c5c518
--- /dev/null
+++ b/xci/playbooks/manage-ssl-certs.yml
@@ -0,0 +1,32 @@
+# SPDX-license-identifier: Apache-2.0
+##############################################################################
+# Copyright (c) 2018 SUSE Linux GmbH and others.
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+##############################################################################
+- name: Install required pip packages for SSL
+ pip:
+ name: pyOpenSSL
+ state: present
+ extra_args: "{{ extra_args | default(omit) }}"
+
+- name: Generate XCI private key
+ openssl_privatekey:
+ path: /etc/ssl/private/xci.key
+ size: 2048
+
+- name: Generate XCI certificate request
+ openssl_csr:
+ privatekey_path: /etc/ssl/private/xci.key
+ path: /etc/ssl/private/xci.csr
+ common_name: "{{ xci_ssl_subject }}"
+
+- name: Generate XCI self signed certificate
+ openssl_certificate:
+ path: /etc/ssl/certs/xci.crt
+ privatekey_path: /etc/ssl/private/xci.key
+ csr_path: /etc/ssl/private/xci.csr
+ provider: selfsigned
+ selfsigned_not_after: 20800101000000Z
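Review bot: `common_name: "{{ xci_ssl_subject }}"` puts the whole variable into the CN, whereas the removed `openssl req -subj "{{ xci_ssl_subject }}"` in configure-localhost.yml treated it as a full `/C=…/CN=…` subject string; unless the variable's definition was changed alongside (it is outside this diff), the certificate's CN becomes that literal string and will never match a hostname. Either split the subject into `openssl_csr`'s fields (`country_name`, `organization_name`, `common_name`, plus `subject_alt_name` for the endpoint) or redefine `xci_ssl_subject` as a bare CN and document that next to the variable. The removed tasks also created /etc/ssl/certs and /etc/ssl/private when absent; nothing here does, so key generation fails on an image lacking /etc/ssl/private, and `openssl_privatekey` gets no explicit `mode`, leaving the key's permissions to the module default — set both explicitly. `selfsigned_not_after: 20800101000000Z` swaps the previous 10-year validity for roughly 62 years; a comment explaining why a near-perpetual self-signed certificate is acceptable here, or a shorter validity, would avoid surprise.
```yaml
# … unchanged: Install required pip packages for SSL …

- name: Ensure certificate and key directories exist
  file:
    path: "{{ item }}"
    state: directory
  with_items:
    - /etc/ssl/certs
    - /etc/ssl/private

- name: Generate XCI private key
  openssl_privatekey:
    path: /etc/ssl/private/xci.key
    size: 2048
    mode: "0600"

# … unchanged: CSR and self-signed certificate tasks …
```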