From 3cf4e396fe8621afad624f3935ab69e9e082388f Mon Sep 17 00:00:00 2001 From: Markos Chandras Date: Fri, 14 Sep 2018 16:33:11 +0100 Subject: xci: Drop custom XCI certificates OSM requires a CA even when we create a self-signed certificate. We don't actually need to do that since HAproxy and friends can create the whole chain for us, so we can finally get rid of this playbook. installer-type:osa deploy-scenario:os-nosdn-nofeature Change-Id: I14a3adbe3492cd6c562c5167c42dd45756e8e3dd Signed-off-by: Markos Chandras --- xci/config/env-vars | 2 -- .../kubespray/playbooks/configure-opnfvhost.yml | 3 -- .../kubespray/playbooks/configure-targethosts.yml | 2 -- xci/installer/osa/files/ha/user_variables.yml | 2 -- xci/installer/osa/files/mini/user_variables.yml | 2 -- xci/installer/osa/files/noha/user_variables.yml | 2 -- .../osa/playbooks/configure-opnfvhost.yml | 5 ---- xci/playbooks/manage-ssl-certs.yml | 32 ---------------------- .../prepare-tests/templates/run-yardstick.sh.j2 | 2 +- 9 files changed, 1 insertion(+), 51 deletions(-) delete mode 100644 xci/playbooks/manage-ssl-certs.yml diff --git a/xci/config/env-vars b/xci/config/env-vars index e8472a0d..7ab7e2ba 100755 --- a/xci/config/env-vars +++ b/xci/config/env-vars @@ -52,8 +52,6 @@ export LOG_PATH=${LOG_PATH:-${XCI_PATH}/xci/logs} export XCI_ANSIBLE_PIP_VERSION="2.5.8" export ANSIBLE_HOST_KEY_CHECKING=False -# subject of the certificate -export XCI_SSL_SUBJECT=${XCI_SSL_SUBJECT:-"/C=US/ST=California/L=San Francisco/O=IT/CN=xci.releng.opnfv.org"} export DEPLOY_SCENARIO=${DEPLOY_SCENARIO:-"os-nosdn-nofeature"} # attempt to sync Ansible version used by Kubespray with the rest export XCI_KUBE_ANSIBLE_PIP_VERSION=$XCI_ANSIBLE_PIP_VERSION diff --git a/xci/installer/kubespray/playbooks/configure-opnfvhost.yml b/xci/installer/kubespray/playbooks/configure-opnfvhost.yml index 11866bd3..82ece961 100644 --- a/xci/installer/kubespray/playbooks/configure-opnfvhost.yml 
+++ b/xci/installer/kubespray/playbooks/configure-opnfvhost.yml @@ -100,9 +100,6 @@ - { name: 'netaddr' } - { name: 'ansible-modules-hashivault' } - - name: Configure SSL certificates - include_tasks: "{{ xci_path }}/xci/playbooks/manage-ssl-certs.yml" - - name: fetch xci environment copy: src: "{{ xci_path }}/.cache/xci.env" diff --git a/xci/installer/kubespray/playbooks/configure-targethosts.yml b/xci/installer/kubespray/playbooks/configure-targethosts.yml index 7989bfb6..859460c6 100644 --- a/xci/installer/kubespray/playbooks/configure-targethosts.yml +++ b/xci/installer/kubespray/playbooks/configure-targethosts.yml @@ -37,6 +37,4 @@ when: xci_flavor == 'ha' - role: "haproxy_server" haproxy_service_configs: "{{ haproxy_default_services}}" - haproxy_user_ssl_cert: "/etc/ssl/certs/xci.crt" - haproxy_user_ssl_key: "/etc/ssl/private/xci.key" when: xci_flavor == 'ha' diff --git a/xci/installer/osa/files/ha/user_variables.yml b/xci/installer/osa/files/ha/user_variables.yml index abbe688e..8c2e9f0c 100644 --- a/xci/installer/osa/files/ha/user_variables.yml +++ b/xci/installer/osa/files/ha/user_variables.yml @@ -164,7 +164,5 @@ openrc_os_endpoint_type: "publicURL" openrc_clouds_yml_interface: "public" openrc_region_name: RegionOne openrc_insecure: true -haproxy_user_ssl_cert: "/etc/ssl/certs/xci.crt" -haproxy_user_ssl_key: "/etc/ssl/private/xci.key" keystone_service_adminuri_insecure: true keystone_service_internaluri_insecure: true diff --git a/xci/installer/osa/files/mini/user_variables.yml b/xci/installer/osa/files/mini/user_variables.yml index db956e38..b4d847bc 100644 --- a/xci/installer/osa/files/mini/user_variables.yml +++ b/xci/installer/osa/files/mini/user_variables.yml 
@@ -164,7 +164,5 @@ openrc_os_endpoint_type: "publicURL" openrc_clouds_yml_interface: "public" openrc_region_name: RegionOne openrc_insecure: true -haproxy_user_ssl_cert: "/etc/ssl/certs/xci.crt" -haproxy_user_ssl_key: "/etc/ssl/private/xci.key" keystone_service_adminuri_insecure: true keystone_service_internaluri_insecure: true diff --git a/xci/installer/osa/files/noha/user_variables.yml b/xci/installer/osa/files/noha/user_variables.yml index b9fd2e89..5e7ed83c 100644 --- a/xci/installer/osa/files/noha/user_variables.yml +++ b/xci/installer/osa/files/noha/user_variables.yml @@ -164,7 +164,5 @@ openrc_os_endpoint_type: "publicURL" openrc_clouds_yml_interface: "public" openrc_region_name: RegionOne openrc_insecure: true -haproxy_user_ssl_cert: "/etc/ssl/certs/xci.crt" -haproxy_user_ssl_key: "/etc/ssl/private/xci.key" keystone_service_adminuri_insecure: true keystone_service_internaluri_insecure: true diff --git a/xci/installer/osa/playbooks/configure-opnfvhost.yml b/xci/installer/osa/playbooks/configure-opnfvhost.yml index 994a2607..4fc966a3 100644 --- a/xci/installer/osa/playbooks/configure-opnfvhost.yml +++ b/xci/installer/osa/playbooks/configure-opnfvhost.yml @@ -175,11 +175,6 @@ chdir: "{{openstack_osa_path}}/scripts" changed_when: True - - name: Configure SSL certificates - include_tasks: "{{ xci_path }}/xci/playbooks/manage-ssl-certs.yml" - vars: - extra_args: "-c https://raw.githubusercontent.com/openstack/requirements/{{ requirements_git_install_branch }}/upper-constraints.txt" - - name: fetch xci environment copy: src: "{{ xci_path }}/.cache/xci.env" diff --git a/xci/playbooks/manage-ssl-certs.yml b/xci/playbooks/manage-ssl-certs.yml deleted file mode 100644 index d0c5c518..00000000 --- a/xci/playbooks/manage-ssl-certs.yml +++ /dev/null 
@@ -1,32 +0,0 @@ -# SPDX-license-identifier: Apache-2.0 -############################################################################## -# Copyright (c) 2018 SUSE Linux GmbH and others. -# All rights reserved. This program and the accompanying materials -# are made available under the terms of the Apache License, Version 2.0 -# which accompanies this distribution, and is available at -# http://www.apache.org/licenses/LICENSE-2.0 -############################################################################## -- name: Install required pip packages for SSL - pip: - name: pyOpenSSL - state: present - extra_args: "{{ extra_args | default(omit) }}" - -- name: Generate XCI private key - openssl_privatekey: - path: /etc/ssl/private/xci.key - size: 2048 - -- name: Generate XCI certificate request - openssl_csr: - privatekey_path: /etc/ssl/private/xci.key - path: /etc/ssl/private/xci.csr - common_name: "{{ xci_ssl_subject }}" - -- name: Generate XCI self signed certificate - openssl_certificate: - path: /etc/ssl/certs/xci.crt - privatekey_path: /etc/ssl/private/xci.key - csr_path: /etc/ssl/private/xci.csr - provider: selfsigned - selfsigned_not_after: 20800101000000Z diff --git a/xci/playbooks/roles/prepare-tests/templates/run-yardstick.sh.j2 b/xci/playbooks/roles/prepare-tests/templates/run-yardstick.sh.j2 index 1cb43be2..6a7fd8be 100644 --- a/xci/playbooks/roles/prepare-tests/templates/run-yardstick.sh.j2 +++ b/xci/playbooks/roles/prepare-tests/templates/run-yardstick.sh.j2 @@ -22,7 +22,7 @@ DEPLOY_SCENARIO="k8-nosdn-nofeature-noha" rc_file_vol="-v /root/admin.conf:/etc/yardstick/admin.conf" {% endif %} -OS_CACERT="/etc/ssl/certs/xci.crt" +OS_CACERT="/etc/ssl/certs/haproxy.cert" DOCKER_IMAGE_NAME="opnfv/yardstick" YARDSTICK_SCENARIO_SUITE_NAME="opnfv_${DEPLOY_SCENARIO}_daily.yaml" -- cgit 1.2.3-korg
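Review bot: The new `OS_CACERT="/etc/ssl/certs/haproxy.cert"` line in run-yardstick.sh.j2 hard-codes a path that nothing in this commit defines. It presumably matches the default location where the haproxy_server role writes its self-generated certificate, so an override or a change of that default would leave Yardstick pointing at a missing trust anchor and TLS verification would fail. The assignment also sits after the `{% endif %}`, so it is rendered for every scenario, while the configure-targethosts.yml hunk shows haproxy_server running only `when: xci_flavor == 'ha'` on the Kubespray side; whether the file exists on the host that runs this script in the other cases is not visible here and should be confirmed. I would at least add a comment above the line, such as `# Self-signed certificate generated by the haproxy_server role; keep in sync with that role's certificate path`, and preferably render the path from the same Ansible variable the role uses. The template continues outside the hunk.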