From cc583f30f881ba956fb4f1402aa4dd1608b27da2 Mon Sep 17 00:00:00 2001
From: Markos Chandras
Date: Tue, 28 Aug 2018 14:55:28 +0100
Subject: Revert "xci: osa: Disable haproxy ssl configuration"
This reverts commit 42501f0ef7e0f0729b1c780102fb9713ef383fb3. This also removes the entire SSL management code and we let the haproxy_server role generate the certificates for us. We also need to bump the openrc role to include an upstream patch which fixes the openrc template file.
deploy-scenario:os-nosdn-nofeature installer-type:osa
Change-Id: I9bb590c9f1d5bc63519cfb4794dc15f794cc5b07
Signed-off-by: Markos Chandras
---
.../kubespray/playbooks/configure-opnfvhost.yml | 3 --
.../kubespray/playbooks/configure-targethosts.yml | 2 --
.../osa/files/ansible-role-requirements.yml | 3 +-
xci/installer/osa/files/ha/user_variables.yml | 7 ++---
xci/installer/osa/files/mini/user_variables.yml | 7 ++---
xci/installer/osa/files/noha/user_variables.yml | 7 ++---
.../osa/playbooks/configure-opnfvhost.yml | 11 --------
xci/playbooks/manage-ssl-certs.yml | 32 ----------------------
8 files changed, 8 insertions(+), 64 deletions(-)
delete mode 100644 xci/playbooks/manage-ssl-certs.yml
diff --git a/xci/installer/kubespray/playbooks/configure-opnfvhost.yml b/xci/installer/kubespray/playbooks/configure-opnfvhost.yml
index 00a8053f..36104b6c 100644
--- a/xci/installer/kubespray/playbooks/configure-opnfvhost.yml
+++ b/xci/installer/kubespray/playbooks/configure-opnfvhost.yml
@@ -83,9 +83,6 @@ - { name: 'netaddr' } - { name: 'ansible-modules-hashivault' } - - name: Configure SSL certificates - include_tasks: "{{ xci_path }}/xci/playbooks/manage-ssl-certs.yml" - - name: fetch xci environment copy: src: "{{ xci_path }}/.cache/xci.env"
diff --git a/xci/installer/kubespray/playbooks/configure-targethosts.yml b/xci/installer/kubespray/playbooks/configure-targethosts.yml
index 7989bfb6..859460c6 100644
--- a/xci/installer/kubespray/playbooks/configure-targethosts.yml
+++ b/xci/installer/kubespray/playbooks/configure-targethosts.yml
@@ -37,6 +37,4 @@ when: xci_flavor == 'ha' - role: "haproxy_server" haproxy_service_configs: "{{ haproxy_default_services}}" - haproxy_user_ssl_cert: "/etc/ssl/certs/xci.crt" - haproxy_user_ssl_key: "/etc/ssl/private/xci.key" when: xci_flavor == 'ha'
diff --git a/xci/installer/osa/files/ansible-role-requirements.yml b/xci/installer/osa/files/ansible-role-requirements.yml
index 5905dc51..c958a2fc 100644
--- a/xci/installer/osa/files/ansible-role-requirements.yml
+++ b/xci/installer/osa/files/ansible-role-requirements.yml
@@ -64,7 +64,8 @@ - name: openstack_openrc scm: git src: https://git.openstack.org/openstack/openstack-ansible-openstack_openrc - version: 33d59ddb00f27e9a2a3bb816621a55efd1b37ba7 + version: 3b31242d4ecde28ac747dff83568f202112c79bf + refspec: refs/changes/78/598978/2 - name: os_aodh scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_aodh
diff --git a/xci/installer/osa/files/ha/user_variables.yml b/xci/installer/osa/files/ha/user_variables.yml
index c51a6e12..8c2e9f0c 100644
--- a/xci/installer/osa/files/ha/user_variables.yml
+++ b/xci/installer/osa/files/ha/user_variables.yml
@@ -154,7 +154,7 @@ trove_wsgi_processes: 1 sahara_api_workers_max: 2 sahara_api_workers: 1 -openrc_os_auth_url: "http://192.168.122.220:5000/v3" +openrc_os_auth_url: "https://192.168.122.220:5000/v3" keystone_auth_admin_password: "opnfv-secret-password" openrc_os_password: "opnfv-secret-password" openrc_os_domain_name: "Default"
@@ -163,9 +163,6 @@ openrc_nova_endpoint_type: "publicURL" openrc_os_endpoint_type: "publicURL" openrc_clouds_yml_interface: "public" openrc_region_name: RegionOne -haproxy_ssl: false -openstack_service_publicuri_proto: http -haproxy_user_ssl_cert: "/etc/ssl/certs/xci.crt" -haproxy_user_ssl_key: "/etc/ssl/private/xci.key" +openrc_insecure: true keystone_service_adminuri_insecure: true keystone_service_internaluri_insecure: true
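Review bot: The `openstack_openrc` entry in ansible-role-requirements.yml now pins `version` to a commit that is fetched through `refspec: refs/changes/78/598978/2`, a specific patchset of a Gerrit change rather than a commit on a branch, and nothing in the file records why. The full SHA keeps the fetch reproducible, but the refspec suggests the patch had not merged upstream when this was written (inferred from the ref name and the commit message), so the role is installed from code that may still change or be abandoned in review. A comment above the entry would make the pin auditable and removable, for example `# TODO: pinned to in-review change 598978 (openrc template fix); move to a merged SHA and drop refspec once it lands`.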
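Review bot: `openrc_insecure: true`, added in the second hunk of ha/user_variables.yml, disables server certificate verification for clients that use the generated openrc, so the switch to `https://` in `openrc_os_auth_url` encrypts the connection without authenticating the Keystone endpoint. The admin password on the adjacent context lines is therefore still exposed to any host that can impersonate that address. The same two changes appear in mini/user_variables.yml and noha/user_variables.yml. If this is intended only for lab or CI deployments using the certificate that `haproxy_server` generates, state that above the setting, e.g. `# lab/CI only: self-signed haproxy certificate, client verification disabled`. For longer-lived deployments it would be better to distribute the generated certificate to clients (the OpenStack clients accept a CA bundle via `OS_CACERT`) and leave verification on.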
diff --git a/xci/installer/osa/files/mini/user_variables.yml b/xci/installer/osa/files/mini/user_variables.yml
index ef56dd2c..b4d847bc 100644
--- a/xci/installer/osa/files/mini/user_variables.yml
+++ b/xci/installer/osa/files/mini/user_variables.yml
@@ -154,7 +154,7 @@ trove_wsgi_processes: 1 sahara_api_workers_max: 2 sahara_api_workers: 1 -openrc_os_auth_url: "http://192.168.122.3:5000/v3" +openrc_os_auth_url: "https://192.168.122.3:5000/v3" keystone_auth_admin_password: "opnfv-secret-password" openrc_os_password: "opnfv-secret-password" openrc_os_domain_name: "Default"
@@ -163,9 +163,6 @@ openrc_nova_endpoint_type: "publicURL" openrc_os_endpoint_type: "publicURL" openrc_clouds_yml_interface: "public" openrc_region_name: RegionOne -haproxy_ssl: false -openstack_service_publicuri_proto: http -haproxy_user_ssl_cert: "/etc/ssl/certs/xci.crt" -haproxy_user_ssl_key: "/etc/ssl/private/xci.key" +openrc_insecure: true keystone_service_adminuri_insecure: true keystone_service_internaluri_insecure: true
diff --git a/xci/installer/osa/files/noha/user_variables.yml b/xci/installer/osa/files/noha/user_variables.yml
index 4e578819..5e7ed83c 100644
--- a/xci/installer/osa/files/noha/user_variables.yml
+++ b/xci/installer/osa/files/noha/user_variables.yml
@@ -154,7 +154,7 @@ trove_wsgi_processes: 1 sahara_api_workers_max: 2 sahara_api_workers: 1 -openrc_os_auth_url: "http://192.168.122.3:5000/v3" +openrc_os_auth_url: "https://192.168.122.3:5000/v3" keystone_auth_admin_password: "opnfv-secret-password" openrc_os_password: "opnfv-secret-password" openrc_os_domain_name: "Default"
@@ -163,9 +163,6 @@ openrc_nova_endpoint_type: "publicURL" openrc_os_endpoint_type: "publicURL" openrc_clouds_yml_interface: "public" openrc_region_name: RegionOne -haproxy_ssl: false -openstack_service_publicuri_proto: http -haproxy_user_ssl_cert: "/etc/ssl/certs/xci.crt" -haproxy_user_ssl_key: "/etc/ssl/private/xci.key" +openrc_insecure: true keystone_service_adminuri_insecure: true keystone_service_internaluri_insecure: true
diff --git a/xci/installer/osa/playbooks/configure-opnfvhost.yml b/xci/installer/osa/playbooks/configure-opnfvhost.yml
index c92abd97..b3b798d2 100644
--- a/xci/installer/osa/playbooks/configure-opnfvhost.yml
+++ b/xci/installer/osa/playbooks/configure-opnfvhost.yml
@@ -158,11 +158,6 @@ chdir: "{{openstack_osa_path}}/scripts" changed_when: True - - name: Configure SSL certificates - include_tasks: "{{ xci_path }}/xci/playbooks/manage-ssl-certs.yml" - vars: - extra_args: "-c https://raw.githubusercontent.com/openstack/requirements/{{ requirements_git_install_branch }}/upper-constraints.txt" - - name: fetch xci environment copy: src: "{{ xci_path }}/.cache/xci.env"
@@ -176,12 +171,6 @@ include_role: name: "openstack-ansible-openstack_openrc" - - name: add extra insecure flag to generated openrc - blockinfile: - dest: "{{ ansible_env.HOME }}/openrc" - block: | - export OS_INSECURE=true - - name: fetch generated openrc fetch: src: "{{ ansible_env.HOME }}/openrc"
diff --git a/xci/playbooks/manage-ssl-certs.yml b/xci/playbooks/manage-ssl-certs.yml
deleted file mode 100644
index d0c5c518..00000000
--- a/xci/playbooks/manage-ssl-certs.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-# SPDX-license-identifier: Apache-2.0
-##############################################################################
-# Copyright (c) 2018 SUSE Linux GmbH and others.
-# All rights reserved. This program and the accompanying materials
-# are made available under the terms of the Apache License, Version 2.0
-# which accompanies this distribution, and is available at
-# http://www.apache.org/licenses/LICENSE-2.0
-##############################################################################
-- name: Install required pip packages for SSL
- pip:
- name: pyOpenSSL
- state: present
- extra_args: "{{ extra_args | default(omit) }}"
-
-- name: Generate XCI private key
- openssl_privatekey:
- path: /etc/ssl/private/xci.key
- size: 2048
-
-- name: Generate XCI certificate request
- openssl_csr:
- privatekey_path: /etc/ssl/private/xci.key
- path: /etc/ssl/private/xci.csr
- common_name: "{{ xci_ssl_subject }}"
-
-- name: Generate XCI self signed certificate
- openssl_certificate:
- path: /etc/ssl/certs/xci.crt
- privatekey_path: /etc/ssl/private/xci.key
- csr_path: /etc/ssl/private/xci.csr
- provider: selfsigned
- selfsigned_not_after: 20800101000000Z
-- cgit 1.2.3-korg