From d08ce6dfd4df2574be8f69419f5e5c027cae6d2a Mon Sep 17 00:00:00 2001
From: Yolanda Robla
Date: Wed, 16 Aug 2017 16:28:28 +0200
Subject: Generate and use certificates for OSA

Instead of making OSA to generate self signed certs, bring our own and pass them. By this way we will be able to trust in that certs, and start consuming OpenStack easily. It will also generate proper openrc file to source it and start consuming the cloud properly.

Change-Id: Ic72a8b05e6efb222926fc5fa0800e033b2dbd22f
Closes-Bug: RELENG-266
Signed-off-by: Yolanda Robla
---
 xci/playbooks/configure-localhost.yml | 20 +++++++++++++++-
 xci/playbooks/configure-opnfvhost.yml | 45 +++++++++++++++++++++++++++++++++++
 2 files changed, 64 insertions(+), 1 deletion(-)
(limited to 'xci/playbooks')
diff --git a/xci/playbooks/configure-localhost.yml b/xci/playbooks/configure-localhost.yml
index 40147d31..2dfa0530 100644
--- a/xci/playbooks/configure-localhost.yml
+++ b/xci/playbooks/configure-localhost.yml
@@ -15,7 +15,7 @@
 roles:
 - role: remove-folders
 - { role: clone-repository, project: "opnfv/releng-xci", repo: "{{ OPNFV_RELENG_GIT_URL }}", dest: "{{ OPNFV_RELENG_PATH }}", version: "{{ OPNFV_RELENG_VERSION }}" }
-
+ - { role: clone-repository, project: "openstack/openstack-ansible-openstack_openrc", repo: "{{ OPENSTACK_OSA_OPENRC_GIT_URL }}", dest: "{{ OPENSTACK_OSA_OPENRC_PATH }}", version: "master" }
 - hosts: localhost
 connection: local
 gather_facts: false
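Review bot: The clone-repository entry added to configure-localhost.yml checks out openstack-ansible-openstack_openrc at `version: "master"`, a moving branch, whereas the releng-xci entry just above it takes its version from a variable. The same commit later applies a role of that name as root on the opnfv host, so whatever is on upstream master at deploy time appears to run there unreviewed. Pin it to a reviewed tag or commit through a variable kept next to OPENSTACK_OSA_OPENRC_GIT_URL, for example `version: "{{ <OPENRC_VERSION_VARIABLE> }}"` (placeholder name). The hunk also removes the blank line that separated this play from the following `- hosts: localhost`; keeping it helps readability.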
@@ -57,3 +57,21 @@
 copy:
 src: "{{XCI_FLAVOR_ANSIBLE_FILE_PATH}}/flavor-vars.yml"
 dest: "{{OPNFV_RELENG_PATH}}/xci/var"
+- hosts: localhost
+ connection: local
+ gather_facts: false
+ vars_files:
+ - ../var/{{ ansible_os_family }}.yml
+ - ../var/opnfv.yml
+ tasks:
+ - name: create certificate directory /etc/ssl/certs
+ file:
+ path: "/etc/ssl/certs"
+ state: directory
+ - name: create key directory /etc/ssl/private
+ file:
+ path: "/etc/ssl/private"
+ state: directory
+ - name: generate self signed certificate
+ command: openssl req -new -nodes -x509 -subj "{{ XCI_SSL_SUBJECT }}" -days 3650 -keyout "/etc/ssl/private/xci.key" -out "/etc/ssl/certs/xci.crt" -extensions v3_ca
+ become: true
diff --git a/xci/playbooks/configure-opnfvhost.yml b/xci/playbooks/configure-opnfvhost.yml
index 7bc434d7..5beddcd7 100644
--- a/xci/playbooks/configure-opnfvhost.yml
+++ b/xci/playbooks/configure-opnfvhost.yml
@@ -97,6 +97,28 @@
 command: "python pw-token-gen.py --file {{OPENSTACK_OSA_ETC_PATH}}/user_secrets.yml"
 args:
 chdir: "{{OPENSTACK_OSA_PATH}}/scripts"
+ - name: create certificate directory /etc/ssl/certs
+ file:
+ path: "/etc/ssl/certs"
+ state: directory
+ - name: create key directory /etc/ssl/private
+ file:
+ path: "/etc/ssl/private"
+ state: directory
+ - name: copy certificate to /etc/ssl/certs
+ copy:
+ src: "/etc/ssl/certs/xci.crt"
+ dest: "/etc/ssl/certs/"
+ become: true
+ - name: read remote key from /etc/ssl/private
+ set_fact:
+ xci_ssl_key: "{{ lookup('pipe', 'sudo cat /etc/ssl/private/xci.key' ) }}"
+ - name: copy key to /etc/ssl/private
+ copy:
+ content: "{{ xci_ssl_key }}"
+ dest: "/etc/ssl/private/xci.key"
+ become: true
+
 - hosts: localhost
 remote_user: root
 vars_files:
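Review bot: The `generate self signed certificate` task added at the end of configure-localhost.yml runs `openssl req` unconditionally, so every playbook run overwrites /etc/ssl/private/xci.key and xci.crt and invalidates any copy that was already distributed or trusted. Give the task `args:` with `creates: "/etc/ssl/private/xci.key"` so the pair is generated only once. The key's permissions are left to openssl and the process umask; setting them explicitly to owner-only with a following `file` task would remove that dependency. The two directory tasks lack the `become: true` that the openssl task carries, so they would fail for an unprivileged user if either directory were missing. `-extensions v3_ca` with `-days 3650` yields a ten-year CA-capable certificate; a comment stating why a leaf certificate is not used would help the next reader.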
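Review bot: The `copy key to /etc/ssl/private` task in configure-opnfvhost.yml writes the private key without a `mode`, so the file gets the remote default, which is usually world-readable; add `mode: "0600"` and `owner: root` to that `copy`. The key material also passes through the `xci_ssl_key` fact and `copy: content:`, both of which can show up in verbose or diff output, so `no_log: true` belongs on the `set_fact` and `copy` tasks. The `lookup('pipe', 'sudo cat …')` runs on the control node and depends on non-interactive sudo there, which deserves a one-line comment. The enclosing play begins outside this hunk.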
@@ -106,3 +128,26 @@
 shell: "/bin/cat {{ OPNFV_SSH_HOST_KEYS_PATH }}/opnfv/root/.ssh/id_rsa.pub >> ../file/authorized_keys"
 - name: Append public keys to authorized_keys
 shell: "/bin/cat {{ ansible_env.HOME }}/.ssh/id_rsa.pub >> ../file/authorized_keys"
+
+- hosts: opnfv
+ gather_facts: no
+ remote_user: root
+ vars_files:
+ - ../var/{{ ansible_os_family }}.yml
+ - ../var/flavor-vars.yml
+ - ../var/opnfv.yml
+ - "{{ XCI_FLAVOR_ANSIBLE_FILE_PATH }}/user_variables.yml"
+ roles:
+ - role: "openstack-ansible-openstack_openrc"
+ tasks:
+ - name: add extra insecure flag to generated openrc
+ blockinfile:
+ dest: "{{ ansible_env.HOME }}/openrc"
+ block: |
+ export OS_INSECURE=true
+
+ - name: fetch generated openrc
+ fetch:
+ src: "{{ ansible_env.HOME }}/openrc"
+ dest: "{{ XCI_DEVEL_ROOT }}/"
+ flat: true
-- cgit 1.2.3-korg
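Review bot: The `add extra insecure flag to generated openrc` task in the new `hosts: opnfv` play appends `export OS_INSECURE=true`, which disables TLS certificate verification in the OpenStack clients and so undoes the stated purpose of shipping a certificate that can be trusted. Point the clients at the certificate instead, e.g. `export OS_CACERT=/etc/ssl/certs/xci.crt` in the block, assuming the certificate is present at that path wherever openrc is sourced. The fetched openrc presumably holds the admin credentials and `fetch` writes it under XCI_DEVEL_ROOT with default permissions, so a local follow-up task restricting it to the owner is advisable. The play sets `gather_facts: no` yet reads `ansible_env.HOME` and `ansible_os_family`, which resolve only if an earlier play gathered facts for this host. Spelling it `gather_facts: false` would also match configure-localhost.yml.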