Revert "In multi interface setup, ssl certs are created with"

This reverts commit 61da0a0. Also have added subject alternative names with list of physical ip's and vip's in the certificates, so that the same certificate can be used to secure all the ip's of keystone nodes and their vips, similarly for all api-servers and their vip's. Change-Id: I098f5a4cb1fcb10c18d65b9d6b65b8e8930393b1 Closes-Bug: 1663076
Juniper · Feb 14, 2017 · 4fe4d5a · 4fe4d5a
1 parent d116298
commit 4fe4d5a
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 70 deletions.
diff --git a/fabfile/tasks/provision.py b/fabfile/tasks/provision.py
@@ -127,8 +127,6 @@ def fixup_restart_haproxy_in_all_cfgm(nworkers):
 $__quantum_server_frontend__
     default_backend    quantum-server-backend
 
-$__contrail_api_frontend_ext__
-
 $__contrail_api_frontend__
     default_backend    contrail-api-backend
     timeout client 3m
@@ -170,7 +168,6 @@ def fixup_restart_haproxy_in_all_cfgm(nworkers):
     q_frontend = 'frontend  quantum-server *:9696'
     q_ssl_forwarding = ''
     api_listen_port = 9100
-    api_frontend_ext = ''
     api_frontend = 'frontend  contrail-api *:8082'
     api_ssl_forwarding = ''
     api_server_lines = ''
@@ -220,16 +217,7 @@ def fixup_restart_haproxy_in_all_cfgm(nworkers):
         q_ssl_forwarding = """    option forwardfor
     http-request set-header X-Forwarded-Port %[dst_port]
     http-request add-header X-Forwarded-Proto https if { ssl_fc }"""
-        if get_contrail_external_vip():
-            api_frontend_ext = """frontend  contrail-api-external
-    bind %s:8082 ssl crt /etc/contrail/ssl/external/certs/contrailcertbundle.pem
-    default_backend    contrail-api-backend
-    timeout client 3m""" % get_contrail_external_vip()
-            api_frontend = """frontend  contrail-api
-    bind %s:8082 ssl crt /etc/contrail/ssl/certs/contrailcertbundle.pem""" % get_contrail_internal_vip()
-        else:
-            api_frontend_ext = ''
-            api_frontend = """frontend  contrail-api
+        api_frontend = """frontend  contrail-api
     bind *:8082 ssl crt /etc/contrail/ssl/certs/contrailcertbundle.pem"""
         api_ssl_forwarding = """    option forwardfor
     http-request set-header X-Forwarded-Port %[dst_port]
@@ -241,7 +229,6 @@ def fixup_restart_haproxy_in_all_cfgm(nworkers):
             '__contrail_quantum_servers__': q_server_lines,
             '__quantum_server_frontend__': q_frontend,
             '__quantum_ssl_forwarding__': q_ssl_forwarding,
-            '__contrail_api_frontend_ext__': api_frontend_ext,
             '__contrail_api_frontend__': api_frontend,
             '__contrail_api_ssl_forwarding__': api_ssl_forwarding,
             '__contrail_api_backend_servers__': api_server_lines,
@@ -622,10 +609,6 @@ def setup_cfgm_node(*args):
         with  settings(host_string=host_string):
             if apiserver_ssl_enabled():
                 execute("setup_apiserver_ssl_certs_node", host_string)
-                if get_contrail_external_vip():
-                    execute("setup_apiserver_ssl_certs_node", host_string,
-                            cfgm_ip=get_contrail_external_vip(),
-                            vip='external')
             if keystone_ssl_enabled():
                 execute("copy_keystone_ssl_certs_to_node", host_string)
             if apiserver_ssl_enabled():

diff --git a/fabfile/tasks/ssl.py b/fabfile/tasks/ssl.py
@@ -12,9 +12,8 @@
         get_env_passwords, get_openstack_internal_vip,
         get_contrail_internal_vip, hstr_to_ip,
         get_apiserver_cert_bundle, get_control_host_string,
-        get_keystone_cert_bundle, get_apiserver_ext_keyfile,
-        get_apiserver_ext_cafile, get_apiserver_ext_certfile,
-        get_apiserver_ext_cert_bundle
+        get_keystone_cert_bundle, get_openstack_external_vip,
+        get_contrail_external_vip
         )
 from fabfile.utils.fabos import get_as_sudo
 
@@ -49,9 +48,17 @@ def setup_keystone_ssl_certs_node(*nodes):
                     if index == 1:
                         if not exists(ssl_cert, use_sudo=True):
                             print "Creating keystone SSL certs in first openstack node"
-                            sudo('create-keystone-ssl-certs.sh %s' % (
+                            subject_alt_names_mgmt = [hstr_to_ip(host)
+                                                      for host in env.roledefs['openstack']]
+                            subject_alt_names_ctrl = [hstr_to_ip(get_control_host_string(host))
+                                                      for host in env.roledefs['openstack']]
+                            subject_alt_names = subject_alt_names_mgmt + subject_alt_names_ctrl
+                            if get_openstack_external_vip():
+                                subject_alt_names.append(get_openstack_external_vip())
+                            sudo('create-keystone-ssl-certs.sh %s %s' % (
                                     get_openstack_internal_vip() or
-                                    hstr_to_ip(get_control_host_string(openstack_host))))
+                                    hstr_to_ip(get_control_host_string(openstack_host)),
+                                    ','.join(subject_alt_names)))
                     else:
                         with settings(host_string=openstack_host,
                                       password=get_env_passwords(openstack_host)):
@@ -84,34 +91,19 @@ def setup_keystone_ssl_certs_node(*nodes):
 @task
 @EXECUTE_TASK
 @roles('cfgm')
-def setup_apiserver_ssl_certs(vip='internal'):
+def setup_apiserver_ssl_certs():
     execute('setup_apiserver_ssl_certs_node', env.host_string)
 
 
 @task
-def setup_apiserver_ssl_certs_node(*nodes, **kwargs):
-    vip = kwargs.get('vip', 'internal')
-    cfgm_host = env.roledefs['cfgm'][0]
-    cfgm_ip = kwargs.get('cfgm_ip',
-            get_contrail_internal_vip() or hstr_to_ip(get_control_host_string(cfgm_host)))
-    if vip == 'external':
-        ssl_path = '/etc/contrail/ssl/external/'
-        default_certfile = '/etc/contrail/ssl/%s/certs/contrail.pem' % vip
-        default_keyfile = '/etc/contrail/ssl/%s/private/contrail.key' % vip
-        default_cafile = '/etc/contrail/ssl/%s/certs/contrail_ca.pem' % vip
-        ssl_certs = ((get_apiserver_ext_certfile(), default_certfile),
-                     (get_apiserver_ext_keyfile(), default_keyfile),
-                     (get_apiserver_ext_cafile(), default_cafile))
-        contrailcertbundle = get_apiserver_ext_cert_bundle()
-    else:
-        ssl_path = '/etc/contrail/ssl/'
-        default_certfile = '/etc/contrail/ssl/certs/contrail.pem'
-        default_keyfile = '/etc/contrail/ssl/private/contrail.key'
-        default_cafile = '/etc/contrail/ssl/certs/contrail_ca.pem'
-        ssl_certs = ((get_apiserver_certfile(), default_certfile),
-                     (get_apiserver_keyfile(), default_keyfile),
-                     (get_apiserver_cafile(), default_cafile))
-        contrailcertbundle = get_apiserver_cert_bundle()
+def setup_apiserver_ssl_certs_node(*nodes):
+    default_certfile = '/etc/contrail/ssl/certs/contrail.pem'
+    default_keyfile = '/etc/contrail/ssl/private/contrail.key'
+    default_cafile = '/etc/contrail/ssl/certs/contrail_ca.pem'
+    contrailcertbundle = get_apiserver_cert_bundle()
+    ssl_certs = ((get_apiserver_certfile(), default_certfile),
+                 (get_apiserver_keyfile(), default_keyfile),
+                 (get_apiserver_cafile(), default_cafile))
     index = env.roledefs['cfgm'].index(env.host_string) + 1
     for node in nodes:
         with settings(host_string=node, password=get_env_passwords(node)):
@@ -122,10 +114,19 @@ def setup_apiserver_ssl_certs_node(*nodes, **kwargs):
                     sudo('rm -f %s' % contrailcertbundle)
             for ssl_cert, default in ssl_certs:
                 if ssl_cert == default:
+                    cfgm_host = env.roledefs['cfgm'][0]
                     if index == 1:
                         if not exists(ssl_cert, use_sudo=True):
                             print "Creating apiserver SSL certs in first cfgm node"
-                            sudo('create-ssl-certs.sh %s %s contrail' % (cfgm_ip, ssl_path))
+                            subject_alt_names_mgmt = [hstr_to_ip(host)
+                                                      for host in env.roledefs['cfgm']]
+                            subject_alt_names_ctrl = [hstr_to_ip(get_control_host_string(host))
+                                                      for host in env.roledefs['cfgm']]
+                            subject_alt_names = subject_alt_names_mgmt + subject_alt_names_ctrl
+                            if get_contrail_external_vip():
+                                subject_alt_names.append(get_contrail_external_vip())
+                            cfgm_ip = get_contrail_internal_vip() or hstr_to_ip(get_control_host_string(cfgm_host))
+                            sudo('create-api-ssl-certs.sh %s %s' % (cfgm_ip, subject_alt_names))
                     else:
                         with settings(host_string=cfgm_host,
                                       password=get_env_passwords(cfgm_host)):
@@ -137,8 +138,8 @@ def setup_apiserver_ssl_certs_node(*nodes, **kwargs):
                             tmp_fname = os.path.join(tmp_dir, os.path.basename(ssl_cert))
                             get_as_sudo(ssl_cert, tmp_fname)
                         print "Copy to this(%s) cfgm node" % env.host_string 
-                        sudo('mkdir -p %scerts/' % ssl_path)
-                        sudo('mkdir -p %sprivate/' % ssl_path)
+                        sudo('mkdir -p /etc/contrail/ssl/certs/')
+                        sudo('mkdir -p /etc/contrail/ssl/private/')
                         put(tmp_fname, ssl_cert, use_sudo=True)
                         os.remove(tmp_fname)
                 elif os.path.isfile(ssl_cert): 
@@ -151,7 +152,7 @@ def setup_apiserver_ssl_certs_node(*nodes, **kwargs):
             if not exists(contrailcertbundle, use_sudo=True):
                 ((certfile, _), (keyfile, _), (cafile, _)) = ssl_certs
                 sudo('cat %s %s > %s' % (certfile, cafile, contrailcertbundle))
-            sudo("chown -R contrail:contrail %s" % ssl_path)
+            sudo("chown -R contrail:contrail /etc/contrail/ssl")
 
 
 @task

diff --git a/fabfile/utils/host.py b/fabfile/utils/host.py
@@ -437,25 +437,6 @@ def get_keystone_cert_bundle():
     return '/etc/keystone/ssl/certs/keystonecertbundle.pem'
 
 
-def get_apiserver_ext_certfile():
-    default = '/etc/contrail/ssl/external/certs/contrail.pem'
-    return get_from_testbed_dict('cfgm','certfile', default)
-
-
-def get_apiserver_ext_keyfile():
-    default = '/etc/contrail/ssl/external/private/contrail.key'
-    return get_from_testbed_dict('cfgm','keyfile', default)
-
-
-def get_apiserver_ext_cafile():
-    default = '/etc/contrail/ssl/external/certs/contrail_ca.pem'
-    return get_from_testbed_dict('cfgm','cafile', default)
-
-
-def get_apiserver_ext_cert_bundle():
-    return '/etc/contrail/ssl/external/certs/contrailcertbundle.pem'
-
-
 def get_apiserver_certfile():
     default = '/etc/contrail/ssl/certs/contrail.pem'
     return get_from_testbed_dict('cfgm','certfile', default)