From 4fe4d5add53219b3db62e0a0c3ab4e600e3422c7 Mon Sep 17 00:00:00 2001
From: Ignatious Johnson Christopher
Date: Tue, 14 Feb 2017 00:40:15 -0800
Subject: [PATCH] Revert "In multi interface setup, ssl certs are created with"

This reverts commit 61da0a0089324b326748d6adcd8a84e58fdc9e92.

Also have added subject alternative names with list of physical ip's and vip's in the certificates, so that the same certificate can be used to secure all the ip's of keystone nodes and their vips, similarly for all api-servers and their vip's.

Change-Id: I098f5a4cb1fcb10c18d65b9d6b65b8e8930393b1
Closes-Bug: 1663076
---
 fabfile/tasks/provision.py | 19 +----------
 fabfile/tasks/ssl.py | 67 +++++++++++++++++++-------------------
 fabfile/utils/host.py | 19 -----------
 3 files changed, 35 insertions(+), 70 deletions(-)

diff --git a/fabfile/tasks/provision.py b/fabfile/tasks/provision.py
index 631e6b155..70e67ecb7 100644
--- a/fabfile/tasks/provision.py
+++ b/fabfile/tasks/provision.py
@@ -127,8 +127,6 @@ def fixup_restart_haproxy_in_all_cfgm(nworkers):
 $__quantum_server_frontend__
     default_backend quantum-server-backend
 
-$__contrail_api_frontend_ext__
-
 $__contrail_api_frontend__
     default_backend contrail-api-backend
     timeout client 3m
@@ -170,7 +168,6 @@ def fixup_restart_haproxy_in_all_cfgm(nworkers):
     q_frontend = 'frontend quantum-server *:9696'
     q_ssl_forwarding = ''
     api_listen_port = 9100
-    api_frontend_ext = ''
     api_frontend = 'frontend contrail-api *:8082'
     api_ssl_forwarding = ''
     api_server_lines = ''
@@ -220,16 +217,7 @@ def fixup_restart_haproxy_in_all_cfgm(nworkers):
         q_ssl_forwarding = """ option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }"""
-        if get_contrail_external_vip():
-            api_frontend_ext = """frontend contrail-api-external
-    bind %s:8082 ssl crt /etc/contrail/ssl/external/certs/contrailcertbundle.pem
-    default_backend contrail-api-backend
-    timeout client 3m""" % get_contrail_external_vip()
-            api_frontend = """frontend contrail-api
-    bind %s:8082 ssl crt /etc/contrail/ssl/certs/contrailcertbundle.pem""" % get_contrail_internal_vip()
-        else:
-            api_frontend_ext = ''
-            api_frontend = """frontend contrail-api
+        api_frontend = """frontend contrail-api
     bind *:8082 ssl crt /etc/contrail/ssl/certs/contrailcertbundle.pem"""
         api_ssl_forwarding = """ option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]
@@ -241,7 +229,6 @@ def fixup_restart_haproxy_in_all_cfgm(nworkers):
         '__contrail_quantum_servers__': q_server_lines,
         '__quantum_server_frontend__': q_frontend,
         '__quantum_ssl_forwarding__': q_ssl_forwarding,
-        '__contrail_api_frontend_ext__': api_frontend_ext,
         '__contrail_api_frontend__': api_frontend,
         '__contrail_api_ssl_forwarding__': api_ssl_forwarding,
         '__contrail_api_backend_servers__': api_server_lines,
@@ -622,10 +609,6 @@ def setup_cfgm_node(*args):
         with settings(host_string=host_string):
             if apiserver_ssl_enabled():
                 execute("setup_apiserver_ssl_certs_node", host_string)
-            if get_contrail_external_vip():
-                execute("setup_apiserver_ssl_certs_node", host_string,
-                        cfgm_ip=get_contrail_external_vip(),
-                        vip='external')
             if keystone_ssl_enabled():
                 execute("copy_keystone_ssl_certs_to_node", host_string)
             if apiserver_ssl_enabled():
diff --git a/fabfile/tasks/ssl.py b/fabfile/tasks/ssl.py
index 12b5dc830..c16ca0d3e 100644
--- a/fabfile/tasks/ssl.py
+++ b/fabfile/tasks/ssl.py
@@ -12,9 +12,8 @@
     get_env_passwords, get_openstack_internal_vip, get_contrail_internal_vip, hstr_to_ip, get_apiserver_cert_bundle, get_control_host_string,
-    get_keystone_cert_bundle, get_apiserver_ext_keyfile,
-    get_apiserver_ext_cafile, get_apiserver_ext_certfile,
-    get_apiserver_ext_cert_bundle
+    get_keystone_cert_bundle, get_openstack_external_vip,
+    get_contrail_external_vip
 )
 from fabfile.utils.fabos import get_as_sudo
@@ -49,9 +48,17 @@ def setup_keystone_ssl_certs_node(*nodes):
                     if index == 1:
                         if not exists(ssl_cert, use_sudo=True):
                             print "Creating keystone SSL certs in first openstack node"
-                            sudo('create-keystone-ssl-certs.sh %s' % (
+                            subject_alt_names_mgmt = [hstr_to_ip(host)
+                                                      for host in env.roledefs['openstack']]
+                            subject_alt_names_ctrl = [hstr_to_ip(get_control_host_string(host))
+                                                      for host in env.roledefs['openstack']]
+                            subject_alt_names = subject_alt_names_mgmt + subject_alt_names_ctrl
+                            if get_openstack_external_vip():
+                                subject_alt_names.append(get_openstack_external_vip())
+                            sudo('create-keystone-ssl-certs.sh %s %s' % (
                                 get_openstack_internal_vip() or
-                                hstr_to_ip(get_control_host_string(openstack_host))))
+                                hstr_to_ip(get_control_host_string(openstack_host)),
+                                ','.join(subject_alt_names)))
                     else:
                         with settings(host_string=openstack_host,
                                       password=get_env_passwords(openstack_host)):
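Review bot: When `get_openstack_internal_vip()` is set, that VIP is passed only as the first argument of the new `sudo('create-keystone-ssl-certs.sh %s %s' % (...))` call (presumably the CN) and is never appended to `subject_alt_names`, while the external VIP is; verifiers that ignore the CN once a subjectAltName extension is present would then reject connections to the internal VIP, unless the script itself copies the CN into the SAN, which this hunk cannot show. Appending it before the join, `if get_openstack_internal_vip(): subject_alt_names.append(get_openstack_internal_vip())`, closes that gap, and de-duplicating the list (e.g. `','.join(sorted(set(subject_alt_names)))`) avoids repeated entries when a node's management and control addresses coincide. The cfgm SAN list built in the `@@ -122,10 +114,19 @@` hunk of this file has the same shape and the same gap for `get_contrail_internal_vip()`. setup_keystone_ssl_certs_node begins and ends outside this hunk.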
@@ -84,34 +91,19 @@ def setup_keystone_ssl_certs_node(*nodes):
 @task
 @EXECUTE_TASK
 @roles('cfgm')
-def setup_apiserver_ssl_certs(vip='internal'):
+def setup_apiserver_ssl_certs():
     execute('setup_apiserver_ssl_certs_node', env.host_string)
 
 
 @task
-def setup_apiserver_ssl_certs_node(*nodes, **kwargs):
-    vip = kwargs.get('vip', 'internal')
-    cfgm_host = env.roledefs['cfgm'][0]
-    cfgm_ip = kwargs.get('cfgm_ip',
-        get_contrail_internal_vip() or hstr_to_ip(get_control_host_string(cfgm_host)))
-    if vip == 'external':
-        ssl_path = '/etc/contrail/ssl/external/'
-        default_certfile = '/etc/contrail/ssl/%s/certs/contrail.pem' % vip
-        default_keyfile = '/etc/contrail/ssl/%s/private/contrail.key' % vip
-        default_cafile = '/etc/contrail/ssl/%s/certs/contrail_ca.pem' % vip
-        ssl_certs = ((get_apiserver_ext_certfile(), default_certfile),
-                     (get_apiserver_ext_keyfile(), default_keyfile),
-                     (get_apiserver_ext_cafile(), default_cafile))
-        contrailcertbundle = get_apiserver_ext_cert_bundle()
-    else:
-        ssl_path = '/etc/contrail/ssl/'
-        default_certfile = '/etc/contrail/ssl/certs/contrail.pem'
-        default_keyfile = '/etc/contrail/ssl/private/contrail.key'
-        default_cafile = '/etc/contrail/ssl/certs/contrail_ca.pem'
-        ssl_certs = ((get_apiserver_certfile(), default_certfile),
-                     (get_apiserver_keyfile(), default_keyfile),
-                     (get_apiserver_cafile(), default_cafile))
-        contrailcertbundle = get_apiserver_cert_bundle()
+def setup_apiserver_ssl_certs_node(*nodes):
+    default_certfile = '/etc/contrail/ssl/certs/contrail.pem'
+    default_keyfile = '/etc/contrail/ssl/private/contrail.key'
+    default_cafile = '/etc/contrail/ssl/certs/contrail_ca.pem'
+    contrailcertbundle = get_apiserver_cert_bundle()
+    ssl_certs = ((get_apiserver_certfile(), default_certfile),
+                 (get_apiserver_keyfile(), default_keyfile),
+                 (get_apiserver_cafile(), default_cafile))
     index = env.roledefs['cfgm'].index(env.host_string) + 1
     for node in nodes:
         with settings(host_string=node, password=get_env_passwords(node)):
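Review bot: The restored body spells the `/etc/contrail/ssl` prefix out in three literals here (`default_certfile`, `default_keyfile`, `default_cafile`), and the later hunks of this file repeat it in the two `mkdir -p` lines and the `chown -R` line, where the removed `ssl_path` variable had been the single point of definition. A module-level constant, `CONTRAIL_SSL_DIR = '/etc/contrail/ssl'`, with `os.path.join(CONTRAIL_SSL_DIR, 'certs', 'contrail.pem')` and friends would keep the directory the key material lands in consistent with the directory that gets `chown`ed. The new `setup_apiserver_ssl_certs_node` also has no docstring; one sentence stating that it creates the cert on the first cfgm node and copies it to the others, and that the SAN list covers every cfgm address, would help the next reader. The function continues past the end of this hunk.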
@@ -122,10 +114,19 @@ def setup_apiserver_ssl_certs_node(*nodes, **kwargs):
             sudo('rm -f %s' % contrailcertbundle)
             for ssl_cert, default in ssl_certs:
                 if ssl_cert == default:
+                    cfgm_host = env.roledefs['cfgm'][0]
                     if index == 1:
                         if not exists(ssl_cert, use_sudo=True):
                             print "Creating apiserver SSL certs in first cfgm node"
-                            sudo('create-ssl-certs.sh %s %s contrail' % (cfgm_ip, ssl_path))
+                            subject_alt_names_mgmt = [hstr_to_ip(host)
+                                                      for host in env.roledefs['cfgm']]
+                            subject_alt_names_ctrl = [hstr_to_ip(get_control_host_string(host))
+                                                      for host in env.roledefs['cfgm']]
+                            subject_alt_names = subject_alt_names_mgmt + subject_alt_names_ctrl
+                            if get_contrail_external_vip():
+                                subject_alt_names.append(get_contrail_external_vip())
+                            cfgm_ip = get_contrail_internal_vip() or hstr_to_ip(get_control_host_string(cfgm_host))
+                            sudo('create-api-ssl-certs.sh %s %s' % (cfgm_ip, subject_alt_names))
                     else:
                         with settings(host_string=cfgm_host,
                                       password=get_env_passwords(cfgm_host)):
@@ -137,8 +138,8 @@ def setup_apiserver_ssl_certs_node(*nodes, **kwargs):
                             tmp_fname = os.path.join(tmp_dir, os.path.basename(ssl_cert))
                             get_as_sudo(ssl_cert, tmp_fname)
                             print "Copy to this(%s) cfgm node" % env.host_string
-                            sudo('mkdir -p %scerts/' % ssl_path)
-                            sudo('mkdir -p %sprivate/' % ssl_path)
+                            sudo('mkdir -p /etc/contrail/ssl/certs/')
+                            sudo('mkdir -p /etc/contrail/ssl/private/')
                             put(tmp_fname, ssl_cert, use_sudo=True)
                             os.remove(tmp_fname)
                 elif os.path.isfile(ssl_cert):
@@ -151,7 +152,7 @@ def setup_apiserver_ssl_certs_node(*nodes, **kwargs):
             if not exists(contrailcertbundle, use_sudo=True):
                 ((certfile, _), (keyfile, _), (cafile, _)) = ssl_certs
                 sudo('cat %s %s > %s' % (certfile, cafile, contrailcertbundle))
-            sudo("chown -R contrail:contrail %s" % ssl_path)
+            sudo("chown -R contrail:contrail /etc/contrail/ssl")
 
 
 @task
diff --git a/fabfile/utils/host.py b/fabfile/utils/host.py
index 43f151b17..143c7212c 100644
--- a/fabfile/utils/host.py
+++ b/fabfile/utils/host.py
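Review bot: `sudo('create-api-ssl-certs.sh %s %s' % (cfgm_ip, subject_alt_names))` interpolates the Python list object itself, so the script receives the list's repr, with brackets, quotes and whitespace that the shell splits into several words, rather than the comma-separated string the keystone hunk of this file builds with `','.join(subject_alt_names)`. Unless create-api-ssl-certs.sh is known to parse that repr, which this diff cannot show, the line should read `sudo('create-api-ssl-certs.sh %s %s' % (cfgm_ip, ','.join(subject_alt_names)))` so the two tasks hand their SAN lists over in the same form. The new `cfgm_host = env.roledefs['cfgm'][0]` assignment is re-evaluated for every `ssl_cert` although it is loop-invariant and is also needed by the `else:` branch below; hoisting it to just above `for node in nodes:` is clearer. setup_apiserver_ssl_certs_node begins before and ends after this hunk.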
@@ -437,25 +437,6 @@ def get_keystone_cert_bundle():
     return '/etc/keystone/ssl/certs/keystonecertbundle.pem'
 
 
-def get_apiserver_ext_certfile():
-    default = '/etc/contrail/ssl/external/certs/contrail.pem'
-    return get_from_testbed_dict('cfgm','certfile', default)
-
-
-def get_apiserver_ext_keyfile():
-    default = '/etc/contrail/ssl/external/private/contrail.key'
-    return get_from_testbed_dict('cfgm','keyfile', default)
-
-
-def get_apiserver_ext_cafile():
-    default = '/etc/contrail/ssl/external/certs/contrail_ca.pem'
-    return get_from_testbed_dict('cfgm','cafile', default)
-
-
-def get_apiserver_ext_cert_bundle():
-    return '/etc/contrail/ssl/external/certs/contrailcertbundle.pem'
-
-
 def get_apiserver_certfile():
     default = '/etc/contrail/ssl/certs/contrail.pem'
     return get_from_testbed_dict('cfgm','certfile', default)