From 700c1f36a54814a82ead2a3294dc1477d907a159 Mon Sep 17 00:00:00 2001 From: Ignatious Johnson Christopher Date: Tue, 14 Feb 2017 00:40:15 -0800 Subject: [PATCH] Revert "In multi interface setup, ssl certs are created with" This reverts commit ee4823f07d966f854cbe8286999bb95fddb783ee. Also have added subject alternative names with list of physical ip's and vip's in the certificates, so that the same certificate can be used to secure all the ip's of keystone nodes and their vips, similarly for all api-servers and their vip's. Change-Id: I098f5a4cb1fcb10c18d65b9d6b65b8e8930393b1 Closes-Bug: 1663076 --- fabfile/tasks/provision.py | 19 +---------- fabfile/tasks/ssl.py | 67 +++++++++++++++++++------------------- 2 files changed, 35 insertions(+), 51 deletions(-) diff --git a/fabfile/tasks/provision.py b/fabfile/tasks/provision.py index 6d9e6b6dc..5d5737384 100644 --- a/fabfile/tasks/provision.py +++ b/fabfile/tasks/provision.py @@ -127,8 +127,6 @@ def fixup_restart_haproxy_in_all_cfgm(nworkers): $__quantum_server_frontend__ default_backend quantum-server-backend -$__contrail_api_frontend_ext__ - $__contrail_api_frontend__ default_backend contrail-api-backend timeout client 3m @@ -170,7 +168,6 @@ def fixup_restart_haproxy_in_all_cfgm(nworkers): q_frontend = 'frontend quantum-server *:9696' q_ssl_forwarding = '' api_listen_port = 9100 - api_frontend_ext = '' api_frontend = 'frontend contrail-api *:8082' api_ssl_forwarding = '' api_server_lines = '' 
@@ -228,16 +225,7 @@ def fixup_restart_haproxy_in_all_cfgm(nworkers): q_ssl_forwarding = """ option forwardfor http-request set-header X-Forwarded-Port %[dst_port] http-request add-header X-Forwarded-Proto https if { ssl_fc }""" - if get_contrail_external_vip(): - api_frontend_ext = """frontend contrail-api-external - bind %s:8082 ssl crt /etc/contrail/ssl/external/certs/contrailcertbundle.pem - default_backend contrail-api-backend - timeout client 3m""" % get_contrail_external_vip() - api_frontend = """frontend contrail-api - bind %s:8082 ssl crt /etc/contrail/ssl/certs/contrailcertbundle.pem""" % get_contrail_internal_vip() - else: - api_frontend_ext = '' - api_frontend = """frontend contrail-api + api_frontend = """frontend contrail-api bind *:8082 ssl crt /etc/contrail/ssl/certs/contrailcertbundle.pem""" api_ssl_forwarding = """ option forwardfor http-request set-header X-Forwarded-Port %[dst_port] @@ -249,7 +237,6 @@ def fixup_restart_haproxy_in_all_cfgm(nworkers): '__contrail_quantum_servers__': q_server_lines, '__quantum_server_frontend__': q_frontend, '__quantum_ssl_forwarding__': q_ssl_forwarding, - '__contrail_api_frontend_ext__': api_frontend_ext, '__contrail_api_frontend__': api_frontend, '__contrail_api_ssl_forwarding__': api_ssl_forwarding, '__contrail_api_backend_servers__': api_server_lines, @@ -630,10 +617,6 @@ def setup_cfgm_node(*args): with settings(host_string=host_string): if apiserver_ssl_enabled(): execute("setup_apiserver_ssl_certs_node", host_string) - if get_contrail_external_vip(): - execute("setup_apiserver_ssl_certs_node", host_string, - cfgm_ip=get_contrail_external_vip(), - vip='external') if keystone_ssl_enabled(): execute("copy_keystone_ssl_certs_to_node", host_string) if apiserver_ssl_enabled(): diff --git a/fabfile/tasks/ssl.py b/fabfile/tasks/ssl.py index 68768a406..22ea7ae3f 100644 --- a/fabfile/tasks/ssl.py +++ b/fabfile/tasks/ssl.py 
@@ -12,9 +12,8 @@ get_env_passwords, get_openstack_internal_vip, get_contrail_internal_vip, hstr_to_ip, get_apiserver_cert_bundle, get_control_host_string, - get_keystone_cert_bundle, get_apiserver_ext_keyfile, - get_apiserver_ext_cafile, get_apiserver_ext_certfile, - get_apiserver_ext_cert_bundle + get_keystone_cert_bundle, get_openstack_external_vip, + get_contrail_external_vip ) from fabfile.utils.fabos import get_as_sudo, get_openstack_services @@ -49,9 +48,17 @@ def setup_keystone_ssl_certs_node(*nodes): if index == 1: if not exists(ssl_cert, use_sudo=True): print "Creating keystone SSL certs in first openstack node" - sudo('create-keystone-ssl-certs.sh %s' % ( + subject_alt_names_mgmt = [hstr_to_ip(host) + for host in env.roledefs['openstack']] + subject_alt_names_ctrl = [hstr_to_ip(get_control_host_string(host)) + for host in env.roledefs['openstack']] + subject_alt_names = subject_alt_names_mgmt + subject_alt_names_ctrl + if get_openstack_external_vip(): + subject_alt_names.append(get_openstack_external_vip()) + sudo('create-keystone-ssl-certs.sh %s %s' % ( get_openstack_internal_vip() or - hstr_to_ip(get_control_host_string(openstack_host)))) + hstr_to_ip(get_control_host_string(openstack_host)), + ','.join(subject_alt_names))) else: with settings(host_string=openstack_host, password=get_env_passwords(openstack_host)): 
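Review bot: The value used as the certificate CN — `get_openstack_internal_vip()` or the first node's control IP — is never appended to `subject_alt_names`, so unless create-keystone-ssl-certs.sh (not shown here) copies the CN into the SAN extension, verifiers that ignore the CN once a SAN is present will refuse connections to the internal VIP; the `@@ -122,10 +114,19 @@` hunk of ssl.py has the same gap for `cfgm_ip`. In a single-interface setup `hstr_to_ip(host)` and `hstr_to_ip(get_control_host_string(host))` presumably yield the same address, so the list carries duplicates. Both hunks build the list identically; a helper that takes the role plus the addresses to include, keeps order and drops duplicates would let this call site become `cn = get_openstack_internal_vip() or hstr_to_ip(get_control_host_string(openstack_host))` followed by `subject_alt_names = _cert_subject_alt_names('openstack', cn, get_openstack_external_vip())`. The addresses are interpolated unquoted into the `sudo(...)` shell string; they come from the operator's own roledefs, but wrapping the joined list with `pipes.quote` costs nothing. setup_keystone_ssl_certs_node starts outside this hunk.
```python
def _cert_subject_alt_names(role, *addresses):
    """Return the ordered, de-duplicated IP list for a role's certificate SAN.

    Covers the mgmt and control IP of every node in env.roledefs[role] plus
    any extra addresses given (falsy ones such as an unset VIP are skipped);
    pass the CN as well so it is present in the SAN extension too.
    """
    hosts = env.roledefs[role]
    candidates = [hstr_to_ip(h) for h in hosts]
    candidates += [hstr_to_ip(get_control_host_string(h)) for h in hosts]
    candidates += [a for a in addresses if a]
    seen = set()
    unique = []
    for ip in candidates:
        if ip not in seen:
            seen.add(ip)
            unique.append(ip)
    return unique
```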
@@ -84,34 +91,19 @@ def setup_keystone_ssl_certs_node(*nodes): @task @EXECUTE_TASK @roles('cfgm') -def setup_apiserver_ssl_certs(vip='internal'): +def setup_apiserver_ssl_certs(): execute('setup_apiserver_ssl_certs_node', env.host_string) @task -def setup_apiserver_ssl_certs_node(*nodes, **kwargs): - vip = kwargs.get('vip', 'internal') - cfgm_host = env.roledefs['cfgm'][0] - cfgm_ip = kwargs.get('cfgm_ip', - get_contrail_internal_vip() or hstr_to_ip(get_control_host_string(cfgm_host))) - if vip == 'external': - ssl_path = '/etc/contrail/ssl/external/' - default_certfile = '/etc/contrail/ssl/%s/certs/contrail.pem' % vip - default_keyfile = '/etc/contrail/ssl/%s/private/contrail.key' % vip - default_cafile = '/etc/contrail/ssl/%s/certs/contrail_ca.pem' % vip - ssl_certs = ((get_apiserver_ext_certfile(), default_certfile), - (get_apiserver_ext_keyfile(), default_keyfile), - (get_apiserver_ext_cafile(), default_cafile)) - contrailcertbundle = get_apiserver_ext_cert_bundle() - else: - ssl_path = '/etc/contrail/ssl/' - default_certfile = '/etc/contrail/ssl/certs/contrail.pem' - default_keyfile = '/etc/contrail/ssl/private/contrail.key' - default_cafile = '/etc/contrail/ssl/certs/contrail_ca.pem' - ssl_certs = ((get_apiserver_certfile(), default_certfile), - (get_apiserver_keyfile(), default_keyfile), - (get_apiserver_cafile(), default_cafile)) - contrailcertbundle = get_apiserver_cert_bundle() +def setup_apiserver_ssl_certs_node(*nodes): + default_certfile = '/etc/contrail/ssl/certs/contrail.pem' + default_keyfile = '/etc/contrail/ssl/private/contrail.key' + default_cafile = '/etc/contrail/ssl/certs/contrail_ca.pem' + contrailcertbundle = get_apiserver_cert_bundle() + ssl_certs = ((get_apiserver_certfile(), default_certfile), + (get_apiserver_keyfile(), default_keyfile), + (get_apiserver_cafile(), default_cafile)) index = env.roledefs['cfgm'].index(env.host_string) + 1 for node in nodes: with settings(host_string=node, password=get_env_passwords(node)): 
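Review bot: The rewritten `setup_apiserver_ssl_certs_node` has no docstring, and the revert drops every reference to `/etc/contrail/ssl/external/` without cleaning it up, so a cfgm node provisioned by the reverted commit keeps an unused certificate and private key under that path that nothing in the hunks shown touches; if re-provisioning such nodes is expected, a `sudo('rm -rf /etc/contrail/ssl/external')` beside the existing bundle cleanup in the next hunk would retire that key material. A docstring along the lines of `"""Create the apiserver cert/key/CA on the first cfgm node, or copy them from it onto this node; the SAN list covers all cfgm IPs and the VIPs."""` would document the two roles the function plays. Its body continues in the following hunks.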
@@ -122,10 +114,19 @@ def setup_apiserver_ssl_certs_node(*nodes, **kwargs): sudo('rm -f %s' % contrailcertbundle) for ssl_cert, default in ssl_certs: if ssl_cert == default: + cfgm_host = env.roledefs['cfgm'][0] if index == 1: if not exists(ssl_cert, use_sudo=True): print "Creating apiserver SSL certs in first cfgm node" - sudo('create-ssl-certs.sh %s %s contrail' % (cfgm_ip, ssl_path)) + subject_alt_names_mgmt = [hstr_to_ip(host) + for host in env.roledefs['cfgm']] + subject_alt_names_ctrl = [hstr_to_ip(get_control_host_string(host)) + for host in env.roledefs['cfgm']] + subject_alt_names = subject_alt_names_mgmt + subject_alt_names_ctrl + if get_contrail_external_vip(): + subject_alt_names.append(get_contrail_external_vip()) + cfgm_ip = get_contrail_internal_vip() or hstr_to_ip(get_control_host_string(cfgm_host)) + sudo('create-api-ssl-certs.sh %s %s' % (cfgm_ip, ','.join(subject_alt_names))) else: with settings(host_string=cfgm_host, password=get_env_passwords(cfgm_host)): @@ -137,8 +138,8 @@ def setup_apiserver_ssl_certs_node(*nodes, **kwargs): tmp_fname = os.path.join(tmp_dir, os.path.basename(ssl_cert)) get_as_sudo(ssl_cert, tmp_fname) print "Copy to this(%s) cfgm node" % env.host_string - sudo('mkdir -p %scerts/' % ssl_path) - sudo('mkdir -p %sprivate/' % ssl_path) + sudo('mkdir -p /etc/contrail/ssl/certs/') + sudo('mkdir -p /etc/contrail/ssl/private/') put(tmp_fname, ssl_cert, use_sudo=True) os.remove(tmp_fname) elif os.path.isfile(ssl_cert): @@ -151,7 +152,7 @@ def setup_apiserver_ssl_certs_node(*nodes, **kwargs): if not exists(contrailcertbundle, use_sudo=True): ((certfile, _), (keyfile, _), (cafile, _)) = ssl_certs sudo('cat %s %s > %s' % (certfile, cafile, contrailcertbundle)) - sudo("chown -R contrail:contrail %s" % ssl_path) + sudo("chown -R contrail:contrail /etc/contrail/ssl") @task
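Review bot: `cfgm_host`, the SAN list and `cfgm_ip` are now computed inside the per-certificate loop under `if ssl_cert == default:`, although they depend only on `env.roledefs` and the VIP getters; the old code bound `cfgm_host`/`cfgm_ip` once at the top of the function, and moving these lines back there (the `@@ -84,34 +91,19 @@` hunk) would keep the loop body about the one certificate it handles and shorten the long `cfgm_ip = ...` line. `get_contrail_external_vip()` is also called twice in a row; `ext_vip = get_contrail_external_vip()` followed by `if ext_vip: subject_alt_names.append(ext_vip)` reads better. The function starts outside this hunk.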