From 915730a416b631593c4eec36448379a1bb9676a8 Mon Sep 17 00:00:00 2001
From: Ignatious Johnson Christopher
Date: Tue, 14 Feb 2017 00:40:15 -0800
Subject: [PATCH] Revert "In multi interface setup, ssl certs are created with"

This reverts commit 142743ad0b3d3ad62e8c42a74a5ebe3a9475d40c.

Also have added subject alternative names with list of physical ip's and vip's in the certificates, so that the same certificate can be used to secure all the ip's of keystone nodes and their vips, similarly for all api-servers and their vip's.

Change-Id: I098f5a4cb1fcb10c18d65b9d6b65b8e8930393b1
Closes-Bug: 1663076
---
 fabfile/tasks/provision.py | 19 +----------
 fabfile/tasks/ssl.py | 67 +++++++++++++++++++-------------------
 fabfile/utils/host.py | 19 -----------
 3 files changed, 35 insertions(+), 70 deletions(-)

diff --git a/fabfile/tasks/provision.py b/fabfile/tasks/provision.py
index 7f49b61a5..72638e3bc 100644
--- a/fabfile/tasks/provision.py
+++ b/fabfile/tasks/provision.py
@@ -127,8 +127,6 @@ def fixup_restart_haproxy_in_all_cfgm(nworkers):
 $__quantum_server_frontend__
 default_backend quantum-server-backend
 
-$__contrail_api_frontend_ext__
-
 $__contrail_api_frontend__
 default_backend contrail-api-backend
 timeout client 3m
@@ -170,7 +168,6 @@ def fixup_restart_haproxy_in_all_cfgm(nworkers):
 q_frontend = 'frontend quantum-server *:9696'
 q_ssl_forwarding = ''
 api_listen_port = 9100
- api_frontend_ext = ''
 api_frontend = 'frontend contrail-api *:8082'
 api_ssl_forwarding = ''
 api_server_lines = ''
@@ -228,16 +225,7 @@ def fixup_restart_haproxy_in_all_cfgm(nworkers):
 q_ssl_forwarding = """ option forwardfor
 http-request set-header X-Forwarded-Port %[dst_port]
 http-request add-header X-Forwarded-Proto https if { ssl_fc }"""
- if get_contrail_external_vip():
- api_frontend_ext = """frontend contrail-api-external
- bind %s:8082 ssl crt /etc/contrail/ssl/external/certs/contrailcertbundle.pem
- default_backend contrail-api-backend
- timeout client 3m""" % get_contrail_external_vip()
- api_frontend = """frontend contrail-api
- bind %s:8082 ssl crt /etc/contrail/ssl/certs/contrailcertbundle.pem""" % get_contrail_internal_vip()
- else:
- api_frontend_ext = ''
- api_frontend = """frontend contrail-api
+ api_frontend = """frontend contrail-api
 bind *:8082 ssl crt /etc/contrail/ssl/certs/contrailcertbundle.pem"""
 api_ssl_forwarding = """ option forwardfor
 http-request set-header X-Forwarded-Port %[dst_port]
@@ -249,7 +237,6 @@ def fixup_restart_haproxy_in_all_cfgm(nworkers):
 '__contrail_quantum_servers__': q_server_lines,
 '__quantum_server_frontend__': q_frontend,
 '__quantum_ssl_forwarding__': q_ssl_forwarding,
- '__contrail_api_frontend_ext__': api_frontend_ext,
 '__contrail_api_frontend__': api_frontend,
 '__contrail_api_ssl_forwarding__': api_ssl_forwarding,
 '__contrail_api_backend_servers__': api_server_lines,
@@ -630,10 +617,6 @@ def setup_cfgm_node(*args):
 with settings(host_string=host_string):
 if apiserver_ssl_enabled():
 execute("setup_apiserver_ssl_certs_node", host_string)
- if get_contrail_external_vip():
- execute("setup_apiserver_ssl_certs_node", host_string,
- cfgm_ip=get_contrail_external_vip(),
- vip='external')
 if keystone_ssl_enabled():
 execute("copy_keystone_ssl_certs_to_node", host_string)
 if apiserver_ssl_enabled():
diff --git a/fabfile/tasks/ssl.py b/fabfile/tasks/ssl.py
index 68768a406..d127ccd62 100644
--- a/fabfile/tasks/ssl.py
+++ b/fabfile/tasks/ssl.py
@@ -12,9 +12,8 @@ get_env_passwords, get_openstack_internal_vip, get_contrail_internal_vip, hstr_to_ip, get_apiserver_cert_bundle, get_control_host_string,
- get_keystone_cert_bundle, get_apiserver_ext_keyfile,
- get_apiserver_ext_cafile, get_apiserver_ext_certfile,
- get_apiserver_ext_cert_bundle
+ get_keystone_cert_bundle, get_openstack_external_vip,
+ get_contrail_external_vip
 )
 from fabfile.utils.fabos import get_as_sudo, get_openstack_services
@@ -49,9 +48,17 @@ def setup_keystone_ssl_certs_node(*nodes):
 if index == 1:
 if not exists(ssl_cert, use_sudo=True):
 print "Creating keystone SSL certs in first openstack node"
- sudo('create-keystone-ssl-certs.sh %s' % (
+ subject_alt_names_mgmt = [hstr_to_ip(host)
+ for host in env.roledefs['openstack']]
+ subject_alt_names_ctrl = [hstr_to_ip(get_control_host_string(host))
+ for host in env.roledefs['openstack']]
+ subject_alt_names = subject_alt_names_mgmt + subject_alt_names_ctrl
+ if get_openstack_external_vip():
+ subject_alt_names.append(get_openstack_external_vip())
+ sudo('create-keystone-ssl-certs.sh %s %s' % (
 get_openstack_internal_vip() or
- hstr_to_ip(get_control_host_string(openstack_host))))
+ hstr_to_ip(get_control_host_string(openstack_host)),
+ ','.join(subject_alt_names)))
 else:
 with settings(host_string=openstack_host,
 password=get_env_passwords(openstack_host)):
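Review bot: The SAN list assembled at `subject_alt_names = subject_alt_names_mgmt + subject_alt_names_ctrl` never includes the address the certificate is actually issued for, `get_openstack_internal_vip()`, although it does add the external VIP; once a certificate carries a SAN extension, most TLS validators ignore the CN, so clients reaching keystone through the internal VIP may fail hostname verification unless `create-keystone-ssl-certs.sh` copies its first argument into the SAN on its own (not visible here). Append it next to the external VIP, `if get_openstack_internal_vip(): subject_alt_names.append(get_openstack_internal_vip())`. On single-interface nodes `subject_alt_names_mgmt` and `subject_alt_names_ctrl` are identical, so the joined string repeats every address; deduplicate before the join, e.g. `','.join(sorted(set(subject_alt_names)))`. The addresses are still interpolated unquoted into the `sudo` command string; they come from the testbed definition rather than a remote party, but quoting each argument (`pipes.quote` on this Python 2 code base) would remove the dependence on their format. setup_keystone_ssl_certs_node's body continues outside the hunk.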
@@ -84,34 +91,19 @@ def setup_keystone_ssl_certs_node(*nodes):
 @task
 @EXECUTE_TASK
 @roles('cfgm')
-def setup_apiserver_ssl_certs(vip='internal'):
+def setup_apiserver_ssl_certs():
 execute('setup_apiserver_ssl_certs_node', env.host_string)
 
 
 @task
-def setup_apiserver_ssl_certs_node(*nodes, **kwargs):
- vip = kwargs.get('vip', 'internal')
- cfgm_host = env.roledefs['cfgm'][0]
- cfgm_ip = kwargs.get('cfgm_ip',
- get_contrail_internal_vip() or hstr_to_ip(get_control_host_string(cfgm_host)))
- if vip == 'external':
- ssl_path = '/etc/contrail/ssl/external/'
- default_certfile = '/etc/contrail/ssl/%s/certs/contrail.pem' % vip
- default_keyfile = '/etc/contrail/ssl/%s/private/contrail.key' % vip
- default_cafile = '/etc/contrail/ssl/%s/certs/contrail_ca.pem' % vip
- ssl_certs = ((get_apiserver_ext_certfile(), default_certfile),
- (get_apiserver_ext_keyfile(), default_keyfile),
- (get_apiserver_ext_cafile(), default_cafile))
- contrailcertbundle = get_apiserver_ext_cert_bundle()
- else:
- ssl_path = '/etc/contrail/ssl/'
- default_certfile = '/etc/contrail/ssl/certs/contrail.pem'
- default_keyfile = '/etc/contrail/ssl/private/contrail.key'
- default_cafile = '/etc/contrail/ssl/certs/contrail_ca.pem'
- ssl_certs = ((get_apiserver_certfile(), default_certfile),
- (get_apiserver_keyfile(), default_keyfile),
- (get_apiserver_cafile(), default_cafile))
- contrailcertbundle = get_apiserver_cert_bundle()
+def setup_apiserver_ssl_certs_node(*nodes):
+ default_certfile = '/etc/contrail/ssl/certs/contrail.pem'
+ default_keyfile = '/etc/contrail/ssl/private/contrail.key'
+ default_cafile = '/etc/contrail/ssl/certs/contrail_ca.pem'
+ contrailcertbundle = get_apiserver_cert_bundle()
+ ssl_certs = ((get_apiserver_certfile(), default_certfile),
+ (get_apiserver_keyfile(), default_keyfile),
+ (get_apiserver_cafile(), default_cafile))
 index = env.roledefs['cfgm'].index(env.host_string) + 1
 for node in nodes:
 with settings(host_string=node, password=get_env_passwords(node)):
@@ -122,10 +114,19 @@ def setup_apiserver_ssl_certs_node(*nodes, **kwargs):
 sudo('rm -f %s' % contrailcertbundle)
 for ssl_cert, default in ssl_certs:
 if ssl_cert == default:
+ cfgm_host = env.roledefs['cfgm'][0]
 if index == 1:
 if not exists(ssl_cert, use_sudo=True):
 print "Creating apiserver SSL certs in first cfgm node"
- sudo('create-ssl-certs.sh %s %s contrail' % (cfgm_ip, ssl_path))
+ subject_alt_names_mgmt = [hstr_to_ip(host)
+ for host in env.roledefs['cfgm']]
+ subject_alt_names_ctrl = [hstr_to_ip(get_control_host_string(host))
+ for host in env.roledefs['cfgm']]
+ subject_alt_names = subject_alt_names_mgmt + subject_alt_names_ctrl
+ if get_contrail_external_vip():
+ subject_alt_names.append(get_contrail_external_vip())
+ cfgm_ip = get_contrail_internal_vip() or hstr_to_ip(get_control_host_string(cfgm_host))
+ sudo('create-api-ssl-certs.sh %s %s' % (cfgm_ip, subject_alt_names))
 else:
 with settings(host_string=cfgm_host,
 password=get_env_passwords(cfgm_host)):
@@ -137,8 +138,8 @@ def setup_apiserver_ssl_certs_node(*nodes, **kwargs):
 tmp_fname = os.path.join(tmp_dir, os.path.basename(ssl_cert))
 get_as_sudo(ssl_cert, tmp_fname)
 print "Copy to this(%s) cfgm node" % env.host_string
- sudo('mkdir -p %scerts/' % ssl_path)
- sudo('mkdir -p %sprivate/' % ssl_path)
+ sudo('mkdir -p /etc/contrail/ssl/certs/')
+ sudo('mkdir -p /etc/contrail/ssl/private/')
 put(tmp_fname, ssl_cert, use_sudo=True)
 os.remove(tmp_fname)
 elif os.path.isfile(ssl_cert):
@@ -151,7 +152,7 @@ def setup_apiserver_ssl_certs_node(*nodes, **kwargs):
 if not exists(contrailcertbundle, use_sudo=True):
 ((certfile, _), (keyfile, _), (cafile, _)) = ssl_certs
 sudo('cat %s %s > %s' % (certfile, cafile, contrailcertbundle))
- sudo("chown -R contrail:contrail %s" % ssl_path)
+ sudo("chown -R contrail:contrail /etc/contrail/ssl")
 
 
 @task
diff --git a/fabfile/utils/host.py b/fabfile/utils/host.py
index 7fe5ec4c5..441907fef 100644
--- a/fabfile/utils/host.py
+++ b/fabfile/utils/host.py
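Review bot: The new `sudo('create-api-ssl-certs.sh %s %s' % (cfgm_ip, subject_alt_names))` formats a Python list with `%s`, so the script receives the list's repr — square brackets, quotes and a space after each comma, which the shell then splits into several words — whereas the keystone counterpart in the same file passes `','.join(subject_alt_names)`; the second argument should be `','.join(subject_alt_names)` here as well. As with the keystone path, `cfgm_ip` (the name the certificate is issued for) is not itself added to the SAN list, and `subject_alt_names_mgmt` and `subject_alt_names_ctrl` coincide on single-interface nodes, so consider `subject_alt_names.append(cfgm_ip)` and deduplicating before the join, unless `create-api-ssl-certs.sh` (not visible here) already handles both. On style, `cfgm_host = env.roledefs['cfgm'][0]` is now recomputed for every entry of `ssl_certs` inside the per-node loop; it does not depend on the loop variables and reads more naturally hoisted above `for ssl_cert, default in ssl_certs:`. setup_apiserver_ssl_certs_node starts and ends outside this hunk.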
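Review bot: `sudo("chown -R contrail:contrail /etc/contrail/ssl")` in the last hunk fixes ownership but nothing in this function constrains the mode of `/etc/contrail/ssl/private`, so `contrail.key` keeps whatever permissions `create-api-ssl-certs.sh` or the `put(tmp_fname, ssl_cert, use_sudo=True)` copy branch gave it (neither is visible here). Assuming the API server runs as the `contrail` user the chown implies, adding `sudo('chmod 700 /etc/contrail/ssl/private')` beside the chown, or a `chmod 600` on `default_keyfile`, keeps the key unreadable to other local accounts regardless of how it was produced or copied.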
@@ -441,25 +441,6 @@ def get_keystone_cert_bundle():
 return '/etc/keystone/ssl/certs/keystonecertbundle.pem'
-def get_apiserver_ext_certfile():
- default = '/etc/contrail/ssl/external/certs/contrail.pem'
- return get_from_testbed_dict('cfgm','certfile', default)
-
-
-def get_apiserver_ext_keyfile():
- default = '/etc/contrail/ssl/external/private/contrail.key'
- return get_from_testbed_dict('cfgm','keyfile', default)
-
-
-def get_apiserver_ext_cafile():
- default = '/etc/contrail/ssl/external/certs/contrail_ca.pem'
- return get_from_testbed_dict('cfgm','cafile', default)
-
-
-def get_apiserver_ext_cert_bundle():
- return '/etc/contrail/ssl/external/certs/contrailcertbundle.pem'
-
-
 def get_apiserver_certfile():
 default = '/etc/contrail/ssl/certs/contrail.pem'
 return get_from_testbed_dict('cfgm','certfile', default)