1.Passing certificate files to setup-vnc-collector to be used

when creating contrail-keystone-auth.conf and vnc_api_lib.ini 2. Setting api_server_use_ssl parameter in contrail-analytics-api config file Change-Id: I57cfea8b39a6479d6fc1b81479f66b1d2fb1f0d3 Closes-Bug: 1610879
Juniper · Aug 8, 2016 · 751bb5c · 751bb5c
1 parent c7f97b6
commit 751bb5c
Show file tree

Hide file tree

Showing 4 changed files with 79 additions and 63 deletions.
diff --git a/contrail_provisioning/collector/setup.py b/contrail_provisioning/collector/setup.py
@@ -29,9 +29,18 @@ def __init__(self, args_str = None):
             'keystone_admin_tenant_name': 'admin',
             'keystone_service_tenant_name' : 'service',
             'keystone_auth_protocol': 'http',
+            'keystone_insecure': False,
+            'keystone_certfile': None,
+            'keystone_keyfile': None,
+            'keystone_cafile': None,
             'keystone_auth_port': '35357',
             'aaa_mode': 'cloud-admin',
             'keystone_version': 'v2.0',
+            'apiserver_insecure': False,
+            'apiserver_certfile': None,
+            'apiserver_keyfile': None,
+            'apiserver_cafile': None,
+            'orchestrator' : 'openstack',
         }
 
         self.parse_args(args_str)
@@ -46,6 +55,16 @@ def __init__(self, args_str = None):
             self.zookeeper_server_list = [(zookeeper_server_ip, zookeeper_port) for \
                 zookeeper_server_ip in self._args.zookeeper_ip_list]
 
+        self.api_ssl_enabled = False
+        if (self._args.apiserver_keyfile and
+                self._args.apiserver_certfile and self._args.apiserver_cafile):
+            self.api_ssl_enabled = True
+        self.keystone_ssl_enabled = False
+        if (self._args.keystone_keyfile and
+                self._args.keystone_certfile and self._args.keystone_cafile):
+            self.keystone_ssl_enabled = True
+
+
     def parse_args(self, args_str):
         '''
         Eg. setup-vnc-collector --cassandra_ip_list 10.1.1.1 10.1.1.2
@@ -87,6 +106,9 @@ def parse_args(self, args_str):
             default = 'False')
         parser.add_argument("--keystone_version", choices=['v2.0', 'v3'],
             help = "Keystone Version")
+        parser.add_argument("--keystone_certfile", help="")
+        parser.add_argument("--keystone_keyfile", help="")
+        parser.add_argument("--keystone_cafile", help="")
         parser.add_argument("--aaa_mode", help="AAA mode",
             choices=['no-auth', 'cloud-admin', 'cloud-admin-only'])
         parser.add_argument("--cloud_admin_role",
@@ -98,6 +120,12 @@ def parse_args(self, args_str):
         parser.add_argument("--amqp_ip_list",
             help="List of IP addresses of AMQP servers", nargs="+", type=str)
         parser.add_argument("--amqp_port", help="Port number of AMQP server")
+        parser.add_argument("--apiserver_insecure",
+            help = "Connect to apiserver in secure or insecure mode if in https mode")
+        parser.add_argument("--apiserver_certfile", help="")
+        parser.add_argument("--apiserver_keyfile", help="")
+        parser.add_argument("--apiserver_cafile", help="")
+        parser.add_argument("--orchestrator", help="Orchestrator used by contrail")
         self._args = parser.parse_args(self.remaining_argv)
 
     def fixup_config_files(self):
@@ -109,6 +137,8 @@ def fixup_config_files(self):
         self.fixup_contrail_analytics_nodemgr()
         if not os.path.exists('/etc/contrail/contrail-keystone-auth.conf'):
             self.fixup_keystone_auth_config_file(False)
+        if not os.path.exists('/etc/contrail/vnc_api_lib.ini'):
+            self.fixup_vnc_api_lib_ini()
         self.fixup_contrail_alarm_gen()
         self.fixup_cassandra_config()
         self.fixup_ini_files()
@@ -317,6 +347,7 @@ def fixup_contrail_analytics_api(self):
             'analytics_statistics_ttl' : self._args.analytics_statistics_ttl,
             'analytics_flow_ttl' : self._args.analytics_flow_ttl,
             'api_server' : self._args.cfgm_ip + ':8082',
+            'api_server_use_ssl': 'True' if self.api_ssl_enabled else 'False',
             'aaa_mode' : 'cloud-admin' if self._args.aaa_mode == 'cloud-admin-only' else self._args.aaa_mode,
             },
           'REDIS' : {
@@ -367,7 +398,8 @@ def run_services(self):
             local("sudo collector-server-setup.sh multinode")
         else:
             local("sudo collector-server-setup.sh")
-#end class SetupVncCollector
+
+#end class CollectorSetup
 
 def main(args_str = None):
     collector = CollectorSetup(args_str)

diff --git a/contrail_provisioning/common/base.py b/contrail_provisioning/common/base.py
@@ -16,6 +16,7 @@
 
 from fabric.api import *
 from contrail_provisioning.common.templates import contrail_keystone_auth_conf
+from contrail_provisioning.config.templates import vnc_api_lib_ini
 
 class ContrailSetup(object):
     def __init__(self):
@@ -294,14 +295,48 @@ def fixup_keystone_auth_config_file(self, configure_memcache):
                          '__contrail_memcached_opt__': 'memcache_servers=127.0.0.1:11211' if configure_memcache else '',
                          '__contrail_ks_auth_url__': '%s://%s:%s/%s' % (self._args.keystone_auth_protocol,
                              self._args.keystone_ip, self._args.keystone_auth_port, self._args.keystone_version),
-                         '__keystone_cert_file_opt__': 'certfile=%s' % self._args.keystone_certfile or '',
-                         '__keystone_key_file_opt__': 'keyfile=%s' % self._args.keystone_keyfile or '',
-                         '__keystone_ca_file_opt__': 'cafile=%s' % self._args.keystone_cafile or '',
+                         '__keystone_cert_file_opt__': 'certfile=%s' % self._args.keystone_certfile if self._args.keystone_certfile else '',
+                         '__keystone_key_file_opt__': 'keyfile=%s' % self._args.keystone_keyfile if self._args.keystone_keyfile else '',
+                         '__keystone_ca_file_opt__': 'cafile=%s' % self._args.keystone_cafile if self._args.keystone_cafile else '',
                         }
         self._template_substitute_write(contrail_keystone_auth_conf.template,
                                         template_vals, self._temp_dir_name + '/contrail-keystone-auth.conf')
         local("sudo mv %s/contrail-keystone-auth.conf /etc/contrail/" %(self._temp_dir_name))
 
+    def fixup_vnc_api_lib_ini(self):
+        if hasattr(self, 'contrail_internal_vip'):
+            api_server = self.contrail_internal_vip or self.cfgm_ip
+        else:
+            api_server = self._args.cfgm_ip
+        # vnc_api_lib.ini
+        authn_url = '/v3/auth/tokens' if 'v3' in self._args.keystone_version else '/v2.0/tokens'
+        template_vals = {
+                         '__contrail_apiserver_ip__': api_server,
+                         '__contrail_keystone_ip__': self._args.keystone_ip or '127.0.0.1',
+                         '__contrail_authn_url__': authn_url,
+                         '__auth_protocol__': self._args.keystone_auth_protocol,
+                        }
+        self._template_substitute_write(vnc_api_lib_ini.template,
+                                        template_vals, self._temp_dir_name + '/vnc_api_lib.ini')
+        local("sudo mv %s/vnc_api_lib.ini /etc/contrail/" %(self._temp_dir_name))
+        conf_file = "/etc/contrail/vnc_api_lib.ini"
+        if self.api_ssl_enabled:
+            configs = {'certfile': self._args.apiserver_certfile,
+                       'keyfile': self._args.apiserver_keyfile,
+                       'cafile': self._args.apiserver_cafile,
+                       'insecure': self._args.apiserver_insecure}
+            for param, value in configs.items():
+                self.set_config(conf_file, 'global', param, value)
+        if self.keystone_ssl_enabled:
+            configs = {'cafile': self._args.keystone_cafile,
+                       'insecure': self._args.keystone_insecure}
+            for param, value in configs.items():
+                self.set_config(conf_file, 'auth', param, value)
+        if self._args.orchestrator == 'vcenter':
+            # Remove the auth setion from /etc/contrail/vnc_api_lib.ini
+            # if orchestrator is not openstack
+            local("sudo contrail-config --del %s auth" % conf_file)
+
     def set_config(self, fl, sec, var, val=''):
         with settings(warn_only=True):
             local("contrail-config --set %s %s %s '%s'" % (

diff --git a/contrail_provisioning/config/common.py b/contrail_provisioning/config/common.py
@@ -27,7 +27,6 @@
 from contrail_provisioning.config.templates import contrail_discovery_ini
 from contrail_provisioning.config.templates import contrail_discovery_ini_centos
 from contrail_provisioning.config.templates import contrail_discovery_svc
-from contrail_provisioning.config.templates import vnc_api_lib_ini
 from contrail_provisioning.config.templates import contrail_sudoers
 from contrail_provisioning.config.templates import contrail_config_nodemgr_template
 from contrail_provisioning.common.templates import contrail_database_template
@@ -58,8 +57,10 @@ def __init__(self, config_args, args_str=None):
                                         for amqp in amqp_ip_list])
         self.contrail_internal_vip = (self._args.contrail_internal_vip or
                                  self._args.internal_vip)
-        self.api_ssl_enabled = (self._args.apiserver_keyfile and
-                self._args.apiserver_certfile and self._args.apiserver_cafile)
+        self.api_ssl_enabled = False
+        if (self._args.apiserver_keyfile and
+                self._args.apiserver_certfile and self._args.apiserver_cafile):
+            self.api_ssl_enabled = True
 
     def fixup_config_files(self):
         self.fixup_cassandra_config()
@@ -320,34 +321,6 @@ def fixup_discovery_initd(self):
         local("sudo mv %s/contrail-discovery /etc/init.d/" %(self._temp_dir_name))
         local("sudo chmod a+x /etc/init.d/contrail-discovery")
 
-    def fixup_vnc_api_lib_ini(self):
-        # vnc_api_lib.ini
-        authn_url = '/v3/auth/tokens' if 'v3' in self._args.keystone_version else '/v2.0/tokens'
-        template_vals = {
-                         '__contrail_keystone_ip__': '127.0.0.1',
-                         '__contrail_authn_url__': authn_url,
-                         '__auth_protocol__': 'https' if self.api_ssl_enabled else 'http',
-                         '__contrail_apiserver_ip__': self.contrail_internal_vip or self.cfgm_ip,
-                        }
-        self._template_substitute_write(vnc_api_lib_ini.template,
-                                        template_vals, self._temp_dir_name + '/vnc_api_lib.ini')
-        local("sudo mv %s/vnc_api_lib.ini /etc/contrail/" %(self._temp_dir_name))
-        conf_file = "/etc/contrail/vnc_api_lib.ini"
-        if self.api_ssl_enabled:
-            configs = {'certfile': self._args.apiserver_certfile,
-                       'keyfile': self._args.apiserver_keyfile,
-                       'cafile': self._args.apiserver_cafile,
-                       'insecure': self._args.apiserver_insecure}
-            for param, value in configs.items():
-                self.set_config(conf_file, 'global', param, value)
-            config = {'cafile' : self._args.keystone_cafile,
-                      'insecure': self._args.keystone_insecure}
-            for param, value in configs.items():
-                self.set_config(conf_file, 'auth', param, value)
-        # Remove the auth setion from /etc/contrail/vnc_api_lib.ini, will be added by
-        # Orchestrator specific setup if required.
-        local("sudo contrail-config --del %s auth" % conf_file)
-
     def fixup_contrail_sudoers(self):
         # sudoers for contrail
             template_vals = {

diff --git a/contrail_provisioning/config/openstack.py b/contrail_provisioning/config/openstack.py
@@ -11,7 +11,6 @@
 from fabric.context_managers import settings
 
 from contrail_provisioning.config.common import ConfigBaseSetup
-from contrail_provisioning.config.templates import vnc_api_lib_ini
 from contrail_provisioning.config.templates import contrail_plugin_ini
 from contrail_provisioning.config.templates import contrail_config_nodemgr_template
 from contrail_provisioning.common.templates import contrail_database_template
@@ -20,8 +19,10 @@ class ConfigOpenstackSetup(ConfigBaseSetup):
     def __init__(self, config_args, args_str=None):
         super(ConfigOpenstackSetup, self).__init__(config_args)
         self._args = config_args
-        self.keystone_ssl_enabled = (self._args.keystone_keyfile and
-                self._args.keystone_certfile and self._args.keystone_cafile)
+        self.keystone_ssl_enabled = False
+        if (self._args.keystone_keyfile and
+                self._args.keystone_certfile and self._args.keystone_cafile):
+            self.keystone_ssl_enabled = True
 
     def fixup_config_files(self):
         self.fixup_cassandra_config()
@@ -120,31 +121,6 @@ def fixup_contrail_plugin_ini(self):
             if os.path.exists(neutron_def_file):
                 local("sudo sed -i 's/NEUTRON_PLUGIN_CONFIG=.*/NEUTRON_PLUGIN_CONFIG=\"\/etc\/neutron\/plugins\/opencontrail\/ContrailPlugin.ini\"/g' %s" %(neutron_def_file))
 
-    def fixup_vnc_api_lib_ini(self):
-        # vnc_api_lib.ini
-        authn_url = '/v3/auth/tokens' if 'v3' in self._args.keystone_version else '/v2.0/tokens'
-        template_vals = {
-                         '__contrail_apiserver_ip__': self.contrail_internal_vip or self.cfgm_ip,
-                         '__contrail_keystone_ip__': self._args.keystone_ip,
-                         '__contrail_authn_url__': authn_url,
-                         '__auth_protocol__': 'https' if self.api_ssl_enabled else 'http',
-                        }
-        self._template_substitute_write(vnc_api_lib_ini.template,
-                                        template_vals, self._temp_dir_name + '/vnc_api_lib.ini')
-        local("sudo mv %s/vnc_api_lib.ini /etc/contrail/" %(self._temp_dir_name))
-        conf_file = "/etc/contrail/vnc_api_lib.ini"
-        configs = {'certfile': self._args.apiserver_certfile,
-                   'keyfile': self._args.apiserver_keyfile,
-                   'cafile': self._args.apiserver_cafile,
-                   'insecure': self._args.apiserver_insecure}
-        for param, value in configs.items():
-            self.set_config(conf_file, 'global', param, value)
-        if self.keystone_ssl_enabled:
-            configs = {'cafile': self._args.keystone_cafile,
-                       'insecure': self._args.keystone_insecure}
-            for param, value in configs.items():
-                self.set_config(conf_file, 'auth', param, value)
-
     def build_ctrl_details(self):
         ctrl_infos = []
         ctrl_details = "%s/ctrl-details" % self._temp_dir_name