diff --git a/contrail_provisioning/collector/setup.py b/contrail_provisioning/collector/setup.py index 6e937206..49cce251 100755 --- a/contrail_provisioning/collector/setup.py +++ b/contrail_provisioning/collector/setup.py @@ -29,9 +29,18 @@ def __init__(self, args_str = None): 'keystone_admin_tenant_name': 'admin', 'keystone_service_tenant_name' : 'service', 'keystone_auth_protocol': 'http', + 'keystone_insecure': False, + 'keystone_certfile': None, + 'keystone_keyfile': None, + 'keystone_cafile': None, 'keystone_auth_port': '35357', 'aaa_mode': 'cloud-admin', 'keystone_version': 'v2.0', + 'apiserver_insecure': False, + 'apiserver_certfile': None, + 'apiserver_keyfile': None, + 'apiserver_cafile': None, + 'orchestrator' : 'openstack', } self.parse_args(args_str) @@ -46,6 +55,16 @@ def __init__(self, args_str = None): self.zookeeper_server_list = [(zookeeper_server_ip, zookeeper_port) for \ zookeeper_server_ip in self._args.zookeeper_ip_list] + self.api_ssl_enabled = False + if (self._args.apiserver_keyfile and + self._args.apiserver_certfile and self._args.apiserver_cafile): + self.api_ssl_enabled = True + self.keystone_ssl_enabled = False + if (self._args.keystone_keyfile and + self._args.keystone_certfile and self._args.keystone_cafile): + self.keystone_ssl_enabled = True + + def parse_args(self, args_str): ''' Eg. setup-vnc-collector --cassandra_ip_list 10.1.1.1 10.1.1.2 @@ -87,6 +106,9 @@ def parse_args(self, args_str): default = 'False') parser.add_argument("--keystone_version", choices=['v2.0', 'v3'], help = "Keystone Version") + parser.add_argument("--keystone_certfile", help="") + parser.add_argument("--keystone_keyfile", help="") + parser.add_argument("--keystone_cafile", help="") parser.add_argument("--aaa_mode", help="AAA mode", choices=['no-auth', 'cloud-admin', 'cloud-admin-only']) parser.add_argument("--cloud_admin_role", 
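Review bot: `api_ssl_enabled` and `keystone_ssl_enabled` only become True when all three of keyfile, certfile and cafile are given, so a caller that supplies just `--apiserver_cafile` (server verification only) ends up with `api_server_use_ssl` written as `'False'` (`@@ -317,6`) and the CA file silently ignored — a partial TLS configuration degrades to plaintext without any message. Consider rejecting a partial set explicitly, e.g. `files = (self._args.apiserver_keyfile, self._args.apiserver_certfile, self._args.apiserver_cafile)` / `if any(files) and not all(files): raise ValueError('apiserver SSL needs keyfile, certfile and cafile together')`, or at least logging the downgrade. The same all-three-or-nothing rewrite appears in config/common.py (`@@ -58,8`) and config/openstack.py (`@@ -20,8`) on this page; `self.api_ssl_enabled = all(files)` reads more directly than the flag-then-if form in all three places. The enclosing `__init__` starts outside the hunk.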
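Review bot: The three new keystone options carry `help=""`, so `--help` says nothing about what they expect; suggest `help="Certificate file for TLS connections to Keystone"`, `help="Private key file for TLS connections to Keystone"` and `help="CA certificate file used to verify the Keystone server"`. No `--keystone_insecure` option is added here although the defaults dict (`@@ -29,9`) carries `keystone_insecure` and the new `fixup_vnc_api_lib_ini` in base.py reads `self._args.keystone_insecure`; unless those defaults are applied to the parser (e.g. via `set_defaults`, not visible here), that read would raise AttributeError for the collector. parse_args continues outside the hunk.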
@@ -98,6 +120,12 @@ def parse_args(self, args_str): parser.add_argument("--amqp_ip_list", help="List of IP addresses of AMQP servers", nargs="+", type=str) parser.add_argument("--amqp_port", help="Port number of AMQP server") + parser.add_argument("--apiserver_insecure", + help = "Connect to apiserver in secure or insecure mode if in https mode") + parser.add_argument("--apiserver_certfile", help="") + parser.add_argument("--apiserver_keyfile", help="") + parser.add_argument("--apiserver_cafile", help="") + parser.add_argument("--orchestrator", help="Orchestrator used by contrail") self._args = parser.parse_args(self.remaining_argv) def fixup_config_files(self): @@ -109,6 +137,8 @@ def fixup_config_files(self): self.fixup_contrail_analytics_nodemgr() if not os.path.exists('/etc/contrail/contrail-keystone-auth.conf'): self.fixup_keystone_auth_config_file(False) + if not os.path.exists('/etc/contrail/vnc_api_lib.ini'): + self.fixup_vnc_api_lib_ini() self.fixup_contrail_alarm_gen() self.fixup_cassandra_config() self.fixup_ini_files() @@ -317,6 +347,7 @@ def fixup_contrail_analytics_api(self): 'analytics_statistics_ttl' : self._args.analytics_statistics_ttl, 'analytics_flow_ttl' : self._args.analytics_flow_ttl, 'api_server' : self._args.cfgm_ip + ':8082', + 'api_server_use_ssl': 'True' if self.api_ssl_enabled else 'False', 'aaa_mode' : 'cloud-admin' if self._args.aaa_mode == 'cloud-admin-only' else self._args.aaa_mode, }, 'REDIS' : { @@ -367,7 +398,8 @@ def run_services(self): local("sudo collector-server-setup.sh multinode") else: local("sudo collector-server-setup.sh") -#end class SetupVncCollector + +#end class CollectorSetup def main(args_str = None): collector = CollectorSetup(args_str) diff --git a/contrail_provisioning/common/base.py b/contrail_provisioning/common/base.py index 1e9ec371..d03cb893 100644 --- a/contrail_provisioning/common/base.py +++ b/contrail_provisioning/common/base.py 
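Review bot: `--apiserver_insecure` is declared without `action` or `type`, so whatever string is given on the command line is stored as-is and written verbatim into the `insecure` key of vnc_api_lib.ini by `fixup_vnc_api_lib_ini`, while the default in the defaults dict is the bool `False`; the two sources produce different spellings and a typo such as `--apiserver_insecure ture` is accepted silently. Suggest `parser.add_argument("--apiserver_insecure", action="store_true", help="Skip server certificate verification when connecting to the API server over https")` — or a `type=` that parses true/false strings if existing callers pass an explicit value — and the help text should state plainly that this disables certificate checking. `--orchestrator` has no `choices`, yet base.py branches on `== 'vcenter'`; `choices=['openstack', 'vcenter']` would catch misspellings if those are the only supported values. parse_args continues outside the hunk.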
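Review bot: The new `fixup_vnc_api_lib_ini()` call is skipped whenever `/etc/contrail/vnc_api_lib.ini` already exists, so re-running the collector setup after adding `--apiserver_certfile/keyfile/cafile` leaves a stale ini without the `certfile`/`keyfile`/`cafile`/`insecure` keys while the analytics-api config written by `fixup_contrail_analytics_api` (`@@ -317,6`) is regenerated with `api_server_use_ssl` set to `'True'`; the two files then disagree. This mirrors the existing keystone-auth guard, but it deserves a comment, e.g. `# vnc_api_lib.ini is written only once; remove it before rerunning to pick up new SSL settings`, or the file should be regenerated when SSL is enabled. fixup_config_files continues outside the hunk.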
@@ -16,6 +16,7 @@ from fabric.api import * from contrail_provisioning.common.templates import contrail_keystone_auth_conf +from contrail_provisioning.config.templates import vnc_api_lib_ini class ContrailSetup(object): def __init__(self): 
@@ -294,14 +295,48 @@ def fixup_keystone_auth_config_file(self, configure_memcache): '__contrail_memcached_opt__': 'memcache_servers=127.0.0.1:11211' if configure_memcache else '', '__contrail_ks_auth_url__': '%s://%s:%s/%s' % (self._args.keystone_auth_protocol, self._args.keystone_ip, self._args.keystone_auth_port, self._args.keystone_version), - '__keystone_cert_file_opt__': 'certfile=%s' % self._args.keystone_certfile or '', - '__keystone_key_file_opt__': 'keyfile=%s' % self._args.keystone_keyfile or '', - '__keystone_ca_file_opt__': 'cafile=%s' % self._args.keystone_cafile or '', + '__keystone_cert_file_opt__': 'certfile=%s' % self._args.keystone_certfile if self._args.keystone_certfile else '', + '__keystone_key_file_opt__': 'keyfile=%s' % self._args.keystone_keyfile if self._args.keystone_keyfile else '', + '__keystone_ca_file_opt__': 'cafile=%s' % self._args.keystone_cafile if self._args.keystone_cafile else '', } self._template_substitute_write(contrail_keystone_auth_conf.template, template_vals, self._temp_dir_name + '/contrail-keystone-auth.conf') local("sudo mv %s/contrail-keystone-auth.conf /etc/contrail/" %(self._temp_dir_name)) + def fixup_vnc_api_lib_ini(self): + if hasattr(self, 'contrail_internal_vip'): + api_server = self.contrail_internal_vip or self.cfgm_ip + else: + api_server = self._args.cfgm_ip + # vnc_api_lib.ini + authn_url = '/v3/auth/tokens' if 'v3' in self._args.keystone_version else '/v2.0/tokens' + template_vals = { + '__contrail_apiserver_ip__': api_server, + '__contrail_keystone_ip__': self._args.keystone_ip or '127.0.0.1', + '__contrail_authn_url__': authn_url, + '__auth_protocol__': self._args.keystone_auth_protocol, + } + self._template_substitute_write(vnc_api_lib_ini.template, + template_vals, self._temp_dir_name + '/vnc_api_lib.ini') + local("sudo mv %s/vnc_api_lib.ini /etc/contrail/" %(self._temp_dir_name)) + conf_file = "/etc/contrail/vnc_api_lib.ini" + if self.api_ssl_enabled: + configs = {'certfile': 
self._args.apiserver_certfile, + 'keyfile': self._args.apiserver_keyfile, + 'cafile': self._args.apiserver_cafile, + 'insecure': self._args.apiserver_insecure} + for param, value in configs.items(): + self.set_config(conf_file, 'global', param, value) + if self.keystone_ssl_enabled: + configs = {'cafile': self._args.keystone_cafile, + 'insecure': self._args.keystone_insecure} + for param, value in configs.items(): + self.set_config(conf_file, 'auth', param, value) + if self._args.orchestrator == 'vcenter': + # Remove the auth setion from /etc/contrail/vnc_api_lib.ini + # if orchestrator is not openstack + local("sudo contrail-config --del %s auth" % conf_file) + def set_config(self, fl, sec, var, val=''): with settings(warn_only=True): local("contrail-config --set %s %s %s '%s'" % ( diff --git a/contrail_provisioning/config/common.py b/contrail_provisioning/config/common.py index c6519cbd..95b42833 100755 --- a/contrail_provisioning/config/common.py +++ b/contrail_provisioning/config/common.py @@ -27,7 +27,6 @@ from contrail_provisioning.config.templates import contrail_discovery_ini from contrail_provisioning.config.templates import contrail_discovery_ini_centos from contrail_provisioning.config.templates import contrail_discovery_svc -from contrail_provisioning.config.templates import vnc_api_lib_ini from contrail_provisioning.config.templates import contrail_sudoers from contrail_provisioning.config.templates import contrail_config_nodemgr_template from contrail_provisioning.common.templates import contrail_database_template 
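Review bot: In the new `fixup_vnc_api_lib_ini`, the comment above the `contrail-config --del` says the auth section is removed "if orchestrator is not openstack", but the condition is `== 'vcenter'`, so any third value keeps the section; either the comment or the test should change (`if self._args.orchestrator != 'openstack':` matches the comment), and `setion` should read `section`. The method also reads `self.api_ssl_enabled`, `self.keystone_ssl_enabled` and `self._args.orchestrator`, none of which `ContrailSetup` sets itself — on this page the collector sets both flags, config/common.py only `api_ssl_enabled` and config/openstack.py only `keystone_ssl_enabled` — so a subclass reaching this method without defining them would hit AttributeError; `getattr(self, 'keystone_ssl_enabled', False)` or defaults in `ContrailSetup.__init__` would close that. The `[auth]` `cafile`/`insecure` keys are written only when keystone keyfile, certfile and cafile are all present, so a CA-only keystone configuration is silently dropped from the generated ini. `set_config`'s body continues outside the hunk.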
@@ -58,8 +57,10 @@ def __init__(self, config_args, args_str=None): for amqp in amqp_ip_list]) self.contrail_internal_vip = (self._args.contrail_internal_vip or self._args.internal_vip) - self.api_ssl_enabled = (self._args.apiserver_keyfile and - self._args.apiserver_certfile and self._args.apiserver_cafile) + self.api_ssl_enabled = False + if (self._args.apiserver_keyfile and + self._args.apiserver_certfile and self._args.apiserver_cafile): + self.api_ssl_enabled = True def fixup_config_files(self): self.fixup_cassandra_config() 
@@ -320,34 +321,6 @@ def fixup_discovery_initd(self): local("sudo mv %s/contrail-discovery /etc/init.d/" %(self._temp_dir_name)) local("sudo chmod a+x /etc/init.d/contrail-discovery") - def fixup_vnc_api_lib_ini(self): - # vnc_api_lib.ini - authn_url = '/v3/auth/tokens' if 'v3' in self._args.keystone_version else '/v2.0/tokens' - template_vals = { - '__contrail_keystone_ip__': '127.0.0.1', - '__contrail_authn_url__': authn_url, - '__auth_protocol__': 'https' if self.api_ssl_enabled else 'http', - '__contrail_apiserver_ip__': self.contrail_internal_vip or self.cfgm_ip, - } - self._template_substitute_write(vnc_api_lib_ini.template, - template_vals, self._temp_dir_name + '/vnc_api_lib.ini') - local("sudo mv %s/vnc_api_lib.ini /etc/contrail/" %(self._temp_dir_name)) - conf_file = "/etc/contrail/vnc_api_lib.ini" - if self.api_ssl_enabled: - configs = {'certfile': self._args.apiserver_certfile, - 'keyfile': self._args.apiserver_keyfile, - 'cafile': self._args.apiserver_cafile, - 'insecure': self._args.apiserver_insecure} - for param, value in configs.items(): - self.set_config(conf_file, 'global', param, value) - config = {'cafile' : self._args.keystone_cafile, - 'insecure': self._args.keystone_insecure} - for param, value in configs.items(): - self.set_config(conf_file, 'auth', param, value) - # Remove the auth setion from /etc/contrail/vnc_api_lib.ini, will be added by - # Orchestrator specific setup if required. - local("sudo contrail-config --del %s auth" % conf_file) - def fixup_contrail_sudoers(self): # sudoers for contrail template_vals = { diff --git a/contrail_provisioning/config/openstack.py b/contrail_provisioning/config/openstack.py index cbd7114b..033e59a9 100755 --- a/contrail_provisioning/config/openstack.py +++ b/contrail_provisioning/config/openstack.py 
@@ -11,7 +11,6 @@ from fabric.context_managers import settings from contrail_provisioning.config.common import ConfigBaseSetup -from contrail_provisioning.config.templates import vnc_api_lib_ini from contrail_provisioning.config.templates import contrail_plugin_ini from contrail_provisioning.config.templates import contrail_config_nodemgr_template from contrail_provisioning.common.templates import contrail_database_template @@ -20,8 +19,10 @@ class ConfigOpenstackSetup(ConfigBaseSetup): def __init__(self, config_args, args_str=None): super(ConfigOpenstackSetup, self).__init__(config_args) self._args = config_args - self.keystone_ssl_enabled = (self._args.keystone_keyfile and - self._args.keystone_certfile and self._args.keystone_cafile) + self.keystone_ssl_enabled = False + if (self._args.keystone_keyfile and + self._args.keystone_certfile and self._args.keystone_cafile): + self.keystone_ssl_enabled = True def fixup_config_files(self): self.fixup_cassandra_config() 
@@ -120,31 +121,6 @@ def fixup_contrail_plugin_ini(self): if os.path.exists(neutron_def_file): local("sudo sed -i 's/NEUTRON_PLUGIN_CONFIG=.*/NEUTRON_PLUGIN_CONFIG=\"\/etc\/neutron\/plugins\/opencontrail\/ContrailPlugin.ini\"/g' %s" %(neutron_def_file)) - def fixup_vnc_api_lib_ini(self): - # vnc_api_lib.ini - authn_url = '/v3/auth/tokens' if 'v3' in self._args.keystone_version else '/v2.0/tokens' - template_vals = { - '__contrail_apiserver_ip__': self.contrail_internal_vip or self.cfgm_ip, - '__contrail_keystone_ip__': self._args.keystone_ip, - '__contrail_authn_url__': authn_url, - '__auth_protocol__': 'https' if self.api_ssl_enabled else 'http', - } - self._template_substitute_write(vnc_api_lib_ini.template, - template_vals, self._temp_dir_name + '/vnc_api_lib.ini') - local("sudo mv %s/vnc_api_lib.ini /etc/contrail/" %(self._temp_dir_name)) - conf_file = "/etc/contrail/vnc_api_lib.ini" - configs = {'certfile': self._args.apiserver_certfile, - 'keyfile': self._args.apiserver_keyfile, - 'cafile': self._args.apiserver_cafile, - 'insecure': self._args.apiserver_insecure} - for param, value in configs.items(): - self.set_config(conf_file, 'global', param, value) - if self.keystone_ssl_enabled: - configs = {'cafile': self._args.keystone_cafile, - 'insecure': self._args.keystone_insecure} - for param, value in configs.items(): - self.set_config(conf_file, 'auth', param, value) - def build_ctrl_details(self): ctrl_infos = [] ctrl_details = "%s/ctrl-details" % self._temp_dir_name