Closes-Bug: #1522597, Server Manager support for tls certificate and …

…key distribution - enable server manager code to generate certs - fix default names to match with puppet code - Add fileserver.conf to support puppet cert link point Change-Id: I14e7ff379ba0d6f3c3ace980ac5884450a658821
Juniper · Dec 17, 2015 · 30f90d4 · 30f90d4
1 parent 409eee0
commit 30f90d4
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 7 deletions.
diff --git a/src/puppet/fileserver.conf b/src/puppet/fileserver.conf
@@ -10,3 +10,6 @@
 #  allow *.example.com
 #  deny *.evil.example.com
 #  allow 192.168.0.0/24
+[ssl_certs]
+  path /etc/contrail_smgr/puppet/ssl
+  allow *
diff --git a/src/server_mgr_certs.py b/src/server_mgr_certs.py
@@ -25,8 +25,8 @@ def __init__(self, cert_location=_DEF_CERT_LOCATION, log_file=_DEF_CERT_LOG,
                             log_level=log_level)
 
     def create_sm_ca_cert(self, force=False):
-        sm_ca_private_key = self._smgr_cert_location + 'sm_ca.key'
-        sm_ca_cert = self._smgr_cert_location + 'sm_ca.cert'
+        sm_ca_private_key = self._smgr_cert_location + 'ca-cert-privkey.pem'
+        sm_ca_cert = self._smgr_cert_location + 'ca-cert.pem'
         if not force and os.path.isfile(sm_ca_private_key) and os.path.isfile(sm_ca_cert):
             self._smgr_ca_private_key = sm_ca_private_key
             self._smgr_ca_cert = sm_ca_cert
@@ -40,7 +40,7 @@ def create_sm_ca_cert(self, force=False):
         return sm_ca_private_key, sm_ca_cert
 
     def create_server_cert(self, server, force=False):
-        server_private_key = self._smgr_cert_location + server['id'] + '.key'
+        server_private_key = self._smgr_cert_location + server['id'] + '-privkey.pem'
         server_csr = self._smgr_cert_location + server['id'] + '.csr'
         server_pem = self._smgr_cert_location + server['id'] + '.pem'
         if not force and os.path.isfile(server_private_key) and os.path.isfile(server_pem):
@@ -53,7 +53,7 @@ def create_server_cert(self, server, force=False):
         return server_private_key, server_csr, server_pem
 
     def delete_server_cert(self, server):
-        server_private_key = self._smgr_cert_location + server['id'] + '.key'
+        server_private_key = self._smgr_cert_location + server['id'] + '-privkey.pem'
         server_csr = self._smgr_cert_location + server['id'] + '.csr'
         server_pem = self._smgr_cert_location + server['id'] + '.pem'
         if os.path.isfile(server_private_key):

diff --git a/src/server_mgr_main.py b/src/server_mgr_main.py
@@ -14,11 +14,11 @@
 import sys
 import re
 import datetime
-import subprocess
 import json
 import argparse
 from gevent import monkey
 monkey.patch_all(thread=not 'unittest' in sys.modules)
+import subprocess
 import bottle
 from bottle import route, run, request, abort
 import ConfigParser
@@ -42,6 +42,7 @@
 from server_mgr_err import *
 from server_mgr_status import *
 from server_mgr_db import ServerMgrDb as db
+from server_mgr_certs import ServerMgrCerts
 try:
     from server_mgr_cobbler import ServerMgrCobbler as ServerMgrCobbler
 except ImportError:
@@ -393,6 +394,10 @@ def __init__(self, args_str=None):
                      "Error starting the status thread")
             exit()
 
+        # Generate SM Certs
+        self._smgr_certs = ServerMgrCerts()
+        sm_private_key, sm_cert = self._smgr_certs.create_sm_ca_cert()
+
         # Read the JSON file, validate for correctness and add the entries to
         # our DB.
         if self._args.server_list is not None:
@@ -2320,6 +2325,7 @@ def delete_server(self):
             # Inventory Delete Info Trigger
             if self._server_inventory_obj:
                 gevent.spawn(self._server_inventory_obj.handle_inventory_trigger, "delete", servers)
+            self._smgr_certs.delete_server_cert(server)
         except ServerMgrException as e:
             self._smgr_trans_log.log(bottle.request,
                                 self._smgr_trans_log.DELETE_SMGR_CFG_SERVER,
@@ -3612,6 +3618,8 @@ def provision_server(self):
                 provision_params['keystone_tenant'] = cluster_params['keystone_tenant']
                 provision_params['analytics_data_ttl'] = cluster_params['analytics_data_ttl']
                 provision_params['phy_interface'] = server_params['interface_name']
+                if 'xmpp_auth_enabled' in cluster_params:
+                    provision_params['xmpp_auth_enabled'] = cluster_params['xmpp_auth_enabled']
                 if 'contrail' in server:
                     provision_params['contrail_params']  = server['contrail']
                 if 'gateway' in server and server['gateway']:
@@ -4314,7 +4322,7 @@ def _do_provision_server(
                 server,
                 cluster,
                 cluster_servers)
-
+            self._smgr_certs.create_server_cert(server)
             # Update Server table with provisioned id
             update = {'id': provision_parameters['server_id'],
                       'provisioned_id': provision_parameters['package_image_id']}

diff --git a/src/server_mgr_puppet.py b/src/server_mgr_puppet.py
@@ -18,6 +18,7 @@
 import re
 import openstack_hieradata
 import yaml
+from server_mgr_err import *
 from server_mgr_logger import ServerMgrlogger as ServerMgrlogger
 from server_mgr_exception import ServerMgrException as ServerMgrException
 from esxi_contrailvm import ContrailVM as ContrailVM
@@ -277,7 +278,8 @@ def add_cluster_parameters(self, cluster_params):
             "external_bgp" : ["external_bgp", "string"],
             "use_certificates" : ["use_certs", "boolean"],
             "contrail_logoutput" : ["contrail_logoutput", "boolean"],
-            "enable_ceilometer": ["enable_ceilometer", "boolean"]
+            "enable_ceilometer": ["enable_ceilometer", "boolean"],
+            "xmpp_auth_enabled": ["xmpp_auth_enabled", "boolean"]
         }
 
         data = ''