From 30f90d4ab82a1c0c17420623d6794b570e70e358 Mon Sep 17 00:00:00 2001
From: Prasad Miriyala
Date: Thu, 17 Dec 2015 14:45:10 -0800
Subject: [PATCH] Closes-Bug: #1522597, Server Manager support for tls certificate and key distribution
- enable server manager code to generate certs
- fix default names to match with puppet code
- Add fileserver.conf to support puppet cert link point
Change-Id: I14e7ff379ba0d6f3c3ace980ac5884450a658821
---
src/puppet/fileserver.conf | 3 +++
src/server_mgr_certs.py | 8 ++++----
src/server_mgr_main.py | 12 ++++++++++--
src/server_mgr_puppet.py | 4 +++-
4 files changed, 20 insertions(+), 7 deletions(-)
diff --git a/src/puppet/fileserver.conf b/src/puppet/fileserver.conf
index 67e387ca..c3f956c8 100644
--- a/src/puppet/fileserver.conf
+++ b/src/puppet/fileserver.conf
@@ -10,3 +10,6 @@
# allow *.example.com
# deny *.evil.example.com
# allow 192.168.0.0/24
+[ssl_certs]
+ path /etc/contrail_smgr/puppet/ssl
+ allow *
diff --git a/src/server_mgr_certs.py b/src/server_mgr_certs.py
index 2cb0297a..d843d84d 100644
--- a/src/server_mgr_certs.py
+++ b/src/server_mgr_certs.py
@@ -25,8 +25,8 @@ def __init__(self, cert_location=_DEF_CERT_LOCATION,
log_file=_DEF_CERT_LOG, log_level=log_level)
def create_sm_ca_cert(self, force=False):
- sm_ca_private_key = self._smgr_cert_location + 'sm_ca.key'
- sm_ca_cert = self._smgr_cert_location + 'sm_ca.cert'
+ sm_ca_private_key = self._smgr_cert_location + 'ca-cert-privkey.pem'
+ sm_ca_cert = self._smgr_cert_location + 'ca-cert.pem'
if not force and os.path.isfile(sm_ca_private_key) and os.path.isfile(sm_ca_cert):
self._smgr_ca_private_key = sm_ca_private_key
self._smgr_ca_cert = sm_ca_cert
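Review bot: The new `[ssl_certs]` mount exposes the whole of `/etc/contrail_smgr/puppet/ssl` to every agent via `allow *`, and the commit message describes this directory as the link point for the keys this change generates; if the `*-privkey.pem` files written by server_mgr_certs.py (or a link to `ca-cert-privkey.pem`) end up under that path, any puppet agent can download every other node's private key, and possibly the CA key. Confine each agent to its own subtree with Puppet's path substitution, e.g. `path /etc/contrail_smgr/puppet/ssl/%H`, lay the per-server material out under the agent's certname, and make sure the CA private key is never under the served path at all. If a broad mount is really required, replace `allow *` with the agent name patterns that need it and add a comment stating that private keys must not be placed there.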
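Review bot: The renamed CA paths are still built by string concatenation on `self._smgr_cert_location`, so `ca-cert-privkey.pem` only lands in the intended directory if the configured location carries a trailing slash; `os.path.join(self._smgr_cert_location, 'ca-cert-privkey.pem')` removes that dependency and matches the `os.path` calls already used on the next line. The reuse check that follows only tests that both files exist, so a zero-length or truncated key left by an interrupted earlier run would be adopted as the CA key without `force`; consider also checking the file size or that the key loads before accepting it. create_sm_ca_cert continues past the end of the hunk.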
@@ -40,7 +40,7 @@ def create_sm_ca_cert(self, force=False):
return sm_ca_private_key, sm_ca_cert
def create_server_cert(self, server, force=False):
- server_private_key = self._smgr_cert_location + server['id'] + '.key'
+ server_private_key = self._smgr_cert_location + server['id'] + '-privkey.pem'
server_csr = self._smgr_cert_location + server['id'] + '.csr'
server_pem = self._smgr_cert_location + server['id'] + '.pem'
if not force and os.path.isfile(server_private_key) and os.path.isfile(server_pem):
@@ -53,7 +53,7 @@ def create_server_cert(self, server, force=False):
return server_private_key, server_csr, server_pem
def delete_server_cert(self, server):
- server_private_key = self._smgr_cert_location + server['id'] + '.key'
+ server_private_key = self._smgr_cert_location + server['id'] + '-privkey.pem'
server_csr = self._smgr_cert_location + server['id'] + '.csr'
server_pem = self._smgr_cert_location + server['id'] + '.pem'
if os.path.isfile(server_private_key):
diff --git a/src/server_mgr_main.py b/src/server_mgr_main.py
index ac2cafe5..153b20a4 100755
--- a/src/server_mgr_main.py
+++ b/src/server_mgr_main.py
@@ -14,11 +14,11 @@
import sys
import re
import datetime
-import subprocess
import json
import argparse
from gevent import monkey
monkey.patch_all(thread=not 'unittest' in sys.modules)
+import subprocess
import bottle
from bottle import route, run, request, abort
import ConfigParser
@@ -42,6 +42,7 @@
from server_mgr_err import *
from server_mgr_status import *
from server_mgr_db import ServerMgrDb as db
+from server_mgr_certs import ServerMgrCerts
try:
from server_mgr_cobbler import ServerMgrCobbler as ServerMgrCobbler
except ImportError:
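Review bot: `server['id']` is spliced straight into the filesystem path on the changed line (`server_private_key = self._smgr_cert_location + server['id'] + '-privkey.pem'`), and the same value names the `.csr`/`.pem` files and, in the next hunk, the files delete_server_cert removes; if the id originates from the REST payload and is not validated before it reaches this class, an id like `../../some/other` would create or delete key material outside the cert directory. Reject anything that is not a single safe path component before building paths, e.g. `if not re.match(r'^[A-Za-z0-9._-]+$', server['id']): raise ServerMgrException("invalid server id")`, or verify that `os.path.realpath` of the result still lies under `self._smgr_cert_location`. Whether an upstream check already exists is not visible here, so this needs confirming against the API handlers; create_server_cert's body continues outside the hunk.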
@@ -393,6 +394,10 @@ def __init__(self, args_str=None):
"Error starting the status thread")
exit()
+ # Generate SM Certs
+ self._smgr_certs = ServerMgrCerts()
+ sm_private_key, sm_cert = self._smgr_certs.create_sm_ca_cert()
+
# Read the JSON file, validate for correctness and add the entries to
# our DB.
if self._args.server_list is not None:
@@ -2320,6 +2325,7 @@ def delete_server(self):
# Inventory Delete Info Trigger
if self._server_inventory_obj:
gevent.spawn(self._server_inventory_obj.handle_inventory_trigger, "delete", servers)
+ self._smgr_certs.delete_server_cert(server)
except ServerMgrException as e:
self._smgr_trans_log.log(bottle.request,
self._smgr_trans_log.DELETE_SMGR_CFG_SERVER,
@@ -3612,6 +3618,8 @@ def provision_server(self):
provision_params['keystone_tenant'] = cluster_params['keystone_tenant']
provision_params['analytics_data_ttl'] = cluster_params['analytics_data_ttl']
provision_params['phy_interface'] = server_params['interface_name']
+ if 'xmpp_auth_enabled' in cluster_params:
+ provision_params['xmpp_auth_enabled'] = cluster_params['xmpp_auth_enabled']
if 'contrail' in server:
provision_params['contrail_params'] = server['contrail']
if 'gateway' in server and server['gateway']:
@@ -4314,7 +4322,7 @@ def _do_provision_server(
server,
cluster,
cluster_servers)
-
+ self._smgr_certs.create_server_cert(server)
# Update Server table with provisioned id
update = {'id': provision_parameters['server_id'],
'provisioned_id': provision_parameters['package_image_id']}
diff --git a/src/server_mgr_puppet.py b/src/server_mgr_puppet.py
index fbc3548b..92b94e57 100644
--- a/src/server_mgr_puppet.py
+++ b/src/server_mgr_puppet.py
@@ -18,6 +18,7 @@
import re
import openstack_hieradata
import yaml
+from server_mgr_err import *
from server_mgr_logger import ServerMgrlogger as ServerMgrlogger
from server_mgr_exception import ServerMgrException as ServerMgrException
from esxi_contrailvm import ContrailVM as ContrailVM
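Review bot: `create_sm_ca_cert()` runs unguarded in `__init__` and its return values `sm_private_key, sm_cert` are never used; the startup step just above logs `"Error starting the status thread"` and calls `exit()` on failure, so a failed CA generation should be handled the same way rather than letting an arbitrary exception escape the constructor, and the unused tuple should be dropped or at least logged so the operator knows where the CA material lives. `ServerMgrCerts()` is also constructed with no arguments, so the cert location and log file come from the module defaults rather than from the server-manager configuration; if the `/etc/contrail_smgr/puppet/ssl` mount added in fileserver.conf is meant to see these files, that default needs to be confirmed to match. The enclosing `__init__` starts and ends outside the hunk.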
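Review bot: The added `self._smgr_certs.delete_server_cert(server)` uses the singular `server` while the line above passes `servers` to the inventory trigger; if `servers` is the set of matched servers and `server` is a stale name from an earlier loop, or is unbound on some path, only one (or the wrong) server's key material is removed, or a NameError is raised that the `except ServerMgrException` clause will not catch. Iterate the deleted set instead, e.g. `for srv in servers: self._smgr_certs.delete_server_cert(srv)`, and note that an OSError from the file removal will likewise escape this except clause, so either catch it here or have delete_server_cert wrap it in ServerMgrException. delete_server's body starts and continues outside the hunk.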
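Review bot: `self._smgr_certs.create_server_cert(server)` is called with the default `force=False` and its returned key/csr/pem paths are discarded; per the server_mgr_certs.py hunk that flag keeps any existing `<id>-privkey.pem`/`<id>.pem`, so re-provisioning a server whose address or role changed will silently reuse the old certificate and no log line records which files were produced. Decide explicitly whether re-provision should mint a new cert (`force=True`, or reissue when the CA was regenerated) and log the returned paths. The call is also placed after the call that closes at `cluster_servers)`; if that call is what hands the node to puppet, the agent may try to fetch a cert that does not yet exist, so the ordering is worth confirming. _do_provision_server begins and ends outside the hunk.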
@@ -277,7 +278,8 @@ def add_cluster_parameters(self, cluster_params):
"external_bgp" : ["external_bgp", "string"],
"use_certificates" : ["use_certs", "boolean"],
"contrail_logoutput" : ["contrail_logoutput", "boolean"],
- "enable_ceilometer": ["enable_ceilometer", "boolean"]
+ "enable_ceilometer": ["enable_ceilometer", "boolean"],
+ "xmpp_auth_enabled": ["xmpp_auth_enabled", "boolean"]
}
data = ''