diff --git a/hiera/common.yaml b/hiera/common.yaml
index 14d3b45f80..c9b6a7b05d 100644
--- a/hiera/common.yaml
+++ b/hiera/common.yaml
@@ -495,30 +495,6 @@ cacti_hosts:
 - zm07.openstack.org
 - zm08.openstack.org
 - zuul01.openstack.org
-limestone_ssl_cert_file_contents: |
- -----BEGIN CERTIFICATE-----
- MIIDzTCCArWgAwIBAgIJAMjKv/sJrt0JMA0GCSqGSIb3DQEBCwUAMH0xCzAJBgNV
- BAYTAlVTMQ4wDAYDVQQIDAVUZXhhczEUMBIGA1UEBwwLU2FuIEFudG9uaW8xCzAJ
- BgNVBAoMAklUMRowGAYDVQQDDBFvc2EuY29udGludW91cy5wdzEfMB0GA1UdEQwW
- SVAuMT1vc2EuY29udGludW91cy5wdzAeFw0xODAzMDIxNTM1NDZaFw0yODAyMjgx
- NTM1NDZaMH0xCzAJBgNVBAYTAlVTMQ4wDAYDVQQIDAVUZXhhczEUMBIGA1UEBwwL
- U2FuIEFudG9uaW8xCzAJBgNVBAoMAklUMRowGAYDVQQDDBFvc2EuY29udGludW91
- cy5wdzEfMB0GA1UdEQwWSVAuMT1vc2EuY29udGludW91cy5wdzCCASIwDQYJKoZI
- hvcNAQEBBQADggEPADCCAQoCggEBANjzeNQOfZPLWEYXcyn4htcjli6QCT8FKU8I
- edvaPDEjefcdBmD2f49bc8RRqbB8cje/B6vAAeBfXoQKoh5HQ/rec1S2aSQsYObl
- ecaQTYKVVVUsAhbsmLf39rpqIhmKKA+qZCAJPsdtUQ2fTfwNnF2+9XhZ40LsZDse
- cCCtwM3sKq5OymZ1JsHKMp1FEJINDAiV1aekmNjoaOeCCbuEgKKiniGJ7iVp18x8
- 80tGUwFq2gXrlmzYQntA80vN9MtWgnkn5KACVvE3vLpzPyKRsn5htsedmccNWGa5
- eQHgAIoaP1AI57ryZHOFQxebWCWanxm19RdekyhTeqsGSso70b8CAwEAAaNQME4w
- HQYDVR0OBBYEFHHOdo0iyJbl15Q3/61oYMMAGLH1MB8GA1UdIwQYMBaAFHHOdo0i
- yJbl15Q3/61oYMMAGLH1MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
- AAFh2mLQmGePooS/OoDNfeTORVSmq3u+l/F+5XGSSXjujY3tkl8AvXhvwVRKYFkE
- y8viOR8yTvT6kyA7jQ2Fe2g0CVK+TyxpFiXQgCxISN9zAM/E2mGiM4FXqkrkl6vs
- XacpMa7FAr1ZCp//rWT8NDPPMdq1L5BO4BEpE1tseaJSRv8SWztLpQZUic4YgvN2
- HKnG4qpuA90nrDL30uB/dQxcVad4lG9f2vXYgbjg6QMyY1s4VVd3v9w+do8GLeia
- ddlRJ6Pnmk26Kgs/0WoVVBNYVUrdo+Hk0k2BpO0/Yk+0+rz8wa+Ee4vAA3M4xT1p
- NhQjSPoo+M+vDa6hxK8/Z/c=
- -----END CERTIFICATE-----
 statusbot_auth_nicks:
 - jeblair
 - corvus
diff --git a/inventory/groups.yaml b/inventory/groups.yaml
index fe4ca1d1c6..8a6afe8371 100644
--- a/inventory/groups.yaml
+++ b/inventory/groups.yaml
@@ -29,6 +29,8 @@ groups:
 mailman: inventory_hostname.startswith('lists')
 mirror: inventory_hostname is match('mirror\d*\..*\.openstack\.org')
 nodepool: inventory_hostname is match('(nodepool|nb|nl)')
+ nodepool-builder: inventory_hostname is match('nb\d*\.openstack\.org')
+ nodepool-launcher: inventory_hostname is match('nl\d*\.openstack\.org')
 ns: inventory_hostname.startswith('ns')
 paste: inventory_hostname.startswith('paste')
 pbx: inventory_hostname.startswith('pbx')
diff --git a/manifests/site.pp b/manifests/site.pp
index 8a8118d55a..7d53a6b472 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -171,14 +171,6 @@ node 'puppetmaster.openstack.org' {
 class { 'openstack_project::puppetmaster':
 puppetmaster_clouds => hiera('puppetmaster_clouds'),
 }
- file { '/etc/openstack/limestone_cacert.pem':
- ensure => present,
- owner => 'root',
- group => 'root',
- mode => '0444',
- content => hiera('limestone_ssl_cert_file_contents'),
- require => Class['::openstack_project::puppetmaster'],
- }
 }
 # Node-OS: trusty
@@ -841,15 +833,6 @@ node /^nl\d+\.openstack\.org$/ {
 python_version => 3,
 enable_webapp => true,
 }
-
- file { '/home/nodepool/.config/openstack/limestone_cacert.pem':
- ensure => present,
- owner => 'nodepool',
- group => 'nodepool',
- mode => '0600',
- content => hiera('limestone_ssl_cert_file_contents'),
- require => Class['::openstackci::nodepool_launcher'],
- }
 }
 # Node-OS: xenial
@@ -907,15 +890,6 @@ node /^nb\d+\.openstack\.org$/ {
 ssl_key_file => '/etc/ssl/private/ssl-cert-snakeoil.key',
 }
- file { '/home/nodepool/.config/openstack/limestone_cacert.pem':
- ensure => present,
- owner => 'nodepool',
- group => 'nodepool',
- mode => '0600',
- content => hiera('limestone_ssl_cert_file_contents'),
- require => Class['::openstackci::nodepool_builder'],
- }
-
 cron { 'mirror_gitgc':
 user => 'nodepool',
 hour => '20',
diff --git a/playbooks/base.yaml b/playbooks/base.yaml
index 474d2e3673..56351a2f1c 100644
--- a/playbooks/base.yaml
+++ b/playbooks/base.yaml
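Review bot: The two group patterns added in inventory/groups.yaml are looser than the Puppet node regexes they mirror: Ansible's `match` test anchors only at the start of the string and `\d*` accepts zero digits, so `nb\d*\.openstack\.org` also matches any name that merely begins with that string. site.pp in this same commit uses `/^nb\d+\.openstack\.org$/` and `/^nl\d+\.openstack\.org$/`. Writing the groups as `match('nb\d+\.openstack\.org$')` and `match('nl\d+\.openstack\.org$')` keeps the nodepool group_vars and the configure-openstacksdk role scoped to exactly the hosts Puppet treats as builders and launchers.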
@@ -11,6 +11,11 @@
 - timezone
 - unbound
+- hosts: nodepool-launcher:nodepool-builder:bridge.openstack.org:!disabled
+ strategy: free
+ roles:
+ - configure-openstacksdk
+
 - hosts: "puppet:!disabled"
 roles:
 - puppet-install
diff --git a/playbooks/group_vars/nodepool-builder.yaml b/playbooks/group_vars/nodepool-builder.yaml
new file mode 100644
index 0000000000..542ccfec4f
--- /dev/null
+++ b/playbooks/group_vars/nodepool-builder.yaml
@@ -0,0 +1,3 @@
+openstacksdk_config_dir: /home/nodepool/.config/openstack
+openstacksdk_config_owner: nodepool
+openstacksdk_config_group: nodepool
diff --git a/playbooks/group_vars/nodepool-launcher.yaml b/playbooks/group_vars/nodepool-launcher.yaml
new file mode 100644
index 0000000000..542ccfec4f
--- /dev/null
+++ b/playbooks/group_vars/nodepool-launcher.yaml
@@ -0,0 +1,3 @@
+openstacksdk_config_dir: /home/nodepool/.config/openstack
+openstacksdk_config_owner: nodepool
+openstacksdk_config_group: nodepool
diff --git a/playbooks/roles/configure-openstacksdk/README.rst b/playbooks/roles/configure-openstacksdk/README.rst
new file mode 100644
index 0000000000..16ba44c249
--- /dev/null
+++ b/playbooks/roles/configure-openstacksdk/README.rst
@@ -0,0 +1,14 @@
+Configure openstacksdk files
+
+Configure openstacksdk files needed by nodepool and ansible.
+
+**Role Variables**
+
+.. zuul:rolevar:: openstacksdk_config_dir
+ :default: /etc/openstack
+
+.. zuul:rolevar:: openstacksdk_config_owner
+ :default: root
+
+.. zuul:rolevar:: openstacksdf_config_group
+ :default: root
diff --git a/playbooks/roles/configure-openstacksdk/defaults/main.yaml b/playbooks/roles/configure-openstacksdk/defaults/main.yaml
new file mode 100644
index 0000000000..8ca0dacd21
--- /dev/null
+++ b/playbooks/roles/configure-openstacksdk/defaults/main.yaml
@@ -0,0 +1,3 @@
+openstacksdk_config_dir: /etc/openstack
+openstacksdk_config_owner: root
+openstacksdk_config_group: root
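Review bot: The play added to playbooks/base.yaml sets owner and group to `nodepool` on the builder and launcher hosts, but nothing visible here guarantees that account exists when the play runs. The Puppet resources removed from site.pp carried `require => Class['::openstackci::nodepool_launcher']` and `nodepool_builder`, presumably because those classes create the user and its home directory. On a freshly built nl/nb host the role may therefore fail on an unknown owner before Puppet has ever applied. Record the prerequisite above the play, for example `# nodepool user must already exist on nl*/nb* (created by puppet)`, or order the role after the step that creates the account. A short comment on why `strategy: free` is wanted for this play would also help.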
diff --git a/playbooks/roles/configure-openstacksdk/files/limestone_cacert.pem b/playbooks/roles/configure-openstacksdk/files/limestone_cacert.pem
new file mode 100644
index 0000000000..0333f38af3
--- /dev/null
+++ b/playbooks/roles/configure-openstacksdk/files/limestone_cacert.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDzTCCArWgAwIBAgIJAMjKv/sJrt0JMA0GCSqGSIb3DQEBCwUAMH0xCzAJBgNV
+BAYTAlVTMQ4wDAYDVQQIDAVUZXhhczEUMBIGA1UEBwwLU2FuIEFudG9uaW8xCzAJ
+BgNVBAoMAklUMRowGAYDVQQDDBFvc2EuY29udGludW91cy5wdzEfMB0GA1UdEQwW
+SVAuMT1vc2EuY29udGludW91cy5wdzAeFw0xODAzMDIxNTM1NDZaFw0yODAyMjgx
+NTM1NDZaMH0xCzAJBgNVBAYTAlVTMQ4wDAYDVQQIDAVUZXhhczEUMBIGA1UEBwwL
+U2FuIEFudG9uaW8xCzAJBgNVBAoMAklUMRowGAYDVQQDDBFvc2EuY29udGludW91
+cy5wdzEfMB0GA1UdEQwWSVAuMT1vc2EuY29udGludW91cy5wdzCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBANjzeNQOfZPLWEYXcyn4htcjli6QCT8FKU8I
+edvaPDEjefcdBmD2f49bc8RRqbB8cje/B6vAAeBfXoQKoh5HQ/rec1S2aSQsYObl
+ecaQTYKVVVUsAhbsmLf39rpqIhmKKA+qZCAJPsdtUQ2fTfwNnF2+9XhZ40LsZDse
+cCCtwM3sKq5OymZ1JsHKMp1FEJINDAiV1aekmNjoaOeCCbuEgKKiniGJ7iVp18x8
+80tGUwFq2gXrlmzYQntA80vN9MtWgnkn5KACVvE3vLpzPyKRsn5htsedmccNWGa5
+eQHgAIoaP1AI57ryZHOFQxebWCWanxm19RdekyhTeqsGSso70b8CAwEAAaNQME4w
+HQYDVR0OBBYEFHHOdo0iyJbl15Q3/61oYMMAGLH1MB8GA1UdIwQYMBaAFHHOdo0i
+yJbl15Q3/61oYMMAGLH1MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
+AAFh2mLQmGePooS/OoDNfeTORVSmq3u+l/F+5XGSSXjujY3tkl8AvXhvwVRKYFkE
+y8viOR8yTvT6kyA7jQ2Fe2g0CVK+TyxpFiXQgCxISN9zAM/E2mGiM4FXqkrkl6vs
+XacpMa7FAr1ZCp//rWT8NDPPMdq1L5BO4BEpE1tseaJSRv8SWztLpQZUic4YgvN2
+HKnG4qpuA90nrDL30uB/dQxcVad4lG9f2vXYgbjg6QMyY1s4VVd3v9w+do8GLeia
+ddlRJ6Pnmk26Kgs/0WoVVBNYVUrdo+Hk0k2BpO0/Yk+0+rz8wa+Ee4vAA3M4xT1p
+NhQjSPoo+M+vDa6hxK8/Z/c=
+-----END CERTIFICATE-----
diff --git a/playbooks/roles/configure-openstacksdk/tasks/main.yaml b/playbooks/roles/configure-openstacksdk/tasks/main.yaml
new file mode 100644
index 0000000000..3094092717
--- /dev/null
+++ b/playbooks/roles/configure-openstacksdk/tasks/main.yaml
@@ -0,0 +1,15 @@
+- name: Ensure openstacksdk config directory
+ file:
+ group: '{{ openstacksdk_config_group }}'
+ owner: '{{ openstacksdk_config_owner }}'
+ mode: 0750
+ path: '{{ openstacksdk_config_dir }}'
+ state: directory
+
+- name: Install limestone cacert
+ copy:
+ dest: '{{ openstacksdk_config_dir }}/limestone_cacert.pem'
+ group: '{{ openstacksdk_config_group }}'
+ mode: 0640
+ owner: '{{ openstacksdk_config_owner }}'
+ src: limestone_cacert.pem
diff --git a/testinfra/test_base.py b/testinfra/test_base.py
index edf543d3d7..de39174d56 100644
--- a/testinfra/test_base.py
+++ b/testinfra/test_base.py
@@ -149,3 +149,22 @@ def test_unattended_upgrades(host):
 cfg_file = host.file("/etc/yum/yum-cron.conf")
 assert cfg_file.exists
 assert cfg_file.contains('apply_updates = yes')
+
+
+def test_openstacksdk_config(host):
+ ansible_vars = host.ansible.get_variables()
+ if ansible_vars['inventory_hostname'] == 'bridge.openstack.org':
+ f = host.file('/etc/openstack')
+ assert f.exists
+ assert f.is_directory
+ assert f.user == 'root'
+ assert f.group == 'root'
+ assert f.mode == 0o750
+ del f
+
+ f = host.file('/etc/openstack/limestone_cacert.pem')
+ assert f.exists
+ assert f.is_file
+ assert f.user == 'root'
+ assert f.group == 'root'
+ assert f.mode == 0o640
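Review bot: Both `mode:` values in playbooks/roles/configure-openstacksdk/tasks/main.yaml are bare integers (`mode: 0750`, `mode: 0640`), which are read correctly only because the YAML parser treats the leading zero as octal. Writing `mode: '0750'` and `mode: '0640'` hands Ansible a string and avoids a wrong permission set if the zero is ever dropped. The role README added in this commit documents the group variable as `openstacksdf_config_group`, while the tasks and defaults use `openstacksdk_config_group`; the README spelling should be corrected so an override is not silently ignored. The certificate mode also changes from the `0444` and `0600` of the removed Puppet resources to `0640` under a `0750` directory, which deserves a one-line comment stating the intended readers.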
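Review bot: test_openstacksdk_config in testinfra/test_base.py asserts only when `inventory_hostname` is `bridge.openstack.org`, so on the nodepool builder and launcher hosts it passes without checking anything. Those hosts are where group_vars point the role at `/home/nodepool/.config/openstack` with owner `nodepool`. A second branch, or a parametrised path/owner pair, for those hosts would cover the systems most affected by the move from Puppet. Indentation is lost in this view, so it is unclear whether the certificate-file assertions sit inside the `if`; if they do not, they run on every host and fail wherever the role is not applied. `del f` before rebinding `f` is unnecessary and can be dropped.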