Install limestone CA on hosts using openstacksdk

In order to talk to limestone clouds we need to configure a custom CA.
Do this in ansible instead of puppet.

A followup should add writing out clouds.yaml files.

Change-Id: I355df1efb31feb31e039040da4ca6088ea632b7e
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
Monty Taylor 2018-08-17 06:17:16 -05:00 committed by James E. Blair
parent 21a81de59f
commit eb086094a8
11 changed files with 87 additions and 50 deletions


@ -495,30 +495,6 @@ cacti_hosts:
- zm07.openstack.org
- zm08.openstack.org
- zuul01.openstack.org
limestone_ssl_cert_file_contents: |
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
statusbot_auth_nicks:
- jeblair
- corvus


@ -29,6 +29,8 @@ groups:
mailman: inventory_hostname.startswith('lists')
mirror: inventory_hostname is match('mirror\d*\..*\.openstack\.org')
nodepool: inventory_hostname is match('(nodepool|nb|nl)')
nodepool-builder: inventory_hostname is match('nb\d*\.openstack\.org')
nodepool-launcher: inventory_hostname is match('nl\d*\.openstack\.org')
ns: inventory_hostname.startswith('ns')
paste: inventory_hostname.startswith('paste')
pbx: inventory_hostname.startswith('pbx')
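Review bot: The `nodepool-builder` and `nodepool-launcher` patterns (presumably the two new lines, given the +2 count) use `\d*`, which also matches a host with no digits such as `nb.openstack.org`, whereas the puppet node blocks being retired in the same commit match `/^nb\d+\.openstack\.org$/` and `/^nl\d+\.openstack\.org$/`. If the intent is to target exactly the hosts those blocks covered, `nodepool-builder: inventory_hostname is match('nb\d+\.openstack\.org')` and the same change for `nodepool-launcher` keep the two definitions in step; if the file's existing `\d*` convention (see the `mirror` entry) is deliberate, no change is needed. Which lines are new here is inferred from the diffstat, not from surviving markers.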


@ -171,14 +171,6 @@ node 'puppetmaster.openstack.org' {
class { 'openstack_project::puppetmaster':
puppetmaster_clouds => hiera('puppetmaster_clouds'),
}
file { '/etc/openstack/limestone_cacert.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0444',
content => hiera('limestone_ssl_cert_file_contents'),
require => Class['::openstack_project::puppetmaster'],
}
}
# Node-OS: trusty
@ -841,15 +833,6 @@ node /^nl\d+\.openstack\.org$/ {
python_version => 3,
enable_webapp => true,
}
file { '/home/nodepool/.config/openstack/limestone_cacert.pem':
ensure => present,
owner => 'nodepool',
group => 'nodepool',
mode => '0600',
content => hiera('limestone_ssl_cert_file_contents'),
require => Class['::openstackci::nodepool_launcher'],
}
}
# Node-OS: xenial
@ -907,15 +890,6 @@ node /^nb\d+\.openstack\.org$/ {
ssl_key_file => '/etc/ssl/private/ssl-cert-snakeoil.key',
}
file { '/home/nodepool/.config/openstack/limestone_cacert.pem':
ensure => present,
owner => 'nodepool',
group => 'nodepool',
mode => '0600',
content => hiera('limestone_ssl_cert_file_contents'),
require => Class['::openstackci::nodepool_builder'],
}
cron { 'mirror_gitgc':
user => 'nodepool',
hour => '20',


@ -11,6 +11,11 @@
- timezone
- unbound
- hosts: nodepool-launcher:nodepool-builder:bridge.openstack.org:!disabled
strategy: free
roles:
- configure-openstacksdk
- hosts: "puppet:!disabled"
roles:
- puppet-install
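Review bot: The new play's `hosts:` pattern is left unquoted while the play directly below it quotes `"puppet:!disabled"`; for consistency write `- hosts: "nodepool-launcher:nodepool-builder:bridge.openstack.org:!disabled"`. Separately, the puppet `file` resources removed in the manifest hunks covered `puppetmaster.openstack.org` as well as the nb/nl hosts, but puppetmaster is not in this host pattern, so it appears to lose its `/etc/openstack/limestone_cacert.pem` unless that host has been retired or its duties moved to bridge — worth confirming before merge. The +11 count suggests a blank line was dropped in rendering, so the exact play boundaries here are inferred.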


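--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_file5.yaml
@@ -0,0 +1,3 @@
+openstacksdk_config_dir: /home/nodepool/.config/openstack
+openstacksdk_config_owner: nodepool
+openstacksdk_config_group: nodepool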


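--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_file6.yaml
@@ -0,0 +1,3 @@
+openstacksdk_config_dir: /home/nodepool/.config/openstack
+openstacksdk_config_owner: nodepool
+openstacksdk_config_group: nodepool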


@ -0,0 +1,14 @@
Configure openstacksdk files
Configure openstacksdk files needed by nodepool and ansible.
**Role Variables**
.. zuul:rolevar:: openstacksdk_config_dir
:default: /etc/openstack
.. zuul:rolevar:: openstacksdk_config_owner
:default: root
.. zuul:rolevar:: openstacksdf_config_group
:default: root


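--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_file8.yaml
@@ -0,0 +1,3 @@
+openstacksdk_config_dir: /etc/openstack
+openstacksdk_config_owner: root
+openstacksdk_config_group: root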
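Review bot: The role README added in this commit documents the third default as `openstacksdf_config_group`, while the key defined here — and consumed by the tasks — is `openstacksdk_config_group`; the README entry should read `.. zuul:rolevar:: openstacksdk_config_group` so readers do not copy a variable name that the role never reads. The README hunk is documentation-only, so the fix is noted here rather than on it.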


@ -0,0 +1,23 @@
-----BEGIN CERTIFICATE-----
MIIDzTCCArWgAwIBAgIJAMjKv/sJrt0JMA0GCSqGSIb3DQEBCwUAMH0xCzAJBgNV
BAYTAlVTMQ4wDAYDVQQIDAVUZXhhczEUMBIGA1UEBwwLU2FuIEFudG9uaW8xCzAJ
BgNVBAoMAklUMRowGAYDVQQDDBFvc2EuY29udGludW91cy5wdzEfMB0GA1UdEQwW
SVAuMT1vc2EuY29udGludW91cy5wdzAeFw0xODAzMDIxNTM1NDZaFw0yODAyMjgx
NTM1NDZaMH0xCzAJBgNVBAYTAlVTMQ4wDAYDVQQIDAVUZXhhczEUMBIGA1UEBwwL
U2FuIEFudG9uaW8xCzAJBgNVBAoMAklUMRowGAYDVQQDDBFvc2EuY29udGludW91
cy5wdzEfMB0GA1UdEQwWSVAuMT1vc2EuY29udGludW91cy5wdzCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBANjzeNQOfZPLWEYXcyn4htcjli6QCT8FKU8I
edvaPDEjefcdBmD2f49bc8RRqbB8cje/B6vAAeBfXoQKoh5HQ/rec1S2aSQsYObl
ecaQTYKVVVUsAhbsmLf39rpqIhmKKA+qZCAJPsdtUQ2fTfwNnF2+9XhZ40LsZDse
cCCtwM3sKq5OymZ1JsHKMp1FEJINDAiV1aekmNjoaOeCCbuEgKKiniGJ7iVp18x8
80tGUwFq2gXrlmzYQntA80vN9MtWgnkn5KACVvE3vLpzPyKRsn5htsedmccNWGa5
eQHgAIoaP1AI57ryZHOFQxebWCWanxm19RdekyhTeqsGSso70b8CAwEAAaNQME4w
HQYDVR0OBBYEFHHOdo0iyJbl15Q3/61oYMMAGLH1MB8GA1UdIwQYMBaAFHHOdo0i
yJbl15Q3/61oYMMAGLH1MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
AAFh2mLQmGePooS/OoDNfeTORVSmq3u+l/F+5XGSSXjujY3tkl8AvXhvwVRKYFkE
y8viOR8yTvT6kyA7jQ2Fe2g0CVK+TyxpFiXQgCxISN9zAM/E2mGiM4FXqkrkl6vs
XacpMa7FAr1ZCp//rWT8NDPPMdq1L5BO4BEpE1tseaJSRv8SWztLpQZUic4YgvN2
HKnG4qpuA90nrDL30uB/dQxcVad4lG9f2vXYgbjg6QMyY1s4VVd3v9w+do8GLeia
ddlRJ6Pnmk26Kgs/0WoVVBNYVUrdo+Hk0k2BpO0/Yk+0+rz8wa+Ee4vAA3M4xT1p
NhQjSPoo+M+vDa6hxK8/Z/c=
-----END CERTIFICATE-----


@ -0,0 +1,15 @@
- name: Ensure openstacksdk config directory
file:
group: '{{ openstacksdk_config_group }}'
owner: '{{ openstacksdk_config_owner }}'
mode: 0750
path: '{{ openstacksdk_config_dir }}'
state: directory
- name: Install limestone cacert
copy:
dest: '{{ openstacksdk_config_dir }}/limestone_cacert.pem'
group: '{{ openstacksdk_config_group }}'
mode: 0640
owner: '{{ openstacksdk_config_owner }}'
src: limestone_cacert.pem
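Review bot: `mode: 0750` and `mode: 0640` are plain scalars, so a YAML 1.1 loader turns them into octal integers before Ansible sees them; Ansible does accept the leading-zero form, but the puppet resources this replaces quoted their modes (`'0600'`, `'0444'`), and writing `mode: '0750'` and `mode: '0640'` removes the dependence on that parser behaviour and matches the other quoted values in these two tasks. Note also that the puppetmaster copy of the certificate was `0444`, whereas the role defaults give `0640` root:root on bridge.openstack.org — a CA certificate is public data, so if any non-root process on bridge uses openstacksdk it will no longer be able to read it; worth confirming that nothing there needs world-read. The +15 count against 14 visible lines suggests a blank line between the tasks was dropped in rendering.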


@ -149,3 +149,22 @@ def test_unattended_upgrades(host):
cfg_file = host.file("/etc/yum/yum-cron.conf")
assert cfg_file.exists
assert cfg_file.contains('apply_updates = yes')
def test_openstacksdk_config(host):
ansible_vars = host.ansible.get_variables()
if ansible_vars['inventory_hostname'] == 'bridge.openstack.org':
f = host.file('/etc/openstack')
assert f.exists
assert f.is_directory
assert f.user == 'root'
assert f.group == 'root'
assert f.mode == 0o750
del f
f = host.file('/etc/openstack/limestone_cacert.pem')
assert f.exists
assert f.is_file
assert f.user == 'root'
assert f.group == 'root'
assert f.mode == 0o640
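Review bot: `test_openstacksdk_config` only asserts anything when `inventory_hostname` is `bridge.openstack.org`; on the nodepool-launcher and nodepool-builder hosts, which the new play also targets and whose group_vars in this commit move the config dir to `/home/nodepool/.config/openstack` owned by `nodepool`, the test passes vacuously. A second branch for those hosts (or a `pytest.skip` on hosts the role does not apply to) would catch a regression in the non-default configuration, using the values from the group_vars. The hunk's +22 count is three lines more than shown, so the function may continue past this point — if such a branch already exists below, disregard.
```python
def test_openstacksdk_config(host):
    ansible_vars = host.ansible.get_variables()
    if ansible_vars['inventory_hostname'] == 'bridge.openstack.org':
        # … unchanged: bridge.openstack.org assertions …
        pass
    elif ansible_vars['inventory_hostname'].startswith(('nb', 'nl')):
        # Values come from the nodepool-launcher/builder group_vars in this change.
        f = host.file('/home/nodepool/.config/openstack')
        assert f.exists
        assert f.is_directory
        assert f.user == 'nodepool'
        assert f.group == 'nodepool'
        assert f.mode == 0o750
        f = host.file('/home/nodepool/.config/openstack/limestone_cacert.pem')
        assert f.exists
        assert f.is_file
        assert f.user == 'nodepool'
        assert f.group == 'nodepool'
        assert f.mode == 0o640
```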