Merge "Implement SSL keys generation"

This commit is contained in:
Jenkins 2015-07-14 17:04:01 +00:00 committed by Gerrit Code Review
commit 8f1bc80b6c
28 changed files with 376 additions and 0 deletions


@ -0,0 +1,34 @@
#!/bin/sh
while getopts ":i:h:o:p:" opt; do
case $opt in
i) cluster_id=$OPTARG
;;
h) cn_name=$OPTARG
;;
o) open_ssl_keys=$OPTARG
;;
p) keys_path=$OPTARG
;;
esac
done
BASE_PATH="$keys_path/$cluster_id"
CONF_PATH=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
function generate_open_ssl_keys {
for i in $open_ssl_keys
do
local dir_path="$BASE_PATH/$i"
local key_path="$dir_path/public_$i.key"
local crt_path="$dir_path/public_$i.crt"
mkdir -p $dir_path
if [ ! -f $key_path ]; then
env SSL_CN_NAME="$cn_name" bash -c "openssl req -newkey rsa:2048 -nodes -keyout $key_path -x509 -days 3650 -out $crt_path -config $CONF_PATH/openssl.cnf 2>&1"
cat "$crt_path" "$key_path" > "$dir_path/public_$i.pem"
else
echo "Key $key_path already exists"
fi
done
}
generate_open_ssl_keys
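Review bot: The openssl invocation on the line `env SSL_CN_NAME="$cn_name" bash -c "openssl req ..."` has no exit-status check, so a failed key generation still falls through to `cat` and the script exits 0, which the calling task (a bare `timeout: 180`, no error handling visible) would report as success; add `set -e` after the shebang or `|| exit 1` on that line. The private key written by `-keyout` gets whatever umask the caller has, so add `umask 077` before the loop unless the key directory is known to be protected elsewhere. `mkdir -p $dir_path` and `[ ! -f $key_path ]` leave the paths unquoted while the following lines quote them; use `mkdir -p "$dir_path"` and `[ ! -f "$key_path" ]` consistently. The script also uses `function` and `BASH_SOURCE` under `#!/bin/sh` and is invoked via `sh` from the task definition, which only works where sh is bash; `#!/bin/bash` would make that requirement explicit.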


@ -0,0 +1,19 @@
[ req ]
default_bits = 2048
default_keyfile = keyfile.key
distinguished_name = req_distinguished_name
prompt = no
req_extensions = v3_req
[ req_distinguished_name ]
CN = US
ST = California
L = Mountain View
O = Mirantis
OU = Mirantis Deploy Team
CN = ${ENV::SSL_CN_NAME}
emailAddress = root@fuel.local
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
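Review bot: `CN = US` in `[ req_distinguished_name ]` looks like a typo for the country field, since the real common name is assigned again as `CN = ${ENV::SSL_CN_NAME}` a few lines later; change it to `C = US`. The `[ v3_req ]` section is wired through `req_extensions`, which openssl applies when building a CSR, whereas the script calls `openssl req -x509` and takes extensions from `x509_extensions`, so the `basicConstraints`/`subjectKeyIdentifier` values are probably not ending up in the issued certificate; add `x509_extensions = v3_req` to `[ req ]`. Since the hostname is placed only in the CN, consider also emitting `subjectAltName = DNS:${ENV::SSL_CN_NAME}` in that section, as clients increasingly ignore the CN for hostname matching.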


@ -150,6 +150,31 @@
cmd: sh /etc/puppet/modules/osnailyfacter/modular/astute/generate_keys.sh -i {CLUSTER_ID} -o 'mongodb' -s 'neutron nova mysql' -p /var/lib/fuel/keys/
timeout: 180
- id: generate_haproxy_keys
type: shell
role: master
requires: [pre_deployment_start]
condition: "(settings:public_ssl.horizon.value == true or settings:public_ssl.services.value == true) and settings:public_ssl.cert_source.value == 'self_signed'"
required_for: [copy_haproxy_keys]
parameters:
cmd: sh /etc/puppet/modules/osnailyfacter/modular/astute/generate_haproxy_keys.sh -i {CLUSTER_ID} -h {CN_HOSTNAME} -o 'haproxy' -p /var/lib/fuel/keys/
timeout: 180
- id: copy_haproxy_keys
type: copy_files
role: '*'
required_for: [pre_deployment_end]
requires: [generate_haproxy_keys]
condition: "(settings:public_ssl.horizon.value == true or settings:public_ssl.services.value == true) and settings:public_ssl.cert_source.value == 'self_signed'"
parameters:
files:
- src: /var/lib/fuel/keys/{CLUSTER_ID}/haproxy/public_haproxy.pem
dst: /var/lib/astute/haproxy/public_haproxy.pem
- src: /var/lib/fuel/keys/{CLUSTER_ID}/haproxy/public_haproxy.crt
dst: /etc/pki/tls/certs/public_haproxy.pem
permissions: '0600'
dir_permissions: '0700'
- id: sync_time
type: shell
role: '*'
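Review bot: copy_haproxy_keys ships `/var/lib/fuel/keys/{CLUSTER_ID}/haproxy/public_haproxy.pem` to `role: '*'`, and the generator script builds that .pem by concatenating the certificate with the private key, so every node in the environment receives the haproxy private key although only the controller groups consume it from `/var/lib/astute/haproxy`; restrict the task to the controller roles (the groups used by the ssl-keys-saving task) or split the copy so non-controllers receive only the `.crt`. The second file entry copies the `.crt` to a destination ending in `.pem`, which is harmless but will confuse anyone inspecting `/etc/pki/tls/certs`. Both `condition` strings repeat the expression used by generate_haproxy_keys; a YAML anchor would keep them from drifting. The task list continues outside the hunk.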


@ -0,0 +1,42 @@
notice('MODULAR: ssl_add_trust_chain.pp')
$public_ssl_hash = hiera('public_ssl')
$ip = hiera('public_vip')
case $::osfamily {
/(?i)redhat/: {
file { '/etc/pki/ca-trust/source/anchors/public_haproxy.pem':
ensure => 'link',
target => '/etc/pki/tls/certs/public_haproxy.pem',
}->
exec { 'enable_trust':
path => '/bin:/usr/bin:/sbin:/usr/sbin',
command => 'update-ca-trust force-enable',
}->
exec { 'add_trust':
path => '/bin:/usr/bin:/sbin:/usr/sbin',
command => 'update-ca-trust extract',
}
}
/(?i)debian/: {
file { '/usr/local/share/ca-certificates/public_haproxy.crt':
ensure => 'link',
target => '/etc/pki/tls/certs/public_haproxy.pem',
}->
exec { 'add_trust':
path => '/bin:/usr/bin:/sbin:/usr/sbin',
command => 'update-ca-certificates',
}
}
default: {
fail("Unsupported OS: ${::osfamily}/${::operatingsystem}")
}
}
host { $public_ssl_hash['hostname']:
ensure => present,
ip => $ip,
}
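Review bot: Both `exec` resources in ssl_add_trust_chain.pp run on every Puppet agent run, since neither has `refreshonly`, `unless` or `creates`; make `enable_trust`/`add_trust` `refreshonly => true` and have the `file` symlink `notify` them so the trust store is rebuilt only when the link changes. The anchor being installed is the haproxy leaf certificate, which the bundled openssl.cnf marks `basicConstraints = CA:FALSE`; many TLS stacks accept a self-signed leaf as a trust anchor but not all do, so a comment such as `# the self-signed haproxy cert is installed as its own trust anchor; it is not a CA` would save the next reader a debugging session. The `host` override of `$public_ssl_hash['hostname']` to `public_vip` also applies when the certificate was user_uploaded (the task condition does not check `cert_source`); a one-line comment stating that this is intentional would help.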


@ -0,0 +1,22 @@
notice('MODULAR: ssl_keys_saving.pp')
$public_ssl_hash = hiera_hash('public_ssl')
$pub_certificate_content = $public_ssl_hash['cert_data']['content']
$base_path = "/etc/pki/tls/certs"
$pki_path = [ "/etc/pki", "/etc/pki/tls" ]
$astute_base_path = "/var/lib/astute/haproxy"
File {
owner => 'root',
group => 'root',
mode => '0644',
}
file { [ $pki_path, $base_path, $astute_base_path ]:
ensure => directory,
}
file { ["$base_path/public_haproxy.pem", "$astute_base_path/public_haproxy.pem"]:
ensure => present,
content => $pub_certificate_content,
}
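Review bot: The `File` default `mode => '0644'` applies to the two `public_haproxy.pem` files written from `$public_ssl_hash['cert_data']['content']`; the fixture value `somedataaboutyourkeypair` and the post test's message `No public keypair saved!` suggest that content is certificate plus private key, in which case it lands world-readable under `/etc/pki/tls/certs` and `/var/lib/astute/haproxy`. Give that resource an explicit `mode => '0600'` (the copy_files task in this commit uses `permissions: '0600'` for the same file) and add `show_diff => false` so the key material is not echoed into Puppet reports and logs. If the content really is only the public certificate, a comment saying so at `$pub_certificate_content` would settle the question.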


@ -0,0 +1,14 @@
require File.join File.dirname(__FILE__), '../test_common.rb'
class SslKeysSavingPostTest < Test::Unit::TestCase
def has_public_ssl?
TestCommon::Settings.lookup 'public_ssl'
end
def test_ssl_keys_availability
return unless has_public_ssl
assert File.file?('/var/lib/astute/haproxy/public_haproxy.pem'), 'No public keypair saved!'
end
end
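Review bot: `return unless has_public_ssl` in test_ssl_keys_availability calls a method that does not exist; the predicate is defined as `has_public_ssl?`, so the test raises NoMethodError and never reaches the assertion. Change the guard to `return unless has_public_ssl?`. Ruby convention also drops the `has_` prefix on predicates (`public_ssl?`), and the ssl-keys-saving task in this commit does not reference this file via `test_post`, so as written it may never run at all.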


@ -0,0 +1,9 @@
require File.join File.dirname(__FILE__), '../test_common.rb'
class SslKeysSavingPreTest < Test::Unit::TestCase
def test_ssl_data
assert TestCommon::Settings.lookup('public_ssl'), 'No SSL hash found in Hiera!'
end
end


@ -0,0 +1,25 @@
- id: ssl-keys-saving
type: puppet
groups: [primary-controller, controller]
requires: [firewall]
condition: "(settings:public_ssl.horizon.value == true or settings:public_ssl.services.value == true) and settings:public_ssl.cert_source.value == 'user_uploaded'"
required_for: [deploy_end]
parameters:
puppet_manifest: /etc/puppet/modules/osnailyfacter/modular/ssl/ssl_keys_saving.pp
puppet_modules: /etc/puppet/modules
timeout: 3600
test_pre:
cmd: ruby /etc/puppet/modules/osnailyfacter/modular/ssl/ssl_keys_saving_pre.rb
- id: ssl-add-trust-chain
type: puppet
groups: [primary-controller, controller]
requires: [firewall, ssl-keys-saving]
condition: "settings:public_ssl.horizon.value == true or settings:public_ssl.services.value == true"
required_for: [deploy_end]
parameters:
puppet_manifest: /etc/puppet/modules/osnailyfacter/modular/ssl/ssl_add_trust_chain.pp
puppet_modules: /etc/puppet/modules
timeout: 3600
test_pre:
cmd: ruby /etc/puppet/modules/osnailyfacter/modular/ssl/ssl_keys_saving_pre.rb
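Review bot: ssl-keys-saving declares only `test_pre`, while ssl_keys_saving_post.rb is added in this commit but wired nowhere; add `test_post:` with `cmd: ruby /etc/puppet/modules/osnailyfacter/modular/ssl/ssl_keys_saving_post.rb` under its parameters. ssl-add-trust-chain reuses `ssl_keys_saving_pre.rb` as its pre-test although its own condition does not depend on `cert_source`, and it `requires: [firewall, ssl-keys-saving]` even in the self_signed case where ssl-keys-saving's condition is false; confirm the scheduler treats a dependency on a condition-skipped task as satisfied rather than as a failure.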


@ -57,6 +57,16 @@ external_ntp:
label: Upstream NTP
weight: 100
ntp_list: 0.pool.ntp.org, 1.pool.ntp.org
public_ssl:
metadata:
label: Public TLS
weight: 110
horizon: true
services: true
cert_source: self_signed
cert_data:
content: 'somedataaboutyourkeypair'
hostname: public.fuel.local
fail_if_error: false
fqdn: node-118.test.domain.local
fuel_version: '6.1'


@ -57,6 +57,16 @@ external_ntp:
label: Upstream NTP
weight: 100
ntp_list: 0.pool.ntp.org, 1.pool.ntp.org
public_ssl:
metadata:
label: Public TLS
weight: 110
horizon: true
services: true
cert_source: self_signed
cert_data:
content: 'somedataaboutyourkeypair'
hostname: public.fuel.local
fail_if_error: false
fqdn: node-132.test.domain.local
fuel_version: '6.1'


@ -57,6 +57,16 @@ external_ntp:
label: Upstream NTP
weight: 100
ntp_list: 0.pool.ntp.org, 1.pool.ntp.org
public_ssl:
metadata:
label: Public TLS
weight: 110
horizon: true
services: true
cert_source: self_signed
cert_data:
content: 'somedataaboutyourkeypair'
hostname: public.fuel.local
fail_if_error: false
fqdn: node-129.test.domain.local
fuel_version: '6.1'


@ -57,6 +57,16 @@ external_ntp:
label: Upstream NTP
weight: 100
ntp_list: 0.pool.ntp.org, 1.pool.ntp.org
public_ssl:
metadata:
label: Public TLS
weight: 110
horizon: true
services: true
cert_source: self_signed
cert_data:
content: 'somedataaboutyourkeypair'
hostname: public.fuel.local
fail_if_error: true
fqdn: node-128.test.domain.local
fuel_version: '6.1'


@ -57,6 +57,16 @@ external_ntp:
label: Upstream NTP
weight: 100
ntp_list: 0.pool.ntp.org, 1.pool.ntp.org
public_ssl:
metadata:
label: Public TLS
weight: 110
horizon: true
services: true
cert_source: self_signed
cert_data:
content: 'somedataaboutyourkeypair'
hostname: public.fuel.local
fail_if_error: true
fqdn: node-124.test.domain.local
fuel_version: '6.1'


@ -57,6 +57,16 @@ external_ntp:
label: Upstream NTP
weight: 100
ntp_list: 0.pool.ntp.org, 1.pool.ntp.org
public_ssl:
metadata:
label: Public TLS
weight: 110
horizon: true
services: true
cert_source: self_signed
cert_data:
content: 'somedataaboutyourkeypair'
hostname: public.fuel.local
fail_if_error: false
fqdn: node-127.test.domain.local
fuel_version: '6.1'


@ -57,6 +57,16 @@ external_ntp:
label: Upstream NTP
weight: 100
ntp_list: 0.pool.ntp.org, 1.pool.ntp.org
public_ssl:
metadata:
label: Public TLS
weight: 110
horizon: true
services: true
cert_source: self_signed
cert_data:
content: 'somedataaboutyourkeypair'
hostname: public.fuel.local
fail_if_error: true
fqdn: node-125.test.domain.local
fuel_version: '6.1'


@ -57,6 +57,16 @@ external_ntp:
label: Upstream NTP
weight: 100
ntp_list: 0.pool.ntp.org, 1.pool.ntp.org
public_ssl:
metadata:
label: Public TLS
weight: 110
horizon: true
services: true
cert_source: self_signed
cert_data:
content: 'somedataaboutyourkeypair'
hostname: public.fuel.local
fail_if_error: true
fqdn: node-121.test.domain.local
fuel_version: '6.1'


@ -60,6 +60,16 @@ external_ntp:
label: Upstream NTP
weight: 100
ntp_list: 0.pool.ntp.org, 1.pool.ntp.org
public_ssl:
metadata:
label: Public TLS
weight: 110
horizon: true
services: true
cert_source: self_signed
cert_data:
content: 'somedataaboutyourkeypair'
hostname: public.fuel.local
fail_if_error: false
fixed_network_range: 10.0.0.0/16
floating_network_range:


@ -60,6 +60,16 @@ external_ntp:
label: Upstream NTP
weight: 100
ntp_list: 0.pool.ntp.org, 1.pool.ntp.org
public_ssl:
metadata:
label: Public TLS
weight: 110
horizon: true
services: true
cert_source: self_signed
cert_data:
content: 'somedataaboutyourkeypair'
hostname: public.fuel.local
fail_if_error: true
fixed_network_range: 10.0.0.0/16
floating_network_range:


@ -60,6 +60,16 @@ external_ntp:
label: Upstream NTP
weight: 100
ntp_list: 0.pool.ntp.org, 1.pool.ntp.org
public_ssl:
metadata:
label: Public TLS
weight: 110
horizon: true
services: true
cert_source: self_signed
cert_data:
content: 'somedataaboutyourkeypair'
hostname: public.fuel.local
fail_if_error: false
fixed_network_range: 10.0.0.0/16
floating_network_range:


@ -504,6 +504,16 @@ external_ntp:
metadata:
weight: 100
label: Upstream NTP
public_ssl:
metadata:
label: Public TLS
weight: 110
horizon: true
services: true
cert_source: self_signed
cert_data:
content: 'somedataaboutyourkeypair'
hostname: public.fuel.local
metadata:
weight: 30
label: Common


@ -514,6 +514,16 @@ external_ntp:
metadata:
weight: 100
label: Upstream NTP
public_ssl:
metadata:
label: Public TLS
weight: 110
horizon: true
services: true
cert_source: self_signed
cert_data:
content: 'somedataaboutyourkeypair'
hostname: public.fuel.local
metadata:
weight: 30
label: Common


@ -514,6 +514,16 @@ external_ntp:
metadata:
weight: 100
label: Upstream NTP
public_ssl:
metadata:
label: Public TLS
weight: 110
horizon: true
services: true
cert_source: self_signed
cert_data:
content: 'somedataaboutyourkeypair'
hostname: public.fuel.local
metadata:
weight: 30
label: Common


@ -514,6 +514,16 @@ external_ntp:
metadata:
weight: 100
label: Upstream NTP
public_ssl:
metadata:
label: Public TLS
weight: 110
horizon: true
services: true
cert_source: self_signed
cert_data:
content: 'somedataaboutyourkeypair'
hostname: public.fuel.local
metadata:
weight: 30
label: Common


@ -503,6 +503,16 @@ external_ntp:
metadata:
weight: 100
label: Upstream NTP
public_ssl:
metadata:
label: Public TLS
weight: 110
horizon: true
services: true
cert_source: self_signed
cert_data:
content: 'somedataaboutyourkeypair'
hostname: public.fuel.local
metadata:
weight: 30
label: Common


@ -514,6 +514,16 @@ external_ntp:
metadata:
weight: 100
label: Upstream NTP
public_ssl:
metadata:
label: Public TLS
weight: 110
horizon: true
services: true
cert_source: self_signed
cert_data:
content: 'somedataaboutyourkeypair'
hostname: public.fuel.local
metadata:
weight: 30
label: Common


@ -0,0 +1,8 @@
require 'spec_helper'
require 'shared-examples'
manifest = 'ssl/ssl_add_trust_chain.pp'
describe manifest do
test_ubuntu_and_centos manifest
end


@ -0,0 +1,8 @@
require 'spec_helper'
require 'shared-examples'
manifest = 'ssl/ssl_keys_saving.pp'
describe manifest do
test_ubuntu_and_centos manifest
end