Merge "Implement SSL keys generation"
8f1bc80b6c
|
@ -0,0 +1,34 @@
|
|||
#!/bin/sh
|
||||
|
||||
while getopts ":i:h:o:p:" opt; do
|
||||
case $opt in
|
||||
i) cluster_id=$OPTARG
|
||||
;;
|
||||
h) cn_name=$OPTARG
|
||||
;;
|
||||
o) open_ssl_keys=$OPTARG
|
||||
;;
|
||||
p) keys_path=$OPTARG
|
||||
;;
|
||||
esac
|
||||
done
|
||||
BASE_PATH="$keys_path/$cluster_id"
|
||||
CONF_PATH=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
|
||||
|
||||
function generate_open_ssl_keys {
|
||||
for i in $open_ssl_keys
|
||||
do
|
||||
local dir_path="$BASE_PATH/$i"
|
||||
local key_path="$dir_path/public_$i.key"
|
||||
local crt_path="$dir_path/public_$i.crt"
|
||||
mkdir -p $dir_path
|
||||
if [ ! -f $key_path ]; then
|
||||
env SSL_CN_NAME="$cn_name" bash -c "openssl req -newkey rsa:2048 -nodes -keyout $key_path -x509 -days 3650 -out $crt_path -config $CONF_PATH/openssl.cnf 2>&1"
|
||||
cat "$crt_path" "$key_path" > "$dir_path/public_$i.pem"
|
||||
else
|
||||
echo "Key $key_path already exists"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
generate_open_ssl_keys
|
|
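Review bot: The private key written by `-keyout $key_path` and the concatenated `public_$i.pem` are created under the caller's default umask, so the key material on the master is typically world-readable; set `umask 077` before the openssl call (or `chmod 600 "$key_path" "$dir_path/public_$i.pem"` right after it) so only root can read it. The openssl exit status is never checked either: with `2>&1` and no `set -e`, a failed `req` still falls through to the `cat`, producing a truncated .pem and a zero exit, so the task reports success; guard it with `... || { echo "openssl failed for $i" >&2; exit 1; }`. `#!/bin/sh` also does not match the bash-only constructs used below (`function`, `local`, `${BASH_SOURCE[0]}`), and the task definition invokes the script with `sh`; either change the shebang to bash and run it directly, or drop the bash-isms. `$dir_path` and `$key_path` are unquoted in `mkdir -p`/`[ -f ]` and interpolated into the `bash -c` string, so a path containing whitespace would be word-split; quoting them avoids that.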
@ -0,0 +1,19 @@
|
|||
[ req ]
|
||||
default_bits = 2048
|
||||
default_keyfile = keyfile.key
|
||||
distinguished_name = req_distinguished_name
|
||||
prompt = no
|
||||
req_extensions = v3_req
|
||||
|
||||
[ req_distinguished_name ]
|
||||
CN = US
|
||||
ST = California
|
||||
L = Mountain View
|
||||
O = Mirantis
|
||||
OU = Mirantis Deploy Team
|
||||
CN = ${ENV::SSL_CN_NAME}
|
||||
emailAddress = root@fuel.local
|
||||
|
||||
[ v3_req ]
|
||||
basicConstraints = CA:FALSE
|
||||
subjectKeyIdentifier = hash
|
|
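Review bot: `CN = US` on the first line of `[ req_distinguished_name ]` looks like a typo for the country field, `C = US`; as written the section declares CN twice (once as `US`, once from `${ENV::SSL_CN_NAME}`), so depending on the OpenSSL version the subject either loses one value or carries two CN attributes. Also, `req_extensions = v3_req` only applies when a CSR is generated; the script calls `openssl req -x509`, which takes its extensions from `x509_extensions`, so `basicConstraints = CA:FALSE` and the subjectKeyIdentifier are not written into the self-signed certificate — add `x509_extensions = v3_req` to `[ req ]`. Since the certificate is issued for a public hostname, consider adding `subjectAltName = DNS:${ENV::SSL_CN_NAME}` to `[ v3_req ]`; clients that match the hostname against SAN rather than CN will otherwise reject it. `default_keyfile = keyfile.key` is overridden by the script's `-keyout` and could carry a comment saying so.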
@ -150,6 +150,31 @@
|
|||
cmd: sh /etc/puppet/modules/osnailyfacter/modular/astute/generate_keys.sh -i {CLUSTER_ID} -o 'mongodb' -s 'neutron nova mysql' -p /var/lib/fuel/keys/
|
||||
timeout: 180
|
||||
|
||||
- id: generate_haproxy_keys
|
||||
type: shell
|
||||
role: master
|
||||
requires: [pre_deployment_start]
|
||||
condition: "(settings:public_ssl.horizon.value == true or settings:public_ssl.services.value == true) and settings:public_ssl.cert_source.value == 'self_signed'"
|
||||
required_for: [copy_haproxy_keys]
|
||||
parameters:
|
||||
cmd: sh /etc/puppet/modules/osnailyfacter/modular/astute/generate_haproxy_keys.sh -i {CLUSTER_ID} -h {CN_HOSTNAME} -o 'haproxy' -p /var/lib/fuel/keys/
|
||||
timeout: 180
|
||||
|
||||
- id: copy_haproxy_keys
|
||||
type: copy_files
|
||||
role: '*'
|
||||
required_for: [pre_deployment_end]
|
||||
requires: [generate_haproxy_keys]
|
||||
condition: "(settings:public_ssl.horizon.value == true or settings:public_ssl.services.value == true) and settings:public_ssl.cert_source.value == 'self_signed'"
|
||||
parameters:
|
||||
files:
|
||||
- src: /var/lib/fuel/keys/{CLUSTER_ID}/haproxy/public_haproxy.pem
|
||||
dst: /var/lib/astute/haproxy/public_haproxy.pem
|
||||
- src: /var/lib/fuel/keys/{CLUSTER_ID}/haproxy/public_haproxy.crt
|
||||
dst: /etc/pki/tls/certs/public_haproxy.pem
|
||||
permissions: '0600'
|
||||
dir_permissions: '0700'
|
||||
|
||||
- id: sync_time
|
||||
type: shell
|
||||
role: '*'
|
||||
|
|
|
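Review bot: `copy_haproxy_keys` ships `/var/lib/fuel/keys/{CLUSTER_ID}/haproxy/public_haproxy.pem` to every node (`role: '*'`), and per the generator script that .pem is the certificate concatenated with the private key, so the TLS private key lands on nodes that never terminate TLS. If only the controller roles run haproxy, restricting this task to them (the puppet tasks in this change use `groups: [primary-controller, controller]`) keeps the key where it is needed; `permissions: '0600'` and `dir_permissions: '0700'` on the destination are right and should stay. The second entry copies the bare certificate to `/etc/pki/tls/certs/public_haproxy.pem`, which the trust-chain manifest then links into the system CA store, so that name is a contract other manifests depend on — worth a comment such as `# certificate only; the key-bearing .pem lives under /var/lib/astute/haproxy`. The surrounding task list starts and ends outside the hunk.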
@ -0,0 +1,42 @@
|
|||
notice('MODULAR: ssl_add_trust_chain.pp')
|
||||
|
||||
$public_ssl_hash = hiera('public_ssl')
|
||||
$ip = hiera('public_vip')
|
||||
|
||||
case $::osfamily {
|
||||
/(?i)redhat/: {
|
||||
file { '/etc/pki/ca-trust/source/anchors/public_haproxy.pem':
|
||||
ensure => 'link',
|
||||
target => '/etc/pki/tls/certs/public_haproxy.pem',
|
||||
}->
|
||||
|
||||
exec { 'enable_trust':
|
||||
path => '/bin:/usr/bin:/sbin:/usr/sbin',
|
||||
command => 'update-ca-trust force-enable',
|
||||
}->
|
||||
|
||||
exec { 'add_trust':
|
||||
path => '/bin:/usr/bin:/sbin:/usr/sbin',
|
||||
command => 'update-ca-trust extract',
|
||||
}
|
||||
}
|
||||
/(?i)debian/: {
|
||||
file { '/usr/local/share/ca-certificates/public_haproxy.crt':
|
||||
ensure => 'link',
|
||||
target => '/etc/pki/tls/certs/public_haproxy.pem',
|
||||
}->
|
||||
|
||||
exec { 'add_trust':
|
||||
path => '/bin:/usr/bin:/sbin:/usr/sbin',
|
||||
command => 'update-ca-certificates',
|
||||
}
|
||||
}
|
||||
default: {
|
||||
fail("Unsupported OS: ${::osfamily}/${::operatingsystem}")
|
||||
}
|
||||
}
|
||||
|
||||
host { $public_ssl_hash['hostname']:
|
||||
ensure => present,
|
||||
ip => $ip,
|
||||
}
|
|
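Review bot: The `enable_trust`/`add_trust` exec resources have no `refreshonly`, `unless` or `creates`, so `update-ca-trust extract` and `update-ca-certificates` run on every Puppet run even when nothing changed; `refreshonly => true` with `~>` instead of `->` from the `file` link resource makes them run only when the link is (re)created. At a security level this manifest installs the haproxy server certificate itself as a trust anchor in the system CA store, so anything signed with that certificate's key — which the copy task distributes cluster-wide — becomes trusted by every node; that is the intended self-signed design here, but a header comment such as `# trusts the self-signed public_haproxy certificate cluster-wide; whoever holds its private key can mint certificates every node accepts` would stop a later change from widening it unnoticed. `hiera('public_ssl')` here versus `hiera_hash('public_ssl')` in ssl_keys_saving.pp is a minor inconsistency, since the two lookups merge hashes differently.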
@ -0,0 +1,22 @@
|
|||
notice('MODULAR: ssl_keys_saving.pp')
|
||||
|
||||
$public_ssl_hash = hiera_hash('public_ssl')
|
||||
$pub_certificate_content = $public_ssl_hash['cert_data']['content']
|
||||
$base_path = "/etc/pki/tls/certs"
|
||||
$pki_path = [ "/etc/pki", "/etc/pki/tls" ]
|
||||
$astute_base_path = "/var/lib/astute/haproxy"
|
||||
|
||||
File {
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0644',
|
||||
}
|
||||
|
||||
file { [ $pki_path, $base_path, $astute_base_path ]:
|
||||
ensure => directory,
|
||||
}
|
||||
|
||||
file { ["$base_path/public_haproxy.pem", "$astute_base_path/public_haproxy.pem"]:
|
||||
ensure => present,
|
||||
content => $pub_certificate_content,
|
||||
}
|
|
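Review bot: Both target files inherit the `File { mode => '0644' }` default, and `$pub_certificate_content` is the uploaded `cert_data.content`, which the fixtures and the post test describe as the keypair (certificate plus private key); writing that world-readable to `/var/lib/astute/haproxy/public_haproxy.pem` — and into the public `/etc/pki/tls/certs/` directory — exposes the private key to every local user. The self-signed path copies the same file with `permissions: '0600'`, so set `mode => '0600'` on at least the astute file, and consider writing only the certificate, not the key, under `/etc/pki/tls/certs/`, which the trust-chain manifest links into the CA store. `file { [ $pki_path, $base_path, $astute_base_path ]:` nests a two-element array inside the title list; Puppet flattens it, but it is easy to misread, so a flattened list or a short comment would help. Nothing checks that `cert_data.content` is non-empty before it is written.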
@ -0,0 +1,14 @@
|
|||
require File.join File.dirname(__FILE__), '../test_common.rb'
|
||||
|
||||
class SslKeysSavingPostTest < Test::Unit::TestCase
|
||||
|
||||
def has_public_ssl?
|
||||
TestCommon::Settings.lookup 'public_ssl'
|
||||
end
|
||||
|
||||
def test_ssl_keys_availability
|
||||
return unless has_public_ssl
|
||||
assert File.file?('/var/lib/astute/haproxy/public_haproxy.pem'), 'No public keypair saved!'
|
||||
end
|
||||
|
||||
end
|
|
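Review bot: `test_ssl_keys_availability` calls `has_public_ssl`, but the helper is defined as `has_public_ssl?`, so the test raises NameError instead of checking the file; change the guard to `return unless has_public_ssl?`. Silently returning when the hash is absent also makes the test pass vacuously in the case it was meant to catch; Test::Unit's `omit` or an explicit assertion on the setting would make the skip visible in the report. By the style guide a predicate named `has_public_ssl?` is better named `public_ssl?`.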
@ -0,0 +1,9 @@
|
|||
require File.join File.dirname(__FILE__), '../test_common.rb'
|
||||
|
||||
class SslKeysSavingPreTest < Test::Unit::TestCase
|
||||
|
||||
def test_ssl_data
|
||||
assert TestCommon::Settings.lookup('public_ssl'), 'No SSL hash found in Hiera!'
|
||||
end
|
||||
|
||||
end
|
|
@ -0,0 +1,25 @@
|
|||
- id: ssl-keys-saving
|
||||
type: puppet
|
||||
groups: [primary-controller, controller]
|
||||
requires: [firewall]
|
||||
condition: "(settings:public_ssl.horizon.value == true or settings:public_ssl.services.value == true) and settings:public_ssl.cert_source.value == 'user_uploaded'"
|
||||
required_for: [deploy_end]
|
||||
parameters:
|
||||
puppet_manifest: /etc/puppet/modules/osnailyfacter/modular/ssl/ssl_keys_saving.pp
|
||||
puppet_modules: /etc/puppet/modules
|
||||
timeout: 3600
|
||||
test_pre:
|
||||
cmd: ruby /etc/puppet/modules/osnailyfacter/modular/ssl/ssl_keys_saving_pre.rb
|
||||
|
||||
- id: ssl-add-trust-chain
|
||||
type: puppet
|
||||
groups: [primary-controller, controller]
|
||||
requires: [firewall, ssl-keys-saving]
|
||||
condition: "settings:public_ssl.horizon.value == true or settings:public_ssl.services.value == true"
|
||||
required_for: [deploy_end]
|
||||
parameters:
|
||||
puppet_manifest: /etc/puppet/modules/osnailyfacter/modular/ssl/ssl_add_trust_chain.pp
|
||||
puppet_modules: /etc/puppet/modules
|
||||
timeout: 3600
|
||||
test_pre:
|
||||
cmd: ruby /etc/puppet/modules/osnailyfacter/modular/ssl/ssl_keys_saving_pre.rb
|
|
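Review bot: Neither task wires the new `SslKeysSavingPostTest` check: `ssl-keys-saving` only declares `test_pre`, so the post-deployment assertion that `/var/lib/astute/haproxy/public_haproxy.pem` exists never runs; add `test_post:` with `cmd: ruby <path to the post check, presumably alongside ssl_keys_saving_pre.rb>` under its `parameters`. `ssl-add-trust-chain` requires `ssl-keys-saving` while its own condition also accepts the self-signed case, where `ssl-keys-saving`'s `user_uploaded` condition skips that task; whether a dependency on a condition-skipped task is satisfied depends on the orchestrator, so either narrow the requirement or document the expectation. Its `test_pre` reusing `ssl_keys_saving_pre.rb` only checks that the hash exists, which is fine, but a comment like `# pre-check shared with ssl-keys-saving: only verifies the public_ssl hash is present` would make that deliberate.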
@ -57,6 +57,16 @@ external_ntp:
|
|||
label: Upstream NTP
|
||||
weight: 100
|
||||
ntp_list: 0.pool.ntp.org, 1.pool.ntp.org
|
||||
public_ssl:
|
||||
metadata:
|
||||
label: Public TLS
|
||||
weight: 110
|
||||
horizon: true
|
||||
services: true
|
||||
cert_source: self_signed
|
||||
cert_data:
|
||||
content: 'somedataaboutyourkeypair'
|
||||
hostname: public.fuel.local
|
||||
fail_if_error: false
|
||||
fqdn: node-118.test.domain.local
|
||||
fuel_version: '6.1'
|
||||
|
|
|
@ -57,6 +57,16 @@ external_ntp:
|
|||
label: Upstream NTP
|
||||
weight: 100
|
||||
ntp_list: 0.pool.ntp.org, 1.pool.ntp.org
|
||||
public_ssl:
|
||||
metadata:
|
||||
label: Public TLS
|
||||
weight: 110
|
||||
horizon: true
|
||||
services: true
|
||||
cert_source: self_signed
|
||||
cert_data:
|
||||
content: 'somedataaboutyourkeypair'
|
||||
hostname: public.fuel.local
|
||||
fail_if_error: false
|
||||
fqdn: node-132.test.domain.local
|
||||
fuel_version: '6.1'
|
||||
|
|
|
@ -57,6 +57,16 @@ external_ntp:
|
|||
label: Upstream NTP
|
||||
weight: 100
|
||||
ntp_list: 0.pool.ntp.org, 1.pool.ntp.org
|
||||
public_ssl:
|
||||
metadata:
|
||||
label: Public TLS
|
||||
weight: 110
|
||||
horizon: true
|
||||
services: true
|
||||
cert_source: self_signed
|
||||
cert_data:
|
||||
content: 'somedataaboutyourkeypair'
|
||||
hostname: public.fuel.local
|
||||
fail_if_error: false
|
||||
fqdn: node-129.test.domain.local
|
||||
fuel_version: '6.1'
|
||||
|
|
|
@ -57,6 +57,16 @@ external_ntp:
|
|||
label: Upstream NTP
|
||||
weight: 100
|
||||
ntp_list: 0.pool.ntp.org, 1.pool.ntp.org
|
||||
public_ssl:
|
||||
metadata:
|
||||
label: Public TLS
|
||||
weight: 110
|
||||
horizon: true
|
||||
services: true
|
||||
cert_source: self_signed
|
||||
cert_data:
|
||||
content: 'somedataaboutyourkeypair'
|
||||
hostname: public.fuel.local
|
||||
fail_if_error: true
|
||||
fqdn: node-128.test.domain.local
|
||||
fuel_version: '6.1'
|
||||
|
|
|
@ -57,6 +57,16 @@ external_ntp:
|
|||
label: Upstream NTP
|
||||
weight: 100
|
||||
ntp_list: 0.pool.ntp.org, 1.pool.ntp.org
|
||||
public_ssl:
|
||||
metadata:
|
||||
label: Public TLS
|
||||
weight: 110
|
||||
horizon: true
|
||||
services: true
|
||||
cert_source: self_signed
|
||||
cert_data:
|
||||
content: 'somedataaboutyourkeypair'
|
||||
hostname: public.fuel.local
|
||||
fail_if_error: true
|
||||
fqdn: node-124.test.domain.local
|
||||
fuel_version: '6.1'
|
||||
|
|
|
@ -57,6 +57,16 @@ external_ntp:
|
|||
label: Upstream NTP
|
||||
weight: 100
|
||||
ntp_list: 0.pool.ntp.org, 1.pool.ntp.org
|
||||
public_ssl:
|
||||
metadata:
|
||||
label: Public TLS
|
||||
weight: 110
|
||||
horizon: true
|
||||
services: true
|
||||
cert_source: self_signed
|
||||
cert_data:
|
||||
content: 'somedataaboutyourkeypair'
|
||||
hostname: public.fuel.local
|
||||
fail_if_error: false
|
||||
fqdn: node-127.test.domain.local
|
||||
fuel_version: '6.1'
|
||||
|
|
|
@ -57,6 +57,16 @@ external_ntp:
|
|||
label: Upstream NTP
|
||||
weight: 100
|
||||
ntp_list: 0.pool.ntp.org, 1.pool.ntp.org
|
||||
public_ssl:
|
||||
metadata:
|
||||
label: Public TLS
|
||||
weight: 110
|
||||
horizon: true
|
||||
services: true
|
||||
cert_source: self_signed
|
||||
cert_data:
|
||||
content: 'somedataaboutyourkeypair'
|
||||
hostname: public.fuel.local
|
||||
fail_if_error: true
|
||||
fqdn: node-125.test.domain.local
|
||||
fuel_version: '6.1'
|
||||
|
|
|
@ -57,6 +57,16 @@ external_ntp:
|
|||
label: Upstream NTP
|
||||
weight: 100
|
||||
ntp_list: 0.pool.ntp.org, 1.pool.ntp.org
|
||||
public_ssl:
|
||||
metadata:
|
||||
label: Public TLS
|
||||
weight: 110
|
||||
horizon: true
|
||||
services: true
|
||||
cert_source: self_signed
|
||||
cert_data:
|
||||
content: 'somedataaboutyourkeypair'
|
||||
hostname: public.fuel.local
|
||||
fail_if_error: true
|
||||
fqdn: node-121.test.domain.local
|
||||
fuel_version: '6.1'
|
||||
|
|
|
@ -60,6 +60,16 @@ external_ntp:
|
|||
label: Upstream NTP
|
||||
weight: 100
|
||||
ntp_list: 0.pool.ntp.org, 1.pool.ntp.org
|
||||
public_ssl:
|
||||
metadata:
|
||||
label: Public TLS
|
||||
weight: 110
|
||||
horizon: true
|
||||
services: true
|
||||
cert_source: self_signed
|
||||
cert_data:
|
||||
content: 'somedataaboutyourkeypair'
|
||||
hostname: public.fuel.local
|
||||
fail_if_error: false
|
||||
fixed_network_range: 10.0.0.0/16
|
||||
floating_network_range:
|
||||
|
|
|
@ -60,6 +60,16 @@ external_ntp:
|
|||
label: Upstream NTP
|
||||
weight: 100
|
||||
ntp_list: 0.pool.ntp.org, 1.pool.ntp.org
|
||||
public_ssl:
|
||||
metadata:
|
||||
label: Public TLS
|
||||
weight: 110
|
||||
horizon: true
|
||||
services: true
|
||||
cert_source: self_signed
|
||||
cert_data:
|
||||
content: 'somedataaboutyourkeypair'
|
||||
hostname: public.fuel.local
|
||||
fail_if_error: true
|
||||
fixed_network_range: 10.0.0.0/16
|
||||
floating_network_range:
|
||||
|
|
|
@ -60,6 +60,16 @@ external_ntp:
|
|||
label: Upstream NTP
|
||||
weight: 100
|
||||
ntp_list: 0.pool.ntp.org, 1.pool.ntp.org
|
||||
public_ssl:
|
||||
metadata:
|
||||
label: Public TLS
|
||||
weight: 110
|
||||
horizon: true
|
||||
services: true
|
||||
cert_source: self_signed
|
||||
cert_data:
|
||||
content: 'somedataaboutyourkeypair'
|
||||
hostname: public.fuel.local
|
||||
fail_if_error: false
|
||||
fixed_network_range: 10.0.0.0/16
|
||||
floating_network_range:
|
||||
|
|
|
@ -504,6 +504,16 @@ external_ntp:
|
|||
metadata:
|
||||
weight: 100
|
||||
label: Upstream NTP
|
||||
public_ssl:
|
||||
metadata:
|
||||
label: Public TLS
|
||||
weight: 110
|
||||
horizon: true
|
||||
services: true
|
||||
cert_source: self_signed
|
||||
cert_data:
|
||||
content: 'somedataaboutyourkeypair'
|
||||
hostname: public.fuel.local
|
||||
metadata:
|
||||
weight: 30
|
||||
label: Common
|
||||
|
|
|
@ -514,6 +514,16 @@ external_ntp:
|
|||
metadata:
|
||||
weight: 100
|
||||
label: Upstream NTP
|
||||
public_ssl:
|
||||
metadata:
|
||||
label: Public TLS
|
||||
weight: 110
|
||||
horizon: true
|
||||
services: true
|
||||
cert_source: self_signed
|
||||
cert_data:
|
||||
content: 'somedataaboutyourkeypair'
|
||||
hostname: public.fuel.local
|
||||
metadata:
|
||||
weight: 30
|
||||
label: Common
|
||||
|
|
|
@ -514,6 +514,16 @@ external_ntp:
|
|||
metadata:
|
||||
weight: 100
|
||||
label: Upstream NTP
|
||||
public_ssl:
|
||||
metadata:
|
||||
label: Public TLS
|
||||
weight: 110
|
||||
horizon: true
|
||||
services: true
|
||||
cert_source: self_signed
|
||||
cert_data:
|
||||
content: 'somedataaboutyourkeypair'
|
||||
hostname: public.fuel.local
|
||||
metadata:
|
||||
weight: 30
|
||||
label: Common
|
||||
|
|
|
@ -514,6 +514,16 @@ external_ntp:
|
|||
metadata:
|
||||
weight: 100
|
||||
label: Upstream NTP
|
||||
public_ssl:
|
||||
metadata:
|
||||
label: Public TLS
|
||||
weight: 110
|
||||
horizon: true
|
||||
services: true
|
||||
cert_source: self_signed
|
||||
cert_data:
|
||||
content: 'somedataaboutyourkeypair'
|
||||
hostname: public.fuel.local
|
||||
metadata:
|
||||
weight: 30
|
||||
label: Common
|
||||
|
|
|
@ -503,6 +503,16 @@ external_ntp:
|
|||
metadata:
|
||||
weight: 100
|
||||
label: Upstream NTP
|
||||
public_ssl:
|
||||
metadata:
|
||||
label: Public TLS
|
||||
weight: 110
|
||||
horizon: true
|
||||
services: true
|
||||
cert_source: self_signed
|
||||
cert_data:
|
||||
content: 'somedataaboutyourkeypair'
|
||||
hostname: public.fuel.local
|
||||
metadata:
|
||||
weight: 30
|
||||
label: Common
|
||||
|
|
|
@ -514,6 +514,16 @@ external_ntp:
|
|||
metadata:
|
||||
weight: 100
|
||||
label: Upstream NTP
|
||||
public_ssl:
|
||||
metadata:
|
||||
label: Public TLS
|
||||
weight: 110
|
||||
horizon: true
|
||||
services: true
|
||||
cert_source: self_signed
|
||||
cert_data:
|
||||
content: 'somedataaboutyourkeypair'
|
||||
hostname: public.fuel.local
|
||||
metadata:
|
||||
weight: 30
|
||||
label: Common
|
||||
|
|
|
@ -0,0 +1,8 @@
|
|||
require 'spec_helper'
|
||||
require 'shared-examples'
|
||||
manifest = 'ssl/ssl_add_trust_chain.pp'
|
||||
|
||||
describe manifest do
|
||||
test_ubuntu_and_centos manifest
|
||||
end
|
||||
|
|
@ -0,0 +1,8 @@
|
|||
require 'spec_helper'
|
||||
require 'shared-examples'
|
||||
manifest = 'ssl/ssl_keys_saving.pp'
|
||||
|
||||
describe manifest do
|
||||
test_ubuntu_and_centos manifest
|
||||
end
|
||||
|