Use trust for tls generation
Currently, we use the user's auth token, which expires after a while. We need to use a trust instead. Change-Id: Ie18e6a1371871720fbfd4af0bd43e166075b0c6d Closes-Bug: #1503863 Partially-Implements: blueprint use-trust-for-tls-cert-generation
parent
e8a108b182
commit
e8d537857a
@ -155,7 +155,8 @@ function create_magnum_conf {
|
||||||
configure_auth_token_middleware $MAGNUM_CONF magnum $MAGNUM_AUTH_CACHE_DIR
|
configure_auth_token_middleware $MAGNUM_CONF magnum $MAGNUM_AUTH_CACHE_DIR
|
||||||
|
|
||||||
iniset $MAGNUM_CONF keystone_auth auth_url $KEYSTONE_SERVICE_URI/v3
|
iniset $MAGNUM_CONF keystone_auth auth_url $KEYSTONE_SERVICE_URI/v3
|
||||||
iniset $MAGNUM_CONF keystone_authtoken auth_uri $KEYSTONE_SERVICE_URI/v3
|
iniset $MAGNUM_CONF keystone_authtoken auth_uri \
|
||||||
|
${KEYSTONE_SERVICE_PROTOCOL}://${HOST_IP}:${KEYSTONE_SERVICE_PORT}/v3
|
||||||
iniset $MAGNUM_CONF keystone_authtoken auth_version v3
|
iniset $MAGNUM_CONF keystone_authtoken auth_version v3
|
||||||
|
|
||||||
if is_fedora || is_suse; then
|
if is_fedora || is_suse; then
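Review bot: The new auth_uri is built from `${KEYSTONE_SERVICE_PROTOCOL}://${HOST_IP}:${KEYSTONE_SERVICE_PORT}/v3` instead of `$KEYSTONE_SERVICE_URI`, but nothing in the hunk says why the two may differ, and the next person to "simplify" it will revert it. Presumably this value is what ends up as AUTH_URL on the bay nodes (the auth_url Heat parameter added elsewhere in this commit), so it has to be an address routable from the bay network rather than whatever KEYSTONE_SERVICE_URI resolves to locally; please say so: `# bay nodes authenticate against this auth_uri to get a trust-scoped token, so it must be reachable from the bay network: use HOST_IP, not KEYSTONE_SERVICE_URI`. Note that when KEYSTONE_SERVICE_PROTOCOL is http the trustee password the nodes POST to this URL crosses the bay network in clear; that is acceptable for devstack but worth a one-line warning next to the same comment. create_magnum_conf continues outside the hunk.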
|
||||||
|
@ -314,6 +315,7 @@ function configure_iptables {
|
||||||
sudo iptables -t nat -A POSTROUTING -o $OBOUND_DEV -j MASQUERADE
|
sudo iptables -t nat -A POSTROUTING -o $OBOUND_DEV -j MASQUERADE
|
||||||
# bay nodes will access m-api (port $MAGNUM_SERVICE_PORT) to get CA certificate.
|
# bay nodes will access m-api (port $MAGNUM_SERVICE_PORT) to get CA certificate.
|
||||||
sudo iptables -I INPUT -d $HOST_IP -p tcp --dport $MAGNUM_SERVICE_PORT -j ACCEPT || true
|
sudo iptables -I INPUT -d $HOST_IP -p tcp --dport $MAGNUM_SERVICE_PORT -j ACCEPT || true
|
||||||
|
sudo iptables -I INPUT -d $HOST_IP -p tcp --dport $KEYSTONE_SERVICE_PORT -j ACCEPT || true
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
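Review bot: The added `iptables -I INPUT -d $HOST_IP -p tcp --dport $KEYSTONE_SERVICE_PORT -j ACCEPT` is inserted at the top of the INPUT chain and accepts from any source, while the comment above it still only explains the m-api rule; add `# bay nodes also need Keystone (port $KEYSTONE_SERVICE_PORT) to exchange the trustee credentials for a trust-scoped token.` above the new line. If the bay's fixed-network CIDR is available in this function (it is not visible in the hunk), restricting both rules with `-s <bay network>` would keep the devstack host's Keystone from being exposed to everything that can reach HOST_IP. The `|| true` mirrors the existing line, but it also hides a typo in the variable name, so a failure would go unnoticed until nodes cannot fetch a token.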
||||||
|
|
|
@ -36,6 +36,37 @@ CLIENT_CERT=$cert_dir/client.crt
|
||||||
CLIENT_CSR=$cert_dir/client.csr
|
CLIENT_CSR=$cert_dir/client.csr
|
||||||
CLIENT_KEY=$cert_dir/client.key
|
CLIENT_KEY=$cert_dir/client.key
|
||||||
|
|
||||||
|
#Get a token by user credentials and trust
|
||||||
|
cat > auth.json << EOF
|
||||||
|
{
|
||||||
|
"auth": {
|
||||||
|
"identity": {
|
||||||
|
"methods": [
|
||||||
|
"password"
|
||||||
|
],
|
||||||
|
"password": {
|
||||||
|
"user": {
|
||||||
|
"id": "$TRUSTEE_USER_ID",
|
||||||
|
"password": "$TRUSTEE_PASSWORD"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"scope": {
|
||||||
|
"OS-TRUST:trust": {
|
||||||
|
"id": "$TRUST_ID"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
EOF
|
||||||
|
|
||||||
|
#trust is introduced in Keystone v3 version
|
||||||
|
AUTH_URL=${AUTH_URL/v2.0/v3}
|
||||||
|
USER_TOKEN=`curl -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
|
||||||
|
$AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}'`
|
||||||
|
|
||||||
|
rm -rf auth.json
|
||||||
|
|
||||||
# Get CA certificate for this bay
|
# Get CA certificate for this bay
|
||||||
curl -X GET \
|
curl -X GET \
|
||||||
-H "X-Auth-Token: $USER_TOKEN" \
|
-H "X-Auth-Token: $USER_TOKEN" \
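Review bot: The auth request body, including `$TRUSTEE_PASSWORD`, is written to `auth.json` in the current working directory with whatever umask the script runs under, so the plaintext trustee password can be world-readable on the node for the lifetime of the curl call, and on any failure between `cat` and `rm -rf` it stays behind. Write it to a private temporary file instead (and `rm -f` a temp file rather than `rm -rf` a relative name). Two smaller points in the same lines: the unquoted heredoc means a password containing `"` or `\` produces invalid JSON, and the header value extracted with `awk '{print $2}'` from `curl -i` output likely still carries the CRLF's `\r` (awk's default field splitting does not strip it), which is why I append `tr -d '\r'`; confirm against a real response. The `curl -X GET` this hunk ends on continues past the hunk.
```shell
# Keep the trustee password out of a world-readable file: private temp file
# (mktemp creates it 0600 on common implementations, chmod makes that explicit).
auth_json=$(mktemp)
chmod 600 "$auth_json"
cat > "$auth_json" << EOF
# … unchanged: JSON auth body (password identity + OS-TRUST:trust scope) …
EOF

# … unchanged: AUTH_URL v2.0 -> v3 substitution …
USER_TOKEN=`curl -s -i -X POST -H "Content-Type: application/json" -d @"$auth_json" \
    $AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}' | tr -d '\r'`

rm -f "$auth_json"
```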
|
||||||
|
|
|
@ -43,6 +43,37 @@ SERVER_CERT=$cert_dir/server.crt
|
||||||
SERVER_CSR=$cert_dir/server.csr
|
SERVER_CSR=$cert_dir/server.csr
|
||||||
SERVER_KEY=$cert_dir/server.key
|
SERVER_KEY=$cert_dir/server.key
|
||||||
|
|
||||||
|
#Get a token by user credentials and trust
|
||||||
|
cat > auth.json << EOF
|
||||||
|
{
|
||||||
|
"auth": {
|
||||||
|
"identity": {
|
||||||
|
"methods": [
|
||||||
|
"password"
|
||||||
|
],
|
||||||
|
"password": {
|
||||||
|
"user": {
|
||||||
|
"id": "$TRUSTEE_USER_ID",
|
||||||
|
"password": "$TRUSTEE_PASSWORD"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"scope": {
|
||||||
|
"OS-TRUST:trust": {
|
||||||
|
"id": "$TRUST_ID"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
EOF
|
||||||
|
|
||||||
|
#trust is introduced in Keystone v3 version
|
||||||
|
AUTH_URL=${AUTH_URL/v2.0/v3}
|
||||||
|
USER_TOKEN=`curl -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
|
||||||
|
$AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}'`
|
||||||
|
|
||||||
|
rm -rf auth.json
|
||||||
|
|
||||||
# Get CA certificate for this bay
|
# Get CA certificate for this bay
|
||||||
curl -X GET \
|
curl -X GET \
|
||||||
-H "X-Auth-Token: $USER_TOKEN" \
|
-H "X-Auth-Token: $USER_TOKEN" \
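Review bot: `USER_TOKEN` is used on the very next line without checking that a token was actually obtained; if Keystone rejects the request (wrong trustee password, a trust that was deleted or expired, or an AUTH_URL the `v2.0`→`v3` substitution did not apply to), `grep` finds no `X-Subject-Token` header, the variable is empty, and the CA-certificate GET runs with a blank `X-Auth-Token` and fails with an unrelated-looking 401. Add a guard right after the assignment: `[ -n "$USER_TOKEN" ] || { echo "failed to obtain trust-scoped token from $AUTH_URL" >&2; exit 1; }`. This block is a byte-for-byte copy of the one added to the master fragment in this commit; factoring it into a shared fragment would keep the two from drifting. The curl call this hunk ends on continues past the hunk.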
|
||||||
|
|
|
@ -17,7 +17,6 @@ write_files:
|
||||||
FLANNEL_USE_VXLAN="$FLANNEL_USE_VXLAN"
|
FLANNEL_USE_VXLAN="$FLANNEL_USE_VXLAN"
|
||||||
PORTAL_NETWORK_CIDR="$PORTAL_NETWORK_CIDR"
|
PORTAL_NETWORK_CIDR="$PORTAL_NETWORK_CIDR"
|
||||||
ETCD_DISCOVERY_URL="$ETCD_DISCOVERY_URL"
|
ETCD_DISCOVERY_URL="$ETCD_DISCOVERY_URL"
|
||||||
AUTH_URL="$AUTH_URL"
|
|
||||||
USERNAME="$USERNAME"
|
USERNAME="$USERNAME"
|
||||||
PASSWORD="$PASSWORD"
|
PASSWORD="$PASSWORD"
|
||||||
TENANT_NAME="$TENANT_NAME"
|
TENANT_NAME="$TENANT_NAME"
|
||||||
|
@ -31,3 +30,7 @@ write_files:
|
||||||
NO_PROXY="$NO_PROXY"
|
NO_PROXY="$NO_PROXY"
|
||||||
WAIT_CURL="$WAIT_CURL"
|
WAIT_CURL="$WAIT_CURL"
|
||||||
KUBE_VERSION="$KUBE_VERSION"
|
KUBE_VERSION="$KUBE_VERSION"
|
||||||
|
TRUSTEE_USER_ID="$TRUSTEE_USER_ID"
|
||||||
|
TRUSTEE_PASSWORD="$TRUSTEE_PASSWORD"
|
||||||
|
TRUST_ID="$TRUST_ID"
|
||||||
|
AUTH_URL="$AUTH_URL"
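Review bot: After this hunk the heat-params file on the master carries `TRUSTEE_USER_ID`, `TRUSTEE_PASSWORD` and `TRUST_ID`, yet the previous hunk still writes the user's own `USERNAME`, `PASSWORD` and `TENANT_NAME` into the same file; the point of the trust is that the node no longer needs the user's credentials, so if nothing else on the node reads those three values after this change, drop them here rather than shipping both credential sets. If another consumer still needs them, a short comment next to them saying which one would stop the next reviewer from asking the same question. The `write_files` entry header (path, owner, `permissions`) that governs how readable this file is on the node is above the hunk and not visible here.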
|
||||||
|
|
|
@ -32,3 +32,7 @@ write_files:
|
||||||
NO_PROXY="$NO_PROXY"
|
NO_PROXY="$NO_PROXY"
|
||||||
WAIT_CURL="$WAIT_CURL"
|
WAIT_CURL="$WAIT_CURL"
|
||||||
KUBE_VERSION="$KUBE_VERSION"
|
KUBE_VERSION="$KUBE_VERSION"
|
||||||
|
TRUSTEE_USER_ID="$TRUSTEE_USER_ID"
|
||||||
|
TRUSTEE_PASSWORD="$TRUSTEE_PASSWORD"
|
||||||
|
TRUST_ID="$TRUST_ID"
|
||||||
|
AUTH_URL="$AUTH_URL"
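Review bot: This adds a long-lived credential (`TRUSTEE_PASSWORD` plus `TRUST_ID`) to a file written by cloud-init on every minion, so the `write_files` entry this hunk belongs to should carry `permissions: "0600"` and a root owner; the entry header is above the hunk, so please confirm it does. Unlike the Heat parameter (which this commit marks `hidden: true`), the user-data itself is retrievable through the metadata service by any process on the node, so file permissions are the only thing limiting who on the node can read it. A one-line comment such as `# trustee credentials: used only to obtain a trust-scoped token for certificate requests` would tell operators what the value is for.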
|
||||||
|
|
|
@ -458,6 +458,10 @@ resources:
|
||||||
https_proxy: {get_param: https_proxy}
|
https_proxy: {get_param: https_proxy}
|
||||||
no_proxy: {get_param: no_proxy}
|
no_proxy: {get_param: no_proxy}
|
||||||
kube_version: {get_param: kube_version}
|
kube_version: {get_param: kube_version}
|
||||||
|
trustee_user_id: {get_param: trustee_user_id}
|
||||||
|
trustee_password: {get_param: trustee_password}
|
||||||
|
trust_id: {get_param: trust_id}
|
||||||
|
auth_url: {get_param: auth_url}
|
||||||
|
|
||||||
######################################################################
|
######################################################################
|
||||||
#
|
#
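Review bot: The four new `get_param` lines (`trustee_user_id`, `trustee_password`, `trust_id`, `auth_url`) reference parameters that must be declared in this template's own `parameters:` section, which is not part of this hunk; if that section is not also extended in this commit, stack creation fails at validation. When adding them, `trustee_password` and `trust_id` need `hidden: true` here as well as in the nested master/minion templates, otherwise `heat stack-show` on the top-level stack prints the trustee password in clear. Hunk is inside the `resources:` map, whose start and end are outside the hunk.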
|
||||||
|
@ -509,6 +513,10 @@ resources:
|
||||||
https_proxy: {get_param: https_proxy}
|
https_proxy: {get_param: https_proxy}
|
||||||
no_proxy: {get_param: no_proxy}
|
no_proxy: {get_param: no_proxy}
|
||||||
kube_version: {get_param: kube_version}
|
kube_version: {get_param: kube_version}
|
||||||
|
trustee_user_id: {get_param: trustee_user_id}
|
||||||
|
trustee_password: {get_param: trustee_password}
|
||||||
|
trust_id: {get_param: trust_id}
|
||||||
|
auth_url: {get_param: auth_url}
|
||||||
|
|
||||||
outputs:
|
outputs:
|
||||||
|
|
||||||
|
|
|
@ -158,6 +158,27 @@ parameters:
|
||||||
type: string
|
type: string
|
||||||
description: version of kubernetes used for kubernetes cluster
|
description: version of kubernetes used for kubernetes cluster
|
||||||
|
|
||||||
|
trustee_user_id:
|
||||||
|
type: string
|
||||||
|
description: user id of the trustee
|
||||||
|
default: ""
|
||||||
|
|
||||||
|
trustee_password:
|
||||||
|
type: string
|
||||||
|
description: password of the trustee
|
||||||
|
default: ""
|
||||||
|
hidden: true
|
||||||
|
|
||||||
|
trust_id:
|
||||||
|
type: string
|
||||||
|
description: id of the trust which is used by the trustee
|
||||||
|
default: ""
|
||||||
|
hidden: true
|
||||||
|
|
||||||
|
auth_url:
|
||||||
|
type: string
|
||||||
|
description: url for keystone
|
||||||
|
|
||||||
resources:
|
resources:
|
||||||
|
|
||||||
master_wait_handle:
|
master_wait_handle:
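Review bot: `trustee_password` and `trust_id` get `default: ""`, so a caller that forgets to pass them gets a stack that creates successfully and then fails later, on the node, with an opaque Keystone 401 from an empty password; `auth_url` in the same hunk has no default and therefore fails early at validation, which is the better behaviour for a credential. Either drop the two defaults or document why an empty value is legitimate, e.g. `# empty only for legacy callers that still rely on a user token`. The descriptions could also be more specific: `description: Keystone v3 auth URL reachable from the bay nodes` for `auth_url`, and `description: password of the trustee user (stored on every bay node)` so readers understand the exposure.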
|
||||||
|
@ -210,6 +231,10 @@ resources:
|
||||||
"$NO_PROXY": {get_param: no_proxy}
|
"$NO_PROXY": {get_param: no_proxy}
|
||||||
"$KUBE_VERSION": {get_param: kube_version}
|
"$KUBE_VERSION": {get_param: kube_version}
|
||||||
"$WAIT_CURL": {get_attr: [master_wait_handle, curl_cli]}
|
"$WAIT_CURL": {get_attr: [master_wait_handle, curl_cli]}
|
||||||
|
"$TRUSTEE_USER_ID": {get_param: trustee_user_id}
|
||||||
|
"$TRUSTEE_PASSWORD": {get_param: trustee_password}
|
||||||
|
"$TRUST_ID": {get_param: trust_id}
|
||||||
|
"$AUTH_URL": {get_param: auth_url}
|
||||||
|
|
||||||
make_cert:
|
make_cert:
|
||||||
type: OS::Heat::SoftwareConfig
|
type: OS::Heat::SoftwareConfig
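Review bot: `"$TRUSTEE_PASSWORD": {get_param: trustee_password}` is a plain substring substitution into a fragment that, per the write-heat-params change in this commit, assigns it as `TRUSTEE_PASSWORD="$TRUSTEE_PASSWORD"` in a shell-sourced file, so a password containing `"`, `$`, backtick or backslash would break or alter that file. The password generator is not visible here; if Magnum guarantees an alphanumeric secret, a comment saying so, e.g. `# trustee_password must be shell-safe (alphanumeric): it is substituted unquoted into heat-params`, is enough, otherwise the fragment should single-quote the value. The `str_replace` block this hunk belongs to starts above the hunk.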
|
||||||
|
|
|
@ -170,6 +170,27 @@ parameters:
|
||||||
type: string
|
type: string
|
||||||
description: version of kubenetes used for kubernetes cluster
|
description: version of kubenetes used for kubernetes cluster
|
||||||
|
|
||||||
|
trustee_user_id:
|
||||||
|
type: string
|
||||||
|
description: user id of the trustee
|
||||||
|
default: ""
|
||||||
|
|
||||||
|
trustee_password:
|
||||||
|
type: string
|
||||||
|
description: password of the trustee
|
||||||
|
default: ""
|
||||||
|
hidden: true
|
||||||
|
|
||||||
|
trust_id:
|
||||||
|
type: string
|
||||||
|
description: id of the trust which is used by the trustee
|
||||||
|
default: ""
|
||||||
|
hidden: true
|
||||||
|
|
||||||
|
auth_url:
|
||||||
|
type: string
|
||||||
|
description: url for keystone
|
||||||
|
|
||||||
resources:
|
resources:
|
||||||
|
|
||||||
minion_wait_handle:
|
minion_wait_handle:
|
||||||
|
@ -223,6 +244,10 @@ resources:
|
||||||
$NO_PROXY: {get_param: no_proxy}
|
$NO_PROXY: {get_param: no_proxy}
|
||||||
$KUBE_VERSION: {get_param: kube_version}
|
$KUBE_VERSION: {get_param: kube_version}
|
||||||
$WAIT_CURL: {get_attr: [minion_wait_handle, curl_cli]}
|
$WAIT_CURL: {get_attr: [minion_wait_handle, curl_cli]}
|
||||||
|
$TRUSTEE_USER_ID: {get_param: trustee_user_id}
|
||||||
|
$TRUSTEE_PASSWORD: {get_param: trustee_password}
|
||||||
|
$TRUST_ID: {get_param: trust_id}
|
||||||
|
$AUTH_URL: {get_param: auth_url}
|
||||||
|
|
||||||
write_kubeconfig:
|
write_kubeconfig:
|
||||||
type: OS::Heat::SoftwareConfig
|
type: OS::Heat::SoftwareConfig
|
||||||
|
|