Generate admin_url to enable https for admin endpoints

This commit updated platform services' sysinv puppet plugins to
generate proper admin_url hiera data to enable https for these endpoints
during controller unlock.

This commit also updated controller_config to copy and install dc admin
endpoint CA cert and haproxy cert for the second controller.

Change-Id: I21345a96f8a0ffb416069ff28dbcfa51b9e12359
Story: 2007347
Task: 39314
Signed-off-by: Andy Ning <andy.ning@windriver.com>

controllerconfig/controllerconfig/scripts/controller_config

@@ -319,6 +319,30 @@ start()
         fi
     fi
 
+    if [ -e $CONFIG_DIR/admin-ep-cert.pem ]
+    then
+        cp $CONFIG_DIR/admin-ep-cert.pem /etc/ssl/private/
+        if [ $? -ne 0 ]
+        then
+            fatal_error "Unable to copy $CONFIG_DIR/admin-ep-cert.pem to certificates dir"
+        fi
+    fi
+
+    if [ -e $CONFIG_DIR/dc-adminep-root-ca.crt ]
+    then
+        cp $CONFIG_DIR/dc-adminep-root-ca.crt /etc/pki/ca-trust/source/anchors/
+        if [ $? -ne 0 ]
+        then
+            fatal_error "Unable to copy $CONFIG_DIR/dc-adminep-root-ca.crt to certificates dir"
+        fi
+        # Update system trusted CA cert list with the new CA cert.
+        update-ca-trust extract
+        if [ $? -ne 0 ]
+        then
+            fatal_error "Unable to update system trusted CA certificate list"
+        fi
+    fi
+
     if [ -e $CONFIG_DIR/openstack ]
     then
         if [ ! -e /etc/ssl/private/openstack ]

sysinv/sysinv/sysinv/sysinv/common/constants.py

@@ -1542,6 +1542,8 @@ DEFAULT_DNS_SERVICE_DOMAIN = 'cluster.local'
 
 # Ansible bootstrap
 ANSIBLE_BOOTSTRAP_FLAG = os.path.join(tsc.VOLATILE_PATH, ".ansible_bootstrap")
+ANSIBLE_BOOTSTRAP_COMPLETED_FLAG = os.path.join(tsc.CONFIG_PATH,
+                                                ".bootstrap_completed")
 UNLOCK_READY_FLAG = os.path.join(tsc.PLATFORM_CONF_PATH, ".unlock_ready")
 INVENTORY_WAIT_TIMEOUT_IN_SECS = 90
 

sysinv/sysinv/sysinv/sysinv/puppet/barbican.py

@@ -89,7 +89,7 @@ class BarbicanPuppet(openstack.OpenstackBasePuppet):
         return self._format_private_endpoint(self.SERVICE_PORT)
 
     def get_admin_url(self):
-        return self._format_private_endpoint(self.SERVICE_PORT)
+        return self._format_admin_endpoint(self.SERVICE_PORT)
 
     def get_region_name(self):
         return self._get_service_region_name(self.SERVICE_NAME)

sysinv/sysinv/sysinv/sysinv/puppet/dcdbsync.py

@@ -132,7 +132,7 @@ class DCDBsyncPuppet(openstack.OpenstackBasePuppet):
                                              path=self.SERVICE_PATH)
 
     def get_admin_url(self):
-        return self._format_private_endpoint(self.SERVICE_PORT,
+        return self._format_admin_endpoint(self.SERVICE_PORT,
                                              path=self.SERVICE_PATH)
 
     def get_region_name(self):

sysinv/sysinv/sysinv/sysinv/puppet/dcmanager.py

@@ -111,7 +111,7 @@ class DCManagerPuppet(openstack.OpenstackBasePuppet):
                                              path=self.SERVICE_PATH)
 
     def get_admin_url(self):
-        return self._format_private_endpoint(self.SERVICE_PORT,
+        return self._format_admin_endpoint(self.SERVICE_PORT,
                                              path=self.SERVICE_PATH)
 
     def get_region_name(self):

sysinv/sysinv/sysinv/sysinv/puppet/dcorch.py

@@ -110,8 +110,19 @@ class DCOrchPuppet(openstack.OpenstackBasePuppet):
                 self.get_proxy_public_url(self.PATCHING_SERVICE_PORT,
                                           self.PATCHING_SERVICE_PATH),
             'dcorch::keystone::auth::identity_proxy_public_url':
-                self.get_proxy_internal_url(self.IDENTITY_SERVICE_PORT,
-                                            self.IDENTITY_SERVICE_PATH),
+                self.get_proxy_public_url(self.IDENTITY_SERVICE_PORT,
+                                          self.IDENTITY_SERVICE_PATH),
+
+            'dcorch::keystone::auth::sysinv_proxy_admin_url':
+                self.get_proxy_admin_url(self.PLATFORM_SERVICE_PORT,
+                                         self.PLATFORM_SERVICE_PATH),
+            'dcorch::keystone::auth::identity_proxy_admin_url':
+                self.get_proxy_admin_url(self.IDENTITY_SERVICE_PORT,
+                                         self.IDENTITY_SERVICE_PATH),
+            'dcorch::keystone::auth::patching_proxy_admin_url':
+                self.get_proxy_admin_url(self.PATCHING_SERVICE_PORT,
+                                         self.PATCHING_SERVICE_PATH),
+
             'dcorch::keystone::auth::region': self.get_region_name(),
             'dcorch::keystone::auth::auth_name': ksuser,
             'dcorch::keystone::auth::service_name': self.SERVICE_NAME,
@@ -198,5 +209,8 @@ class DCOrchPuppet(openstack.OpenstackBasePuppet):
     def get_proxy_public_url(self, port, service_path):
         return self._format_public_endpoint(port, path=service_path)
 
+    def get_proxy_admin_url(self, port, service_path):
+        return self._format_admin_endpoint(port, path=service_path)
+
     def get_region_name(self):
         return self._get_service_region_name(self.SERVICE_NAME)

sysinv/sysinv/sysinv/sysinv/puppet/fm.py

@@ -105,7 +105,7 @@ class FmPuppet(openstack.OpenstackBasePuppet):
         return self._format_private_endpoint(self.SERVICE_PORT)
 
     def get_admin_url(self):
-        return self._format_private_endpoint(self.SERVICE_PORT)
+        return self._format_admin_endpoint(self.SERVICE_PORT)
 
     def get_region_name(self):
         return self._get_service_region_name(self.SERVICE_NAME)

sysinv/sysinv/sysinv/sysinv/puppet/inventory.py

@@ -111,7 +111,7 @@ class SystemInventoryPuppet(openstack.OpenstackBasePuppet):
                                              path=self.SERVICE_PATH)
 
     def get_admin_url(self):
-        return self._format_private_endpoint(self.SERVICE_PORT,
+        return self._format_admin_endpoint(self.SERVICE_PORT,
                                              path=self.SERVICE_PATH)
 
     def get_region_name(self):

sysinv/sysinv/sysinv/sysinv/puppet/keystone.py

@@ -242,7 +242,7 @@ class KeystonePuppet(openstack.OpenstackBasePuppet):
                     self.SERVICE_TYPE in self._get_shared_services()):
             return self._get_admin_url_from_service_config(self.SERVICE_NAME)
         else:
-            return self._format_private_endpoint(self.SERVICE_PORT)
+            return self._format_admin_endpoint(self.SERVICE_PORT)
 
     def get_auth_address(self):
         if self._region_config():

sysinv/sysinv/sysinv/sysinv/puppet/nfv.py

@@ -271,4 +271,4 @@ class NfvPuppet(openstack.OpenstackBasePuppet):
         return self._format_private_endpoint(self.SERVICE_PORT)
 
     def get_admin_url(self):
-        return self._format_private_endpoint(self.SERVICE_PORT)
+        return self._format_admin_endpoint(self.SERVICE_PORT)

sysinv/sysinv/sysinv/sysinv/puppet/openstack.py

@@ -6,6 +6,7 @@
 
 import abc
 import keyring
+import os
 
 from sysinv.common import constants
 
@@ -116,6 +117,23 @@ class OpenstackBasePuppet(base.BasePuppet):
     def _get_private_protocol(self):
         return 'http'
 
+    def _get_admin_protocol(self):
+        # Turn admin endpoint protocol to be https only after ansible
+        # bootstrap is completed. This is because https enabled admin
+        # endpoints work only after haproxy is properly configured,
+        # which will happen when puppet manifest apply during
+        # controller unlock. So if https is turned on during bootstrap
+        # (by services' endpoint reconfiguration), the system commands
+        # to add networks etc during ansible bootstrap will fail as
+        # haproxy has not been configured yet.
+        if os.path.isfile(constants.ANSIBLE_BOOTSTRAP_COMPLETED_FLAG) and \
+            (self._distributed_cloud_role() ==
+                constants.DISTRIBUTED_CLOUD_ROLE_SYSTEMCONTROLLER or
+                self._distributed_cloud_role() ==
+                    constants.DISTRIBUTED_CLOUD_ROLE_SUBCLOUD):
+            return 'https'
+        return 'http'
+
     def _format_public_endpoint(self, port, address=None, path=None):
         protocol = self._get_public_protocol()
         if address is None:
@@ -128,6 +146,15 @@ class OpenstackBasePuppet(base.BasePuppet):
             address = self._format_url_address(self._get_management_address())
         return self._format_keystone_endpoint(protocol, port, address, path)
 
+    def _format_admin_endpoint(self, port, address=None, path=None):
+        protocol = self._get_admin_protocol()
+        s_port = port
+        if address is None:
+            address = self._format_url_address(self._get_management_address())
+        if protocol == 'https':
+            s_port = s_port + 1
+        return self._format_keystone_endpoint(protocol, s_port, address, path)
+
     def _keystone_auth_address(self):
         return self._operator.keystone.get_auth_address()
 

sysinv/sysinv/sysinv/sysinv/puppet/patching.py

@@ -88,7 +88,7 @@ class PatchingPuppet(openstack.OpenstackBasePuppet):
         return self._format_private_endpoint(self.SERVICE_PORT)
 
     def get_admin_url(self):
-        return self._format_private_endpoint(self.SERVICE_PORT)
+        return self._format_admin_endpoint(self.SERVICE_PORT)
 
     def get_region_name(self):
         return self._get_service_region_name(self.SERVICE_NAME)

sysinv/sysinv/sysinv/sysinv/puppet/smapi.py

@@ -73,4 +73,4 @@ class SmPuppet(openstack.OpenstackBasePuppet):
         return self._format_private_endpoint(self.SERVICE_PORT)
 
     def get_admin_url(self):
-        return self._format_private_endpoint(self.SERVICE_PORT)
+        return self._format_admin_endpoint(self.SERVICE_PORT)