microstack/tests/configure-the-things.sh
Corey Bryant 064aae8458 Add TLS OpenStack API endpoints
This patch provides TLS endpoints secured by a self-signed
certificate. Another patch will provide support for trusted CA-signed
certificates.

A new config.tls.generate-cert option is added that defaults to true.
When true, a self-signed certificate will be generated and OpenStack
API endpoints will be configured to use TLS with that self-signed
certificate. The following config options are added:

snap get microstack config.tls.generate-self-signed
snap get microstack config.tls.cacert-path
snap get microstack config.tls.cert-path
snap get microstack config.tls.key-path

Users can provide their own self-signed certificate by setting
generate-self-signed to false and storing their own certificates/key
at the paths specified by cacert-path, cert-path, and key-path.
'snap set' can also be used to change the cert/key file names.

If using clustering, the certificates/key will be copied from the
control node to the compute nodes. The config for cacert-path,
cert-path, and key-path will be set to the same values as on the
control node.

Other notable changes:
* The existing generate_selfsigned() function is modified to change
  the subject alternative name to be made up of the hostname and
  optionally an IP. The controller hostname and IP are used when
  generating the certificate for self-signed TLS endpoints. The
  hostname is now used instead of 'microstack.run' when generating
  the clustering certificate.
* This change also aligns logging for nginx and corresponding sites
  and moves all nginx sites to {snap_common}/etc/nginx/sites-enabled.

Change-Id: Iceea3127822404a3275fcf8a221cbedc4b52c217
2021-05-26 16:39:33 -04:00


#!/bin/bash
# This is a script that helps test configure and install hook commands,
# without the need to rebuild the snap with each change. It works in
# concert with a "configure-the-things" app in the snap, which will
# find and run this script if you put it in the right place.
# To use this script:
# 1) Install microstack on a machine
# 2) Copy (or symlink) this script into
# /var/snap/microstack/common/bin/configure-the-things.sh
# 3) Run microstack.configure-the-things
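# Note: -x echoes every command to stderr, including the passwords below.
set -ex

# Root password to set for MySQL (test value).
MYSQL_PASSWORD=fnord # TODO use snapctl

# mysqld writes the initial temporary root password to its error log.
MYSQL_TMP_PASSWORD=$(sudo grep "temporary password" /var/snap/microstack/common/log/error.log | cut -d " " -f11)

# Replace the expired temporary password, then create the keystone database.
echo "ALTER USER 'root'@'10.20.20.1' IDENTIFIED BY '$MYSQL_PASSWORD';" | microstack.mysql-client -u root -p"$MYSQL_TMP_PASSWORD" --connect-expired-password
echo "CREATE DATABASE IF NOT EXISTS keystone; GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'10.20.20.1' IDENTIFIED BY 'keystone';" | sudo microstack.mysql-client -u root -p"$MYSQL_PASSWORD"

sudo microstack.keystone-manage fernet_setup --keystone-user root --keystone-group root
sudo microstack.keystone-manage db_sync

# Quote the pattern so systemctl receives it instead of the shell globbing it.
sudo systemctl restart 'snap.microstack.*'

# Bootstrap keystone only if the admin user does not exist yet.
microstack.openstack user show admin || {
    # OS_PASSWORD is not set in this script; it must come from the environment.
    : "${OS_PASSWORD:?OS_PASSWORD must be set}"
    sudo microstack.keystone-manage bootstrap \
        --bootstrap-password "$OS_PASSWORD" \
        --bootstrap-admin-url https://10.20.20.1:5000/v3/ \
        --bootstrap-internal-url https://10.20.20.1:5000/v3/ \
        --bootstrap-public-url https://10.20.20.1:5000/v3/ \
        --bootstrap-region-id microstack
}

# Create the service project if it is missing.
microstack.openstack project show service || {
    microstack.openstack project create --domain default --description "Service Project" service
}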
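The script above takes the temporary MySQL password from a fixed field of the error log and passes passwords with -p on the command line. The following is an added example, not part of microstack: it extracts the password independently of the log line layout and writes it to a mode-0600 client option file. The function names and log lines are constructed for illustration, and it assumes the microstack.mysql-client wrapper passes the standard mysql option --defaults-extra-file through unchanged.

```bash
#!/bin/bash
# Added example, not part of microstack. Log lines are constructed samples.

# Print the newest temporary root password recorded in a mysqld error log.
# Strips everything up to the final ": " rather than counting fields, so
# extra bracketed tags before the message do not shift the result.
extract_tmp_password() (
    awk '/temporary password/ { sub(/^.*: /, ""); pw = $0 }
         END { if (pw == "") exit 1; print pw }' "$1"
)

# Write a mode-0600 client option file holding the password and print its
# path. Backslashes and double quotes are escaped for the option-file syntax.
write_client_cnf() (
    umask 077
    cnf=$(mktemp) || exit 1
    escaped=$(printf '%s' "$1" | sed 's/[\\"]/\\&/g')
    printf '[client]\nuser=root\npassword="%s"\n' "$escaped" > "$cnf"
    printf '%s\n' "$cnf"
)

# Constructed sample log: two line layouts, newest entry last.
make_sample_log() (
    log=$(mktemp) || exit 1
    cat > "$log" <<'EOF'
2021-05-26T20:39:01.000001Z 1 [Note] A temporary password is generated for root@localhost: Old,pw1example
2021-05-26T20:39:02.000001Z 0 [Note] Some unrelated line
2021-05-26T20:41:07.000001Z 6 [Note] [MY-000000] [Server] A temporary password is generated for root@localhost: k3;Qx"Rt\z9
EOF
    printf '%s\n' "$log"
)

log=$(make_sample_log)
tmp_pw=$(extract_tmp_password "$log")
cnf=$(write_client_cnf "$tmp_pw")
# Assumption: the wrapper accepts --defaults-extra-file as its first option:
#   microstack.mysql-client --defaults-extra-file="$cnf" --connect-expired-password
rm -f "$log" "$cnf"
```

With the first sample line alone, cut -d " " -f11 returns the password; with the second layout it returns "for", which is why the example does not count fields.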