HTTPS cert changes

o No longer use the self signed cert genetated by the mod_ssl package o generate our own self signed cert o add options so user can specify their own cert to use o close port 80 if using ssl for horizon o Adds a new resources member to the controller object, this contains a list of files to be copied to remote host Addresses some of the points raised in https://bugzilla.redhat.com/show_bug.cgi?id=919071 Change-Id: I9182b07481fd396a8a250ea045428a5c382eb2b1
2013-03-10 17:35:16 -04:00
parent b366123ecc
commit ae1b33dcc4
6 changed files with 156 additions and 3 deletions
--- a/packstack/installer/setup_controller.py
+++ b/packstack/installer/setup_controller.py
@@ -34,6 +34,21 @@ class Controller(object):
        #      only like data container
        self.temp_map = {}

+        # Resources that should be copied to each host along with the puppet
+        # files, on the remote host the file will be placed in
+        # $PACKSTACK_VAR_DIR/resources. As with temp_map, this controller
+        # should copy the files, for now the puppet plugin is doing it
+        # format {'host':[('/path/to/fileordirectory', 'filenameonremotehost'), ..]}
+        self.resources = {}
+
+
+    def addResource(self, host, localpath, remotename):
+        """ Populates self.resources """
+        current_value_for_host = self.resources.get(host, [])
+        current_value_for_host.append((localpath,remotename))
+        self.resources[host] = current_value_for_host
+
+
    # PLugins
    def addPlugin(self, plugObj):
        self.__PLUGINS.append(plugObj)
--- a/packstack/plugins/dashboard_500.py
+++ b/packstack/plugins/dashboard_500.py
@@ -3,11 +3,13 @@ Installs and configures OpenStack Horizon
 """

 import logging
+import os
 import uuid

 import packstack.installer.engine_validators as validate
 import packstack.installer.engine_processors as process
 from packstack.installer import basedefs, output_messages
+from packstack.installer import exceptions
 import packstack.installer.common_utils as utils

 from packstack.modules.ospluginutils import getManifestTemplate, appendManifestFile
@@ -61,6 +63,42 @@ def initConfig(controllerObject):

    controller.addGroup(groupDict, paramsList)

+    paramsList = [
+                  {"CMD_OPTION"      : "os-ssl-cert",
+                   "USAGE"           : "PEM encoded certificate to be used for ssl on the https server, leave blank if one should be generated, this certificate should not require a passphrase",
+                   "PROMPT"          : "Enter the path to a PEM encoded certificate to be used on thr https server, leave blank if one should be generated, this certificate should not require a passphrase",
+                   "OPTION_LIST"     : [],
+                   "VALIDATORS"      : [],
+                   "DEFAULT_VALUE"   : '',
+                   "MASK_INPUT"      : False,
+                   "LOOSE_VALIDATION": True,
+                   "CONF_NAME"       : "CONFIG_SSL_CERT",
+                   "USE_DEFAULT"     : False,
+                   "NEED_CONFIRM"    : False,
+                   "CONDITION"       : False },
+                  {"CMD_OPTION"      : "os-ssl-key",
+                   "USAGE"           : "Keyfile corresponding to the certificate if one was entered",
+                   "PROMPT"          : "Enter the keyfile corresponding to the certificate if one was entered",
+                   "OPTION_LIST"     : [],
+                   "VALIDATORS"      : [],
+                   "DEFAULT_VALUE"   : "",
+                   "MASK_INPUT"      : False,
+                   "LOOSE_VALIDATION": True,
+                   "CONF_NAME"       : "CONFIG_SSL_KEY",
+                   "USE_DEFAULT"     : False,
+                   "NEED_CONFIRM"    : False,
+                   "CONDITION"       : False },
+                 ]
+
+    groupDict = { "GROUP_NAME"            : "OSSSL",
+                  "DESCRIPTION"           : "SSL Config parameters",
+                  "PRE_CONDITION"         : "CONFIG_HORIZON_SSL",
+                  "PRE_CONDITION_MATCH"   : "y",
+                  "POST_CONDITION"        : False,
+                  "POST_CONDITION_MATCH"  : True}
+
+    controller.addGroup(groupDict, paramsList)
+

 def initSequences(controller):
    if controller.CONF['CONFIG_HORIZON_INSTALL'] != 'y':
@@ -83,13 +121,31 @@ def createmanifest():
    if controller.CONF["CONFIG_HORIZON_SSL"] == 'y':
        controller.CONF["CONFIG_HORIZON_PORT"] = "'443'"
        controller.MESSAGES.append(
-            "%sNOTE%s : A default self signed certificate was used for ssl, "
+            "%sNOTE%s : A certificate was generated to be used for ssl, "
            "You should change the ssl certificate configured in "
            "/etc/httpd/conf.d/ssl.conf on %s to use a CA signed cert."
            % (basedefs.RED, basedefs.NO_COLOR, horizon_host))
        proto = "https"
-        sslmanifestdata += ("class {'apache::mod::ssl': }\n"
-                            "file {'/etc/httpd/conf.d/ssl.conf':}\n")
+        sslmanifestdata += getManifestTemplate("https.pp")
+
+        # Are we using the users cert/key files
+        if controller.CONF["CONFIG_SSL_CERT"]:
+            ssl_cert = controller.CONF["CONFIG_SSL_CERT"]
+            ssl_key = controller.CONF["CONFIG_SSL_KEY"]
+
+            if not os.path.exists(ssl_cert):
+                raise exceptions.ParamValidationError(
+                    "The file %s doesn't exist" % ssl_cert)
+
+            if ssl_key and not os.path.exists(ssl_key):
+                raise exceptions.ParamValidationError(
+                    "The file %s doesn't exist" % ssl_key)
+
+            controller.addResource(horizon_host, ssl_cert, 'ssl_ps_server.crt')
+            if ssl_key:
+                controller.addResource(
+                    horizon_host, ssl_key, 'ssl_ps_server.key'
+                )

    manifestdata = getManifestTemplate("horizon.pp")
    manifestdata += sslmanifestdata
--- a/packstack/plugins/puppet_950.py
+++ b/packstack/plugins/puppet_950.py
@@ -94,6 +94,12 @@ def copyPuppetModules():
                      "ssh -o StrictHostKeyChecking=no "
                          "-o UserKnownHostsFile=/dev/null "
                          "root@%s tar -C %s -xpzf -" % (tar_opts, hostname, host_dir))
+
+        for path, localname in controller.resources.get(hostname, []):
+            server.append("scp -o StrictHostKeyChecking=no "
+                "-o UserKnownHostsFile=/dev/null %s root@%s:%s/resources/%s" %
+                (path, hostname, host_dir, localname))
+
    server.execute()


@@ -170,6 +176,7 @@ def applyPuppetManifest():
                server.append("export FACTERLIB=$FACTERLIB:%s/facts" % host_dir)
            server.append("touch %s" % running_logfile)
            server.append("chmod 600 %s" % running_logfile)
+            server.append("export PACKSTACK_VAR_DIR=%s" % host_dir)
            command = "( flock %s/ps.lock puppet apply --modulepath %s/modules %s > %s 2>&1 < /dev/null ; mv %s %s ) > /dev/null 2>&1 < /dev/null &" % (host_dir, host_dir, man_path, running_logfile, running_logfile, finished_logfile)
            server.append(command)
            server.execute()
--- a/packstack/plugins/serverprep_901.py
+++ b/packstack/plugins/serverprep_901.py
@@ -436,6 +436,7 @@ def serverprep():
            # the directory already exists
            host_dir = os.path.join(basedefs.PACKSTACK_VAR_DIR, uuid.uuid4().hex)
            server.append("mkdir --mode 0700 %s" % host_dir)
+            server.append("mkdir %s/resources" % host_dir)
            controller.temp_map[hostname] = host_dir

        # Add yum repositories if configured
--- a/packstack/puppet/modules/packstack/templates/ssl/generate_ssl_certs.sh.erb
+++ b/packstack/puppet/modules/packstack/templates/ssl/generate_ssl_certs.sh.erb
@@ -0,0 +1,37 @@
+#!/bin/env bash
+
+FQDN=`hostname`
+if [ "x${FQDN}" = "x" ]; then
+   FQDN=localhost.localdomain
+fi
+
+SSLKEY=/etc/pki/tls/private/ssl_ps_server.key
+SSLCERT=/etc/pki/tls/certs/ssl_ps_server.crt
+
+# If packstack dropped a cert in the resources directory then we
+# use that instead of generating one
+if [ -f $PACKSTACK_VAR_DIR/resources/ssl_ps_server.crt ] ; then
+    cp  $PACKSTACK_VAR_DIR/resources/ssl_ps_server.crt $SSLCERT
+    cp  $PACKSTACK_VAR_DIR/resources/ssl_ps_server.key $SSLKEY
+    exit 0
+fi
+
+umask 277
+
+answers() {
+        echo --
+        echo State
+        echo City
+        echo openstack
+        echo packstack
+        echo $1
+        echo admin@$1
+        echo
+        echo
+}
+
+
+# gen key and self signed host cert
+openssl genrsa -rand 2048 > $SSLKEY 2> /dev/null
+answers $FQDN | openssl req -new -x509 -days 1096 -key $SSLKEY -text -out $SSLCERT
+
--- a/packstack/puppet/templates/https.pp
+++ b/packstack/puppet/templates/https.pp
@@ -0,0 +1,37 @@
+
+class {'apache::mod::ssl': }
+file {'/etc/httpd/conf.d/ssl.conf':}
+
+file {'/etc/pki/tls/certs/ps_generate_ssl_certs.ssh':
+    content => template('packstack/ssl/generate_ssl_certs.sh.erb'),
+    ensure => present,
+    mode => '755',
+}
+
+exec {'/etc/pki/tls/certs/ps_generate_ssl_certs.ssh':
+    require => File['/etc/pki/tls/certs/ps_generate_ssl_certs.ssh'],
+    notify  => Service['httpd'],
+}
+
+# close port 80
+file_line{'nohttp':
+    path => '/etc/httpd/conf/httpd.conf',
+    match => '^#?Listen 80',
+    line => '#Listen 80',
+    require =>  Class['apache::mod::ssl']
+}
+
+# set the name of the ssl cert and key file
+file_line{'sslcert':
+    path => '/etc/httpd/conf.d/ssl.conf',
+    match => '^SSLCertificateFile ',
+    line => 'SSLCertificateFile /etc/pki/tls/certs/ssl_ps_server.crt',
+    require =>  Class['apache::mod::ssl']
+}
+
+file_line{'sslkey':
+    path => '/etc/httpd/conf.d/ssl.conf',
+    match => '^SSLCertificateKeyFile ',
+    line => 'SSLCertificateKeyFile /etc/pki/tls/private/ssl_ps_server.key',
+    require =>  Class['apache::mod::ssl']
+}