Example #1
0
def copy_apiserver_ssl_certs_to_node(*nodes):
    ssl_certs = (get_apiserver_certfile(),
                 get_apiserver_cafile(),
                 get_apiserver_keyfile(),
                 get_apiserver_cert_bundle())
    cfgm_host = env.roledefs['cfgm'][0]
    for node in nodes:
        with settings(host_string=node, password=get_env_passwords(node)):
            for ssl_cert in ssl_certs:
                cert_file = '/etc/contrail/ssl/certs/%s' % os.path.basename(ssl_cert)
                if ssl_cert.endswith('.key'):
                    cert_file = '/etc/contrail/ssl/private/%s' % os.path.basename(ssl_cert)
                if node not in env.roledefs['cfgm']:
                    # Clear old certificate
                    sudo('rm -f %s' % cert_file)
                if exists(cert_file, use_sudo=True):
                    continue
                with settings(host_string=cfgm_host,
                              password=get_env_passwords(cfgm_host)):
                    tmp_fname = os.path.join('/tmp', os.path.basename(ssl_cert))
                    get_as_sudo(ssl_cert, tmp_fname)
                sudo("mkdir -p /etc/contrail/ssl/certs/")
                sudo("mkdir -p /etc/contrail/ssl/private/")
                put(tmp_fname, cert_file, use_sudo=True)
                os.remove(tmp_fname)
                with settings(warn_only=True):
                   sudo("chown -R contrail:contrail /etc/contrail/ssl")
Example #2
0
def copy_apiserver_ssl_certs_to_node(*nodes):
    ssl_certs = (get_apiserver_certfile(),
                 get_apiserver_cafile(),
                 get_apiserver_keyfile(),
                 get_apiserver_cert_bundle())
    cfgm_host = env.roledefs['cfgm'][0]
    for node in nodes:
        with settings(host_string=node, password=get_env_passwords(node)):
            for ssl_cert in ssl_certs:
                cert_file = '/etc/contrail/ssl/certs/%s' % os.path.basename(ssl_cert)
                if ssl_cert.endswith('.key'):
                    cert_file = '/etc/contrail/ssl/private/%s' % os.path.basename(ssl_cert)
                if node not in env.roledefs['cfgm']:
                    # Clear old certificate
                    sudo('rm -f %s' % cert_file)
                if exists(cert_file, use_sudo=True):
                    continue
                with settings(host_string=cfgm_host,
                              password=get_env_passwords(cfgm_host)):
                    tmp_dir= tempfile.mkdtemp()
                    tmp_fname = os.path.join(tmp_dir, os.path.basename(ssl_cert))
                    get_as_sudo(ssl_cert, tmp_fname)
                sudo("mkdir -p /etc/contrail/ssl/certs/")
                sudo("mkdir -p /etc/contrail/ssl/private/")
                put(tmp_fname, cert_file, use_sudo=True)
                os.remove(tmp_fname)
                with settings(warn_only=True):
                   sudo("chown -R contrail:contrail /etc/contrail/ssl")
Example #3
0
def setup_apiserver_ssl_certs_node(*nodes):
    default_certfile = '/etc/contrail/ssl/certs/contrail.pem'
    default_keyfile = '/etc/contrail/ssl/private/contrail.key'
    default_cafile = '/etc/contrail/ssl/certs/contrail_ca.pem'
    contrailcertbundle = get_apiserver_cert_bundle()
    ssl_certs = ((get_apiserver_certfile(), default_certfile),
                 (get_apiserver_keyfile(), default_keyfile),
                 (get_apiserver_cafile(), default_cafile))
    index = env.roledefs['cfgm'].index(env.host_string) + 1
    for node in nodes:
        with settings(host_string=node, password=get_env_passwords(node)):
            for ssl_cert, default in ssl_certs:
                if ssl_cert == default:
                    # Clear old certificate
                    sudo('rm -f %s' % ssl_cert)
                    sudo('rm -f %s' % contrailcertbundle)
            for ssl_cert, default in ssl_certs:
                if ssl_cert == default:
                    cfgm_host = env.roledefs['cfgm'][0]
                    if index == 1:
                        if not exists(ssl_cert, use_sudo=True):
                            print "Creating apiserver SSL certs in first cfgm node"
                            subject_alt_names_mgmt = [hstr_to_ip(host)
                                                      for host in env.roledefs['cfgm']]
                            subject_alt_names_ctrl = [hstr_to_ip(get_control_host_string(host))
                                                      for host in env.roledefs['cfgm']]
                            subject_alt_names = subject_alt_names_mgmt + subject_alt_names_ctrl
                            if get_contrail_external_vip():
                                subject_alt_names.append(get_contrail_external_vip())
                            cfgm_ip = get_contrail_internal_vip() or hstr_to_ip(get_control_host_string(cfgm_host))
                            sudo('create-api-ssl-certs.sh %s %s' % (cfgm_ip, ','.join(subject_alt_names)))
                    else:
                        with settings(host_string=cfgm_host,
                                      password=get_env_passwords(cfgm_host)):
                            while not exists(ssl_cert, use_sudo=True):
                                print "Wait for SSL certs to be created in first cfgm"
                                sleep(0.1)
                            print "Get SSL cert(%s) from first cfgm" % ssl_cert
                            tmp_dir= tempfile.mkdtemp()
                            tmp_fname = os.path.join(tmp_dir, os.path.basename(ssl_cert))
                            get_as_sudo(ssl_cert, tmp_fname)
                        print "Copy to this(%s) cfgm node" % env.host_string 
                        sudo('mkdir -p /etc/contrail/ssl/certs/')
                        sudo('mkdir -p /etc/contrail/ssl/private/')
                        put(tmp_fname, ssl_cert, use_sudo=True)
                        os.remove(tmp_fname)
                elif os.path.isfile(ssl_cert): 
                    print "Certificate (%s) exists locally" % ssl_cert
                    put(ssl_cert, default, use_sudo=True)
                elif exists(ssl_cert, use_sudo=True): 
                    print "Certificate (%s) exists in cfgm node" % ssl_cert
                else:
                    raise RuntimeError("%s doesn't exists locally or in cfgm node" % ssl_cert)
            if not exists(contrailcertbundle, use_sudo=True):
                ((certfile, _), (keyfile, _), (cafile, _)) = ssl_certs
                sudo('cat %s %s > %s' % (certfile, cafile, contrailcertbundle))
            sudo("chown -R contrail:contrail /etc/contrail/ssl")
Example #4
0
def use_keystone_ssl_certs_in_node(*nodes):
    for node in nodes:
        execute('copy_keystone_ssl_certs_to_node', node)
        execute('copy_keystone_ssl_key_to_node', node)
        with settings(host_string=node, password=get_env_passwords(node)):
            cert_path = '/etc/contrail/ssl/certs/'
            ssl_certs = (get_keystone_certfile(),
                         get_keystone_cafile())
            for ssl_cert in ssl_certs:
                src = os.path.join(cert_path, os.path.basename(ssl_cert))
                dst = os.path.join(cert_path, os.path.basename(ssl_cert).replace('keystone', 'contrail'))
                sudo("cp %s %s" % (src, dst))

            key_path = '/etc/contrail/ssl/private/'
            ssl_key = get_keystone_keyfile()
            src_key = os.path.join(key_path, os.path.basename(ssl_key))
            dst_key = os.path.join(key_path, os.path.basename(ssl_key).replace('keystone', 'contrail'))
            sudo("cp %s %s" % (src_key, dst_key))

            certfile = '/etc/contrail/ssl/certs/contrail.pem'
            cafile = '/etc/contrail/ssl/certs/contrail_ca.pem'
            contrailcertbundle = get_apiserver_cert_bundle()
            sudo('cat %s %s > %s' % (certfile, cafile, contrailcertbundle))
            sudo("chown -R contrail:contrail /etc/contrail/ssl")