コード例 #1
    def test_create_ca_and_signing_pairs(self):
        """Generate a real CA pair and signing pair and inspect both.

        pyOpenSSL is deliberately not mocked: the PEM output is parsed back
        and the resulting key and certificate objects are checked. Both pairs
        are covered by one test so the CA pair is generated only once.

        NOTE(review): the assertions cover key consistency, key size, expiry
        and the issuer/subject common names. Nothing here verifies the
        signing certificate's signature against the CA key, and no
        certificate extensions are inspected.
        """
        def check_pair(key_pem, cert_pem, subject_cn):
            # Parse the PEM blobs first so malformed output fails early.
            key = crypto.load_privatekey(crypto.FILETYPE_PEM, key_pem)
            cert = crypto.load_certificate(crypto.FILETYPE_PEM, cert_pem)

            # key properties
            self.assertTrue(key.check())
            self.assertEqual(2048, key.bits())

            # cert properties; both certificates name the CA as issuer
            self.assertFalse(cert.has_expired())
            self.assertEqual('Keystone CA', cert.get_issuer().CN)
            self.assertEqual(subject_cn, cert.get_subject().CN)

        # The CA certificate is its own issuer.
        ca_key_pem, ca_cert_pem = keystone_pki.create_ca_pair()
        check_pair(ca_key_pem, ca_cert_pem, 'Keystone CA')

        # The signing pair is created from the CA pair checked above.
        signing_key_pem, signing_cert_pem = keystone_pki.create_signing_pair(
            ca_key_pem, ca_cert_pem)
        check_pair(signing_key_pem, signing_cert_pem, 'Keystone Signing')
コード例 #2
    def test_create_ca_and_signing_pairs(self):
        """Exercise CA and signing pair generation against real pyOpenSSL.

        A single test covers both pairs so that the CA pair only has to be
        generated once; the generated PEM data is loaded and checked rather
        than mocked.

        NOTE(review): what is asserted is key validity, a 2048-bit key size,
        non-expiry and the common names. The chain itself (signing
        certificate signature verified with the CA public key) is not
        checked by this test.
        """
        pem = crypto.FILETYPE_PEM
        ca_cn = 'Keystone CA'

        # --- CA pair ---
        ca_key_pem, ca_cert_pem = keystone_pki.create_ca_pair()
        parsed_ca_key = crypto.load_privatekey(pem, ca_key_pem)
        parsed_ca_cert = crypto.load_certificate(pem, ca_cert_pem)

        self.assertTrue(parsed_ca_key.check())
        self.assertEqual(2048, parsed_ca_key.bits())

        # self-issued: issuer and subject carry the same common name
        self.assertFalse(parsed_ca_cert.has_expired())
        self.assertEqual(ca_cn, parsed_ca_cert.get_issuer().CN)
        self.assertEqual(ca_cn, parsed_ca_cert.get_subject().CN)

        # --- signing pair, created from the CA pair above ---
        pair = keystone_pki.create_signing_pair(ca_key_pem, ca_cert_pem)
        signing_key_pem, signing_cert_pem = pair
        parsed_signing_key = crypto.load_privatekey(pem, signing_key_pem)
        parsed_signing_cert = crypto.load_certificate(pem, signing_cert_pem)

        self.assertTrue(parsed_signing_key.check())
        self.assertEqual(2048, parsed_signing_key.bits())

        self.assertFalse(parsed_signing_cert.has_expired())
        self.assertEqual(ca_cn, parsed_signing_cert.get_issuer().CN)
        self.assertEqual('Keystone Signing',
                         parsed_signing_cert.get_subject().CN)
コード例 #3
ファイル: tuskar.py プロジェクト: rdo-management/tuskar-ui
    def _make_keystone_certificates(self, wanted_generated_params):
        """Return freshly generated Keystone PKI parameters, if any are wanted.

        When at least one name from ``KEYSTONE_CERTIFICATE_PARAMS`` is a key
        of ``wanted_generated_params``, a new CA pair and a signing pair
        created from it are generated and the CA certificate, signing
        certificate and signing key are returned. Otherwise the result is an
        empty dict.

        NOTE(review): the returned dict carries the signing private key in
        PEM form, so whatever stores or logs these parameters handles key
        material. The CA private key is used only to create the signing pair
        and is not returned.
        """
        # If one of the keystone certificates is not set, we have to generate
        # all of them.
        needs_certificates = any(
            name in wanted_generated_params.keys()
            for name in KEYSTONE_CERTIFICATE_PARAMS)
        if not needs_certificates:
            return {}

        # Generate keystone certificates
        ca_key_pem, ca_cert_pem = keystone_pki.create_ca_pair()
        signing_key_pem, signing_cert_pem = keystone_pki.create_signing_pair(
            ca_key_pem, ca_cert_pem)
        return {
            'KeystoneSigningCertificate': signing_cert_pem,
            'KeystoneCACertificate': ca_cert_pem,
            'KeystoneSigningKey': signing_key_pem,
        }
コード例 #4
ファイル: tuskar.py プロジェクト: lunalium/tuskar-ui
    def _make_keystone_certificates(self, wanted_generated_params):
        """Build the Keystone certificate parameters that must be generated.

        Returns an empty dict unless one of ``KEYSTONE_CERTIFICATE_PARAMS``
        is present among the keys of ``wanted_generated_params``. In that
        case the whole set is regenerated together: a new CA pair, then a
        signing pair created from that CA pair.

        NOTE(review): ``KeystoneSigningKey`` in the result is a PEM private
        key; the CA private key never leaves this method, so the generated
        CA cannot be reused later to issue another certificate.
        """
        params = {}

        # If one of the keystone certificates is not set, we have to generate
        # all of them.
        if not any(wanted in wanted_generated_params.keys()
                   for wanted in KEYSTONE_CERTIFICATE_PARAMS):
            return params

        # Generate keystone certificates
        ca_pair = keystone_pki.create_ca_pair()
        ca_key_pem, ca_cert_pem = ca_pair
        signing_pair = keystone_pki.create_signing_pair(ca_key_pem,
                                                        ca_cert_pem)
        signing_key_pem, signing_cert_pem = signing_pair

        params.update([
            ('KeystoneSigningCertificate', signing_cert_pem),
            ('KeystoneCACertificate', ca_cert_pem),
            ('KeystoneSigningKey', signing_key_pem),
        ])
        return params
コード例 #5
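    def _deploy_tuskar(self, stack, parsed_args):
        """Write the plan's templates to disk and run the Heat deployment.

        Looks up the plan named by ``parsed_args.plan``, fetches its
        templates, stores the deployment parameters back on the plan, writes
        every template below the output directory and finally calls
        ``self._heat_deploy``.

        :param stack: passed through to ``_update_paramaters`` and
            ``_heat_deploy``; when it is ``None`` a new Keystone CA pair and
            signing pair are generated and added to the parameters.
        :param parsed_args: parsed command-line arguments; this method reads
            ``output_dir``, ``plan``, ``rhel_reg``, ``environment_files`` and
            ``timeout``.
        :raises ValueError: if a template name returned by the management
            service resolves to a path outside the output directory.
        """

        clients = self.app.client_manager
        management = clients.rdomanager_oscplugin.management()
        network_client = clients.network

        # TODO(dmatthews): The Tuskar client has very similar code to this for
        # downloading templates. It should be refactored upstream so we can use
        # it.

        # tempfile.mkdtemp() creates a directory only the current user can
        # access; a caller-supplied directory keeps its own permissions.
        output_dir = parsed_args.output_dir or tempfile.mkdtemp()

        if not os.path.isdir(output_dir):
            os.mkdir(output_dir)

        # Resolved once; every file written below has to stay under this
        # prefix. join(..., '') appends exactly one trailing separator.
        output_root = os.path.join(os.path.realpath(output_dir), '')

        management_plan = tuskarutils.find_resource(
            management.plans, parsed_args.plan)

        # retrieve templates
        templates = management.plans.templates(management_plan.uuid)

        parameters = self._update_paramaters(
            parsed_args, network_client, stack)

        if stack is None:
            # NOTE(review): the signing private key becomes an ordinary
            # parameter, so the patch() call below sends it to the management
            # service along with everything else. The CA private key is used
            # only to create the signing pair and is not kept.
            ca_key_pem, ca_cert_pem = keystone_pki.create_ca_pair()
            signing_key_pem, signing_cert_pem = (
                keystone_pki.create_signing_pair(ca_key_pem, ca_cert_pem))
            parameters['Controller-1::KeystoneCACertificate'] = ca_cert_pem
            parameters['Controller-1::KeystoneSigningCertificate'] = (
                signing_cert_pem)
            parameters['Controller-1::KeystoneSigningKey'] = signing_key_pem

        # Save the parameters to Tuskar so they can be used when redeploying.
        # Tuskar expects to get all values as strings. So we convert them all
        # below.
        management.plans.patch(
            management_plan.uuid,
            [{'name': x[0], 'value': six.text_type(x[1])}
             for x in parameters.items()]
        )

        # write file for each key-value in templates
        print("The following templates will be written:")
        for template_name, template_content in templates.items():

            filename = os.path.join(output_dir, template_name)

            # template_name comes from the management service. An absolute
            # name makes os.path.join() discard output_dir, and '..' segments
            # or a symlink can point elsewhere, so check the resolved path
            # before creating any directory or file.
            if not os.path.realpath(filename).startswith(output_root):
                raise ValueError(
                    "Template name %r resolves outside the output "
                    "directory %r" % (template_name, output_dir))

            # It's possible to organize the role templates and their dependent
            # files into directories, in which case the template_name will
            # carry the directory information. If that's the case, first
            # create the directory structure (if it hasn't already been
            # created by another file in the templates list).
            template_dir = os.path.dirname(template_name)
            output_template_dir = os.path.join(output_dir, template_dir)
            if template_dir and not os.path.exists(output_template_dir):
                os.makedirs(output_template_dir)

            with open(filename, 'w+') as template_file:
                template_file.write(template_content)
            print(filename)

        overcloud_yaml = os.path.join(output_dir, 'plan.yaml')
        environment_yaml = os.path.join(output_dir, 'environment.yaml')
        environments = [environment_yaml, ]
        if parsed_args.rhel_reg:
            reg_env = self._create_registration_env(parsed_args)
            environments.extend(reg_env)
        if parsed_args.environment_files:
            environments.extend(parsed_args.environment_files)

        self._heat_deploy(stack, overcloud_yaml, parameters, environments,
                          parsed_args.timeout)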
コード例 #6
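    def _deploy_tuskar(self, stack, parsed_args):
        """Download the plan templates, save parameters and deploy via Heat.

        The plan is found by ``parsed_args.plan``. Its templates are written
        below the output directory, the deployment parameters are patched
        back onto the plan, and ``self._heat_deploy`` is called with the
        written ``plan.yaml`` and the environment files.

        :param stack: handed to ``_update_paramaters`` and ``_heat_deploy``;
            ``None`` causes a new Keystone CA pair and signing pair to be
            generated and placed in the parameters.
        :param parsed_args: parsed command-line arguments; the attributes
            read here are ``output_dir``, ``plan``, ``rhel_reg``,
            ``environment_files`` and ``timeout``.
        :raises ValueError: if a template name from the management service
            would be written outside the output directory.
        """

        clients = self.app.client_manager
        management = clients.rdomanager_oscplugin.management()
        network_client = clients.network

        # TODO(dmatthews): The Tuskar client has very similar code to this for
        # downloading templates. It should be refactored upstream so we can use
        # it.

        if parsed_args.output_dir:
            output_dir = parsed_args.output_dir
        else:
            # mkdtemp() gives a directory accessible only to the current user.
            output_dir = tempfile.mkdtemp()

        if not os.path.isdir(output_dir):
            os.mkdir(output_dir)

        # Canonical form of the output directory with one trailing separator;
        # used below to confine every template file to this tree.
        output_root = os.path.join(os.path.realpath(output_dir), '')

        management_plan = tuskarutils.find_resource(management.plans,
                                                    parsed_args.plan)

        # retrieve templates
        templates = management.plans.templates(management_plan.uuid)

        parameters = self._update_paramaters(parsed_args, network_client,
                                             stack)

        if stack is None:
            # NOTE(review): 'Controller-1::KeystoneSigningKey' is a PEM
            # private key and is sent to the management service by the
            # patch() call below together with the other parameters. The CA
            # private key is not stored by this method.
            ca_key_pem, ca_cert_pem = keystone_pki.create_ca_pair()
            signing_key_pem, signing_cert_pem = (
                keystone_pki.create_signing_pair(ca_key_pem, ca_cert_pem))
            parameters['Controller-1::KeystoneCACertificate'] = ca_cert_pem
            parameters['Controller-1::KeystoneSigningCertificate'] = (
                signing_cert_pem)
            parameters['Controller-1::KeystoneSigningKey'] = signing_key_pem

        # Save the parameters to Tuskar so they can be used when redeploying.
        # Tuskar expects to get all values as strings. So we convert them all
        # below.
        management.plans.patch(management_plan.uuid,
                               [{
                                   'name': x[0],
                                   'value': six.text_type(x[1])
                               } for x in parameters.items()])

        # write file for each key-value in templates
        print("The following templates will be written:")
        for template_name, template_content in templates.items():

            filename = os.path.join(output_dir, template_name)

            # The name is supplied by the management service. os.path.join()
            # drops output_dir for an absolute name, and '..' segments or a
            # symlink can lead elsewhere, so the resolved target is checked
            # before anything is created on disk.
            if not os.path.realpath(filename).startswith(output_root):
                raise ValueError(
                    "Template name %r resolves outside the output "
                    "directory %r" % (template_name, output_dir))

            # It's possible to organize the role templates and their dependent
            # files into directories, in which case the template_name will
            # carry the directory information. If that's the case, first
            # create the directory structure (if it hasn't already been
            # created by another file in the templates list).
            template_dir = os.path.dirname(template_name)
            output_template_dir = os.path.join(output_dir, template_dir)
            if template_dir and not os.path.exists(output_template_dir):
                os.makedirs(output_template_dir)

            with open(filename, 'w+') as template_file:
                template_file.write(template_content)
            print(filename)

        overcloud_yaml = os.path.join(output_dir, 'plan.yaml')
        environment_yaml = os.path.join(output_dir, 'environment.yaml')
        environments = [
            environment_yaml,
        ]
        if parsed_args.rhel_reg:
            reg_env = self._create_registration_env(parsed_args)
            environments.extend(reg_env)
        if parsed_args.environment_files:
            environments.extend(parsed_args.environment_files)

        self._heat_deploy(stack, overcloud_yaml, parameters, environments,
                          parsed_args.timeout)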