def test_create_ca_and_signing_pairs(self):
    """Generate a CA pair and a signing pair and inspect the real output.

    One test covers both pairs so that the CA pair is generated only once.
    pyOpenSSL is deliberately not mocked: the PEM text returned by
    keystone_pki is parsed back and the resulting objects are checked.
    """
    def load_pair(key_pem, cert_pem):
        # Parse the key first, then the certificate.
        return (crypto.load_privatekey(crypto.FILETYPE_PEM, key_pem),
                crypto.load_certificate(crypto.FILETYPE_PEM, cert_pem))

    # --- CA pair ---------------------------------------------------------
    ca_key_pem, ca_cert_pem = keystone_pki.create_ca_pair()
    ca_key, ca_cert = load_pair(ca_key_pem, ca_cert_pem)

    # Key is consistent and has the expected 2048-bit size.
    self.assertTrue(ca_key.check())
    self.assertEqual(2048, ca_key.bits())

    # Certificate is not expired; issuer and subject both carry the
    # CN 'Keystone CA'.
    self.assertFalse(ca_cert.has_expired())
    self.assertEqual('Keystone CA', ca_cert.get_issuer().CN)
    self.assertEqual('Keystone CA', ca_cert.get_subject().CN)

    # --- signing pair, issued from the CA pair above ---------------------
    signing_key_pem, signing_cert_pem = keystone_pki.create_signing_pair(
        ca_key_pem, ca_cert_pem)
    signing_key, signing_cert = load_pair(signing_key_pem, signing_cert_pem)

    self.assertTrue(signing_key.check())
    self.assertEqual(2048, signing_key.bits())

    # NOTE(review): the issuer check below compares names only. It does not
    # verify the certificate's signature against the CA certificate, so a
    # signing cert with the right issuer CN but a wrong signer would still
    # pass. A chain verification (crypto.X509Store plus
    # crypto.X509StoreContext) would cover that.
    self.assertFalse(signing_cert.has_expired())
    self.assertEqual('Keystone CA', signing_cert.get_issuer().CN)
    self.assertEqual('Keystone Signing', signing_cert.get_subject().CN)
def _make_keystone_certificates(self, wanted_generated_params):
    """Generate the Keystone certificate parameters when any one is wanted.

    If at least one name from KEYSTONE_CERTIFICATE_PARAMS is a key of
    ``wanted_generated_params``, a new CA pair and a signing pair are
    created and all three parameters are returned together; otherwise the
    result is an empty dict.

    :param wanted_generated_params: mapping whose keys name the parameters
        that still have to be generated.
    :returns: dict with KeystoneSigningCertificate, KeystoneCACertificate
        and KeystoneSigningKey, or an empty dict.
    """
    # One missing certificate parameter means the whole set is regenerated,
    # since the signing pair has to be issued from the new CA pair.
    needs_certificates = any(
        name in wanted_generated_params.keys()
        for name in KEYSTONE_CERTIFICATE_PARAMS
    )
    if not needs_certificates:
        return {}

    ca_key_pem, ca_cert_pem = keystone_pki.create_ca_pair()
    signing_key_pem, signing_cert_pem = keystone_pki.create_signing_pair(
        ca_key_pem, ca_cert_pem)

    # The CA private key is used for signing only and is not returned.
    # The signing private key IS returned next to the certificates, so the
    # caller has to treat the whole dict as secret material (keep it out of
    # logs and debug output).
    return {
        'KeystoneSigningCertificate': signing_cert_pem,
        'KeystoneCACertificate': ca_cert_pem,
        'KeystoneSigningKey': signing_key_pem,
    }
def _make_keystone_certificates(self, wanted_generated_params):
    """Return new Keystone PKI parameters if any of them was requested.

    The names in KEYSTONE_CERTIFICATE_PARAMS are looked up among the keys
    of ``wanted_generated_params``. A single hit triggers generation of a
    CA pair and of a signing pair issued from it.

    :param wanted_generated_params: mapping keyed by the parameter names
        that need a generated value.
    :returns: dict holding the signing certificate, the CA certificate and
        the signing key, or an empty dict when none was requested.
    """
    generated_params = {}

    # The three values belong together: when one is unset, all are rebuilt.
    if any(wanted_name in wanted_generated_params.keys()
           for wanted_name in KEYSTONE_CERTIFICATE_PARAMS):
        ca_key_pem, ca_cert_pem = keystone_pki.create_ca_pair()
        signing_pair = keystone_pki.create_signing_pair(ca_key_pem,
                                                        ca_cert_pem)
        signing_key_pem, signing_cert_pem = signing_pair

        # Only the signing key leaves this method; the CA private key is
        # dropped once the signing certificate exists. The returned dict
        # therefore contains a private key and must be handled as a secret
        # by the caller.
        generated_params['KeystoneSigningCertificate'] = signing_cert_pem
        generated_params['KeystoneCACertificate'] = ca_cert_pem
        generated_params['KeystoneSigningKey'] = signing_key_pem

    return generated_params
def _deploy_tuskar(self, stack, parsed_args):
    """Deploy from a Tuskar plan: write its templates and call Heat.

    The plan named by ``parsed_args.plan`` is looked up, its templates are
    written below an output directory, the computed parameters are patched
    back into the plan, and ``self._heat_deploy`` is called with the path
    of ``plan.yaml`` inside that directory.

    :param stack: the existing stack, or None. New Keystone CA and signing
        pairs are generated only when it is None.
    :param parsed_args: parsed command-line arguments; this method reads
        output_dir, plan, rhel_reg, environment_files and timeout.
    """
    client_manager = self.app.client_manager
    management = client_manager.rdomanager_oscplugin.management()
    network_client = client_manager.network

    # TODO(dmatthews): The Tuskar client has very similar code to this for
    # downloading templates. It should be refactored upstream so we can use
    # it.

    # Without an explicit output directory, use a fresh temporary one.
    output_dir = parsed_args.output_dir or tempfile.mkdtemp()
    if not os.path.isdir(output_dir):
        os.mkdir(output_dir)

    plan = tuskarutils.find_resource(management.plans, parsed_args.plan)

    # Fetch the plan's templates (template name -> content).
    templates = management.plans.templates(plan.uuid)

    parameters = self._update_paramaters(parsed_args, network_client, stack)

    if stack is None:
        ca_key_pem, ca_cert_pem = keystone_pki.create_ca_pair()
        signing_key_pem, signing_cert_pem = (
            keystone_pki.create_signing_pair(ca_key_pem, ca_cert_pem))
        # NOTE(review): the signing private key is stored with the ordinary
        # parameters. It is sent to the plan as text just below and passed
        # on to _heat_deploy, so anyone who can read the plan's parameters
        # can read the key -- confirm that this is acceptable. The CA
        # private key is not stored by this method.
        for param_name, pem in (
                ('Controller-1::KeystoneCACertificate', ca_cert_pem),
                ('Controller-1::KeystoneSigningCertificate',
                 signing_cert_pem),
                ('Controller-1::KeystoneSigningKey', signing_key_pem)):
            parameters[param_name] = pem

    # Save the parameters to Tuskar so they can be used when redeploying.
    # Tuskar expects to get all values as strings. So we convert them all
    # below.
    management.plans.patch(
        plan.uuid,
        [{'name': name, 'value': six.text_type(value)}
         for name, value in parameters.items()]
    )

    # Write one file per template.
    print("The following templates will be written:")
    for template_name, template_content in templates.items():
        # A template name may carry directory components when the role
        # templates and their dependent files are organised in
        # directories. Create that directory first, unless an earlier
        # template already did.
        #
        # NOTE(review): template_name comes from the plan's template
        # listing and is joined onto output_dir unchecked. An absolute name
        # or one with '..' components would resolve outside output_dir.
        # Consider rejecting any target whose os.path.realpath is not below
        # output_dir before opening it.
        relative_dir = os.path.dirname(template_name)
        target_dir = os.path.join(output_dir, relative_dir)
        if relative_dir and not os.path.exists(target_dir):
            os.makedirs(target_dir)

        filename = os.path.join(output_dir, template_name)
        with open(filename, 'w+') as handle:
            handle.write(template_content)
        print(filename)

    overcloud_yaml = os.path.join(output_dir, 'plan.yaml')

    # environment.yaml always comes first; optional environments follow.
    environments = [os.path.join(output_dir, 'environment.yaml')]
    if parsed_args.rhel_reg:
        environments.extend(self._create_registration_env(parsed_args))
    if parsed_args.environment_files:
        environments.extend(parsed_args.environment_files)

    self._heat_deploy(stack, overcloud_yaml, parameters, environments,
                      parsed_args.timeout)
def _deploy_tuskar(self, stack, parsed_args):
    """Write the templates of a Tuskar plan to disk and start the deploy.

    Steps, in order: resolve the output directory, look up the plan given
    in ``parsed_args.plan``, fetch its templates, compute the parameters,
    add generated Keystone PKI values for a new stack, patch the plan with
    all parameters as strings, write every template to disk, and call
    ``self._heat_deploy``.

    :param stack: current stack or None; None means a first deployment, in
        which case Keystone CA and signing pairs are generated here.
    :param parsed_args: parsed command-line arguments (output_dir, plan,
        rhel_reg, environment_files and timeout are read).
    """
    app_clients = self.app.client_manager
    management = app_clients.rdomanager_oscplugin.management()
    network_client = app_clients.network

    # TODO(dmatthews): The Tuskar client has very similar code to this for
    # downloading templates. It should be refactored upstream so we can use
    # it.
    output_dir = parsed_args.output_dir
    if not output_dir:
        # No directory requested: use a new temporary directory.
        output_dir = tempfile.mkdtemp()
    if not os.path.isdir(output_dir):
        os.mkdir(output_dir)

    management_plan = tuskarutils.find_resource(management.plans,
                                                parsed_args.plan)
    plan_uuid = management_plan.uuid

    # Retrieve the templates.
    templates = management.plans.templates(plan_uuid)

    parameters = self._update_paramaters(parsed_args, network_client, stack)

    if stack is None:
        ca_key_pem, ca_cert_pem = keystone_pki.create_ca_pair()
        signing_pair = keystone_pki.create_signing_pair(ca_key_pem,
                                                        ca_cert_pem)
        signing_key_pem, signing_cert_pem = signing_pair

        parameters['Controller-1::KeystoneCACertificate'] = ca_cert_pem
        parameters['Controller-1::KeystoneSigningCertificate'] = (
            signing_cert_pem)
        # NOTE(review): this is a private key. From here on it is part of
        # `parameters`, which is written to the plan as text below and
        # passed to _heat_deploy. Check who is able to read plan
        # parameters. ca_key_pem itself is not stored anywhere in this
        # method.
        parameters['Controller-1::KeystoneSigningKey'] = signing_key_pem

    # Save the parameters to Tuskar so they can be used when redeploying.
    # Tuskar expects to get all values as strings. So we convert them all
    # below.
    management.plans.patch(plan_uuid, [
        {'name': key, 'value': six.text_type(val)}
        for key, val in parameters.items()
    ])

    # One output file per entry of `templates`.
    print("The following templates will be written:")
    for template_name, template_content in templates.items():
        # It's possible to organize the role templates and their dependent
        # files into directories, in which case the template_name will
        # carry the directory information. If that's the case, first
        # create the directory structure (if it hasn't already been
        # created by another file in the templates list).
        #
        # NOTE(review): the name is taken from the management service's
        # response and is not checked for containment. os.path.join drops
        # output_dir when the name is absolute, and '..' components are
        # kept as-is, so the write below can land outside output_dir.
        # Validating the resolved path against output_dir before the open()
        # would close that gap.
        subdir = os.path.dirname(template_name)
        subdir_path = os.path.join(output_dir, subdir)
        if subdir and not os.path.exists(subdir_path):
            os.makedirs(subdir_path)

        filename = os.path.join(output_dir, template_name)
        with open(filename, 'w+') as out:
            out.write(template_content)
        print(filename)

    overcloud_yaml = os.path.join(output_dir, 'plan.yaml')
    environment_yaml = os.path.join(output_dir, 'environment.yaml')

    # Order: environment.yaml, then registration environments, then the
    # environment files given by the user.
    environments = [environment_yaml]
    if parsed_args.rhel_reg:
        environments.extend(self._create_registration_env(parsed_args))
    if parsed_args.environment_files:
        environments.extend(parsed_args.environment_files)

    self._heat_deploy(stack, overcloud_yaml, parameters, environments,
                      parsed_args.timeout)