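def copy_apiserver_ssl_certs_to_node(*nodes):
    """Copy the API server SSL cert, CA, key and bundle from the first cfgm to *nodes*.

    Each file is fetched from ``env.roledefs['cfgm'][0]`` into a private local
    temporary directory and pushed to ``/etc/contrail/ssl/certs`` (or
    ``/etc/contrail/ssl/private`` for ``.key`` files) on the node. A file that
    already exists on a cfgm node is left alone; on a non-cfgm node the old
    copy is removed first so it is always refreshed.

    Args:
        *nodes: Fabric host strings of the target nodes.
    """
    # Function-scope imports keep the block self-contained; the file's import
    # block is outside this view.
    import shutil
    import tempfile

    ssl_certs = (get_apiserver_certfile(), get_apiserver_cafile(),
                 get_apiserver_keyfile(), get_apiserver_cert_bundle())
    cfgm_host = env.roledefs['cfgm'][0]
    for node in nodes:
        with settings(host_string=node, password=get_env_passwords(node)):
            for ssl_cert in ssl_certs:
                basename = os.path.basename(ssl_cert)
                if ssl_cert.endswith('.key'):
                    cert_file = '/etc/contrail/ssl/private/%s' % basename
                else:
                    cert_file = '/etc/contrail/ssl/certs/%s' % basename
                if node not in env.roledefs['cfgm']:
                    # Clear old certificate
                    sudo('rm -f %s' % cert_file)
                if exists(cert_file, use_sudo=True):
                    continue
                # Stage the file in a fresh mkdtemp() directory (mode 0700,
                # unpredictable name) instead of a fixed '/tmp/<name>' path:
                # the private key must not be readable or pre-creatable
                # (symlink / pre-existing file) by other local users.
                tmp_dir = tempfile.mkdtemp()
                tmp_fname = os.path.join(tmp_dir, basename)
                try:
                    with settings(host_string=cfgm_host,
                                  password=get_env_passwords(cfgm_host)):
                        get_as_sudo(ssl_cert, tmp_fname)
                    # NOTE(review): the original indentation was lost; the cfgm
                    # settings block is assumed to wrap only the fetch, so the
                    # mkdir/put below run against `node` -- confirm.
                    sudo("mkdir -p /etc/contrail/ssl/certs/")
                    sudo("mkdir -p /etc/contrail/ssl/private/")
                    put(tmp_fname, cert_file, use_sudo=True)
                    # NOTE(review): the remote mode of the pushed key is not set
                    # here; verify the file under ssl/private is not world-readable.
                finally:
                    # Always remove the local copy of the key material, even
                    # when the transfer fails part-way.
                    shutil.rmtree(tmp_dir, ignore_errors=True)
            with settings(warn_only=True):
                sudo("chown -R contrail:contrail /etc/contrail/ssl")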
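def copy_apiserver_ssl_certs_to_node(*nodes):
    """Distribute the API server SSL cert, CA, key and bundle to *nodes*.

    The source of every file is the first cfgm (``env.roledefs['cfgm'][0]``).
    Certificates land in ``/etc/contrail/ssl/certs``, ``.key`` files in
    ``/etc/contrail/ssl/private``. On non-cfgm nodes an existing copy is
    deleted first; on cfgm nodes an existing file is kept as is.

    Args:
        *nodes: Fabric host strings of the target nodes.
    """
    import shutil  # function-scope: the file's import block is not in view

    ssl_certs = (get_apiserver_certfile(), get_apiserver_cafile(),
                 get_apiserver_keyfile(), get_apiserver_cert_bundle())
    cfgm_host = env.roledefs['cfgm'][0]
    for node in nodes:
        with settings(host_string=node, password=get_env_passwords(node)):
            for ssl_cert in ssl_certs:
                basename = os.path.basename(ssl_cert)
                cert_file = '/etc/contrail/ssl/certs/%s' % basename
                if ssl_cert.endswith('.key'):
                    cert_file = '/etc/contrail/ssl/private/%s' % basename
                if node not in env.roledefs['cfgm']:
                    # Clear old certificate
                    sudo('rm -f %s' % cert_file)
                if exists(cert_file, use_sudo=True):
                    continue
                # mkdtemp() gives a 0700 directory with an unpredictable name,
                # so the staged private key is not exposed to other local users.
                tmp_dir = tempfile.mkdtemp()
                tmp_fname = os.path.join(tmp_dir, basename)
                try:
                    with settings(host_string=cfgm_host,
                                  password=get_env_passwords(cfgm_host)):
                        get_as_sudo(ssl_cert, tmp_fname)
                    # NOTE(review): indentation was lost in this listing; the
                    # cfgm settings block is assumed to cover only the fetch,
                    # so mkdir/put target `node` -- confirm.
                    sudo("mkdir -p /etc/contrail/ssl/certs/")
                    sudo("mkdir -p /etc/contrail/ssl/private/")
                    put(tmp_fname, cert_file, use_sudo=True)
                    # NOTE(review): the remote mode of the pushed key is not set
                    # here; verify the file under ssl/private is not world-readable.
                finally:
                    # Remove the whole staging directory, not just the file:
                    # os.remove() alone leaked the mkdtemp() directory and, on
                    # a failed transfer, left the key material on disk.
                    shutil.rmtree(tmp_dir, ignore_errors=True)
            with settings(warn_only=True):
                sudo("chown -R contrail:contrail /etc/contrail/ssl")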
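def setup_apiserver_ssl_certs_node(*nodes):
    """Install the API server SSL cert, key and CA on *nodes* and build the cert bundle.

    For each of the three files, when the configured path equals the Contrail
    default the file is generated: the first cfgm (``index == 1``) runs
    ``create-api-ssl-certs.sh`` unless the file already exists, and every
    other cfgm waits for the first one to produce it, fetches it through a
    private local temporary directory and pushes it to the same path. A
    non-default path is pushed from the local machine when it exists there,
    accepted when it already exists on the node, and is an error otherwise.
    Finally the cert+CA bundle is written if missing and
    ``/etc/contrail/ssl`` is chowned to ``contrail``.

    Args:
        *nodes: Fabric host strings of the cfgm nodes to set up.

    Raises:
        RuntimeError: a non-default cert path exists neither locally nor on
            the node.
    """
    import shutil  # function-scope: the file's import block is not in view

    default_certfile = '/etc/contrail/ssl/certs/contrail.pem'
    default_keyfile = '/etc/contrail/ssl/private/contrail.key'
    default_cafile = '/etc/contrail/ssl/certs/contrail_ca.pem'
    contrailcertbundle = get_apiserver_cert_bundle()
    ssl_certs = ((get_apiserver_certfile(), default_certfile),
                 (get_apiserver_keyfile(), default_keyfile),
                 (get_apiserver_cafile(), default_cafile))
    # 1-based position of the calling host within the cfgm role: the first
    # cfgm generates the certs, the others copy them from it.
    index = env.roledefs['cfgm'].index(env.host_string) + 1
    cfgm_host = env.roledefs['cfgm'][0]
    for node in nodes:
        with settings(host_string=node, password=get_env_passwords(node)):
            for ssl_cert, default in ssl_certs:
                if ssl_cert == default:
                    # Clear old certificate
                    sudo('rm -f %s' % ssl_cert)
            # NOTE(review): indentation was lost in this listing; the bundle is
            # assumed to be cleared once per node, after the loop -- confirm.
            sudo('rm -f %s' % contrailcertbundle)
            for ssl_cert, default in ssl_certs:
                if ssl_cert == default:
                    if index == 1:
                        if not exists(ssl_cert, use_sudo=True):
                            print("Creating apiserver SSL certs in first cfgm node")
                            subject_alt_names_mgmt = [
                                hstr_to_ip(host) for host in env.roledefs['cfgm']]
                            subject_alt_names_ctrl = [
                                hstr_to_ip(get_control_host_string(host))
                                for host in env.roledefs['cfgm']]
                            subject_alt_names = subject_alt_names_mgmt + subject_alt_names_ctrl
                            if get_contrail_external_vip():
                                subject_alt_names.append(get_contrail_external_vip())
                            cfgm_ip = (get_contrail_internal_vip() or
                                       hstr_to_ip(get_control_host_string(cfgm_host)))
                            # The addresses are interpolated into a shell command;
                            # they come from the testbed definition (trusted
                            # deployment input), not from end users.
                            sudo('create-api-ssl-certs.sh %s %s'
                                 % (cfgm_ip, ','.join(subject_alt_names)))
                    else:
                        # mkdtemp() gives a 0700 directory with an unpredictable
                        # name, so the staged private key stays private locally.
                        tmp_dir = tempfile.mkdtemp()
                        tmp_fname = os.path.join(tmp_dir, os.path.basename(ssl_cert))
                        try:
                            with settings(host_string=cfgm_host,
                                          password=get_env_passwords(cfgm_host)):
                                # NOTE(review): there is no upper bound on this
                                # wait; if the first cfgm never produces the
                                # file the task spins forever.
                                while not exists(ssl_cert, use_sudo=True):
                                    print("Wait for SSL certs to be created in first cfgm")
                                    sleep(0.1)
                                print("Get SSL cert(%s) from first cfgm" % ssl_cert)
                                get_as_sudo(ssl_cert, tmp_fname)
                            # Back in the `node` context (env.host_string is the node).
                            print("Copy to this(%s) cfgm node" % env.host_string)
                            sudo('mkdir -p /etc/contrail/ssl/certs/')
                            sudo('mkdir -p /etc/contrail/ssl/private/')
                            put(tmp_fname, ssl_cert, use_sudo=True)
                        finally:
                            # Remove the whole staging directory: os.remove()
                            # alone leaked the mkdtemp() directory and, on a
                            # failed transfer, left the key material on disk.
                            shutil.rmtree(tmp_dir, ignore_errors=True)
                elif os.path.isfile(ssl_cert):
                    print("Certificate (%s) exists locally" % ssl_cert)
                    put(ssl_cert, default, use_sudo=True)
                elif exists(ssl_cert, use_sudo=True):
                    print("Certificate (%s) exists in cfgm node" % ssl_cert)
                else:
                    raise RuntimeError("%s doesn't exists locally or in cfgm node" % ssl_cert)
            if not exists(contrailcertbundle, use_sudo=True):
                # Bundle = server cert followed by the CA cert.
                (certfile, _), _, (cafile, _) = ssl_certs
                sudo('cat %s %s > %s' % (certfile, cafile, contrailcertbundle))
            # NOTE(review): ownership is set but the key's mode is not; verify
            # /etc/contrail/ssl/private is not world-readable after this step.
            sudo("chown -R contrail:contrail /etc/contrail/ssl")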
def use_keystone_ssl_certs_in_node(*nodes):
    """Reuse the keystone SSL cert, CA and key as the contrail API server certs on *nodes*.

    Each node first receives the keystone files through the
    ``copy_keystone_ssl_certs_to_node`` / ``copy_keystone_ssl_key_to_node``
    tasks. The copies under ``/etc/contrail/ssl`` are then duplicated with
    ``keystone`` replaced by ``contrail`` in the file name, the cert+CA bundle
    is rewritten and the tree is chowned to ``contrail``.

    Args:
        *nodes: Fabric host strings of the target nodes.
    """
    cert_dir = '/etc/contrail/ssl/certs/'
    key_dir = '/etc/contrail/ssl/private/'
    certfile = '/etc/contrail/ssl/certs/contrail.pem'
    cafile = '/etc/contrail/ssl/certs/contrail_ca.pem'

    def duplicate_as_contrail(directory, keystone_path):
        # <directory>/<keystone name>  ->  <directory>/<name with keystone->contrail>
        name = os.path.basename(keystone_path)
        source = os.path.join(directory, name)
        target = os.path.join(directory, name.replace('keystone', 'contrail'))
        # NOTE(review): plain `cp` gives the new key file a umask-derived
        # mode; verify the contrail key copy is not world-readable.
        sudo("cp %s %s" % (source, target))

    for node in nodes:
        execute('copy_keystone_ssl_certs_to_node', node)
        execute('copy_keystone_ssl_key_to_node', node)
        with settings(host_string=node, password=get_env_passwords(node)):
            for keystone_cert in (get_keystone_certfile(), get_keystone_cafile()):
                duplicate_as_contrail(cert_dir, keystone_cert)
            duplicate_as_contrail(key_dir, get_keystone_keyfile())
            # Bundle = server cert followed by the CA cert.
            contrailcertbundle = get_apiserver_cert_bundle()
            sudo('cat %s %s > %s' % (certfile, cafile, contrailcertbundle))
            sudo("chown -R contrail:contrail /etc/contrail/ssl")