bb7bd1c58e
The current implementation of airship-libvirt-gate is using sushy-emulator binary to emulate redfish. Sushy-emulator works only for http and also can’t authenticate users out-of-box if ran by itself. In order to check https and authentication the reverse-proxy was introduced. This approach had several drawbacks: 1) http still doesn’t check auth 2) to use apache for https only is too heavy solution for https This change converts reverse proxy to apache running sushy-emulator as wsgi backend, that gives an ability to check authentication for both http and https. We’re also getting rid of ad-hoc sushy-emulator service and using out-of-box apache service implementation. The code also introduces gathering of apache resulting configs and logs for quicker debug if needed. Right now authentication is disabled, since manifests are written in a way so they don’t use them. If it’s necessary to enable it, just set username here[1] PS There is ability to use apache for http-server [2], but it’s better to do as a separate PR [1] roles/airship-libvirt-gate/defaults/main.yaml [2] roles/http-fileserver Change-Id: I43b5bca41519c88b01535c156b2db0e9edaa81bb
54 lines
1.6 KiB
YAML
54 lines
1.6 KiB
YAML
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
- name: Generating ssl key & certificate
|
|
become: true
|
|
block:
|
|
- name: Ensure needed packages
|
|
apt:
|
|
name:
|
|
- python3-passlib
|
|
- python3-openssl
|
|
state: present
|
|
|
|
- name: Generate private key
|
|
openssl_privatekey:
|
|
path: "{{ apache_server_ssl_key_path }}"
|
|
|
|
- name: Create temporary CSR file
|
|
tempfile:
|
|
state: file
|
|
suffix: csr
|
|
register: csr_tempfile
|
|
|
|
- name: Generate CSR
|
|
openssl_csr:
|
|
path: "{{ csr_tempfile.path }}"
|
|
privatekey_path: "{{ apache_server_ssl_key_path }}"
|
|
common_name: "{{ apache_server_ssl_cn }}"
|
|
subject_alt_name: "{{ apache_server_ssl_alt_name }}"
|
|
|
|
- name: Generate the self signed certificate for sushy-emulator
|
|
openssl_certificate:
|
|
path: "{{ apache_server_ssl_cert_path }}"
|
|
privatekey_path: "{{ apache_server_ssl_key_path }}"
|
|
csr_path: "{{ csr_tempfile.path }}"
|
|
provider: selfsigned
|
|
|
|
always:
|
|
- name: Cleanup CSR file
|
|
file:
|
|
path: "{{ csr_tempfile.path }}"
|
|
state: absent
|
|
when: csr_tempfile.path is defined
|
|
|