Install limestone CA on hosts using openstacksdk
In order to talk to limestone clouds we need to configure a custom CA. Do this in ansible instead of puppet. A followup should add writing out clouds.yaml files. Change-Id: I355df1efb31feb31e039040da4ca6088ea632b7e Signed-off-by: Paul Belanger <pabelanger@redhat.com>
parent
21a81de59f
commit
eb086094a8
@ -495,30 +495,6 @@ cacti_hosts:
|
|||||||
- zm07.openstack.org
|
- zm07.openstack.org
|
||||||
- zm08.openstack.org
|
- zm08.openstack.org
|
||||||
- zuul01.openstack.org
|
- zuul01.openstack.org
|
||||||
limestone_ssl_cert_file_contents: |
|
|
||||||
-----BEGIN CERTIFICATE-----
|
|
||||||
MIIDzTCCArWgAwIBAgIJAMjKv/sJrt0JMA0GCSqGSIb3DQEBCwUAMH0xCzAJBgNV
|
|
||||||
BAYTAlVTMQ4wDAYDVQQIDAVUZXhhczEUMBIGA1UEBwwLU2FuIEFudG9uaW8xCzAJ
|
|
||||||
BgNVBAoMAklUMRowGAYDVQQDDBFvc2EuY29udGludW91cy5wdzEfMB0GA1UdEQwW
|
|
||||||
SVAuMT1vc2EuY29udGludW91cy5wdzAeFw0xODAzMDIxNTM1NDZaFw0yODAyMjgx
|
|
||||||
NTM1NDZaMH0xCzAJBgNVBAYTAlVTMQ4wDAYDVQQIDAVUZXhhczEUMBIGA1UEBwwL
|
|
||||||
U2FuIEFudG9uaW8xCzAJBgNVBAoMAklUMRowGAYDVQQDDBFvc2EuY29udGludW91
|
|
||||||
cy5wdzEfMB0GA1UdEQwWSVAuMT1vc2EuY29udGludW91cy5wdzCCASIwDQYJKoZI
|
|
||||||
hvcNAQEBBQADggEPADCCAQoCggEBANjzeNQOfZPLWEYXcyn4htcjli6QCT8FKU8I
|
|
||||||
edvaPDEjefcdBmD2f49bc8RRqbB8cje/B6vAAeBfXoQKoh5HQ/rec1S2aSQsYObl
|
|
||||||
ecaQTYKVVVUsAhbsmLf39rpqIhmKKA+qZCAJPsdtUQ2fTfwNnF2+9XhZ40LsZDse
|
|
||||||
cCCtwM3sKq5OymZ1JsHKMp1FEJINDAiV1aekmNjoaOeCCbuEgKKiniGJ7iVp18x8
|
|
||||||
80tGUwFq2gXrlmzYQntA80vN9MtWgnkn5KACVvE3vLpzPyKRsn5htsedmccNWGa5
|
|
||||||
eQHgAIoaP1AI57ryZHOFQxebWCWanxm19RdekyhTeqsGSso70b8CAwEAAaNQME4w
|
|
||||||
HQYDVR0OBBYEFHHOdo0iyJbl15Q3/61oYMMAGLH1MB8GA1UdIwQYMBaAFHHOdo0i
|
|
||||||
yJbl15Q3/61oYMMAGLH1MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
|
|
||||||
AAFh2mLQmGePooS/OoDNfeTORVSmq3u+l/F+5XGSSXjujY3tkl8AvXhvwVRKYFkE
|
|
||||||
y8viOR8yTvT6kyA7jQ2Fe2g0CVK+TyxpFiXQgCxISN9zAM/E2mGiM4FXqkrkl6vs
|
|
||||||
XacpMa7FAr1ZCp//rWT8NDPPMdq1L5BO4BEpE1tseaJSRv8SWztLpQZUic4YgvN2
|
|
||||||
HKnG4qpuA90nrDL30uB/dQxcVad4lG9f2vXYgbjg6QMyY1s4VVd3v9w+do8GLeia
|
|
||||||
ddlRJ6Pnmk26Kgs/0WoVVBNYVUrdo+Hk0k2BpO0/Yk+0+rz8wa+Ee4vAA3M4xT1p
|
|
||||||
NhQjSPoo+M+vDa6hxK8/Z/c=
|
|
||||||
-----END CERTIFICATE-----
|
|
||||||
statusbot_auth_nicks:
|
statusbot_auth_nicks:
|
||||||
- jeblair
|
- jeblair
|
||||||
- corvus
|
- corvus
|
||||||
|
@ -29,6 +29,8 @@ groups:
|
|||||||
mailman: inventory_hostname.startswith('lists')
|
mailman: inventory_hostname.startswith('lists')
|
||||||
mirror: inventory_hostname is match('mirror\d*\..*\.openstack\.org')
|
mirror: inventory_hostname is match('mirror\d*\..*\.openstack\.org')
|
||||||
nodepool: inventory_hostname is match('(nodepool|nb|nl)')
|
nodepool: inventory_hostname is match('(nodepool|nb|nl)')
|
||||||
|
nodepool-builder: inventory_hostname is match('nb\d*\.openstack\.org')
|
||||||
|
nodepool-launcher: inventory_hostname is match('nl\d*\.openstack\.org')
|
||||||
ns: inventory_hostname.startswith('ns')
|
ns: inventory_hostname.startswith('ns')
|
||||||
paste: inventory_hostname.startswith('paste')
|
paste: inventory_hostname.startswith('paste')
|
||||||
pbx: inventory_hostname.startswith('pbx')
|
pbx: inventory_hostname.startswith('pbx')
|
||||||
|
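Review bot: The two new group patterns are looser than the Puppet node definitions they stand in for: `nb\d*\.openstack\.org` and `nl\d*\.openstack\.org` accept a name with no digits, and Ansible's `match` test anchors only at the start, so any suffix after `.org` also matches. The site.pp hunks in this same commit select these hosts with `/^nl\d+\.openstack\.org$/` and `/^nb\d+\.openstack\.org$/`. Group membership now decides which hosts receive the nodepool-owned CA file, so I would tighten both to the same shape, e.g. `nodepool-builder: inventory_hostname is match('nb\d+\.openstack\.org$')`. The existing `mirror` entry has the same open end, so that one could be handled in a follow-up.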
@ -171,14 +171,6 @@ node 'puppetmaster.openstack.org' {
|
|||||||
class { 'openstack_project::puppetmaster':
|
class { 'openstack_project::puppetmaster':
|
||||||
puppetmaster_clouds => hiera('puppetmaster_clouds'),
|
puppetmaster_clouds => hiera('puppetmaster_clouds'),
|
||||||
}
|
}
|
||||||
file { '/etc/openstack/limestone_cacert.pem':
|
|
||||||
ensure => present,
|
|
||||||
owner => 'root',
|
|
||||||
group => 'root',
|
|
||||||
mode => '0444',
|
|
||||||
content => hiera('limestone_ssl_cert_file_contents'),
|
|
||||||
require => Class['::openstack_project::puppetmaster'],
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
# Node-OS: trusty
|
# Node-OS: trusty
|
||||||
@ -841,15 +833,6 @@ node /^nl\d+\.openstack\.org$/ {
|
|||||||
python_version => 3,
|
python_version => 3,
|
||||||
enable_webapp => true,
|
enable_webapp => true,
|
||||||
}
|
}
|
||||||
|
|
||||||
file { '/home/nodepool/.config/openstack/limestone_cacert.pem':
|
|
||||||
ensure => present,
|
|
||||||
owner => 'nodepool',
|
|
||||||
group => 'nodepool',
|
|
||||||
mode => '0600',
|
|
||||||
content => hiera('limestone_ssl_cert_file_contents'),
|
|
||||||
require => Class['::openstackci::nodepool_launcher'],
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
# Node-OS: xenial
|
# Node-OS: xenial
|
||||||
@ -907,15 +890,6 @@ node /^nb\d+\.openstack\.org$/ {
|
|||||||
ssl_key_file => '/etc/ssl/private/ssl-cert-snakeoil.key',
|
ssl_key_file => '/etc/ssl/private/ssl-cert-snakeoil.key',
|
||||||
}
|
}
|
||||||
|
|
||||||
file { '/home/nodepool/.config/openstack/limestone_cacert.pem':
|
|
||||||
ensure => present,
|
|
||||||
owner => 'nodepool',
|
|
||||||
group => 'nodepool',
|
|
||||||
mode => '0600',
|
|
||||||
content => hiera('limestone_ssl_cert_file_contents'),
|
|
||||||
require => Class['::openstackci::nodepool_builder'],
|
|
||||||
}
|
|
||||||
|
|
||||||
cron { 'mirror_gitgc':
|
cron { 'mirror_gitgc':
|
||||||
user => 'nodepool',
|
user => 'nodepool',
|
||||||
hour => '20',
|
hour => '20',
|
||||||
|
@ -11,6 +11,11 @@
|
|||||||
- timezone
|
- timezone
|
||||||
- unbound
|
- unbound
|
||||||
|
|
||||||
|
- hosts: nodepool-launcher:nodepool-builder:bridge.openstack.org:!disabled
|
||||||
|
strategy: free
|
||||||
|
roles:
|
||||||
|
- configure-openstacksdk
|
||||||
|
|
||||||
- hosts: "puppet:!disabled"
|
- hosts: "puppet:!disabled"
|
||||||
roles:
|
roles:
|
||||||
- puppet-install
|
- puppet-install
|
||||||
|
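Review bot: The new play targets `nodepool-launcher:nodepool-builder:bridge.openstack.org:!disabled`, but this commit also deletes the `/etc/openstack/limestone_cacert.pem` resource from the `puppetmaster.openstack.org` node, and that host is not in the new pattern. If puppetmaster still talks to limestone, its CA file is left on disk but no longer managed; presumably this is intended because bridge takes over, but the commit message or a comment above the play should say so. Separately, the host pattern is a bare scalar while the next play quotes `"puppet:!disabled"`; quoting it the same way keeps a leading `!` from ever being parsed as a YAML tag if the pattern is reordered.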
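--- a/playbooks/group_vars/nodepool-builder.yaml
+++ b/playbooks/group_vars/nodepool-builder.yaml
@@ -0,0 +1,3 @@
+openstacksdk_config_dir: /home/nodepool/.config/openstack
+openstacksdk_config_owner: nodepool
+openstacksdk_config_group: nodepool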
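--- a/playbooks/group_vars/nodepool-launcher.yaml
+++ b/playbooks/group_vars/nodepool-launcher.yaml
@@ -0,0 +1,3 @@
+openstacksdk_config_dir: /home/nodepool/.config/openstack
+openstacksdk_config_owner: nodepool
+openstacksdk_config_group: nodepool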
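--- a/playbooks/roles/configure-openstacksdk/README.rst
+++ b/playbooks/roles/configure-openstacksdk/README.rst
@@ -0,0 +1,14 @@
+Configure openstacksdk files
+
+Configure openstacksdk files needed by nodepool and ansible.
+
+**Role Variables**
+
+.. zuul:rolevar:: openstacksdk_config_dir
+:default: /etc/openstack
+
+.. zuul:rolevar:: openstacksdk_config_owner
+:default: root
+
+.. zuul:rolevar:: openstacksdf_config_group
+:default: root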
@ -0,0 +1,3 @@
|
|||||||
|
openstacksdk_config_dir: /etc/openstack
|
||||||
|
openstacksdk_config_owner: root
|
||||||
|
openstacksdk_config_group: root
|
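Review bot: The README added in this commit documents the third variable as `openstacksdf_config_group`, while these defaults and the task file use `openstacksdk_config_group`. Anyone copying the name from the README into group_vars would set a variable the role never reads and silently keep the `root` default. The README line should read `.. zuul:rolevar:: openstacksdk_config_group`. A one-line description under each rolevar, noting that owner and group apply to both the directory and the CA file, would also help.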
@ -0,0 +1,23 @@
|
|||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIDzTCCArWgAwIBAgIJAMjKv/sJrt0JMA0GCSqGSIb3DQEBCwUAMH0xCzAJBgNV
|
||||||
|
BAYTAlVTMQ4wDAYDVQQIDAVUZXhhczEUMBIGA1UEBwwLU2FuIEFudG9uaW8xCzAJ
|
||||||
|
BgNVBAoMAklUMRowGAYDVQQDDBFvc2EuY29udGludW91cy5wdzEfMB0GA1UdEQwW
|
||||||
|
SVAuMT1vc2EuY29udGludW91cy5wdzAeFw0xODAzMDIxNTM1NDZaFw0yODAyMjgx
|
||||||
|
NTM1NDZaMH0xCzAJBgNVBAYTAlVTMQ4wDAYDVQQIDAVUZXhhczEUMBIGA1UEBwwL
|
||||||
|
U2FuIEFudG9uaW8xCzAJBgNVBAoMAklUMRowGAYDVQQDDBFvc2EuY29udGludW91
|
||||||
|
cy5wdzEfMB0GA1UdEQwWSVAuMT1vc2EuY29udGludW91cy5wdzCCASIwDQYJKoZI
|
||||||
|
hvcNAQEBBQADggEPADCCAQoCggEBANjzeNQOfZPLWEYXcyn4htcjli6QCT8FKU8I
|
||||||
|
edvaPDEjefcdBmD2f49bc8RRqbB8cje/B6vAAeBfXoQKoh5HQ/rec1S2aSQsYObl
|
||||||
|
ecaQTYKVVVUsAhbsmLf39rpqIhmKKA+qZCAJPsdtUQ2fTfwNnF2+9XhZ40LsZDse
|
||||||
|
cCCtwM3sKq5OymZ1JsHKMp1FEJINDAiV1aekmNjoaOeCCbuEgKKiniGJ7iVp18x8
|
||||||
|
80tGUwFq2gXrlmzYQntA80vN9MtWgnkn5KACVvE3vLpzPyKRsn5htsedmccNWGa5
|
||||||
|
eQHgAIoaP1AI57ryZHOFQxebWCWanxm19RdekyhTeqsGSso70b8CAwEAAaNQME4w
|
||||||
|
HQYDVR0OBBYEFHHOdo0iyJbl15Q3/61oYMMAGLH1MB8GA1UdIwQYMBaAFHHOdo0i
|
||||||
|
yJbl15Q3/61oYMMAGLH1MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
|
||||||
|
AAFh2mLQmGePooS/OoDNfeTORVSmq3u+l/F+5XGSSXjujY3tkl8AvXhvwVRKYFkE
|
||||||
|
y8viOR8yTvT6kyA7jQ2Fe2g0CVK+TyxpFiXQgCxISN9zAM/E2mGiM4FXqkrkl6vs
|
||||||
|
XacpMa7FAr1ZCp//rWT8NDPPMdq1L5BO4BEpE1tseaJSRv8SWztLpQZUic4YgvN2
|
||||||
|
HKnG4qpuA90nrDL30uB/dQxcVad4lG9f2vXYgbjg6QMyY1s4VVd3v9w+do8GLeia
|
||||||
|
ddlRJ6Pnmk26Kgs/0WoVVBNYVUrdo+Hk0k2BpO0/Yk+0+rz8wa+Ee4vAA3M4xT1p
|
||||||
|
NhQjSPoo+M+vDa6hxK8/Z/c=
|
||||||
|
-----END CERTIFICATE-----
|
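--- a/playbooks/roles/configure-openstacksdk/tasks/main.yaml
+++ b/playbooks/roles/configure-openstacksdk/tasks/main.yaml
@@ -0,0 +1,15 @@
+- name: Ensure openstacksdk config directory
+file:
+group: '{{ openstacksdk_config_group }}'
+owner: '{{ openstacksdk_config_owner }}'
+mode: 0750
+path: '{{ openstacksdk_config_dir }}'
+state: directory
+
+- name: Install limestone cacert
+copy:
+dest: '{{ openstacksdk_config_dir }}/limestone_cacert.pem'
+group: '{{ openstacksdk_config_group }}'
+mode: 0640
+owner: '{{ openstacksdk_config_owner }}'
+src: limestone_cacert.pem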
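Review bot: The modes set here differ from what Puppet applied, and the change is not explained: the removed puppetmaster resource wrote the CA file as `0444`, whereas this role creates the directory `0750` and the file `0640`. With the `root`/`root` defaults, only root and the root group can read the CA bundle. A CA certificate is public material, so if the tight directory mode is deliberate because credentials will land next to it in the follow-up, say so above the first task, e.g. `# 0750: this directory will also hold clouds.yaml with credentials`. I would also quote both values (`mode: '0750'`, `mode: '0640'`) so they can never be read as decimal integers.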
@ -149,3 +149,22 @@ def test_unattended_upgrades(host):
|
|||||||
cfg_file = host.file("/etc/yum/yum-cron.conf")
|
cfg_file = host.file("/etc/yum/yum-cron.conf")
|
||||||
assert cfg_file.exists
|
assert cfg_file.exists
|
||||||
assert cfg_file.contains('apply_updates = yes')
|
assert cfg_file.contains('apply_updates = yes')
|
||||||
|
|
||||||
|
|
||||||
|
def test_openstacksdk_config(host):
|
||||||
|
ansible_vars = host.ansible.get_variables()
|
||||||
|
if ansible_vars['inventory_hostname'] == 'bridge.openstack.org':
|
||||||
|
f = host.file('/etc/openstack')
|
||||||
|
assert f.exists
|
||||||
|
assert f.is_directory
|
||||||
|
assert f.user == 'root'
|
||||||
|
assert f.group == 'root'
|
||||||
|
assert f.mode == 0o750
|
||||||
|
del f
|
||||||
|
|
||||||
|
f = host.file('/etc/openstack/limestone_cacert.pem')
|
||||||
|
assert f.exists
|
||||||
|
assert f.is_file
|
||||||
|
assert f.user == 'root'
|
||||||
|
assert f.group == 'root'
|
||||||
|
assert f.mode == 0o640
|
||||||
|
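Review bot: `test_openstacksdk_config` only asserts when `inventory_hostname` is `bridge.openstack.org`, so the test passes vacuously on the nodepool-launcher and nodepool-builder hosts. Those hosts get a different directory (`/home/nodepool/.config/openstack`) and owner (`nodepool`) from group_vars, and neither is checked. Indentation is lost in this view, so I cannot tell whether the second block of asserts sits inside the `if`; either way, a second branch for the nodepool groups with the expected path and `nodepool` owner/group would cover the new group_vars. The `del f` between the two blocks is unnecessary because `f` is rebound on the next statement. It would also be worth checking the file content, e.g. `assert f.contains('BEGIN CERTIFICATE')`, so that an empty or truncated copy of the CA file is caught.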