Install limestone CA on hosts using openstacksdk
In order to talk to limestone clouds we need to configure a custom CA. Do this in ansible instead of puppet. A followup should add writing out clouds.yaml files. Change-Id: I355df1efb31feb31e039040da4ca6088ea632b7e Signed-off-by: Paul Belanger <pabelanger@redhat.com>
This commit is contained in:
parent
21a81de59f
commit
eb086094a8
@ -495,30 +495,6 @@ cacti_hosts:
|
||||
- zm07.openstack.org
|
||||
- zm08.openstack.org
|
||||
- zuul01.openstack.org
|
||||
limestone_ssl_cert_file_contents: |
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIDzTCCArWgAwIBAgIJAMjKv/sJrt0JMA0GCSqGSIb3DQEBCwUAMH0xCzAJBgNV
|
||||
BAYTAlVTMQ4wDAYDVQQIDAVUZXhhczEUMBIGA1UEBwwLU2FuIEFudG9uaW8xCzAJ
|
||||
BgNVBAoMAklUMRowGAYDVQQDDBFvc2EuY29udGludW91cy5wdzEfMB0GA1UdEQwW
|
||||
SVAuMT1vc2EuY29udGludW91cy5wdzAeFw0xODAzMDIxNTM1NDZaFw0yODAyMjgx
|
||||
NTM1NDZaMH0xCzAJBgNVBAYTAlVTMQ4wDAYDVQQIDAVUZXhhczEUMBIGA1UEBwwL
|
||||
U2FuIEFudG9uaW8xCzAJBgNVBAoMAklUMRowGAYDVQQDDBFvc2EuY29udGludW91
|
||||
cy5wdzEfMB0GA1UdEQwWSVAuMT1vc2EuY29udGludW91cy5wdzCCASIwDQYJKoZI
|
||||
hvcNAQEBBQADggEPADCCAQoCggEBANjzeNQOfZPLWEYXcyn4htcjli6QCT8FKU8I
|
||||
edvaPDEjefcdBmD2f49bc8RRqbB8cje/B6vAAeBfXoQKoh5HQ/rec1S2aSQsYObl
|
||||
ecaQTYKVVVUsAhbsmLf39rpqIhmKKA+qZCAJPsdtUQ2fTfwNnF2+9XhZ40LsZDse
|
||||
cCCtwM3sKq5OymZ1JsHKMp1FEJINDAiV1aekmNjoaOeCCbuEgKKiniGJ7iVp18x8
|
||||
80tGUwFq2gXrlmzYQntA80vN9MtWgnkn5KACVvE3vLpzPyKRsn5htsedmccNWGa5
|
||||
eQHgAIoaP1AI57ryZHOFQxebWCWanxm19RdekyhTeqsGSso70b8CAwEAAaNQME4w
|
||||
HQYDVR0OBBYEFHHOdo0iyJbl15Q3/61oYMMAGLH1MB8GA1UdIwQYMBaAFHHOdo0i
|
||||
yJbl15Q3/61oYMMAGLH1MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
|
||||
AAFh2mLQmGePooS/OoDNfeTORVSmq3u+l/F+5XGSSXjujY3tkl8AvXhvwVRKYFkE
|
||||
y8viOR8yTvT6kyA7jQ2Fe2g0CVK+TyxpFiXQgCxISN9zAM/E2mGiM4FXqkrkl6vs
|
||||
XacpMa7FAr1ZCp//rWT8NDPPMdq1L5BO4BEpE1tseaJSRv8SWztLpQZUic4YgvN2
|
||||
HKnG4qpuA90nrDL30uB/dQxcVad4lG9f2vXYgbjg6QMyY1s4VVd3v9w+do8GLeia
|
||||
ddlRJ6Pnmk26Kgs/0WoVVBNYVUrdo+Hk0k2BpO0/Yk+0+rz8wa+Ee4vAA3M4xT1p
|
||||
NhQjSPoo+M+vDa6hxK8/Z/c=
|
||||
-----END CERTIFICATE-----
|
||||
statusbot_auth_nicks:
|
||||
- jeblair
|
||||
- corvus
|
||||
|
@ -29,6 +29,8 @@ groups:
|
||||
mailman: inventory_hostname.startswith('lists')
|
||||
mirror: inventory_hostname is match('mirror\d*\..*\.openstack\.org')
|
||||
nodepool: inventory_hostname is match('(nodepool|nb|nl)')
|
||||
nodepool-builder: inventory_hostname is match('nb\d*\.openstack\.org')
|
||||
nodepool-launcher: inventory_hostname is match('nl\d*\.openstack\.org')
|
||||
ns: inventory_hostname.startswith('ns')
|
||||
paste: inventory_hostname.startswith('paste')
|
||||
pbx: inventory_hostname.startswith('pbx')
|
||||
|
@ -171,14 +171,6 @@ node 'puppetmaster.openstack.org' {
|
||||
class { 'openstack_project::puppetmaster':
|
||||
puppetmaster_clouds => hiera('puppetmaster_clouds'),
|
||||
}
|
||||
file { '/etc/openstack/limestone_cacert.pem':
|
||||
ensure => present,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0444',
|
||||
content => hiera('limestone_ssl_cert_file_contents'),
|
||||
require => Class['::openstack_project::puppetmaster'],
|
||||
}
|
||||
}
|
||||
|
||||
# Node-OS: trusty
|
||||
@ -841,15 +833,6 @@ node /^nl\d+\.openstack\.org$/ {
|
||||
python_version => 3,
|
||||
enable_webapp => true,
|
||||
}
|
||||
|
||||
file { '/home/nodepool/.config/openstack/limestone_cacert.pem':
|
||||
ensure => present,
|
||||
owner => 'nodepool',
|
||||
group => 'nodepool',
|
||||
mode => '0600',
|
||||
content => hiera('limestone_ssl_cert_file_contents'),
|
||||
require => Class['::openstackci::nodepool_launcher'],
|
||||
}
|
||||
}
|
||||
|
||||
# Node-OS: xenial
|
||||
@ -907,15 +890,6 @@ node /^nb\d+\.openstack\.org$/ {
|
||||
ssl_key_file => '/etc/ssl/private/ssl-cert-snakeoil.key',
|
||||
}
|
||||
|
||||
file { '/home/nodepool/.config/openstack/limestone_cacert.pem':
|
||||
ensure => present,
|
||||
owner => 'nodepool',
|
||||
group => 'nodepool',
|
||||
mode => '0600',
|
||||
content => hiera('limestone_ssl_cert_file_contents'),
|
||||
require => Class['::openstackci::nodepool_builder'],
|
||||
}
|
||||
|
||||
cron { 'mirror_gitgc':
|
||||
user => 'nodepool',
|
||||
hour => '20',
|
||||
|
@ -11,6 +11,11 @@
|
||||
- timezone
|
||||
- unbound
|
||||
|
||||
- hosts: nodepool-launcher:nodepool-builder:bridge.openstack.org:!disabled
|
||||
strategy: free
|
||||
roles:
|
||||
- configure-openstacksdk
|
||||
|
||||
- hosts: "puppet:!disabled"
|
||||
roles:
|
||||
- puppet-install
|
||||
|
3
playbooks/group_vars/nodepool-builder.yaml
Normal file
3
playbooks/group_vars/nodepool-builder.yaml
Normal file
@ -0,0 +1,3 @@
|
||||
openstacksdk_config_dir: /home/nodepool/.config/openstack
|
||||
openstacksdk_config_owner: nodepool
|
||||
openstacksdk_config_group: nodepool
|
3
playbooks/group_vars/nodepool-launcher.yaml
Normal file
3
playbooks/group_vars/nodepool-launcher.yaml
Normal file
@ -0,0 +1,3 @@
|
||||
openstacksdk_config_dir: /home/nodepool/.config/openstack
|
||||
openstacksdk_config_owner: nodepool
|
||||
openstacksdk_config_group: nodepool
|
14
playbooks/roles/configure-openstacksdk/README.rst
Normal file
14
playbooks/roles/configure-openstacksdk/README.rst
Normal file
@ -0,0 +1,14 @@
|
||||
Configure openstacksdk files
|
||||
|
||||
Configure openstacksdk files needed by nodepool and ansible.
|
||||
|
||||
**Role Variables**
|
||||
|
||||
.. zuul:rolevar:: openstacksdk_config_dir
|
||||
:default: /etc/openstack
|
||||
|
||||
.. zuul:rolevar:: openstacksdk_config_owner
|
||||
:default: root
|
||||
|
||||
.. zuul:rolevar:: openstacksdf_config_group
|
||||
:default: root
|
@ -0,0 +1,3 @@
|
||||
openstacksdk_config_dir: /etc/openstack
|
||||
openstacksdk_config_owner: root
|
||||
openstacksdk_config_group: root
|
@ -0,0 +1,23 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIDzTCCArWgAwIBAgIJAMjKv/sJrt0JMA0GCSqGSIb3DQEBCwUAMH0xCzAJBgNV
|
||||
BAYTAlVTMQ4wDAYDVQQIDAVUZXhhczEUMBIGA1UEBwwLU2FuIEFudG9uaW8xCzAJ
|
||||
BgNVBAoMAklUMRowGAYDVQQDDBFvc2EuY29udGludW91cy5wdzEfMB0GA1UdEQwW
|
||||
SVAuMT1vc2EuY29udGludW91cy5wdzAeFw0xODAzMDIxNTM1NDZaFw0yODAyMjgx
|
||||
NTM1NDZaMH0xCzAJBgNVBAYTAlVTMQ4wDAYDVQQIDAVUZXhhczEUMBIGA1UEBwwL
|
||||
U2FuIEFudG9uaW8xCzAJBgNVBAoMAklUMRowGAYDVQQDDBFvc2EuY29udGludW91
|
||||
cy5wdzEfMB0GA1UdEQwWSVAuMT1vc2EuY29udGludW91cy5wdzCCASIwDQYJKoZI
|
||||
hvcNAQEBBQADggEPADCCAQoCggEBANjzeNQOfZPLWEYXcyn4htcjli6QCT8FKU8I
|
||||
edvaPDEjefcdBmD2f49bc8RRqbB8cje/B6vAAeBfXoQKoh5HQ/rec1S2aSQsYObl
|
||||
ecaQTYKVVVUsAhbsmLf39rpqIhmKKA+qZCAJPsdtUQ2fTfwNnF2+9XhZ40LsZDse
|
||||
cCCtwM3sKq5OymZ1JsHKMp1FEJINDAiV1aekmNjoaOeCCbuEgKKiniGJ7iVp18x8
|
||||
80tGUwFq2gXrlmzYQntA80vN9MtWgnkn5KACVvE3vLpzPyKRsn5htsedmccNWGa5
|
||||
eQHgAIoaP1AI57ryZHOFQxebWCWanxm19RdekyhTeqsGSso70b8CAwEAAaNQME4w
|
||||
HQYDVR0OBBYEFHHOdo0iyJbl15Q3/61oYMMAGLH1MB8GA1UdIwQYMBaAFHHOdo0i
|
||||
yJbl15Q3/61oYMMAGLH1MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
|
||||
AAFh2mLQmGePooS/OoDNfeTORVSmq3u+l/F+5XGSSXjujY3tkl8AvXhvwVRKYFkE
|
||||
y8viOR8yTvT6kyA7jQ2Fe2g0CVK+TyxpFiXQgCxISN9zAM/E2mGiM4FXqkrkl6vs
|
||||
XacpMa7FAr1ZCp//rWT8NDPPMdq1L5BO4BEpE1tseaJSRv8SWztLpQZUic4YgvN2
|
||||
HKnG4qpuA90nrDL30uB/dQxcVad4lG9f2vXYgbjg6QMyY1s4VVd3v9w+do8GLeia
|
||||
ddlRJ6Pnmk26Kgs/0WoVVBNYVUrdo+Hk0k2BpO0/Yk+0+rz8wa+Ee4vAA3M4xT1p
|
||||
NhQjSPoo+M+vDa6hxK8/Z/c=
|
||||
-----END CERTIFICATE-----
|
15
playbooks/roles/configure-openstacksdk/tasks/main.yaml
Normal file
15
playbooks/roles/configure-openstacksdk/tasks/main.yaml
Normal file
@ -0,0 +1,15 @@
|
||||
- name: Ensure openstacksdk config directory
|
||||
file:
|
||||
group: '{{ openstacksdk_config_group }}'
|
||||
owner: '{{ openstacksdk_config_owner }}'
|
||||
mode: 0750
|
||||
path: '{{ openstacksdk_config_dir }}'
|
||||
state: directory
|
||||
|
||||
- name: Install limestone cacert
|
||||
copy:
|
||||
dest: '{{ openstacksdk_config_dir }}/limestone_cacert.pem'
|
||||
group: '{{ openstacksdk_config_group }}'
|
||||
mode: 0640
|
||||
owner: '{{ openstacksdk_config_owner }}'
|
||||
src: limestone_cacert.pem
|
@ -149,3 +149,22 @@ def test_unattended_upgrades(host):
|
||||
cfg_file = host.file("/etc/yum/yum-cron.conf")
|
||||
assert cfg_file.exists
|
||||
assert cfg_file.contains('apply_updates = yes')
|
||||
|
||||
|
||||
def test_openstacksdk_config(host):
|
||||
ansible_vars = host.ansible.get_variables()
|
||||
if ansible_vars['inventory_hostname'] == 'bridge.openstack.org':
|
||||
f = host.file('/etc/openstack')
|
||||
assert f.exists
|
||||
assert f.is_directory
|
||||
assert f.user == 'root'
|
||||
assert f.group == 'root'
|
||||
assert f.mode == 0o750
|
||||
del f
|
||||
|
||||
f = host.file('/etc/openstack/limestone_cacert.pem')
|
||||
assert f.exists
|
||||
assert f.is_file
|
||||
assert f.user == 'root'
|
||||
assert f.group == 'root'
|
||||
assert f.mode == 0o640
|
||||
|
Loading…
x
Reference in New Issue
Block a user