xci: osa: Restore self-signed XCI certificate 71/61771/5
authorMarkos Chandras <mchandras@suse.de>
Mon, 3 Sep 2018 16:21:52 +0000 (17:21 +0100)
committerFatih Degirmenci <fdegir@gmail.com>
Tue, 4 Sep 2018 05:59:43 +0000 (05:59 +0000)
This reverts commit cc583f30f881ba956fb4f1402aa4dd1608b27da2.

We still need to have control over the generated certificates, so let's
keep generating our own.

deploy-scenario:os-nosdn-nofeature
installer-type:osa

Change-Id: I9e730bce2dba578ca0b561b168eaf1c2eca1282d

xci/installer/kubespray/playbooks/configure-opnfvhost.yml
xci/installer/kubespray/playbooks/configure-targethosts.yml
xci/installer/osa/files/ha/user_variables.yml
xci/installer/osa/files/mini/user_variables.yml
xci/installer/osa/files/noha/user_variables.yml
xci/installer/osa/playbooks/configure-opnfvhost.yml
xci/playbooks/manage-ssl-certs.yml [new file with mode: 0644]

index 36104b6..00a8053 100644 (file)
@@ -83,6 +83,9 @@
         - { name: 'netaddr' }
         - { name: 'ansible-modules-hashivault' }
 
+    - name: Configure SSL certificates
+      include_tasks: "{{ xci_path }}/xci/playbooks/manage-ssl-certs.yml"
+
     - name: fetch xci environment
       copy:
         src: "{{ xci_path }}/.cache/xci.env"
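Review bot: This include passes no `extra_args`, so the `pip: name: pyOpenSSL` task inside manage-ssl-certs.yml resolves the package unconstrained from PyPI at deploy time on the kubespray path, whereas the OSA include in this same change pins it through the OpenStack upper-constraints file. Two installers pulling different pyOpenSSL versions is a reproducibility and supply-chain gap; pass a constraint here as well, e.g. `vars:` / `extra_args: "-c <constraints file>"`, or pin an explicit version in the shared task file so both paths install the same thing. The play containing this task starts before the hunk.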
index 859460c..7989bfb 100644 (file)
@@ -37,4 +37,6 @@
       when:  xci_flavor == 'ha'
     - role: "haproxy_server"
       haproxy_service_configs: "{{ haproxy_default_services}}"
+      haproxy_user_ssl_cert: "/etc/ssl/certs/xci.crt"
+      haproxy_user_ssl_key: "/etc/ssl/private/xci.key"
       when:  xci_flavor == 'ha'
index 8c2e9f0..abbe688 100644 (file)
@@ -164,5 +164,7 @@ openrc_os_endpoint_type: "publicURL"
 openrc_clouds_yml_interface: "public"
 openrc_region_name: RegionOne
 openrc_insecure: true
+haproxy_user_ssl_cert: "/etc/ssl/certs/xci.crt"
+haproxy_user_ssl_key: "/etc/ssl/private/xci.key"
 keystone_service_adminuri_insecure: true
 keystone_service_internaluri_insecure: true
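Review bot: The new `haproxy_user_ssl_cert`/`haproxy_user_ssl_key` lines sit between `openrc_insecure: true` and the `keystone_service_*_insecure: true` flags, and those flags are what let clients tolerate the self-signed xci.crt, so the certificate gives the endpoints TLS confidentiality but no authentication until clients trust it. That relationship is not stated anywhere, so someone later removing the insecure flags without distributing xci.crt would break the deployment; add a comment above these two lines such as `# Self-signed cert produced by xci/playbooks/manage-ssl-certs.yml via configure-opnfvhost.yml; clients must trust xci.crt or keep the *_insecure flags below.` The same two lines are duplicated verbatim in the mini and noha user_variables files, so a shared include or group var would keep the three in sync.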
index b4d847b..db956e3 100644 (file)
@@ -164,5 +164,7 @@ openrc_os_endpoint_type: "publicURL"
 openrc_clouds_yml_interface: "public"
 openrc_region_name: RegionOne
 openrc_insecure: true
+haproxy_user_ssl_cert: "/etc/ssl/certs/xci.crt"
+haproxy_user_ssl_key: "/etc/ssl/private/xci.key"
 keystone_service_adminuri_insecure: true
 keystone_service_internaluri_insecure: true
index 5e7ed83..b9fd2e8 100644 (file)
@@ -164,5 +164,7 @@ openrc_os_endpoint_type: "publicURL"
 openrc_clouds_yml_interface: "public"
 openrc_region_name: RegionOne
 openrc_insecure: true
+haproxy_user_ssl_cert: "/etc/ssl/certs/xci.crt"
+haproxy_user_ssl_key: "/etc/ssl/private/xci.key"
 keystone_service_adminuri_insecure: true
 keystone_service_internaluri_insecure: true
index 768b656..b677fec 100644 (file)
         chdir: "{{openstack_osa_path}}/scripts"
       changed_when: True
 
+    - name: Configure SSL certificates
+      include_tasks: "{{ xci_path }}/xci/playbooks/manage-ssl-certs.yml"
+      vars:
+        extra_args: "-c https://raw.githubusercontent.com/openstack/requirements/{{ requirements_git_install_branch }}/upper-constraints.txt"
+
     - name: fetch xci environment
       copy:
         src: "{{ xci_path }}/.cache/xci.env"
diff --git a/xci/playbooks/manage-ssl-certs.yml b/xci/playbooks/manage-ssl-certs.yml
new file mode 100644 (file)
index 0000000..d0c5c51
--- /dev/null
@@ -0,0 +1,32 @@
+# SPDX-license-identifier: Apache-2.0
+##############################################################################
+# Copyright (c) 2018 SUSE Linux GmbH and others.
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+##############################################################################
+- name: Install required pip packages for SSL
+  pip:
+    name: pyOpenSSL
+    state: present
+    extra_args: "{{ extra_args | default(omit) }}"
+
+- name: Generate XCI private key
+  openssl_privatekey:
+    path: /etc/ssl/private/xci.key
+    size: 2048
+
+- name: Generate XCI certificate request
+  openssl_csr:
+    privatekey_path: /etc/ssl/private/xci.key
+    path: /etc/ssl/private/xci.csr
+    common_name: "{{ xci_ssl_subject }}"
+
+- name: Generate XCI self signed certificate
+  openssl_certificate:
+    path: /etc/ssl/certs/xci.crt
+    privatekey_path: /etc/ssl/private/xci.key
+    csr_path: /etc/ssl/private/xci.csr
+    provider: selfsigned
+    selfsigned_not_after: 20800101000000Z
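Review bot: The `openssl_privatekey` task writes /etc/ssl/private/xci.key with no explicit `owner`, `group` or `mode`, so the key's permissions depend on the module's default and the umask of the account running the play; since `haproxy_user_ssl_key` in this change suggests the key is later copied to the haproxy hosts, pin them with `owner: root`, `group: root` and `mode: "0600"` on that task (the CSR task writes into the same directory and should get the same treatment). The `openssl_csr` task sets only `common_name`, so the issued certificate carries no subjectAltName; clients that ignore the CN will reject it even after trusting xci.crt, so add `subject_alt_name: "DNS:{{ xci_ssl_subject }}"` (or an `IP:` entry if `xci_ssl_subject`, defined outside this change, is an address). `selfsigned_not_after: 20800101000000Z` also means this task will never rotate the certificate once it exists, which is acceptable for a CI fixture but deserves a one-line comment saying so.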