xci: osa: Use Ansible modules to create ssl certificates 95/54895/1
authorMarkos Chandras <mchandras@suse.de>
Tue, 3 Apr 2018 11:47:54 +0000 (12:47 +0100)
committerMarkos Chandras <mchandras@suse.de>
Wed, 4 Apr 2018 09:55:12 +0000 (10:55 +0100)
Ansible already provides modules to create ssl certificates so we can
use these instead of running the openssl commands directly. Moreover, we
can drop all the tasks which create the ssl directories since they are
being created by the openssl package which also creates the appropriate
symlinks. Finally, there is no need to generate the certificate on
localhost if only the OPNFV host consumes it, so move these steps to
the appropriate playbook.

Change-Id: I0045945c502013be3d76440876e894a44a092690
Signed-off-by: Markos Chandras <mchandras@suse.de>
xci/installer/osa/playbooks/configure-opnfvhost.yml
xci/playbooks/configure-localhost.yml

index 6c2b1d3..0e6fdd1 100644 (file)
         - pyyaml
         - python-neutronclient
         - python-openstackclient
+        - pyOpenSSL
     - name: Install ARA callback plugin in OSA virtualenv
       pip:
         name: ara
       args:
         chdir: "{{openstack_osa_path}}/scripts"
       changed_when: True
-    - name: check if certificate directory /etc/ssl/certs exists already
-      stat: path=/etc/ssl/certs
-      register: check_etc_ssl_certs
-    - name: create certificate directory /etc/ssl/certs
-      file:
-        path: "/etc/ssl/certs"
-        state: directory
-      when: check_etc_ssl_certs.stat.exists == false
-    - name: create key directory /etc/ssl/private
-      file:
-        path: "/etc/ssl/private"
-        state: directory
-    - name: copy certificate to /etc/ssl/certs
-      copy:
-        src: "/etc/ssl/certs/xci.crt"
-        dest: "/etc/ssl/certs/"
-    - name: read remote key from /etc/ssl/private
-      set_fact:
-        xci_ssl_key: "{{ lookup('pipe', 'sudo cat /etc/ssl/private/xci.key' ) }}"
-    - name: copy key to /etc/ssl/private
-      copy:
-        content: "{{ xci_ssl_key }}"
-        dest: "/etc/ssl/private/xci.key"
-      become: true
+
+    - name: Generate XCI private key
+      openssl_privatekey:
+        path: /etc/ssl/private/xci.key
+        size: 2048
+
+    - name: Generate XCI certificate request
+      openssl_csr:
+        privatekey_path: /etc/ssl/private/xci.key
+        path: /etc/ssl/private/xci.csr
+        common_name: "{{ xci_ssl_subject }}"
+
+    - name: Generate XCI self signed certificate
+      openssl_certificate:
+        path: /etc/ssl/certs/xci.crt
+        privatekey_path: /etc/ssl/private/xci.key
+        csr_path: /etc/ssl/private/xci.csr
+        provider: selfsigned
+        selfsigned_not_after: 20800101000000Z
+
     - name: fetch xci environment
       copy:
         src: "{{ xci_path }}/.cache/xci.env"
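Review bot: `common_name: "{{ xci_ssl_subject }}"` in the certificate-request task reuses a variable that the removed `openssl req` task in configure-localhost.yml passed to `-subj`, which takes a full distinguished name rather than a bare host name. The variable's definition is not part of this change, so if it still holds a `/C=…/CN=…` style string, the whole string becomes the CN; confirm the value and pass only the host name here. The request also sets no subjectAltName, and many current TLS clients ignore the CN and verify host names against subjectAltName only, so consider adding `subject_alt_name: "DNS:<xci-hostname-placeholder>"` to the `openssl_csr` task. Separately, `selfsigned_not_after: 20800101000000Z` extends the lifetime from the previous `-days 3650` to roughly six decades for a 2048-bit key, with no rotation visible in this change. A shorter validity with regeneration on expiry would be easier to defend.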
index 1f01052..5f091c9 100644 (file)
         path: "{{log_path}}"
         state: directory
         recurse: no
-    - block:
-        - name: check if certificate directory /etc/ssl/certs exists already
-          stat: path=/etc/ssl/certs
-          register: check_etc_ssl_certs
-        - name: create certificate directory /etc/ssl/certs
-          become: true
-          file:
-            path: "/etc/ssl/certs"
-            state: directory
-          when: check_etc_ssl_certs.stat.exists == false
-        - name: create key directory /etc/ssl/private
-          become: true
-          file:
-            path: "/etc/ssl/private"
-            state: directory
-        - name: generate self signed certificate
-          command: openssl req -new -nodes -x509 -subj "{{ xci_ssl_subject }}" -days 3650 -keyout "/etc/ssl/private/xci.key" -out "/etc/ssl/certs/xci.crt" -extensions v3_ca
-          become: true
-        - name: Synchronize local development OSA repository to XCI paths
-          # command module is much faster than the copy module
-          synchronize:
-            src: "{{ openstack_osa_dev_path }}"
-            dest: "{{ xci_cache }}/repos/openstack-ansible"
-            recursive: yes
-            delete: yes
-          when:
-            - openstack_osa_dev_path != ""
+
+    - name: Synchronize local development OSA repository to XCI paths
+      # command module is much faster than the copy module
+      synchronize:
+        src: "{{ openstack_osa_dev_path }}"
+        dest: "{{ xci_cache }}/repos/openstack-ansible"
+        recursive: yes
+        delete: yes
       when:
+        - openstack_osa_dev_path != ""
         - installer_type == "osa"
 
     - name: Configure SSH key for local user
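Review bot: The comment carried over onto the re-indented task, `# command module is much faster than the copy module`, does not match the code, since the task calls `synchronize`. I would reword it to `# synchronize (rsync) is much faster than the copy module`. I would also add a line noting that `delete: yes` removes anything under `{{ xci_cache }}/repos/openstack-ansible` that is absent from `openstack_osa_dev_path`, so pointing the variable at the wrong directory replaces the cached checkout. The removed certificate tasks also leave any `/etc/ssl/private/xci.key` from earlier runs in place on localhost. Whether that needs a cleanup step depends on deployments outside this diff.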