Revert "xci: osa: Disable haproxy ssl configuration" 73/61473/11
authorMarkos Chandras <mchandras@suse.de>
Tue, 28 Aug 2018 13:55:28 +0000 (14:55 +0100)
committerMarkos Chandras <mchandras@suse.de>
Mon, 3 Sep 2018 07:01:04 +0000 (08:01 +0100)
This reverts commit 42501f0ef7e0f0729b1c780102fb9713ef383fb3.

This also removes the entire SSL management code and we let the
haproxy_server role generate the certificates for us.

We also need to bump the openrc role to include an upstream patch
which fixes the openrc template file.

deploy-scenario:os-nosdn-nofeature
installer-type:osa

Change-Id: I9bb590c9f1d5bc63519cfb4794dc15f794cc5b07
Signed-off-by: Markos Chandras <mchandras@suse.de>
xci/installer/kubespray/playbooks/configure-opnfvhost.yml
xci/installer/kubespray/playbooks/configure-targethosts.yml
xci/installer/osa/files/ansible-role-requirements.yml
xci/installer/osa/files/ha/user_variables.yml
xci/installer/osa/files/mini/user_variables.yml
xci/installer/osa/files/noha/user_variables.yml
xci/installer/osa/playbooks/configure-opnfvhost.yml
xci/playbooks/manage-ssl-certs.yml [deleted file]

index 00a8053..36104b6 100644 (file)
@@ -83,9 +83,6 @@
         - { name: 'netaddr' }
         - { name: 'ansible-modules-hashivault' }
 
-    - name: Configure SSL certificates
-      include_tasks: "{{ xci_path }}/xci/playbooks/manage-ssl-certs.yml"
-
     - name: fetch xci environment
       copy:
         src: "{{ xci_path }}/.cache/xci.env"
index 7989bfb..859460c 100644 (file)
@@ -37,6 +37,4 @@
       when:  xci_flavor == 'ha'
     - role: "haproxy_server"
       haproxy_service_configs: "{{ haproxy_default_services}}"
-      haproxy_user_ssl_cert: "/etc/ssl/certs/xci.crt"
-      haproxy_user_ssl_key: "/etc/ssl/private/xci.key"
       when:  xci_flavor == 'ha'
index 5905dc5..c958a2f 100644 (file)
@@ -64,7 +64,8 @@
 - name: openstack_openrc
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-openstack_openrc
-  version: 33d59ddb00f27e9a2a3bb816621a55efd1b37ba7
+  version: 3b31242d4ecde28ac747dff83568f202112c79bf
+  refspec: refs/changes/78/598978/2
 - name: os_aodh
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-os_aodh
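Review bot: The new `refspec: refs/changes/78/598978/2` on the openstack_openrc entry pulls a Gerrit review patchset rather than a commit on a branch, and nothing in the file records that this is temporary. The `version` SHA still fixes the exact content, but the patch has presumably not merged or passed upstream gating yet (inferred from the refs/changes ref and the commit message), and the fetch relies on that review ref staying available. I would add a comment above the entry, e.g. `# TODO: drop refspec and repin to the merged commit once upstream change 598978 lands`, so the pin is revisited rather than carried forward. The roles list continues outside this hunk.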
index c51a6e1..8c2e9f0 100644 (file)
@@ -154,7 +154,7 @@ trove_wsgi_processes: 1
 sahara_api_workers_max: 2
 sahara_api_workers: 1
 
-openrc_os_auth_url: "http://192.168.122.220:5000/v3"
+openrc_os_auth_url: "https://192.168.122.220:5000/v3"
 keystone_auth_admin_password: "opnfv-secret-password"
 openrc_os_password: "opnfv-secret-password"
 openrc_os_domain_name: "Default"
@@ -163,9 +163,6 @@ openrc_nova_endpoint_type: "publicURL"
 openrc_os_endpoint_type: "publicURL"
 openrc_clouds_yml_interface: "public"
 openrc_region_name: RegionOne
-haproxy_ssl: false
-openstack_service_publicuri_proto: http
-haproxy_user_ssl_cert: "/etc/ssl/certs/xci.crt"
-haproxy_user_ssl_key: "/etc/ssl/private/xci.key"
+openrc_insecure: true
 keystone_service_adminuri_insecure: true
 keystone_service_internaluri_insecure: true
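Review bot: `openrc_insecure: true` is added without a comment explaining why, and it replaces the removed certificate settings with a switch that, going by the `OS_INSECURE` export this commit deletes elsewhere, turns off certificate verification for clients using the generated openrc. Per the commit message the haproxy_server role now generates the certificate itself, presumably self-signed, so the new `https://` auth URL encrypts traffic but does not prove the endpoint is the real keystone, and the password in this file goes to whatever answers on that address. I would put a comment above the line, e.g. `# lab only: haproxy serves a role-generated self-signed cert; remove once clients trust a real CA`. The mini and noha user_variables.yml hunks add the identical line and need the same comment. For anything beyond a throwaway lab, supplying a trusted pair through `haproxy_user_ssl_cert` / `haproxy_user_ssl_key` and leaving verification on would be the safer default.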
index ef56dd2..b4d847b 100644 (file)
@@ -154,7 +154,7 @@ trove_wsgi_processes: 1
 sahara_api_workers_max: 2
 sahara_api_workers: 1
 
-openrc_os_auth_url: "http://192.168.122.3:5000/v3"
+openrc_os_auth_url: "https://192.168.122.3:5000/v3"
 keystone_auth_admin_password: "opnfv-secret-password"
 openrc_os_password: "opnfv-secret-password"
 openrc_os_domain_name: "Default"
@@ -163,9 +163,6 @@ openrc_nova_endpoint_type: "publicURL"
 openrc_os_endpoint_type: "publicURL"
 openrc_clouds_yml_interface: "public"
 openrc_region_name: RegionOne
-haproxy_ssl: false
-openstack_service_publicuri_proto: http
-haproxy_user_ssl_cert: "/etc/ssl/certs/xci.crt"
-haproxy_user_ssl_key: "/etc/ssl/private/xci.key"
+openrc_insecure: true
 keystone_service_adminuri_insecure: true
 keystone_service_internaluri_insecure: true
index 4e57881..5e7ed83 100644 (file)
@@ -154,7 +154,7 @@ trove_wsgi_processes: 1
 sahara_api_workers_max: 2
 sahara_api_workers: 1
 
-openrc_os_auth_url: "http://192.168.122.3:5000/v3"
+openrc_os_auth_url: "https://192.168.122.3:5000/v3"
 keystone_auth_admin_password: "opnfv-secret-password"
 openrc_os_password: "opnfv-secret-password"
 openrc_os_domain_name: "Default"
@@ -163,9 +163,6 @@ openrc_nova_endpoint_type: "publicURL"
 openrc_os_endpoint_type: "publicURL"
 openrc_clouds_yml_interface: "public"
 openrc_region_name: RegionOne
-haproxy_ssl: false
-openstack_service_publicuri_proto: http
-haproxy_user_ssl_cert: "/etc/ssl/certs/xci.crt"
-haproxy_user_ssl_key: "/etc/ssl/private/xci.key"
+openrc_insecure: true
 keystone_service_adminuri_insecure: true
 keystone_service_internaluri_insecure: true
index c92abd9..b3b798d 100644 (file)
         chdir: "{{openstack_osa_path}}/scripts"
       changed_when: True
 
-    - name: Configure SSL certificates
-      include_tasks: "{{ xci_path }}/xci/playbooks/manage-ssl-certs.yml"
-      vars:
-        extra_args: "-c https://raw.githubusercontent.com/openstack/requirements/{{ requirements_git_install_branch }}/upper-constraints.txt"
-
     - name: fetch xci environment
       copy:
         src: "{{ xci_path }}/.cache/xci.env"
       include_role:
         name: "openstack-ansible-openstack_openrc"
 
-    - name: add extra insecure flag to generated openrc
-      blockinfile:
-          dest: "{{ ansible_env.HOME }}/openrc"
-          block: |
-              export OS_INSECURE=true
-
     - name: fetch generated openrc
       fetch:
         src: "{{ ansible_env.HOME }}/openrc"
diff --git a/xci/playbooks/manage-ssl-certs.yml b/xci/playbooks/manage-ssl-certs.yml
deleted file mode 100644 (file)
index d0c5c51..0000000
+++ /dev/null
@@ -1,32 +0,0 @@
-# SPDX-license-identifier: Apache-2.0
-##############################################################################
-# Copyright (c) 2018 SUSE Linux GmbH and others.
-# All rights reserved. This program and the accompanying materials
-# are made available under the terms of the Apache License, Version 2.0
-# which accompanies this distribution, and is available at
-# http://www.apache.org/licenses/LICENSE-2.0
-##############################################################################
-- name: Install required pip packages for SSL
-  pip:
-    name: pyOpenSSL
-    state: present
-    extra_args: "{{ extra_args | default(omit) }}"
-
-- name: Generate XCI private key
-  openssl_privatekey:
-    path: /etc/ssl/private/xci.key
-    size: 2048
-
-- name: Generate XCI certificate request
-  openssl_csr:
-    privatekey_path: /etc/ssl/private/xci.key
-    path: /etc/ssl/private/xci.csr
-    common_name: "{{ xci_ssl_subject }}"
-
-- name: Generate XCI self signed certificate
-  openssl_certificate:
-    path: /etc/ssl/certs/xci.crt
-    privatekey_path: /etc/ssl/private/xci.key
-    csr_path: /etc/ssl/private/xci.csr
-    provider: selfsigned
-    selfsigned_not_after: 20800101000000Z