CORD-1007 Generate certs and keys on the corddev VM
Change-Id: I18e9662f3efc7bf249ed319b1f7f7086f9424270
diff --git a/roles/cord-profile/tasks/main.yml b/roles/cord-profile/tasks/main.yml
index de66651..2ce0269 100644
--- a/roles/cord-profile/tasks/main.yml
+++ b/roles/cord-profile/tasks/main.yml
@@ -35,17 +35,6 @@
mode: 0600
with_items: "{{ xos_service_sshkeys }}"
-- name: Copy over core api key
- copy:
- src: "{{ playbook_dir }}/pki/intermediate_ca/private/xos-core.{{ site_suffix }}_key.pem"
- dest: "{{ cord_profile_dir }}/core_api_key.pem"
- mode: 0600
-
-- name: Copy over core api cert
- copy:
- src: "{{ playbook_dir }}/pki/intermediate_ca/certs/xos-core.{{ site_suffix }}_cert_chain.pem"
- dest: "{{ cord_profile_dir }}/core_api_cert.pem"
-
- name: Make Image directory ( outside of profile directory to avoid repeat downloads on sequential runs)
become: yes
file:
@@ -122,4 +111,3 @@
src: "{{ ansible_user_dir }}/node_key"
dest: "{{ cord_profile_dir }}/node_key"
mode: 0600
-
diff --git a/roles/create-lxd/tasks/main.yml b/roles/create-lxd/tasks/main.yml
index 3e081a2..a86fe66 100644
--- a/roles/create-lxd/tasks/main.yml
+++ b/roles/create-lxd/tasks/main.yml
@@ -44,6 +44,10 @@
nictype: bridged
parent: mgmtbr
type: nic
+ certs:
+ type: disk
+ path: /usr/local/share/ca-certificates/cord/
+ source: /usr/local/share/ca-certificates/
- name: Create containers for the OpenStack services
become: yes
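Review bot: The new `certs` disk device bind-mounts the head node's /usr/local/share/ca-certificates/ into the containers built from this profile read-write, so a misbehaving or compromised container could alter the host's CA trust store; LXD disk devices accept `readonly: true`, which should be set here because the containers only need to read the CA files. The device also exposes the whole host directory rather than only the CORD CA files (cord_root_ca.crt and cord_intermediate_ca.crt elsewhere in this diff); if only those are meant to be shared, point `source:` at a dedicated sub-directory. The enclosing profile/devices mapping starts before this hunk.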
@@ -124,6 +128,11 @@
tags:
- skip_ansible_lint # running a sub job
+- name: Update CA certificates in containers
+ command: ansible containers -m shell -b -u ubuntu -a "update-ca-certificates"
+ tags:
+ - skip_ansible_lint # running a sub job
+
- name: Create containers' eth0 interface config file for DNS config via resolvconf program
when: not on_maas
template:
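Review bot: `-m shell` is used where no shell features are needed; `command: ansible containers -m command -b -u ubuntu -a "update-ca-certificates"` runs the same thing without a shell. This task replaces the notify-driven handlers removed from roles/pki-install/handlers/main.yml, but it now runs on every play whether or not the CA files changed and always reports changed; either add `changed_when: false` or keep it as a handler notified by the CA copy task so a later CA rotation re-runs it in the containers. Whether the pki-install copy task can notify a handler in this role depends on the play layout, which is not visible here.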
diff --git a/roles/juju-setup/defaults/main.yml b/roles/juju-setup/defaults/main.yml
index 74d7eee..840f49d 100644
--- a/roles/juju-setup/defaults/main.yml
+++ b/roles/juju-setup/defaults/main.yml
@@ -9,3 +9,4 @@
juju_config_path: /usr/local/src/juju_config.yml
charm_versions: {}
+pki_dir: "/opt/pki"
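Review bot: `pki_dir: "/opt/pki"` is now hard-coded as a role default in five roles in this diff (juju-setup, pki-install, pki-intermediate-ca, pki-root-ca and xos-docker-images), and `credentials_dir: "/opt/credentials"` in two; an operator who relocates the PKI tree must edit every copy, and a missed copy silently reads or writes a different directory. Define both once in group_vars, inventory or a shared vars file and drop the per-role copies, keeping at most one default where a role must run stand-alone.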
diff --git a/roles/juju-setup/templates/cord_juju_config.yml.j2 b/roles/juju-setup/templates/cord_juju_config.yml.j2
index 0b07590..e640289 100644
--- a/roles/juju-setup/templates/cord_juju_config.yml.j2
+++ b/roles/juju-setup/templates/cord_juju_config.yml.j2
@@ -16,9 +16,9 @@
ha-mcastport: 5403
openstack-origin: "cloud:trusty-kilo"
use-https: "yes"
- ssl_key: {{ lookup('file', '{{ playbook_dir }}/pki/intermediate_ca/private/keystone.{{ site_suffix }}_key.pem') | b64encode }}
- ssl_cert: {{ lookup('file', '{{ playbook_dir }}/pki/intermediate_ca/certs/keystone.{{ site_suffix }}_cert.pem') | b64encode }}
- ssl_ca: {{ lookup('file', '{{ playbook_dir }}/pki/intermediate_ca/certs/im_cert_chain.pem') | b64encode }}
+ ssl_key: {{ lookup('file', '{{ pki_dir }}/keystone.{{ site_suffix }}_key.pem') | b64encode }}
+ ssl_cert: {{ lookup('file', '{{ pki_dir }}/keystone.{{ site_suffix }}_cert.pem') | b64encode }}
+ ssl_ca: {{ lookup('file', '{{ pki_dir }}/im_cert_chain.pem') | b64encode }}
mongodb: {}
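Review bot: `ssl_cert` here reads `{{ pki_dir }}/keystone.{{ site_suffix }}_cert.pem`, while the opencloud_juju_config.yml.j2 hunk reads `keystone.{{ site_suffix }}_cert_chain.pem` from the same flat directory, and the "Copy certs needed by OpenStack" task added in roles/pki-install/tasks/main.yml only places `_key.pem` and `_cert.pem` there; the opencloud template's file lookup will fail unless `_cert_chain.pem` is copied as well (or both templates should agree on whichever file the keystone charm expects). Note also that `lookup('file', ...)` is evaluated on the Ansible controller, so these flat paths must exist on the controller, whereas pki-install's copy writes them on the managed host; the two only coincide when pki-install runs against the controller itself, which this diff does not show. The same consideration applies to `copy: src: "{{ pki_dir }}/im_cert_chain.pem"` in roles/xos-docker-images/tasks/main.yml.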
@@ -58,4 +58,3 @@
rabbitmq-server:
ssl: "on"
-
diff --git a/roles/juju-setup/templates/opencloud_juju_config.yml.j2 b/roles/juju-setup/templates/opencloud_juju_config.yml.j2
index 4379a9f..b0d3e88 100644
--- a/roles/juju-setup/templates/opencloud_juju_config.yml.j2
+++ b/roles/juju-setup/templates/opencloud_juju_config.yml.j2
@@ -13,9 +13,9 @@
os-public-hostname: "keystone.{{ site_suffix }}"
use-https: "yes"
openstack-origin: "cloud:trusty-kilo"
- ssl_key: {{ lookup('file', '{{ playbook_dir }}/pki/intermediate_ca/private/keystone.{{ site_suffix }}_key.pem') | b64encode }}
- ssl_cert: {{ lookup('file', '{{ playbook_dir }}/pki/intermediate_ca/certs/keystone.{{ site_suffix }}_cert_chain.pem') | b64encode }}
- ssl_ca: {{ lookup('file', '{{ playbook_dir }}/pki/intermediate_ca/certs/im_cert_chain.pem') | b64encode }}
+ ssl_key: {{ lookup('file', '{{ pki_dir }}/keystone.{{ site_suffix }}_key.pem') | b64encode }}
+ ssl_cert: {{ lookup('file', '{{ pki_dir }}/keystone.{{ site_suffix }}_cert_chain.pem') | b64encode }}
+ ssl_ca: {{ lookup('file', '{{ pki_dir }}/im_cert_chain.pem') | b64encode }}
mongodb: {}
@@ -57,4 +57,3 @@
rabbitmq-server:
ssl: "on"
-
diff --git a/roles/onos-cord-install/tasks/main.yml b/roles/onos-cord-install/tasks/main.yml
index 16991ff..441dc07 100644
--- a/roles/onos-cord-install/tasks/main.yml
+++ b/roles/onos-cord-install/tasks/main.yml
@@ -56,4 +56,3 @@
command: chdir="{{ onos_cord_dest }}" docker-compose up -d
tags:
- skip_ansible_lint
-
diff --git a/roles/pki-install/defaults/main.yml b/roles/pki-install/defaults/main.yml
new file mode 100644
index 0000000..86c15ae
--- /dev/null
+++ b/roles/pki-install/defaults/main.yml
@@ -0,0 +1,4 @@
+# pki-install/defaults/main.yml
+
+pki_dir: "/opt/pki"
+use_openstack: True
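Review bot: `use_openstack: True` uses a capitalised boolean and the new file has no `---` document start, unlike the sibling defaults files touched in this diff (pki-intermediate-ca, pki-root-ca, xos-docker-images); write `use_openstack: true` and open the file with `---` so yamllint's truthy and document-start checks pass and the role files read consistently.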
diff --git a/roles/pki-install/handlers/main.yml b/roles/pki-install/handlers/main.yml
index 409ab0f..70b0e2c 100644
--- a/roles/pki-install/handlers/main.yml
+++ b/roles/pki-install/handlers/main.yml
@@ -4,13 +4,3 @@
- name: Run update-ca-certificates on head node
become: yes
command: update-ca-certificates
-
-- name: Copy root CA cert to all service VMs
- command: ansible services -b -u ubuntu -m copy -a "src=/usr/local/share/ca-certificates/cord_root_ca.crt dest=/usr/local/share/ca-certificates/cord_root_ca.crt owner=root group=root mode=0644"
-
-- name: Copy intermediate CA cert to all service VMs
- command: ansible services -b -u ubuntu -m copy -a "src=/usr/local/share/ca-certificates/cord_intermediate_ca.crt dest=/usr/local/share/ca-certificates/cord_intermediate_ca.crt owner=root group=root mode=0644"
-
-- name: update-ca-certificates in service VMs
- command: ansible services -b -u ubuntu -m command -a "update-ca-certificates"
-
diff --git a/roles/pki-install/tasks/main.yml b/roles/pki-install/tasks/main.yml
index 136b8c7..72cd0f8 100644
--- a/roles/pki-install/tasks/main.yml
+++ b/roles/pki-install/tasks/main.yml
@@ -4,7 +4,7 @@
- name: Copy CA certificates to head node
become: yes
copy:
- src: "{{ playbook_dir }}/pki/{{ item.src }}"
+ src: "{{ pki_dir }}/{{ item.src }}"
dest: "/usr/local/share/ca-certificates/{{ item.dest }}"
with_items:
- src: "root_ca/certs/ca_cert.pem"
@@ -13,6 +13,30 @@
dest: "cord_intermediate_ca.crt"
notify:
- Run update-ca-certificates on head node
- - Copy root CA cert to all service VMs
- - Copy intermediate CA cert to all service VMs
- - update-ca-certificates in service VMs
+
+- name: Ensure PKI directory
+ become: yes
+ file:
+ path: "{{ pki_dir }}"
+ state: directory
+
+- name: Copy certs needed by XOS
+ become: yes
+ copy:
+ src: "{{ pki_dir }}/{{ item.src }}"
+ dest: "{{ pki_dir }}/{{ item.dest }}"
+ with_items:
+ - src: "intermediate_ca/certs/im_cert_chain.pem"
+ dest: "im_cert_chain.pem"
+
+- name: Copy certs needed by OpenStack
+ become: yes
+ when: use_openstack
+ copy:
+ src: "{{ pki_dir }}/{{ item.src }}"
+ dest: "{{ pki_dir }}/{{ item.dest }}"
+ with_items:
+ - src: "intermediate_ca/private/keystone.{{ site_suffix }}_key.pem"
+ dest: "keystone.{{ site_suffix }}_key.pem"
+ - src: "intermediate_ca/certs/keystone.{{ site_suffix }}_cert.pem"
+ dest: "keystone.{{ site_suffix }}_cert.pem"
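Review bot: The "Copy certs needed by OpenStack" task writes the keystone private key `keystone.{{ site_suffix }}_key.pem` into `{{ pki_dir }}` with `become: yes` and no `mode` or `owner`, so it lands root-owned with umask-default permissions (typically world-readable), whereas the cord-profile task this diff removes copied its key with `mode: 0600`; add `owner: "{{ ansible_user_id }}"` and `mode: 0600` to this task (the `_cert.pem` and `im_cert_chain.pem` copies are public material and can stay at the default). "Ensure PKI directory" likewise sets no owner or mode, unlike the "Create PKI directory" tasks added to pki-root-ca and pki-intermediate-ca (`owner: "{{ ansible_user_id }}"`, `mode: 0755`); align it so the directory's ownership does not depend on which role ran first. Setting the owner matters for the key too: a root-owned 0600 file could not be read by the unprivileged `lookup('file', ...)` in the juju templates if they resolve on the same host.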
diff --git a/roles/pki-intermediate-ca/defaults/main.yml b/roles/pki-intermediate-ca/defaults/main.yml
index 24801d3..feecca8 100644
--- a/roles/pki-intermediate-ca/defaults/main.yml
+++ b/roles/pki-intermediate-ca/defaults/main.yml
@@ -1,7 +1,8 @@
---
# pki-intermediate-ca/defaults/main.yml
-pki_dir: "{{ playbook_dir }}/pki"
+pki_dir: "/opt/pki"
+credentials_dir: "/opt/credentials"
# crypto parameters
ca_digest: "sha256"
@@ -9,8 +10,7 @@
ca_im_days: 730
# passphrases for the certificate
-ca_im_phrase: "{{ lookup('password', 'credentials/ca_im_phrase length=64') }}"
+ca_im_phrase: "{{ lookup('password', credentials_dir+'/ca_im_phrase length=64') }}"
# noninteractive csr subject
ca_im_subj: "/C=US/ST=California/L=Menlo Park/O=ON.Lab/OU=Test Deployment/CN=CORD Test Deployment Intermediate CA"
-
diff --git a/roles/pki-intermediate-ca/tasks/main.yml b/roles/pki-intermediate-ca/tasks/main.yml
index ac066ac..fe8aeea 100644
--- a/roles/pki-intermediate-ca/tasks/main.yml
+++ b/roles/pki-intermediate-ca/tasks/main.yml
@@ -1,6 +1,14 @@
---
# pki-ca/tasks/main.yml
+- name: Create PKI directory
+ become: yes
+ file:
+ dest: "{{ pki_dir }}"
+ state: directory
+ owner: "{{ ansible_user_id }}"
+ mode: 0755
+
- name: Create intermediate CA directory
become: yes
file:
@@ -117,4 +125,3 @@
copy:
dest: "{{ pki_dir }}/intermediate_ca/certs/im_cert_chain.pem"
content: "{{ im_cert.stdout }}\n{{ ca_cert.stdout }}"
-
diff --git a/roles/pki-root-ca/defaults/main.yml b/roles/pki-root-ca/defaults/main.yml
index 326eb36..8f6888c 100644
--- a/roles/pki-root-ca/defaults/main.yml
+++ b/roles/pki-root-ca/defaults/main.yml
@@ -1,8 +1,8 @@
---
# pki-root-ca/defaults/main.yml
-pki_dir: "{{ playbook_dir }}/pki"
-credentials_dir: "{{ playbook_dir }}/credentials"
+pki_dir: "/opt/pki"
+credentials_dir: "/opt/credentials"
# ca parameters
ca_digest: "sha256"
@@ -10,7 +10,7 @@
ca_root_days: 3650
# passphrases for the key
-ca_root_phrase: "{{ lookup('password', 'credentials/ca_root_phrase length=64') }}"
+ca_root_phrase: "{{ lookup('password', credentials_dir+'/ca_root_phrase length=64') }}"
# noninteractive csr subject
ca_root_subj: "/C=US/ST=California/L=Menlo Park/O=ON.Lab/OU=Test Deployment/CN=CORD Test Deployment Root CA"
diff --git a/roles/pki-root-ca/tasks/main.yml b/roles/pki-root-ca/tasks/main.yml
index 6da6e9b..8c2f34d 100644
--- a/roles/pki-root-ca/tasks/main.yml
+++ b/roles/pki-root-ca/tasks/main.yml
@@ -1,7 +1,7 @@
---
# pki-root-ca/tasks/main.yml
-- name: Make sure credentials directory has proper ownership
+- name: Create credentials directory
become: yes
file:
dest: "{{ credentials_dir }}"
@@ -9,6 +9,14 @@
owner: "{{ ansible_user_id }}"
mode: 0700
+- name: Create PKI directory
+ become: yes
+ file:
+ dest: "{{ pki_dir }}"
+ state: directory
+ owner: "{{ ansible_user_id }}"
+ mode: 0755
+
- name: Create root CA directory
become: yes
file:
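Review bot: The new "Create PKI directory" task is inserted directly after the `mode: 0700` line of the previous task with no separating blank line, while the rest of this file and the identical task added to roles/pki-intermediate-ca/tasks/main.yml keep one blank line between tasks; add the blank line before `- name: Create PKI directory`. Since the task is byte-for-byte the same in both roles, consider creating `{{ pki_dir }}` in one place (for example the root-CA role, which runs first) and leaving the intermediate-CA role to depend on it, so a later change to owner or mode cannot diverge between the two.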
@@ -88,4 +96,3 @@
-out {{ pki_dir }}/root_ca/certs/ca_cert.pem
args:
creates: "{{ pki_dir }}/root_ca/certs/ca_cert.pem"
-
diff --git a/roles/xos-docker-images/defaults/main.yml b/roles/xos-docker-images/defaults/main.yml
index 22943b2..bb96fea 100644
--- a/roles/xos-docker-images/defaults/main.yml
+++ b/roles/xos-docker-images/defaults/main.yml
@@ -1,6 +1,7 @@
---
# xos-docker-images/defaults/main.yml
+pki_dir: "/opt/pki"
cord_dir: "{{ ansible_user_dir + '/cord' }}"
build_xos_base_image: False
@@ -11,4 +12,3 @@
push_xos_base_image: False
push_xos_image: False
-
diff --git a/roles/xos-docker-images/tasks/main.yml b/roles/xos-docker-images/tasks/main.yml
index ed9670f..421fb6f 100644
--- a/roles/xos-docker-images/tasks/main.yml
+++ b/roles/xos-docker-images/tasks/main.yml
@@ -21,9 +21,10 @@
tags:
- skip_ansible_lint # idempotent git metadata retrieval, git module can't do this
+# Should mount certs in the image rather than baking them in
- name: Copy over SSL CA certificates
copy:
- src: "{{ playbook_dir }}/pki/intermediate_ca/certs/im_cert_chain.pem"
+ src: "{{ pki_dir }}/im_cert_chain.pem"
dest: "{{ cord_dir }}/orchestration/xos/containers/xos/local_certs.crt"
mode: 0644
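Review bot: The added comment `# Should mount certs in the image rather than baking them in` records a design intent without saying why or what is meant by "mount"; phrase it as an actionable `# TODO: mount the CA chain into the container at run time instead of copying it into the build context` (presumably the intended meaning) so it is found by TODO searches and a later maintainer can act on it. The file copied here is the intermediate CA chain, public material, so the concern is maintainability of the image rather than exposure of a secret.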
@@ -44,9 +45,9 @@
pull: False # use the locally built copy of xosproject/xos
- name: Clean up chameleon temp directory
- shell: rm -rf {{ cord_dir }}/orchestration/xos/containers/chameleon/tmp.chameleon
- tags:
- - skip_ansible_lint # docker can't access files outside of build context, so we must copy
+ file:
+ path: "{{ cord_dir }}/orchestration/xos/containers/chameleon/tmp.chameleon"
+ state: absent
- name: Populate chameleon temp directory
shell: cp -a "{{ cord_dir }}/component/chameleon" "{{ cord_dir }}/orchestration/xos/containers/chameleon/tmp.chameleon"
@@ -87,4 +88,3 @@
name: "{{ deploy_docker_registry }}/xosproject/xos"
tag: "{{ deploy_docker_tag }}"
push: True
-