Generate per-site SSL intermediate CA, fix cred/pki paths
Change-Id: I0bda0791d82142acac8c6af0e152d8d0954ef719
diff --git a/roles/juju-setup/defaults/main.yml b/roles/juju-setup/defaults/main.yml
index 840f49d..3024e0e 100644
--- a/roles/juju-setup/defaults/main.yml
+++ b/roles/juju-setup/defaults/main.yml
@@ -1,12 +1,10 @@
---
# juju-setup/defaults/main.yml
-juju_config_name: opencloud
-
# note: juju_config_path and charm_versions are also set in
# `juju-compute-setup/defaults/main.yml`. Keep these in sync.
juju_config_path: /usr/local/src/juju_config.yml
charm_versions: {}
-pki_dir: "/opt/pki"
+pki_dir: "{{ playbook_dir }}/pki"
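Review bot: Moving `pki_dir` to `{{ playbook_dir }}/pki` puts the CA tree, including the `private/` directory the keystone template now reads its key from, inside the playbook checkout, so if that checkout is under version control the key material must be excluded from it (an ignore rule for `pki/`, or a path outside the repo via an inventory override). The comment just above says `juju_config_path` and `charm_versions` are duplicated in `juju-compute-setup/defaults/main.yml`; if `pki_dir` is defined there as well it presumably needs the same new value, otherwise the two roles will look in different places. Consider extending that comment to `# note: juju_config_path, charm_versions and pki_dir are also set in` if that is the case.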
diff --git a/roles/juju-setup/tasks/main.yml b/roles/juju-setup/tasks/main.yml
index 159bd1b..d1607b8 100644
--- a/roles/juju-setup/tasks/main.yml
+++ b/roles/juju-setup/tasks/main.yml
@@ -28,7 +28,7 @@
- name: Copy over juju-config.yml for configuring Juju services
become: yes
template:
- src={{ juju_config_name }}_juju_config.yml.j2
+ src=juju_config.yml.j2
dest={{ juju_config_path }}
# check that containers are ready to be accessed, juju add-machine may error
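Review bot: The rendered `juju_config.yml` written to `dest` carries the base64-encoded keystone private key (the `ssl_key` lookup in the template this task renders), but the task sets no ownership or mode, so the file is created with whatever the default umask gives under `become`. The module arguments are also passed as a free-form `key=value` string rather than block YAML; rewriting them as `src: juju_config.yml.j2`, `dest: "{{ juju_config_path }}"`, `mode: "0600"` fixes both in one step. The task body is fully inside the hunk; only its trailing comment is visible at the end.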
diff --git a/roles/juju-setup/templates/cord_juju_config.yml.j2 b/roles/juju-setup/templates/juju_config.yml.j2
similarity index 74%
rename from roles/juju-setup/templates/cord_juju_config.yml.j2
rename to roles/juju-setup/templates/juju_config.yml.j2
index e640289..bf157ea 100644
--- a/roles/juju-setup/templates/cord_juju_config.yml.j2
+++ b/roles/juju-setup/templates/juju_config.yml.j2
@@ -11,40 +11,40 @@
ha-mcastport: 5402
keystone:
+ openstack-origin: "cloud:trusty-kilo"
admin-password: "{{ keystone_admin_password }}"
os-public-hostname: "keystone.{{ site_suffix }}"
ha-mcastport: 5403
- openstack-origin: "cloud:trusty-kilo"
use-https: "yes"
- ssl_key: {{ lookup('file', '{{ pki_dir }}/keystone.{{ site_suffix }}_key.pem') | b64encode }}
- ssl_cert: {{ lookup('file', '{{ pki_dir }}/keystone.{{ site_suffix }}_cert.pem') | b64encode }}
- ssl_ca: {{ lookup('file', '{{ pki_dir }}/im_cert_chain.pem') | b64encode }}
+ ssl_key: {{ lookup('file', '{{ pki_dir }}/{{ site_name }}_im_ca/private/keystone.{{ site_suffix }}_key.pem') | b64encode }}
+ ssl_cert: {{ lookup('file', '{{ pki_dir }}/{{ site_name }}_im_ca/certs/keystone.{{ site_suffix }}_cert.pem') | b64encode }}
+ ssl_ca: {{ lookup('file', '{{ pki_dir }}//{{ site_name }}_im_ca/certs/im_cert_chain.pem') | b64encode }}
mongodb: {}
nagios: {}
neutron-api:
+ openstack-origin: "cloud:trusty-kilo"
neutron-plugin: onosvtn
onos-vtn-ip: onos-cord
onos-vtn-port: 8182
neutron-security-groups: "True"
- openstack-origin: "cloud:trusty-kilo"
overlay-network-type: vxlan
neutron-openvswitch: {}
nova-cloud-controller:
+ openstack-origin: "cloud:trusty-kilo"
config-flags: "force_config_drive=always"
console-access-protocol: novnc
network-manager: Neutron
- openstack-origin: "cloud:trusty-kilo"
nova-compute:
+ openstack-origin: "cloud:trusty-kilo"
virt-type: kvm
config-flags: "firewall_driver=nova.virt.firewall.NoopFirewallDriver"
disable-neutron-security-groups: "True"
- openstack-origin: "cloud:trusty-kilo"
nrpe: {}
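Review bot: The new `ssl_ca` lookup has a doubled slash, `{{ pki_dir }}//{{ site_name }}_im_ca/...`, which the other two new paths on the lines above do not; it is tolerated by POSIX path resolution but is clearly a typo and should read `'{{ pki_dir }}/{{ site_name }}_im_ca/certs/im_cert_chain.pem'` to match `ssl_key` and `ssl_cert`. All three lookups also keep the pre-existing pattern of nested `{{ }}` inside a quoted Jinja string argument; it works because lookup arguments are templated again, but the idiomatic form is string concatenation, e.g. `lookup('file', pki_dir ~ '/' ~ site_name ~ '_im_ca/certs/im_cert_chain.pem')`, which avoids the double-templating and makes the `//` kind of mistake easier to spot. The `keystone` stanza is fully inside the hunk.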
@@ -54,7 +54,7 @@
openstack-origin: "cloud:trusty-kilo"
percona-cluster:
- max-connections: 20000
+ max-connections: 20000
rabbitmq-server:
ssl: "on"
diff --git a/roles/juju-setup/templates/opencloud_juju_config.yml.j2 b/roles/juju-setup/templates/opencloud_juju_config.yml.j2
deleted file mode 100644
index b0d3e88..0000000
--- a/roles/juju-setup/templates/opencloud_juju_config.yml.j2
+++ /dev/null
@@ -1,59 +0,0 @@
----
-# juju configuration file for OpenCloud deployments
-
-ceilometer: {}
-
-ceilometer-agent: {}
-
-glance:
- openstack-origin: "cloud:trusty-kilo"
-
-keystone:
- admin-password: "{{ keystone_admin_password }}"
- os-public-hostname: "keystone.{{ site_suffix }}"
- use-https: "yes"
- openstack-origin: "cloud:trusty-kilo"
- ssl_key: {{ lookup('file', '{{ pki_dir }}/keystone.{{ site_suffix }}_key.pem') | b64encode }}
- ssl_cert: {{ lookup('file', '{{ pki_dir }}/keystone.{{ site_suffix }}_cert_chain.pem') | b64encode }}
- ssl_ca: {{ lookup('file', '{{ pki_dir }}/im_cert_chain.pem') | b64encode }}
-
-mongodb: {}
-
-neutron-api:
- flat-network-providers: "*"
- openstack-origin: "cloud:trusty-kilo"
- vlan-ranges: "physnet1:1000:2000 nat"
-
-neutron-gateway:
- bridge-mappings: "physnet1:br-data nat:br-nat"
- flat-network-providers: "*"
- instance-mtu: "1400"
- openstack-origin: "cloud:trusty-kilo"
- vlan-ranges: "physnet1:1000:2000 nat"
-
-neutron-openvswitch:
- bridge-mappings: "physnet1:br-data nat:br-nat"
- disable-security-groups: "True"
- flat-network-providers: "*"
- vlan-ranges: "physnet1:1000:2000 nat"
-
-nova-cloud-controller:
- console-access-protocol: "novnc"
- network-manager: "Neutron"
- openstack-origin: "cloud:trusty-kilo"
-
-nova-compute:
- virt-type: kvm
- config-flags: "firewall_driver=nova.virt.firewall.NoopFirewallDriver"
- openstack-origin: "cloud:trusty-kilo"
-
-ntp:
- source: "0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org 2.ubuntu.pool.ntp.org 3.ubuntu.pool.ntp.org"
-
-openstack-dashboard:
- openstack-origin: "cloud:trusty-kilo"
-
-percona-cluster: {}
-
-rabbitmq-server:
- ssl: "on"