Generate per-site SSL intermediate CA, fix cred/pki paths
Change-Id: I0bda0791d82142acac8c6af0e152d8d0954ef719
diff --git a/roles/pki-install/defaults/main.yml b/roles/pki-install/defaults/main.yml
index 86c15ae..3221add 100644
--- a/roles/pki-install/defaults/main.yml
+++ b/roles/pki-install/defaults/main.yml
@@ -1,4 +1,4 @@
# pki-install/defaults/main.yml
-pki_dir: "/opt/pki"
+pki_dir: "{{ playbook_dir }}/pki"
use_openstack: True
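Review bot: The new `pki_dir` default is a path under `playbook_dir`, which for the `copy` tasks in this role is a location on the Ansible controller, not on the managed host, and a reader of this defaults file has no way to tell that; the removed lines in the tasks hunk suggest the same tree also carries the intermediate CA's `private/` keys. A comment above the key would make the assumption explicit: `# Controller-side path; presumably holds CA private keys, so keep it out of version control`. While here, the unchanged `use_openstack: True` context line would read canonically as `use_openstack: true`.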
diff --git a/roles/pki-install/handlers/main.yml b/roles/pki-install/handlers/main.yml
index 70b0e2c..4b5cc54 100644
--- a/roles/pki-install/handlers/main.yml
+++ b/roles/pki-install/handlers/main.yml
@@ -1,6 +1,5 @@
---
# pki-install/handlers/main.yml
-- name: Run update-ca-certificates on head node
- become: yes
+- name: update-ca-certificates
command: update-ca-certificates
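Review bot: With `become: yes` dropped from the handler, nothing in this file escalates privileges, yet `update-ca-certificates` rewrites the system trust store under /etc/ssl/certs, which ordinarily requires root; the commit does not show a play- or role-level `become` that replaces it, so please confirm one exists or restore `become: true` on the handler. The same removal happens on the `Copy CA certificates` task in roles/pki-install/tasks/main.yml, whose destination under /usr/local/share/ca-certificates is likewise root-owned. If escalation is intentionally left to the play, a comment such as `# relies on become: true at play level` on the handler would document the dependency.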
diff --git a/roles/pki-install/tasks/main.yml b/roles/pki-install/tasks/main.yml
index a49d88d..77c8806 100644
--- a/roles/pki-install/tasks/main.yml
+++ b/roles/pki-install/tasks/main.yml
@@ -1,46 +1,15 @@
---
# pki-install/tasks/main.yml
-- name: Copy CA certificates to head node
- become: yes
+- name: Copy CA certificates
copy:
src: "{{ pki_dir }}/{{ item.src }}"
dest: "/usr/local/share/ca-certificates/{{ item.dest }}"
with_items:
- src: "root_ca/certs/ca_cert.pem"
dest: "cord_root_ca.crt"
- - src: "intermediate_ca/certs/im_cert.pem"
+ - src: "{{ site_name }}_im_ca/certs/im_cert.pem"
dest: "cord_intermediate_ca.crt"
notify:
- - Run update-ca-certificates on head node
+ - update-ca-certificates
-- name: Ensure PKI directory
- become: yes
- file:
- path: "{{ pki_dir }}"
- state: directory
-
-- name: Copy certs needed by XOS
- become: yes
- copy:
- src: "{{ pki_dir }}/{{ item.src }}"
- dest: "{{ pki_dir }}/{{ item.dest }}"
- with_items:
- - src: "intermediate_ca/certs/im_cert_chain.pem"
- dest: "im_cert_chain.pem"
- - src: "intermediate_ca/private/xos-core.{{ site_suffix }}_key.pem"
- dest: "core_api_key.pem"
- - src: "intermediate_ca/certs/xos-core.{{ site_suffix }}_cert_chain.pem"
- dest: "core_api_cert.pem"
-
-- name: Copy certs needed by OpenStack
- become: yes
- when: use_openstack
- copy:
- src: "{{ pki_dir }}/{{ item.src }}"
- dest: "{{ pki_dir }}/{{ item.dest }}"
- with_items:
- - src: "intermediate_ca/private/keystone.{{ site_suffix }}_key.pem"
- dest: "keystone.{{ site_suffix }}_key.pem"
- - src: "intermediate_ca/certs/keystone.{{ site_suffix }}_cert.pem"
- dest: "keystone.{{ site_suffix }}_cert.pem"