Generate admin_url to enable https for admin endpoints
This commit updated platform services' sysinv puppet plugins to generate proper admin_url hiera data to enable https for these endpoints during controller unlock. This commit also updated controller_config to copy and install dc admin endpoint CA cert and haproxy cert for the second controller. Change-Id: I21345a96f8a0ffb416069ff28dbcfa51b9e12359 Story: 2007347 Task: 39314 Signed-off-by: Andy Ning <andy.ning@windriver.com>
This commit is contained in:
parent
f2dd994914
commit
e169d1caea
|
@ -319,6 +319,30 @@ start()
|
|||
fi
|
||||
fi
|
||||
|
||||
if [ -e $CONFIG_DIR/admin-ep-cert.pem ]
|
||||
then
|
||||
cp $CONFIG_DIR/admin-ep-cert.pem /etc/ssl/private/
|
||||
if [ $? -ne 0 ]
|
||||
then
|
||||
fatal_error "Unable to copy $CONFIG_DIR/admin-ep-cert.pem to certificates dir"
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -e $CONFIG_DIR/dc-adminep-root-ca.crt ]
|
||||
then
|
||||
cp $CONFIG_DIR/dc-adminep-root-ca.crt /etc/pki/ca-trust/source/anchors/
|
||||
if [ $? -ne 0 ]
|
||||
then
|
||||
fatal_error "Unable to copy $CONFIG_DIR/dc-adminep-root-ca.crt to certificates dir"
|
||||
fi
|
||||
# Update system trusted CA cert list with the new CA cert.
|
||||
update-ca-trust extract
|
||||
if [ $? -ne 0 ]
|
||||
then
|
||||
fatal_error "Unable to update system trusted CA certificate list"
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -e $CONFIG_DIR/openstack ]
|
||||
then
|
||||
if [ ! -e /etc/ssl/private/openstack ]
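Review bot: The new copy at `cp $CONFIG_DIR/admin-ep-cert.pem /etc/ssl/private/` leaves the destination mode to whatever the source file and the umask produce, and a PEM destined for /etc/ssl/private presumably bundles the haproxy private key; pinning the mode, e.g. `install -m 0600 "$CONFIG_DIR/admin-ep-cert.pem" /etc/ssl/private/admin-ep-cert.pem`, also lets the failure be caught directly with `if ! install ...; then fatal_error ...; fi` instead of a separate `$?` test. The same `cp`-then-`$?` shape is repeated for `dc-adminep-root-ca.crt` and for `update-ca-trust extract`, where `if ! cmd; then` would read more directly. `$CONFIG_DIR` is unquoted throughout the hunk. The enclosing start() function begins before and ends after this hunk.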
|
||||
|
|
|
@ -1542,6 +1542,8 @@ DEFAULT_DNS_SERVICE_DOMAIN = 'cluster.local'
|
|||
|
||||
# Ansible bootstrap
|
||||
ANSIBLE_BOOTSTRAP_FLAG = os.path.join(tsc.VOLATILE_PATH, ".ansible_bootstrap")
|
||||
ANSIBLE_BOOTSTRAP_COMPLETED_FLAG = os.path.join(tsc.CONFIG_PATH,
|
||||
".bootstrap_completed")
|
||||
UNLOCK_READY_FLAG = os.path.join(tsc.PLATFORM_CONF_PATH, ".unlock_ready")
|
||||
INVENTORY_WAIT_TIMEOUT_IN_SECS = 90
|
||||
|
||||
|
|
|
@ -89,7 +89,7 @@ class BarbicanPuppet(openstack.OpenstackBasePuppet):
|
|||
return self._format_private_endpoint(self.SERVICE_PORT)
|
||||
|
||||
def get_admin_url(self):
|
||||
return self._format_private_endpoint(self.SERVICE_PORT)
|
||||
return self._format_admin_endpoint(self.SERVICE_PORT)
|
||||
|
||||
def get_region_name(self):
|
||||
return self._get_service_region_name(self.SERVICE_NAME)
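Review bot: The one-line swap to `return self._format_admin_endpoint(self.SERVICE_PORT)` in `get_admin_url` is repeated verbatim in the Fm, Nfv, Patching and Sm plugins, and the two-line `path=self.SERVICE_PATH` variant in DCDBsync, DCManager and SystemInventory; if `OpenstackBasePuppet.get_admin_url` is not abstract, a base-class default of `return self._format_admin_endpoint(self.SERVICE_PORT, path=getattr(self, 'SERVICE_PATH', None))` would remove the eight copies, with only Keystone keeping its shared-service override. That is inferred from the hunks alone, since the base-class definition of `get_admin_url` is not visible here. Callers of these methods should also be aware that, when https is selected, the returned URL carries `SERVICE_PORT + 1` rather than `SERVICE_PORT`.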
|
||||
|
|
|
@ -132,7 +132,7 @@ class DCDBsyncPuppet(openstack.OpenstackBasePuppet):
|
|||
path=self.SERVICE_PATH)
|
||||
|
||||
def get_admin_url(self):
|
||||
return self._format_private_endpoint(self.SERVICE_PORT,
|
||||
return self._format_admin_endpoint(self.SERVICE_PORT,
|
||||
path=self.SERVICE_PATH)
|
||||
|
||||
def get_region_name(self):
|
||||
|
|
|
@ -111,7 +111,7 @@ class DCManagerPuppet(openstack.OpenstackBasePuppet):
|
|||
path=self.SERVICE_PATH)
|
||||
|
||||
def get_admin_url(self):
|
||||
return self._format_private_endpoint(self.SERVICE_PORT,
|
||||
return self._format_admin_endpoint(self.SERVICE_PORT,
|
||||
path=self.SERVICE_PATH)
|
||||
|
||||
def get_region_name(self):
|
||||
|
|
|
@ -110,8 +110,19 @@ class DCOrchPuppet(openstack.OpenstackBasePuppet):
|
|||
self.get_proxy_public_url(self.PATCHING_SERVICE_PORT,
|
||||
self.PATCHING_SERVICE_PATH),
|
||||
'dcorch::keystone::auth::identity_proxy_public_url':
|
||||
self.get_proxy_internal_url(self.IDENTITY_SERVICE_PORT,
|
||||
self.IDENTITY_SERVICE_PATH),
|
||||
self.get_proxy_public_url(self.IDENTITY_SERVICE_PORT,
|
||||
self.IDENTITY_SERVICE_PATH),
|
||||
|
||||
'dcorch::keystone::auth::sysinv_proxy_admin_url':
|
||||
self.get_proxy_admin_url(self.PLATFORM_SERVICE_PORT,
|
||||
self.PLATFORM_SERVICE_PATH),
|
||||
'dcorch::keystone::auth::identity_proxy_admin_url':
|
||||
self.get_proxy_admin_url(self.IDENTITY_SERVICE_PORT,
|
||||
self.IDENTITY_SERVICE_PATH),
|
||||
'dcorch::keystone::auth::patching_proxy_admin_url':
|
||||
self.get_proxy_admin_url(self.PATCHING_SERVICE_PORT,
|
||||
self.PATCHING_SERVICE_PATH),
|
||||
|
||||
'dcorch::keystone::auth::region': self.get_region_name(),
|
||||
'dcorch::keystone::auth::auth_name': ksuser,
|
||||
'dcorch::keystone::auth::service_name': self.SERVICE_NAME,
|
||||
|
@ -198,5 +209,8 @@ class DCOrchPuppet(openstack.OpenstackBasePuppet):
|
|||
def get_proxy_public_url(self, port, service_path):
|
||||
return self._format_public_endpoint(port, path=service_path)
|
||||
|
||||
def get_proxy_admin_url(self, port, service_path):
|
||||
return self._format_admin_endpoint(port, path=service_path)
|
||||
|
||||
def get_region_name(self):
|
||||
return self._get_service_region_name(self.SERVICE_NAME)
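Review bot: The `identity_proxy_public_url` value changes from `self.get_proxy_internal_url(...)` to `self.get_proxy_public_url(...)`, which alters the public identity proxy endpoint (presumably from the management address and private protocol to the public ones) independently of the new `*_proxy_admin_url` keys, yet the commit message only describes the admin_url work; the description should mention this fix, or it belongs in its own change so the endpoint switch stays traceable. The new `get_proxy_admin_url` helper in the second hunk mirrors the public and internal helpers, so a one-line docstring such as `"""Admin-side proxy endpoint; the base class shifts the port when https is selected."""` would record the port behaviour callers cannot see from this file.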
|
||||
|
|
|
@ -105,7 +105,7 @@ class FmPuppet(openstack.OpenstackBasePuppet):
|
|||
return self._format_private_endpoint(self.SERVICE_PORT)
|
||||
|
||||
def get_admin_url(self):
|
||||
return self._format_private_endpoint(self.SERVICE_PORT)
|
||||
return self._format_admin_endpoint(self.SERVICE_PORT)
|
||||
|
||||
def get_region_name(self):
|
||||
return self._get_service_region_name(self.SERVICE_NAME)
|
||||
|
|
|
@ -111,7 +111,7 @@ class SystemInventoryPuppet(openstack.OpenstackBasePuppet):
|
|||
path=self.SERVICE_PATH)
|
||||
|
||||
def get_admin_url(self):
|
||||
return self._format_private_endpoint(self.SERVICE_PORT,
|
||||
return self._format_admin_endpoint(self.SERVICE_PORT,
|
||||
path=self.SERVICE_PATH)
|
||||
|
||||
def get_region_name(self):
|
||||
|
|
|
@ -242,7 +242,7 @@ class KeystonePuppet(openstack.OpenstackBasePuppet):
|
|||
self.SERVICE_TYPE in self._get_shared_services()):
|
||||
return self._get_admin_url_from_service_config(self.SERVICE_NAME)
|
||||
else:
|
||||
return self._format_private_endpoint(self.SERVICE_PORT)
|
||||
return self._format_admin_endpoint(self.SERVICE_PORT)
|
||||
|
||||
def get_auth_address(self):
|
||||
if self._region_config():
|
||||
|
|
|
@ -271,4 +271,4 @@ class NfvPuppet(openstack.OpenstackBasePuppet):
|
|||
return self._format_private_endpoint(self.SERVICE_PORT)
|
||||
|
||||
def get_admin_url(self):
|
||||
return self._format_private_endpoint(self.SERVICE_PORT)
|
||||
return self._format_admin_endpoint(self.SERVICE_PORT)
|
||||
|
|
|
@ -6,6 +6,7 @@
|
|||
|
||||
import abc
|
||||
import keyring
|
||||
import os
|
||||
|
||||
from sysinv.common import constants
|
||||
|
||||
|
@ -116,6 +117,23 @@ class OpenstackBasePuppet(base.BasePuppet):
|
|||
def _get_private_protocol(self):
|
||||
return 'http'
|
||||
|
||||
def _get_admin_protocol(self):
|
||||
# Turn admin endpoint protocol to be https only after ansible
|
||||
# bootstrap is completed. This is because https enabled admin
|
||||
# endpoints work only after haproxy is properly configured,
|
||||
# which will happen when puppet manifest apply during
|
||||
# controller unlock. So if https is turned on during bootstrap
|
||||
# (by services' endpoint reconfiguration), the system commands
|
||||
# to add networks etc during ansible bootstrap will fail as
|
||||
# haproxy has not been configured yet.
|
||||
if os.path.isfile(constants.ANSIBLE_BOOTSTRAP_COMPLETED_FLAG) and \
|
||||
(self._distributed_cloud_role() ==
|
||||
constants.DISTRIBUTED_CLOUD_ROLE_SYSTEMCONTROLLER or
|
||||
self._distributed_cloud_role() ==
|
||||
constants.DISTRIBUTED_CLOUD_ROLE_SUBCLOUD):
|
||||
return 'https'
|
||||
return 'http'
|
||||
|
||||
def _format_public_endpoint(self, port, address=None, path=None):
|
||||
protocol = self._get_public_protocol()
|
||||
if address is None:
|
||||
|
@ -128,6 +146,15 @@ class OpenstackBasePuppet(base.BasePuppet):
|
|||
address = self._format_url_address(self._get_management_address())
|
||||
return self._format_keystone_endpoint(protocol, port, address, path)
|
||||
|
||||
def _format_admin_endpoint(self, port, address=None, path=None):
|
||||
protocol = self._get_admin_protocol()
|
||||
s_port = port
|
||||
if address is None:
|
||||
address = self._format_url_address(self._get_management_address())
|
||||
if protocol == 'https':
|
||||
s_port = s_port + 1
|
||||
return self._format_keystone_endpoint(protocol, s_port, address, path)
|
||||
|
||||
def _keystone_auth_address(self):
|
||||
return self._operator.keystone.get_auth_address()
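Review bot: After bootstrap, `_get_admin_protocol` silently returns 'http' for a system controller or subcloud whenever `constants.ANSIBLE_BOOTSTRAP_COMPLETED_FLAG` is absent, so a lost or not-yet-written flag file would downgrade every admin endpoint to plaintext with no trace in the generated hiera data; a warning at that fallback, using whatever logger this module already has, would make the downgrade visible. The role test also calls `self._distributed_cloud_role()` twice; `self._distributed_cloud_role() in (constants.DISTRIBUTED_CLOUD_ROLE_SYSTEMCONTROLLER, constants.DISTRIBUTED_CLOUD_ROLE_SUBCLOUD)` evaluates it once. In the `_format_admin_endpoint` hunk, `s_port = s_port + 1` encodes an undocumented convention that the https admin endpoint listens on the service port plus one; a comment such as `# https admin endpoints are served on SERVICE_PORT + 1 (presumably the TLS-terminating haproxy frontend) — keep in sync with that configuration` would record it next to the code.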
|
||||
|
||||
|
|
|
@ -88,7 +88,7 @@ class PatchingPuppet(openstack.OpenstackBasePuppet):
|
|||
return self._format_private_endpoint(self.SERVICE_PORT)
|
||||
|
||||
def get_admin_url(self):
|
||||
return self._format_private_endpoint(self.SERVICE_PORT)
|
||||
return self._format_admin_endpoint(self.SERVICE_PORT)
|
||||
|
||||
def get_region_name(self):
|
||||
return self._get_service_region_name(self.SERVICE_NAME)
|
||||
|
|
|
@ -73,4 +73,4 @@ class SmPuppet(openstack.OpenstackBasePuppet):
|
|||
return self._format_private_endpoint(self.SERVICE_PORT)
|
||||
|
||||
def get_admin_url(self):
|
||||
return self._format_private_endpoint(self.SERVICE_PORT)
|
||||
return self._format_admin_endpoint(self.SERVICE_PORT)
|
||||
|
|