From e169d1caea71b63034dbe1a008616df0f7a52639 Mon Sep 17 00:00:00 2001 From: Andy Ning Date: Mon, 6 Apr 2020 10:47:09 -0400 Subject: [PATCH] Generate admin_url to enable https for admin endpoints This commit updated platform services' sysinv puppet plugins to generate proper admin_url hiera data to enable https for these endpoints during controller unlock. This commit also updated controller_config to copy and install dc admin endpoint CA cert and haproxy cert for the second controller. Change-Id: I21345a96f8a0ffb416069ff28dbcfa51b9e12359 Story: 2007347 Task: 39314 Signed-off-by: Andy Ning --- .../scripts/controller_config | 24 +++++++++++++++++ .../sysinv/sysinv/sysinv/common/constants.py | 2 ++ .../sysinv/sysinv/sysinv/puppet/barbican.py | 2 +- .../sysinv/sysinv/sysinv/puppet/dcdbsync.py | 2 +- .../sysinv/sysinv/sysinv/puppet/dcmanager.py | 2 +- sysinv/sysinv/sysinv/sysinv/puppet/dcorch.py | 18 +++++++++++-- sysinv/sysinv/sysinv/sysinv/puppet/fm.py | 2 +- .../sysinv/sysinv/sysinv/puppet/inventory.py | 2 +- .../sysinv/sysinv/sysinv/puppet/keystone.py | 2 +- sysinv/sysinv/sysinv/sysinv/puppet/nfv.py | 2 +- .../sysinv/sysinv/sysinv/puppet/openstack.py | 27 +++++++++++++++++++ .../sysinv/sysinv/sysinv/puppet/patching.py | 2 +- sysinv/sysinv/sysinv/sysinv/puppet/smapi.py | 2 +- 13 files changed, 78 insertions(+), 11 deletions(-) diff --git a/controllerconfig/controllerconfig/scripts/controller_config b/controllerconfig/controllerconfig/scripts/controller_config index 6b06c6f95b..5162b860d9 100755 --- a/controllerconfig/controllerconfig/scripts/controller_config +++ b/controllerconfig/controllerconfig/scripts/controller_config @@ -319,6 +319,30 @@ start() fi fi + if [ -e $CONFIG_DIR/admin-ep-cert.pem ] + then + cp $CONFIG_DIR/admin-ep-cert.pem /etc/ssl/private/ + if [ $? -ne 0 ] + then + fatal_error "Unable to copy $CONFIG_DIR/admin-ep-cert.pem to certificates dir" + fi + fi + + if [ -e $CONFIG_DIR/dc-adminep-root-ca.crt ] + then + cp $CONFIG_DIR/dc-adminep-root-ca.crt /etc/pki/ca-trust/source/anchors/ + if [ $? -ne 0 ] + then + fatal_error "Unable to copy $CONFIG_DIR/dc-adminep-root-ca.crt to certificates dir" + fi + # Update system trusted CA cert list with the new CA cert. + update-ca-trust extract + if [ $? -ne 0 ] + then + fatal_error "Unable to update system trusted CA certificate list" + fi + fi + if [ -e $CONFIG_DIR/openstack ] then if [ ! -e /etc/ssl/private/openstack ] diff --git a/sysinv/sysinv/sysinv/sysinv/common/constants.py b/sysinv/sysinv/sysinv/sysinv/common/constants.py index 06c5617eac..67f4b78aa3 100644 --- a/sysinv/sysinv/sysinv/sysinv/common/constants.py +++ b/sysinv/sysinv/sysinv/sysinv/common/constants.py @@ -1542,6 +1542,8 @@ DEFAULT_DNS_SERVICE_DOMAIN = 'cluster.local' # Ansible bootstrap ANSIBLE_BOOTSTRAP_FLAG = os.path.join(tsc.VOLATILE_PATH, ".ansible_bootstrap") +ANSIBLE_BOOTSTRAP_COMPLETED_FLAG = os.path.join(tsc.CONFIG_PATH, + ".bootstrap_completed") UNLOCK_READY_FLAG = os.path.join(tsc.PLATFORM_CONF_PATH, ".unlock_ready") INVENTORY_WAIT_TIMEOUT_IN_SECS = 90 diff --git a/sysinv/sysinv/sysinv/sysinv/puppet/barbican.py b/sysinv/sysinv/sysinv/sysinv/puppet/barbican.py index b77b235974..0006bc4875 100644 --- a/sysinv/sysinv/sysinv/sysinv/puppet/barbican.py +++ b/sysinv/sysinv/sysinv/sysinv/puppet/barbican.py @@ -89,7 +89,7 @@ class BarbicanPuppet(openstack.OpenstackBasePuppet): return self._format_private_endpoint(self.SERVICE_PORT) def get_admin_url(self): - return self._format_private_endpoint(self.SERVICE_PORT) + return self._format_admin_endpoint(self.SERVICE_PORT) def get_region_name(self): return self._get_service_region_name(self.SERVICE_NAME) diff --git a/sysinv/sysinv/sysinv/sysinv/puppet/dcdbsync.py b/sysinv/sysinv/sysinv/sysinv/puppet/dcdbsync.py index 565cf58725..ed2b52e62f 100644 --- a/sysinv/sysinv/sysinv/sysinv/puppet/dcdbsync.py +++ b/sysinv/sysinv/sysinv/sysinv/puppet/dcdbsync.py @@ -132,7 +132,7 @@ class DCDBsyncPuppet(openstack.OpenstackBasePuppet): path=self.SERVICE_PATH) def get_admin_url(self): - return self._format_private_endpoint(self.SERVICE_PORT, + return self._format_admin_endpoint(self.SERVICE_PORT, path=self.SERVICE_PATH) def get_region_name(self): diff --git a/sysinv/sysinv/sysinv/sysinv/puppet/dcmanager.py b/sysinv/sysinv/sysinv/sysinv/puppet/dcmanager.py index 5f9b7e3b8d..ff7633edb2 100644 --- a/sysinv/sysinv/sysinv/sysinv/puppet/dcmanager.py +++ b/sysinv/sysinv/sysinv/sysinv/puppet/dcmanager.py @@ -111,7 +111,7 @@ class DCManagerPuppet(openstack.OpenstackBasePuppet): path=self.SERVICE_PATH) def get_admin_url(self): - return self._format_private_endpoint(self.SERVICE_PORT, + return self._format_admin_endpoint(self.SERVICE_PORT, path=self.SERVICE_PATH) def get_region_name(self): diff --git a/sysinv/sysinv/sysinv/sysinv/puppet/dcorch.py b/sysinv/sysinv/sysinv/sysinv/puppet/dcorch.py index a4ca5cee4a..4eb8ba2459 100644 --- a/sysinv/sysinv/sysinv/sysinv/puppet/dcorch.py +++ b/sysinv/sysinv/sysinv/sysinv/puppet/dcorch.py @@ -110,8 +110,19 @@ class DCOrchPuppet(openstack.OpenstackBasePuppet): self.get_proxy_public_url(self.PATCHING_SERVICE_PORT, self.PATCHING_SERVICE_PATH), 'dcorch::keystone::auth::identity_proxy_public_url': - self.get_proxy_internal_url(self.IDENTITY_SERVICE_PORT, - self.IDENTITY_SERVICE_PATH), + self.get_proxy_public_url(self.IDENTITY_SERVICE_PORT, + self.IDENTITY_SERVICE_PATH), + + 'dcorch::keystone::auth::sysinv_proxy_admin_url': + self.get_proxy_admin_url(self.PLATFORM_SERVICE_PORT, + self.PLATFORM_SERVICE_PATH), + 'dcorch::keystone::auth::identity_proxy_admin_url': + self.get_proxy_admin_url(self.IDENTITY_SERVICE_PORT, + self.IDENTITY_SERVICE_PATH), + 'dcorch::keystone::auth::patching_proxy_admin_url': + self.get_proxy_admin_url(self.PATCHING_SERVICE_PORT, + self.PATCHING_SERVICE_PATH), + 'dcorch::keystone::auth::region': self.get_region_name(), 'dcorch::keystone::auth::auth_name': ksuser, 'dcorch::keystone::auth::service_name': self.SERVICE_NAME, @@ -198,5 +209,8 @@ class DCOrchPuppet(openstack.OpenstackBasePuppet): def get_proxy_public_url(self, port, service_path): return self._format_public_endpoint(port, path=service_path) + def get_proxy_admin_url(self, port, service_path): + return self._format_admin_endpoint(port, path=service_path) + def get_region_name(self): return self._get_service_region_name(self.SERVICE_NAME) diff --git a/sysinv/sysinv/sysinv/sysinv/puppet/fm.py b/sysinv/sysinv/sysinv/sysinv/puppet/fm.py index 3cb0fda9dc..3d4a893e29 100644 --- a/sysinv/sysinv/sysinv/sysinv/puppet/fm.py +++ b/sysinv/sysinv/sysinv/sysinv/puppet/fm.py @@ -105,7 +105,7 @@ class FmPuppet(openstack.OpenstackBasePuppet): return self._format_private_endpoint(self.SERVICE_PORT) def get_admin_url(self): - return self._format_private_endpoint(self.SERVICE_PORT) + return self._format_admin_endpoint(self.SERVICE_PORT) def get_region_name(self): return self._get_service_region_name(self.SERVICE_NAME) diff --git a/sysinv/sysinv/sysinv/sysinv/puppet/inventory.py b/sysinv/sysinv/sysinv/sysinv/puppet/inventory.py index 48710e4a6f..f74340d220 100644 --- a/sysinv/sysinv/sysinv/sysinv/puppet/inventory.py +++ b/sysinv/sysinv/sysinv/sysinv/puppet/inventory.py @@ -111,7 +111,7 @@ class SystemInventoryPuppet(openstack.OpenstackBasePuppet): path=self.SERVICE_PATH) def get_admin_url(self): - return self._format_private_endpoint(self.SERVICE_PORT, + return self._format_admin_endpoint(self.SERVICE_PORT, path=self.SERVICE_PATH) def get_region_name(self): diff --git a/sysinv/sysinv/sysinv/sysinv/puppet/keystone.py b/sysinv/sysinv/sysinv/sysinv/puppet/keystone.py index c45fb1b2f8..0305b6c0b1 100644 --- a/sysinv/sysinv/sysinv/sysinv/puppet/keystone.py +++ b/sysinv/sysinv/sysinv/sysinv/puppet/keystone.py @@ -242,7 +242,7 @@ class KeystonePuppet(openstack.OpenstackBasePuppet): self.SERVICE_TYPE in self._get_shared_services()): return self._get_admin_url_from_service_config(self.SERVICE_NAME) else: - return self._format_private_endpoint(self.SERVICE_PORT) + return self._format_admin_endpoint(self.SERVICE_PORT) def get_auth_address(self): if self._region_config(): diff --git a/sysinv/sysinv/sysinv/sysinv/puppet/nfv.py b/sysinv/sysinv/sysinv/sysinv/puppet/nfv.py index 590af412ba..2df20d78f5 100644 --- a/sysinv/sysinv/sysinv/sysinv/puppet/nfv.py +++ b/sysinv/sysinv/sysinv/sysinv/puppet/nfv.py @@ -271,4 +271,4 @@ class NfvPuppet(openstack.OpenstackBasePuppet): return self._format_private_endpoint(self.SERVICE_PORT) def get_admin_url(self): - return self._format_private_endpoint(self.SERVICE_PORT) + return self._format_admin_endpoint(self.SERVICE_PORT) diff --git a/sysinv/sysinv/sysinv/sysinv/puppet/openstack.py b/sysinv/sysinv/sysinv/sysinv/puppet/openstack.py index 17d82615d0..7ceaa1863b 100644 --- a/sysinv/sysinv/sysinv/sysinv/puppet/openstack.py +++ b/sysinv/sysinv/sysinv/sysinv/puppet/openstack.py @@ -6,6 +6,7 @@ import abc import keyring +import os from sysinv.common import constants @@ -116,6 +117,23 @@ class OpenstackBasePuppet(base.BasePuppet): def _get_private_protocol(self): return 'http' + def _get_admin_protocol(self): + # Turn admin endpoint protocol to be https only after ansible + # bootstrap is completed. This is because https enabled admin + # endpoints work only after haproxy is properly configured, + # which will happen when puppet manifest apply during + # controller unlock. So if https is turned on during bootstrap + # (by services' endpoint reconfiguration), the system commands + # to add networks etc during ansible bootstrap will fail as + # haproxy has not been configured yet. + if os.path.isfile(constants.ANSIBLE_BOOTSTRAP_COMPLETED_FLAG) and \ + (self._distributed_cloud_role() == + constants.DISTRIBUTED_CLOUD_ROLE_SYSTEMCONTROLLER or + self._distributed_cloud_role() == + constants.DISTRIBUTED_CLOUD_ROLE_SUBCLOUD): + return 'https' + return 'http' + def _format_public_endpoint(self, port, address=None, path=None): protocol = self._get_public_protocol() if address is None: @@ -128,6 +146,15 @@ class OpenstackBasePuppet(base.BasePuppet): address = self._format_url_address(self._get_management_address()) return self._format_keystone_endpoint(protocol, port, address, path) + def _format_admin_endpoint(self, port, address=None, path=None): + protocol = self._get_admin_protocol() + s_port = port + if address is None: + address = self._format_url_address(self._get_management_address()) + if protocol == 'https': + s_port = s_port + 1 + return self._format_keystone_endpoint(protocol, s_port, address, path) + def _keystone_auth_address(self): return self._operator.keystone.get_auth_address() diff --git a/sysinv/sysinv/sysinv/sysinv/puppet/patching.py b/sysinv/sysinv/sysinv/sysinv/puppet/patching.py index ce10512fa3..2a1ef799c0 100644 --- a/sysinv/sysinv/sysinv/sysinv/puppet/patching.py +++ b/sysinv/sysinv/sysinv/sysinv/puppet/patching.py @@ -88,7 +88,7 @@ class PatchingPuppet(openstack.OpenstackBasePuppet): return self._format_private_endpoint(self.SERVICE_PORT) def get_admin_url(self): - return self._format_private_endpoint(self.SERVICE_PORT) + return self._format_admin_endpoint(self.SERVICE_PORT) def get_region_name(self): return self._get_service_region_name(self.SERVICE_NAME) diff --git a/sysinv/sysinv/sysinv/sysinv/puppet/smapi.py b/sysinv/sysinv/sysinv/sysinv/puppet/smapi.py index 06a61fb351..160d54f0f6 100644 --- a/sysinv/sysinv/sysinv/sysinv/puppet/smapi.py +++ b/sysinv/sysinv/sysinv/sysinv/puppet/smapi.py @@ -73,4 +73,4 @@ class SmPuppet(openstack.OpenstackBasePuppet): return self._format_private_endpoint(self.SERVICE_PORT) def get_admin_url(self): - return self._format_private_endpoint(self.SERVICE_PORT) + return self._format_admin_endpoint(self.SERVICE_PORT)