Merge "Validate vips when generating certificate too"

2017-01-24 15:47:27 +00:00 · 2017-01-24 15:47:27 +00:00 · b53d8dd32d
parent 564c438619 9c6424df5d
commit b53d8dd32d
8 changed files with 70 additions and 37 deletions
--- a/elements/puppet-stack-config/puppet-stack-config.pp
+++ b/elements/puppet-stack-config/puppet-stack-config.pp
@ -264,7 +264,7 @@ class { '::ironic::inspector::db::mysql':
 include ::swift

 if hiera('tripleo::haproxy::service_certificate', undef) {
-  $keystone_public_endpoint = join(['https://', hiera('controller_public_vip'), ':13000'])
+  $keystone_public_endpoint = join(['https://', hiera('controller_public_host'), ':13000'])
  $enable_proxy_headers_parsing = true
 } else {
  $keystone_public_endpoint = undef
@ -510,7 +510,7 @@ if str2bool(hiera('enable_docker_registry', true)) {
    line   => join ([
      'INSECURE_REGISTRY="',
      '--insecure-registry ', hiera('controller_host'), ':8787 ',
-      '--insecure-registry ', hiera('controller_admin_vip'), ':8787"']),
+      '--insecure-registry ', hiera('controller_admin_host'), ':8787"']),
    match  => 'INSECURE_REGISTRY=',
    notify => Service['docker'],
  }
--- a/elements/puppet-stack-config/puppet-stack-config.yaml.template
+++ b/elements/puppet-stack-config/puppet-stack-config.yaml.template
@ -5,8 +5,8 @@ keystone_region: 'regionOne'

 debug: {{UNDERCLOUD_DEBUG}}
 controller_host: {{LOCAL_IP}} #local-ipv4
-controller_admin_vip: {{UNDERCLOUD_ADMIN_VIP}}
-controller_public_vip: {{UNDERCLOUD_PUBLIC_VIP}}
+controller_admin_host: {{UNDERCLOUD_ADMIN_HOST}}
+controller_public_host: {{UNDERCLOUD_PUBLIC_HOST}}
 ntp::servers:
  -

@ -24,7 +24,7 @@ tripleo::profile::base::haproxy::certificates_specs:
    service_pem: {{UNDERCLOUD_SERVICE_CERTIFICATE}}
    service_certificate: '/etc/pki/tls/certs/undercloud-front.crt'
    service_key: '/etc/pki/tls/private/undercloud-front.key'
-    hostname: "%{hiera('controller_public_vip')}"
+    hostname: "%{hiera('controller_public_host')}"
    postsave_cmd: "/usr/bin/instack-haproxy-cert-update '/etc/pki/tls/certs/undercloud-front.crt' '/etc/pki/tls/private/undercloud-front.key' {{UNDERCLOUD_SERVICE_CERTIFICATE}}"
    principal: {{SERVICE_PRINCIPAL}}

@ -635,9 +635,9 @@ cinder::wsgi::apache::workers: "%{::os_workers}"
 # HAproxy
 tripleo::profile::base::haproxy::step: 1
 tripleo::haproxy::haproxy_stats_password: {{UNDERCLOUD_HAPROXY_STATS_PASSWORD}}
-tripleo::haproxy::controller_virtual_ip: "%{hiera('controller_admin_vip')}"
+tripleo::haproxy::controller_virtual_ip: "%{hiera('controller_admin_host')}"
 tripleo::haproxy::controller_hosts: "%{hiera('controller_host')}"
-tripleo::haproxy::public_virtual_ip: "%{hiera('controller_public_vip')}"
+tripleo::haproxy::public_virtual_ip: "%{hiera('controller_public_host')}"
 tripleo::haproxy::public_virtual_interface: 'br-ctlplane'
 tripleo::haproxy::keystone_admin: true
 tripleo::haproxy::keystone_public: true
@ -662,9 +662,9 @@ tripleo::haproxy::zaqar_ws: true
 tripleo::haproxy::docker_registry: true

 # Keepalived
-tripleo::keepalived::controller_virtual_ip: "%{hiera('controller_admin_vip')}"
+tripleo::keepalived::controller_virtual_ip: "%{hiera('controller_admin_host')}"
 tripleo::keepalived::control_virtual_interface: 'br-ctlplane'
-tripleo::keepalived::public_virtual_ip: "%{hiera('controller_public_vip')}"
+tripleo::keepalived::public_virtual_ip: "%{hiera('controller_public_host')}"
 tripleo::keepalived::public_virtual_interface: 'br-ctlplane'

 # UI
--- a/elements/undercloud-install/os-apply-config/root/stackrc
+++ b/elements/undercloud-install/os-apply-config/root/stackrc
@ -3,7 +3,7 @@ export NOVA_VERSION
 OS_PASSWORD=$(sudo hiera admin_password)
 export OS_PASSWORD
 {{#service_certificate}}
-OS_AUTH_URL=https://{{public_vip}}:13000/v2.0
+OS_AUTH_URL=https://{{public_host}}:13000/v2.0
 PYTHONWARNINGS="ignore:Certificate has no, ignore:A true SSLContext object is not available"
 export OS_AUTH_URL
 export PYTHONWARNINGS
--- a/instack_undercloud/tests/test_validator.py
+++ b/instack_undercloud/tests/test_validator.py
@ -129,5 +129,26 @@ class TestValidator(base.BaseTestCase):

    def test_invalid_undercloud_nameserver_fails(self):
        self.conf.config(undercloud_nameservers=['Iamthewalrus'])
+
+    def test_fail_on_invalid_public_host(self):
+        self.conf.config(undercloud_public_host='192.0.3.2',
+                         undercloud_service_certificate='foo.pem')
+        self.assertRaises(validator.FailedValidation,
+                          undercloud._validate_network)
+
+    def test_fail_on_invalid_admin_host(self):
+        self.conf.config(undercloud_admin_host='192.0.3.3',
+                         generate_service_certificate=True)
+        self.assertRaises(validator.FailedValidation,
+                          undercloud._validate_network)
+
+    def test_ssl_hosts_allowed(self):
+        self.conf.config(undercloud_public_host='public.domain',
+                         undercloud_admin_host='admin.domain',
+                         undercloud_service_certificate='foo.pem')
+        undercloud._validate_network()
+
+    def test_fail_on_invalid_ip(self):
+        self.conf.config(dhcp_start='foo.bar')
        self.assertRaises(validator.FailedValidation,
                          undercloud._validate_network)
--- a/instack_undercloud/undercloud.py
+++ b/instack_undercloud/undercloud.py
@ -136,15 +136,17 @@ _opts = [
                     'Overcloud instances. This should match the local_ip '
                     'above when using masquerading.')
               ),
-    cfg.StrOpt('undercloud_public_vip',
+    cfg.StrOpt('undercloud_public_host',
+               deprecated_name='undercloud_public_vip',
               default='192.168.24.2',
-               help=('Virtual IP address to use for the public endpoints of '
-                     'Undercloud services. Only used with SSL.')
+               help=('Virtual IP or DNS address to use for the public '
+                     'endpoints of Undercloud services. Only used with SSL.')
               ),
-    cfg.StrOpt('undercloud_admin_vip',
+    cfg.StrOpt('undercloud_admin_host',
+               deprecated_name='undercloud_admin_vip',
               default='192.168.24.3',
-               help=('Virtual IP address to use for the admin endpoints of '
-                     'Undercloud services. Only used with SSL.')
+               help=('Virtual IP or DNS address to use for the admin '
+                     'endpoints of Undercloud services. Only used with SSL.')
               ),
    cfg.ListOpt('undercloud_nameservers',
                default=[],
@ -163,7 +165,7 @@ _opts = [
                      'will be used in place of the value for '
                      'undercloud_service_certificate.  The resulting '
                      'certificate will be written to '
-                      '/etc/pki/tls/certs/undercloud-[undercloud_public_vip].'
+                      '/etc/pki/tls/certs/undercloud-[undercloud_public_host].'
                      'pem.  This certificate is signed by CA selected by the '
                      '"certificate_generation_ca" option.')
                ),
@ -684,8 +686,8 @@ def _generate_endpoints(instack_env):

    if (CONF.undercloud_service_certificate or
            CONF.generate_service_certificate):
-        public_host = CONF.undercloud_public_vip
-        internal_host = CONF.undercloud_admin_vip
+        public_host = CONF.undercloud_public_host
+        internal_host = CONF.undercloud_admin_host
        public_proto = 'https'
        zaqar_ws_public_proto = 'wss'

@ -945,9 +947,9 @@ def _generate_environment(instack_root):
    _write_password_file(instack_env)

    if CONF.generate_service_certificate:
-        public_vip = CONF.undercloud_public_vip
+        public_host = CONF.undercloud_public_host
        instack_env['UNDERCLOUD_SERVICE_CERTIFICATE'] = (
-            '/etc/pki/tls/certs/undercloud-%s.pem' % public_vip)
+            '/etc/pki/tls/certs/undercloud-%s.pem' % public_host)

    _member_role_exists(instack_env)

--- a/instack_undercloud/validator.py
+++ b/instack_undercloud/validator.py
@ -73,11 +73,16 @@ def _validate_value_formats(params, error_callback):
 def _validate_in_cidr(params, error_callback):
    cidr = netaddr.IPNetwork(params['network_cidr'])

-    def validate_addr_in_cidr(params, name, pretty_name=None):
-        if netaddr.IPAddress(params[name]) not in cidr:
-            message = ('%s "%s" not in defined CIDR "%s"' %
-                       (pretty_name or name, params[name], cidr))
-            error_callback(message)
+    def validate_addr_in_cidr(params, name, pretty_name=None, require_ip=True):
+        try:
+            if netaddr.IPAddress(params[name]) not in cidr:
+                message = ('%s "%s" not in defined CIDR "%s"' %
+                           (pretty_name or name, params[name], cidr))
+                error_callback(message)
+        except netaddr.core.AddrFormatError:
+            if require_ip:
+                message = 'Invalid IP address: %s' % params[name]
+                error_callback(message)

    params['just_local_ip'] = params['local_ip'].split('/')[0]
    # undercloud.conf uses inspection_iprange, the configuration wizard
@ -88,9 +93,12 @@ def _validate_in_cidr(params, error_callback):
        params['inspection_end'] = inspection_iprange[1]
    validate_addr_in_cidr(params, 'just_local_ip', 'local_ip')
    validate_addr_in_cidr(params, 'network_gateway')
-    if params['undercloud_service_certificate']:
-        validate_addr_in_cidr(params, 'undercloud_public_vip')
-        validate_addr_in_cidr(params, 'undercloud_admin_vip')
+    if (params['undercloud_service_certificate'] or
+            params['generate_service_certificate']):
+        validate_addr_in_cidr(params, 'undercloud_public_host',
+                              require_ip=False)
+        validate_addr_in_cidr(params, 'undercloud_admin_host',
+                              require_ip=False)
    validate_addr_in_cidr(params, 'dhcp_start')
    validate_addr_in_cidr(params, 'dhcp_end')
    validate_addr_in_cidr(params, 'inspection_start', 'Inspection range start')
--- a/templates/config.json.template
+++ b/templates/config.json.template
@ -11,7 +11,7 @@
  "local-ip": "{{LOCAL_IP}}",
  "masquerade_networks": ["{{MASQUERADE_NETWORK}}"],
  "service_certificate": "{{UNDERCLOUD_SERVICE_CERTIFICATE}}",
-  "public_vip": "{{UNDERCLOUD_PUBLIC_VIP}}",
+  "public_host": "{{UNDERCLOUD_PUBLIC_HOST}}",
  "neutron": {
    "dhcp_start": "{{DHCP_START}}",
    "dhcp_end": "{{DHCP_END}}",
--- a/undercloud.conf.sample
+++ b/undercloud.conf.sample
@ -28,13 +28,15 @@
 # masquerading. (string value)
 #network_gateway = 192.168.24.1

-# Virtual IP address to use for the public endpoints of Undercloud
-# services. Only used with SSL. (string value)
-#undercloud_public_vip = 192.168.24.2
+# Virtual IP or DNS address to use for the public endpoints of
+# Undercloud services. Only used with SSL. (string value)
+# Deprecated group/name - [DEFAULT]/undercloud_public_vip
+#undercloud_public_host = 192.168.24.2

-# Virtual IP address to use for the admin endpoints of Undercloud
-# services. Only used with SSL. (string value)
-#undercloud_admin_vip = 192.168.24.3
+# Virtual IP or DNS address to use for the admin endpoints of
+# Undercloud services. Only used with SSL. (string value)
+# Deprecated group/name - [DEFAULT]/undercloud_admin_vip
+#undercloud_admin_host = 192.168.24.3

 # DNS nameserver(s) to use for the undercloud node. (list value)
 #undercloud_nameservers =
@ -48,7 +50,7 @@
 # the undercloud install and this certificate will be used in place of
 # the value for undercloud_service_certificate.  The resulting
 # certificate will be written to
-# /etc/pki/tls/certs/undercloud-[undercloud_public_vip].pem.  This
+# /etc/pki/tls/certs/undercloud-[undercloud_public_host].pem.  This
 # certificate is signed by CA selected by the
 # "certificate_generation_ca" option. (boolean value)
 #generate_service_certificate = false