
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# (c) 2016, Adriano Petrich <apetrich@redhat.com>
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import os

import yaml

from ansible.module_utils.basic import *
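# Module documentation. The descriptions of ``cert_ca_filename`` and
# ``key_filename`` were swapped and ``enable_tls_overcloud`` (which is in the
# argument_spec) was missing; both are aligned with ``main()`` below.
DOCUMENTATION = '''
---
module: tls_tht
version_added: "1.9"
short_description: Generate the tht templates for enabled ssl
description:
  - Generate the tht templates for enabled ssl
options:
  enable_tls_overcloud:
    description:
      - when true, read the cert, key and CA cert PEM files and generate
        enable-tls.yaml (SSLCertificate/SSLKey) in addition to
        inject-trust-anchor.yaml; when false only inject-trust-anchor.yaml
        is generated and the PEM files are not read
    required: false
    default: false
  source_dir:
    description:
      - directory to copy the templates from
    required: false
    default: "/usr/share/openstack-tripleo-heat-templates/"
  dest_dir:
    description:
      - where to copy the files to
    required: false
    default: ""
  cert_filename:
    description:
      - the cert pem filename
    required: false
    default: cert.pem
  cert_ca_filename:
    description:
      - the CA cert pem filename (defaults to the server cert itself, so the
        server certificate is injected as the trust anchor unless a separate
        CA file is given)
    required: false
    default: cert.pem
  key_filename:
    description:
      - the key pem filename
    required: false
    default: key.pem
  tht_release:
    description:
      - the tht release name
    required: false
    default: master
'''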
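# Usage examples. The second one shows the arguments that matter once TLS is
# enabled: the PEM files are only read when ``enable_tls_overcloud`` is true.
EXAMPLES = '''
# Generate only inject-trust-anchor.yaml (TLS on the overcloud stays disabled)
- tls_tht:

# Generate enable-tls.yaml and inject-trust-anchor.yaml for a TLS-enabled overcloud
- tls_tht:
    enable_tls_overcloud: true
    cert_filename: /home/stack/cert.pem
    key_filename: /home/stack/key.pem
    cert_ca_filename: /home/stack/ca.pem
    dest_dir: /home/stack/
'''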
def _open_yaml(filename):
    """Parse the YAML file at *filename* and return the loaded object.

    Uses ``yaml.safe_load`` so only plain YAML types are constructed; the
    template is never allowed to instantiate arbitrary Python objects.

    :param filename: path of the YAML file to read
    :returns: the parsed document (normally a dict for tht templates)
    :raises IOError: if the file cannot be opened
    """
    with open(filename, "r") as handle:
        return yaml.safe_load(handle)
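def create_enable_file(certpem, keypem, source_dir, dest_dir, tht_release):
    """Write ``enable-tls.yaml`` into *dest_dir* carrying the cert and key.

    Loads ``environments/ssl/enable-tls.yaml`` from *source_dir* (preferred
    starting with pike), sets ``parameter_defaults.SSLCertificate`` and
    ``parameter_defaults.SSLKey`` to the PEM strings and dumps the result.

    :param certpem: PEM-encoded server certificate as a string
    :param keypem: PEM-encoded private key as a string
    :param source_dir: root of the tripleo-heat-templates tree
    :param dest_dir: directory the output is written to ("" means cwd)
    :param tht_release: accepted for interface compatibility; not used here
    :raises IOError: if the template cannot be read or the output written
    """
    # os.path.join instead of plain concatenation: a dest_dir/source_dir
    # without a trailing slash used to produce "direnable-tls.yaml".
    template = os.path.join(source_dir, "environments", "ssl", "enable-tls.yaml")
    output_dict = _open_yaml(template)
    params = output_dict.setdefault("parameter_defaults", {})
    params["SSLCertificate"] = certpem
    params["SSLKey"] = keypem

    out_path = os.path.join(dest_dir, "enable-tls.yaml")
    # The output embeds the private key, so do not leave it at the umask
    # default mode: create it 0600 and re-apply the mode right away in case
    # the file already existed with wider permissions. The user running the
    # deploy (owner of the file) can still read it.
    fd = os.open(out_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as stream:
        os.fchmod(fd, 0o600)
        # '|' keeps the multi-line PEM blocks as literal YAML scalars.
        yaml.safe_dump(output_dict, stream, default_style='|')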
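def create_anchor_file(cert_ca_pem, source_dir, dest_dir, enable_tls_overcloud, tht_release):
    """Write ``inject-trust-anchor.yaml`` into *dest_dir* with a ``CAMap``.

    Loads ``environments/ssl/inject-trust-anchor.yaml`` from *source_dir*,
    replaces ``parameter_defaults.CAMap`` and drops the template's
    ``resource_registry`` section. Judging by the template's name the CAs in
    ``CAMap`` become trust anchors on the overcloud nodes, so only
    certificates meant to be trusted cluster-wide belong in it:

    * ``overcloud-ca`` -- *cert_ca_pem*, only when *enable_tls_overcloud*;
    * ``undercloud-ca`` -- the undercloud's local CA read from
      ``/etc/pki/ca-trust/source/anchors/cm-local-ca.pem`` when that file
      can be read (best effort; a missing/unreadable file is skipped).

    :param cert_ca_pem: PEM CA certificate string, or None when TLS is off
    :param source_dir: root of the tripleo-heat-templates tree
    :param dest_dir: directory the output is written to ("" means cwd)
    :param enable_tls_overcloud: whether to add the ``overcloud-ca`` entry
    :param tht_release: accepted for interface compatibility; not used here
    :raises IOError: if the template cannot be read or the output written
    """
    # os.path.join instead of plain concatenation: a dest_dir/source_dir
    # without a trailing slash used to produce a mangled file name.
    template = os.path.join(source_dir, "environments", "ssl",
                            "inject-trust-anchor.yaml")
    output_dict = _open_yaml(template)

    ca_map = {}
    if enable_tls_overcloud:
        ca_map["overcloud-ca"] = {"content": cert_ca_pem}

    # Optionally include the undercloud's local CA certificate.
    undercloud_ca = "/etc/pki/ca-trust/source/anchors/cm-local-ca.pem"
    try:
        with open(undercloud_ca, "r") as undercloud_ca_file:
            ca_map["undercloud-ca"] = {"content": undercloud_ca_file.read()}
    except IOError:
        # Deliberate best effort: no local undercloud CA -> leave it out.
        pass

    output_dict.setdefault("parameter_defaults", {})["CAMap"] = ca_map
    # The template's resource_registry is intentionally not carried over;
    # pop() so a template without one does not raise KeyError.
    output_dict.pop("resource_registry", None)

    with open(os.path.join(dest_dir, "inject-trust-anchor.yaml"), "w") as stream:
        # '|' keeps the multi-line PEM blocks as literal YAML scalars.
        yaml.safe_dump(output_dict, stream, default_style='|')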
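def _read_file(path):
    """Return the whole text content of *path*.

    :raises IOError: if the file cannot be opened
    """
    with open(path, "r") as stream:
        return stream.read()


def main():
    """Ansible entry point: generate the tht TLS environment files.

    Always generates ``inject-trust-anchor.yaml``; when
    ``enable_tls_overcloud`` is true it also reads the cert/key/CA PEM files
    and generates ``enable-tls.yaml``. Unreadable input files or templates
    are reported through ``fail_json`` instead of an unhandled traceback.
    The module always reports ``changed=True`` (it rewrites the files).
    """
    module = AnsibleModule(
        argument_spec=dict(
            enable_tls_overcloud=dict(type="bool", default=False, required=False),
            source_dir=dict(default="/usr/share/openstack-tripleo-heat-templates/",
                            required=False),
            dest_dir=dict(default="", required=False),
            cert_filename=dict(default="cert.pem", required=False),
            # Same default as cert_filename: unless a separate CA file is
            # given, the server certificate itself is injected as the trust
            # anchor (see create_anchor_file).
            cert_ca_filename=dict(default="cert.pem", required=False),
            key_filename=dict(default="key.pem", required=False),
            tht_release=dict(default="master", required=False),
        )
    )
    params = module.params
    try:
        if params["enable_tls_overcloud"]:
            certpem = _read_file(params["cert_filename"])
            keypem = _read_file(params["key_filename"])
            cert_ca_pem = _read_file(params["cert_ca_filename"])
            create_enable_file(certpem, keypem,
                               params["source_dir"],
                               params["dest_dir"],
                               params["tht_release"])
        else:
            # TLS disabled: no PEM files are read and no overcloud CA is
            # added to the trust anchors.
            cert_ca_pem = None
        create_anchor_file(cert_ca_pem,
                           params["source_dir"],
                           params["dest_dir"],
                           params["enable_tls_overcloud"],
                           params["tht_release"])
    except (IOError, OSError) as exc:
        # Surface file problems (missing cert/key, bad template path) as a
        # proper module failure rather than a Python traceback.
        module.fail_json(msg="tls_tht: {}".format(exc))
    module.exit_json(changed=True)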
# Ansible executes the module as a script, so run main() only then.
if __name__ == '__main__':
    main()