Add support of ssl for OpenContrail API
Change-Id: Ia7a15d32011200060fb80717aea1d5feeaa01516
Related-PROD: PROD-29907
diff --git a/_modules/contrail.py b/_modules/contrail.py
index 34b8db7..2541ad9 100644
--- a/_modules/contrail.py
+++ b/_modules/contrail.py
@@ -70,7 +70,7 @@
api_host = kwargs.get('api_server_ip')
api_port = kwargs.get('api_server_port')
api_base_url = kwargs.get('api_base_url')
- use_ssl = False
+ use_ssl = kwargs.get('api_server_use_ssl')
auth_host = kwargs.get('auth_host_ip')
vnc_lib = vnc_api.VncApi(user, password, tenant_name,
api_host, api_port, api_base_url, wait_for_connect=False,
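Review bot: `kwargs.get('api_server_use_ssl')` returns None when a caller omits the key, where the old code always passed a real boolean, and any non-boolean pillar value (for example a quoted 'False') reaches the client unchanged. Keeping the explicit default, `use_ssl = kwargs.get('api_server_use_ssl', False)`, and rejecting non-boolean values would make a misconfiguration visible instead of silently choosing a transport. Only the flag is read here; nothing in the visible lines forwards a CA bundle, so server verification presumably depends on the rendered vnc_api_lib.ini. That should be stated in a comment next to this line. The VncApi call continues past the end of the hunk, so how `use_ssl` is passed on cannot be checked from here.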
@@ -183,7 +183,7 @@
if router_type not in router_types:
router_type = None
if name in vrouter_objs:
- vrouter = virtual_router_get(name)
+ vrouter = virtual_router_get(name, **kwargs)
vrouter_obj = vnc_client._object_read('virtual-router', id=vrouter[name]['uuid'])
changes = {}
if vrouter_obj.get_virtual_router_ip_address() != ip_address:
diff --git a/_modules/contrail_health.py b/_modules/contrail_health.py
index 23ae2e9..45bdd33 100644
--- a/_modules/contrail_health.py
+++ b/_modules/contrail_health.py
@@ -103,12 +103,19 @@
def get_api_status(wait_for=180, tries=20):
- api_host = __pillar__['opencontrail'].get('client', {}).get('api', {}).get('host', {})
+ api_host = __pillar__['opencontrail'].get('client', {}).get('api', {}).\
+ get('host', {})
api_port = __pillar__['opencontrail']['client']['api']['port']
+ use_ssl = __pillar__['opencontrail'].get('client', {}).get('api', {}).\
+ get('use_ssl', {})
+ api_protocol = 'https' if use_ssl is True else 'http'
for t in range(0, tries):
try:
- data = salt.utils.http.query("http://{0}:{1}".format(api_host, api_port), backend='requests', status=True)
+ data = salt.utils.http.query(
+ "{0}://{1}:{2}".format(api_protocol, api_host, api_port),
+ backend='requests', status=True
+ )
if data['status'] == 200:
return True
except Exception as e:
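Review bot: The HTTPS branch of `get_api_status` calls `salt.utils.http.query` without the CA configured in pillar, so with a private CA the request will likely fail verification and fall into the broad `except Exception` on every try. Pass the configured bundle explicitly, e.g. `ca_bundle=__pillar__['opencontrail']['client']['api'].get('cafile')`, rather than relying on the system store or relaxing verification. Separately, `use_ssl` defaults to `{}` and is compared with `is True`, so any value that is not exactly the boolean True (a quoted string, 1) silently downgrades the check to plain http. A `.get('use_ssl', False)` default plus a logged warning for non-boolean values would make that visible. The templates later in this change use the same exact comparison (`use_ssl == True`). The function body continues past the end of the hunk.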
diff --git a/metadata/service/client/cluster.yml b/metadata/service/client/cluster.yml
index 91043a9..bf650bd 100644
--- a/metadata/service/client/cluster.yml
+++ b/metadata/service/client/cluster.yml
@@ -9,6 +9,7 @@
openstack_control_address: 127.0.0.1
opencontrail_admin_password: 'none'
opencontrail_admin_user: 'contrail'
+ opencontrail_api_ssl_enabled: False
opencontrail:
client:
enabled: True
@@ -26,3 +27,7 @@
engine: contrail
host: ${_param:opencontrail_control_address}
port: 8082
+ use_ssl: ${_param:opencontrail_api_ssl_enabled}
+ certfile: ${_param:opencontrail_api_certfile}
+ keyfile: ${_param:opencontrail_api_keyfile}
+ cafile: ${_param:opencontrail_api_cafile}
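Review bot: This hunk references `${_param:opencontrail_api_certfile}`, `${_param:opencontrail_api_keyfile}` and `${_param:opencontrail_api_cafile}`, but the only `_param` default added alongside is `opencontrail_api_ssl_enabled: False`. If those three parameters are not defined elsewhere in the model, interpolation will presumably fail even for deployments that leave SSL disabled. Either add defaults next to `opencontrail_api_ssl_enabled`, or document that the three paths are mandatory. The same references are added in metadata/service/client/single.yml, metadata/service/control/cluster.yml and metadata/service/control/control.yml. Since `keyfile` points at a private key, a comment stating the expected owner and mode of that file would also help operators.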
diff --git a/metadata/service/client/single.yml b/metadata/service/client/single.yml
index 2e14591..c1dfd35 100644
--- a/metadata/service/client/single.yml
+++ b/metadata/service/client/single.yml
@@ -8,6 +8,7 @@
opencontrail_identity_version: '2.0'
opencontrail_admin_password: 'none'
opencontrail_admin_user: 'contrail'
+ opencontrail_api_ssl_enabled: False
opencontrail:
client:
enabled: True
@@ -25,3 +26,7 @@
engine: contrail
host: ${_param:cluster_local_address}
port: 8082
+ use_ssl: ${_param:opencontrail_api_ssl_enabled}
+ certfile: ${_param:opencontrail_api_certfile}
+ keyfile: ${_param:opencontrail_api_keyfile}
+ cafile: ${_param:opencontrail_api_cafile}
diff --git a/metadata/service/control/cluster.yml b/metadata/service/control/cluster.yml
index 48d048c..5b7ff7d 100644
--- a/metadata/service/control/cluster.yml
+++ b/metadata/service/control/cluster.yml
@@ -56,6 +56,11 @@
password: '${_param:opencontrail_admin_password}'
token: '${_param:keystone_service_token}'
tenant: admin
+ api:
+ use_ssl: ${_param:opencontrail_api_ssl_enabled}
+ certfile: ${_param:opencontrail_api_certfile}
+ keyfile: ${_param:opencontrail_api_keyfile}
+ cafile: ${_param:opencontrail_api_cafile}
members:
- host: ${_param:cluster_node01_address}
id: 1
@@ -189,6 +194,8 @@
password: '${_param:opencontrail_admin_password}'
token: '${_param:keystone_service_token}'
tenant: admin
+ api:
+ use_ssl: ${_param:opencontrail_api_ssl_enabled}
network:
engine: neutron
host: ${_param:cluster_vip_address}
diff --git a/metadata/service/control/control.yml b/metadata/service/control/control.yml
index 7ea5014..4c152b5 100644
--- a/metadata/service/control/control.yml
+++ b/metadata/service/control/control.yml
@@ -56,6 +56,11 @@
password: '${_param:opencontrail_admin_password}'
token: '${_param:keystone_service_token}'
tenant: admin
+ api:
+ use_ssl: ${_param:opencontrail_api_ssl_enabled}
+ certfile: ${_param:opencontrail_api_certfile}
+ keyfile: ${_param:opencontrail_api_keyfile}
+ cafile: ${_param:opencontrail_api_cafile}
members:
- host: ${_param:cluster_node01_address}
id: 1
@@ -150,6 +155,8 @@
password: '${_param:opencontrail_admin_password}'
token: '${_param:keystone_service_token}'
tenant: admin
+ api:
+ use_ssl: ${_param:opencontrail_api_ssl_enabled}
network:
engine: neutron
host: ${_param:cluster_vip_address}
diff --git a/opencontrail/client.sls b/opencontrail/client.sls
index a74d607..4169ef8 100644
--- a/opencontrail/client.sls
+++ b/opencontrail/client.sls
@@ -48,6 +48,7 @@
- password: {{ client.identity.password }}
- project: {{ client.identity.tenant }}
- auth_host_ip: {{ client.identity.host }}
+ - api_server_use_ssl: {{ client.api.use_ssl }}
- api_server_ip: {{ client.api.host }}
- api_server_port: {{ client.api.port }}
- api_base_url: '/'
@@ -79,6 +80,7 @@
- password: {{ client.identity.password }}
- project: {{ client.identity.tenant }}
- auth_host_ip: {{ client.identity.host }}
+ - api_server_use_ssl: {{ client.api.use_ssl }}
- api_server_ip: {{ client.api.host }}
- api_server_port: {{ client.api.port }}
- api_base_url: '/'
@@ -99,6 +101,7 @@
- password: {{ client.identity.password }}
- project: {{ client.identity.tenant }}
- auth_host_ip: {{ client.identity.host }}
+ - api_server_use_ssl: {{ client.api.use_ssl }}
- api_server_ip: {{ client.api.host }}
- api_server_port: {{ client.api.port }}
- api_base_url: '/'
@@ -115,6 +118,7 @@
- password: {{ client.identity.password }}
- project: {{ client.identity.tenant }}
- auth_host_ip: {{ client.identity.host }}
+ - api_server_use_ssl: {{ client.api.use_ssl }}
- api_server_ip: {{ client.api.host }}
- api_server_port: {{ client.api.port }}
- api_base_url: '/'
@@ -131,6 +135,7 @@
- password: {{ client.identity.password }}
- project: {{ client.identity.tenant }}
- auth_host_ip: {{ client.identity.host }}
+ - api_server_use_ssl: {{ client.api.use_ssl }}
- api_server_ip: {{ client.api.host }}
- api_server_port: {{ client.api.port }}
- api_base_url: '/'
@@ -150,6 +155,7 @@
- password: {{ client.identity.password }}
- project: {{ client.identity.tenant }}
- auth_host_ip: {{ client.identity.host }}
+ - api_server_use_ssl: {{ client.api.use_ssl }}
- api_server_ip: {{ client.api.host }}
- api_server_port: {{ client.api.port }}
- api_base_url: '/'
@@ -173,6 +179,7 @@
- password: {{ client.identity.password }}
- project: {{ client.identity.tenant }}
- auth_host_ip: {{ client.identity.host }}
+ - api_server_use_ssl: {{ client.api.use_ssl }}
- api_server_ip: {{ client.api.host }}
- api_server_port: {{ client.api.port }}
- api_base_url: '/'
@@ -202,6 +209,7 @@
- password: {{ client.identity.password }}
- project: {{ client.identity.tenant }}
- auth_host_ip: {{ client.identity.host }}
+ - api_server_use_ssl: {{ client.api.use_ssl }}
- api_server_ip: {{ client.api.host }}
- api_server_port: {{ client.api.port }}
- api_base_url: '/'
@@ -224,6 +232,7 @@
- password: {{ client.identity.password }}
- project: {{ client.identity.tenant }}
- auth_host_ip: {{ client.identity.host }}
+ - api_server_use_ssl: {{ client.api.use_ssl }}
- api_server_ip: {{ client.api.host }}
- api_server_port: {{ client.api.port }}
- api_base_url: '/'
diff --git a/opencontrail/files/4.0/client_vnc_api_lib.ini b/opencontrail/files/4.0/client_vnc_api_lib.ini
index eeef174..c511b38 100644
--- a/opencontrail/files/4.0/client_vnc_api_lib.ini
+++ b/opencontrail/files/4.0/client_vnc_api_lib.ini
@@ -8,6 +8,11 @@
WEB_PORT = {{ client.api.port }}
BASE_URL = /
;BASE_URL = /tenants/infra ; common-prefix for all URLs
+{%- if client.api.use_ssl == True %}
+certfile = {{ client.api.certfile }}
+keyfile = {{ client.api.keyfile }}
+cafile = {{ client.api.cafile }}
+{%- endif %}
; Authentication settings (optional)
{%- if client.identity.engine == "keystone" %}
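Review bot: When `client.api.use_ssl` is true, the three lines `certfile`, `keyfile` and `cafile` are rendered unconditionally, so a pillar that enables SSL without setting one of the paths produces an empty value instead of an error. An empty `cafile` in particular may leave the client without a trust anchor for the API server certificate; how vnc_api treats that is not visible here. Guard each line, e.g. `{%- if client.api.cafile is defined %}`, or fail the render when `use_ssl` is set and `cafile` is missing. The identical block added to opencontrail/files/4.0/vnc_api_lib.ini (using `config.api.*`) has the same gap.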
diff --git a/opencontrail/files/4.0/config.global.js b/opencontrail/files/4.0/config.global.js
index ade860a..d17ee3e 100644
--- a/opencontrail/files/4.0/config.global.js
+++ b/opencontrail/files/4.0/config.global.js
@@ -180,7 +180,11 @@
config.cnfg = {};
config.cnfg.server_ip = '{{ web.master.host }}';
config.cnfg.server_port = '8082';
+{%- if web.api.use_ssl == True %}
+config.cnfg.authProtocol = 'https';
+{%- else %}
config.cnfg.authProtocol = 'http';
+{%- endif %}
config.cnfg.strictSSL = false;
config.cnfg.ca = '';
config.cnfg.statusURL = "/global-system-configs";
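Review bot: With `authProtocol` switched to 'https', the unchanged context lines `config.cnfg.strictSSL = false;` and `config.cnfg.ca = '';` still apply, so the web UI would talk TLS to the API server without validating its certificate. That gives encryption but no server authentication. Render those two settings inside the same conditional, e.g. `config.cnfg.strictSSL = true;` and `config.cnfg.ca = '{{ web.api.cafile }}';`. The metadata hunks in this change appear to add only `use_ssl` under the second `api:` key, so if that is the web pillar, `cafile` would have to be added there as well.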
diff --git a/opencontrail/files/4.0/contrail-device-manager.conf b/opencontrail/files/4.0/contrail-device-manager.conf
index a654f9d..7125305 100644
--- a/opencontrail/files/4.0/contrail-device-manager.conf
+++ b/opencontrail/files/4.0/contrail-device-manager.conf
@@ -18,6 +18,9 @@
{%- endif %}
api_server_ip={{ config.api.host }}
api_server_port=8082
+{%- if config.api.use_ssl == True %}
+api_server_use_ssl=True
+{%- endif %}
zk_server_ip={% for member in config.database.members %}{{ member.host }}:2181{% if not loop.last %},{% endif %}{% endfor %}
log_file=/var/log/contrail/contrail-device-manager.log
cassandra_server_list={% for member in config.database.members %}{{ member.host }}:9161 {% endfor %}
diff --git a/opencontrail/files/4.0/contrail-schema.conf b/opencontrail/files/4.0/contrail-schema.conf
index df61af7..63f05df 100644
--- a/opencontrail/files/4.0/contrail-schema.conf
+++ b/opencontrail/files/4.0/contrail-schema.conf
@@ -2,6 +2,9 @@
[DEFAULTS]
api_server_ip={{ config.api.host }}
api_server_port=8082
+{%- if config.api.use_ssl == True %}
+api_server_use_ssl=True
+{%- endif %}
#zk_server_ip=10.0.102.31:2181,10.0.102.32:2181,10.0.102.33:2181
zk_server_ip={% for member in config.database.members %}{{ member.host }}:2181{% if not loop.last %},{% endif %}{% endfor %}
log_file=/var/log/contrail/contrail-schema.log
diff --git a/opencontrail/files/4.0/contrail-svc-monitor.conf b/opencontrail/files/4.0/contrail-svc-monitor.conf
index d23c6ad..3a018b5 100644
--- a/opencontrail/files/4.0/contrail-svc-monitor.conf
+++ b/opencontrail/files/4.0/contrail-svc-monitor.conf
@@ -3,6 +3,9 @@
[DEFAULTS]
api_server_ip={{ config.api.host }}
api_server_port=8082
+{%- if config.api.use_ssl == True %}
+api_server_use_ssl=True
+{%- endif %}
#zk_server_ip=10.0.102.31:2181,10.0.102.32:2181,10.0.102.33:2181
zk_server_ip={% for member in config.database.members %}{{ member.host }}:2181{% if not loop.last %},{% endif %}{% endfor %}
log_file=/var/log/contrail/contrail-svc-monitor.log
diff --git a/opencontrail/files/4.0/vnc_api_lib.ini b/opencontrail/files/4.0/vnc_api_lib.ini
index bdf16b6..5cac52d 100644
--- a/opencontrail/files/4.0/vnc_api_lib.ini
+++ b/opencontrail/files/4.0/vnc_api_lib.ini
@@ -10,6 +10,12 @@
BASE_URL = /
;BASE_URL = /tenants/infra ; common-prefix for all URLs
+{%- if config.api.use_ssl == True %}
+certfile = {{ config.api.certfile }}
+keyfile = {{ config.api.keyfile }}
+cafile = {{ config.api.cafile }}
+{%- endif %}
+
; Authentication settings (optional)
{%- if config.identity.engine == "keystone" %}
[auth]
diff --git a/tests/pillar/cluster40.sls b/tests/pillar/cluster40.sls
index 5bc81b5..1de436b 100644
--- a/tests/pillar/cluster40.sls
+++ b/tests/pillar/cluster40.sls
@@ -19,6 +19,7 @@
enabled: true
api:
host: 127.0.0.1
+ use_ssl: False
network:
engine: neutron
host: 127.0.0.1
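Review bot: Every test pillar touched by this change sets `use_ssl: False`, so none of the new `{%- if ... use_ssl == True %}` template branches is ever rendered in CI. The same applies to the other hunk in this file and to tests/pillar/control40.sls, single40.sls and vrouter40.sls. Add at least one pillar variant with `use_ssl: True` and constructed `certfile`, `keyfile` and `cafile` paths, so that a broken or incomplete SSL rendering is caught before deployment.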
@@ -204,3 +205,5 @@
password: password
token: token
tenant: admin
+ api:
+ use_ssl: False
diff --git a/tests/pillar/control40.sls b/tests/pillar/control40.sls
index d7d9bb5..51a3b35 100644
--- a/tests/pillar/control40.sls
+++ b/tests/pillar/control40.sls
@@ -19,6 +19,7 @@
enabled: true
api:
host: 127.0.0.1
+ use_ssl: False
network:
engine: neutron
host: 127.0.0.1
@@ -169,3 +170,5 @@
password: password
token: token
tenant: admin
+ api:
+ use_ssl: False
diff --git a/tests/pillar/single40.sls b/tests/pillar/single40.sls
index c064f37..ea5acef 100644
--- a/tests/pillar/single40.sls
+++ b/tests/pillar/single40.sls
@@ -16,6 +16,7 @@
version: 4.0
api:
host: 127.0.0.1
+ use_ssl: False
enabled: true
network:
engine: neutron
@@ -158,3 +159,5 @@
password: password
token: token
tenant: admin
+ api:
+ use_ssl: False
diff --git a/tests/pillar/vrouter40.sls b/tests/pillar/vrouter40.sls
index b77c2ca..a37c728 100644
--- a/tests/pillar/vrouter40.sls
+++ b/tests/pillar/vrouter40.sls
@@ -15,6 +15,7 @@
client:
api:
host: 127.0.0.1
+ use_ssl: False
identity:
host: 127.0.0.1
user: contrail