Merge branch 'master' into nodecount

tomassedovic · web-flow · commit d928e29064c1 · 2017-04-05T11:00:57.000+02:00
diff --git a/README.adoc b/README.adoc
@@ -276,6 +276,57 @@ Sometimes it's necessary to find out why a stack was not deployed as expected.
 link:README_debugging.adoc[Debugging] helps you find the root cause of the
 issue.
 
+== OpenStack Integration
+
+OpenShift on OpenStack takes advantage of the cloud provider to offer
+features such as dymaic storage to the OpenShift users. Auto scaling
+also requires communication with the OpenStack service.  You must
+provide a set of OpenStack credentials so that OpenShift and the heat
+scaling mechanism can work correctly.
+
+These are the same values used to create the Heat stack.
+
+.Sample OSP Credentials - `osp_credentials.yaml`
+----
+---
+parameters:
+  os_auth_url: http://10.0.x.x:5000/v2.0
+  os_username: <username>
+  os_password: <password>
+  os_region_name: regionOne
+  os_tenant_name: <tenant name>
+----
+
+When invoking the stack creation, include this by adding `-e
+osp_credentials.yaml` to the command.
+
+== [[ca-certificates]]OpenStack with SSL/TLS
+
+If your OpenStack service is encrypted with SSL/TLS, you will need to
+provide the CA certificate so that the communication channel can be
+validated.
+
+The CA certificate is provided as a literal string copy of contents of
+the CA certificate file, and can be included in an additional
+environment file:
+
+.CA Certificate Parameter File `ca_certificates.yaml`
+----
+---
+parameters:
+  ca_cert: |
+    -----BEGIN CERTIFICATE-----
+   ...
+   -----END CERTIFICATE-----
+----
+
+When invoking the stack creation, includ this by adding `-e
+ca_certificates.yaml`.
+
+You can include multiple CA certificate strings and all will be imported
+into the CA list on all instances.
+
+
 == Multiple Master Nodes
 
 You can deploy OpenShift with multiple master hosts using the 'native'
@@ -385,15 +436,15 @@ when you create the stack.
 
 Example of `env_ldap.yaml` using an Active Directory server:
 
-```yaml
+.LDAP parameter file `env_ldap.yaml
+----
 parameter_defaults:
    ldap_hostname: <ldap hostname>
    ldap_ip: <ip of ldap server>
    ldap_url: ldap://<ldap hostname>:389/CN=Users,DC=example,DC=openshift,DC=com?sAMAccountName
    ldap_bind_dn: CN=Administrator,CN=Users,DC=example,DC=openshift,DC=com?sAMAccountName
    ldap_bind_password: <admin password>
-```
-
+----
 
 ```bash
 heat stack-create my-openshift \
@@ -402,6 +453,8 @@ heat stack-create my-openshift \
   -f openshift-on-openstack/openshift.yaml
 ```
 
+If your LDAP service uses SSL, you will also need to add a link:#ca-certificates[CA Certficate] for the LDAP communications.
+
 == Using Custom Yum Repositories
 
 You can set additional Yum repositories on deployed nodes by passing `extra_repository_urls`
@@ -513,7 +566,7 @@ the `dns_nameserver` list.
 You will still need to set the API and wildcard entries, though.
 
 
-== Retrieving the CA certificate
+== Retrieving the OpenShift CA certificate
 
 You can retrieve the CA certificate that was generated during the OpenShift
 installation by running
diff --git a/bastion.yaml b/bastion.yaml
@@ -201,6 +201,10 @@ parameters:
     description: List of docker repository URLs which will be installed on each node, if a repo is insecure use '#insecure' suffix.
     default: ''
 
+  ca_cert:
+    type: string
+    description: Certificate Authority Certificate to be added to trust chain
+
 resources:
 
   # A VM to provide host based orchestration and other sub-services
@@ -235,6 +239,7 @@ resources:
       parts:
       - config: {get_resource: set_hostname}
       - config: {get_resource: included_files}
+      - config: {get_resource: update_ca_cert}
       - config: {get_resource: rhn_register}
       - config: {get_resource: set_extra_repos}
       - config: {get_resource: set_extra_docker_repos}
@@ -295,9 +300,17 @@ resources:
         - path: /root/.ssh/id_rsa.pub
           permissions: 0600
           content: {get_param: ansible_public_key}
+        - path: /etc/pki/ca-trust/source/anchors/ca.crt
+          permissions: 0600
+          content: {get_param: ca_cert}
         ssh_authorized_keys:
         - {get_param: ansible_public_key}
 
+  # Add CA Cert to trust chain
+  update_ca_cert:
+    type: OS::Heat::SoftwareConfig
+    properties:
+      config: {get_file: fragments/ca_cert.sh}
 
   # Register the host with RHN for access to software packages
   rhn_register:
diff --git a/fragments/ca_cert.sh b/fragments/ca_cert.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+#
+# Register with subscription manager and enable required RPM respositories
+#
+# ENVVARS:
+#   CA_CERT - a ca certificate to be added to trust chain
+
+# Exit on command fail
+set -eu
+set -x
+
+# Return the final non-zero exit code of a failed pipe (or 0 for success)
+set -o pipefail
+
+# =============================================================================
+# MAIN
+# =============================================================================
+
+if [ -f /etc/pki/ca-trust/source/anchors/ca.crt ] ; then
+  update-ca-trust enable
+  update-ca-trust extract
+else
+    exit 0
+fi
diff --git a/infra.yaml b/infra.yaml
@@ -228,6 +228,10 @@ parameters:
     type: string
     hidden: true
 
+  ca_cert:
+    type: string
+    description: Certificate Authority Certificate to be added to trust chain
+
 resources:
 
   # Create a network connection on the internal communications network
@@ -299,6 +303,7 @@ resources:
       parts:
       - config: {get_resource: set_hostname}
       - config: {get_resource: included_files}
+      - config: {get_resource: update_ca_cert}
       - config: {get_resource: rhn_register}
       - config: {get_resource: set_extra_repos}
       - config: {get_resource: set_extra_docker_repos}
@@ -347,9 +352,18 @@ resources:
               params:
                 $IFNAME: eth1
               template: {get_file: fragments/ifcfg-eth}
+        - path: /etc/pki/ca-trust/source/anchors/ca.crt
+          permissions: 0600
+          content: {get_param: ca_cert}
         ssh_authorized_keys:
         - {get_param: ansible_public_key}
 
+  # Add CA Cert to trust chain
+  update_ca_cert:
+    type: OS::Heat::SoftwareConfig
+    properties:
+      config: {get_file: fragments/ca_cert.sh}
+
   # Attach to a source of software updates for RHEL
   rhn_register:
     type: OS::Heat::SoftwareConfig
diff --git a/loadbalancer_dedicated.yaml b/loadbalancer_dedicated.yaml
@@ -169,6 +169,10 @@ parameters:
     type: string
     hidden: true
 
+  ca_cert:
+    type: string
+    description: Certificate Authority Certificate to be added to trust chain
+
 resources:
   floating_ip_assoc:
     type: OS::Neutron::FloatingIPAssociation
@@ -233,6 +237,7 @@ resources:
       parts:
       - config: {get_resource: set_hostname}
       - config: {get_resource: included_files}
+      - config: {get_resource: update_ca_cert}
       - config: {get_resource: rhn_register}
       - config: {get_resource: set_extra_repos}
       - config: {get_resource: set_extra_docker_repos}
@@ -278,9 +283,22 @@ resources:
               params:
                 $WC_NOTIFY: { get_attr: ['wait_handle', 'curl_cli'] }
               template: {get_file: fragments/common_functions.sh}
+        - path: /etc/pki/ca-trust/source/anchors/ca.crt
+          permissions: 0600
+          content: {get_param: ca_cert}
         ssh_authorized_keys:
         - {get_param: ansible_public_key}
 
+  # Add CA Cert to trust chain
+  update_ca_cert:
+    type: OS::Heat::SoftwareConfig
+    properties:
+      config:
+        str_replace:
+          params:
+            $CA_CERT: {get_param: ca_cert}
+          template: {get_file: fragments/ca_cert.sh}
+
   # Connect to a software source for updates on RHEL
   rhn_register:
     type: OS::Heat::SoftwareConfig
diff --git a/loadbalancer_external.yaml b/loadbalancer_external.yaml
@@ -167,6 +167,10 @@ parameters:
     type: string
     hidden: true
 
+  ca_cert:
+    type: string
+    description: Certificate Authority Certificate to be added to trust chain
+
 outputs:
   console_url:
     description: URL of the OpenShift web console
diff --git a/loadbalancer_neutron.yaml b/loadbalancer_neutron.yaml
@@ -160,6 +160,10 @@ parameters:
     type: string
     hidden: true
 
+  ca_cert:
+    type: string
+    description: Certificate Authority Certificate to be added to trust chain
+
 resources:
   lb:
     type: OS::Neutron::LoadBalancer
diff --git a/loadbalancer_none.yaml b/loadbalancer_none.yaml
@@ -171,6 +171,10 @@ parameters:
     type: string
     hidden: true
 
+  ca_cert:
+    type: string
+    description: Certificate Authority Certificate to be added to trust chain
+
 outputs:
   console_url:
     description: URL of the OpenShift web console
diff --git a/master.yaml b/master.yaml
@@ -221,6 +221,10 @@ parameters:
     type: string
     hidden: true
 
+  ca_cert:
+    type: string
+    description: Certificate Authority Certificate to be added to trust chain
+
 resources:
 
   # Create a network connection on the internal communications network
@@ -291,6 +295,7 @@ resources:
       parts:
       - config: {get_resource: set_hostname}
       - config: {get_resource: included_files}
+      - config: {get_resource: update_ca_cert}
       - config: {get_resource: rhn_register}
       - config: {get_resource: set_extra_repos}
       - config: {get_resource: set_extra_docker_repos}
@@ -339,9 +344,18 @@ resources:
               params:
                 $IFNAME: eth1
               template: {get_file: fragments/ifcfg-eth}
+        - path: /etc/pki/ca-trust/source/anchors/ca.crt
+          permissions: 0600
+          content: {get_param: ca_cert}
         ssh_authorized_keys:
         - {get_param: ansible_public_key}
 
+  # Add CA Cert to trust chain
+  update_ca_cert:
+    type: OS::Heat::SoftwareConfig
+    properties:
+      config: {get_file: fragments/ca_cert.sh}
+
   # Attach to a source of software updates for RHEL
   rhn_register:
     type: OS::Heat::SoftwareConfig
diff --git a/node.yaml b/node.yaml
@@ -352,6 +352,10 @@ parameters:
       Automatically scale up/down openshift nodes.
     default: false
 
+  ca_cert:
+    type: string
+    description: Certificate Authority Certificate to be added to trust chain
+
 resources:
 
   # Generate a string to distinguish one node from the others
@@ -402,6 +406,7 @@ resources:
       parts:
       - config: {get_resource: set_hostname}
       - config: {get_resource: included_files}
+      - config: {get_resource: update_ca_cert}
       - config: {get_resource: rhn_register}
       - config: {get_resource: set_extra_repos}
       - config: {get_resource: set_extra_docker_repos}
@@ -456,9 +461,22 @@ resources:
               params:
                 $IFNAME: eth1
               template: {get_file: fragments/ifcfg-eth}
+        - path: /etc/pki/ca-trust/source/anchors/ca.crt
+          permissions: 0600
+          content: {get_param: ca_cert}
         ssh_authorized_keys:
         - {get_param: ansible_public_key}
 
+  # Add CA Cert to trust chain
+  update_ca_cert:
+    type: OS::Heat::SoftwareConfig
+    properties:
+      config:
+        str_replace:
+          params:
+            $CA_CERT: {get_param: ca_cert}
+          template: {get_file: fragments/ca_cert.sh}
+
   # Connect to software update source for RHEL
   rhn_register:
     type: OS::Heat::SoftwareConfig
diff --git a/openshift.yaml b/openshift.yaml
diff --git a/templates/var/lib/ansible/playbooks/quota.yml b/templates/var/lib/ansible/playbooks/quota.yml
diff --git a/templates/var/lib/ansible/playbooks/scaleup.yml b/templates/var/lib/ansible/playbooks/scaleup.yml
