Generate webui certs if no external ones provided

Change-Id: Ief1c9378b56e956c44a2e4a73d160cef589a9cd5 Closes-Bug: #1791992
Juniper · Sep 11, 2018 · ec90aa5 · ec90aa5
1 parent 35a4556
commit ec90aa5
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 4 deletions.
diff --git a/containers/node-init/certs-init.sh → containers/base/certs-init.sh b/containers/node-init/certs-init.sh → containers/base/certs-init.sh
diff --git a/containers/base/common.sh b/containers/base/common.sh
@@ -27,8 +27,8 @@ SSL_ENABLE=${SSL_ENABLE:-False}
 SSL_INSECURE=${SSL_INSECURE:-True}
 SERVER_CERTFILE=${SERVER_CERTFILE:-'/etc/contrail/ssl/certs/server.pem'}
 SERVER_KEYFILE=${SERVER_KEYFILE:-'/etc/contrail/ssl/private/server-privkey.pem'}
-SERVER_CA_CERTFILE=${SERVER_CA_CERTFILE:-'/etc/contrail/ssl/certs/ca-cert.pem'}
-SERVER_CA_KEYFILE=${SERVER_CA_KEYFILE:-'/etc/contrail/ssl/private/ca-key.pem'}
+SERVER_CA_CERTFILE=${SERVER_CA_CERTFILE-'/etc/contrail/ssl/certs/ca-cert.pem'}
+SERVER_CA_KEYFILE=${SERVER_CA_KEYFILE-'/etc/contrail/ssl/private/ca-key.pem'}
 
 
 CONTROLLER_NODES=${CONTROLLER_NODES:-${DEFAULT_LOCAL_IP}}
@@ -65,8 +65,8 @@ WEBUI_JOB_SERVER_PORT=${WEBUI_JOB_SERVER_PORT:-3000}
 KUE_UI_PORT=${KUE_UI_PORT:-3002}
 WEBUI_HTTP_LISTEN_PORT=${WEBUI_HTTP_LISTEN_PORT:-8180}
 WEBUI_HTTPS_LISTEN_PORT=${WEBUI_HTTPS_LISTEN_PORT:-8143}
-WEBUI_SSL_KEY_FILE=${WEBUI_SSL_KEY_FILE:-"/etc/pki/ca-trust/source/anchors/contrail_webui_ssl/cs-key.pem"}
-WEBUI_SSL_CERT_FILE=${WEBUI_SSL_CERT_FILE:-"/etc/pki/ca-trust/source/anchors/contrail_webui_ssl/cs-cert.pem"}
+WEBUI_SSL_KEY_FILE=${WEBUI_SSL_KEY_FILE:-'/etc/contrail/webui_ssl/cs-key.pem'}
+WEBUI_SSL_CERT_FILE=${WEBUI_SSL_CERT_FILE:-'/etc/contrail/webui_ssl/cs-cert.pem'}
 WEBUI_SSL_CIPHERS=${WEBUI_SSL_CIPHERS:-"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES256-SHA"}
 ANALYTICS_API_PORT=${ANALYTCS_API_PORT:-8081}
 ANALYTICS_API_INTROSPECT_PORT=${ANALYTICS_API_INTROSPECT_PORT:-8090}

diff --git a/containers/controller/webui/base/entrypoint.sh b/containers/controller/webui/base/entrypoint.sh
@@ -10,6 +10,13 @@ function get_server_json_list(){
   echo "['"$srv_list"']"
 }
 
+function init_tls() {
+  SSL_ENABLE=true SERVER_CERTFILE="$WEBUI_SSL_CERT_FILE" \
+    SERVER_KEYFILE="$WEBUI_SSL_KEY_FILE" SERVER_CA_KEYFILE='' /certs-init.sh
+}
+
+init_tls
+
 orchestration_manager=${CLOUD_ORCHESTRATOR,,}
 
 if [[ "$orchestration_manager" == 'kubernetes' ]] ; then
@@ -223,6 +230,9 @@ config.server_options.ciphers = '$WEBUI_SSL_CIPHERS';
 module.exports = config;
 EOM
 
+echo "INFO: config /etc/contrail/config.global.js"
+cat /etc/contrail/config.global.js
+
 cat > /etc/contrail/contrail-webui-userauth.js << EOM
 /*
  * Copyright (c) 2014 Juniper Networks, Inc. All rights reserved.
@@ -237,6 +247,8 @@ auth.admin_tenant_name = '$KEYSTONE_AUTH_ADMIN_TENANT';
 module.exports = auth;
 EOM
 
+echo "INFO: config /etc/contrail/contrail-webui-userauth.js"
+cat /etc/contrail/contrail-webui-userauth.js
 
 set_vnc_api_lib_ini