Commit e4d531a9 authored by Dimitris Aragiorgis's avatar Dimitris Aragiorgis

deploy: Add CA component and ca role

The ca role will be a separate node able to create and sign
certificates. All components that need a certificate will get it
from this node. Since we are going to have one common certificate
for the synnefo.live CN, carrying the service hostnames (astakos,
cyclades, vnc, etc.) as DNS subject alternative names, this
certificate will be created in advance and every component will
receive it during setup.

The cacert.pem will be added to the firefox db via certutil -A.

snf-vncauthproxy will use the corresponding cert.pem and key.pem.
Signed-off-by: default avatarDimitris Aragiorgis <dimara@grnet.gr>
parent fbdfad18
......@@ -6,6 +6,7 @@
[auto]
ns = node
ca = node
client = node
router = node
nfs = node
......@@ -7,6 +7,7 @@
[auto]
ns = node
client = node
ca = node
router = node
nfs = node
db = node
# x509v3 extenstions to add when creating the root CA
# This is a CA's root certificate
basicConstraints = critical, CA:TRUE
# The key of this certificate will be used for signing other certificates
keyUsage = keyCertSign, cRLSign
# Follow the guidelines in RFC3280
subjectKeyIdentifier = hash
# This certificate will be used for signing certificates with the following CN
nameConstraints = permitted;DNS:%DOMAIN%
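Review bot: The `nameConstraints` extension on the last line is not marked critical, and RFC 5280 §4.2.1.10 requires CAs to mark it critical; a verifier that does not implement name constraints may silently ignore a non-critical one, which defeats the point of scoping this root to the deploy domain. Use `nameConstraints = critical, permitted;DNS:%DOMAIN%` and, for the same reason, `keyUsage = critical, keyCertSign, cRLSign`. Note that a permitted subtree for `DNS:` only constrains dNSName entries; a leaf later signed with an IP-address or e-mail SAN would be unaffected, so add an `excluded;IP:...` entry for the IPv4 and IPv6 ranges if that matters for this deployment. `%DOMAIN%` is filled from `self.node.domain` by the CA component's `_configure`, so the constraint follows the configured domain rather than the `synnefo.live` CN hard-coded in `create_root_ca.sh`; worth keeping in mind if those two ever differ.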
# x509v3 extenstions to add when creating the synnefo certificate
# This is certificate and not a CA
basicConstraints = CA:FALSE
# The certificate is valid for the CN but also for other alternative names
subjectAltName = DNS:%DOMAIN%,DNS:*.%DOMAIN%
# The certificate will be used for server authentication (e.g. apache2)
extendedKeyUsage = serverAuth
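Review bot: The end-entity profile has no `authorityKeyIdentifier`, which RFC 5280 §4.2.1.1 says a CA must include in every certificate that is not self-signed; chain building in NSS and OpenSSL relies on it, and it becomes important if the root is ever regenerated with the same subject (the script signs with fixed serials). Add `authorityKeyIdentifier = keyid,issuer` and `subjectKeyIdentifier = hash` so the leaf matches the root profile. Since this one key is handed to several services (apache2 and snf-vncauthproxy per the commit message), consider also making its purpose explicit with `keyUsage = critical, digitalSignature, keyEncipherment` rather than leaving key usage unrestricted.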
#!/bin/bash
# THIS SCRIPT CREATES A CA AND SIGNES A CERTIFICATE TO BE USED
# FOR THE SYNNEFO INSTALLATION. IT FOLLOWS INSTRUCTIONS FROM:
# https://wiki.mozilla.org/SecurityEngineering/x509Certs#Running_your_Own_CA
DIR=/root/ca
ROOT_CA_KEY=$DIR/cakey.pem
ROOT_CA_CSR=$DIR/cacert.csr
ROOT_CA_CERT=$DIR/cacert.pem
KEY=$DIR/key.pem
CSR=$DIR/cert.csr
CERT=$DIR/cert.pem
ROOT_CNF=$DIR/ca-x509-extensions.cnf
CNF=$DIR/x509-extensions.cnf
mkdir -p $DIR
echo [$ROOT_CA_KEY] Generating private key for root CA...
openssl genpkey -algorithm RSA -out $ROOT_CA_KEY -pkeyopt rsa_keygen_bits:4096
echo [$ROOT_CA_CSR] Generating certificate request for root CA...
openssl req -new -key $ROOT_CA_KEY -days 5480 -extensions v3_ca -batch \
-out $ROOT_CA_CSR -utf8 -subj '/C=GR/O=Synnefo/OU=SynnefoCloudSoftware'
echo [$ROOT_CA_CERT] Generating certificate for root CA...
openssl x509 -req -sha256 -days 3650 -in $ROOT_CA_CSR -signkey $ROOT_CA_KEY \
-set_serial 1 -extfile $ROOT_CNF -out $ROOT_CA_CERT
echo [$KEY] Generating private key for services...
openssl genpkey -algorithm RSA -out $KEY -pkeyopt rsa_keygen_bits:2048
echo [$CSR] Generating certificate request for services...
openssl req -new -key $KEY -days 1096 -extensions v3_ca -batch \
-out $CSR -utf8 -subj '/OU=SynnefoCloudServices/CN=synnefo.live'
echo [$CERT] Generating certificate for services...
openssl x509 -req -sha256 -days 1096 -in $CSR \
-CAkey $ROOT_CA_KEY -CA $ROOT_CA_CERT -set_serial 100 \
-out $CERT -extfile $CNF
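Review bot: The root CA key written by `openssl genpkey` on line 65 (and the service key on line 73) is created with whatever the caller's umask permits, so under the usual `022` both `cakey.pem` and `key.pem` end up world-readable and only the mode of `/root` stands between them and other local users; add `umask 077` right after the shebang, and `set -eu` so a failed `genpkey` does not let the later `req`/`x509` steps run against a missing key. The serials are fixed (`-set_serial 1` on line 71 and `-set_serial 100` on line 79), so every run produces a new root with the same issuer DN and serial; a Firefox profile that already holds a previous `cacert.pem` via `certutil -A` will reject the replacement as a reused issuer/serial, so derive it instead, e.g. `-set_serial 0x$(openssl rand -hex 16)`. Minor: as far as I can tell `-days 5480` and `-extensions v3_ca` on the `req -new` invocations (lines 67 and 75) do not affect the signed certificates at all — the 3650/1096-day values on lines 70 and 78 and the `-extfile` sections are what take effect — so dropping them avoids a misleading read of the validity period.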
......@@ -76,6 +76,7 @@ def update_admin(fn):
ctx.admin_node = cl.node
ctx.admin_fqdn = cl.fqdn
cl.NS = NS(node=ctx.ns.node, ctx=ctx)
cl.CA = CA(node=ctx.ca.node, ctx=ctx)
cl.NFS = NFS(node=ctx.nfs.node, ctx=ctx)
cl.DB = DB(node=ctx.db.node, ctx=ctx)
cl.ASTAKOS = Astakos(node=ctx.astakos.node, ctx=ctx)
......@@ -564,6 +565,46 @@ class DRBD(base.Component):
]
class CA(base.Component):
REQUIRED_PACKAGES = [
"openssl"
]
alias = constants.CA
service = constants.CA
def required_components(self):
return [
HW, SSH, DNS, APT,
]
@update_admin
def admin_pre(self):
self.NS.update_ns()
@base.run_cmds
def prepare(self):
return [
"mkdir -p /root/ca"
]
def _configure(self):
r1 = {
"domain": self.node.domain,
}
return [
("/root/create_root_ca.sh", {}, {"mode": 0755}),
("/root/ca/ca-x509-extensions.cnf", r1, {}),
("/root/ca/x509-extensions.cnf", r1, {}),
]
@base.run_cmds
def initialize(self):
return [
"/root/create_root_ca.sh"
]
class Ganeti(base.Component):
REQUIRED_PACKAGES = [
"qemu-kvm",
......@@ -14,6 +14,7 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
NS = "ns"
CA = "ca"
DB = "db"
MQ = "mq"
ASTAKOS = "astakos"
......@@ -60,6 +60,7 @@ class Context(object):
def update_info(self):
self.ns = self._get(constants.NS)
self.ca = self._get(constants.CA)
self.nfs = self._get(constants.NFS)
self.mq = self._get(constants.MQ)
self.db = self._get(constants.DB)
......@@ -100,6 +100,7 @@ def setup_cluster(ctx=None):
def setup_synnefo():
setup_role(constants.NS)
setup_role(constants.CA)
setup_role(constants.NFS)
setup_role(constants.DB)
setup_role(constants.MQ)
......@@ -20,6 +20,7 @@ from snfdeploy import components
_ROLE_MAP = {
constants.NS: components.NS,
constants.NFS: components.NFS,
constants.CA: components.CA,
constants.DB: components.DB,
constants.MQ: components.MQ,
constants.ASTAKOS: components.Astakos,