
Changes required for Nuage monitor REST server

Vishal Patil 9 лет назад
Родитель
Сommit
c16a92f804

+ 3 - 0
roles/nuage_ca/files/openssl.cnf

@@ -0,0 +1,3 @@
+[ clientauth ]
+basicConstraints=CA:FALSE
+extendedKeyUsage=critical,clientAuth
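Review bot: The `[ clientauth ]` section marks only `extendedKeyUsage` as critical and defines no `keyUsage`, so a certificate signed with `-extensions clientauth` carries no key-usage restriction and its `basicConstraints` may be silently ignored by a validator that does not process non-critical extensions. The usual pairing for a TLS client leaf is `basicConstraints=critical,CA:FALSE` and `keyUsage=critical,digitalSignature`, which together prevent the certificate from being accepted as an issuer or used for anything but authenticating a TLS client.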

+ 1 - 0
roles/nuage_ca/files/serial.txt

@@ -0,0 +1 @@
+00

+ 16 - 0
roles/nuage_ca/meta/main.yml

@@ -0,0 +1,16 @@
+---
+galaxy_info:
+  author: Vishal Patil 
+  description:
+  company: Nuage Networks
+  license: Apache License, Version 2.0
+  min_ansible_version: 1.8
+  platforms:
+  - name: EL
+    versions:
+    - 7
+  categories:
+  - cloud
+  - system
+dependencies:
+- { role: nuage_common }
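Review bot: `description:` on the third line is a bare empty value, which a YAML parser reads as null rather than an empty string, and `min_ansible_version: 1.8` is parsed as a float; Galaxy metadata expects strings for both. Use `description: ""` (better, a one-line description of the role) and `min_ansible_version: "1.8"`. The same applies to roles/nuage_master/meta/main.yml and roles/nuage_node/meta/main.yml, and `author: Vishal Patil ` carries a trailing space in all three files.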

+ 46 - 0
roles/nuage_ca/tasks/main.yaml

@@ -0,0 +1,46 @@
+---
+- name: Install openssl
+  action: "{{ ansible_pkg_mgr }} name=openssl state=present"
+  when: not openshift.common.is_atomic | bool
+
+- name: Create CA directory
+  file: path="{{ nuage_ca_dir }}" state=directory
+  run_once: true
+  delegate_to: "{{ nuage_ca_master }}"
+
+- name: Create certificate directory
+  file: path="{{ nuage_ca_master_crt_dir }}" state=directory
+  run_once: true
+  delegate_to: "{{ nuage_ca_master }}"
+
+- name: Check if the CA key already exists
+  stat: path="{{ nuage_ca_key }}"
+  register: nuage_ca_key_check
+  delegate_to: "{{ nuage_ca_master }}"
+
+- name: Create CA key
+  command: openssl genrsa -out "{{ nuage_ca_key }}" 4096
+  run_once: true
+  delegate_to: "{{ nuage_ca_master }}"
+  when: nuage_ca_key_check.stat.exists is defined and nuage_ca_key_check.stat.exists == False
+
+- name: Check if the CA crt already exists
+  stat: path="{{ nuage_ca_crt }}"
+  register: nuage_ca_crt_check
+  delegate_to: "{{ nuage_ca_master }}"
+
+- name: Create CA crt
+  command: openssl req -new -x509 -key "{{ nuage_ca_key }}" -out "{{ nuage_ca_crt }}" -subj "/CN=nuage-signer"
+  run_once: true
+  delegate_to: "{{ nuage_ca_master }}"
+  when: nuage_ca_crt_check.stat.exists is defined and nuage_ca_crt_check.stat.exists == False
+
+- name: Create the serial file
+  copy: src=serial.txt dest="{{ nuage_ca_serial }}"
+  run_once: true
+  delegate_to: "{{ nuage_ca_master }}"
+
+- name: Copy SSL config file
+  copy: src=openssl.cnf dest="{{ nuage_ca_dir }}/openssl.cnf" 
+  run_once: true
+  delegate_to: "{{ nuage_ca_master }}"
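Review bot: `openssl req -new -x509` in the "Create CA crt" task is given no `-days`, so the self-signed CA certificate gets OpenSSL's default validity of 30 days, after which every server and client certificate it signed stops validating; add an explicit lifetime, e.g. `command: openssl req -new -x509 -days <CA_VALIDITY_DAYS> -sha256 -key "{{ nuage_ca_key }}" -out "{{ nuage_ca_crt }}" -subj "/CN=nuage-signer"` (`-sha256` matters only if the target's OpenSSL still defaults to SHA-1). `openssl genrsa` may also leave `nuage_ca_key` with the caller's umask, and nothing in this file tightens it; a follow-up `file: path="{{ nuage_ca_key }}" mode=0600` (and `mode=0700` on `nuage_ca_dir`) keeps the CA private key readable by root only. The two `stat` checks lack `run_once: true` although the tasks they gate have it, so they run once per play host against the same delegated file — harmless but inconsistent. `nuage_ca_key_check.stat.exists == False` reads more naturally as `not nuage_ca_key_check.stat.exists`.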

+ 0 - 0
roles/nuage_ca/vars/main.yaml


+ 10 - 0
roles/nuage_common/defaults/main.yaml

@@ -0,0 +1,10 @@
+nuage_ca_master: "{{ groups.oo_first_master.0 }}"
+nuage_ca_master_crt_dir: /usr/share/nuage-openshift-certificates
+
+nuage_ca_dir: /usr/share/nuage-openshift-ca
+nuage_ca_key: "{{ nuage_ca_dir }}/nuageMonCA.key"
+nuage_ca_crt: "{{ nuage_ca_dir }}/nuageMonCA.crt"
+nuage_ca_serial: "{{ nuage_ca_dir }}/nuageMonCA.serial.txt"
+
+nuage_master_mon_dir: /usr/share/nuage-openshift-monitor
+nuage_node_plugin_dir: /usr/share/vsp-openshift
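Review bot: The file has no `---` document start, unlike the other new YAML files in this commit, and it places the CA private key (`nuage_ca_key`) under `/usr/share/nuage-openshift-ca`, a hierarchy conventionally world-readable and meant for static, shareable data. A root-only location such as a directory under `/etc/`, created with mode `0700`, is the safer default for key material; if `/usr/share` must stay, the task creating `nuage_ca_dir` needs an explicit restrictive mode.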

+ 16 - 0
roles/nuage_master/meta/main.yml

@@ -0,0 +1,16 @@
+---
+galaxy_info:
+  author: Vishal Patil 
+  description:
+  company: Nuage Networks
+  license: Apache License, Version 2.0
+  min_ansible_version: 1.8
+  platforms:
+  - name: EL
+    versions:
+    - 7
+  categories:
+  - cloud
+  - system
+dependencies:
+- { role: nuage_ca }

+ 50 - 0
roles/nuage_master/tasks/certificates.yml

@@ -0,0 +1,50 @@
+---
+- name: Create a directory to hold the certificates
+  file: path="{{ nuage_mon_rest_server_crt_dir }}" state=directory
+  delegate_to: "{{ nuage_ca_master }}" 
+
+- name: Create the key
+  command: >
+    openssl genrsa -out "{{ nuage_ca_master_rest_server_key }}" 4096  
+  delegate_to: "{{ nuage_ca_master }}"
+
+- name: Create the req file
+  command: >
+    openssl req -key "{{ nuage_ca_master_rest_server_key }}" -new -out "{{ nuage_mon_rest_server_crt_dir }}/restServer.req" -subj "/CN={{ ansible_nodename }}"
+  delegate_to: "{{ nuage_ca_master }}"
+
+- name: Generate the crt file
+  command: >
+     openssl x509 -req -in "{{ nuage_mon_rest_server_crt_dir }}/restServer.req" -CA "{{ nuage_ca_crt }}" -CAkey "{{ nuage_ca_key }}" -CAserial "{{ nuage_ca_serial }}"  -out "{{ nuage_ca_master_rest_server_crt }}"
+  delegate_to: "{{ nuage_ca_master }}"
+
+- name: Remove the req file
+  file: path="{{ nuage_mon_rest_server_crt_dir }}/restServer.req" state=absent
+  delegate_to: "{{ nuage_ca_master }}"
+
+- name: Copy nuage CA crt
+  shell: cp "{{ nuage_ca_crt }}" "{{ nuage_mon_rest_server_crt_dir }}"
+  delegate_to: "{{ nuage_ca_master }}"
+
+- name: Archive the certificate dir
+  shell: "cd {{ nuage_mon_rest_server_crt_dir }} && tar -czvf /tmp/{{ ansible_nodename }}.tgz *"
+  delegate_to: "{{ nuage_ca_master }}"
+
+- name: Create a temp directory for the certificates 
+  local_action: command mktemp -d "/tmp/openshift-{{ ansible_nodename }}-XXXXXXX"
+  register: mktemp
+
+- name: Download the certificates
+  fetch: src="/tmp/{{ ansible_nodename }}.tgz" dest="{{ mktemp.stdout }}/{{ ansible_nodename }}.tgz" flat=yes
+  delegate_to: "{{ nuage_ca_master }}"
+
+- name: Extract the certificates
+  unarchive: src="{{ mktemp.stdout }}/{{ ansible_nodename }}.tgz" dest={{ nuage_master_crt_dir }}
+
+- name: Delete the certificates after copy
+  file: path="{{ nuage_mon_rest_server_crt_dir }}" state=absent 
+  delegate_to: "{{ nuage_ca_master }}"
+
+- name: Delete the temp directory
+  file: path="{{ mktemp.stdout }}" state=absent
+  delegate_to: "{{ nuage_ca_master }}"
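Review bot: The last task, "Delete the temp directory", is delegated to `nuage_ca_master`, but `mktemp.stdout` was produced by a `local_action` on the controller, so the controller's temp directory (holding the fetched key tarball) is never removed and the CA master only tries to delete a path it does not have; meanwhile `/tmp/{{ ansible_nodename }}.tgz`, which contains the server private key, is left behind on the CA master with no task removing it. Both should be cleaned up on the host where they were created. The `openssl x509 -req` in "Generate the crt file" also has no `-days`, so the server certificate inherits OpenSSL's 30-day default, and it carries no `subjectAltName` or `serverAuth` extension, which strict TLS clients may reject for a CN-only certificate — whether the monitor client is that strict is not visible here. "Create the key" is not idempotent (no `creates:`), so every play run re-keys the server. roles/nuage_node/tasks/certificates.yml has the same cleanup and `-days` issues.

```yaml
# … unchanged: directory, key, req, crt, CA copy, archive, mktemp, fetch, unarchive, crt-dir deletion …
- name: Delete the archive from the CA master
  file: path="/tmp/{{ ansible_nodename }}.tgz" state=absent
  delegate_to: "{{ nuage_ca_master }}"

- name: Delete the temp directory
  local_action: file path="{{ mktemp.stdout }}" state=absent
```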

+ 4 - 2
roles/nuage_master/tasks/main.yaml

@@ -5,7 +5,7 @@
 
 - name: Create the log directory
   sudo: true
-  file: path={{ nuage_openshift_monitor_log_dir }} state=directory
+  file: path={{ nuage_mon_rest_server_logdir }} state=directory
 
 - name: Install Nuage Openshift Monitor 
   sudo: true
@@ -23,7 +23,9 @@
         - nuage.crt
         - nuage.key
         - nuage.kubeconfig 
- 
+
+- include: certificates.yml 
+
 - name: Create nuage-openshift-monitor.yaml
   sudo: true
   template: src=nuage-openshift-monitor.j2 dest=/usr/share/nuage-openshift-monitor/nuage-openshift-monitor.yaml owner=root mode=0644

+ 5 - 1
roles/nuage_master/templates/nuage-openshift-monitor.j2

@@ -16,4 +16,8 @@ enterpriseName: {{ enterprise }}
 # Name of the domain in which pods will reside
 domainName: {{ domain }}
 # Location where logs should be saved
-log_dir: {{ nuage_openshift_monitor_log_dir }} 
+log_dir: {{ nuage_mon_rest_server_logdir }}
+# Monitor rest server paramters
+nuageMonServer:
+    URL: {{ nuage_mon_rest_server_url }}
+    certificateDirectory: {{ cert_output_dir }} 
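Review bot: The comment `# Monitor rest server paramters` misspells "parameters". The substituted values `{{ nuage_mon_rest_server_url }}` and `{{ cert_output_dir }}` are rendered unquoted; writing `URL: "{{ nuage_mon_rest_server_url }}"` protects the consuming YAML parser from an empty or special-character expansion. The rendered `URL` is `0.0.0.0:<port>`, i.e. a listener on every interface; if the monitor REST API is only meant for the node plugins, a narrower bind address or a host-firewall rule is worth a follow-up. `certificateDirectory: {{ cert_output_dir }} ` ends with trailing whitespace.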

+ 10 - 1
roles/nuage_master/vars/main.yaml

@@ -4,4 +4,13 @@ admin_config: "{{ openshift.common.config_base }}/master/admin.kubeconfig"
 cert_output_dir: /usr/share/nuage-openshift-monitor
 kube_config: /usr/share/nuage-openshift-monitor/nuage.kubeconfig
 kubemon_yaml: /usr/share/nuage-openshift-monitor/nuage-openshift-monitor.yaml 
-master_config_yaml: "{{ openshift_master_config_dir }}/master-config.yaml" 
+master_config_yaml: "{{ openshift_master_config_dir }}/master-config.yaml"
+nuage_mon_rest_server_port: "{{ nuage_openshift_monitor_rest_server_port | default('9443') }}"
+nuage_mon_rest_server_url: "0.0.0.0:{{ nuage_mon_rest_server_port }}"
+nuage_mon_rest_server_logdir: "{{ nuage_openshift_monitor_log_dir | default('/var/log/nuage-openshift-monitor') }}"
+
+nuage_mon_rest_server_crt_dir: "{{ nuage_ca_master_crt_dir }}/{{ ansible_nodename }}"
+nuage_ca_master_rest_server_key: "{{ nuage_mon_rest_server_crt_dir }}/nuageMonServer.key"
+nuage_ca_master_rest_server_crt: "{{ nuage_mon_rest_server_crt_dir }}/nuageMonServer.crt" 
+
+nuage_master_crt_dir : /usr/share/nuage-openshift-monitor
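Review bot: `nuage_master_crt_dir : /usr/share/nuage-openshift-monitor` has a space before the colon, which yamllint flags (`colons`), and it duplicates the path already held by `cert_output_dir` earlier in this file; `nuage_master_crt_dir: "{{ cert_output_dir }}"` (or reusing `cert_output_dir` directly in certificates.yml) keeps one source of truth. `nuage_mon_rest_server_url` here is a bind address (`0.0.0.0:<port>`) while the same variable name in roles/nuage_node/vars/main.yaml is an `https://` URL; a distinct name such as `nuage_mon_rest_server_bind` would avoid confusing the two. The `nuage_ca_master_rest_server_crt` line ends with trailing whitespace.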

+ 16 - 0
roles/nuage_node/meta/main.yml

@@ -0,0 +1,16 @@
+---
+galaxy_info:
+  author: Vishal Patil 
+  description:
+  company: Nuage Networks
+  license: Apache License, Version 2.0
+  min_ansible_version: 1.8
+  platforms:
+  - name: EL
+    versions:
+    - 7
+  categories:
+  - cloud
+  - system
+dependencies:
+- { role: nuage_ca }

+ 50 - 0
roles/nuage_node/tasks/certificates.yml

@@ -0,0 +1,50 @@
+---
+- name: Create a directory to hold the certificates
+  file: path="{{ nuage_plugin_rest_client_crt_dir }}" state=directory
+  delegate_to: "{{ nuage_ca_master }}"
+
+- name: Create the key
+  command: >
+    openssl genrsa -out "{{ nuage_ca_master_plugin_key }}" 4096  
+  delegate_to: "{{ nuage_ca_master }}"
+
+- name: Create the req file
+  command: >
+    openssl req -key "{{ nuage_ca_master_plugin_key }}" -new -out "{{ nuage_plugin_rest_client_crt_dir }}/restClient.req" -subj "/CN=nuage-client"
+  delegate_to: "{{ nuage_ca_master }}"
+
+- name: Generate the crt file
+  command: >
+     openssl x509 -req -in "{{ nuage_plugin_rest_client_crt_dir }}/restClient.req" -CA "{{ nuage_ca_crt }}" -CAkey "{{ nuage_ca_key }}" -CAserial "{{ nuage_ca_serial }}"  -out "{{ nuage_ca_master_plugin_crt }}" -extensions clientauth -extfile "{{ nuage_ca_dir }}"/openssl.cnf 
+  delegate_to: "{{ nuage_ca_master }}"
+
+- name: Remove the req file
+  file: path="{{ nuage_plugin_rest_client_crt_dir }}/restClient.req" state=absent
+  delegate_to: "{{ nuage_ca_master }}"
+
+- name: Copy nuage CA crt
+  shell: cp "{{ nuage_ca_crt }}" "{{ nuage_plugin_rest_client_crt_dir }}"
+  delegate_to: "{{ nuage_ca_master }}"
+
+- name: Archive the certificate dir
+  shell: "cd {{ nuage_plugin_rest_client_crt_dir }} && tar -czvf /tmp/{{ ansible_nodename }}.tgz *"
+  delegate_to: "{{ nuage_ca_master }}"
+
+- name: Create a temp directory for the certificates 
+  local_action: command mktemp -d "/tmp/openshift-{{ ansible_nodename }}-XXXXXXX"
+  register: mktemp
+
+- name: Download the certificates
+  fetch: src="/tmp/{{ ansible_nodename }}.tgz" dest="{{ mktemp.stdout }}/{{ ansible_nodename }}.tgz" flat=yes
+  delegate_to: "{{ nuage_ca_master }}"
+
+- name: Extract the certificates
+  unarchive: src="{{ mktemp.stdout }}/{{ ansible_nodename }}.tgz" dest={{ nuage_plugin_crt_dir }}
+
+- name: Delete the certificates after copy
+  file: path="{{ nuage_plugin_rest_client_crt_dir }}" state=absent 
+  delegate_to: "{{ nuage_ca_master }}"
+
+- name: Delete the temp directory
+  file: path="{{ mktemp.stdout }}" state=absent
+  delegate_to: "{{ nuage_ca_master }}"
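Review bot: Every node's "Generate the crt file" task signs against the single `nuage_ca_serial` file on the CA master, and with Ansible's default forks several nodes reach this task at once, so concurrent delegated `openssl x509 -CAserial` invocations can read and rewrite the serial file simultaneously and issue duplicate serial numbers (or corrupt the file). Serialising the signing — `serial: 1` on the play that applies this role, or a lock around the command — avoids that. `-extfile "{{ nuage_ca_dir }}"/openssl.cnf` works only because the command module re-joins the adjacent quoted and unquoted fragments; `-extfile "{{ nuage_ca_dir }}/openssl.cnf"` is the clearer form.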

+ 2 - 0
roles/nuage_node/tasks/main.yaml

@@ -29,6 +29,8 @@
         - nuage.key
         - nuage.kubeconfig 
 
+- include: certificates.yml
+
 - name: Set the vsp-openshift.yaml 
   sudo: true
   template: src=vsp-openshift.j2 dest={{ vsp_openshift_yaml }} owner=root mode=0644 

+ 10 - 0
roles/nuage_node/templates/vsp-openshift.j2

@@ -10,5 +10,15 @@ enterpriseName: {{ enterprise }}
 domainName: {{ domain }}
 # IP address and port number of master API server
 masterApiServer: {{ api_server }}
+# REST server URL 
+nuageMonRestServer: {{ nuage_mon_rest_server_url }}
 # Bridge name for the docker bridge
 dockerBridgeName: {{ docker_bridge }}
+# Certificate for connecting to the kubemon REST API
+nuageMonClientCert: {{ rest_client_cert }}
+# Key to the certificate in restClientCert
+nuageMonClientKey: {{ rest_client_key }} 
+# CA certificate for verifying the master's rest server
+nuageMonServerCA: {{ rest_server_ca_cert }}
+# Nuage vport mtu size
+interfaceMTU: {{ vport_mtu  }}
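Review bot: The comment `# Key to the certificate in restClientCert` names a key that does not exist in this file; the certificate field above is `nuageMonClientCert`, so it should read `# Key for the certificate in nuageMonClientCert`. `# REST server URL ` and `nuageMonClientKey: {{ rest_client_key }} ` end with trailing whitespace, and `{{ vport_mtu  }}` has a doubled space. Quoting the substituted scalars (`nuageMonRestServer: "{{ nuage_mon_rest_server_url }}"`) guards the rendered YAML against empty or special-character expansions.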

+ 12 - 0
roles/nuage_node/vars/main.yaml

@@ -6,4 +6,16 @@ client_cert: "{{ vsp_openshift_dir }}/nuage.crt"
 client_key: "{{ vsp_openshift_dir }}/nuage.key"
 ca_cert: "{{ vsp_openshift_dir }}/ca.crt"
 api_server: "{{ openshift_node_master_api_url }}"
+nuage_mon_rest_server_port: "{{ nuage_openshift_monitor_rest_server_port | default('9443') }}"
+nuage_mon_rest_server_url: "https://{{ openshift_master_cluster_hostname }}:{{ nuage_mon_rest_server_port }}"
 docker_bridge: "docker0"
+rest_client_cert: "{{ vsp_openshift_dir }}/nuageMonClient.crt"
+rest_client_key: "{{ vsp_openshift_dir }}/nuageMonClient.key"
+rest_server_ca_cert: "{{ vsp_openshift_dir }}/nuageMonCA.crt"
+vport_mtu: "{{ nuage_interface_mtu | default('1460') }}"
+
+nuage_plugin_rest_client_crt_dir: "{{ nuage_ca_master_crt_dir }}/{{ ansible_nodename }}"
+nuage_ca_master_plugin_key: "{{ nuage_plugin_rest_client_crt_dir }}/nuageMonClient.key"
+nuage_ca_master_plugin_crt: "{{ nuage_plugin_rest_client_crt_dir }}/nuageMonClient.crt" 
+
+nuage_plugin_crt_dir : /usr/share/vsp-openshift
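Review bot: `nuage_mon_rest_server_url` points the plugin at `https://{{ openshift_master_cluster_hostname }}:<port>`, but the server certificate issued in roles/nuage_master/tasks/certificates.yml has subject `/CN={{ ansible_nodename }}` of the individual master and no `subjectAltName`, so a plugin that verifies the server against `nuageMonServerCA` fails hostname validation whenever the cluster hostname differs from that node name; either issue the server certificate for `openshift_master_cluster_hostname` (as a SAN) or document that the two must coincide. `nuage_plugin_crt_dir : /usr/share/vsp-openshift` has a space before the colon and appears to be the same path as `vsp_openshift_dir` used above for the same files — if so, `nuage_plugin_crt_dir: "{{ vsp_openshift_dir }}"` avoids the duplicate. The `nuage_ca_master_plugin_crt` line ends with trailing whitespace.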