add ipsec addon config

mandarjog · May 16, 2016 · e9236b1 · e9236b1
1 parent 767efcf
commit e9236b1
Show file tree

Hide file tree

Showing 2 changed files with 51 additions and 7 deletions.
diff --git a/awsdeploy1.7.1_prepared_example.yml b/awsdeploy1.7.1_prepared_example.yml
@@ -2,8 +2,8 @@ PIVNET_TOKEN: h6TTTTTTT
 __PREPARED__: true
 date: 2016-05-11 15:56:34.506636
 domain: mjog0f64e4.pcf-practice.com
-apps_domain: a.mjog0f64e4.pcf-practice.com
-system_domain: s.mjog0f64e4.pcf-practice.com
+apps_domain: mjog0f64e4.pcf-practice.com
+system_domain: mjog0f64e4.pcf-practice.com
 elastic-runtime:
   beta-ok: false
   cloudformation-template: pcf_1_7_cloudformation.json
@@ -31,12 +31,12 @@ ssh_private_key_path: /Users/mjog/.ssh/piv-ec2-mjog.pem
 ssl_cert_file: /Users/mjog/CFWORK/cfawsinit/Selfsigned/my-certificate.pem
 ssl_key_file: /Users/mjog/CFWORK/cfawsinit/Selfsigned/my-private-key.pem
 ssl_cert_arn: arn:aws:iam::375783000519:server-certificate/mjogCertificate
-# Set the following to true if cert_arn is self signed
 skip_cert_verify: true
-ipsec_instance_certificate: /path/to/instance_cert.pem
-ipsec_instance_private_key: /path/to/instance_key.pem
+ipsec_instance_certificate: /Users/mjog/CFWORK/cfawsinit/Selfsigned/my-certificate.pem
+ipsec_instance_private_key: /Users/mjog/CFWORK/cfawsinit/Selfsigned/my-private-key.pem
 ipsec_ca_certificates:
-  - /path/to/ca_cert.pem
+  - /Users/mjog/CFWORK/cfawsinit/Selfsigned/my-certificate.pem
+ipsec_release: ipsec-1.0.0.tgz
 stack-name: mjog-pcf-0f64e4
 uid: 0f64e4
 _START_INSTALLS_: false
diff --git a/opsmanapi.py b/opsmanapi.py
@@ -314,7 +314,7 @@ def boshlogin(self, out=None):
                 out)
         except Exception as ex:
             if 'Non-interactive UAA login is not supported'\
-                    not in str(ex.stderr):
+                    not in str(ex):
                 raise
 
         self._login = True
@@ -614,6 +614,50 @@ def get_bosh_director(self):
         # bosh director is the 1st ip after the reserved block
         return self.get_ip_insubnet(subnet.cidr_block, res_hosts+1)
 
+    def configure_ipsec(self):
+        if 'ipsec_release' not in self.opts:
+            print "Ipsec config skipped"
+            return self
+        jx = yaml.load(open(THIS_DIR+"/ipsec-addon.yml"))
+        ipsec = jx["addons"][0]["properties"]["ipsec"]
+        ipsec["instance_certificate"] = open(
+            self.opts["ipsec_instance_certificate"]).read()
+        ipsec["instance_private_key"] = open(
+            self.opts["ipsec_instance_private_key"]).read()
+        ipsec["ca_certificates"] = [
+            open(fl).read()
+            for fl in self.opts["ipsec_ca_certificates"]]
+
+        current = self.getJSON("/api/installation_settings")
+        # {'director-guid': {'az-us-west-2b': ['10.0.16.10']}}
+        pbosh =\
+            next(v for k, v in
+                 current["ip_assignments"]["assignments"].items()
+                 if k.startswith('p-bosh'))
+
+        boship = pbosh.values()[0].values()[0]
+
+        # only 1 network in the installation
+        nw = current["infrastructure"]["networks"][0]
+        ipsec["ipsec_subnets"] = [s["cidr"] for s in nw["subnets"]]
+        no_ipsec_subnets = [s["gateway"] for s in nw["subnets"]] + boship
+        ipsec["no_ipsec_subnets"] = [s+"/32" for s in no_ipsec_subnets]
+
+        # write the addon file
+        outfilename = "ipsec-addon-prepared.yml"
+        outfile = open(outfilename, "wt")
+        yaml.safe_dump(
+            jx, outfile, indent=2, default_flow_style=False)
+
+        self.copy_to_opsman(self.opts, outfilename, outfilename)
+        self.copy_to_opsman(
+            self.opts,
+            self.opts["ipsec_release"],
+            "ipsec-release.tgz")
+        self.bosh("upload release ipsec-release.tgz")
+        self.bosh("update runtime-config "+outfilename)
+        self.bosh("bosh releases")
+
     def configure(self, filename=None, action=None, force=False):
         force = force or '_FORCE_PREPARE_' in os.environ
         if force or not self.is_prepared():