Add CCD enviroment to VPN automation

[infra/tools.git] / infra / openvpn_automation / README.md

# Creating OpenVPN files for users

## Prerequisites

In order to follow the steps documented here, few things must be prepared
in advance.

* Access to required below Nordix OpenVPN/Jump servers with sudo access to infra user,
  +----------------+---------------+--------------------------------------+
  | Nordix OpenVPN |   IP ADDRESS  |              SSH ACCESS              |
  +================+===============+======================================+
  | ONAP-CityCloud |  77.81.6.42   | ssh <USER_ID>@77.81.6.42 -p 52413    |
  +----------------+---------------+--------------------------------------+
  | ONAP-Xerces    | 129.192.70.24 | ssh <USER_ID>@129.192.70.24 -p 52413 |
  +----------------+---------------+--------------------------------------+
  | Acumos         | 91.106.193.58 | ssh <USER_ID>@91.106.193.58 -p 52413 |
  +----------------+---------------+--------------------------------------+
  | CCD            | 188.212.109.53| ssh <USER_ID>@188.212.109.53 -p 52413|
  +----------------+---------------+--------------------------------------+

* Ensure SSH key based authentication enabled between Openvpn server and CA

* Login to required Nordix OpenVPN/Jump server from your machine

* Install virtualenv, python3-minimal, python3-dev, and python3-pip
```bash
sudo apt update
sudo apt install -y virtualenv python3-minimal python3-dev python3-pip
```
* Create and set virtualenv
```bash
virtualenv -p python3 .venv
source .venv/bin/activate
```
* Install Ansible 2.9.6
```
pip install ansible==2.9.6
```

## Generate User ovpn file

* Login to OpenVPN/Jump server with your credentials

* Clone infra/tools repository from Nordix Gerrit

```bash
git clone "https://gerrit.nordix.org/infra/tools"
```
You are now ready to create ovpn files for users in project specific OpenVPN server,

* Switch to infra user in OpenVPN/Jump server

* Change directory to you home directory from where repo cloned
```bash
cd <YOUR_HOME_DIR>/tools/infra/openvpn_automation
source <YOUR_HOME_DIR>/.venv/bin/activate
ansible-playbook -i inventory/inventory.ini openvpn_user_setup.yaml -e "client_name=<USERNAME_TO_CREATE_OVPN_CERT>"
```

NOTE:
* Client user ID should be user's username (first character of user firstname + lastname)
* {{ client_name }} should be given as per specific OpenvVPN servers listed below,
  +----------------+---------------+---------------------------+
  | Nordix OpenVPN |     CIDR      |    Client_name            |
  +================+===============+===========================+
  | ONAP-CityCloud | 10.1.0.0/24   | client_userid.onap        |
  |                | 10.2.0.0/24   |                           |
  +----------------+---------------+---------------------------+
  | ONAP-Xerces    | 10.10.10.0/24 | client_userid.xerces.onap |
  |                | 172.16.0.0/16 |                           |
  +----------------+---------------+---------------------------+
  | Acumos         | 10.1.0.0/24   | client_userid.acumos      |
  +----------------+---------------+---------------------------+
  | CCD            | 10.4.0.0/24   | client_userid.ccd         |
  +----------------+---------------+---------------------------+

* Once user specific ovpn file is generated, this file should be shared with user's email with below instructions,

  * Please install the openvpn on your laptop. Assuming you using Ubuntu:
    $ sudo apt install openvpn
  * Then you need to open the VPN connection using the .ovpn file which contain all the required certificates:
    $ sudo openvpn --config {{ client_name }}.ovpn
  * Now, you should have access to all the VMs directly from your laptop
    $ nmap -n -sP <CIDR>/24
  * In case you use Windows 10 OS, please use the community version of OpenVPN client:
    https://swupdate.openvpn.org/community/releases/openvpn-install-2.4.8-I602-Win10.exe


## Revoke User ovpn file

* Login to required Nordix OpenVPN/Jump server from your machine

* Clone infra/tools repository from Nordix Gerrit

```bash
git clone "ssh://<USERNAME>@gerrit.nordix.org:29418/infra/tools && scp -p -P 29418 <USERNAME>@gerrit.nordix.org:hooks/commit-msg "tools/.git/hooks/"
```
You are now ready to revoke Openvpn access for users in project specific OpenVPN server,

* Switch to infra user in OpenVPN/Jump server

* Change directory to you home directory from where repo cloned
```bash
cd <YOUR_HOME_DIR>/tools/infra/openvpn_automation
source <YOUR_HOME_DIR>/.venv/bin/activate
ansible-playbook -i inventory/inventory.ini openvpn_user_revoke.yaml -e "client_name=<USERNAME_TO_REVOKE_ACCESS>"
```
NOTE:
* Client user ID should be user's username (first character of user firstname + lastname)
* {{ client_name }} should be given as per specific OpenvVPN servers listed below,
  +----------------+---------------+---------------------------+
  | Nordix OpenVPN |     CIDR      |    Client_name            |
  +================+===============+===========================+
  | ONAP-CityCloud | 10.1.0.0/24   | client_userid.onap        |
  |                | 10.2.0.0/24   |                           |
  +----------------+---------------+---------------------------+
  | ONAP-Xerces    | 10.10.10.0/24 | client_userid.xerces.onap |
  |                | 172.16.0.0/16 |                           |
  +----------------+---------------+---------------------------+
  | Acumos         | 10.1.0.0/24   | client_userid.acumos      |
  +----------------+---------------+---------------------------+
  | CCD            | 10.4.0.0/24   | client_userid.ccd         |
  +----------------+---------------+---------------------------+

You are done!