Merge "Use correct variable for default certificate paths"

This commit is contained in:
Zuul 2018-12-02 09:25:42 +00:00 committed by Gerrit Code Review
commit 568fd4dcfd
9 changed files with 33 additions and 20 deletions


@ -6,6 +6,9 @@
# again. Persistent files allow for idempotency
container_config_directory: "/var/lib/kolla/config_files"
# The directory on the deploy host containing globals.yml.
node_config: "{{ CONFIG_DIR | default('/etc/kolla') }}"
# The directory to merge custom config files the kolla's config files
node_custom_config: "/etc/kolla/config"
@ -631,8 +634,8 @@ qdrouterd_user: "openstack"
haproxy_user: "openstack"
haproxy_enable_external_vip: "{{ 'no' if kolla_external_vip_address == kolla_internal_vip_address else 'yes' }}"
kolla_enable_tls_external: "no"
kolla_external_fqdn_cert: "{{ node_config_directory }}/certificates/haproxy.pem"
kolla_external_fqdn_cacert: "{{ node_config_directory }}/certificates/haproxy-ca.crt"
kolla_external_fqdn_cert: "{{ node_config }}/certificates/haproxy.pem"
kolla_external_fqdn_cacert: "{{ node_config }}/certificates/haproxy-ca.crt"
####################


@ -5,5 +5,5 @@
tasks:
- template:
src: "roles/common/templates/admin-openrc.sh.j2"
dest: "{{ CONFIG_DIR | default('/etc/kolla') }}/admin-openrc.sh"
dest: "{{ node_config }}/admin-openrc.sh"
run_once: True


@ -0,0 +1,3 @@
---
# Directory on deploy node (localhost) in which certificates are generated.
certificates_dir: "{{ node_config }}/certificates"


@ -2,17 +2,15 @@
- name: Ensuring config directories exist
become: true
file:
path: "{{ node_config_directory }}/{{ item }}"
path: "{{ certificates_dir }}/private"
state: "directory"
recurse: yes
with_items:
- "certificates/private"
- name: Creating SSL configuration file
become: true
template:
src: "{{ item }}.j2"
dest: "{{ node_config_directory }}/certificates/{{ item }}"
dest: "{{ certificates_dir }}/{{ item }}"
with_items:
- "openssl-kolla.cnf"
@ -20,12 +18,12 @@
become: true
command: creates="{{ item }}" openssl genrsa -out {{ item }}
with_items:
- "{{ node_config_directory }}/certificates/private/haproxy.key"
- "{{ certificates_dir }}/private/haproxy.key"
- name: Setting permissions on key
become: true
file:
path: "{{ node_config_directory }}/certificates/private/haproxy.key"
path: "{{ certificates_dir }}/certificates/private/haproxy.key"
mode: 0600
state: file
@ -33,23 +31,23 @@
become: true
command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \
-subj "/C=US/ST=NC/L=RTP/O=kolla/CN={{ kolla_external_fqdn }}" \
-config {{ node_config_directory }}/certificates/openssl-kolla.cnf \
-config {{ certificates_dir }}/openssl-kolla.cnf \
-days 3650 \
-extensions v3_req \
-key {{ node_config_directory }}/certificates/private/haproxy.key \
-key {{ certificates_dir }}/private/haproxy.key \
-out {{ item }}
with_items:
- "{{ node_config_directory }}/certificates/private/haproxy.crt"
- "{{ certificates_dir }}/private/haproxy.crt"
- name: Creating CA Certificate File
become: true
copy:
src: "{{ node_config_directory }}/certificates/private/haproxy.crt"
dest: "{{ node_config_directory }}/certificates/haproxy-ca.crt"
src: "{{ certificates_dir }}/private/haproxy.crt"
dest: "{{ kolla_external_fqdn_cacert }}"
- name: Creating Server PEM File
become: true
assemble:
src: "{{ node_config_directory }}/certificates/private"
dest: "{{ node_config_directory }}/certificates/haproxy.pem"
src: "{{ certificates_dir }}/private"
dest: "{{ kolla_external_fqdn_cert }}"
mode: 0600
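Review bot: The path in the "Setting permissions on key" task doubles the `certificates` segment — `certificates_dir` is defined as `{{ node_config }}/certificates` in the new role defaults, and the key is generated at `{{ certificates_dir }}/private/haproxy.key` two tasks earlier — so `mode: 0600` is applied to a path that does not exist and the generated private key keeps whatever permissions openssl gave it. As far as I recall, the `file` module with `state: file` on a missing path fails the task rather than skipping it, so the certificates run would likely stop here; either way the intended tightening never reaches the real key, and because `genrsa` is guarded by `creates=`, an existing key would keep its old mode on re-runs. Change the line to `path: "{{ certificates_dir }}/private/haproxy.key"` to match the other references in this hunk. The play containing these tasks starts before the first hunk.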


@ -44,7 +44,7 @@
- name: Checking fernet_token_expiry in globals.yml. Update fernet_token_expiry to allowed value if this task fails
run_once: true
local_action: command awk '/^fernet_token_expiry/ { print $2 }' "{{ CONFIG_DIR | default('/etc/kolla') }}/globals.yml"
local_action: command awk '/^fernet_token_expiry/ { print $2 }' "{{ node_config }}/globals.yml"
register: result
changed_when: false
failed_when: result.stdout | regex_replace('(60|120|180|240|300|360|600|720|900|1200|1800|3600|7200|10800|14400|21600|28800|43200|86400|604800)', '') | search(".+")


@ -11,7 +11,7 @@
# will pass, but only because nothing in the vault file has the format of a
# YAML dict item.
- name: Checking empty passwords in passwords.yml. Run kolla-genpwd if this task fails
local_action: command grep '^[^#].*:\s*$' "{{ CONFIG_DIR | default('/etc/kolla') }}/passwords.yml"
local_action: command grep '^[^#].*:\s*$' "{{ node_config }}/passwords.yml"
run_once: True
register: result
changed_when: false


@ -92,7 +92,7 @@ The default for TLS is disabled, to enable TLS networking:
.. code-block:: yaml
kolla_enable_tls_external: "yes"
kolla_external_fqdn_cert: "{{ node_config_directory }}/certificates/mycert.pem"
kolla_external_fqdn_cert: "{{ node_config }}/certificates/mycert.pem"
.. note::


@ -151,7 +151,7 @@ kolla_internal_vip_address: "10.10.10.254"
# TLS can be enabled. When TLS is enabled, certificates must be provided to
# allow clients to perform authentication.
#kolla_enable_tls_external: "no"
#kolla_external_fqdn_cert: "{{ node_config_directory }}/certificates/haproxy.pem"
#kolla_external_fqdn_cert: "{{ node_config }}/certificates/haproxy.pem"
##############


@ -0,0 +1,9 @@
---
upgrade:
- |
Changes the default path for certificates generated via ``kolla-ansible
certificates`` from ``{[ node_config_directory }}/certificates`` to
``{{ node_config }}``. ``{{ node_config }}`` is the directory containing
``globals.yml``, which by default is ``/etc/kolla/``. This makes
certificates consistent with other locally generated files, such as
``admin-openrc.sh``.