Use correct variable for default certificate paths
The variable {{ node_config_directory }} is used for the configuration directory on the remote hosts, and should not be used for paths on the deploy host (localhost). This changes the default value of the TLS certificate and CA file to reference {{ CONFIG_DIR }}, in line with the directory used for admin-openrc.sh (as of I0709482ead4b7a67e82796e17f85bde151e71bc0). This change also introduces a variable, {{ node_config }}, that references {{ CONFIG_DIR | default('/etc/kolla') }}, to remove duplication. Change-Id: Ibd82ac78630ebfff5824c329d7399e1e900c0ee0 Closes-Bug: #1804025
This commit is contained in:
parent
52319dabfb
commit
9223deeecd
@ -6,6 +6,9 @@
|
|||||||
# again. Persistent files allow for idempotency
|
# again. Persistent files allow for idempotency
|
||||||
container_config_directory: "/var/lib/kolla/config_files"
|
container_config_directory: "/var/lib/kolla/config_files"
|
||||||
|
|
||||||
|
# The directory on the deploy host containing globals.yml.
|
||||||
|
node_config: "{{ CONFIG_DIR | default('/etc/kolla') }}"
|
||||||
|
|
||||||
# The directory to merge custom config files the kolla's config files
|
# The directory to merge custom config files the kolla's config files
|
||||||
node_custom_config: "/etc/kolla/config"
|
node_custom_config: "/etc/kolla/config"
|
||||||
|
|
||||||
@ -621,8 +624,8 @@ qdrouterd_user: "openstack"
|
|||||||
haproxy_user: "openstack"
|
haproxy_user: "openstack"
|
||||||
haproxy_enable_external_vip: "{{ 'no' if kolla_external_vip_address == kolla_internal_vip_address else 'yes' }}"
|
haproxy_enable_external_vip: "{{ 'no' if kolla_external_vip_address == kolla_internal_vip_address else 'yes' }}"
|
||||||
kolla_enable_tls_external: "no"
|
kolla_enable_tls_external: "no"
|
||||||
kolla_external_fqdn_cert: "{{ node_config_directory }}/certificates/haproxy.pem"
|
kolla_external_fqdn_cert: "{{ node_config }}/certificates/haproxy.pem"
|
||||||
kolla_external_fqdn_cacert: "{{ node_config_directory }}/certificates/haproxy-ca.crt"
|
kolla_external_fqdn_cacert: "{{ node_config }}/certificates/haproxy-ca.crt"
|
||||||
|
|
||||||
|
|
||||||
####################
|
####################
|
||||||
|
@ -5,5 +5,5 @@
|
|||||||
tasks:
|
tasks:
|
||||||
- template:
|
- template:
|
||||||
src: "roles/common/templates/admin-openrc.sh.j2"
|
src: "roles/common/templates/admin-openrc.sh.j2"
|
||||||
dest: "{{ CONFIG_DIR | default('/etc/kolla') }}/admin-openrc.sh"
|
dest: "{{ node_config }}/admin-openrc.sh"
|
||||||
run_once: True
|
run_once: True
|
||||||
|
3
ansible/roles/certificates/defaults/main.yml
Normal file
3
ansible/roles/certificates/defaults/main.yml
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
---
|
||||||
|
# Directory on deploy node (localhost) in which certificates are generated.
|
||||||
|
certificates_dir: "{{ node_config }}/certificates"
|
@ -2,17 +2,15 @@
|
|||||||
- name: Ensuring config directories exist
|
- name: Ensuring config directories exist
|
||||||
become: true
|
become: true
|
||||||
file:
|
file:
|
||||||
path: "{{ node_config_directory }}/{{ item }}"
|
path: "{{ certificates_dir }}/private"
|
||||||
state: "directory"
|
state: "directory"
|
||||||
recurse: yes
|
recurse: yes
|
||||||
with_items:
|
|
||||||
- "certificates/private"
|
|
||||||
|
|
||||||
- name: Creating SSL configuration file
|
- name: Creating SSL configuration file
|
||||||
become: true
|
become: true
|
||||||
template:
|
template:
|
||||||
src: "{{ item }}.j2"
|
src: "{{ item }}.j2"
|
||||||
dest: "{{ node_config_directory }}/certificates/{{ item }}"
|
dest: "{{ certificates_dir }}/{{ item }}"
|
||||||
with_items:
|
with_items:
|
||||||
- "openssl-kolla.cnf"
|
- "openssl-kolla.cnf"
|
||||||
|
|
||||||
@ -20,12 +18,12 @@
|
|||||||
become: true
|
become: true
|
||||||
command: creates="{{ item }}" openssl genrsa -out {{ item }}
|
command: creates="{{ item }}" openssl genrsa -out {{ item }}
|
||||||
with_items:
|
with_items:
|
||||||
- "{{ node_config_directory }}/certificates/private/haproxy.key"
|
- "{{ certificates_dir }}/private/haproxy.key"
|
||||||
|
|
||||||
- name: Setting permissions on key
|
- name: Setting permissions on key
|
||||||
become: true
|
become: true
|
||||||
file:
|
file:
|
||||||
path: "{{ node_config_directory }}/certificates/private/haproxy.key"
|
path: "{{ certificates_dir }}/certificates/private/haproxy.key"
|
||||||
mode: 0600
|
mode: 0600
|
||||||
state: file
|
state: file
|
||||||
|
|
||||||
@ -33,23 +31,23 @@
|
|||||||
become: true
|
become: true
|
||||||
command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \
|
command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \
|
||||||
-subj "/C=US/ST=NC/L=RTP/O=kolla/CN={{ kolla_external_fqdn }}" \
|
-subj "/C=US/ST=NC/L=RTP/O=kolla/CN={{ kolla_external_fqdn }}" \
|
||||||
-config {{ node_config_directory }}/certificates/openssl-kolla.cnf \
|
-config {{ certificates_dir }}/openssl-kolla.cnf \
|
||||||
-days 3650 \
|
-days 3650 \
|
||||||
-extensions v3_req \
|
-extensions v3_req \
|
||||||
-key {{ node_config_directory }}/certificates/private/haproxy.key \
|
-key {{ certificates_dir }}/private/haproxy.key \
|
||||||
-out {{ item }}
|
-out {{ item }}
|
||||||
with_items:
|
with_items:
|
||||||
- "{{ node_config_directory }}/certificates/private/haproxy.crt"
|
- "{{ certificates_dir }}/private/haproxy.crt"
|
||||||
|
|
||||||
- name: Creating CA Certificate File
|
- name: Creating CA Certificate File
|
||||||
become: true
|
become: true
|
||||||
copy:
|
copy:
|
||||||
src: "{{ node_config_directory }}/certificates/private/haproxy.crt"
|
src: "{{ certificates_dir }}/private/haproxy.crt"
|
||||||
dest: "{{ node_config_directory }}/certificates/haproxy-ca.crt"
|
dest: "{{ kolla_external_fqdn_cacert }}"
|
||||||
|
|
||||||
- name: Creating Server PEM File
|
- name: Creating Server PEM File
|
||||||
become: true
|
become: true
|
||||||
assemble:
|
assemble:
|
||||||
src: "{{ node_config_directory }}/certificates/private"
|
src: "{{ certificates_dir }}/private"
|
||||||
dest: "{{ node_config_directory }}/certificates/haproxy.pem"
|
dest: "{{ kolla_external_fqdn_cert }}"
|
||||||
mode: 0600
|
mode: 0600
|
||||||
|
@ -44,7 +44,7 @@
|
|||||||
|
|
||||||
- name: Checking fernet_token_expiry in globals.yml. Update fernet_token_expiry to allowed value if this task fails
|
- name: Checking fernet_token_expiry in globals.yml. Update fernet_token_expiry to allowed value if this task fails
|
||||||
run_once: true
|
run_once: true
|
||||||
local_action: command awk '/^fernet_token_expiry/ { print $2 }' "{{ CONFIG_DIR | default('/etc/kolla') }}/globals.yml"
|
local_action: command awk '/^fernet_token_expiry/ { print $2 }' "{{ node_config }}/globals.yml"
|
||||||
register: result
|
register: result
|
||||||
changed_when: false
|
changed_when: false
|
||||||
failed_when: result.stdout | regex_replace('(60|120|180|240|300|360|600|720|900|1200|1800|3600|7200|10800|14400|21600|28800|43200|86400|604800)', '') | search(".+")
|
failed_when: result.stdout | regex_replace('(60|120|180|240|300|360|600|720|900|1200|1800|3600|7200|10800|14400|21600|28800|43200|86400|604800)', '') | search(".+")
|
||||||
|
@ -11,7 +11,7 @@
|
|||||||
# will pass, but only because nothing in the vault file has the format of a
|
# will pass, but only because nothing in the vault file has the format of a
|
||||||
# YAML dict item.
|
# YAML dict item.
|
||||||
- name: Checking empty passwords in passwords.yml. Run kolla-genpwd if this task fails
|
- name: Checking empty passwords in passwords.yml. Run kolla-genpwd if this task fails
|
||||||
local_action: command grep '^[^#].*:\s*$' "{{ CONFIG_DIR | default('/etc/kolla') }}/passwords.yml"
|
local_action: command grep '^[^#].*:\s*$' "{{ node_config }}/passwords.yml"
|
||||||
run_once: True
|
run_once: True
|
||||||
register: result
|
register: result
|
||||||
changed_when: false
|
changed_when: false
|
||||||
|
@ -92,7 +92,7 @@ The default for TLS is disabled, to enable TLS networking:
|
|||||||
.. code-block:: yaml
|
.. code-block:: yaml
|
||||||
|
|
||||||
kolla_enable_tls_external: "yes"
|
kolla_enable_tls_external: "yes"
|
||||||
kolla_external_fqdn_cert: "{{ node_config_directory }}/certificates/mycert.pem"
|
kolla_external_fqdn_cert: "{{ node_config }}/certificates/mycert.pem"
|
||||||
|
|
||||||
.. note::
|
.. note::
|
||||||
|
|
||||||
|
@ -151,7 +151,7 @@ kolla_internal_vip_address: "10.10.10.254"
|
|||||||
# TLS can be enabled. When TLS is enabled, certificates must be provided to
|
# TLS can be enabled. When TLS is enabled, certificates must be provided to
|
||||||
# allow clients to perform authentication.
|
# allow clients to perform authentication.
|
||||||
#kolla_enable_tls_external: "no"
|
#kolla_enable_tls_external: "no"
|
||||||
#kolla_external_fqdn_cert: "{{ node_config_directory }}/certificates/haproxy.pem"
|
#kolla_external_fqdn_cert: "{{ node_config }}/certificates/haproxy.pem"
|
||||||
|
|
||||||
|
|
||||||
##############
|
##############
|
||||||
|
9
releasenotes/notes/cert-path-65943386e62f1a8c.yaml
Normal file
9
releasenotes/notes/cert-path-65943386e62f1a8c.yaml
Normal file
@ -0,0 +1,9 @@
|
|||||||
|
---
|
||||||
|
upgrade:
|
||||||
|
- |
|
||||||
|
Changes the default path for certificates generated via ``kolla-ansible
|
||||||
|
certificates`` from ``{[ node_config_directory }}/certificates`` to
|
||||||
|
``{{ node_config }}``. ``{{ node_config }}`` is the directory containing
|
||||||
|
``globals.yml``, which by default is ``/etc/kolla/``. This makes
|
||||||
|
certificates consistent with other locally generated files, such as
|
||||||
|
``admin-openrc.sh``.
|
Loading…
Reference in New Issue
Block a user