Use correct variable for default certificate paths

The variable {{ node_config_directory }} is used for the configuration
directory on the remote hosts, and should not be used for paths on the
deploy host (localhost).

This changes the default values of the TLS certificate and CA file paths so
that they live under {{ CONFIG_DIR }} on the deploy host, in line with the
directory used for admin-openrc.sh (as of I0709482ead4b7a67e82796e17f85bde151e71bc0).

This change also introduces a variable, {{ node_config }}, that
references {{ CONFIG_DIR | default('/etc/kolla') }}, to remove
duplication.

Change-Id: Ibd82ac78630ebfff5824c329d7399e1e900c0ee0
Closes-Bug: #1804025
This commit is contained in:
caoyuan 2018-03-20 20:31:24 +08:00 committed by Mark Goddard
parent 52319dabfb
commit 9223deeecd
9 changed files with 33 additions and 20 deletions


@ -6,6 +6,9 @@
# again. Persistent files allow for idempotency # again. Persistent files allow for idempotency
container_config_directory: "/var/lib/kolla/config_files" container_config_directory: "/var/lib/kolla/config_files"
# The directory on the deploy host containing globals.yml.
node_config: "{{ CONFIG_DIR | default('/etc/kolla') }}"
# The directory to merge custom config files the kolla's config files # The directory to merge custom config files the kolla's config files
node_custom_config: "/etc/kolla/config" node_custom_config: "/etc/kolla/config"
@ -621,8 +624,8 @@ qdrouterd_user: "openstack"
haproxy_user: "openstack" haproxy_user: "openstack"
haproxy_enable_external_vip: "{{ 'no' if kolla_external_vip_address == kolla_internal_vip_address else 'yes' }}" haproxy_enable_external_vip: "{{ 'no' if kolla_external_vip_address == kolla_internal_vip_address else 'yes' }}"
kolla_enable_tls_external: "no" kolla_enable_tls_external: "no"
kolla_external_fqdn_cert: "{{ node_config_directory }}/certificates/haproxy.pem" kolla_external_fqdn_cert: "{{ node_config }}/certificates/haproxy.pem"
kolla_external_fqdn_cacert: "{{ node_config_directory }}/certificates/haproxy-ca.crt" kolla_external_fqdn_cacert: "{{ node_config }}/certificates/haproxy-ca.crt"
#################### ####################
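Review bot: The context line `node_custom_config: "/etc/kolla/config"` just below the new `node_config` definition is still hard-coded, so an operator who sets CONFIG_DIR now gets generated certificates and admin-openrc.sh under CONFIG_DIR while custom config overrides are still read from /etc/kolla/config. If that split is intentional it deserves a comment next to the value, e.g. `# Deliberately not derived from node_config; override if CONFIG_DIR is used.`; otherwise `node_custom_config: "{{ node_config }}/config"` would complete the de-duplication the commit message describes. Either way, leaving it unexplained invites the same confusion between deploy-host and remote paths that this change is fixing.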


@ -5,5 +5,5 @@
tasks: tasks:
- template: - template:
src: "roles/common/templates/admin-openrc.sh.j2" src: "roles/common/templates/admin-openrc.sh.j2"
dest: "{{ CONFIG_DIR | default('/etc/kolla') }}/admin-openrc.sh" dest: "{{ node_config }}/admin-openrc.sh"
run_once: True run_once: True


@ -0,0 +1,3 @@
---
# Directory on deploy node (localhost) in which certificates are generated.
certificates_dir: "{{ node_config }}/certificates"


@ -2,17 +2,15 @@
- name: Ensuring config directories exist - name: Ensuring config directories exist
become: true become: true
file: file:
path: "{{ node_config_directory }}/{{ item }}" path: "{{ certificates_dir }}/private"
state: "directory" state: "directory"
recurse: yes recurse: yes
with_items:
- "certificates/private"
- name: Creating SSL configuration file - name: Creating SSL configuration file
become: true become: true
template: template:
src: "{{ item }}.j2" src: "{{ item }}.j2"
dest: "{{ node_config_directory }}/certificates/{{ item }}" dest: "{{ certificates_dir }}/{{ item }}"
with_items: with_items:
- "openssl-kolla.cnf" - "openssl-kolla.cnf"
@ -20,12 +18,12 @@
become: true become: true
command: creates="{{ item }}" openssl genrsa -out {{ item }} command: creates="{{ item }}" openssl genrsa -out {{ item }}
with_items: with_items:
- "{{ node_config_directory }}/certificates/private/haproxy.key" - "{{ certificates_dir }}/private/haproxy.key"
- name: Setting permissions on key - name: Setting permissions on key
become: true become: true
file: file:
path: "{{ node_config_directory }}/certificates/private/haproxy.key" path: "{{ certificates_dir }}/certificates/private/haproxy.key"
mode: 0600 mode: 0600
state: file state: file
@ -33,23 +31,23 @@
become: true become: true
command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \ command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \
-subj "/C=US/ST=NC/L=RTP/O=kolla/CN={{ kolla_external_fqdn }}" \ -subj "/C=US/ST=NC/L=RTP/O=kolla/CN={{ kolla_external_fqdn }}" \
-config {{ node_config_directory }}/certificates/openssl-kolla.cnf \ -config {{ certificates_dir }}/openssl-kolla.cnf \
-days 3650 \ -days 3650 \
-extensions v3_req \ -extensions v3_req \
-key {{ node_config_directory }}/certificates/private/haproxy.key \ -key {{ certificates_dir }}/private/haproxy.key \
-out {{ item }} -out {{ item }}
with_items: with_items:
- "{{ node_config_directory }}/certificates/private/haproxy.crt" - "{{ certificates_dir }}/private/haproxy.crt"
- name: Creating CA Certificate File - name: Creating CA Certificate File
become: true become: true
copy: copy:
src: "{{ node_config_directory }}/certificates/private/haproxy.crt" src: "{{ certificates_dir }}/private/haproxy.crt"
dest: "{{ node_config_directory }}/certificates/haproxy-ca.crt" dest: "{{ kolla_external_fqdn_cacert }}"
- name: Creating Server PEM File - name: Creating Server PEM File
become: true become: true
assemble: assemble:
src: "{{ node_config_directory }}/certificates/private" src: "{{ certificates_dir }}/private"
dest: "{{ node_config_directory }}/certificates/haproxy.pem" dest: "{{ kolla_external_fqdn_cert }}"
mode: 0600 mode: 0600
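Review bot: The "Setting permissions on key" task now points at `path: "{{ certificates_dir }}/certificates/private/haproxy.key"`, but the key is generated two tasks earlier at `{{ certificates_dir }}/private/haproxy.key` — the `certificates` segment is doubled, since `certificates_dir` already ends in `/certificates`. With `state: file` the file module fails on a missing path, so the play should stop here; if it does not (or if this is later relaxed), the real private key keeps whatever mode `openssl genrsa` left on it, which depends on the OpenSSL version and umask rather than on this task. The line should read `path: "{{ certificates_dir }}/private/haproxy.key"`, matching the genrsa and `-key` arguments above it. It would also be worth asserting the intended mode on the generated `haproxy.crt` and on `haproxy-ca.crt` explicitly rather than relying on defaults, given these run with `become: true`.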


@ -44,7 +44,7 @@
- name: Checking fernet_token_expiry in globals.yml. Update fernet_token_expiry to allowed value if this task fails - name: Checking fernet_token_expiry in globals.yml. Update fernet_token_expiry to allowed value if this task fails
run_once: true run_once: true
local_action: command awk '/^fernet_token_expiry/ { print $2 }' "{{ CONFIG_DIR | default('/etc/kolla') }}/globals.yml" local_action: command awk '/^fernet_token_expiry/ { print $2 }' "{{ node_config }}/globals.yml"
register: result register: result
changed_when: false changed_when: false
failed_when: result.stdout | regex_replace('(60|120|180|240|300|360|600|720|900|1200|1800|3600|7200|10800|14400|21600|28800|43200|86400|604800)', '') | search(".+") failed_when: result.stdout | regex_replace('(60|120|180|240|300|360|600|720|900|1200|1800|3600|7200|10800|14400|21600|28800|43200|86400|604800)', '') | search(".+")


@ -11,7 +11,7 @@
# will pass, but only because nothing in the vault file has the format of a # will pass, but only because nothing in the vault file has the format of a
# YAML dict item. # YAML dict item.
- name: Checking empty passwords in passwords.yml. Run kolla-genpwd if this task fails - name: Checking empty passwords in passwords.yml. Run kolla-genpwd if this task fails
local_action: command grep '^[^#].*:\s*$' "{{ CONFIG_DIR | default('/etc/kolla') }}/passwords.yml" local_action: command grep '^[^#].*:\s*$' "{{ node_config }}/passwords.yml"
run_once: True run_once: True
register: result register: result
changed_when: false changed_when: false


@ -92,7 +92,7 @@ The default for TLS is disabled, to enable TLS networking:
.. code-block:: yaml .. code-block:: yaml
kolla_enable_tls_external: "yes" kolla_enable_tls_external: "yes"
kolla_external_fqdn_cert: "{{ node_config_directory }}/certificates/mycert.pem" kolla_external_fqdn_cert: "{{ node_config }}/certificates/mycert.pem"
.. note:: .. note::


@ -151,7 +151,7 @@ kolla_internal_vip_address: "10.10.10.254"
# TLS can be enabled. When TLS is enabled, certificates must be provided to # TLS can be enabled. When TLS is enabled, certificates must be provided to
# allow clients to perform authentication. # allow clients to perform authentication.
#kolla_enable_tls_external: "no" #kolla_enable_tls_external: "no"
#kolla_external_fqdn_cert: "{{ node_config_directory }}/certificates/haproxy.pem" #kolla_external_fqdn_cert: "{{ node_config }}/certificates/haproxy.pem"
############## ##############


@ -0,0 +1,9 @@
---
upgrade:
- |
Changes the default path for certificates generated via ``kolla-ansible
certificates`` from ``{[ node_config_directory }}/certificates`` to
``{{ node_config }}``. ``{{ node_config }}`` is the directory containing
``globals.yml``, which by default is ``/etc/kolla/``. This makes
certificates consistent with other locally generated files, such as
``admin-openrc.sh``.