Generate Root CA for Self-Signed Certificates

Update the certificate generation task to create a root CA for the
self-signed certificates. The internal and external facing certificates
are then generated using the root CA.

Updated openstack_cacert in the CI tests to use the system CA trust store
by default.

Change-Id: I6c2adff7d0128146cf086103ff6060b0dcefa37b
Partially-Implements: blueprint add-ssl-internal-network
James Kirsch 2020-05-27 14:08:31 -07:00
parent a64b4395d2
commit a982d3acbb
7 changed files with 216 additions and 107 deletions


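--- /dev/null
+++ b/<vars-file-path-not-shown>
@@ -0,0 +1,5 @@
+---
+root_dir: "{{ kolla_certificates_dir }}/private/root"
+external_dir: "{{ kolla_certificates_dir }}/private/external"
+internal_dir: "{{ kolla_certificates_dir }}/private/internal"
+backend_dir: "{{ kolla_certificates_dir }}/private/backend"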


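--- /dev/null
+++ b/<tasks-dir-not-shown>/generate-backend.yml
+---
+- name: Ensuring private backend directory exist
+file:
+path: "{{ backend_dir }}"
+state: "directory"
+mode: "0770"
+- name: Creating backend SSL configuration file
+template:
+src: "{{ item }}.j2"
+dest: "{{ kolla_certificates_dir }}/{{ item }}"
+mode: "0660"
+with_items:
+- "openssl-kolla-backend.cnf"
+- name: Creating backend Server Certificate key
+command: >
+openssl genrsa
+-out "{{ backend_dir }}/backend.key" 2048
+args:
+creates: "{{ kolla_tls_backend_key }}"
+- name: Creating backend Server Certificate signing request
+command: >
+openssl req
+-new
+-key "{{ backend_dir }}/backend.key"
+-out "{{ backend_dir }}/backend.csr"
+-config "{{ kolla_certificates_dir }}/openssl-kolla-backend.cnf"
+-sha256
+args:
+creates: "{{ backend_dir }}/backend.csr"
+- name: Creating backend Server Certificate
+command: >
+openssl x509
+-req
+-in "{{ backend_dir }}/backend.csr"
+-CA "{{ root_dir }}/root.crt"
+-CAkey "{{ root_dir }}/root.key"
+-CAcreateserial
+-out "{{ backend_dir }}/backend.crt"
+-days 500
+-sha256
+args:
+creates: "{{ backend_dir }}/backend.crt"
+- name: Setting permissions on backend key
+file:
+path: "{{ backend_dir }}/backend.key"
+mode: "0660"
+state: file
+- name: Copy backend cert to default configuration location
+copy:
+src: "{{ backend_dir }}/backend.crt"
+dest: "{{ kolla_certificates_dir }}/backend-cert.pem"
+mode: "0660"
+- name: Copy backend key to default configuration location
+copy:
+src: "{{ backend_dir }}/backend.key"
+dest: "{{ kolla_certificates_dir }}/backend-key.pem"
+mode: "0660"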
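Review bot: The `creates` guard on the "Creating backend Server Certificate key" task checks `{{ kolla_tls_backend_key }}` while the command writes `{{ backend_dir }}/backend.key`, so the guard is tied to a path this task never produces and the key is either regenerated on every run or never regenerated when it is missing — unlike the CSR and certificate tasks below it, whose guards name their own output; change it to `creates: "{{ backend_dir }}/backend.key"`. Separately, the `openssl x509 -req` signing step here, and the matching external and internal signing tasks in generate.yml, pass no `-extfile`/`-extensions`, and `x509 -req` does not carry the CSR's extensions into the issued certificate, so whatever the `v3_req` section referenced by the removed `-extensions v3_req` provided (presumably the subjectAltName entries) is no longer present in the leaf certificates. Adding `-extfile "{{ kolla_certificates_dir }}/openssl-kolla-backend.cnf"` and `-extensions v3_req` to the signing command (and the equivalent `.cnf` for the external and internal tasks) restores them. The `openssl-kolla*.cnf.j2` templates are not in this change, so confirm which section actually carries the SAN entries before picking the section name.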


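--- /dev/null
+++ b/<tasks-dir-not-shown>/generate-root.yml
+---
+- name: Ensuring ca directory exist
+file:
+path: "{{ kolla_certificates_dir }}/ca"
+state: "directory"
+mode: "0770"
+- name: Ensuring private root directory exist
+file:
+path: "{{ root_dir }}"
+state: "directory"
+mode: "0770"
+- name: Creating root Certificate key
+command: >
+openssl genrsa
+-out "{{ root_dir }}/root.key"
+4096
+args:
+creates: "{{ root_dir }}/root.key"
+- name: Creating and sign root Certificate
+command: >
+openssl req
+-x509
+-new -nodes
+-key "{{ root_dir }}/root.key"
+-sha256
+-days 1024
+-out "{{ root_dir }}/root.crt"
+-subj "/CN=KollaTestCA/"
+args:
+creates: "{{ root_dir }}/root.crt"
+- name: Setting permissions on root key
+file:
+path: "{{ root_dir }}/root.key"
+mode: "0660"
+state: file
+- name: Creating root Certificate file to be included in container trusted ca-certificates
+copy:
+src: "{{ root_dir }}/root.crt"
+dest: "{{ kolla_certificates_dir }}/ca/root.crt"
+mode: "0660"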
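Review bot: The "Creating and sign root Certificate" task passes no `-config` or `-extensions`, so whether `root.crt` carries `basicConstraints CA:TRUE` (and a `keyCertSign` key usage) depends on the host's default openssl.cnf and OpenSSL version rather than on this task, and a root without them is not accepted as an issuer by OpenSSL-based verifiers for the leaf certificates signed in generate.yml and generate-backend.yml. Pinning the CA profile in the command itself removes that host dependency, e.g. adding `-addext "basicConstraints=critical,CA:TRUE"` and `-addext "keyUsage=critical,keyCertSign,cRLSign"` (OpenSSL 1.1.1 or newer). The signing tasks' `-CAcreateserial` will also create `root.srl` beside `root.crt` in `{{ root_dir }}`, which is worth a comment on the "Ensuring private root directory exist" task, such as `# root.srl is written here by -CAcreateserial in the signing tasks`. The CA key is left group-writable (`mode: "0660"`) like the server keys; for the key that signs everything else, `"0600"` would be the more defensible default even for a test CA.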


@ -1,35 +1,14 @@
---
- name: Ensuring private internal directory exist
file:
path: "{{ kolla_certificates_dir }}/private/internal"
path: "{{ internal_dir }}"
state: "directory"
recurse: yes
mode: "0770"
- name: Ensuring private external directory exist
file:
path: "{{ kolla_certificates_dir }}/private/external"
path: "{{ external_dir }}"
state: "directory"
recurse: yes
mode: "0770"
- name: Ensuring backend certificate and key directories exist
file:
path: "{{ item | dirname }}"
state: "directory"
recurse: yes
mode: "0770"
when:
- kolla_enable_tls_backend | bool
with_items:
- "{{ kolla_tls_backend_cert }}"
- "{{ kolla_tls_backend_key }}"
- name: Ensuring ca directory exist
file:
path: "{{ kolla_certificates_dir }}/ca"
state: "directory"
recurse: yes
mode: "0770"
- block:
@ -40,56 +19,68 @@
mode: "0660"
with_items:
- "openssl-kolla.cnf"
- name: Creating external Key
command: creates="{{ item }}" openssl genrsa -out {{ item }}
with_items:
- "{{ kolla_certificates_dir }}/private/external/external.key"
- name: Creating external Server Certificate key
command: >
openssl genrsa
-out "{{ external_dir }}/external.key" 2048
args:
creates: "{{ external_dir }}/external.key"
- name: Creating external Server Certificate signing request
command: >
openssl req
-new
-key "{{ external_dir }}/external.key"
-out "{{ external_dir }}/external.csr"
-config "{{ kolla_certificates_dir }}/openssl-kolla.cnf"
-sha256
args:
creates: "{{ external_dir }}/external.csr"
- name: Creating external Server Certificate
command: >
openssl x509
-req
-in "{{ external_dir }}/external.csr"
-CA "{{ root_dir }}/root.crt"
-CAkey "{{ root_dir }}/root.key"
-CAcreateserial
-out "{{ external_dir }}/external.crt"
-days 365
-sha256
args:
creates: "{{ external_dir }}/external.crt"
- name: Setting permissions on external key
file:
path: "{{ kolla_certificates_dir }}/private/external/external.key"
path: "{{ external_dir }}/external.key"
mode: "0660"
state: file
- name: Creating external Server Certificate
command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \
-config {{ kolla_certificates_dir }}/openssl-kolla.cnf \
-days 3650 \
-extensions v3_req \
-key {{ kolla_certificates_dir }}/private/external/external.key \
-out {{ item }}
with_items:
- "{{ kolla_certificates_dir }}/private/external/external.crt"
- name: Creating external CA Certificate File
copy:
src: "{{ kolla_certificates_dir }}/private/external/external.crt"
dest: "{{ kolla_external_fqdn_cacert }}"
mode: "0660"
- name: Creating external Server PEM File
assemble:
src: "{{ kolla_certificates_dir }}/private/external"
regexp: '.*[crt|key]'
src: "{{ external_dir }}"
dest: "{{ kolla_external_fqdn_cert }}"
mode: "0660"
- name: Creating external CA Certificate File
copy:
src: "{{ root_dir }}/root.crt"
dest: "{{ kolla_external_fqdn_cacert }}"
mode: "0660"
when:
- kolla_enable_tls_external | bool
- block:
- name: Copy the external certificate crt to be the internal when internal + external are same network
copy:
src: "{{ kolla_certificates_dir }}/private/external/external.crt"
dest: "{{ kolla_certificates_dir }}/private/internal/internal.crt"
remote_src: yes
mode: "0660"
- name: Copy the external certificate key to be the internal when internal + external are same network
copy:
src: "{{ kolla_certificates_dir }}/private/external/external.key"
dest: "{{ kolla_certificates_dir }}/private/internal/internal.key"
remote_src: yes
mode: "0660"
- name: Copy the external PEM file to be the internal when internal + external are same network
copy:
src: "{{ kolla_external_fqdn_cert }}"
dest: "{{ kolla_internal_fqdn_cert }}"
remote_src: yes
mode: "0660"
- name: Copy the external CA Certificate file to be the internal when internal + external are same network
copy:
src: "{{ kolla_external_fqdn_cacert }}"
@ -109,68 +100,57 @@
mode: "0660"
with_items:
- "openssl-kolla-internal.cnf"
- name: Creating internal Key
command: creates="{{ item }}" openssl genrsa -out {{ item }}
with_items:
- "{{ kolla_certificates_dir }}/private/internal/internal.key"
- name: Creating internal Server Certificate key
command: >
openssl genrsa
-out "{{ internal_dir }}/internal.key" 2048
args:
creates: "{{ internal_dir }}/internal.key"
- name: Creating internal Server Certificate signing request
command: >
openssl req
-new
-key "{{ internal_dir }}/internal.key"
-out "{{ internal_dir }}/internal.csr"
-config "{{ kolla_certificates_dir }}/openssl-kolla-internal.cnf"
-sha256
args:
creates: "{{ internal_dir }}/internal.csr"
- name: Creating internal Server Certificate
command: >
openssl x509
-req
-in "{{ internal_dir }}/internal.csr"
-CA "{{ root_dir }}/root.crt"
-CAkey "{{ root_dir }}/root.key"
-CAcreateserial
-out "{{ internal_dir }}/internal.crt"
-days 365
-sha256
args:
creates: "{{ internal_dir }}/internal.crt"
- name: Setting permissions on internal key
file:
path: "{{ kolla_certificates_dir }}/private/internal/internal.key"
path: "{{ internal_dir }}/internal.key"
mode: "0660"
state: file
- name: Creating internal Server Certificate
command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \
-config {{ kolla_certificates_dir }}/openssl-kolla-internal.cnf \
-days 3650 \
-extensions v3_req \
-key {{ kolla_certificates_dir }}/private/internal/internal.key \
-out {{ item }}
with_items:
- "{{ kolla_certificates_dir }}/private/internal/internal.crt"
- name: Creating internal CA Certificate File
copy:
src: "{{ kolla_certificates_dir }}/private/internal/internal.crt"
src: "{{ root_dir }}/root.crt"
dest: "{{ kolla_internal_fqdn_cacert }}"
mode: "0660"
- name: Creating internal Server PEM File
assemble:
src: "{{ kolla_certificates_dir }}/private/internal"
regexp: '.*[crt|key]'
src: "{{ internal_dir }}"
dest: "{{ kolla_internal_fqdn_cert }}"
mode: "0660"
when:
- kolla_enable_tls_internal | bool
- not kolla_same_external_internal_vip | bool
- block:
- name: Creating backend SSL configuration file
template:
src: "{{ item }}.j2"
dest: "{{ kolla_certificates_dir }}/{{ item }}"
mode: "0660"
with_items:
- "openssl-kolla-backend.cnf"
- name: Creating backend Key
command: creates="{{ item }}" openssl genrsa -out {{ item }}
with_items:
- "{{ kolla_tls_backend_key }}"
- name: Setting permissions on backend key
file:
path: "{{ kolla_tls_backend_key }}"
mode: "0660"
state: file
- name: Creating backend Server Certificate
command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \
-config {{ kolla_certificates_dir }}/openssl-kolla-backend.cnf \
-days 3650 \
-extensions v3_req \
-key {{ kolla_tls_backend_key }} \
-out {{ item }}
with_items:
- "{{ kolla_tls_backend_cert }}"
- name: Creating backend Certificate file to be included in container trusted ca-certificates
copy:
src: "{{ kolla_tls_backend_cert }}"
dest: "{{ kolla_certificates_dir }}/ca/backend-cert.crt"
mode: "0660"
when:
- kolla_enable_tls_backend | bool
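Review bot: The `assemble` tasks for the external and internal PEM files (`src: "{{ external_dir }}"` / `src: "{{ internal_dir }}"`) now concatenate every file in those directories, and the directories gain `external.csr` / `internal.csr` from the new signing-request tasks, so the CSR is bundled into `kolla_external_fqdn_cert` / `kolla_internal_fqdn_cert` alongside the key and certificate. The removed `regexp: '.*[crt|key]'` was a character class rather than an alternation and would not have excluded it either, so an explicit filter is needed on both tasks: `regexp: '.*\.(crt|key)$'`. Whether the consumer of these PEM files tolerates the extra CERTIFICATE REQUEST block is not visible here, so confirm rather than rely on it. The `block:` entries that hold the external and internal tasks begin outside the second and third hunks.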


@ -1,2 +1,6 @@
---
- include_tasks: generate-root.yml
- include_tasks: generate.yml
- include_tasks: generate-backend.yml
when:
- kolla_enable_tls_backend | bool


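--- /dev/null
+++ b/<release-note-path-not-shown>
@@ -0,0 +1,11 @@
+---
+features:
+- |
+Self-signed TLS certificates can be used to test TLS in a
+development OpenStack environment. The ``kolla-ansible certificates``
+command will generate the required self-signed TLS certificates. This
+command has been updated to first create a self-signed root certificate
+authority. The command then generates the internal and external facing
+certificates and signs them using the root CA. If backend TLS is enabled,
+the command will generate the backend certificate and sign it with the
+root CA.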


@ -122,10 +122,10 @@ kolla_enable_tls_internal: "yes"
kolla_copy_ca_into_containers: "yes"
kolla_enable_tls_backend: "yes"
{% if base_distro == "ubuntu" or base_distro == "debian" %}
openstack_cacert: "/usr/local/share/ca-certificates/kolla-customca-haproxy-internal.crt"
openstack_cacert: "/etc/ssl/certs/ca-certificates.crt"
{% endif %}
{% if base_distro == "centos" %}
openstack_cacert: "/etc/pki/ca-trust/source/anchors/kolla-customca-haproxy-internal.crt"
openstack_cacert: "/etc/pki/tls/certs/ca-bundle.crt"
{% endif %}
{% endif %}
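Review bot: Pointing `openstack_cacert` at the distro's system bundle (`/etc/ssl/certs/ca-certificates.crt` on Debian/Ubuntu, `/etc/pki/tls/certs/ca-bundle.crt` on CentOS) only verifies the self-signed chain if the root CA written to `{{ kolla_certificates_dir }}/ca/root.crt` by generate-root.yml has been imported into the host trust store (`update-ca-certificates` / `update-ca-trust`) before the tests run; none of the changed files shows that step, so it presumably happens elsewhere in the CI job — confirm. The previous values referenced the kolla-provided anchor file directly and needed no host-side import, so this is a new ordering dependency worth a comment above these lines, e.g. `# requires the kolla root CA to be installed in the host trust store first`. The enclosing `{% if %}` blocks begin and end outside this hunk.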