From e2b9b2068e98148555527595bae64919ceb67c52 Mon Sep 17 00:00:00 2001
From: James Kirsch
Date: Mon, 29 Jun 2020 14:10:58 -0700
Subject: [PATCH] Add support for encrypting etcd service

This patch introduces an optional backend encryption for etcd service.

Change-Id: Ia259f7844b868dbc418ace595c87eb1b278d3d38
---
 ansible/group_vars/all.yml | 3 +-
 ansible/roles/etcd/defaults/main.yml | 4 ++
 ansible/roles/etcd/tasks/config.yml | 4 ++
 ansible/roles/etcd/tasks/copy-certs.yml | 50 +++++++++++++++++++
 ansible/roles/etcd/templates/etcd.json.j2 | 17 ++++++-
 .../notes/add-tls-etcd-cd2bd09cd69053be.yaml | 6 +++
 6 files changed, 82 insertions(+), 2 deletions(-)
 create mode 100644 ansible/roles/etcd/tasks/copy-certs.yml
 create mode 100644 releasenotes/notes/add-tls-etcd-cd2bd09cd69053be.yaml
diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index 1f9c7b12d4..dd774e8bac 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -266,7 +266,8 @@ elasticsearch_port: "9200"
 etcd_client_port: "2379"
 etcd_peer_port: "2380"
-etcd_protocol: "http"
+etcd_enable_tls: "{{ kolla_enable_tls_backend }}"
+etcd_protocol: "{{ 'https' if etcd_enable_tls | bool else 'http' }}"
 fluentd_syslog_port: "5140"
diff --git a/ansible/roles/etcd/defaults/main.yml b/ansible/roles/etcd/defaults/main.yml
index 0b85fb90e5..9dc0f9af2d 100644
--- a/ansible/roles/etcd/defaults/main.yml
+++ b/ansible/roles/etcd/defaults/main.yml
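Review bot: `etcd_protocol` is now derived from `etcd_enable_tls`, but nothing in the hunk ties the two together for an operator who already overrides `etcd_protocol` in an inventory; such an override keeps its own value while the certificate tasks in the etcd role follow `etcd_enable_tls`, so the scheme and the presence of certificates can silently disagree. A comment above the two new lines would make the contract explicit: `# etcd_protocol follows etcd_enable_tls; override etcd_enable_tls (not etcd_protocol) so the certificate tasks and the scheme stay in sync.` Whether the etcd listen and advertise URLs consume `etcd_protocol` is not visible in this hunk.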
@@ -18,6 +18,10 @@ etcd_services:
 ETCD_INITIAL_CLUSTER_STATE: "new"
 ETCD_OUT_FILE: "/var/log/kolla/etcd/etcd.log"
 KOLLA_CONFIG_STRATEGY: "{{ config_strategy }}"
+ ETCD_CERT_FILE: "{% if etcd_enable_tls | bool %}/etc/etcd/certs/etcd-cert.pem{% endif %}"
+ ETCD_KEY_FILE: "{% if etcd_enable_tls | bool %}/etc/etcd/certs/etcd-key.pem{% endif %}"
+ ETCD_PEER_CERT_FILE: "{% if etcd_enable_tls | bool %}/etc/etcd/certs/etcd-cert.pem{% endif %}"
+ ETCD_PEER_KEY_FILE: "{% if etcd_enable_tls | bool %}/etc/etcd/certs/etcd-key.pem{% endif %}"
 image: "{{ etcd_image_full }}"
 volumes: "{{ etcd_default_volumes + etcd_extra_volumes }}"
 dimensions: "{{ etcd_dimensions }}"
diff --git a/ansible/roles/etcd/tasks/config.yml b/ansible/roles/etcd/tasks/config.yml
index c07a2f8a8f..635cb2725a 100644
--- a/ansible/roles/etcd/tasks/config.yml
+++ b/ansible/roles/etcd/tasks/config.yml
@@ -25,5 +25,9 @@
 notify:
 - Restart {{ item.key }} container
+- include_tasks: copy-certs.yml
+ when:
+ - etcd_enable_tls | bool
+
 - include_tasks: check-containers.yml
 when: kolla_action != "config"
diff --git a/ansible/roles/etcd/tasks/copy-certs.yml b/ansible/roles/etcd/tasks/copy-certs.yml
new file mode 100644
index 0000000000..7601236f55
--- /dev/null
+++ b/ansible/roles/etcd/tasks/copy-certs.yml
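Review bot: The four new environment variables give etcd a server certificate and key but no trust anchor: there is no `ETCD_TRUSTED_CA_FILE`/`ETCD_CLIENT_CERT_AUTH` for the client port and no `ETCD_PEER_TRUSTED_CA_FILE`/`ETCD_PEER_CLIENT_CERT_AUTH` for the peer port, so the result is encrypted transport with server authentication only, and a connection to either port is accepted without the other side presenting a certificate. That matches the "TLS encryption" wording of the release note, but the defaults should say so too, e.g. a comment above `ETCD_CERT_FILE`: `# Server-side TLS only: clients and peers are not verified; set the *_TRUSTED_CA_FILE / *_CLIENT_CERT_AUTH options to require mutual TLS.` If mutual authentication is wanted later, the CA that issued the backend certificate would also have to be delivered into the container through a further `config_files` entry in etcd.json.j2, which this patch does not add. The `etcd_services` mapping these keys belong to starts before this hunk.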
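Review bot: Gating the whole include on `etcd_enable_tls | bool` also skips the first task in copy-certs.yml, which copies the extra CA certificates and is itself conditioned on `kolla_copy_ca_into_containers`; with backend TLS off and CA copying on, the etcd container receives no CA bundle, while the certificate and key tasks in copy-certs.yml carry their own `etcd_enable_tls` checks anyway, which this include makes redundant. Widening the include to `when: kolla_copy_ca_into_containers | bool or etcd_enable_tls | bool` and keeping the per-task conditions lets each task decide for itself, as the per-task `when` blocks already do. Whether other roles in this tree follow that pattern is not visible here.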
@@ -0,0 +1,50 @@
+---
+- name: "{{ project_name }} | Copying over extra CA certificates"
+ become: true
+ copy:
+ src: "{{ kolla_certificates_dir }}/ca/"
+ dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+ mode: "0644"
+ when:
+ - kolla_copy_ca_into_containers | bool
+ with_dict: "{{ etcd_services | select_services_enabled_and_mapped_to_host }}"
+ notify:
+ - "Restart {{ item.key }} container"
+
+- name: "{{ project_name }} | Copying over etcd TLS certificate"
+ vars:
+ certs:
+ - "{{ kolla_certificates_dir }}/{{ inventory_hostname }}/{{ project_name }}-cert.pem"
+ - "{{ kolla_certificates_dir }}/{{ inventory_hostname }}-cert.pem"
+ - "{{ kolla_certificates_dir }}/{{ project_name }}-cert.pem"
+ - "{{ kolla_tls_backend_cert }}"
+ backend_tls_cert: "{{ lookup('first_found', certs) }}"
+ copy:
+ src: "{{ backend_tls_cert }}"
+ dest: "{{ node_config_directory }}/{{ item.key }}/{{ project_name }}-cert.pem"
+ mode: "0644"
+ become: true
+ with_dict: "{{ etcd_services | select_services_enabled_and_mapped_to_host }}"
+ notify:
+ - "Restart {{ item.key }} container"
+ when:
+ - etcd_enable_tls | bool
+
+- name: "{{ project_name }} | Copying over etcd TLS key"
+ vars:
+ keys:
+ - "{{ kolla_certificates_dir }}/{{ inventory_hostname }}/{{ project_name }}-key.pem"
+ - "{{ kolla_certificates_dir }}/{{ inventory_hostname }}-key.pem"
+ - "{{ kolla_certificates_dir }}/{{ project_name }}-key.pem"
+ - "{{ kolla_tls_backend_key }}"
+ backend_tls_key: "{{ lookup('first_found', keys) }}"
+ copy:
+ src: "{{ backend_tls_key }}"
+ dest: "{{ node_config_directory }}/{{ item.key }}/{{ project_name }}-key.pem"
+ mode: "0600"
+ become: true
+ with_dict: "{{ etcd_services | select_services_enabled_and_mapped_to_host }}"
+ notify:
+ - "Restart {{ item.key }} container"
+ when:
+ - etcd_enable_tls | bool
diff --git a/ansible/roles/etcd/templates/etcd.json.j2 b/ansible/roles/etcd/templates/etcd.json.j2
index 3ea11fd909..dfd66d2e19 100644
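Review bot: The `certs` and `keys` candidate lists encode a most-specific-first precedence that nothing in the file explains, and `lookup('first_found', ...)` without `errors: ignore` fails the task when none of the four paths exists, which is the right fail-closed behaviour for key material but will read as an unexplained error to whoever hits it. A comment above each list would spare the next reader a trip to the lookup docs: `# first_found takes the first existing path: per-host per-service, per-host, per-service, then the shared backend file; the task fails if none exists.` The private key is staged with `mode: "0600"` while the certificate gets `"0644"`; that asymmetry is deliberate and worth a one-line note as well, since etcd.json.j2 later sets both to 0600 inside the container.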
--- a/ansible/roles/etcd/templates/etcd.json.j2
+++ b/ansible/roles/etcd/templates/etcd.json.j2
@@ -1,3 +1,18 @@
 {
- "command": "etcd"
+ "command": "etcd",
+ "config_files": [
+ {% if etcd_enable_tls | bool %}
+ {
+ "source": "{{ container_config_directory }}/etcd-cert.pem",
+ "dest": "/etc/etcd/certs/etcd-cert.pem",
+ "owner": "etcd",
+ "perm": "0600"
+ },
+ {
+ "source": "{{ container_config_directory }}/etcd-key.pem",
+ "dest": "/etc/etcd/certs/etcd-key.pem",
+ "owner": "etcd",
+ "perm": "0600"
+ }{% endif %}
+ ]
 }
diff --git a/releasenotes/notes/add-tls-etcd-cd2bd09cd69053be.yaml b/releasenotes/notes/add-tls-etcd-cd2bd09cd69053be.yaml
new file mode 100644
index 0000000000..3addf1f1cb
--- /dev/null
+++ b/releasenotes/notes/add-tls-etcd-cd2bd09cd69053be.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ Add "etcd_enable_tls" configuration parameter which can be used to enable
+ TLS encryption for the etcd service. The default value of
+ "etcd_enable_tls" is set by the value of "kolla_enable_tls_backend".