diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index 7984fb4fa0..ef60395b26 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -266,7 +266,8 @@ elasticsearch_port: "9200"
 etcd_client_port: "2379"
 etcd_peer_port: "2380"
-etcd_protocol: "http"
+etcd_enable_tls: "{{ kolla_enable_tls_backend }}"
+etcd_protocol: "{{ 'https' if etcd_enable_tls | bool else 'http' }}"
 fluentd_syslog_port: "5140"
diff --git a/ansible/roles/etcd/defaults/main.yml b/ansible/roles/etcd/defaults/main.yml
index 0b85fb90e5..9dc0f9af2d 100644
--- a/ansible/roles/etcd/defaults/main.yml
+++ b/ansible/roles/etcd/defaults/main.yml
@@ -18,6 +18,10 @@ etcd_services:
       ETCD_INITIAL_CLUSTER_STATE: "new"
       ETCD_OUT_FILE: "/var/log/kolla/etcd/etcd.log"
       KOLLA_CONFIG_STRATEGY: "{{ config_strategy }}"
+      ETCD_CERT_FILE: "{% if etcd_enable_tls | bool %}/etc/etcd/certs/etcd-cert.pem{% endif %}"
+      ETCD_KEY_FILE: "{% if etcd_enable_tls | bool %}/etc/etcd/certs/etcd-key.pem{% endif %}"
+      ETCD_PEER_CERT_FILE: "{% if etcd_enable_tls | bool %}/etc/etcd/certs/etcd-cert.pem{% endif %}"
+      ETCD_PEER_KEY_FILE: "{% if etcd_enable_tls | bool %}/etc/etcd/certs/etcd-key.pem{% endif %}"
     image: "{{ etcd_image_full }}"
     volumes: "{{ etcd_default_volumes + etcd_extra_volumes }}"
     dimensions: "{{ etcd_dimensions }}"
diff --git a/ansible/roles/etcd/tasks/config.yml b/ansible/roles/etcd/tasks/config.yml
index c07a2f8a8f..635cb2725a 100644
--- a/ansible/roles/etcd/tasks/config.yml
+++ b/ansible/roles/etcd/tasks/config.yml
@@ -25,5 +25,9 @@
   notify:
     - Restart {{ item.key }} container
+- include_tasks: copy-certs.yml
+  when:
+    - etcd_enable_tls | bool
+
 - include_tasks: check-containers.yml
   when: kolla_action != "config"
diff --git a/ansible/roles/etcd/tasks/copy-certs.yml b/ansible/roles/etcd/tasks/copy-certs.yml
new file mode 100644
index 0000000000..7601236f55
--- /dev/null
+++ b/ansible/roles/etcd/tasks/copy-certs.yml
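Review bot: Defaulting `etcd_enable_tls` to `kolla_enable_tls_backend` means an upgrade of a deployment that already has backend TLS on flips `etcd_protocol` from http to https without any operator action. If the role's advertised client and peer URLs (outside this hunk) are built from `etcd_protocol`, an existing cluster keeps the http peer URLs recorded in its membership store at bootstrap, so members would have to be updated before the scheme change takes effect cleanly. Either make the new variable opt-in for now, `etcd_enable_tls: "no"` style defaults quoted as the rest of this file does, or add an upgrade note describing the member URL migration; at minimum a comment above the new line, `# Enabling TLS on an existing cluster changes the peer/client URL scheme; see upgrade notes`, would warn the next reader.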
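Review bot: The four added `ETCD_*_FILE` entries give both listeners a server certificate but no trust anchor and no client-certificate requirement, so with `etcd_enable_tls` on the peer port is encrypted yet peers are not authenticated to each other and any host that can reach it completes the handshake. If the deployment CA is available to the role, the same conditional should also set `ETCD_PEER_TRUSTED_CA_FILE`, `ETCD_TRUSTED_CA_FILE` and `ETCD_PEER_CLIENT_CERT_AUTH: "true"`; if it is intentionally left out, a comment above the block such as `# Server-side TLS only: peers and clients are encrypted but not mutually authenticated` should say so. Note also that when TLS is off these variables are exported as empty strings rather than omitted, which relies on etcd treating an empty path as unset. The enclosing `etcd_services` mapping starts before this hunk.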
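Review bot: The new `include_tasks: copy-certs.yml` is gated solely on `etcd_enable_tls | bool`, but the first task in that file copies the CA bundle under its own `kolla_copy_ca_into_containers` condition, so with TLS off the CA is never staged for etcd even when the operator asked for it globally. The include's condition should be widened to `when: etcd_enable_tls | bool or kolla_copy_ca_into_containers | bool`, leaving the per-task conditions inside copy-certs.yml to select what actually runs. Other roles in this tree appear to follow that pattern, though that is inferred rather than visible here.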
@@ -0,0 +1,50 @@
+---
+- name: "{{ project_name }} | Copying over extra CA certificates"
+  become: true
+  copy:
+    src: "{{ kolla_certificates_dir }}/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ etcd_services | select_services_enabled_and_mapped_to_host }}"
+  notify:
+    - "Restart {{ item.key }} container"
+
+- name: "{{ project_name }} | Copying over etcd TLS certificate"
+  vars:
+    certs:
+      - "{{ kolla_certificates_dir }}/{{ inventory_hostname }}/{{ project_name }}-cert.pem"
+      - "{{ kolla_certificates_dir }}/{{ inventory_hostname }}-cert.pem"
+      - "{{ kolla_certificates_dir }}/{{ project_name }}-cert.pem"
+      - "{{ kolla_tls_backend_cert }}"
+    backend_tls_cert: "{{ lookup('first_found', certs) }}"
+  copy:
+    src: "{{ backend_tls_cert }}"
+    dest: "{{ node_config_directory }}/{{ item.key }}/{{ project_name }}-cert.pem"
+    mode: "0644"
+  become: true
+  with_dict: "{{ etcd_services | select_services_enabled_and_mapped_to_host }}"
+  notify:
+    - "Restart {{ item.key }} container"
+  when:
+    - etcd_enable_tls | bool
+
+- name: "{{ project_name }} | Copying over etcd TLS key"
+  vars:
+    keys:
+      - "{{ kolla_certificates_dir }}/{{ inventory_hostname }}/{{ project_name }}-key.pem"
+      - "{{ kolla_certificates_dir }}/{{ inventory_hostname }}-key.pem"
+      - "{{ kolla_certificates_dir }}/{{ project_name }}-key.pem"
+      - "{{ kolla_tls_backend_key }}"
+    backend_tls_key: "{{ lookup('first_found', keys) }}"
+  copy:
+    src: "{{ backend_tls_key }}"
+    dest: "{{ node_config_directory }}/{{ item.key }}/{{ project_name }}-key.pem"
+    mode: "0600"
+  become: true
+  with_dict: "{{ etcd_services | select_services_enabled_and_mapped_to_host }}"
+  notify:
+    - "Restart {{ item.key }} container"
+  when:
+    - etcd_enable_tls | bool
diff --git a/ansible/roles/etcd/templates/etcd.json.j2 b/ansible/roles/etcd/templates/etcd.json.j2
index 3ea11fd909..dfd66d2e19 100644
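Review bot: The certificate and key tasks both carry `when: - etcd_enable_tls | bool`, which the include in config.yml already enforces, so the condition is either redundant here or, if the include gate is later widened to cover the CA task, the only effective one; pick one place and comment it. The `first_found` lists end with `kolla_tls_backend_cert` / `kolla_tls_backend_key`, so on a node with no per-host or etcd-specific pair the etcd member presents the shared backend key material, and the precedence is worth stating above each list, e.g. `# Precedence: per-host etcd pair, per-host pair, etcd pair, then the shared backend pair`. Host-side modes are appropriate (`0644` for the certificate, `0600` for the key). This file is new and complete within the hunk.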
--- a/ansible/roles/etcd/templates/etcd.json.j2
+++ b/ansible/roles/etcd/templates/etcd.json.j2
@@ -1,3 +1,18 @@
 {
-    "command": "etcd"
+    "command": "etcd",
+    "config_files": [
+        {% if etcd_enable_tls | bool %}
+        {
+            "source": "{{ container_config_directory }}/etcd-cert.pem",
+            "dest": "/etc/etcd/certs/etcd-cert.pem",
+            "owner": "etcd",
+            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/etcd-key.pem",
+            "dest": "/etc/etcd/certs/etcd-key.pem",
+            "owner": "etcd",
+            "perm": "0600"
+        }{% endif %}
+    ]
 }
diff --git a/releasenotes/notes/add-tls-etcd-cd2bd09cd69053be.yaml b/releasenotes/notes/add-tls-etcd-cd2bd09cd69053be.yaml
new file mode 100644
index 0000000000..3addf1f1cb
--- /dev/null
+++ b/releasenotes/notes/add-tls-etcd-cd2bd09cd69053be.yaml
@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Add "etcd_enable_tls" configuration parameter which can be used to enable
+    TLS encryption for the etcd service. The default value of
+    "etcd_enable_tls" is set by the value of "kolla_enable_tls_backend".
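Review bot: `config_files` only installs the certificate and key; the `ca-certificates` directory that copy-certs.yml stages under the same config directory is not referenced here, so unless the image entrypoint installs it on its own (not visible in this change), the container's trust store will not contain the deployment CA and nothing inside it can validate the https endpoints. Either add a conditional entry for `{{ container_config_directory }}/ca-certificates` or add a Jinja comment after the `{% if %}` line stating where the CA bundle is handled. Separately, the `0600` permission on the public certificate is stricter than the `0644` used on the host side; harmless, but a one-word comment would stop a future reader from "fixing" the inconsistency in either direction.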