openstack/kolla-ansible
Code Issues Proposed changes
9b8b7bf9b4
kolla-ansible/ansible/roles/certificates/tasks/generate.yml
James Kirsch b475643c11 Add support for encrypting backend Keystone HAProxy traffic 
This patch introduces an optional backend encryption for Keystone
service. When used in conjunction with enabling TLS for service API
endpoints, network communcation will be encrypted end to end, from
client through HAProxy to the Keystone service.

Change-Id: I6351147ddaff8b2ae629179a9bc3bae2ebac9519
Partially-Implements: blueprint add-ssl-internal-network
2020-04-09 09:22:55 +00:00

177 lines
6.1 KiB
YAML
Raw Blame History

---
- name: Ensuring private internal directory exist
file:
path: "{{ kolla_certificates_dir }}/private/internal"
state: "directory"
recurse: yes
mode: "0770"
- name: Ensuring private external directory exist
file:
path: "{{ kolla_certificates_dir }}/private/external"
state: "directory"
recurse: yes
mode: "0770"
- name: Ensuring backend certificate and key directories exist
file:
path: "{{ item | dirname }}"
state: "directory"
recurse: yes
mode: "0770"
when:
- kolla_enable_tls_backend | bool
with_items:
- "{{ kolla_tls_backend_cert }}"
- "{{ kolla_tls_backend_key }}"
- name: Ensuring ca directory exist
file:
path: "{{ kolla_certificates_dir }}/ca"
state: "directory"
recurse: yes
mode: "0770"
- block:
- name: Creating external SSL configuration file
template:
src: "{{ item }}.j2"
dest: "{{ kolla_certificates_dir }}/{{ item }}"
mode: "0660"
with_items:
- "openssl-kolla.cnf"
- name: Creating external Key
command: creates="{{ item }}" openssl genrsa -out {{ item }}
with_items:
- "{{ kolla_certificates_dir }}/private/external/external.key"
- name: Setting permissions on external key
file:
path: "{{ kolla_certificates_dir }}/private/external/external.key"
mode: "0660"
state: file
- name: Creating external Server Certificate
command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \
-config {{ kolla_certificates_dir }}/openssl-kolla.cnf \
-days 3650 \
-extensions v3_req \
-key {{ kolla_certificates_dir }}/private/external/external.key \
-out {{ item }}
with_items:
- "{{ kolla_certificates_dir }}/private/external/external.crt"
- name: Creating external CA Certificate File
copy:
src: "{{ kolla_certificates_dir }}/private/external/external.crt"
dest: "{{ kolla_external_fqdn_cacert }}"
mode: "0660"
- name: Creating external Server PEM File
assemble:
src: "{{ kolla_certificates_dir }}/private/external"
dest: "{{ kolla_external_fqdn_cert }}"
mode: "0660"
when:
- kolla_enable_tls_external | bool
- block:
- name: Copy the external certificate crt to be the internal when internal + external are same network
copy:
src: "{{ kolla_certificates_dir }}/private/external/external.crt"
dest: "{{ kolla_certificates_dir }}/private/internal/internal.crt"
remote_src: yes
mode: "0660"
- name: Copy the external certificate key to be the internal when internal + external are same network
copy:
src: "{{ kolla_certificates_dir }}/private/external/external.key"
dest: "{{ kolla_certificates_dir }}/private/internal/internal.key"
remote_src: yes
mode: "0660"
- name: Copy the external PEM file to be the internal when internal + external are same network
copy:
src: "{{ kolla_external_fqdn_cert }}"
dest: "{{ kolla_internal_fqdn_cert }}"
remote_src: yes
mode: "0660"
- name: Copy the external CA Certificate file to be the internal when internal + external are same network
copy:
src: "{{ kolla_external_fqdn_cacert }}"
dest: "{{ kolla_internal_fqdn_cacert }}"
remote_src: yes
mode: "0660"
when:
- kolla_enable_tls_external | bool
- kolla_enable_tls_internal | bool
- kolla_same_external_internal_vip | bool
- block:
- name: Creating internal SSL configuration file
template:
src: "{{ item }}.j2"
dest: "{{ kolla_certificates_dir }}/{{ item }}"
mode: "0660"
with_items:
- "openssl-kolla-internal.cnf"
- name: Creating internal Key
command: creates="{{ item }}" openssl genrsa -out {{ item }}
with_items:
- "{{ kolla_certificates_dir }}/private/internal/internal.key"
- name: Setting permissions on internal key
file:
path: "{{ kolla_certificates_dir }}/private/internal/internal.key"
mode: "0660"
state: file
- name: Creating internal Server Certificate
command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \
-config {{ kolla_certificates_dir }}/openssl-kolla-internal.cnf \
-days 3650 \
-extensions v3_req \
-key {{ kolla_certificates_dir }}/private/internal/internal.key \
-out {{ item }}
with_items:
- "{{ kolla_certificates_dir }}/private/internal/internal.crt"
- name: Creating internal CA Certificate File
copy:
src: "{{ kolla_certificates_dir }}/private/internal/internal.crt"
dest: "{{ kolla_internal_fqdn_cacert }}"
mode: "0660"
- name: Creating internal Server PEM File
assemble:
src: "{{ kolla_certificates_dir }}/private/internal"
dest: "{{ kolla_internal_fqdn_cert }}"
mode: "0660"
when:
- kolla_enable_tls_internal | bool
- not kolla_same_external_internal_vip | bool
- block:
- name: Creating backend SSL configuration file
template:
src: "{{ item }}.j2"
dest: "{{ kolla_certificates_dir }}/{{ item }}"
mode: "0660"
with_items:
- "openssl-kolla-backend.cnf"
- name: Creating backend Key
command: creates="{{ item }}" openssl genrsa -out {{ item }}
with_items:
- "{{ kolla_tls_backend_key }}"
- name: Setting permissions on backend key
file:
path: "{{ kolla_tls_backend_key }}"
mode: "0660"
state: file
- name: Creating backend Server Certificate
command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \
-config {{ kolla_certificates_dir }}/openssl-kolla-backend.cnf \
-days 3650 \
-extensions v3_req \
-key {{ kolla_tls_backend_key }} \
-out {{ item }}
with_items:
- "{{ kolla_tls_backend_cert }}"
- name: Creating backend Certificate file to be included in container trusted ca-certificates
copy:
src: "{{ kolla_tls_backend_cert }}"
dest: "{{ kolla_certificates_dir }}/ca/backend-cert.crt"
mode: "0660"
when:
- kolla_enable_tls_backend | bool
View Git Blame Copy Permalink