kolla-ansible/ansible/roles/octavia-certificates/tasks/main.yml
Matt Crees d9451f49f3 Add support for checking Octavia cert expiration
Adds a flag ``kolla-ansible octavia-certificates --check-expiry <days>``
to the ``octavia-certificates`` command to check if the certificates
will expire within a given number of days.

Change-Id: I869b8afd85fe282d823ecf3593aa22f94a61b2a0
2023-04-27 15:22:12 +01:00

52 lines
1.7 KiB
YAML

---
# This play adapts https://docs.openstack.org/octavia/victoria/admin/guides/certificates.html
# Kolla Ansible prepares the Server CA certificate and key for use by Octavia
# to generate Amphorae certificates.
# Kolla Ansible prepares and controls the Client CA certificate and key.
# Client CA is used to generate certificates for Octavia controllers.
- name: Check if any certificates are going to expire
include_tasks: check_expiry.yml
when: octavia_certs_check_expiry | bool
- block:
- name: Ensure server_ca and client_ca directories exist
file:
path: "{{ octavia_certs_work_dir }}/{{ item }}"
state: "directory"
mode: 0770
loop:
- server_ca
- client_ca
- name: Copy openssl.cnf
copy:
src: "{{ octavia_certs_openssl_cnf_path }}"
dest: "{{ octavia_certs_work_dir }}/openssl.cnf"
- import_tasks: server_ca.yml
- import_tasks: client_ca.yml
- import_tasks: client_cert.yml
- name: Ensure {{ node_custom_config }}/octavia directory exists
file:
path: "{{ node_custom_config }}/octavia"
state: "directory"
mode: 0770
- name: Copy the to-be-deployed keys and certs to {{ node_custom_config }}/octavia
copy:
src: "{{ octavia_certs_work_dir }}/{{ item.src }}"
dest: "{{ node_custom_config }}/octavia/{{ item.dest }}"
with_items:
- { src: "server_ca/server_ca.cert.pem", dest: "server_ca.cert.pem" }
- { src: "server_ca/server_ca.key.pem", dest: "server_ca.key.pem" }
- { src: "client_ca/client_ca.cert.pem", dest: "client_ca.cert.pem" }
- { src: "client_ca/client.cert-and-key.pem", dest: "client.cert-and-key.pem" }
when: not octavia_certs_check_expiry | bool