Add Ansible scripts to generate TLS certificates for testing

Working towards the blueprint that will add TLS protection for the external endpoints, kolla needs certificates. When kolla deploys OpenStack, the external VIP will need a server side certifcate. Clients that access those endpoints will need the public CA certificate that signed that certificate. This ansible script will create these two certificates to make it easy to use TLS in a test environment. The generated certificate files are: /etc/kolla/certificates/haproxy.pem (server side certificate) /etc/kolla/certificates/haproxy-ca.pem (CA certificate) The generated certificates are not suitable for use in a production environment, but will be useful for testing and verifying operations. Partially-implements: blueprint ssl-kolla Change-Id: I208777f9e5eee3bfb06810c7b18a2727beda234d
2016-02-20 14:54:41 -05:00 · 2016-02-20 14:54:41 -05:00 · fd28087229
parent 6fa1ce127d
commit fd28087229
5 changed files with 69 additions and 0 deletions
--- a/ansible/certificates.yml
+++ b/ansible/certificates.yml
@ -0,0 +1,4 @@
+---
+- hosts: all
+  roles:
+    - certificates
--- a/ansible/roles/certificates/tasks/generate.yml
+++ b/ansible/roles/certificates/tasks/generate.yml
@ -0,0 +1,41 @@
+---
+- name: Ensuring config directories exist
+  file:
+    path: "{{ node_config_directory }}/{{ item }}"
+    state: "directory"
+    recurse: yes
+  with_items:
+    - "certificates/private"
+
+- name: Creating SSL configuration file
+  template:
+    src: "{{ item }}.j2"
+    dest: "{{ node_config_directory }}/certificates/{{ item }}"
+  with_items:
+    - "openssl-kolla.cnf"
+
+- name: Creating Key
+  command: creates="{{ item }}" openssl genrsa -out {{ item }}
+  with_items:
+    - "{{ node_config_directory }}/certificates/private/haproxy.key"
+
+- name: Creating Server Certificate
+  command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \
+    -subj "/C=US/ST=NC/L=RTP/O=kolla/CN={{ kolla_external_address }}" \
+    -config {{ node_config_directory }}/certificates/openssl-kolla.cnf \
+    -days 3650 \
+    -extensions v3_req \
+    -key {{ node_config_directory }}/certificates/private/haproxy.key \
+    -out {{ item }}
+  with_items:
+    - "{{ node_config_directory }}/certificates/private/haproxy.crt"
+
+- name: Creating CA Certificate File
+  copy:
+    src: "{{ node_config_directory }}/certificates/private/haproxy.crt"
+    dest: "{{ node_config_directory }}/certificates/haproxy-ca.crt"
+
+- name: Creating Server PEM File
+  assemble:
+    src: "{{ node_config_directory }}/certificates/private"
+    dest: "{{ node_config_directory }}/certificates/haproxy.pem"
--- a/ansible/roles/certificates/tasks/main.yml
+++ b/ansible/roles/certificates/tasks/main.yml
@ -0,0 +1,2 @@
+---
+- include: generate.yml
--- a/ansible/roles/certificates/templates/openssl-kolla.cnf.j2
+++ b/ansible/roles/certificates/templates/openssl-kolla.cnf.j2
@ -0,0 +1,16 @@
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+
+[req_distinguished_name]
+countryName = US
+stateOrProvinceName = NC
+localityName = RTP
+organizationalUnitName = kolla
+commonName = {{ kolla_external_address }}
+
+[v3_req]
+subjectAltName = @alt_names
+
+[alt_names]
+IP.1 = {{ kolla_external_vip_address }}
--- a/tools/kolla-ansible
+++ b/tools/kolla-ansible
@ -41,6 +41,8 @@ Commands:
    deploy       Deploy and start all kolla containers
    post-deploy  Do post deploy on deploy node
    pull         Pull all images for containers (only pulls, no runnnig container changes)
+    reconfigure  Reconfigure OpenStack service
+    certificates Generate self-signed certificate for TLS *For Development Only*
 EOF
 }

@ -137,6 +139,10 @@ case "$1" in
        ACTION="Reconfigure OpenStack service"
        EXTRA_OPTS="$EXTRA_OPTS -e action=reconfigure"
        ;;
+(certificates)
+        ACTION="Generate TLS Certificates"
+        PLAYBOOK="${BASEDIR}/ansible/certificates.yml"
+        ;;
 (*)     usage
        exit 0
        ;;