diff --git a/ansible/certificates.yml b/ansible/certificates.yml
new file mode 100644
index 0000000000..410c698e99
--- /dev/null
+++ b/ansible/certificates.yml
@@ -0,0 +1,4 @@
+---
+- hosts: all
+ roles:
+ - certificates
diff --git a/ansible/roles/certificates/tasks/generate.yml b/ansible/roles/certificates/tasks/generate.yml
new file mode 100644
index 0000000000..dd82bbdd13
--- /dev/null
+++ b/ansible/roles/certificates/tasks/generate.yml
@@ -0,0 +1,41 @@
+---
+- name: Ensuring config directories exist
+ file:
+ path: "{{ node_config_directory }}/{{ item }}"
+ state: "directory"
+ recurse: yes
+ with_items:
+ - "certificates/private"
+
+- name: Creating SSL configuration file
+ template:
+ src: "{{ item }}.j2"
+ dest: "{{ node_config_directory }}/certificates/{{ item }}"
+ with_items:
+ - "openssl-kolla.cnf"
+
+- name: Creating Key
+ command: creates="{{ item }}" openssl genrsa -out {{ item }}
+ with_items:
+ - "{{ node_config_directory }}/certificates/private/haproxy.key"
+
+- name: Creating Server Certificate
+ command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \
+ -subj "/C=US/ST=NC/L=RTP/O=kolla/CN={{ kolla_external_address }}" \
+ -config {{ node_config_directory }}/certificates/openssl-kolla.cnf \
+ -days 3650 \
+ -extensions v3_req \
+ -key {{ node_config_directory }}/certificates/private/haproxy.key \
+ -out {{ item }}
+ with_items:
+ - "{{ node_config_directory }}/certificates/private/haproxy.crt"
+
+- name: Creating CA Certificate File
+ copy:
+ src: "{{ node_config_directory }}/certificates/private/haproxy.crt"
+ dest: "{{ node_config_directory }}/certificates/haproxy-ca.crt"
+
+- name: Creating Server PEM File
+ assemble:
+ src: "{{ node_config_directory }}/certificates/private"
+ dest: "{{ node_config_directory }}/certificates/haproxy.pem"
diff --git a/ansible/roles/certificates/tasks/main.yml b/ansible/roles/certificates/tasks/main.yml
new file mode 100644
index 0000000000..2403646bcf
--- /dev/null
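Review bot: `hosts: all` runs the certificate role on every inventory host, yet the role's `copy` and `assemble` tasks resolve their `src` on the controller (neither sets `remote_src`) while the `openssl` commands write on the target, so on a multi-node inventory the play either fails to find `haproxy.crt` or each node ends up with its own independently generated key pair behind the same VIP; this only lines up when the inventory uses a local connection. If the intent is one self-signed certificate produced on the deploy node, pin the play there, e.g. `- hosts: localhost` with `connection: local`, and let the existing config distribution carry the files; if every node really should generate locally, the role's `copy`/`assemble` tasks need `remote_src: true`. Either way the playbook should carry the same warning the usage text gives, e.g. `# Generates a self-signed certificate for HAProxy; development use only.`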
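Review bot: The private key and the assembled `haproxy.pem` (which embeds that key) are created with whatever the process umask and Ansible's default file mode give, because neither the `file` task for `certificates/private`, the `genrsa` command, nor the `assemble` task sets a `mode`; under the usual 022 umask the key material is world-readable. `openssl genrsa` is also invoked without a key size, so the strength depends on the installed OpenSSL's default (older releases default to 1024 bits); pass `2048` explicitly. `assemble` concatenates every file found in `private/` into the PEM, so any stray file dropped there would be served by HAProxy; a `regexp` limiting it to the two expected files narrows that. The inline `creates=` form and `recurse: yes` are the non-idiomatic spellings (`args: creates:` and `true`), and `recurse` sets no attribute here anyway, so it is dropped rather than letting it stamp the directory mode onto the files.
```yaml
- name: Ensuring config directories exist
  file:
    path: "{{ node_config_directory }}/{{ item }}"
    state: "directory"
    mode: "0700"
  with_items:
    - "certificates/private"

# … unchanged: SSL configuration file template task …

- name: Creating Key
  command: "openssl genrsa -out {{ item }} 2048"
  args:
    creates: "{{ item }}"
  with_items:
    - "{{ node_config_directory }}/certificates/private/haproxy.key"

- name: Restricting private key permissions
  file:
    path: "{{ node_config_directory }}/certificates/private/haproxy.key"
    mode: "0600"

# … unchanged: server certificate and CA certificate copy tasks …

- name: Creating Server PEM File
  assemble:
    src: "{{ node_config_directory }}/certificates/private"
    dest: "{{ node_config_directory }}/certificates/haproxy.pem"
    regexp: '^haproxy\.(crt|key)$'
    mode: "0600"
```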
+++ b/ansible/roles/certificates/tasks/main.yml
@@ -0,0 +1,2 @@
+---
+- include: generate.yml
diff --git a/ansible/roles/certificates/templates/openssl-kolla.cnf.j2 b/ansible/roles/certificates/templates/openssl-kolla.cnf.j2
new file mode 100644
index 0000000000..8ebf22caa2
--- /dev/null
+++ b/ansible/roles/certificates/templates/openssl-kolla.cnf.j2
@@ -0,0 +1,16 @@
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+
+[req_distinguished_name]
+countryName = US
+stateOrProvinceName = NC
+localityName = RTP
+organizationalUnitName = kolla
+commonName = {{ kolla_external_address }}
+
+[v3_req]
+subjectAltName = @alt_names
+
+[alt_names]
+IP.1 = {{ kolla_external_vip_address }}
diff --git a/tools/kolla-ansible b/tools/kolla-ansible
index 14c88dfe37..0a1965cdbb 100755
--- a/tools/kolla-ansible
+++ b/tools/kolla-ansible
@@ -41,6 +41,8 @@ Commands: deploy Deploy and start all kolla containers post-deploy Do post deploy on deploy node pull Pull all images for containers (only pulls, no runnnig container changes) + reconfigure Reconfigure OpenStack service + certificates Generate self-signed certificate for TLS *For Development Only* EOF } @@ -137,6 +139,10 @@ case "$1" in ACTION="Reconfigure OpenStack service" EXTRA_OPTS="$EXTRA_OPTS -e action=reconfigure" ;; +(certificates) + ACTION="Generate TLS Certificates" + PLAYBOOK="${BASEDIR}/ansible/certificates.yml" + ;; (*) usage exit 0 ;;
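Review bot: The `[alt_names]` section carries only `IP.1 = {{ kolla_external_vip_address }}` while the certificate's CN is `{{ kolla_external_address }}`; whenever that variable is a hostname rather than the VIP, clients that match on SAN alone (current browsers and most TLS libraries) will reject the certificate even though the CN matches. Add `DNS.1 = {{ kolla_external_address }}` under `[alt_names]` so the name the CN advertises is also present as a SAN. The `[req_distinguished_name]` values are also dead as written, because the `openssl req` call in generate.yml passes `-subj`, which supersedes them — which is how the `O=kolla` on the command line and the `organizationalUnitName = kolla` here can disagree unnoticed; a comment such as `# DN values below are overridden by -subj in tasks/generate.yml; the section must still exist for req` would spare the next reader that confusion.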