Ensure self-signed certificates are distributed

Currently when executing the role across multiple hosts
and using self-signed certificates, each host has its
own certificates.

This patch uses the same model as os_keystone to
facilitate SSL key/cert distribution across multiple
hosts if the cert is self-signed.

Change-Id: I0a4a2340a56aa657380d7fa49be24a0c4407d070
Closes-Bug: #1635274

tasks/haproxy_ssl.yml

@@ -0,0 +1,28 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Ensure the private ssl directory exists
+  file:
+    dest: "/etc/ssl/private"
+    state: "directory"
+  tags:
+    - haproxy-ssl
+
+- include: haproxy_ssl_self_signed.yml
+  when:
+    - haproxy_ssl | bool
+    - haproxy_user_ssl_cert is not defined or haproxy_user_ssl_key is not defined
+
+- include: haproxy_ssl_user_provided.yml

tasks/haproxy_ssl_key_create.yml

@@ -0,0 +1,40 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Remove self signed certs and keys for regen
+  file:
+    dest: "{{ item }}"
+    state: "absent"
+  with_items:
+    - "{{ haproxy_ssl_pem }}"
+    - "{{ haproxy_ssl_key }}"
+    - "{{ haproxy_ssl_cert }}"
+  when: haproxy_ssl_self_signed_regen | bool
+  tags:
+    - haproxy-ssl
+
+- name: Create self-signed ssl cert
+  command: >
+    openssl req -new -nodes -sha256 -x509 -subj
+    "{{ haproxy_ssl_self_signed_subject }}"
+    -days 3650
+    -keyout {{ haproxy_ssl_key }}
+    -out {{ haproxy_ssl_cert }}
+    -extensions v3_ca
+    creates={{ haproxy_ssl_cert }}
+  notify:
+    - regen pem
+  tags:
+    - haproxy-ssl

tasks/haproxy_ssl_key_distribute.yml

@@ -0,0 +1,34 @@
+---
+# Copyright 2014, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Distribute self signed ssl key
+  copy:
+    dest: "{{ haproxy_ssl_key }}"
+    content: "{{ hostvars[groups['haproxy_all'][0]]['haproxy_ssl_key_fact'] | b64decode }}"
+    mode: "0640"
+  notify:
+    - regen pem
+  tags:
+    - haproxy-ssl
+
+- name: Distribute self signed ssl cert
+  copy:
+    dest: "{{ haproxy_ssl_cert }}"
+    content: "{{ hostvars[groups['haproxy_all'][0]]['haproxy_ssl_cert_fact'] | b64decode }}"
+    mode: "0640"
+  notify:
+    - regen pem
+  tags:
+    - haproxy-ssl

tasks/haproxy_ssl_key_store.yml

@@ -0,0 +1,31 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Store ssl cert
+  slurp:
+    src: "{{ haproxy_ssl_cert }}"
+  register: _haproxy_ssl_cert
+  changed_when: false
+
+- name: Store ssl key
+  slurp:
+    src: "{{ haproxy_ssl_key }}"
+  register: _haproxy_ssl_key
+  changed_when: false
+
+- name: Register a fact for the cert and key
+  set_fact:
+    haproxy_ssl_cert_fact: "{{ _haproxy_ssl_cert.content }}"
+    haproxy_ssl_key_fact: "{{ _haproxy_ssl_key.content }}"

tasks/haproxy_ssl_self_signed.yml

@@ -0,0 +1,23 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- include: haproxy_ssl_key_create.yml
+  when: inventory_hostname == groups['haproxy_all'][0]
+
+- include: haproxy_ssl_key_store.yml
+  when: inventory_hostname == groups['haproxy_all'][0]
+
+- include: haproxy_ssl_key_distribute.yml
+  when: inventory_hostname != groups['haproxy_all'][0]

tasks/haproxy_ssl_user_provided.yml

@@ -1,5 +1,5 @@
 ---
-# Copyright 2015, Jean-Philippe Evrard <jean-philippe.evrard@belnet.be>
+# Copyright 2015, Rackspace US, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- name: Deploy user provided ssl cert
+- name: Drop user provided ssl cert
   copy:
     src: "{{ haproxy_user_ssl_cert }}"
     dest: "{{ haproxy_ssl_cert }}"
@@ -26,13 +26,13 @@
   tags:
     - haproxy-ssl
 
-- name: Deploy user provided ssl key
+- name: Drop user provided ssl key
   copy:
     src: "{{ haproxy_user_ssl_key }}"
     dest: "{{ haproxy_ssl_key }}"
     owner: "root"
     group: "root"
-    mode: "0600"
+    mode: "0640"
   when: haproxy_user_ssl_key is defined
   notify:
     - regen pem
@@ -51,36 +51,3 @@
     - regen pem
   tags:
     - haproxy-ssl
-
-- name: Ensure the private ssl directory exists
-  file:
-    dest: "/etc/ssl/private"
-    state: "directory"
-  tags:
-    - haproxy-ssl
-
-- name: Remove signed certs and keys for regen
-  file:
-    dest: "{{ item }}"
-    state: "absent"
-  with_items:
-    - "{{ haproxy_ssl_pem }}"
-    - "{{ haproxy_ssl_key }}"
-    - "{{ haproxy_ssl_cert }}"
-  when: haproxy_ssl_self_signed_regen | bool
-  tags:
-    - haproxy-ssl
-
-- name: Create self-signed ssl cert if no certificate exists
-  command: >
-    openssl req -new -nodes -sha256 -x509 -subj
-    "{{ haproxy_ssl_self_signed_subject }}"
-    -days 3650
-    -keyout {{ haproxy_ssl_key }}
-    -out {{ haproxy_ssl_cert }}
-    -extensions v3_ca
-    creates={{ haproxy_ssl_cert }}
-  notify:
-    - regen pem
-  tags:
-    - haproxy-ssl

tasks/main.yml

@@ -27,8 +27,7 @@
 
 - include: haproxy_install.yml
 
-- include: haproxy_ssl_configuration.yml
-  static: no
+- include: haproxy_ssl.yml
   when: haproxy_ssl | bool
 
 - include: haproxy_post_install.yml

tests/inventory

@@ -1,2 +1,5 @@
 [all]
 localhost ansible_connection=local ansible_become=True
+
+[haproxy_all]
+localhost