Keystone SSL cert/key distribution and configuration

This patch adds the option to provide an SSL certificate for the Keystone service (either self-signed or user provided) and to configure the endpoints and Keystone service appropriately. * A new boolean variable called 'keystone_ssl' enables/disables the configuration of SSL for the Keystone service. * The server key/certificate (and optionally a CA cert) are distributed to all keystone containers and used for the setup of SSL endpoints if the appropriate protocol is set. * The internal/public and the admin endpoints can be set to be served via http or https seperately via the 'keystone_service_*_proto' variables. * The logic to determine the appropriate load balancing configuration based on the Keystone endpoint protocol has been implemented in the haproxy vars. * Two new variables have been implemented for a user-provided server key and certificate: - keystone_user_ssl_cert: <path to cert on deployment host> - keystone_user_ssl_key: <path to cert on deployment host> If either of these is not defined, but a Keystone endpoint has been configured for SSL, then the missing cert/key will be self generated on the first Keystone container and distributed to the other containers. * A new variable has been implemented for a user-provided CA certificate: - keystone_user_ssl_ca_cert: <path to cert on deployment host> * A new variable called 'keystone_ssl_self_signed_subject' has been implemented to allow the user to override the certificate properties, such as the CN and subjectAltName. Upgrade notes: * The SSL-based client authentication configuration in Apache has been removed as it appears to be unused. * The minimum Ansible version for the os_keystone and haproxy_server roles have been increased to v1.9.0 as it's the minimum version that supports ternary filters. * The boolean 'keystone_ssl_enabled' has been renamed to 'keystone_ssl'. This maintains a pattern set in the haproxy role for enablement of ssl offloading in the load balancer. * The Apache configuration appropriately implements the 'SSLCACertificateFile' instead of the 'SSLCACertificatePath' directive in order to ensure that the appropriate signing certificate is provided to the browser. * The 'keystone_self_signed_regen' variable has been renamed to 'keystone_ssl_self_signed_regen'. * The default names for the deployed keys/certificates have been changed: - /etc/ssl/certs/apache.cert > /etc/ssl/certs/keystone.pem - /etc/ssl/private/apache.key > /etc/ssl/private/keystone.key DocImpact Partial-Bug: #1466827 Implements: blueprint keystone-federation Change-Id: I4c5ea7b6bfc3d7d7230a7440fa501241826c9dee Co-Authored-By: Miguel Grinberg <miguelgrinberg50@gmail.com>
2015-07-07 12:59:45 +01:00 · 2015-07-07 12:59:45 +01:00 · bfb378f19b
commit bfb378f19b
parent 1eff9df16f
11 changed files with 222 additions and 17 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -127,14 +127,23 @@ keystone_apache_log_level: info
 keystone_wsgi_threads: "{{ ansible_processor_vcpus | default(2) // 2 }}"
 keystone_wsgi_processes: "{{ ansible_processor_vcpus | default(1) }}"

-keystone_ssl_enabled: false
-keystone_ssl_cert_path: /etc/ssl/certs
-keystone_ssl_cert: "{{ keystone_ssl_cert_path }}/apache.cert"
-keystone_ssl_key_path: /etc/ssl/private
-keystone_ssl_key: "{{ keystone_ssl_key_path }}/apache.key"
+# set keystone_ssl to true to enable SSL configuration on the keystone containers
+keystone_ssl: false
+keystone_ssl_cert: /etc/ssl/certs/keystone.pem
+keystone_ssl_key: /etc/ssl/private/keystone.key
+keystone_ssl_ca_cert: /etc/ssl/certs/keystone-ca.pem
 keystone_ssl_protocol: "{{ ssl_protocol }}"
 keystone_ssl_cipher_suite: "{{ ssl_cipher_suite }}"

+# if using a self-signed certificate, set this to true to regenerate it
+keystone_ssl_self_signed_regen: false
+keystone_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ internal_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}"
+
+# Set these in user_variables to deploy custom certificates
+#keystone_user_ssl_cert: <path to cert on ansible deployment host>
+#keystone_user_ssl_key: <path to cert on ansible deployment host>
+#keystone_user_ssl_ca_cert: <path to cert on ansible deployment host>
+
 ## Caching
 # If set this will enable dog pile cache for keystone.
 # keystone_cache_backend_argument: url:127.0.0.1:11211
--- a/tasks/keystone_apache.yml
+++ b/tasks/keystone_apache.yml
@ -60,11 +60,12 @@
 - name: Enable/disable mod_ssl for apache2
  apache2_module:
    name: ssl
-    state: "{{ (keystone_ssl_enabled | bool) | ternary('present', 'absent') }}"
+    state: "{{ (keystone_ssl | bool) | ternary('present', 'absent') }}"
  notify:
    - Restart Apache
  tags:
    - keystone-httpd
+    - keystone-ssl

 - name: Enable/disable mod_shib2 for apache2
  apache2_module:
--- a/tasks/keystone_ssl.yml
+++ b/tasks/keystone_ssl.yml
@ -0,0 +1,25 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- include: keystone_ssl_self_signed.yml
+  when: >
+    keystone_ssl | bool and
+    (keystone_user_ssl_cert is not defined or keystone_user_ssl_key is not defined)
+  tags:
+    - keystone-ssl
+
+- include: keystone_ssl_user_provided.yml
+  tags:
+    - keystone-ssl
--- a/tasks/keystone_ssl_key_create.yml
+++ b/tasks/keystone_ssl_key_create.yml
@ -0,0 +1,36 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Remove self signed cert for regen
+  file:
+    dest: "{{ keystone_ssl_cert }}"
+    state: "absent"
+  when: keystone_ssl_self_signed_regen | bool
+  tags:
+    - keystone-ssl
+
+- name: Create self-signed Apache ssl cert
+  command: >
+    openssl req -new -nodes -sha256 -x509 -subj
+    "{{ keystone_ssl_self_signed_subject }}"
+    -days 3650
+    -keyout {{ keystone_ssl_key }}
+    -out {{ keystone_ssl_cert }}
+    -extensions v3_ca
+    creates={{ keystone_ssl_cert }}
+  notify: Restart Apache
+  tags:
+    - keystone-configs
+    - keystone-ssl
--- a/tasks/keystone_ssl_key_distribute.yml
+++ b/tasks/keystone_ssl_key_distribute.yml
@ -0,0 +1,35 @@
+---
+# Copyright 2014, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Distribute self signed cert and key
+  memcached:
+    name: "{{ item.name }}"
+    file_path: "{{ item.src }}"
+    state: "retrieve"
+    file_mode: "{{ item.file_mode }}"
+    dir_mode: "{{ item.dir_mode }}"
+    server: "{{ memcached_servers }}"
+    encrypt_string: "{{ memcached_encryption_key }}"
+  with_items:
+    - { src: "{{ keystone_ssl_cert }}", name: "keystone_ssl_cert", file_mode: "0644", dir_mode: "0755" }
+    - { src: "{{ keystone_ssl_key }}", name: "keystone_ssl_key", file_mode: "0640", dir_mode: "0750" }
+  register: memcache_keys
+  until: memcache_keys|success
+  retries: 5
+  delay: 2
+  notify: Restart Apache
+  tags:
+    - keystone-config
+    - keystone-ssl
--- a/tasks/keystone_ssl_key_store.yml
+++ b/tasks/keystone_ssl_key_store.yml
@ -0,0 +1,31 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Store self signed cert and key
+  memcached:
+    name: "{{ item.name }}"
+    file_path: "{{ item.src }}"
+    state: "present"
+    server: "{{ memcached_servers }}"
+    encrypt_string: "{{ memcached_encryption_key }}"
+  with_items:
+    - { src: "{{ keystone_ssl_cert }}", name: "keystone_ssl_cert" }
+    - { src: "{{ keystone_ssl_key }}", name: "keystone_ssl_key" }
+  register: memcache_keys
+  until: memcache_keys|success
+  retries: 5
+  delay: 2
+  tags:
+    - keystone-ssl
--- a/tasks/keystone_ssl_self_signed.yml
+++ b/tasks/keystone_ssl_self_signed.yml
@ -0,0 +1,26 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- include: keystone_ssl_key_create.yml
+  when: >
+    inventory_hostname == groups['keystone_all'][0]
+
+- include: keystone_ssl_key_store.yml
+  when: >
+    inventory_hostname == groups['keystone_all'][0]
+
+- include: keystone_ssl_key_distribute.yml
+  when: >
+    inventory_hostname != groups['keystone_all'][0]
--- a/tasks/keystone_ssl_user_provided.yml
+++ b/tasks/keystone_ssl_user_provided.yml
@ -0,0 +1,43 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Drop user provided ssl cert and key
+  copy:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: "root"
+    group: "root"
+    mode: "{{ item.mode }}"
+  with_items:
+    - { src: "{{ keystone_user_ssl_cert }}", dest: "{{ keystone_ssl_cert }}", mode: "0644" }
+    - { src: "{{ keystone_user_ssl_key }}", dest: "{{ keystone_ssl_key }}", mode: "0640" }
+  when: keystone_user_ssl_cert is defined and keystone_user_ssl_key is defined
+  notify: Restart Apache
+  tags:
+    - keystone-configs
+    - keystone-ssl
+
+- name: Drop user provided ssl CA cert
+  copy:
+    src: "{{ keystone_user_ssl_ca_cert }}"
+    dest: "{{ keystone_ssl_ca_cert }}"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  when: keystone_user_ssl_ca_cert is defined
+  notify: Restart Apache
+  tags:
+    - keystone-configs
+    - keystone-ssl
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -37,6 +37,7 @@
  when: >
    inventory_hostname == groups['keystone_all'][0]

+- include: keystone_ssl.yml
 - include: keystone_apache.yml
 - include: keystone_token_cleanup.yml

--- a/templates/keystone-httpd.conf.j2
+++ b/templates/keystone-httpd.conf.j2
@ -16,14 +16,13 @@
    CustomLog /var/log/keystone/ssl_access.log combined
    Options +FollowSymLinks

-    {% if keystone_ssl_enabled == true -%}
+    {% if keystone_ssl | bool and keystone_service_internaluri_proto == "https" -%}
    SSLEngine on
    SSLCertificateFile    {{ keystone_ssl_cert }}
    SSLCertificateKeyFile {{ keystone_ssl_key }}
-    SSLCACertificatePath  {{ keystone_ssl_cert_path }}
-    SSLCARevocationPath   {{ keystone_ssl_cert_path }}
-    SSLVerifyClient optional
-    SSLVerifyDepth 10
+    {% if keystone_user_ssl_ca_cert is defined -%}
+    SSLCACertificateFile  {{ keystone_ssl_ca_cert }}
+    {% endif -%}
    SSLCompression Off
    SSLProtocol {{ keystone_ssl_protocol }}
    SSLHonorCipherOrder On
@ -74,14 +73,13 @@
    CustomLog /var/log/keystone/ssl_access.log combined
    Options +FollowSymLinks

-    {% if keystone_ssl_enabled == true -%}
+    {% if keystone_ssl | bool and keystone_service_adminuri_proto == "https" -%}
    SSLEngine on
    SSLCertificateFile    {{ keystone_ssl_cert }}
    SSLCertificateKeyFile {{ keystone_ssl_key }}
-    SSLCACertificatePath  {{ keystone_ssl_cert_path }}
-    SSLCARevocationPath   {{ keystone_ssl_cert_path }}
-    SSLVerifyClient optional
-    SSLVerifyDepth 10
+    {% if keystone_user_ssl_ca_cert is defined -%}
+    SSLCACertificateFile  {{ keystone_ssl_ca_cert }}
+    {% endif -%}
    SSLCompression Off
    SSLProtocol {{ keystone_ssl_protocol }}
    SSLHonorCipherOrder On
--- a/templates/keystone.conf.j2
+++ b/templates/keystone.conf.j2
@ -10,7 +10,7 @@ public_endpoint = {{ keystone_public_endpoint }}
 admin_endpoint = {{ keystone_service_adminuri }}
 fatal_deprecations = {{ keystone_fatal_deprecations }}

-{% if keystone_ssl_enabled == true and  keystone_secure_proxy_ssl_header is defined %}
+{% if keystone_ssl | bool and keystone_secure_proxy_ssl_header is defined %}
 secure_proxy_ssl_header = {{ keystone_secure_proxy_ssl_header }}
 {% endif %}