diff --git a/defaults/main.yml b/defaults/main.yml
index 41dd2cd..299e22c 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -209,3 +209,51 @@ masakari_optional_oslomsg_amqp1_pip_packages:
 masakari_monitor_corosync_multicast_interface: "br-mgmt"
 masakari_monitor_corosync_multicast_ports: 5405
 masakari_monitor_corosync_ipmi_check: False
+
+###
+### Backend TLS
+###
+
+# Define if communication between haproxy and service backends should be
+# encrypted with TLS.
+masakari_backend_ssl: "{{ openstack_service_backend_ssl | default(False) }}"
+
+# Storage location for SSL certificate authority
+masakari_pki_dir: "{{ openstack_pki_dir | default('/etc/openstack_deploy/pki') }}"
+
+# Delegated host for operating the certificate authority
+masakari_pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}"
+
+# masakari server certificate
+masakari_pki_keys_path: "{{ masakari_pki_dir ~ '/certs/private/' }}"
+masakari_pki_certs_path: "{{ masakari_pki_dir ~ '/certs/certs/' }}"
+masakari_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name | default('ExampleCorpIntermediate') }}"
+masakari_pki_regen_cert: ''
+masakari_pki_san: "{{ openstack_pki_san | default('DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ management_address) }}"
+masakari_pki_certificates:
+ - name: "masakari_{{ ansible_facts['hostname'] }}"
+ provider: ownca
+ cn: "{{ ansible_facts['hostname'] }}"
+ san: "{{ masakari_pki_san }}"
+ signed_by: "{{ masakari_pki_intermediate_cert_name }}"
+
+# masakari destination files for SSL certificates
+masakari_ssl_cert: /etc/masakari/masakari.pem
+masakari_ssl_key: /etc/masakari/masakari.key
+
+# Installation details for SSL certificates
+masakari_pki_install_certificates:
+ - src: "{{ masakari_user_ssl_cert | default(masakari_pki_certs_path ~ 'masakari_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}"
+ dest: "{{ masakari_ssl_cert }}"
+ owner: "{{ masakari_system_user_name }}"
+ group: "{{ masakari_system_user_name }}"
+ mode: "0644"
+ - src: "{{ masakari_user_ssl_key | default(masakari_pki_keys_path ~ 'masakari_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
+ dest: "{{ masakari_ssl_key }}"
+ owner: "{{ masakari_system_user_name }}"
+ group: "{{ masakari_system_user_name }}"
+ mode: "0600"
+
+# Define user-provided SSL certificates
+#masakari_user_ssl_cert:
+#masakari_user_ssl_key:
diff --git a/handlers/main.yml b/handlers/main.yml
index 4f518d4..2806974 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -23,3 +23,4 @@
 listen:
 - "venv changed"
 - "systemd service changed"
+ - "cert installed"
diff --git a/tasks/main.yml b/tasks/main.yml
index c7cce2e..d363e66 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -75,6 +75,26 @@
 tags:
 - masakari-install
 
+- name: Create and install SSL certificates
+ include_role:
+ name: pki
+ tasks_from: main_certs.yml
+ apply:
+ tags:
+ - masakari-config
+ - pki
+ vars:
+ pki_setup_host: "{{ masakari_pki_setup_host }}"
+ pki_dir: "{{ masakari_pki_dir }}"
+ pki_create_certificates: "{{ masakari_user_ssl_cert is not defined and masakari_user_ssl_key is not defined }}"
+ pki_regen_cert: "{{ masakari_pki_regen_cert }}"
+ pki_certificates: "{{ masakari_pki_certificates }}"
+ pki_install_certificates: "{{ masakari_pki_install_certificates }}"
+ when:
+ - masakari_backend_ssl
+ tags:
+ - always
+
 - name: Install the python venv
 import_role:
 name: "python_venv_build"
diff --git a/templates/masakari.conf.j2 b/templates/masakari.conf.j2
index 2f5eed4..913926a 100644
--- a/templates/masakari.conf.j2
+++ b/templates/masakari.conf.j2
@@ -19,7 +19,11 @@ os_privileged_user_name = {{ masakari_service_user_name }}
 os_privileged_user_password = {{ masakari_service_password }}
 service_down_time = 60
 periodic_enable = true
-use_ssl = false
+{% if masakari_backend_ssl | bool %}
+use_ssl = True
+ssl_cert_file = {{ masakari_ssl_cert }}
+ssl_key_file = {{ masakari_ssl_key }}
+{% endif %}
 
 [wsgi]
 # The paste configuration file path
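Review bot: `masakari_pki_regen_cert: ''` is the one new variable in this hunk that carries no explanatory comment, so a deployer cannot tell from defaults/main.yml what value forces a certificate to be re-issued. Suggest `# Set to the name of a certificate from masakari_pki_certificates to force it to be regenerated on the next run` — the exact values the pki role accepts here should be confirmed against that role rather than assumed. The commented `#masakari_user_ssl_cert:` / `#masakari_user_ssl_key:` placeholders would also be clearer with a one-line note that these are paths to existing files and that the key is installed with `mode: "0600"` owned by the service user, so its source copy should be protected the same way.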
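Review bot: `pki_create_certificates` only skips CA generation when both masakari_user_ssl_cert and masakari_user_ssl_key are undefined, so a deployer who sets just one of them still gets a generated pair and, through the `default(...)` fallbacks in masakari_pki_install_certificates, ends up with a user-supplied certificate installed next to a CA-generated key (or the reverse) — a key that does not match its certificate, discovered only when the service fails to start TLS. An explicit assert ahead of the include_role turns that into an immediate, readable failure. It should carry the same `when: masakari_backend_ssl` guard and the `always` tag as the new task so tag selection cannot skip it.
```yaml
- name: Check that user-provided SSL certificate and key are supplied together
  assert:
    that:
      - (masakari_user_ssl_cert is defined) == (masakari_user_ssl_key is defined)
    fail_msg: "masakari_user_ssl_cert and masakari_user_ssl_key must both be defined, or neither"
  when:
    - masakari_backend_ssl
  tags:
    - always

# … unchanged: Create and install SSL certificates task …
```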
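Review bot: With the new conditional, a deployment that leaves masakari_backend_ssl at its default no longer renders any `use_ssl` line, whereas the removed line wrote `use_ssl = false` explicitly; the generated config now relies on the service's built-in default, which is presumably off but is not something this diff establishes. Keeping the explicit setting preserves the previous output and documents the choice in the rendered file: add `{% else %}` and `use_ssl = False` before `{% endif %}`. The configuration section these options belong to begins above the hunk.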