Add hashi_vault pki backend support

This patch defines necessary variables for the 'hashi_vault' pki backend
which is the alternative to the default 'standalone' backend.

Additionally, it:
- changes the format of `placement_pki_san` to the new one changed in [1]
- passes `pki_default_backend` when trigerring PKI role so its aware of
the default backend in case it's not explicitly specified in the cert
definition.
- adopts this role to the recent changes in PKI role [2][3][4]

[1] https://review.opendev.org/c/openstack/openstack-ansible/+/948886
[2] fc7db02074
[3] 7cff89ee71
[4] f03bcc19d5

Change-Id: Ib602d9950c5b46427f9088eb2f03f1ab19d64ee8
Signed-off-by: Damian Dabrowski <damian.dabrowski@cleura.com>

defaults/main.yml

@@ -253,12 +253,14 @@ masakari_pki_keys_path: "{{ masakari_pki_dir ~ '/certs/private/' }}"
 masakari_pki_certs_path: "{{ masakari_pki_dir ~ '/certs/certs/' }}"
 masakari_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name | default('ExampleCorpIntermediate') }}"
 masakari_pki_regen_cert: ""
-masakari_pki_san: "{{ openstack_pki_san | default('DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ management_address) }}"
+masakari_pki_san: "{{ openstack_pki_san | default({'dns': [ansible_facts['hostname']], 'ip': [management_address]}) }}"
+masakari_pki_backend: "{{ openstack_pki_backend | default('standalone') }}"
 masakari_pki_certificates:
   - name: "masakari_{{ ansible_facts['hostname'] }}"
-    provider: ownca
     cn: "{{ ansible_facts['hostname'] }}"
     san: "{{ masakari_pki_san }}"
+    # standalone backend only
+    provider: ownca
     signed_by: "{{ masakari_pki_intermediate_cert_name }}"
 
 # masakari destination files for SSL certificates
@@ -267,17 +269,21 @@ masakari_ssl_key: /etc/masakari/masakari.key
 
 # Installation details for SSL certificates
 masakari_pki_install_certificates:
-  - src: "{{ masakari_user_ssl_cert | default(masakari_pki_certs_path ~ 'masakari_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}"
+  - name: "masakari_{{ ansible_facts['hostname'] }}"
+    type: "certificate_chain"
     dest: "{{ masakari_ssl_cert }}"
     owner: "{{ masakari_system_user_name }}"
     group: "{{ masakari_system_user_name }}"
-    mode: "0644"
-  - src: "{{ masakari_user_ssl_key | default(masakari_pki_keys_path ~ 'masakari_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
+    # standalone backend only
+    src: "{{ masakari_user_ssl_cert | default(masakari_pki_certs_path ~ 'masakari_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}"
+  - name: "masakari_{{ ansible_facts['hostname'] }}"
+    type: "private_key"
     dest: "{{ masakari_ssl_key }}"
     owner: "{{ masakari_system_user_name }}"
     group: "{{ masakari_system_user_name }}"
-    mode: "0600"
+    # standalone backend only
+    src: "{{ masakari_user_ssl_key | default(masakari_pki_keys_path ~ 'masakari_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
 
 # Define user-provided SSL certificates
-# masakari_user_ssl_cert: <path to cert on ansible deployment host>
-# masakari_user_ssl_key: <path to cert on ansible deployment host>
+masakari_user_ssl_cert: ""
+masakari_user_ssl_key: ""

tasks/main.yml

@@ -90,9 +90,10 @@
         - masakari-config
         - pki
   vars:
+    pki_backend: "{{ masakari_pki_backend }}"
     pki_setup_host: "{{ masakari_pki_setup_host }}"
     pki_dir: "{{ masakari_pki_dir }}"
-    pki_create_certificates: "{{ masakari_user_ssl_cert is not defined and masakari_user_ssl_key is not defined }}"
+    pki_create_certificates: "{{ masakari_user_ssl_cert | length == 0 and masakari_user_ssl_key | length == 0 }}"
     pki_regen_cert: "{{ masakari_pki_regen_cert }}"
     pki_certificates: "{{ masakari_pki_certificates }}"
     pki_install_certificates: "{{ masakari_pki_install_certificates }}"