Fix self-signed certs distribution
With a multinode Octavia setup and octavia_generate_certs set to True, the role fails while distributing certificates. While the correct approach would be to replace this with the PKI role, for now we just patch the current approach by ensuring that facts are set on octavia_cert_setup_host so we can reliably retrieve them. Change-Id: I0dc2488b9e8e33847c9a2646032ac5f926d09133 Closes-Bug: #1936646
parent
a2de42c7bb
commit
799f003b85
@ -82,8 +82,9 @@
|
||||
apply:
|
||||
tags:
|
||||
- octavia-config
|
||||
run_once: true
|
||||
when: octavia_generate_certs | bool
|
||||
when:
|
||||
- octavia_generate_certs | bool
|
||||
- _octavia_is_first_play_host
|
||||
tags:
|
||||
- always
|
||||
|
||||
|
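Review bot: The new `when:` list adds `_octavia_is_first_play_host` next to the existing `run_once: true`, but nothing in the hunk records why both gates are needed, and the task's `name`/`include_tasks` line sits above the hunk. As far as I recall, with `run_once` the conditional is evaluated on the first host of the current batch only, so if that host is not the first play host (for example under `--limit` or `serial`) the include is skipped for every host; a reader who sees the two together may drop one as redundant. A comment above the `when:` such as `# run_once alone picks the first host of the batch; the first-play-host gate keeps generation on one stable host` would document the intent. It would also help to state where `_octavia_is_first_play_host` is set, since it is not visible in this diff.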
@ -20,6 +20,7 @@
|
||||
# system python instead.
|
||||
- name: Prepare octavia_cert_setup_host for certificate generation
|
||||
delegate_to: "{{ octavia_cert_setup_host }}"
|
||||
delegate_facts: true
|
||||
vars:
|
||||
ansible_python_interpreter: >-
|
||||
{{ (octavia_cert_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable']) }}
|
||||
@ -94,6 +95,12 @@
|
||||
register: _octavia_server_ca
|
||||
changed_when: false
|
||||
|
||||
- name: Register a fact for the CA cert and key
|
||||
set_fact:
|
||||
octavia_ca_private_key_fact: "{{ _octavia_ca_private_key['content'] | b64decode }}"
|
||||
octavia_ca_certificate_fact: "{{ _octavia_ca_certificate['content'] | b64decode }}"
|
||||
octavia_server_ca_fact: "{{ _octavia_server_ca['content'] | b64decode }}"
|
||||
|
||||
# These are run at the very first installation of Octavia
|
||||
# While Octavia acts as a CA for the server certificates,
|
||||
# for the amphora it only needs a client certificate and
|
||||
@ -105,6 +112,7 @@
|
||||
|
||||
- name: Generate keys/certificates on octavia_cert_setup_host
|
||||
delegate_to: "{{ octavia_cert_setup_host }}"
|
||||
delegate_facts: true
|
||||
vars:
|
||||
ansible_python_interpreter: >-
|
||||
{{ (octavia_cert_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable']) }}
|
||||
@ -171,3 +179,8 @@
|
||||
src: "{{ octavia_client_cert }}"
|
||||
register: _octavia_client_cert
|
||||
changed_when: false
|
||||
|
||||
- name: Register a fact for the cert and key
|
||||
set_fact:
|
||||
octavia_client_ca_fact: "{{ _octavia_client_ca['content'] | b64decode }}"
|
||||
octavia_client_cert_fact: "{{ _octavia_client_cert['content'] | b64decode }}"
|
||||
|
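Review bot: The new `Register a fact for the CA cert and key` task in hunk `@ -94,6 +95,12 @@` decodes the CA private key into `octavia_ca_private_key_fact` without `no_log: true`, so the key is echoed in the task result at `-v` and in any callback or log plugin output; the same applies to the `Register a fact for the cert and key` task in hunk `@ -171,3 +179,8 @@`, where `octavia_client_cert_fact` is presumably the client bundle that includes its private key. Adding `no_log: true` to both set_fact tasks keeps the key material out of logs while the delegated facts remain reachable through `hostvars[octavia_cert_setup_host]`. The slurp tasks feeding them (`register: _octavia_server_ca` and the others) hold the same material base64-encoded and would benefit from the same flag, though they are context lines here. A short comment above the first set_fact, e.g. `# delegate_facts: these land on octavia_cert_setup_host and are read via hostvars by the distribute tasks`, would explain why the facts are registered here rather than on the consuming hosts.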
@ -5,24 +5,6 @@
|
||||
path: /etc/octavia/certs/
|
||||
state: directory
|
||||
|
||||
- name: Register a fact for the cert and key
|
||||
set_fact:
|
||||
octavia_ca_private_key_fact: "{{ hostvars[octavia_cert_setup_host]['_octavia_ca_private_key']['content'] | b64decode }}"
|
||||
octavia_ca_certificate_fact: "{{ hostvars[octavia_cert_setup_host]['_octavia_ca_certificate']['content'] | b64decode }}"
|
||||
octavia_server_ca_fact: "{{ hostvars[octavia_cert_setup_host]['_octavia_server_ca']['content'] | b64decode }}"
|
||||
octavia_client_ca_fact: "{{ hostvars[octavia_cert_setup_host]['_octavia_client_ca']['content'] | b64decode }}"
|
||||
octavia_client_cert_fact: "{{ hostvars[octavia_cert_setup_host]['_octavia_client_cert']['content'] | b64decode }}"
|
||||
when: octavia_cert_setup_host != 'localhost'
|
||||
|
||||
- name: Register a fact for the cert and key
|
||||
set_fact:
|
||||
octavia_ca_private_key_fact: "{{ _octavia_ca_private_key['content'] | b64decode }}"
|
||||
octavia_ca_certificate_fact: "{{ _octavia_ca_certificate['content'] | b64decode }}"
|
||||
octavia_server_ca_fact: "{{ _octavia_server_ca['content'] | b64decode }}"
|
||||
octavia_client_ca_fact: "{{ _octavia_client_ca['content'] | b64decode }}"
|
||||
octavia_client_cert_fact: "{{ _octavia_client_cert['content'] | b64decode }}"
|
||||
when: octavia_cert_setup_host == 'localhost'
|
||||
|
||||
- name: Copy certificates
|
||||
copy:
|
||||
content: "{{ item.content }}"
|
||||
@ -31,15 +13,15 @@
|
||||
group: "{{ octavia_system_group_name }}"
|
||||
mode: "0640"
|
||||
with_items:
|
||||
- content: "{{ octavia_ca_private_key_fact }}"
|
||||
- content: "{{ hostvars[octavia_cert_setup_host]['octavia_ca_private_key_fact'] }}"
|
||||
dest: "/etc/octavia/certs/ca_key.pem"
|
||||
- content: "{{ octavia_ca_certificate_fact }}"
|
||||
- content: "{{ hostvars[octavia_cert_setup_host]['octavia_ca_certificate_fact'] }}"
|
||||
dest: "/etc/octavia/certs/ca.pem"
|
||||
- content: "{{ octavia_server_ca_fact }}"
|
||||
- content: "{{ hostvars[octavia_cert_setup_host]['octavia_server_ca_fact'] }}"
|
||||
dest: "/etc/octavia/certs/server_ca.pem"
|
||||
- content: "{{ octavia_client_ca_fact }}"
|
||||
- content: "{{ hostvars[octavia_cert_setup_host]['octavia_client_ca_fact'] }}"
|
||||
dest: "/etc/octavia/certs/client_ca.pem"
|
||||
- content: "{{ octavia_client_cert_fact }}"
|
||||
- content: "{{ hostvars[octavia_cert_setup_host]['octavia_client_cert_fact'] }}"
|
||||
dest: "/etc/octavia/certs/client.pem"
|
||||
notify:
|
||||
- Restart octavia services
|
||||
|
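Review bot: The rewritten `with_items` in hunk `@ -31,15 +13,15 @@` passes `hostvars[octavia_cert_setup_host]['octavia_ca_private_key_fact']` straight into `content:`, and the enclosing `Copy certificates` task (its `copy:` line is at the end of the first hunk) has no `no_log: true`; loop results echo the full `item` dict, so a failed iteration or a `-v` run prints the CA private key in clear. Adding `no_log: true` to the copy task closes that, and is more important now that the two intermediate set_fact tasks with the `localhost` / non-`localhost` split are gone. It would also be worth a comment above the loop that these facts exist only because the generation task file sets them on `octavia_cert_setup_host` with `delegate_facts: true`, so this file must run in the same play or every lookup is undefined; something like `# facts are set via delegate_facts on octavia_cert_setup_host during certificate generation`. Whether `hostvars['localhost']` resolves when the setup host is the implicit localhost is not visible from the diff and should be confirmed.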