diff --git a/defaults/main.yml b/defaults/main.yml
index c2637c4..366d886 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -88,6 +88,9 @@ skyline_db_pool_timeout: "{{ openstack_db_pool_timeout | default('30') }}"
 skyline_db_connection_recycle_time: "{{ openstack_db_connection_recycle_time | default('600') }}"
 
 ## TLS configuration
+skyline_backend_ssl: "{{ openstack_service_backend_ssl | default(False) }}"
+skyline_pki_dir: "{{ openstack_pki_dir | default('/etc/openstack_deploy/pki') }}"
+skyline_pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}"
 skyline_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1') }}"
 # TLS v1.2 and below
 skyline_ssl_cipher_suite_tls12: >-
@@ -95,6 +98,11 @@ skyline_ssl_cipher_suite_tls12: >-
 # TLS v1.3
 skyline_ssl_cipher_suite_tls13: >-
 {{ ssl_cipher_suite_tls13 | default('TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256') }}
+skyline_pki_regen_cert: ''
+skyline_pki_san: "{{ openstack_pki_san | default('DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ management_address) }}"
+# skyline_user_ssl_cert:
+# skyline_user_ssl_key:
+# skyline_user_ssl_ca_cert:
 
 ## System User / Group
 skyline_system_user_name: skyline
diff --git a/releasenotes/notes/skyline_backend_ssl-cd1db8c8fbf140f0.yaml b/releasenotes/notes/skyline_backend_ssl-cd1db8c8fbf140f0.yaml
new file mode 100644
index 0000000..f563213
--- /dev/null
+++ b/releasenotes/notes/skyline_backend_ssl-cd1db8c8fbf140f0.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ Implemented TLS encryption for the communication between Load Balancer
+ (HAProxy) and Skyline backends if ``openstack_service_backend_ssl``
+ is set to True.
diff --git a/tasks/skyline_apache.yml b/tasks/skyline_apache.yml
index 0f36edb..f9c345c 100644
--- a/tasks/skyline_apache.yml
+++ b/tasks/skyline_apache.yml
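Review bot: The three commented-out `# skyline_user_ssl_cert:` / `# skyline_user_ssl_key:` / `# skyline_user_ssl_ca_cert:` placeholders at the end of the second hunk say nothing about what they hold or when they are used, and the new `skyline_pki_san` default gets no explanation either. From vars/main.yml in the same change, a user-supplied cert and key together replace the role-generated certificate, the CA entry is optional, and `skyline_pki_san` is only consulted when no user certificate is given; a reader of defaults/main.yml should not have to trace that. Suggested comment above the placeholders: `# Optional user-provided backend certificate: cert and key must both be set to override the PKI-generated one; ca is optional`, and above skyline_pki_san: `# SAN of the generated backend certificate; presumably must cover the address HAProxy uses to reach this host`. Whether these paths refer to the deploy host or the target host is not visible here and should be stated as well.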
@@ -17,6 +17,12 @@
 ansible.builtin.import_role:
 name: httpd
 vars:
+ httpd_pki_dir: "{{ skyline_pki_dir }}"
+ httpd_pki_setup_host: "{{ skyline_pki_setup_host }}"
+ httpd_ssl_protocol: "{{ skyline_ssl_protocol }}"
+ httpd_ssl_cipher_suite_tls12: "{{ skyline_ssl_cipher_suite_tls12 }}"
+ httpd_ssl_cipher_suite_tls13: "{{ skyline_ssl_cipher_suite_tls13 }}"
+ httpd_pki_regen_cert: "{{ skyline_pki_regen_cert }}"
 httpd_extra_modules:
 - name: "proxy_http"
 state: "present"
@@ -46,3 +52,4 @@
 _skyline_proxy_ssl_options | select(),
 []
 ) }}
+ ssl: "{{ skyline_backend_ssl | ternary(_skyline_httpd_vhost_ssl, false) }}"
diff --git a/vars/main.yml b/vars/main.yml
index aea428f..856994b 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -89,3 +89,15 @@ _skyline_proxy_ssl_options:
 - "SSLProxyProtocol {{ skyline_ssl_protocol }}"
 - "{{ skyline_ssl_cipher_suite_tls12 | ternary('SSLProxyCipherSuite ' ~ skyline_ssl_cipher_suite_tls12, '') }}"
 - "{{ skyline_ssl_cipher_suite_tls13 | ternary('SSLProxyCipherSuite TLSv1.3 ' ~ skyline_ssl_cipher_suite_tls13, '') }}"
+ _skyline_httpd_vhost_ssl: |-
+ {% set ssl_options = {} %}
+ {% if (skyline_user_ssl_cert is defined and skyline_user_ssl_cert) and (skyline_user_ssl_key is defined and skyline_user_ssl_key) %}
+ {% set _ = ssl_options.update({'cert': skyline_user_ssl_cert, 'key': skyline_user_ssl_key}) %}
+ {% if skyline_user_ssl_ca_cert is defined and skyline_user_ssl_ca_cert %}
+ {% set _ = ssl_options.update({'ca': skyline_user_ssl_ca_cert}) %}
+ {% endif %}
+ {% else %}
+ {% set _ = ssl_options.update({'san': skyline_pki_san}) %}
+ {% endif %}
+ {{ ssl_options }}
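Review bot: `ternary(_skyline_httpd_vhost_ssl, false)` on the added `ssl:` line evaluates both arguments, so the whole `_skyline_httpd_vhost_ssl` template — and through it `skyline_pki_san`, which reads `ansible_facts['hostname']` and `management_address` — is rendered even when `skyline_backend_ssl` is false; a lazy inline conditional avoids that: `ssl: "{{ _skyline_httpd_vhost_ssl if skyline_backend_ssl | bool else false }}"`. The `| bool` also guards against a string-valued `openstack_service_backend_ssl` (a plain `'false'` string is truthy), which `ternary` alone does not. Whether `management_address` can be undefined on a host where backend TLS is disabled is not visible from the hunk. The enclosing task starts before the hunk.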
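Review bot: `_skyline_httpd_vhost_ssl` silently falls back to the PKI-generated certificate when only one of `skyline_user_ssl_cert` / `skyline_user_ssl_key` is set, so a typo in an operator override yields a working vhost with a different certificate than intended — and, since `ca` is only populated in the user branch, possibly one the load balancer is not configured to trust (depending on how the httpd role consumes `ca`, which is outside this diff). Consider failing on a half-configured pair, for example an `ansible.builtin.assert` in the tasks that both are defined together before the httpd role is imported, or at least a comment above the key stating the both-or-neither rule. Separately, `{{ ssl_options }}` emits a Python dict repr and relies on Ansible re-typing it into a mapping; a comment such as `# rendered as a dict repr that Ansible re-types; keys: cert, key, ca (user-provided) or san (generated)` above the block scalar would make that intent visible to the next maintainer.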