From 1c4862b9ef83eb5abfecab46c1120babe4c940d0 Mon Sep 17 00:00:00 2001
From: Dmitriy Rabotyagov
Date: Fri, 27 Dec 2024 17:28:01 +0100
Subject: [PATCH] Implement TLS backend coverage for Skyline

While most of services already have TLS encryption with backend implemented, Skyline implementation was missed. Now, with migration to the common role, it's way easier to add TLS coverage for backends.

Change-Id: I7c17d36212891108674240ddb8ac4c1fd637532c
---
 defaults/main.yml | 8 ++++++++
 .../notes/skyline_backend_ssl-cd1db8c8fbf140f0.yaml | 6 ++++++
 tasks/skyline_apache.yml | 7 +++++++
 vars/main.yml | 12 ++++++++++++
 4 files changed, 33 insertions(+)
 create mode 100644 releasenotes/notes/skyline_backend_ssl-cd1db8c8fbf140f0.yaml
diff --git a/defaults/main.yml b/defaults/main.yml
index c2637c4..366d886 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -88,6 +88,9 @@ skyline_db_pool_timeout: "{{ openstack_db_pool_timeout | default('30') }}"
 skyline_db_connection_recycle_time: "{{ openstack_db_connection_recycle_time | default('600') }}"
 
 ## TLS configuration
+skyline_backend_ssl: "{{ openstack_service_backend_ssl | default(False) }}"
+skyline_pki_dir: "{{ openstack_pki_dir | default('/etc/openstack_deploy/pki') }}"
+skyline_pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}"
 skyline_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1') }}"
 # TLS v1.2 and below
 skyline_ssl_cipher_suite_tls12: >-
@@ -95,6 +98,11 @@ skyline_ssl_cipher_suite_tls12: >-
 # TLS v1.3
 skyline_ssl_cipher_suite_tls13: >-
 {{ ssl_cipher_suite_tls13 | default('TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256') }}
+skyline_pki_regen_cert: ''
+skyline_pki_san: "{{ openstack_pki_san | default('DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ management_address) }}"
+# skyline_user_ssl_cert:
+# skyline_user_ssl_key:
+# skyline_user_ssl_ca_cert:
 
 ## System User / Group
 skyline_system_user_name: skyline
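Review bot: None of the new variables in either hunk of defaults/main.yml (skyline_backend_ssl, skyline_pki_dir, skyline_pki_setup_host, skyline_pki_regen_cert, skyline_pki_san and the three commented-out `skyline_user_ssl_*` keys) carries a comment, although the surrounding TLS settings are introduced by short headings. The `skyline_user_ssl_*` keys need one most, because the template in vars/main.yml only honours them when both cert and key are set and treats the CA cert as optional; a line such as `# Deployer-supplied certificate and key; both must be set to be used, otherwise a certificate is requested for skyline_pki_san. The CA cert is optional.` above them would capture that. It is also worth stating that `skyline_backend_ssl` tracks `openstack_service_backend_ssl` and which value of `skyline_pki_regen_cert` presumably forces a re-issue, since the empty-string default says nothing about it.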
diff --git a/releasenotes/notes/skyline_backend_ssl-cd1db8c8fbf140f0.yaml b/releasenotes/notes/skyline_backend_ssl-cd1db8c8fbf140f0.yaml
new file mode 100644
index 0000000..f563213
--- /dev/null
+++ b/releasenotes/notes/skyline_backend_ssl-cd1db8c8fbf140f0.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ Implemented TLS encryption for the communication between Load Balancer
+ (HAProxy) and Skyline backends if ``openstack_service_backend_ssl``
+ is set to True.
diff --git a/tasks/skyline_apache.yml b/tasks/skyline_apache.yml
index 0f36edb..f9c345c 100644
--- a/tasks/skyline_apache.yml
+++ b/tasks/skyline_apache.yml
@@ -17,6 +17,12 @@
 ansible.builtin.import_role:
 name: httpd
 vars:
+ httpd_pki_dir: "{{ skyline_pki_dir }}"
+ httpd_pki_setup_host: "{{ skyline_pki_setup_host }}"
+ httpd_ssl_protocol: "{{ skyline_ssl_protocol }}"
+ httpd_ssl_cipher_suite_tls12: "{{ skyline_ssl_cipher_suite_tls12 }}"
+ httpd_ssl_cipher_suite_tls13: "{{ skyline_ssl_cipher_suite_tls13 }}"
+ httpd_pki_regen_cert: "{{ skyline_pki_regen_cert }}"
 httpd_extra_modules:
 - name: "proxy_http"
 state: "present"
@@ -46,3 +52,4 @@
 _skyline_proxy_ssl_options | select(),
 []
 ) }}
+ ssl: "{{ skyline_backend_ssl | ternary(_skyline_httpd_vhost_ssl, false) }}"
diff --git a/vars/main.yml b/vars/main.yml
index aea428f..856994b 100644
--- a/vars/main.yml
+++ b/vars/main.yml
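Review bot: The `ssl:` line added in the second hunk of tasks/skyline_apache.yml decides by Jinja truthiness, so a string value of `skyline_backend_ssl` such as `'false'` (what `-e openstack_service_backend_ssl=false` on the command line yields) selects the TLS mapping instead of disabling it; `ssl: "{{ (skyline_backend_ssl | bool) | ternary(_skyline_httpd_vhost_ssl, false) }}"` removes that ambiguity. As far as I can tell ternary also evaluates both of its arguments, so `_skyline_httpd_vhost_ssl`, and through `skyline_pki_san` the `management_address` and `ansible_facts['hostname']` lookups, are templated even when backend TLS is off; presumably those are always available here, but a missing fact would now fail the vhost definition regardless of the setting. The task that owns these vars starts before the first hunk of this file.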
@@ -89,3 +89,15 @@ _skyline_proxy_ssl_options:
 - "SSLProxyProtocol {{ skyline_ssl_protocol }}"
 - "{{ skyline_ssl_cipher_suite_tls12 | ternary('SSLProxyCipherSuite ' ~ skyline_ssl_cipher_suite_tls12, '') }}"
 - "{{ skyline_ssl_cipher_suite_tls13 | ternary('SSLProxyCipherSuite TLSv1.3 ' ~ skyline_ssl_cipher_suite_tls13, '') }}"
+
+_skyline_httpd_vhost_ssl: |-
+ {% set ssl_options = {} %}
+ {% if (skyline_user_ssl_cert is defined and skyline_user_ssl_cert) and (skyline_user_ssl_key is defined and skyline_user_ssl_key) %}
+ {% set _ = ssl_options.update({'cert': skyline_user_ssl_cert, 'key': skyline_user_ssl_key}) %}
+ {% if skyline_user_ssl_ca_cert is defined and skyline_user_ssl_ca_cert %}
+ {% set _ = ssl_options.update({'ca': skyline_user_ssl_ca_cert}) %}
+ {% endif %}
+ {% else %}
+ {% set _ = ssl_options.update({'san': skyline_pki_san}) %}
+ {% endif %}
+ {{ ssl_options }}
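Review bot: `_skyline_httpd_vhost_ssl` silently drops a half-configured deployer certificate: the outer `{% if %}` requires both `skyline_user_ssl_cert` and `skyline_user_ssl_key`, so setting only one of them (a typo in the other, say) takes the `{% else %}` branch and the vhost is served with a certificate requested for `skyline_pki_san`, with `skyline_user_ssl_ca_cert` ignored as well. A fail-fast check in the task that consumes this value, for example an `ansible.builtin.assert` that both are set whenever either is, would surface the mistake instead of deploying a certificate the operator did not intend. Short of that, a comment above the block, `# Deployer-supplied cert and key are only used together; otherwise a SAN-based certificate request is made`, would at least document the fallback.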