Implement TLS backend coverage for Skyline

While most of services already have TLS encryption with backend
implemented, Skyline implementation was missed.
Now, with migration to the common role, it's way easier to add
TLS coverage for backends.

Change-Id: I7c17d36212891108674240ddb8ac4c1fd637532c

defaults/main.yml

@@ -88,6 +88,9 @@ skyline_db_pool_timeout: "{{ openstack_db_pool_timeout | default('30') }}"
 skyline_db_connection_recycle_time: "{{ openstack_db_connection_recycle_time | default('600') }}"
 
 ## TLS configuration
+skyline_backend_ssl: "{{ openstack_service_backend_ssl | default(False) }}"
+skyline_pki_dir: "{{ openstack_pki_dir | default('/etc/openstack_deploy/pki') }}"
+skyline_pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}"
 skyline_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1') }}"
 # TLS v1.2 and below
 skyline_ssl_cipher_suite_tls12: >-
@@ -95,6 +98,11 @@ skyline_ssl_cipher_suite_tls12: >-
 # TLS v1.3
 skyline_ssl_cipher_suite_tls13: >-
   {{ ssl_cipher_suite_tls13 | default('TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256') }}
+skyline_pki_regen_cert: ''
+skyline_pki_san: "{{ openstack_pki_san | default('DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ management_address) }}"
+# skyline_user_ssl_cert: <path to cert on ansible deployment host>
+# skyline_user_ssl_key: <path to cert on ansible deployment host>
+# skyline_user_ssl_ca_cert: <path to cert on ansible deployment host>
 
 ## System User / Group
 skyline_system_user_name: skyline

releasenotes/notes/skyline_backend_ssl-cd1db8c8fbf140f0.yaml

@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Implemented TLS encryption for the communication between Load Balancer
+    (HAProxy) and Skyline backends if ``openstack_service_backend_ssl``
+    is set to True.

tasks/skyline_apache.yml

@@ -17,6 +17,12 @@
   ansible.builtin.import_role:
     name: httpd
   vars:
+    httpd_pki_dir: "{{ skyline_pki_dir }}"
+    httpd_pki_setup_host: "{{ skyline_pki_setup_host }}"
+    httpd_ssl_protocol: "{{ skyline_ssl_protocol }}"
+    httpd_ssl_cipher_suite_tls12: "{{ skyline_ssl_cipher_suite_tls12 }}"
+    httpd_ssl_cipher_suite_tls13: "{{ skyline_ssl_cipher_suite_tls13 }}"
+    httpd_pki_regen_cert: "{{ skyline_pki_regen_cert }}"
     httpd_extra_modules:
       - name: "proxy_http"
         state: "present"
@@ -46,3 +52,4 @@
               _skyline_proxy_ssl_options | select(), []
             )
           }}
+        ssl: "{{ skyline_backend_ssl | ternary(_skyline_httpd_vhost_ssl, false) }}"

vars/main.yml

@@ -89,3 +89,15 @@ _skyline_proxy_ssl_options:
   - "SSLProxyProtocol {{ skyline_ssl_protocol }}"
   - "{{ skyline_ssl_cipher_suite_tls12 | ternary('SSLProxyCipherSuite '  ~ skyline_ssl_cipher_suite_tls12, '') }}"
   - "{{ skyline_ssl_cipher_suite_tls13 | ternary('SSLProxyCipherSuite TLSv1.3 ' ~ skyline_ssl_cipher_suite_tls13, '') }}"
+
+_skyline_httpd_vhost_ssl: |-
+  {% set ssl_options = {} %}
+  {% if (skyline_user_ssl_cert is defined and skyline_user_ssl_cert) and (skyline_user_ssl_key is defined and skyline_user_ssl_key) %}
+  {%   set _ = ssl_options.update({'cert': skyline_user_ssl_cert, 'key': skyline_user_ssl_key}) %}
+  {%   if skyline_user_ssl_ca_cert is defined and skyline_user_ssl_ca_cert %}
+  {%     set _ = ssl_options.update({'ca': skyline_user_ssl_ca_cert}) %}
+  {%   endif %}
+  {% else %}
+  {%   set _ = ssl_options.update({'san': skyline_pki_san}) %}
+  {% endif %}
+  {{ ssl_options }}