Add hashi_vault pki backend support

This patch defines necessary variables for the 'hashi_vault' pki backend which is the alternative to the default 'standalone' backend. Additionally, it: - changes the format of 'san' parameter to the new one changed in [1] - passes `pki_default_backend` when trigerring PKI role so its aware of the default backend in case it's not explicitly specified in the cert definition. - adopts this role to the recent changes in PKI role [2][3][4] [1] https://review.opendev.org/c/openstack/openstack-ansible/+/948886 [2] fc7db02074 [3] 7cff89ee71 [4] f03bcc19d5 Signed-off-by: Damian Dabrowski <damian.dabrowski@cleura.com> Depends-On: https://review.opendev.org/c/openstack/ansible-role-pki/+/948881 Change-Id: I914b9531822d600ae40b0d7400fda4184ef45e0d
2025-05-07 19:01:56 +02:00
parent fe630d6e80
commit 9aef6dd981
3 changed files with 28 additions and 14 deletions
@@ -151,11 +151,18 @@ rabbitmq_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert
 rabbitmq_pki_intermediate_cert_path: >-
  {{ rabbitmq_pki_dir ~ '/roots/' ~ rabbitmq_pki_intermediate_cert_name ~ '/certs/' ~ rabbitmq_pki_intermediate_cert_name ~ '.crt' }}
 rabbitmq_pki_regen_cert: ""
+rabbitmq_pki_backend: "{{ openstack_pki_backend | default('standalone') }}"
 rabbitmq_pki_certificates:
  - name: "rabbitmq_{{ ansible_facts['hostname'] }}"
-    provider: ownca
    cn: "{{ ansible_facts['hostname'] }}"
-    san: "{{ 'DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ rabbitmq_node_address ~ ',DNS:' ~ ansible_facts['fqdn'] }}"
+    san:
+      dns:
+        - "{{ ansible_facts['hostname'] }}"
+        - "{{ ansible_facts['fqdn'] }}"
+      ip:
+        - "{{ rabbitmq_node_address }}"
+    # standalone backend only
+    provider: ownca
    signed_by: "{{ rabbitmq_pki_intermediate_cert_name }}"

 # RabbitMQ destination files for SSL certificates
@@ -165,27 +172,33 @@ rabbitmq_ssl_ca_cert: /etc/rabbitmq/rabbitmq-ca.pem

 # Installation details for SSL certificates
 rabbitmq_pki_install_certificates:
-  - src: "{{ rabbitmq_user_ssl_cert | default(rabbitmq_pki_certs_path ~ 'rabbitmq_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}"
+  - name: "rabbitmq_{{ ansible_facts['hostname'] }}"
+    type: "certificate_chain"
    dest: "{{ rabbitmq_ssl_cert }}"
    owner: "rabbitmq"
    group: "rabbitmq"
-    mode: "0644"
-  - src: "{{ rabbitmq_user_ssl_key | default(rabbitmq_pki_keys_path ~ 'rabbitmq_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
+    # standalone backend only
+    src: "{{ rabbitmq_user_ssl_cert }}"
+  - name: "rabbitmq_{{ ansible_facts['hostname'] }}"
+    type: "private_key"
    dest: "{{ rabbitmq_ssl_key }}"
    owner: "rabbitmq"
    group: "rabbitmq"
-    mode: "0600"
-  - src: "{{ rabbitmq_user_ssl_ca_cert | default(rabbitmq_pki_intermediate_cert_path) }}"
+    # standalone backend only
+    src: "{{ rabbitmq_user_ssl_key }}"
+  - name: "rabbitmq_{{ ansible_facts['hostname'] }}"
+    type: "ca_bundle"
    dest: "{{ rabbitmq_ssl_ca_cert }}"
    owner: "rabbitmq"
    group: "rabbitmq"
-    mode: "0644"
+    # standalone backend only
+    src: "{{ rabbitmq_user_ssl_ca_cert }}"

 # Define user-provided SSL certificates in:
 # /etc/openstack_deploy/user_variables.yml
-# rabbitmq_user_ssl_cert: <path to cert on ansible deployment host>
-# rabbitmq_user_ssl_key: <path to cert on ansible deployment host>
-# rabbitmq_user_ssl_ca_cert: <path to cert on ansible deployment host>
+rabbitmq_user_ssl_cert: ""
+rabbitmq_user_ssl_key: ""
+rabbitmq_user_ssl_ca_cert: ""

 # These are highly recommended for TLSv1.2 but cannot be used
 # with TLSv1.3. If TLSv1.3 is enabled, these lines will not be
@@ -50,13 +50,14 @@
    name: pki
    tasks_from: "{{ rabbitmq_pki_create_ca | ternary('main.yml', 'main_certs.yml') }}"
  vars:
+    pki_backend: "{{ rabbitmq_pki_backend }}"
    pki_setup_host: "{{ rabbitmq_pki_setup_host }}"
    pki_dir: "{{ rabbitmq_pki_dir }}"
    pki_create_ca: "{{ rabbitmq_pki_create_ca }}"
    pki_regen_ca: "{{ rabbitmq_pki_regen_ca }}"
    pki_authorities: "{{ rabbitmq_pki_authorities }}"
    pki_install_ca: "{{ rabbitmq_pki_install_ca }}"
-    pki_create_certificates: "{{ rabbitmq_user_ssl_cert is not defined and rabbitmq_user_ssl_key is not defined }}"
+    pki_create_certificates: "{{ rabbitmq_user_ssl_cert | length == 0 and rabbitmq_user_ssl_key | length == 0 }}"
    pki_regen_cert: "{{ rabbitmq_pki_regen_cert }}"
    pki_certificates: "{{ rabbitmq_pki_certificates }}"
    pki_install_certificates: "{{ rabbitmq_pki_install_certificates }}"
@@ -26,7 +26,7 @@ listeners.{{ _opt }}.{{ loop.index }} = {{ _key }}:{{ _value }}

 ssl_options.certfile   = {{ rabbitmq_ssl_cert }}
 ssl_options.keyfile    = {{ rabbitmq_ssl_key }}
-{% if rabbitmq_user_ssl_ca_cert is defined -%}
+{% if rabbitmq_user_ssl_ca_cert | length > 0 -%}
 ssl_options.cacertfile = {{ rabbitmq_ssl_ca_cert }}
 {% endif %}
 ssl_options.honor_cipher_order   = true
@@ -59,7 +59,7 @@ management.ssl.ip = {{ rabbitmq_management_bind_address }}
 management.ssl.port = {{ rabbitmq_management_bind_tls_port }}
 management.ssl.certfile   = {{ rabbitmq_ssl_cert }}
 management.ssl.keyfile    = {{ rabbitmq_ssl_key }}
-{%   if rabbitmq_user_ssl_ca_cert is defined -%}
+{%   if rabbitmq_user_ssl_ca_cert | length > 0 -%}
 management.ssl.cacertfile = {{ rabbitmq_ssl_ca_cert }}
 {%   endif %}
 management.ssl.honor_cipher_order   = true