Add TLS support to repo_server backends

By overriding the variable `repo_backend_ssl: True` HTTPS will be enabled, disabling HTTP support on the repo_server backend. The ansible-role-pki is used to generate the required TLS certificates if this functionality is enabled. Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085 Change-Id: I5c5d3dd5689ac122781303ad21dacc8a1fa746eb
2023-03-03 20:34:19 +01:00 · 2023-03-03 20:34:19 +01:00 · 2d0e465fd3
commit 2d0e465fd3
parent 3d3f610245
4 changed files with 88 additions and 0 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -59,3 +59,60 @@ repo_server_systemd_mounts: []
 #    type: glusterfs
 #    state: 'started'
 #    enabled: true
+
+###
+### Backend TLS
+###
+
+# Define if communication between haproxy and service backends should be
+# encrypted with TLS.
+repo_backend_ssl: "{{ openstack_service_backend_ssl | default(False) }}"
+
+# Storage location for SSL certificate authority
+repo_pki_dir: "{{ openstack_pki_dir | default('/etc/openstack_deploy/pki') }}"
+
+# Delegated host for operating the certificate authority
+repo_pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}"
+
+# repo server certificate
+repo_pki_keys_path: "{{ repo_pki_dir ~ '/certs/private/' }}"
+repo_pki_certs_path: "{{ repo_pki_dir ~ '/certs/certs/' }}"
+repo_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name | default('ExampleCorpIntermediate') }}"
+repo_pki_intermediate_cert_path: "{{ repo_pki_dir ~ '/roots/' ~ repo_pki_intermediate_cert_name ~ '/certs/' ~ repo_pki_intermediate_cert_name ~ '.crt' }}"
+repo_pki_san: "{{ openstack_pki_san | default('DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ management_address) }}"
+repo_pki_regen_cert: ''
+repo_pki_certificates:
+  - name: "repo_{{ ansible_facts['hostname'] }}"
+    provider: ownca
+    cn: "{{ ansible_facts['hostname'] }}"
+    san: "{{ repo_pki_san }}"
+    signed_by: "{{ repo_pki_intermediate_cert_name }}"
+
+# repo destination files for SSL certificates
+repo_ssl_cert: /etc/ssl/certs/repo.pem
+repo_ssl_key: /etc/ssl/private/repo.key
+repo_ssl_ca_cert: /etc/ssl/certs/repo-ca.pem
+
+# Installation details for SSL certificates
+repo_pki_install_certificates:
+  - src: "{{ repo_user_ssl_cert | default(repo_pki_certs_path ~ 'repo_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}"
+    dest: "{{ repo_ssl_cert }}"
+    owner: "{{ repo_service_user_name }}"
+    group: "{{ repo_service_group_name }}"
+    mode: "0644"
+  - src: "{{ repo_user_ssl_key | default(repo_pki_keys_path ~ 'repo_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
+    dest: "{{ repo_ssl_key }}"
+    owner: "{{ repo_service_user_name }}"
+    group: "{{ repo_service_group_name }}"
+    mode: "0600"
+  - src: "{{ repo_user_ssl_ca_cert | default(repo_pki_intermediate_cert_path) }}"
+    dest: "{{ repo_ssl_ca_cert }}"
+    owner: "{{ repo_service_user_name }}"
+    group: "{{ repo_service_group_name }}"
+    mode: "0644"
+    condition: "{{ repo_user_ssl_ca_cert is defined }}"
+
+# Define user-provided SSL certificates
+#repo_user_ssl_cert: <path to cert on ansible deployment host>
+#repo_user_ssl_key: <path to cert on ansible deployment host>
+#repo_user_ssl_ca_cert: <path to cert on ansible deployment host>
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -23,3 +23,5 @@
  until: _restart is success
  retries: 5
  delay: 2
+  listen:
+    - "cert installed"
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -42,6 +42,26 @@
  tags:
    - repo_server-install

+- name: Create and install SSL certificates
+  include_role:
+    name: pki
+    tasks_from: main_certs.yml
+    apply:
+      tags:
+        - repo_server-config
+        - pki
+  vars:
+    pki_setup_host: "{{ repo_pki_setup_host }}"
+    pki_dir: "{{ repo_pki_dir }}"
+    pki_create_certificates: "{{ repo_user_ssl_cert is not defined and repo_user_ssl_key is not defined }}"
+    pki_regen_cert: "{{ repo_pki_regen_cert }}"
+    pki_certificates: "{{ repo_pki_certificates }}"
+    pki_install_certificates: "{{ repo_pki_install_certificates }}"
+  when:
+    - repo_backend_ssl
+  tags:
+    - always
+
 - ansible.builtin.include_tasks: repo_post_install.yml
  tags:
    - repo_server-config
--- a/templates/openstack-slushee.vhost.j2
+++ b/templates/openstack-slushee.vhost.j2
@ -2,6 +2,15 @@ server {
    listen {{ repo_server_bind_address }}:{{ repo_server_port }};
    server_name {{ repo_server_name }};

+    {% if repo_backend_ssl | bool -%}
+    ssl on;
+    ssl_certificate {{ repo_ssl_cert }};
+    ssl_certificate_key {{ repo_ssl_key }};
+    {% if repo_user_ssl_ca_cert is defined -%}
+    ssl_trusted_certificate {{ repo_ssl_ca_cert }};
+    {% endif -%}
+    {% endif -%}
+
    # Logging
    access_log /var/log/nginx/{{ repo_server_name }}.access.log gzip buffer=32k;
    error_log /var/log/nginx/{{ repo_server_name }}.error.log notice;