From 2d0e465fd3bab22790213993eecafa6727785924 Mon Sep 17 00:00:00 2001
From: Damian Dabrowski
Date: Fri, 3 Mar 2023 20:34:19 +0100
Subject: [PATCH] Add TLS support to repo_server backends
By overriding the variable `repo_backend_ssl: True` HTTPS will be enabled, disabling HTTP support on the repo_server backend. The ansible-role-pki is used to generate the required TLS certificates if this functionality is enabled.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085
Change-Id: I5c5d3dd5689ac122781303ad21dacc8a1fa746eb
---
 defaults/main.yml | 57 ++++++++++++++++++++++++++++
 handlers/main.yml | 2 +
 tasks/main.yml | 20 ++++++++++
 templates/openstack-slushee.vhost.j2 | 9 +++++
 4 files changed, 88 insertions(+)
diff --git a/defaults/main.yml b/defaults/main.yml
index 9efbf8e..349db5f 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -59,3 +59,60 @@ repo_server_systemd_mounts: []
 # type: glusterfs
 # state: 'started'
 # enabled: true
+
+ ###
+ ### Backend TLS
+ ###
+
+ # Define if communication between haproxy and service backends should be
+ # encrypted with TLS.
+ repo_backend_ssl: "{{ openstack_service_backend_ssl | default(False) }}"
+
+ # Storage location for SSL certificate authority
+ repo_pki_dir: "{{ openstack_pki_dir | default('/etc/openstack_deploy/pki') }}"
+
+ # Delegated host for operating the certificate authority
+ repo_pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}"
+
+ # repo server certificate
+ repo_pki_keys_path: "{{ repo_pki_dir ~ '/certs/private/' }}"
+ repo_pki_certs_path: "{{ repo_pki_dir ~ '/certs/certs/' }}"
+ repo_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name | default('ExampleCorpIntermediate') }}"
+ repo_pki_intermediate_cert_path: "{{ repo_pki_dir ~ '/roots/' ~ repo_pki_intermediate_cert_name ~ '/certs/' ~ repo_pki_intermediate_cert_name ~ '.crt' }}"
+ repo_pki_san: "{{ openstack_pki_san | default('DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ management_address) }}"
+ repo_pki_regen_cert: ''
+ repo_pki_certificates:
+ - name: "repo_{{ ansible_facts['hostname'] }}"
+ provider: ownca
+ cn: "{{ ansible_facts['hostname'] }}"
+ san: "{{ repo_pki_san }}"
+ signed_by: "{{ repo_pki_intermediate_cert_name }}"
+
+ # repo destination files for SSL certificates
+ repo_ssl_cert: /etc/ssl/certs/repo.pem
+ repo_ssl_key: /etc/ssl/private/repo.key
+ repo_ssl_ca_cert: /etc/ssl/certs/repo-ca.pem
+
+ # Installation details for SSL certificates
+ repo_pki_install_certificates:
+ - src: "{{ repo_user_ssl_cert | default(repo_pki_certs_path ~ 'repo_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}"
+ dest: "{{ repo_ssl_cert }}"
+ owner: "{{ repo_service_user_name }}"
+ group: "{{ repo_service_group_name }}"
+ mode: "0644"
+ - src: "{{ repo_user_ssl_key | default(repo_pki_keys_path ~ 'repo_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
+ dest: "{{ 
repo_ssl_key }}"
+ owner: "{{ repo_service_user_name }}"
+ group: "{{ repo_service_group_name }}"
+ mode: "0600"
+ - src: "{{ repo_user_ssl_ca_cert | default(repo_pki_intermediate_cert_path) }}"
+ dest: "{{ repo_ssl_ca_cert }}"
+ owner: "{{ repo_service_user_name }}"
+ group: "{{ repo_service_group_name }}"
+ mode: "0644"
+ condition: "{{ repo_user_ssl_ca_cert is defined }}"
+
+# Define user-provided SSL certificates
+#repo_user_ssl_cert:
+#repo_user_ssl_key:
+#repo_user_ssl_ca_cert:
diff --git a/handlers/main.yml b/handlers/main.yml
index d24e2f1..fafc81a 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -23,3 +23,5 @@
 until: _restart is success
 retries: 5
 delay: 2
+ listen:
+ - "cert installed"
diff --git a/tasks/main.yml b/tasks/main.yml
index b3c08d4..cdf3956 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -42,6 +42,26 @@
 tags:
 - repo_server-install
+- name: Create and install SSL certificates
+ include_role:
+ name: pki
+ tasks_from: main_certs.yml
+ apply:
+ tags:
+ - repo_server-config
+ - pki
+ vars:
+ pki_setup_host: "{{ repo_pki_setup_host }}"
+ pki_dir: "{{ repo_pki_dir }}"
+ pki_create_certificates: "{{ repo_user_ssl_cert is not defined and repo_user_ssl_key is not defined }}"
+ pki_regen_cert: "{{ repo_pki_regen_cert }}"
+ pki_certificates: "{{ repo_pki_certificates }}"
+ pki_install_certificates: "{{ repo_pki_install_certificates }}"
+ when:
+ - repo_backend_ssl
+ tags:
+ - always
+
+- ansible.builtin.include_tasks: repo_post_install.yml
 tags:
 - repo_server-config
diff --git a/templates/openstack-slushee.vhost.j2 b/templates/openstack-slushee.vhost.j2
index dc1dbc1..8e32e62 100644
--- a/templates/openstack-slushee.vhost.j2
+++ b/templates/openstack-slushee.vhost.j2
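Review bot: `pki_create_certificates` turns false as soon as either `repo_user_ssl_cert` or `repo_user_ssl_key` is defined, yet the install list in defaults/main.yml falls back to the generated `repo_<hostname>-chain.crt` / `.key.pem` path for whichever of the two is missing, so a deployer who sets only one of them presumably ends up installing a file the pki role never generated, with a late and confusing failure. An `ansible.builtin.assert` ahead of the include, gated on the same `repo_backend_ssl` condition, would fail early with a clear message; the pairing should also be stated in the comment above the `#repo_user_ssl_cert:` placeholders in defaults/main.yml, e.g. `# Define user-provided SSL certificates (repo_user_ssl_cert and repo_user_ssl_key must be set together)`.
```yaml
- name: Check that a user-provided certificate comes with its key
  ansible.builtin.assert:
    that:
      - (repo_user_ssl_cert is defined) == (repo_user_ssl_key is defined)
    fail_msg: "repo_user_ssl_cert and repo_user_ssl_key must both be set or both be unset"
  when:
    - repo_backend_ssl
  tags:
    - always

# … unchanged: Create and install SSL certificates task …
```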
@@ -2,6 +2,15 @@ server {
 listen {{ repo_server_bind_address }}:{{ repo_server_port }};
 server_name {{ repo_server_name }};
+ {% if repo_backend_ssl | bool -%}
+ ssl on;
+ ssl_certificate {{ repo_ssl_cert }};
+ ssl_certificate_key {{ repo_ssl_key }};
+ {% if repo_user_ssl_ca_cert is defined -%}
+ ssl_trusted_certificate {{ repo_ssl_ca_cert }};
+ {% endif -%}
+ {% endif -%}
+
 # Logging
 access_log /var/log/nginx/{{ repo_server_name }}.access.log gzip buffer=32k;
 error_log /var/log/nginx/{{ repo_server_name }}.error.log notice;
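Review bot: `ssl on;` is the deprecated form (nginx flagged it in 1.15.0 and later releases reject it outright), so the TLS branch is likely to fail config validation on a current nginx; the supported form is the `ssl` parameter on the existing listen line, `listen {{ repo_server_bind_address }}:{{ repo_server_port }}{% if repo_backend_ssl | bool %} ssl{% endif %};`, with the `ssl on;` line dropped. `ssl_trusted_certificate` is only consulted for OCSP stapling and client-certificate verification, neither of which this vhost enables, so the inner `{% if repo_user_ssl_ca_cert is defined %}` block has no effect as written and should either be removed or paired with the directive it is meant to serve. No `ssl_protocols` or `ssl_ciphers` are set, so the build's defaults apply, which on older nginx still admit TLS 1.0/1.1; an explicit `ssl_protocols TLSv1.2 TLSv1.3;` inside the branch would pin that. The `server` block continues outside the hunk.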