Initialise ssh and ssl certificates

This is needed later by the keystone, nova and repo_server roles Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/840445 Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/840514 Change-Id: I3a3e9ee62fde37c65fa182bf59f12031c390d968
2022-05-04 08:57:02 +01:00 · 2022-05-04 08:57:02 +01:00 · 3458ee0ee1
parent a504a35d29
commit 3458ee0ee1
2 changed files with 74 additions and 0 deletions
--- a/test-prepare-keys.yml
+++ b/test-prepare-keys.yml
@ -119,3 +119,63 @@
        user: "{{ ansible_user_id }}"
        key: "{{ root_public_key }}"
      when: ansible_user_id != 'root'
+
+- name: Create SSHD CA
+  hosts: "{{ openstack_ssh_keypairs_setup_host | default('localhost') }}"
+  gather_facts: false
+  become: yes
+  tasks:
+    - name: "Create SSHD certificate authority"
+      include_role:
+        name: openstack.osa.ssh_keypairs
+      vars:
+        ssh_keypairs_setup_host: localhost
+        ssh_keypairs_dir: "/etc/openstack_deploy/ssh_keypairs"
+        ssh_keypairs:
+          - name: "OpenStack-Ansible-SSH-Signing-Key"
+        ssh_keypairs_install_authorities: false
+        ssh_keypairs_install_keypairs: false
+        ssh_keypairs_install_authorized_keys: false
+
+- name: Create CA certificates
+  hosts: "{{ openstack_pki_setup_host | default('localhost') }}"
+  gather_facts: "false"
+  become: true
+  tasks:
+    - name: "Create CA certificates"
+      include_role:
+        name: pki
+        tasks_from: main_ca.yml
+      vars:
+        pki_dir: "/etc/openstack_deploy/pki"
+        pki_create_ca: true
+        pki_authorities:
+          - name: "ExampleCorpRoot"
+            provider: selfsigned
+            basic_constraints: "CA:TRUE"
+            cn: "Example Corp Root CA"
+            email_address: "pki@example.com"
+            country_name: "GB"
+            state_or_province_name: "England"
+            organization_name: "Example Corporation"
+            organizational_unit_name: "IT Security"
+            key_usage:
+              - digitalSignature
+              - cRLSign
+              - keyCertSign
+            not_after: "+3650d"
+          - name: "ExampleCorpIntermediate"
+            provider: ownca
+            basic_constraints: "CA:TRUE,pathlen:0"
+            cn: "Example Corp Openstack Infrastructure Intermediate CA"
+            email_address: "pki@example.com"
+            country_name: "GB"
+            state_or_province_name: "England"
+            organization_name: "Example Corporation"
+            organizational_unit_name: "IT Security"
+            key_usage:
+              - digitalSignature
+              - cRLSign
+              - keyCertSign
+            not_after: "+3650d"
+            signed_by: "ExampleCorpRoot"
--- a/test-vars.yml
+++ b/test-vars.yml
@ -496,3 +496,17 @@ uwsgi_python_executable: "{{ openstack_venv_python_executable }}"

 ## OpenStack db setup host
 openstack_db_setup_host: infra1
+
+## ssh keypairs
+openstack_ssh_keypairs_dir: "/etc/openstack_deploy/ssh_keypairs"
+openstack_ssh_signing_key: "OpenStack-Ansible-SSH-Signing-Key"
+openstack_ssh_keypairs_authorities:
+  - name: "{{ openstack_ssh_signing_key }}"
+
+## certificate authority
+openstack_pki_authorities:
+  # placeholder to ensure that this var is defined and list is length > 0
+  - true
+
+openstack_pki_dir: "/etc/openstack_deploy/pki"
+openstack_pki_service_intermediate_cert_name: "ExampleCorpIntermediate"