From 422a5b1e0fde667e7e9e7dd66bd3a8c6f2b9beb3 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Evrard
Date: Fri, 21 Aug 2015 11:05:07 +0200
Subject: [PATCH] Adds the ability to provide user certificates to HAProxy
This change brings similar changes as this one targeting horizon: i.e.:
* The server key/certificate (and optionally a CA cert) are distributed to all haproxy containers.
* Two new variables have been implemented for a user-provided server key and certificate:
- haproxy_user_ssl_cert:
- haproxy_user_ssl_key:
If either of these is not defined, then the missing cert/key will be self generated on each container. No distribution of the self generated certificates accross all the hosts is planned.
* A new variable has been implemented for a user-provided CA certificate:
- haproxy_user_ssl_ca_cert:
* The 'haproxy_cert_regen' variable has been renamed to 'haproxy_ssl_self_signed_regen' to have the same naming convention as horizon.
* A change of certificates, whether user dropped or role generated, triggers pem generation and server restart
DocImpact
Closes-Bug: #1487380
Change-Id: I0c88d197d8ede820ac4e0388e67a2da06b003c2b
---
 .../roles/haproxy_server/defaults/main.yml | 3 +-
 .../roles/haproxy_server/handlers/main.yml | 5 ++
 .../tasks/haproxy_ssl_configuration.yml | 69 +++++++++++++++++++
 .../tasks/haproxy_ssl_key_create.yml | 43 ------------
 playbooks/roles/haproxy_server/tasks/main.yml | 2 +-
 5 files changed, 77 insertions(+), 45 deletions(-)
 create mode 100644 playbooks/roles/haproxy_server/tasks/haproxy_ssl_configuration.yml
 delete mode 100644 playbooks/roles/haproxy_server/tasks/haproxy_ssl_key_create.yml
diff --git a/playbooks/roles/haproxy_server/defaults/main.yml b/playbooks/roles/haproxy_server/defaults/main.yml
index 161dab0ac2..cf1f6fb16f 100644
--- a/playbooks/roles/haproxy_server/defaults/main.yml
+++ b/playbooks/roles/haproxy_server/defaults/main.yml
@@ -71,8 +71,9 @@ haproxy_bind_on_non_local: False
 ## haproxy SSL
 haproxy_ssl: no
-haproxy_cert_regen: no
+haproxy_ssl_self_signed_regen: no
 haproxy_ssl_cert: /etc/ssl/certs/haproxy.cert
 haproxy_ssl_key: /etc/ssl/private/haproxy.key
 haproxy_ssl_pem: /etc/ssl/private/haproxy.pem
+haproxy_ssl_ca_cert: /etc/ssl/certs/haproxy-ca.pem
 haproxy_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ internal_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}"
diff --git a/playbooks/roles/haproxy_server/handlers/main.yml b/playbooks/roles/haproxy_server/handlers/main.yml
index 9590648014..339b547333 100644
--- a/playbooks/roles/haproxy_server/handlers/main.yml
+++ b/playbooks/roles/haproxy_server/handlers/main.yml
@@ -13,6 +13,11 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
+- name: regen pem
+ shell: >
+ cat {{ haproxy_user_ssl_ca_cert is defined | ternary(haproxy_ssl_ca_cert,'') }} {{ haproxy_ssl_cert }} {{ haproxy_ssl_key }} > {{ haproxy_ssl_pem }}
+ notify: Restart haproxy
+
 - name: Restart haproxy
 service:
 name: "haproxy"
diff --git a/playbooks/roles/haproxy_server/tasks/haproxy_ssl_configuration.yml b/playbooks/roles/haproxy_server/tasks/haproxy_ssl_configuration.yml
new file mode 100644
index 0000000000..18ec80bd31
--- /dev/null
+++ b/playbooks/roles/haproxy_server/tasks/haproxy_ssl_configuration.yml
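Review bot: The new `regen pem` handler writes the private key into `{{ haproxy_ssl_pem }}` through a shell redirect, so the bundle's mode is whatever the shell's umask yields rather than something the role sets; on a common `022` umask that is `0644`, looser than the `0640` the task file gives the key itself, and only the permissions of the containing directory (`/etc/ssl/private` with the defaults) keep the key material from being readable by every local user. Prefix the command with a restrictive umask so the bundle is never created world-readable: `umask 077; cat {{ haproxy_user_ssl_ca_cert is defined | ternary(haproxy_ssl_ca_cert,'') }} {{ haproxy_ssl_cert }} {{ haproxy_ssl_key }} > {{ haproxy_ssl_pem }}`. The redirect also truncates the existing pem before `cat` reads its inputs, so a failure part-way (for instance a missing CA file) leaves haproxy with an empty or partial bundle until the next regen; writing to a temporary file next to it and moving it into place would close that window.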
@@ -0,0 +1,69 @@
+---
+# Copyright 2015, Jean-Philippe Evrard
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Drop user provided ssl cert and key
+ copy:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ owner: "root"
+ group: "root"
+ mode: "{{ item.mode }}"
+ with_items:
+ - { src: "{{ haproxy_user_ssl_cert }}", dest: "{{ haproxy_ssl_cert }}", mode: "0644" }
+ - { src: "{{ haproxy_user_ssl_key }}", dest: "{{ haproxy_ssl_key }}", mode: "0640" }
+ when: haproxy_user_ssl_cert is defined and haproxy_user_ssl_key is defined
+ notify:
+ - regen pem
+ tags:
+ - haproxy-ssl
+
+- name: Drop user provided ssl CA cert
+ copy:
+ src: "{{ haproxy_user_ssl_ca_cert }}"
+ dest: "{{ haproxy_ssl_ca_cert }}"
+ owner: "root"
+ group: "root"
+ mode: "0644"
+ when: haproxy_user_ssl_ca_cert is defined
+ notify:
+ - regen pem
+ tags:
+ - haproxy-ssl
+
+- name: Remove signed certs and keys for regen
+ file:
+ dest: "{{ haproxy_ssl_cert }}"
+ state: "absent"
+ with_items:
+ - "{{ haproxy_ssl_pem }}"
+ - "{{ haproxy_ssl_key }}"
+ - "{{ haproxy_ssl_cert }}"
+ when: haproxy_ssl_self_signed_regen | bool
+ tags:
+ - haproxy-ssl
+
+- name: Create self-signed ssl cert if no certificate exists
+ command: >
+ openssl req -new -nodes -sha256 -x509 -subj
+ "{{ haproxy_ssl_self_signed_subject }}"
+ -days 3650
+ -keyout {{ haproxy_ssl_key }}
+ -out {{ haproxy_ssl_cert }}
+ -extensions v3_ca
+ creates={{ haproxy_ssl_cert }}
+ notify:
+ - regen pem
+ tags:
+ - haproxy-ssl
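Review bot: The `Remove signed certs and keys for regen` task loops over the pem, key and cert paths but its `file` call hard-codes `dest: "{{ haproxy_ssl_cert }}"` instead of using the loop variable, so each of the three iterations deletes only the cert and the old key and pem are never removed; change it to `dest: "{{ item }}"`. This task also runs after the two `copy` tasks have dropped user-provided material, so with `haproxy_ssl_self_signed_regen` set to true a deployer's certificate is deleted and the following `openssl req` task silently replaces it with a self-signed cert and key; gating it with `when: haproxy_ssl_self_signed_regen | bool and haproxy_user_ssl_cert is not defined` (and the same guard on `Create self-signed ssl cert if no certificate exists`) keeps the regen switch scoped to the self-signed case its name implies. The loop defect is carried over from the deleted haproxy_ssl_key_create.yml; the second issue is new because user-provided certificates only exist from this change.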
diff --git a/playbooks/roles/haproxy_server/tasks/haproxy_ssl_key_create.yml b/playbooks/roles/haproxy_server/tasks/haproxy_ssl_key_create.yml
deleted file mode 100644
index e4d88d832e..0000000000
--- a/playbooks/roles/haproxy_server/tasks/haproxy_ssl_key_create.yml
+++ /dev/null
@@ -1,43 +0,0 @@
----
-# Copyright 2014, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-- name: Remove self signed cert for regen
- file:
- dest: "{{ haproxy_ssl_cert }}"
- state: "absent"
- with_items:
- - "{{ haproxy_ssl_pem }}"
- - "{{ haproxy_ssl_key }}"
- - "{{ haproxy_ssl_cert }}"
- when: haproxy_cert_regen | bool
-
-- name: Create self-signed ssl cert
- command: >
- openssl req -new -nodes -sha256 -x509 -subj
- "{{ haproxy_ssl_self_signed_subject }}"
- -days 3650
- -keyout {{ haproxy_ssl_key }}
- -out {{ haproxy_ssl_cert }}
- -extensions v3_ca
- creates={{ haproxy_ssl_cert }}
- notify: Restart haproxy
- tags:
- - haproxy-ssl
-
-- name: Create a .pem certificate file
- shell: >
- cat {{ haproxy_ssl_cert }} {{ haproxy_ssl_key }} > {{ haproxy_ssl_pem }}
- args:
- creates: "{{ haproxy_ssl_pem }}"
diff --git a/playbooks/roles/haproxy_server/tasks/main.yml b/playbooks/roles/haproxy_server/tasks/main.yml
index 01e7c2a4cb..e019fe7f66 100644
--- a/playbooks/roles/haproxy_server/tasks/main.yml
+++ b/playbooks/roles/haproxy_server/tasks/main.yml
@@ -18,7 +18,7 @@
 - include: haproxy_install.yml
-- include: haproxy_ssl_key_create.yml
+- include: haproxy_ssl_configuration.yml
 when: haproxy_ssl | bool
 - include: haproxy_post_install.yml