SSL support for haproxy

This change adds support for SSL to the haproxy role. When
enabled, this implements/upgrades haproxy to v1.5.x from a PPA.

* A new boolean variable called 'haproxy_ssl' enables/disables
  the configuration of SSL for the haproxy service.

* A new variable called 'haproxy_ssl_self_signed_subject' has
  been implemented to allow the user to override the certificate
  properties, such as the CN and subjectAltName.

* A new variable called 'haproxy_cert_regen' has been
  implemented to allow the user to regenerate the self-signed
  certificate used for the SSL endpoint.

* SSL will only be enabled for a load balanced service if
  haproxy_ssl is true in the service vars. This has only been
  implemented for the Keystone service endpoints in this patch.

* The keystone admin service endpoint will only have SSL enabled
  if keystone_service_adminuri_proto == 'https'.

* The keystone internal/public service endpoint will only have
  SSL enabled if keystone_service_publicuri_proto == 'https'.

Implements: blueprint keystone-federation
Change-Id: I069f1a0f928feb754816b7d450929fb62df66244
This commit is contained in:
Miguel Grinberg 2015-07-06 19:40:54 -07:00 committed by Jesse Pretorius
parent 8cb06d4412
commit 36640a8f43
11 changed files with 239 additions and 16 deletions

View File

@ -140,12 +140,17 @@ keystone_service_port: 5000
keystone_service_proto: http
keystone_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(keystone_service_proto) }}"
keystone_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(keystone_service_proto) }}"
keystone_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(keystone_service_proto) }}"
keystone_service_user_name: keystone
keystone_service_tenant_name: service
keystone_service_publicuri: "{{ keystone_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ keystone_service_port }}"
keystone_service_publicurl: "{{ keystone_service_publicuri }}/v2.0"
keystone_service_internaluri: "{{ keystone_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_service_port }}"
keystone_service_internalurl: "{{ keystone_service_internaluri }}/v2.0"
keystone_service_adminuri: "{{ keystone_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_admin_port }}"
keystone_service_adminurl: "{{ keystone_service_adminuri }}/v2.0"
keystone_service_publicuri_v3: "{{ keystone_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ keystone_service_port }}"
keystone_service_publicurl_v3: "{{ keystone_service_publicuri_v3 }}/v3"
keystone_service_internaluri_v3: "{{ keystone_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_service_port }}"
keystone_service_internalurl_v3: "{{ keystone_service_adminuri_v3 }}/v3"
keystone_service_adminuri_v3: "{{ keystone_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_admin_port }}"

View File

@ -17,6 +17,35 @@
hosts: haproxy_hosts
max_fail_percentage: 20
user: root
pre_tasks:
- name: Remove legacy haproxy configuration files
file:
dest: "/etc/haproxy/conf.d/{{ item }}"
state: "absent"
with_items:
- "keystone_internal"
when: internal_lb_vip_address == external_lb_vip_address
tags:
- haproxy-service-config
post_tasks:
- name: Add keystone internal endpoint config
include: roles/haproxy_server/tasks/haproxy_service_config.yml
when: internal_lb_vip_address != external_lb_vip_address
vars:
haproxy_service_configs:
- service:
haproxy_service_name: keystone_internal
haproxy_backend_nodes: "{{ groups['keystone_all'] }}"
haproxy_bind: "{{ internal_lb_vip_address }}"
haproxy_port: 5000
haproxy_ssl: "{% if haproxy_ssl | bool and keystone_service_internaluri_proto == 'https' %}true{% else %}false{% endif %}"
haproxy_balance_type: http
haproxy_backend_options:
- "forwardfor"
- "httpchk"
- "httplog"
tags:
- haproxy-service-config
roles:
- { role: "haproxy_server", tags: [ "haproxy-server" ] }
vars_files:

View File

@ -16,6 +16,23 @@
# Defines that the role will be deployed on a host machine
is_metal: true
haproxy_apt_repo_url: "http://ppa.launchpad.net/vbernat/haproxy-1.5/ubuntu"
haproxy_apt_repo:
repo: "deb {{ haproxy_apt_repo_url }} {{ ansible_distribution_release }} main"
state: "present"
# Haproxy GPG Keys
haproxy_gpg_keys:
- key_name: 'haproxy'
keyserver: 'hkp://keyserver.ubuntu.com:80'
fallback_keyserver: 'hkp://p80.pool.sks-keyservers.net:80'
hash_id: '0xcffb779aadc995e4f350a060505d97a41c61b9cd'
haproxy_pre_apt_packages:
- python-software-properties
- software-properties-common
- debconf-utils
haproxy_apt_packages:
- haproxy
- hatop
@ -43,3 +60,11 @@ haproxy_backup_nodes: []
# - "httplog"
galera_monitoring_user: monitoring
## haproxy SSL
haproxy_ssl: no
haproxy_cert_regen: no
haproxy_ssl_cert: /etc/ssl/certs/haproxy.cert
haproxy_ssl_key: /etc/ssl/private/haproxy.key
haproxy_ssl_pem: /etc/ssl/private/haproxy.pem
haproxy_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ internal_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}"

View File

@ -0,0 +1,86 @@
---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Update apt sources
apt:
update_cache: yes
cache_valid_time: 600
register: apt_update
until: apt_update|success
retries: 5
delay: 2
tags:
- haproxy-apt-packages
- name: Install haproxy pre packages
apt:
pkg: "{{ item }}"
state: latest
register: install_packages
until: install_packages|success
retries: 5
delay: 2
with_items: haproxy_pre_apt_packages
tags:
- haproxy-pre-apt-packages
- name: Add haproxy apt-keys
apt_key:
id: "{{ item.hash_id }}"
keyserver: "{{ item.keyserver }}"
state: "present"
register: add_keys
until: add_keys|success
ignore_errors: True
retries: 5
delay: 2
with_items: haproxy_gpg_keys
tags:
- haproxy-apt-keys
- name: Add haproxy apt-keys using fallback keyserver
apt_key:
id: "{{ item.hash_id }}"
keyserver: "{{ item.fallback_keyserver }}"
state: "present"
register: add_keys_fallback
until: add_keys_fallback|success
retries: 5
delay: 2
with_items: haproxy_gpg_keys
when: add_keys|failed and item.fallback_keyserver is defined
tags:
- haproxy-apt-keys
- name: Drop haproxy repo pin
template:
src: "haproxy_pin.pref.j2"
dest: "/etc/apt/preferences.d/haproxy_pin.pref"
owner: "root"
group: "root"
mode: "0644"
tags:
- haproxy-repo-pin
- name: Add haproxy repo(s)
apt_repository:
repo: "{{ haproxy_apt_repo.repo }}"
state: "{{ haproxy_apt_repo.state }}"
register: add_repos
until: add_repos|success
retries: 5
delay: 2
tags:
- haproxy-repos

View File

@ -23,11 +23,4 @@
tags:
- haproxy-base-config
- name: "Create haproxy service config files"
template:
src: service.j2
dest: "/etc/haproxy/conf.d/{{ item.service.haproxy_service_name }}"
with_items: haproxy_service_configs
notify: Restart haproxy
tags:
- haproxy-service-config
- include: haproxy_service_config.yml

View File

@ -0,0 +1,23 @@
---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: "Create haproxy service config files"
template:
src: service.j2
dest: "/etc/haproxy/conf.d/{{ item.service.haproxy_service_name }}"
with_items: haproxy_service_configs
notify: Restart haproxy
tags:
- haproxy-service-config

View File

@ -0,0 +1,43 @@
---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Remove self signed cert for regen
file:
dest: "{{ haproxy_ssl_cert }}"
state: "absent"
with_items:
- "{{ haproxy_ssl_pem }}"
- "{{ haproxy_ssl_key }}"
- "{{ haproxy_ssl_cert }}"
when: haproxy_cert_regen | bool
- name: Create self-signed ssl cert
command: >
openssl req -new -nodes -sha256 -x509 -subj
"{{ haproxy_ssl_self_signed_subject }}"
-days 3650
-keyout {{ haproxy_ssl_key }}
-out {{ haproxy_ssl_cert }}
-extensions v3_ca
creates={{ haproxy_ssl_cert }}
notify: Restart haproxy
tags:
- haproxy-ssl
- name: Create a .pem certificate file
shell: >
cat {{ haproxy_ssl_cert }} {{ haproxy_ssl_key }} > {{ haproxy_ssl_pem }}
args:
creates: "{{ haproxy_ssl_pem }}"

View File

@ -13,5 +13,12 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- include: haproxy_add_ppa_repo.yml
when: haproxy_ssl | bool
- include: haproxy_install.yml
- include: haproxy_ssl_key_create.yml
when: haproxy_ssl | bool
- include: haproxy_post_install.yml

View File

@ -0,0 +1,5 @@
# {{ ansible_managed }}
Package: *
Pin: release o=LP-PPA-vbernat-haproxy-1.5
Pin-Priority: 1001

View File

@ -1,16 +1,20 @@
# {{ ansible_managed }}
frontend {{ item.service.haproxy_service_name }}-front
bind {{ item.service.haproxy_bind|default('*') }}:{{ item.service.haproxy_port }}
bind {{ item.service.haproxy_bind|default('*') }}:{{ item.service.haproxy_port }} {% if item.service.haproxy_ssl is defined and item.service.haproxy_ssl | bool %}ssl crt {{ haproxy_ssl_pem }}{% endif %}
{% if item.service.haproxy_balance_type == "http" %}
option httplog
option forwardfor except 127.0.0.0/8
option http-server-close
{% set request_option = "http" %}
{%- set request_option = "http" %}
{% else %}
option tcplog
{% set request_option = "tcp" %}
{%- set request_option = "tcp" %}
{% endif %}
{% if item.service.haproxy_ssl is defined and item.service.haproxy_ssl | bool %}
reqadd X-Forwarded-Proto:\ https
{% endif %}
{% if item.service.haproxy_timeout_client is defined %}

View File

@ -68,6 +68,7 @@ haproxy_service_configs:
haproxy_service_name: keystone_admin
haproxy_backend_nodes: "{{ groups['keystone_all'] }}"
haproxy_port: 35357
haproxy_ssl: "{% if haproxy_ssl | bool and keystone_service_adminuri_proto == 'https' %}true{% else %}false{% endif %}"
haproxy_balance_type: http
haproxy_backend_options:
- "forwardfor"
@ -76,7 +77,9 @@ haproxy_service_configs:
- service:
haproxy_service_name: keystone_service
haproxy_backend_nodes: "{{ groups['keystone_all'] }}"
haproxy_bind: "{% if internal_lb_vip_address != external_lb_vip_address %}{{ external_lb_vip_address }}{% else %}*{% endif %}"
haproxy_port: 5000
haproxy_ssl: "{% if haproxy_ssl | bool and keystone_service_publicuri_proto == 'https' %}true{% else %}false{% endif %}"
haproxy_balance_type: http
haproxy_backend_options:
- "forwardfor"