SSL support for haproxy

This change adds support for SSL to the haproxy role. When enabled, this implements/upgrades haproxy to v1.5.x from a PPA. * A new boolean variable called 'haproxy_ssl' enables/disables the configuration of SSL for the haproxy service. * A new variable called 'haproxy_ssl_self_signed_subject' has been implemented to allow the user to override the certificate properties, such as the CN and subjectAltName. * A new variable called 'haproxy_cert_regen' has been implemented to allow the user to regenerate the self-signed certificate used for the SSL endpoint. * SSL will only be enabled for a load balanced service if haproxy_ssl is true in the service vars. This has only been implemented for the Keystone service endpoints in this patch. * The keystone admin service endpoint will only have SSL enabled if keystone_service_adminuri_proto == 'https'. * The keystone internal/public service endpoint will only have SSL enabled if keystone_service_publicuri_proto == 'https'. Implements: blueprint keystone-federation Change-Id: I069f1a0f928feb754816b7d450929fb62df66244
2015-07-06 19:40:54 -07:00 · 2015-07-06 19:40:54 -07:00 · 36640a8f43
commit 36640a8f43
parent 8cb06d4412
11 changed files with 239 additions and 16 deletions
--- a/etc/openstack_deploy/user_group_vars.yml
+++ b/etc/openstack_deploy/user_group_vars.yml
@ -140,12 +140,17 @@ keystone_service_port: 5000
 keystone_service_proto: http
 keystone_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(keystone_service_proto) }}"
 keystone_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(keystone_service_proto) }}"
+keystone_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(keystone_service_proto) }}"
 keystone_service_user_name: keystone
 keystone_service_tenant_name: service
+keystone_service_publicuri: "{{ keystone_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ keystone_service_port }}"
+keystone_service_publicurl: "{{ keystone_service_publicuri }}/v2.0"
 keystone_service_internaluri: "{{ keystone_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_service_port }}"
 keystone_service_internalurl: "{{ keystone_service_internaluri }}/v2.0"
 keystone_service_adminuri: "{{ keystone_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_admin_port }}"
 keystone_service_adminurl: "{{ keystone_service_adminuri }}/v2.0"
+keystone_service_publicuri_v3: "{{ keystone_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ keystone_service_port }}"
+keystone_service_publicurl_v3: "{{ keystone_service_publicuri_v3 }}/v3"
 keystone_service_internaluri_v3: "{{ keystone_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_service_port }}"
 keystone_service_internalurl_v3: "{{ keystone_service_adminuri_v3 }}/v3"
 keystone_service_adminuri_v3: "{{ keystone_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_admin_port }}"
--- a/playbooks/haproxy-install.yml
+++ b/playbooks/haproxy-install.yml
@ -17,6 +17,35 @@
  hosts: haproxy_hosts
  max_fail_percentage: 20
  user: root
+  pre_tasks:
+    - name: Remove legacy haproxy configuration files
+      file:
+        dest: "/etc/haproxy/conf.d/{{ item }}"
+        state: "absent"
+      with_items:
+        - "keystone_internal"
+      when: internal_lb_vip_address == external_lb_vip_address
+      tags:
+        - haproxy-service-config
+  post_tasks:
+    - name: Add keystone internal endpoint config
+      include: roles/haproxy_server/tasks/haproxy_service_config.yml
+      when: internal_lb_vip_address != external_lb_vip_address
+      vars:
+        haproxy_service_configs:
+          - service:
+              haproxy_service_name: keystone_internal
+              haproxy_backend_nodes: "{{ groups['keystone_all'] }}"
+              haproxy_bind: "{{ internal_lb_vip_address }}"
+              haproxy_port: 5000
+              haproxy_ssl: "{% if haproxy_ssl | bool and keystone_service_internaluri_proto == 'https' %}true{% else %}false{% endif %}"
+              haproxy_balance_type: http
+              haproxy_backend_options:
+                - "forwardfor"
+                - "httpchk"
+                - "httplog"
+      tags:
+        - haproxy-service-config
  roles:
    - { role: "haproxy_server", tags: [ "haproxy-server" ] }
  vars_files:
--- a/playbooks/roles/haproxy_server/defaults/main.yml
+++ b/playbooks/roles/haproxy_server/defaults/main.yml
@ -16,6 +16,23 @@
 # Defines that the role will be deployed on a host machine
 is_metal: true

+haproxy_apt_repo_url: "http://ppa.launchpad.net/vbernat/haproxy-1.5/ubuntu"
+haproxy_apt_repo:
+  repo: "deb {{ haproxy_apt_repo_url }} {{ ansible_distribution_release }} main"
+  state: "present"
+
+# Haproxy GPG Keys
+haproxy_gpg_keys:
+  - key_name: 'haproxy'
+    keyserver: 'hkp://keyserver.ubuntu.com:80'
+    fallback_keyserver: 'hkp://p80.pool.sks-keyservers.net:80'
+    hash_id: '0xcffb779aadc995e4f350a060505d97a41c61b9cd'
+
+haproxy_pre_apt_packages:
+  - python-software-properties
+  - software-properties-common
+  - debconf-utils
+
 haproxy_apt_packages:
  - haproxy
  - hatop
@ -43,3 +60,11 @@ haproxy_backup_nodes: []
 #         - "httplog"

 galera_monitoring_user: monitoring
+
+## haproxy SSL
+haproxy_ssl: no
+haproxy_cert_regen: no
+haproxy_ssl_cert: /etc/ssl/certs/haproxy.cert
+haproxy_ssl_key: /etc/ssl/private/haproxy.key
+haproxy_ssl_pem: /etc/ssl/private/haproxy.pem
+haproxy_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ internal_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}"
--- a/playbooks/roles/haproxy_server/tasks/haproxy_add_ppa_repo.yml
+++ b/playbooks/roles/haproxy_server/tasks/haproxy_add_ppa_repo.yml
@ -0,0 +1,86 @@
+---
+# Copyright 2014, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Update apt sources
+  apt:
+    update_cache: yes
+    cache_valid_time: 600
+  register: apt_update
+  until: apt_update|success
+  retries: 5
+  delay: 2
+  tags:
+    - haproxy-apt-packages
+
+- name: Install haproxy pre packages
+  apt:
+    pkg: "{{ item }}"
+    state: latest
+  register: install_packages
+  until: install_packages|success
+  retries: 5
+  delay: 2
+  with_items: haproxy_pre_apt_packages
+  tags:
+    - haproxy-pre-apt-packages
+
+- name: Add haproxy apt-keys
+  apt_key:
+    id: "{{ item.hash_id }}"
+    keyserver: "{{ item.keyserver }}"
+    state: "present"
+  register: add_keys
+  until: add_keys|success
+  ignore_errors: True
+  retries: 5
+  delay: 2
+  with_items: haproxy_gpg_keys
+  tags:
+    - haproxy-apt-keys
+
+- name: Add haproxy apt-keys using fallback keyserver
+  apt_key:
+    id: "{{ item.hash_id }}"
+    keyserver: "{{ item.fallback_keyserver }}"
+    state: "present"
+  register: add_keys_fallback
+  until: add_keys_fallback|success
+  retries: 5
+  delay: 2
+  with_items: haproxy_gpg_keys
+  when: add_keys|failed and item.fallback_keyserver is defined
+  tags:
+    - haproxy-apt-keys
+
+- name: Drop haproxy repo pin
+  template:
+    src: "haproxy_pin.pref.j2"
+    dest: "/etc/apt/preferences.d/haproxy_pin.pref"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  tags:
+    - haproxy-repo-pin
+
+- name: Add haproxy repo(s)
+  apt_repository:
+    repo: "{{ haproxy_apt_repo.repo }}"
+    state: "{{ haproxy_apt_repo.state }}"
+  register: add_repos
+  until: add_repos|success
+  retries: 5
+  delay: 2
+  tags:
+    - haproxy-repos
--- a/playbooks/roles/haproxy_server/tasks/haproxy_post_install.yml
+++ b/playbooks/roles/haproxy_server/tasks/haproxy_post_install.yml
@ -23,11 +23,4 @@
  tags:
    - haproxy-base-config

- name: "Create haproxy service config files"
-  template:
-    src: service.j2
-    dest: "/etc/haproxy/conf.d/{{ item.service.haproxy_service_name }}"
-  with_items: haproxy_service_configs
-  notify: Restart haproxy
-  tags:
-    - haproxy-service-config
+- include: haproxy_service_config.yml
--- a/playbooks/roles/haproxy_server/tasks/haproxy_service_config.yml
+++ b/playbooks/roles/haproxy_server/tasks/haproxy_service_config.yml
@ -0,0 +1,23 @@
+---
+# Copyright 2014, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: "Create haproxy service config files"
+  template:
+    src: service.j2
+    dest: "/etc/haproxy/conf.d/{{ item.service.haproxy_service_name }}"
+  with_items: haproxy_service_configs
+  notify: Restart haproxy
+  tags:
+    - haproxy-service-config
--- a/playbooks/roles/haproxy_server/tasks/haproxy_ssl_key_create.yml
+++ b/playbooks/roles/haproxy_server/tasks/haproxy_ssl_key_create.yml
@ -0,0 +1,43 @@
+---
+# Copyright 2014, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Remove self signed cert for regen
+  file:
+    dest: "{{ haproxy_ssl_cert }}"
+    state: "absent"
+  with_items:
+    - "{{ haproxy_ssl_pem }}"
+    - "{{ haproxy_ssl_key }}"
+    - "{{ haproxy_ssl_cert }}"
+  when: haproxy_cert_regen | bool
+
+- name: Create self-signed ssl cert
+  command: >
+    openssl req -new -nodes -sha256 -x509 -subj
+    "{{ haproxy_ssl_self_signed_subject }}"
+    -days 3650
+    -keyout {{ haproxy_ssl_key }}
+    -out {{ haproxy_ssl_cert }}
+    -extensions v3_ca
+    creates={{ haproxy_ssl_cert }}
+  notify: Restart haproxy
+  tags:
+    - haproxy-ssl
+
+- name: Create a .pem certificate file
+  shell: >
+    cat {{ haproxy_ssl_cert }} {{ haproxy_ssl_key }} > {{ haproxy_ssl_pem }}
+  args:
+    creates: "{{ haproxy_ssl_pem }}"
--- a/playbooks/roles/haproxy_server/tasks/main.yml
+++ b/playbooks/roles/haproxy_server/tasks/main.yml
@ -13,5 +13,12 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

+- include: haproxy_add_ppa_repo.yml
+  when: haproxy_ssl | bool
+
 - include: haproxy_install.yml
+
+- include: haproxy_ssl_key_create.yml
+  when: haproxy_ssl | bool
+
 - include: haproxy_post_install.yml
--- a/playbooks/roles/haproxy_server/templates/haproxy_pin.pref.j2
+++ b/playbooks/roles/haproxy_server/templates/haproxy_pin.pref.j2
@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+
+Package: *
+Pin: release o=LP-PPA-vbernat-haproxy-1.5
+Pin-Priority: 1001
--- a/playbooks/roles/haproxy_server/templates/service.j2
+++ b/playbooks/roles/haproxy_server/templates/service.j2
@ -1,16 +1,20 @@
 # {{ ansible_managed }}

 frontend {{ item.service.haproxy_service_name }}-front
-bind {{ item.service.haproxy_bind|default('*') }}:{{ item.service.haproxy_port }}
+bind {{ item.service.haproxy_bind|default('*') }}:{{ item.service.haproxy_port }} {% if item.service.haproxy_ssl is defined and item.service.haproxy_ssl | bool %}ssl crt {{ haproxy_ssl_pem }}{% endif %}
+
 {% if item.service.haproxy_balance_type == "http" %}
    option httplog
    option forwardfor except 127.0.0.0/8
    option http-server-close

-    {% set request_option = "http" %}
+    {%- set request_option = "http" %}
 {% else %}
    option  tcplog
-    {% set request_option = "tcp" %}
+    {%- set request_option = "tcp" %}
+{% endif %}
+{% if item.service.haproxy_ssl is defined and item.service.haproxy_ssl | bool %}
+    reqadd X-Forwarded-Proto:\ https
 {% endif %}

 {% if item.service.haproxy_timeout_client is defined %}
--- a/playbooks/vars/configs/haproxy_config.yml
+++ b/playbooks/vars/configs/haproxy_config.yml
@ -68,6 +68,7 @@ haproxy_service_configs:
      haproxy_service_name: keystone_admin
      haproxy_backend_nodes: "{{ groups['keystone_all'] }}"
      haproxy_port: 35357
+      haproxy_ssl: "{% if haproxy_ssl | bool and keystone_service_adminuri_proto == 'https' %}true{% else %}false{% endif %}"
      haproxy_balance_type: http
      haproxy_backend_options:
       - "forwardfor"
@ -76,7 +77,9 @@ haproxy_service_configs:
  - service:
      haproxy_service_name: keystone_service
      haproxy_backend_nodes: "{{ groups['keystone_all'] }}"
+      haproxy_bind: "{% if internal_lb_vip_address != external_lb_vip_address %}{{ external_lb_vip_address }}{% else %}*{% endif %}"
      haproxy_port: 5000
+      haproxy_ssl: "{% if haproxy_ssl | bool and keystone_service_publicuri_proto == 'https' %}true{% else %}false{% endif %}"
      haproxy_balance_type: http
      haproxy_backend_options:
       - "forwardfor"