diff --git a/doc/source/user/security/ssl-certificates.rst b/doc/source/user/security/ssl-certificates.rst index 48bc8f07d8..57337aa5f7 100644 --- a/doc/source/user/security/ssl-certificates.rst +++ b/doc/source/user/security/ssl-certificates.rst @@ -94,6 +94,53 @@ following ways: haproxy_pki_regen_cert: true +Generating and regenerating self-signed user certificates +--------------------------------------------------------- + +Self-signed user certificates are generated but not installed for services +outside of Openstack ansible. These user certificates are signed by the same +self-signed certificate authority as is used by openstack services +but are intended to be used by user applications. + +To create user certificates, define a variable with the prefix +``user_pki_certificates_`` in the ``/etc/openstack_deploy/user_variables.yml`` +file. + +Example + +.. code-block:: yaml + + user_pki_certificates_example: + - name: "example" + provider: ownca + cn: "example.com" + san: "DNS:example.com,IP:x.x.x.x" + signed_by: "{{ openstack_pki_service_intermediate_cert_name }}" + key_usage: + - digitalSignature + - keyAgreement + extended_key_usage: + - serverAuth + +To generate a new self-signed certificate for a service, you must set +the ``user_pki_regen_cert`` variable to true in one of the +following ways: + +* To force a self-signed certificate to regenerate, you can pass the variable + to ``openstack-ansible`` on the command line: + + .. code-block:: shell-session + + # openstack-ansible -e "user_pki_regen_cert=true" certificate-generate.yml + +* To force a self-signed certificate to regenerate with every playbook run, + set the ``user_pki_regen_cert`` variable to ``true`` in the + ``/etc/openstack_deploy/user_variables.yml`` file: + + .. code-block:: yaml + + user_pki_regen_cert: true + User-provided certificates ~~~~~~~~~~~~~~~~~~~~~~~~~~ 
diff --git a/playbooks/certificate-generate.yml b/playbooks/certificate-generate.yml new file mode 100644 index 0000000000..aab5b2aba5 --- /dev/null +++ b/playbooks/certificate-generate.yml @@ -0,0 +1,32 @@ +# Copyright 2021, BBC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +- name: Generate any extra user certificates + hosts: "{{ openstack_pki_setup_host | default('localhost') }}" + gather_facts: "{{ osa_gather_facts | default(True) }}" + tags: + - always + tasks: + - name: Create user certificates + include_role: + name: pki + tasks_from: main_certs.yml + vars: + pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}" + pki_dir: "{{ openstack_pki_dir }}" + cert_dir: "{{ pki_dir }}/certs" + pki_search_certificates_pattern: "user_pki_certificates_" + pki_regen_cert: "{{ user_pki_regen_cert | default(false) }}" + when: + - pki_create_certificates | default(true) diff --git a/playbooks/setup-hosts.yml b/playbooks/setup-hosts.yml index 001db9a46a..48aaef9efc 100644 --- a/playbooks/setup-hosts.yml +++ b/playbooks/setup-hosts.yml @@ -14,6 +14,7 @@ # limitations under the License. - import_playbook: certificate-authority.yml +- import_playbook: certificate-generate.yml - import_playbook: openstack-hosts-setup.yml - import_playbook: containers-deploy.yml - import_playbook: security-hardening.yml
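Review bot: in the doc/source/user/security/ssl-certificates.rst hunk, the sentence "To generate a new self-signed certificate for a service" is copied from the service-certificate section and contradicts the section itself: these are user certificates, and the example's `signed_by: "{{ openstack_pki_service_intermediate_cert_name }}"` shows they are signed by the deployment's intermediate CA rather than being self-signed, so "signed by the internal CA" and "for a user application" would be accurate. Two smaller points in the same hunk: "Openstack ansible" should be written "OpenStack-Ansible", and the bare "Example" line should end with a colon so it reads as the lead-in to the `.. code-block:: yaml` that follows. Finally, since the text says the certificates are "generated but not installed", it should tell operators where to find them: the playbook passes `cert_dir: "{{ pki_dir }}/certs"` with `pki_dir: "{{ openstack_pki_dir }}"` on the PKI setup host, and the certificate's private key ends up there too, so the doc should point at that location and note that the key must be handled with the same care as any other service private key.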
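Review bot: in the playbooks/certificate-generate.yml hunk, `pki_dir: "{{ openstack_pki_dir }}"` has no `default()` while `pki_setup_host` in the same `vars` block does, so the play aborts with an undefined-variable error when `openstack_pki_dir` is not set; either default it the same way or state in the docs that `openstack_pki_dir` must be defined. Also, `pki_regen_cert: "{{ user_pki_regen_cert | default(false) }}"` is fed from the command line in the docs as `-e "user_pki_regen_cert=true"`, and Ansible passes key=value extra vars as strings, so a value such as `false` given that way would render as the truthy string "false"; suggest `"{{ user_pki_regen_cert | default(false) | bool }}"` so the role always receives a real boolean. A one-line comment above the `include_role` saying that only variables prefixed `user_pki_certificates_` are picked up (via `pki_search_certificates_pattern`) would also help anyone reading the play without the docs.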
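Review bot: in the playbooks/setup-hosts.yml hunk, importing `certificate-generate.yml` means the new play, which carries `tags: - always`, runs on every `setup-hosts.yml` invocation including tag-limited ones, but the documentation hunk only describes running `certificate-generate.yml` on its own. Suggest the docs mention that user certificates are also generated as part of `setup-hosts.yml`, immediately after `certificate-authority.yml` (the ordering is required, since the example certificate is signed by `openstack_pki_service_intermediate_cert_name`), so operators know that a `user_pki_regen_cert: true` left in `user_variables.yml` will regenerate the certificates on every `setup-hosts.yml` run as well.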