openstack/openstack-ansible
Code Issues Proposed changes
00a3ff23c5
openstack-ansible/playbooks/roles/haproxy_server/tasks/haproxy_ssl_configuration.yml
Jean-Philippe Evrard 422a5b1e0f Adds the ability to provide user certificates to HAProxy 
This change brings similar changes as this one targeting horizon:

i.e.:
* The server key/certificate (and optionally a CA cert) are
  distributed to all haproxy containers.

* Two new variables have been implemented for a user-provided
  server key and certificate:
  - haproxy_user_ssl_cert: <path to cert on deployment host>
  - haproxy_user_ssl_key: <path to cert on deployment host>
  If either of these is not defined, then the missing cert/key
  will be self generated on each container. No distribution
  of the self generated certificates accross all the hosts
  is planned.

* A new variable has been implemented for a user-provided CA
  certificate:
  - haproxy_user_ssl_ca_cert: <path to cert on deployment host>

* The 'haproxy_cert_regen' variable has been renamed
  to 'haproxy_ssl_self_signed_regen' to have the same
  naming convention as horizon.

* A change of certificates, whether user dropped
  or role generated, triggers pem generation and server restart

DocImpact
Closes-Bug: #1487380

Change-Id: I0c88d197d8ede820ac4e0388e67a2da06b003c2b
2015-09-03 18:37:00 +00:00

70 lines
2.0 KiB
YAML
Raw Blame History

---
# Copyright 2015, Jean-Philippe Evrard <jean-philippe.evrard@belnet.be>
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Drop user provided ssl cert and key
copy:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "root"
group: "root"
mode: "{{ item.mode }}"
with_items:
- { src: "{{ haproxy_user_ssl_cert }}", dest: "{{ haproxy_ssl_cert }}", mode: "0644" }
- { src: "{{ haproxy_user_ssl_key }}", dest: "{{ haproxy_ssl_key }}", mode: "0640" }
when: haproxy_user_ssl_cert is defined and haproxy_user_ssl_key is defined
notify:
- regen pem
tags:
- haproxy-ssl
- name: Drop user provided ssl CA cert
copy:
src: "{{ haproxy_user_ssl_ca_cert }}"
dest: "{{ haproxy_ssl_ca_cert }}"
owner: "root"
group: "root"
mode: "0644"
when: haproxy_user_ssl_ca_cert is defined
notify:
- regen pem
tags:
- haproxy-ssl
- name: Remove signed certs and keys for regen
file:
dest: "{{ haproxy_ssl_cert }}"
state: "absent"
with_items:
- "{{ haproxy_ssl_pem }}"
- "{{ haproxy_ssl_key }}"
- "{{ haproxy_ssl_cert }}"
when: haproxy_ssl_self_signed_regen | bool
tags:
- haproxy-ssl
- name: Create self-signed ssl cert if no certificate exists
command: >
openssl req -new -nodes -sha256 -x509 -subj
"{{ haproxy_ssl_self_signed_subject }}"
-days 3650
-keyout {{ haproxy_ssl_key }}
-out {{ haproxy_ssl_cert }}
-extensions v3_ca
creates={{ haproxy_ssl_cert }}
notify:
- regen pem
tags:
- haproxy-ssl
View Git Blame Copy Permalink