Add ability to deploy the Overcloud with SSL

- The undercloud part has been removed, since that is handled by OOOQ
- Improve tls_tht.py to be able to manage master/newton SSL specifics.

Depends-On: Id2d98903577525daa79c7f57eead512ee030e6b8
Depends-On: Idc74e30b6b4d3a749d748dbbd61ff162e69ca5ae

Change-Id: I2e647764a3bf965a1f874f75b8e28eaca25accce
Signed-off-by: Gael Chamoulaud <gchamoul@redhat.com>
Gael Chamoulaud 2016-10-04 18:03:59 +02:00
parent 977f2d811c
commit be2653a1a6
4 changed files with 99 additions and 57 deletions


@ -1,8 +1,8 @@
---
# defaults file for ansible-role-tripleo-ssl
local_working_dir: "{{ lookup('env', 'HOME') }}/.cat"
working_dir: /home/stack
ssl_overcloud: false
ssl_undercloud: false
undercloud_undercloud_public_vip: 172.16.23.110
overcloud_public_vip: 10.0.0.5
overcloud_ssl_cert_log: "{{working_dir}}/overcloud_create_ssl_cert.log"
overcloud_ssl_cert_script: overcloud-create-ssl-cert.sh.j2


@ -49,6 +49,11 @@ options:
- the CA cert pem filename
required: false
default: cert.pem
tht_release:
description:
- the tht release name
required: false
default: master
'''
@ -68,12 +73,13 @@ def _open_yaml(filename):
return tmp_dict
def create_enable_file(certpem, keypem, source_dir, dest_dir):
def create_enable_file(certpem, keypem, source_dir, dest_dir, tht_release):
output_dict = _open_yaml("{}environments/enable-tls.yaml".format(source_dir))
for key in output_dict["parameter_defaults"]["EndpointMap"]:
if output_dict["parameter_defaults"]["EndpointMap"][key]["host"] == "CLOUDNAME":
output_dict["parameter_defaults"]["EndpointMap"][key]["host"] = "IP_ADDRESS"
if tht_release not in ['master', 'newton']:
for key in output_dict["parameter_defaults"]["EndpointMap"]:
if output_dict["parameter_defaults"]["EndpointMap"][key]["host"] == "CLOUDNAME":
output_dict["parameter_defaults"]["EndpointMap"][key]["host"] = "IP_ADDRESS"
output_dict["parameter_defaults"]["SSLCertificate"] = certpem
output_dict["parameter_defaults"]["SSLKey"] = keypem
@ -108,6 +114,7 @@ def main():
cert_filename=dict(default="cert.pem", required=False),
cert_ca_filename=dict(default="cert.pem", required=False),
key_filename=dict(default="key.pem", required=False),
tht_release=dict(default="master", required=False),
)
)
@ -120,8 +127,13 @@ def main():
with open(module.params["key_filename"], "r") as stream:
keypem = stream.read()
create_enable_file(certpem, keypem, module.params["source_dir"], module.params["dest_dir"])
create_anchor_file(cert_ca_pem, module.params["source_dir"], module.params["dest_dir"])
create_enable_file(certpem, keypem,
module.params["source_dir"],
module.params["dest_dir"],
module.params["tht_release"])
create_anchor_file(cert_ca_pem,
module.params["source_dir"],
module.params["dest_dir"])
module.exit_json(changed=True)
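Review bot: The `tht_release` option added to the module docs (`tht_release:` … `default: master`) does not say what the value changes, while the new guard in create_enable_file only rewrites CLOUDNAME endpoint hosts to IP_ADDRESS when the release is neither master nor newton; the description should state that, e.g. `- the tht release name; for releases other than master/newton the CLOUDNAME endpoint hosts are rewritten to IP_ADDRESS`. The guarded loop also repeats the three-level lookup `output_dict["parameter_defaults"]["EndpointMap"]` on each line, which reads more easily bound to a local once, as below. The membership test is case-sensitive and the tasks file passes the raw `release` value through, so a value such as `Master` would silently take the non-master path — worth normalising with `.lower()` or documenting. create_enable_file continues past the end of the hunk.
```python
def create_enable_file(certpem, keypem, source_dir, dest_dir, tht_release):
    output_dict = _open_yaml("{}environments/enable-tls.yaml".format(source_dir))
    # only releases other than master/newton get CLOUDNAME rewritten to IP_ADDRESS
    if tht_release not in ['master', 'newton']:
        endpoint_map = output_dict["parameter_defaults"]["EndpointMap"]
        for endpoint in endpoint_map.values():
            if endpoint["host"] == "CLOUDNAME":
                endpoint["host"] = "IP_ADDRESS"
    # … unchanged: SSLCertificate / SSLKey assignment and the rest of the function …
```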


@ -1,54 +1,32 @@
---
# tasks file for ansible-role-tripleo-ssl
- name: Ensure rpm requirements for ssl are installed
yum: name={{ item }} state=latest
with_items:
- openssl
when: ssl_overcloud or ssl_undercloud
- when: ssl_overcloud
block:
- name: Ensure rpm requirements for ssl are installed
yum: name={{ item }} state=latest
with_items:
- openssl
- name: Ensure tripleo heat template rpm requirements for ssl are installed
yum: name={{ item }} state=latest
with_items:
- openstack-tripleo-heat-templates
when: ssl_overcloud
- name: Ensure tripleo heat template rpm requirements for ssl are installed
yum: name={{ item }} state=latest
with_items:
- openstack-tripleo-heat-templates
- name: create self-signed SSL cert
command: openssl req -x509 -nodes -newkey rsa:2048 -subj "/CN={{ undercloud_undercloud_public_vip }}" -days 3650 -keyout test-privkey.pem -out test-cacert.pem -extensions v3_ca
when: ssl_overcloud or ssl_undercloud
- name: Create overcloud-create-ssl-cert.sh
template:
src: "{{ overcloud_ssl_cert_script }}"
dest: "{{ working_dir }}/overcloud-create-ssl-cert.sh"
mode: 0755
- name: Combine CA and key for HAproxy
shell: >
cat test-cacert.pem test-privkey.pem > undercloud.pem
when: ssl_undercloud
- name: Generate SSL certificates
shell: |
{{ working_dir }}/overcloud-create-ssl-cert.sh > {{ overcloud_ssl_cert_log }} 2>&1
- name: Combine CA and key for HAproxy
sudo: yes
shell: >
mkdir /etc/pki/instack-certs;
cp undercloud.pem /etc/pki/instack-certs;
semanage fcontext -a -t etc_t "/etc/pki/instack-certs(/.*)?";
restorecon -R /etc/pki/instack-certs;
when: ssl_undercloud
- name: Copy self-signed certificate
sudo: yes
shell: >
cp test-cacert.pem /etc/pki/ca-trust/source/anchors/;
update-ca-trust extract;
when: ssl_undercloud
- name: fetch template from single remote host
tls_tht:
source_dir: "/usr/share/openstack-tripleo-heat-templates/"
dest_dir: "{{ working_dir }}/"
cert_filename: "test-cacert.pem"
cert_ca_filename: "test-cacert.pem"
key_filename: "test-privkey.pem"
when: ssl_overcloud
- name: copy the self-signed SSL cert
shell: >
cp test-cacert.pem /etc/pki/ca-trust/source/anchors/;
update-ca-trust extract;
sudo: true
when: ssl_overcloud
- name: fetch template from single remote host
tls_tht:
source_dir: "/usr/share/openstack-tripleo-heat-templates/"
dest_dir: "{{ working_dir }}/"
cert_filename: "{{ working_dir }}/server-cert.pem"
cert_ca_filename: "{{ working_dir }}/overcloud-cacert.pem"
key_filename: "{{ working_dir }}/server-key.pem"
tht_release: '{{ release }}'
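Review bot: The `Generate SSL certificates` task (`shell: |` running overcloud-create-ssl-cert.sh) re-creates the CA and the server key on every play run, and the script it calls re-imports the CA into the trust store each time, so the role is not idempotent; guarding it with `args:` / `creates: "{{ working_dir }}/server-cert.pem"` would make reruns a no-op. The `fetch template` task passes `tht_release: '{{ release }}'`, but `release` is not defined in this role's defaults in this commit, so the role fails on an undefined variable unless the calling playbook sets it — a default or a comment naming the expected source would help. The two yum tasks keep `state=latest`, which upgrades the packages on each run; block YAML with `name: "{{ item }}"` and `state: present` is the idempotent form. `mode: 0755` on the template task is better quoted as `mode: "0755"` to avoid the YAML octal/int ambiguity.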


@ -0,0 +1,52 @@
#!/bin/bash
set -eux
### --start_docs
## Generating the overcloud SSL Certificates
## =========================================
## * Generate a private key
## ::
openssl genrsa 2048 > {{ working_dir }}/overcloud-ca-privkey.pem 2> /dev/null
## * Generate a self-signed CA certificate
## ::
openssl req -new -x509 -key {{ working_dir }}/overcloud-ca-privkey.pem \
-out {{ working_dir }}/overcloud-cacert.pem -days 365 \
-subj "/C=US/ST=NC/L=Raleigh/O=Red Hat/OU=OOOQ/CN=overcloud"
## * Add the self-signed CA certificate to the undercloud's trusted certificate
## store.
## ::
sudo cp {{ working_dir }}/overcloud-cacert.pem /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust extract
## * Generate the leaf certificate request and key that will be used for the
## public VIP
## ::
openssl req -newkey rsa:2048 -days 365 \
-nodes -keyout {{ working_dir }}/server-key.pem \
-out {{ working_dir }}/server-req.pem \
-subj "/C=US/ST=NC/L=Raleigh/O=Red Hat/OU=OOOQ/CN={{overcloud_public_vip}}"
## * Process the server RSA key
## ::
openssl rsa -in {{ working_dir }}/server-key.pem \
-out {{ working_dir }}/server-key.pem
## * Sign the leaf certificate with the CA certificate and generate
## the certificate
## ::
openssl x509 -req -in server-req.pem -days 365 \
-CA {{ working_dir }}/overcloud-cacert.pem \
-CAkey {{ working_dir }}/overcloud-ca-privkey.pem \
-set_serial 01 -out {{ working_dir }}/server-cert.pem
## --stop_docs
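Review bot: The signing step `openssl x509 -req -in server-req.pem` is the only command that addresses a file relative to the current directory; every other path is prefixed with `{{ working_dir }}`, and the task that runs the script sets no `chdir`, so it only works when the caller's cwd happens to be the working dir — it should be `-in {{ working_dir }}/server-req.pem`. The CA private key and the server key are written with the caller's default umask (`openssl genrsa 2048 > …` and `-keyout …`), which typically leaves them world-readable; adding `umask 077` right after `set -eux` (or a `chmod 600` on the two key files) keeps the private keys readable only by the stack user. The CA is regenerated on every run with the same subject and the leaf is always issued with `-set_serial 01`, so repeated runs accumulate distinct CAs with the same name in the trust store; if reruns are expected, skipping generation when the output files already exist would avoid that.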