Add ability to deploy the Overcloud with SSL
- The undercloud part has been removed, as that is handled in OOOQ.
- Improve tls_tht.py so it can handle the master/newton SSL specifics.

Depends-On: Id2d98903577525daa79c7f57eead512ee030e6b8
Depends-On: Idc74e30b6b4d3a749d748dbbd61ff162e69ca5ae
Change-Id: I2e647764a3bf965a1f874f75b8e28eaca25accce
Signed-off-by: Gael Chamoulaud <gchamoul@redhat.com>
This commit is contained in:
parent
977f2d811c
commit
be2653a1a6
@ -1,8 +1,8 @@
|
|||
---
|
||||
# defaults file for ansible-role-tripleo-ssl
|
||||
local_working_dir: "{{ lookup('env', 'HOME') }}/.cat"
|
||||
working_dir: /home/stack
|
||||
ssl_overcloud: false
|
||||
ssl_undercloud: false
|
||||
|
||||
undercloud_undercloud_public_vip: 172.16.23.110
|
||||
overcloud_public_vip: 10.0.0.5
|
||||
overcloud_ssl_cert_log: "{{working_dir}}/overcloud_create_ssl_cert.log"
|
||||
overcloud_ssl_cert_script: overcloud-create-ssl-cert.sh.j2
|
||||
|
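Review bot: `ssl_undercloud` and `undercloud_undercloud_public_vip` are kept in the defaults, but the rewritten tasks file in this commit no longer references either of them (every task is now under the `when: ssl_overcloud` block and the certificate subject comes from `overcloud_public_vip`), so unless another file of the role still reads them they are dead variables that will mislead users of the role; drop them or comment them as unused. The remaining defaults also carry no comment saying what they feed: `overcloud_public_vip` ends up as the CN of the generated server certificate, so a comment such as `# CN of the overcloud server certificate; must match the public VIP of the deployment` would tell a caller that the sample `10.0.0.5` has to be overridden per environment.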
@ -49,6 +49,11 @@ options:
|
|||
- the CA cert pem filename
|
||||
required: false
|
||||
default: cert.pem
|
||||
tht_release:
|
||||
description:
|
||||
- the tht release name
|
||||
required: false
|
||||
default: master
|
||||
|
||||
|
||||
'''
|
||||
|
@ -68,12 +73,13 @@ def _open_yaml(filename):
|
|||
return tmp_dict
|
||||
|
||||
|
||||
def create_enable_file(certpem, keypem, source_dir, dest_dir):
|
||||
def create_enable_file(certpem, keypem, source_dir, dest_dir, tht_release):
|
||||
output_dict = _open_yaml("{}environments/enable-tls.yaml".format(source_dir))
|
||||
|
||||
for key in output_dict["parameter_defaults"]["EndpointMap"]:
|
||||
if output_dict["parameter_defaults"]["EndpointMap"][key]["host"] == "CLOUDNAME":
|
||||
output_dict["parameter_defaults"]["EndpointMap"][key]["host"] = "IP_ADDRESS"
|
||||
if tht_release not in ['master', 'newton']:
|
||||
for key in output_dict["parameter_defaults"]["EndpointMap"]:
|
||||
if output_dict["parameter_defaults"]["EndpointMap"][key]["host"] == "CLOUDNAME":
|
||||
output_dict["parameter_defaults"]["EndpointMap"][key]["host"] = "IP_ADDRESS"
|
||||
|
||||
output_dict["parameter_defaults"]["SSLCertificate"] = certpem
|
||||
output_dict["parameter_defaults"]["SSLKey"] = keypem
|
||||
|
@ -108,6 +114,7 @@ def main():
|
|||
cert_filename=dict(default="cert.pem", required=False),
|
||||
cert_ca_filename=dict(default="cert.pem", required=False),
|
||||
key_filename=dict(default="key.pem", required=False),
|
||||
tht_release=dict(default="master", required=False),
|
||||
)
|
||||
)
|
||||
|
||||
|
@ -120,8 +127,13 @@ def main():
|
|||
with open(module.params["key_filename"], "r") as stream:
|
||||
keypem = stream.read()
|
||||
|
||||
create_enable_file(certpem, keypem, module.params["source_dir"], module.params["dest_dir"])
|
||||
create_anchor_file(cert_ca_pem, module.params["source_dir"], module.params["dest_dir"])
|
||||
create_enable_file(certpem, keypem,
|
||||
module.params["source_dir"],
|
||||
module.params["dest_dir"],
|
||||
module.params["tht_release"])
|
||||
create_anchor_file(cert_ca_pem,
|
||||
module.params["source_dir"],
|
||||
module.params["dest_dir"])
|
||||
module.exit_json(changed=True)
|
||||
|
||||
|
||||
|
@ -1,54 +1,32 @@
|
|||
---
|
||||
# tasks file for ansible-role-tripleo-ssl
|
||||
- name: Ensure rpm requirements for ssl are installed
|
||||
yum: name={{ item }} state=latest
|
||||
with_items:
|
||||
- openssl
|
||||
when: ssl_overcloud or ssl_undercloud
|
||||
- when: ssl_overcloud
|
||||
block:
|
||||
- name: Ensure rpm requirements for ssl are installed
|
||||
yum: name={{ item }} state=latest
|
||||
with_items:
|
||||
- openssl
|
||||
|
||||
- name: Ensure tripleo heat template rpm requirements for ssl are installed
|
||||
yum: name={{ item }} state=latest
|
||||
with_items:
|
||||
- openstack-tripleo-heat-templates
|
||||
when: ssl_overcloud
|
||||
- name: Ensure tripleo heat template rpm requirements for ssl are installed
|
||||
yum: name={{ item }} state=latest
|
||||
with_items:
|
||||
- openstack-tripleo-heat-templates
|
||||
|
||||
- name: create self-signed SSL cert
|
||||
command: openssl req -x509 -nodes -newkey rsa:2048 -subj "/CN={{ undercloud_undercloud_public_vip }}" -days 3650 -keyout test-privkey.pem -out test-cacert.pem -extensions v3_ca
|
||||
when: ssl_overcloud or ssl_undercloud
|
||||
- name: Create overcloud-create-ssl-cert.sh
|
||||
template:
|
||||
src: "{{ overcloud_ssl_cert_script }}"
|
||||
dest: "{{ working_dir }}/overcloud-create-ssl-cert.sh"
|
||||
mode: 0755
|
||||
|
||||
- name: Combine CA and key for HAproxy
|
||||
shell: >
|
||||
cat test-cacert.pem test-privkey.pem > undercloud.pem
|
||||
when: ssl_undercloud
|
||||
- name: Generate SSL certificates
|
||||
shell: |
|
||||
{{ working_dir }}/overcloud-create-ssl-cert.sh > {{ overcloud_ssl_cert_log }} 2>&1
|
||||
|
||||
- name: Combine CA and key for HAproxy
|
||||
sudo: yes
|
||||
shell: >
|
||||
mkdir /etc/pki/instack-certs;
|
||||
cp undercloud.pem /etc/pki/instack-certs;
|
||||
semanage fcontext -a -t etc_t "/etc/pki/instack-certs(/.*)?";
|
||||
restorecon -R /etc/pki/instack-certs;
|
||||
when: ssl_undercloud
|
||||
|
||||
- name: Copy self-signed certificate
|
||||
sudo: yes
|
||||
shell: >
|
||||
cp test-cacert.pem /etc/pki/ca-trust/source/anchors/;
|
||||
update-ca-trust extract;
|
||||
when: ssl_undercloud
|
||||
|
||||
- name: fetch template from single remote host
|
||||
tls_tht:
|
||||
source_dir: "/usr/share/openstack-tripleo-heat-templates/"
|
||||
dest_dir: "{{ working_dir }}/"
|
||||
cert_filename: "test-cacert.pem"
|
||||
cert_ca_filename: "test-cacert.pem"
|
||||
key_filename: "test-privkey.pem"
|
||||
when: ssl_overcloud
|
||||
|
||||
- name: copy the self-signed SSL cert
|
||||
shell: >
|
||||
cp test-cacert.pem /etc/pki/ca-trust/source/anchors/;
|
||||
update-ca-trust extract;
|
||||
sudo: true
|
||||
when: ssl_overcloud
|
||||
- name: fetch template from single remote host
|
||||
tls_tht:
|
||||
source_dir: "/usr/share/openstack-tripleo-heat-templates/"
|
||||
dest_dir: "{{ working_dir }}/"
|
||||
cert_filename: "{{ working_dir }}/server-cert.pem"
|
||||
cert_ca_filename: "{{ working_dir }}/overcloud-cacert.pem"
|
||||
key_filename: "{{ working_dir }}/server-key.pem"
|
||||
tht_release: '{{ release }}'
|
||||
|
@ -0,0 +1,52 @@
|
|||
#!/bin/bash
|
||||
|
||||
set -eux
|
||||
|
||||
### --start_docs
|
||||
## Generating the overcloud SSL Certificates
|
||||
## =========================================
|
||||
|
||||
## * Generate a private key
|
||||
## ::
|
||||
|
||||
openssl genrsa 2048 > {{ working_dir }}/overcloud-ca-privkey.pem 2> /dev/null
|
||||
|
||||
## * Generate a self-signed CA certificate
|
||||
## ::
|
||||
|
||||
openssl req -new -x509 -key {{ working_dir }}/overcloud-ca-privkey.pem \
|
||||
-out {{ working_dir }}/overcloud-cacert.pem -days 365 \
|
||||
-subj "/C=US/ST=NC/L=Raleigh/O=Red Hat/OU=OOOQ/CN=overcloud"
|
||||
|
||||
## * Add the self-signed CA certificate to the undercloud's trusted certificate
|
||||
## store.
|
||||
## ::
|
||||
|
||||
sudo cp {{ working_dir }}/overcloud-cacert.pem /etc/pki/ca-trust/source/anchors/
|
||||
sudo update-ca-trust extract
|
||||
|
||||
## * Generate the leaf certificate request and key that will be used for the
|
||||
## public VIP
|
||||
## ::
|
||||
|
||||
openssl req -newkey rsa:2048 -days 365 \
|
||||
-nodes -keyout {{ working_dir }}/server-key.pem \
|
||||
-out {{ working_dir }}/server-req.pem \
|
||||
-subj "/C=US/ST=NC/L=Raleigh/O=Red Hat/OU=OOOQ/CN={{overcloud_public_vip}}"
|
||||
|
||||
## * Process the server RSA key
|
||||
## ::
|
||||
|
||||
openssl rsa -in {{ working_dir }}/server-key.pem \
|
||||
-out {{ working_dir }}/server-key.pem
|
||||
|
||||
## * Sign the leaf certificate with the CA certificate and generate
|
||||
## the certificate
|
||||
## ::
|
||||
|
||||
openssl x509 -req -in server-req.pem -days 365 \
|
||||
-CA {{ working_dir }}/overcloud-cacert.pem \
|
||||
-CAkey {{ working_dir }}/overcloud-ca-privkey.pem \
|
||||
-set_serial 01 -out {{ working_dir }}/server-cert.pem
|
||||
|
||||
## --stop_docs
|