Add ability to deploy the Overcloud with SSL
- The undercloud part has been removed, as that is done in OOOQ. - Improve tls_tht.py so it can manage master/newton SSL specifics. Depends-On: Id2d98903577525daa79c7f57eead512ee030e6b8 Depends-On: Idc74e30b6b4d3a749d748dbbd61ff162e69ca5ae Change-Id: I2e647764a3bf965a1f874f75b8e28eaca25accce Signed-off-by: Gael Chamoulaud <gchamoul@redhat.com>
parent
977f2d811c
commit
be2653a1a6
|
@ -1,8 +1,8 @@
|
||||||
---
|
---
|
||||||
# defaults file for ansible-role-tripleo-ssl
|
# defaults file for ansible-role-tripleo-ssl
|
||||||
local_working_dir: "{{ lookup('env', 'HOME') }}/.cat"
|
|
||||||
working_dir: /home/stack
|
working_dir: /home/stack
|
||||||
ssl_overcloud: false
|
ssl_overcloud: false
|
||||||
ssl_undercloud: false
|
|
||||||
|
|
||||||
undercloud_undercloud_public_vip: 172.16.23.110
|
overcloud_public_vip: 10.0.0.5
|
||||||
|
overcloud_ssl_cert_log: "{{working_dir}}/overcloud_create_ssl_cert.log"
|
||||||
|
overcloud_ssl_cert_script: overcloud-create-ssl-cert.sh.j2
|
||||||
|
|
|
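Review bot: The new `overcloud_ssl_cert_log` default writes its Jinja expression as `{{working_dir}}` while every other default and task in this change uses `{{ working_dir }}`; `overcloud_ssl_cert_log: "{{ working_dir }}/overcloud_create_ssl_cert.log"` keeps the file consistent. The `overcloud_public_vip` default is what the new template puts into the CN of the server certificate, so a comment above it would save the next operator a surprise, e.g. `# must match the overcloud's public VIP: it becomes the CN of the generated server certificate`.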
@ -49,6 +49,11 @@ options:
|
||||||
- the CA cert pem filename
|
- the CA cert pem filename
|
||||||
required: false
|
required: false
|
||||||
default: cert.pem
|
default: cert.pem
|
||||||
|
tht_release:
|
||||||
|
description:
|
||||||
|
- the tht release name
|
||||||
|
required: false
|
||||||
|
default: master
|
||||||
|
|
||||||
|
|
||||||
'''
|
'''
|
||||||
|
@ -68,9 +73,10 @@ def _open_yaml(filename):
|
||||||
return tmp_dict
|
return tmp_dict
|
||||||
|
|
||||||
|
|
||||||
def create_enable_file(certpem, keypem, source_dir, dest_dir):
|
def create_enable_file(certpem, keypem, source_dir, dest_dir, tht_release):
|
||||||
output_dict = _open_yaml("{}environments/enable-tls.yaml".format(source_dir))
|
output_dict = _open_yaml("{}environments/enable-tls.yaml".format(source_dir))
|
||||||
|
|
||||||
|
if tht_release not in ['master', 'newton']:
|
||||||
for key in output_dict["parameter_defaults"]["EndpointMap"]:
|
for key in output_dict["parameter_defaults"]["EndpointMap"]:
|
||||||
if output_dict["parameter_defaults"]["EndpointMap"][key]["host"] == "CLOUDNAME":
|
if output_dict["parameter_defaults"]["EndpointMap"][key]["host"] == "CLOUDNAME":
|
||||||
output_dict["parameter_defaults"]["EndpointMap"][key]["host"] = "IP_ADDRESS"
|
output_dict["parameter_defaults"]["EndpointMap"][key]["host"] = "IP_ADDRESS"
|
||||||
|
@ -108,6 +114,7 @@ def main():
|
||||||
cert_filename=dict(default="cert.pem", required=False),
|
cert_filename=dict(default="cert.pem", required=False),
|
||||||
cert_ca_filename=dict(default="cert.pem", required=False),
|
cert_ca_filename=dict(default="cert.pem", required=False),
|
||||||
key_filename=dict(default="key.pem", required=False),
|
key_filename=dict(default="key.pem", required=False),
|
||||||
|
tht_release=dict(default="master", required=False),
|
||||||
)
|
)
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -120,8 +127,13 @@ def main():
|
||||||
with open(module.params["key_filename"], "r") as stream:
|
with open(module.params["key_filename"], "r") as stream:
|
||||||
keypem = stream.read()
|
keypem = stream.read()
|
||||||
|
|
||||||
create_enable_file(certpem, keypem, module.params["source_dir"], module.params["dest_dir"])
|
create_enable_file(certpem, keypem,
|
||||||
create_anchor_file(cert_ca_pem, module.params["source_dir"], module.params["dest_dir"])
|
module.params["source_dir"],
|
||||||
|
module.params["dest_dir"],
|
||||||
|
module.params["tht_release"])
|
||||||
|
create_anchor_file(cert_ca_pem,
|
||||||
|
module.params["source_dir"],
|
||||||
|
module.params["dest_dir"])
|
||||||
module.exit_json(changed=True)
|
module.exit_json(changed=True)
|
||||||
|
|
||||||
|
|
||||||
|
|
|
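Review bot: The new `tht_release` branch in `create_enable_file` gives the parameter a behaviour that the `options:` hunk does not document: for `master` and `newton` the EndpointMap hosts keep `CLOUDNAME`, any other value is rewritten to `IP_ADDRESS`, and an unexpected value (a typo, a mixed-case release name) silently takes the rewrite path. The option description should state this, e.g. `- the tht release name; for master and newton the EndpointMap hosts are kept as CLOUDNAME, any other value rewrites them to IP_ADDRESS`, and the `argument_spec` entry in the `main()` hunk could restrict the value with a `choices=[...]` list if the set of supported releases is known. `create_enable_file` continues past the hunk, so the remainder of its handling is not visible here.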
@ -1,54 +1,32 @@
|
||||||
---
|
---
|
||||||
# tasks file for ansible-role-tripleo-ssl
|
# tasks file for ansible-role-tripleo-ssl
|
||||||
- name: Ensure rpm requirements for ssl are installed
|
- when: ssl_overcloud
|
||||||
|
block:
|
||||||
|
- name: Ensure rpm requirements for ssl are installed
|
||||||
yum: name={{ item }} state=latest
|
yum: name={{ item }} state=latest
|
||||||
with_items:
|
with_items:
|
||||||
- openssl
|
- openssl
|
||||||
when: ssl_overcloud or ssl_undercloud
|
|
||||||
|
|
||||||
- name: Ensure tripleo heat template rpm requirements for ssl are installed
|
- name: Ensure tripleo heat template rpm requirements for ssl are installed
|
||||||
yum: name={{ item }} state=latest
|
yum: name={{ item }} state=latest
|
||||||
with_items:
|
with_items:
|
||||||
- openstack-tripleo-heat-templates
|
- openstack-tripleo-heat-templates
|
||||||
when: ssl_overcloud
|
|
||||||
|
|
||||||
- name: create self-signed SSL cert
|
- name: Create overcloud-create-ssl-cert.sh
|
||||||
command: openssl req -x509 -nodes -newkey rsa:2048 -subj "/CN={{ undercloud_undercloud_public_vip }}" -days 3650 -keyout test-privkey.pem -out test-cacert.pem -extensions v3_ca
|
template:
|
||||||
when: ssl_overcloud or ssl_undercloud
|
src: "{{ overcloud_ssl_cert_script }}"
|
||||||
|
dest: "{{ working_dir }}/overcloud-create-ssl-cert.sh"
|
||||||
|
mode: 0755
|
||||||
|
|
||||||
- name: Combine CA and key for HAproxy
|
- name: Generate SSL certificates
|
||||||
shell: >
|
shell: |
|
||||||
cat test-cacert.pem test-privkey.pem > undercloud.pem
|
{{ working_dir }}/overcloud-create-ssl-cert.sh > {{ overcloud_ssl_cert_log }} 2>&1
|
||||||
when: ssl_undercloud
|
|
||||||
|
|
||||||
- name: Combine CA and key for HAproxy
|
- name: fetch template from single remote host
|
||||||
sudo: yes
|
|
||||||
shell: >
|
|
||||||
mkdir /etc/pki/instack-certs;
|
|
||||||
cp undercloud.pem /etc/pki/instack-certs;
|
|
||||||
semanage fcontext -a -t etc_t "/etc/pki/instack-certs(/.*)?";
|
|
||||||
restorecon -R /etc/pki/instack-certs;
|
|
||||||
when: ssl_undercloud
|
|
||||||
|
|
||||||
- name: Copy self-signed certificate
|
|
||||||
sudo: yes
|
|
||||||
shell: >
|
|
||||||
cp test-cacert.pem /etc/pki/ca-trust/source/anchors/;
|
|
||||||
update-ca-trust extract;
|
|
||||||
when: ssl_undercloud
|
|
||||||
|
|
||||||
- name: fetch template from single remote host
|
|
||||||
tls_tht:
|
tls_tht:
|
||||||
source_dir: "/usr/share/openstack-tripleo-heat-templates/"
|
source_dir: "/usr/share/openstack-tripleo-heat-templates/"
|
||||||
dest_dir: "{{ working_dir }}/"
|
dest_dir: "{{ working_dir }}/"
|
||||||
cert_filename: "test-cacert.pem"
|
cert_filename: "{{ working_dir }}/server-cert.pem"
|
||||||
cert_ca_filename: "test-cacert.pem"
|
cert_ca_filename: "{{ working_dir }}/overcloud-cacert.pem"
|
||||||
key_filename: "test-privkey.pem"
|
key_filename: "{{ working_dir }}/server-key.pem"
|
||||||
when: ssl_overcloud
|
tht_release: '{{ release }}'
|
||||||
|
|
||||||
- name: copy the self-signed SSL cert
|
|
||||||
shell: >
|
|
||||||
cp test-cacert.pem /etc/pki/ca-trust/source/anchors/;
|
|
||||||
update-ca-trust extract;
|
|
||||||
sudo: true
|
|
||||||
when: ssl_overcloud
|
|
||||||
|
|
|
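Review bot: The new `Generate SSL certificates` task runs the script unconditionally on every play, so each run regenerates the CA and server key and adds another CA to the undercloud trust store; an `args: creates: "{{ working_dir }}/server-cert.pem"` on that `shell` task would keep the block idempotent. `mode: 0755` on the template task is an unquoted octal literal — Ansible tolerates the leading-zero form, but `mode: "0755"` avoids the YAML 1.1 integer conversion. `tht_release: '{{ release }}'` refers to a `release` variable the defaults hunk does not define; unless it is set below the visible lines or by the caller, the `tls_tht` task fails on an undefined variable, so a default such as `release: master` (matching the module's own default) or a documented requirement is needed.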
@ -0,0 +1,52 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
set -eux
|
||||||
|
|
||||||
|
### --start_docs
|
||||||
|
## Generating the overcloud SSL Certificates
|
||||||
|
## =========================================
|
||||||
|
|
||||||
|
## * Generate a private key
|
||||||
|
## ::
|
||||||
|
|
||||||
|
openssl genrsa 2048 > {{ working_dir }}/overcloud-ca-privkey.pem 2> /dev/null
|
||||||
|
|
||||||
|
## * Generate a self-signed CA certificate
|
||||||
|
## ::
|
||||||
|
|
||||||
|
openssl req -new -x509 -key {{ working_dir }}/overcloud-ca-privkey.pem \
|
||||||
|
-out {{ working_dir }}/overcloud-cacert.pem -days 365 \
|
||||||
|
-subj "/C=US/ST=NC/L=Raleigh/O=Red Hat/OU=OOOQ/CN=overcloud"
|
||||||
|
|
||||||
|
## * Add the self-signed CA certificate to the undercloud's trusted certificate
|
||||||
|
## store.
|
||||||
|
## ::
|
||||||
|
|
||||||
|
sudo cp {{ working_dir }}/overcloud-cacert.pem /etc/pki/ca-trust/source/anchors/
|
||||||
|
sudo update-ca-trust extract
|
||||||
|
|
||||||
|
## * Generate the leaf certificate request and key that will be used for the
|
||||||
|
## public VIP
|
||||||
|
## ::
|
||||||
|
|
||||||
|
openssl req -newkey rsa:2048 -days 365 \
|
||||||
|
-nodes -keyout {{ working_dir }}/server-key.pem \
|
||||||
|
-out {{ working_dir }}/server-req.pem \
|
||||||
|
-subj "/C=US/ST=NC/L=Raleigh/O=Red Hat/OU=OOOQ/CN={{overcloud_public_vip}}"
|
||||||
|
|
||||||
|
## * Process the server RSA key
|
||||||
|
## ::
|
||||||
|
|
||||||
|
openssl rsa -in {{ working_dir }}/server-key.pem \
|
||||||
|
-out {{ working_dir }}/server-key.pem
|
||||||
|
|
||||||
|
## * Sign the leaf certificate with the CA certificate and generate
|
||||||
|
## the certificate
|
||||||
|
## ::
|
||||||
|
|
||||||
|
openssl x509 -req -in server-req.pem -days 365 \
|
||||||
|
-CA {{ working_dir }}/overcloud-cacert.pem \
|
||||||
|
-CAkey {{ working_dir }}/overcloud-ca-privkey.pem \
|
||||||
|
-set_serial 01 -out {{ working_dir }}/server-cert.pem
|
||||||
|
|
||||||
|
## --stop_docs
|
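Review bot: The signing step reads `-in server-req.pem` with no directory, although the request was written to `{{ working_dir }}/server-req.pem` and the tasks file launches the script by absolute path without a `chdir`; unless the cwd happens to be `{{ working_dir }}` the `openssl x509` call fails and, under `set -e`, aborts the run, so it should be `openssl x509 -req -in {{ working_dir }}/server-req.pem -days 365 \`. The CA private key is also produced through a shell redirect (`openssl genrsa 2048 > ...`), so its mode follows the invoking umask rather than the owner-only mode `-out` typically applies; adding `umask 077` right after `set -eux`, or a `chmod 600` on the two key files at the end, keeps the CA and server keys readable only by the stack user.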