Make overcloud trust undercloud CA if undercloud has TLS

When the undercloud is enabled with TLS, the overcloud needs to trust
the CA, even if the overcloud is not using TLS.

The overcloud-ssl module already skips most of the process when
overcloud_ssl is false. So I removed the skipping of the overcloud-ssl
role from the playbooks in order for the CA injection template to be
generated.

Closes-Bug: #1731282
Depends-On: Ib88f6e4d561f9c8b5ba6215bbd9450a704b74eec
Change-Id: Iae6f1768018d37f898da1ad455475036896189c4
Juan Antonio Osorio Robles 2017-11-09 09:38:21 +02:00
parent 5e1463d84a
commit d923396ebb
5 changed files with 50 additions and 29 deletions


@ -75,7 +75,7 @@
hosts: undercloud
gather_facts: no
roles:
- { role: overcloud-ssl, when: ssl_overcloud|bool }
- { role: overcloud-ssl }
- name: Run tripleo-validations pre-deployment tests
hosts: undercloud
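Review bot: Dropping the `when` on the role include means every task in overcloud-ssl that lacks its own guard now runs on deployments where neither TLS option is set; the condition this same commit puts on the role's tls_tht task, `ssl_overcloud|bool or undercloud_generate_service_certificate|bool`, is the natural one to keep at the playbook level. Consider `- { role: overcloud-ssl, when: ssl_overcloud|bool or undercloud_generate_service_certificate|bool }` so that skipping the role on plain deployments stays visible in the playbook instead of relying on per-task conditions inside the role, whose other tasks I cannot see from here. The second playbook makes the identical change at `@ -59,4 +59,4 @@` and would take the same line.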


@ -59,4 +59,4 @@
hosts: undercloud
gather_facts: no
roles:
- { role: overcloud-ssl, when: ssl_overcloud|bool }
- { role: overcloud-ssl }


@ -111,25 +111,36 @@
-e {{ working_dir }}/cloud-names.yaml
when: release not in ['mitaka', 'liberty']
- name: set ssl_args fact for releases after mitaka
- name: set set overcloud SSL args for releases after mitaka
set_fact:
ssl_args: >-
ssl_overcloud_args: >-
-e {{ working_dir }}/enable-tls.yaml
-e {{ overcloud_templates_path }}/environments/tls-endpoints-public-ip.yaml
-e {{ working_dir }}/inject-trust-anchor.yaml
when:
- ssl_overcloud|bool
- release not in ['mitaka', 'liberty']
- name: set ssl_args fact for mitaka/liberty
- name: set overcloud SSL args fact for mitaka/liberty
set_fact:
ssl_args: >-
ssl_overcloud_args: >-
-e {{ working_dir }}/enable-tls.yaml
-e {{ working_dir }}/inject-trust-anchor.yaml
when:
- ssl_overcloud|bool
- release in ['mitaka', 'liberty']
- name: set CA injection arg
set_fact:
ssl_ca_args: >-
-e {{ working_dir }}/inject-trust-anchor.yaml
when: ssl_overcloud|bool or undercloud_generate_service_certificate|bool
- name: set ssl_args
set_fact:
ssl_args: >-
{{ ssl_overcloud_args|default('') }}
{{ ssl_ca_args }}
when: ssl_overcloud|bool or undercloud_generate_service_certificate|bool
- name: set novajoin/TLS everywhere fact
set_fact:
tls_everywhere_args: >-
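Review bot: The renamed task `- name: set set overcloud SSL args for releases after mitaka` repeats the word "set"; it should read `- name: set overcloud SSL args for releases after mitaka`, matching its mitaka/liberty sibling below. Separately, if `-e {{ working_dir }}/inject-trust-anchor.yaml` is still part of `ssl_overcloud_args` on the new side (the rendering does not make that certain), it is passed twice whenever `ssl_overcloud` is true, once there and once through `ssl_ca_args`; keeping it only in `ssl_ca_args` is sufficient because both facts are gated on the same condition. The `set ssl_args` task reads `ssl_ca_args` without a `default`, which only works because its `when` is identical to the one on `set CA injection arg`; a short comment such as `# ssl_ca_args is always defined here: same condition as "set CA injection arg"` would stop a future edit to one condition from leaving the other undefined.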


@ -91,12 +91,15 @@ def create_enable_file(certpem, keypem, source_dir, dest_dir, tht_release):
yaml.safe_dump(output_dict, stream, default_style='|')
def create_anchor_file(cert_ca_pem, source_dir, dest_dir):
def create_anchor_file(cert_ca_pem, source_dir, dest_dir, enable_tls_overcloud):
output_dict = _open_yaml(
"{}environments/inject-trust-anchor.yaml".format(source_dir)
)
ca_map = {"overcloud-ca": {"content": cert_ca_pem}}
if enable_tls_overcloud:
ca_map = {"overcloud-ca": {"content": cert_ca_pem}}
else:
ca_map = {}
# Optionally include the undercloud's local CA certificate
try:
undercloud_ca = "/etc/pki/ca-trust/source/anchors/cm-local-ca.pem"
@ -115,6 +118,7 @@ def create_anchor_file(cert_ca_pem, source_dir, dest_dir):
def main():
module = AnsibleModule(
argument_spec=dict(
enable_tls_overcloud=dict(type="bool", default=False, required=False),
source_dir=dict(default="/usr/share/openstack-tripleo-heat-templates/",
required=False),
dest_dir=dict(default="", required=False),
@ -125,22 +129,26 @@ def main():
)
)
with open(module.params["cert_filename"], "r") as stream:
certpem = stream.read()
if module.params["enable_tls_overcloud"]:
with open(module.params["cert_filename"], "r") as stream:
certpem = stream.read()
with open(module.params["cert_ca_filename"], "r") as stream:
cert_ca_pem = stream.read()
with open(module.params["key_filename"], "r") as stream:
keypem = stream.read()
with open(module.params["cert_ca_filename"], "r") as stream:
cert_ca_pem = stream.read()
with open(module.params["key_filename"], "r") as stream:
keypem = stream.read()
create_enable_file(certpem, keypem,
module.params["source_dir"],
module.params["dest_dir"],
module.params["tht_release"])
else:
cert_ca_pem = None
create_enable_file(certpem, keypem,
module.params["source_dir"],
module.params["dest_dir"],
module.params["tht_release"])
create_anchor_file(cert_ca_pem,
module.params["source_dir"],
module.params["dest_dir"])
module.params["dest_dir"],
module.params["enable_tls_overcloud"])
module.exit_json(changed=True)
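Review bot: With `enable_tls_overcloud` false, `create_anchor_file` starts from `ca_map = {}` and depends entirely on the optional `cm-local-ca.pem` read in the `try` that continues past the hunk; if that read fails, the anchor file is presumably still written with no CA in it and `main()` still reports `changed=True`, so a deployment that asked for trust in the undercloud CA would silently get none. Consider having `create_anchor_file` return whether any certificate was added and calling `module.fail_json(msg=...)` from `main()` when neither the overcloud CA nor the undercloud CA was available. The new parameter also deserves a docstring on `create_anchor_file`, e.g. `"""Write inject-trust-anchor.yaml; the overcloud CA is included only when enable_tls_overcloud is set, the undercloud's local CA whenever it is present."""`. Passing `cert_ca_pem = None` when the flag is false is fine, since that value is never read on that path.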


@ -24,11 +24,13 @@
{{ working_dir }}/overcloud-create-ssl-cert.sh 2>&1 {{ timestamper_cmd }} >
{{ overcloud_ssl_cert_log }}
- name: fetch template from single remote host
tls_tht:
source_dir: "/usr/share/openstack-tripleo-heat-templates/"
dest_dir: "{{ working_dir }}/"
cert_filename: "{{ working_dir }}/server-cert.pem"
cert_ca_filename: "{{ working_dir }}/overcloud-cacert.pem"
key_filename: "{{ working_dir }}/server-key.pem"
tht_release: '{{ release }}'
- name: fetch template from single remote host
tls_tht:
enable_tls_overcloud: "{{ ssl_overcloud }}"
source_dir: "/usr/share/openstack-tripleo-heat-templates/"
dest_dir: "{{ working_dir }}/"
cert_filename: "{{ working_dir }}/server-cert.pem"
cert_ca_filename: "{{ working_dir }}/overcloud-cacert.pem"
key_filename: "{{ working_dir }}/server-key.pem"
tht_release: '{{ release }}'
when: ssl_overcloud|bool or undercloud_generate_service_certificate|bool
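Review bot: `enable_tls_overcloud: "{{ ssl_overcloud }}"` hands the raw variable to the module's `type="bool"` argument while the `when` on the same task coerces it with `|bool`; writing `enable_tls_overcloud: "{{ ssl_overcloud|bool }}"` keeps the two in step and avoids relying on the module's string-to-bool conversion. The task name `fetch template from single remote host` describes neither what tls_tht does nor the new CA-only mode; a name such as `generate TLS and CA trust anchor templates` would document the behaviour this commit adds. The preceding task, which runs overcloud-create-ssl-cert.sh, starts outside the hunk, so I cannot see whether its condition stayed at `ssl_overcloud|bool`; it should not run when only the undercloud certificate is involved.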