Add ssl setup

defaults/main.yml

@@ -36,13 +36,25 @@ qdrouterd_listener_sasl_mech: "ANONYMOUS"
 qdrouterd_irl_addr: 0.0.0.0
 qdrouterd_irl_port: 31460
 qdrouterd_worker_threads: 4
-qdrouterd_sasl_conf_path: "/etc/sasl2/"
+qdrouterd_sasl_conf_path: "/etc/sasl2"
 qdrouterd_sasl_conf_file: "/etc/sasl2/qdrouterd.conf"
 qdrouterd_log_module: "DEFAULT"
 qdrouterd_log_enable: "info+"
 
 # Qdrouterd SSL support
 qdrouterd_require_ssl: "yes"
-qdrouterd_ssl_cert: /etc/qdrouterd/ssl/qdrouterd.pem
-qdrouterd_ssl_key: /etc/qdrouterd/ssl/qdrouterd.key
-#qdrouterd_ssl_ca_cert: /etc/qdrouterd/ssl/qdrouterd-ca.pem
+qdrouterd_ssl_cert: "{{ qdrouterd_etc_conf_path }}/qdrouterd.pem"
+qdrouterd_ssl_key: "{{ qdrouterd_etc_conf_path }}/qdrouterd.key"
+#qdrouterd_ssl_ca_cert: "{{ qdrouterd_etc_conf_path }}/qdrouterd-ca.pem"
+
+# Set qdrouterd_ssl_sefl_signed_regen to true if you want to generate a new
+# SSL certificate for Qdrouterd when this playbook runs. You can also change
+# the subject of the self-signed certificate here if you prefer.
+qdrouterd_ssl_self_signed_regen: false
+qdrouterd_ssl_self_signed_subject: "/C=US/ST=Massachusetts/L=Boston/O=IT/CN={{ ansible_hostname }}"
+
+# Define user-provided SSL certificates in:
+# /etc/openstack_deploy/user_variables.yml
+#qdrouterd_user_ssl_cert: <path to cert on ansible deployment host>
+#qdrouterd_user_ssl_key: <path to cert on ansible deployment host>
+#qdrouterd_user_ssl_ca_cert: <path to cert on ansible deployment host>

tasks/main.yml

@@ -26,6 +26,28 @@
 
 - include: qdrouterd_pre_install.yml
 
+# Qdrouterd SSL/TLS listener configuration
+#
+# If the user has not specified a certificate, key and CA certificate, we will
+# generate a self-signed SSL certificate and distribute it to each Qdrouterd
+# container.
+#
+# User-provided certificates must be specified within:
+#
+#   playbooks/roles/qdrouterd/defaults/main.yml
+#
+- include: qdrouterd_ssl_self_signed.yml
+  static: no
+  when: >
+    qdrouterd_user_ssl_cert is not defined or
+    qdrouterd_user_ssl_key is not defined
+  tags:
+    - qdrouterd-config
+
+- include: qdrouterd_ssl_user_provided.yml
+  tags:
+    - qdrouterd-config
+
 - include: qdrouterd_install.yml
   static: no
 

tasks/qdrouterd_ssl_key_create.yml

@@ -0,0 +1,48 @@
+---
+# Copyright 2018, Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Remove self signed cert for regen
+  file:
+    dest: "{{ qdrouterd_ssl_cert }}"
+    state: "absent"
+  when: qdrouterd_ssl_self_signed_regen | bool
+  tags:
+    - qdrouterd-ssl
+
+# See playbooks/roles/qdrouterd/defaults/main.yml to provide custom
+# subject material for certificates or specify a user-provided certificate and
+# key pair.
+- name: Create self-signed ssl cert
+  command: >
+    openssl req -new -nodes -sha256 -x509 -subj
+    "{{ qdrouterd_ssl_self_signed_subject }}"
+    -days 3650
+    -keyout {{ qdrouterd_ssl_key }}
+    -out {{ qdrouterd_ssl_cert }}
+    -extensions v3_ca
+    creates={{ qdrouterd_ssl_cert }}
+  tags:
+    - qdrouterd-ssl
+
+- name: Ensure qdrouterd user owns the self-signed key and certificate
+  file:
+    path: "{{ item }}"
+    owner: qdrouterd
+    group: qdrouterd
+  with_items:
+    - "{{ qdrouterd_ssl_key }}"
+    - "{{ qdrouterd_ssl_cert }}"
+  tags:
+    - qdrouterd-ssl

tasks/qdrouterd_ssl_key_distribute.yml

@@ -0,0 +1,45 @@
+---
+# Copyright 2018, Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Distribute self signed ssl key
+  copy:
+    dest: "{{ qdrouterd_ssl_key }}"
+    content: "{{ hostvars[groups[qdrouterd_host_group][0]]['qdrouterd_ssl_key_fact'] | b64decode }}"
+    owner: "qdrouterd"
+    group: "qdrouterd"
+    mode: "0640"
+  tags:
+    - qdrouterd-ssl
+
+- name: Distribute self signed ssl cert
+  copy:
+    dest: "{{ qdrouterd_ssl_cert }}"
+    content: "{{ hostvars[groups[qdrouterd_host_group][0]]['qdrouterd_ssl_cert_fact'] | b64decode }}"
+    owner: "qdrouterd"
+    group: "qdrouterd"
+    mode: "0640"
+  tags:
+    - qdrouterd-ssl
+
+- name: Ensure qdrouterd user owns the self-signed key and certificate
+  file:
+    path: "{{ item }}"
+    owner: qdrouterd
+    group: qdrouterd
+  with_items:
+    - "{{ qdrouterd_ssl_key }}"
+    - "{{ qdrouterd_ssl_cert }}"
+  tags:
+    - qdrouterd-ssl

tasks/qdrouterd_ssl_key_store.yml

@@ -0,0 +1,37 @@
+---
+# Copyright 2018, Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Store ssl cert
+  slurp:
+    src: "{{ qdrouterd_ssl_cert }}"
+  register: _qdrouterd_ssl_cert
+  changed_when: false
+  tags:
+    - qdrouterd-ssl
+
+- name: Store ssl key
+  slurp:
+    src: "{{ qdrouterd_ssl_key }}"
+  register: _qdrouterd_ssl_key
+  changed_when: false
+  tags:
+    - qdrouterd-ssl
+
+- name: Register a fact for the cert and key
+  set_fact:
+     qdrouterd_ssl_cert_fact: "{{ _qdrouterd_ssl_cert.content }}"
+     qdrouterd_ssl_key_fact: "{{ _qdrouterd_ssl_key.content }}"
+  tags:
+    - qdrouterd-ssl

tasks/qdrouterd_ssl_self_signed.yml

@@ -0,0 +1,25 @@
+---
+# Copyright 2018, Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# We create the self-signed SSL certificate and key only on the first
+# Qdrouterd container.
+- include: qdrouterd_ssl_key_create.yml
+  when: inventory_hostname == groups[qdrouterd_host_group][0]
+
+- include: qdrouterd_ssl_key_store.yml
+  when: inventory_hostname == groups[qdrouterd_host_group][0]
+
+- include: qdrouterd_ssl_key_distribute.yml
+  when: inventory_hostname != groups[qdrouterd_host_group][0]

tasks/qdrouterd_ssl_user_provided.yml

@@ -0,0 +1,55 @@
+---
+# Copyright 2018, Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# If we have a user-provided SSL certificate from
+# /etc/openstack_deploy/user_variables.yml, we should deploy that certificate
+# and key to each Qdrouterd container.
+- name: Deploy user provided ssl cert
+  copy:
+    src: "{{ qdrouterd_user_ssl_cert }}"
+    dest: "{{ qdrouterd_ssl_cert }}"
+    owner: "qdrouterd"
+    group: "qdrouterd"
+    mode: "0644"
+  when: qdrouterd_user_ssl_cert is defined
+  tags:
+    - qdrouterd-configs
+    - qdrouterd-ssl
+
+- name: Deploy user provided ssl key
+  copy:
+    src: "{{ qdrouterd_user_ssl_key }}"
+    dest: "{{ qdrouterd_ssl_key }}"
+    owner: "qdrouterd"
+    group: "qdrouterd"
+    mode: "0600"
+  when: qdrouterd_user_ssl_key is defined
+  tags:
+    - qdrouterd-configs
+    - qdrouterd-ssl
+
+# Deploy the user provided CA certificate as well (if the user defined it
+# within /etc/openstack_deploy/user_variables.yml).
+- name: Deploy user provided ssl CA cert
+  copy:
+    src: "{{ qdrouterd_user_ssl_ca_cert }}"
+    dest: "{{ qdrouterd_ssl_ca_cert }}"
+    owner: "qdrouterd"
+    group: "qdrouterd"
+    mode: "0644"
+  when: qdrouterd_user_ssl_ca_cert is defined
+  tags:
+    - qdrouterd-configs
+    - qdrouterd-ssl

templates/qdrouterd.conf.j2

@@ -22,6 +22,9 @@ listener {
     host: {{ qdrouterd_listener_addr }}
     port: {{ qdrouterd_listener_port }}
     role: normal
+{% if qdrouterd_require_ssl == 'yes' %}
+    sslProfile: {{ ansible_hostname }}
+{% endif %}
     authenticatePeer: {{ qdrouterd_listener_auth_peer }}
     saslMechanisms: {{ qdrouterd_listener_sasl_mech }}
 }
@@ -31,6 +34,9 @@ listener {
     host: {{ qdrouterd_irl_addr }}
     port: {{ qdrouterd_irl_port }}
     role: inter-router
+{% if qdrouterd_require_ssl == 'yes' %}
+    sslProfile: {{ ansible_hostname }}
+{% endif %}
 }
 {% endif %}
 

vars/redhat.yml

@@ -20,7 +20,7 @@ qdrouterd_distro_packages:
   - qpid-dispatch-router
   - qpid-dispatch-tools
 
-_qdrouterd_etc_conf_path: "/etc/qpid-dispatch/"
+_qdrouterd_etc_conf_path: "/etc/qpid-dispatch"
 _qdrouterd_etc_conf_file: "/etc/qpid-dispatch/qdrouterd.conf"
 _qdrouterd_service_name: "qdrouterd"