Add ssl setup
This commit is contained in:
parent
8a516a937f
commit
3ae656b56f
@ -36,13 +36,25 @@ qdrouterd_listener_sasl_mech: "ANONYMOUS"
|
|||||||
qdrouterd_irl_addr: 0.0.0.0
|
qdrouterd_irl_addr: 0.0.0.0
|
||||||
qdrouterd_irl_port: 31460
|
qdrouterd_irl_port: 31460
|
||||||
qdrouterd_worker_threads: 4
|
qdrouterd_worker_threads: 4
|
||||||
qdrouterd_sasl_conf_path: "/etc/sasl2/"
|
qdrouterd_sasl_conf_path: "/etc/sasl2"
|
||||||
qdrouterd_sasl_conf_file: "/etc/sasl2/qdrouterd.conf"
|
qdrouterd_sasl_conf_file: "/etc/sasl2/qdrouterd.conf"
|
||||||
qdrouterd_log_module: "DEFAULT"
|
qdrouterd_log_module: "DEFAULT"
|
||||||
qdrouterd_log_enable: "info+"
|
qdrouterd_log_enable: "info+"
|
||||||
|
|
||||||
# Qdrouterd SSL support
|
# Qdrouterd SSL support
|
||||||
qdrouterd_require_ssl: "yes"
|
qdrouterd_require_ssl: "yes"
|
||||||
qdrouterd_ssl_cert: /etc/qdrouterd/ssl/qdrouterd.pem
|
qdrouterd_ssl_cert: "{{ qdrouterd_etc_conf_path }}/qdrouterd.pem"
|
||||||
qdrouterd_ssl_key: /etc/qdrouterd/ssl/qdrouterd.key
|
qdrouterd_ssl_key: "{{ qdrouterd_etc_conf_path }}/qdrouterd.key"
|
||||||
#qdrouterd_ssl_ca_cert: /etc/qdrouterd/ssl/qdrouterd-ca.pem
|
#qdrouterd_ssl_ca_cert: "{{ qdrouterd_etc_conf_path }}/qdrouterd-ca.pem"
|
||||||
|
|
||||||
|
# Set qdrouterd_ssl_sefl_signed_regen to true if you want to generate a new
|
||||||
|
# SSL certificate for Qdrouterd when this playbook runs. You can also change
|
||||||
|
# the subject of the self-signed certificate here if you prefer.
|
||||||
|
qdrouterd_ssl_self_signed_regen: false
|
||||||
|
qdrouterd_ssl_self_signed_subject: "/C=US/ST=Massachusetts/L=Boston/O=IT/CN={{ ansible_hostname }}"
|
||||||
|
|
||||||
|
# Define user-provided SSL certificates in:
|
||||||
|
# /etc/openstack_deploy/user_variables.yml
|
||||||
|
#qdrouterd_user_ssl_cert: <path to cert on ansible deployment host>
|
||||||
|
#qdrouterd_user_ssl_key: <path to cert on ansible deployment host>
|
||||||
|
#qdrouterd_user_ssl_ca_cert: <path to cert on ansible deployment host>
|
||||||
|
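Review bot: The comment introducing the regen flag misspells it as `qdrouterd_ssl_sefl_signed_regen` while the key actually defined a few lines below is `qdrouterd_ssl_self_signed_regen`; change the comment to `# Set qdrouterd_ssl_self_signed_regen to true if you want to generate a new`. `qdrouterd_require_ssl: "yes"` is a string flag that the listener template compares with `== 'yes'`, so a deployer who overrides it with `true` or `True` silently ends up with no TLS on the listeners; a boolean default consumed via `| bool` would be the safer shape. `qdrouterd_ssl_ca_cert` stays commented out here, yet the CA-cert copy task in `tasks/qdrouterd_ssl_user_provided.yml` uses it as the destination as soon as `qdrouterd_user_ssl_ca_cert` is defined, so a user who supplies a CA file without also uncommenting this default gets an undefined-variable failure; either define it (`qdrouterd_ssl_ca_cert: "{{ qdrouterd_etc_conf_path }}/qdrouterd-ca.pem"`) or guard that task. Both the cert and key paths now resolve under `qdrouterd_etc_conf_path`, which presumably maps onto the `_qdrouterd_etc_conf_path` changed in the vars hunk; that indirection is not visible in this commit, so confirm it exists.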
@ -26,6 +26,28 @@
|
|||||||
|
|
||||||
- include: qdrouterd_pre_install.yml
|
- include: qdrouterd_pre_install.yml
|
||||||
|
|
||||||
|
# Qdrouterd SSL/TLS listener configuration
|
||||||
|
#
|
||||||
|
# If the user has not specified a certificate, key and CA certificate, we will
|
||||||
|
# generate a self-signed SSL certificate and distribute it to each Qdrouterd
|
||||||
|
# container.
|
||||||
|
#
|
||||||
|
# User-provided certificates must be specified within:
|
||||||
|
#
|
||||||
|
# playbooks/roles/qdrouterd/defaults/main.yml
|
||||||
|
#
|
||||||
|
- include: qdrouterd_ssl_self_signed.yml
|
||||||
|
static: no
|
||||||
|
when: >
|
||||||
|
qdrouterd_user_ssl_cert is not defined or
|
||||||
|
qdrouterd_user_ssl_key is not defined
|
||||||
|
tags:
|
||||||
|
- qdrouterd-config
|
||||||
|
|
||||||
|
- include: qdrouterd_ssl_user_provided.yml
|
||||||
|
tags:
|
||||||
|
- qdrouterd-config
|
||||||
|
|
||||||
- include: qdrouterd_install.yml
|
- include: qdrouterd_install.yml
|
||||||
static: no
|
static: no
|
||||||
|
|
||||||
|
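Review bot: The header comment says user-provided certificates must be specified within `playbooks/roles/qdrouterd/defaults/main.yml`, while the defaults file and `tasks/qdrouterd_ssl_user_provided.yml` both point at `/etc/openstack_deploy/user_variables.yml`; editing role defaults is not the intended override path, so change that comment line to `# /etc/openstack_deploy/user_variables.yml`. The self-signed include is gated only on the user variables, not on `qdrouterd_require_ssl`, so a deployment with SSL disabled still generates, stores in hostvars and distributes a private key it never uses; extending the folded `when:` with `and qdrouterd_require_ssl == 'yes'` (or whatever boolean form the template settles on) avoids that. The include of the user-provided tasks carries no `when` at all, which is fine because each task inside is gated individually, but a one-line comment saying so would stop someone adding a redundant condition later.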
48
tasks/qdrouterd_ssl_key_create.yml
Normal file
48
tasks/qdrouterd_ssl_key_create.yml
Normal file
@ -0,0 +1,48 @@
|
|||||||
|
---
|
||||||
|
# Copyright 2018, Red Hat, Inc.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
- name: Remove self signed cert for regen
|
||||||
|
file:
|
||||||
|
dest: "{{ qdrouterd_ssl_cert }}"
|
||||||
|
state: "absent"
|
||||||
|
when: qdrouterd_ssl_self_signed_regen | bool
|
||||||
|
tags:
|
||||||
|
- qdrouterd-ssl
|
||||||
|
|
||||||
|
# See playbooks/roles/qdrouterd/defaults/main.yml to provide custom
|
||||||
|
# subject material for certificates or specify a user-provided certificate and
|
||||||
|
# key pair.
|
||||||
|
- name: Create self-signed ssl cert
|
||||||
|
command: >
|
||||||
|
openssl req -new -nodes -sha256 -x509 -subj
|
||||||
|
"{{ qdrouterd_ssl_self_signed_subject }}"
|
||||||
|
-days 3650
|
||||||
|
-keyout {{ qdrouterd_ssl_key }}
|
||||||
|
-out {{ qdrouterd_ssl_cert }}
|
||||||
|
-extensions v3_ca
|
||||||
|
creates={{ qdrouterd_ssl_cert }}
|
||||||
|
tags:
|
||||||
|
- qdrouterd-ssl
|
||||||
|
|
||||||
|
- name: Ensure qdrouterd user owns the self-signed key and certificate
|
||||||
|
file:
|
||||||
|
path: "{{ item }}"
|
||||||
|
owner: qdrouterd
|
||||||
|
group: qdrouterd
|
||||||
|
with_items:
|
||||||
|
- "{{ qdrouterd_ssl_key }}"
|
||||||
|
- "{{ qdrouterd_ssl_cert }}"
|
||||||
|
tags:
|
||||||
|
- qdrouterd-ssl
|
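Review bot: The ownership task at the end of the file sets owner and group but no `mode`, so the private key written by `openssl req -keyout` keeps whatever the process umask produced, which is commonly group- and world-readable; the key should be pinned to `0600` (the user-provided path in `tasks/qdrouterd_ssl_user_provided.yml` already does this) and the certificate to `0644`. `-extensions v3_ca` selects the CA extension section of the stock OpenSSL config, which typically marks the certificate `CA:TRUE`; for a leaf listener certificate that is more than needed, and either dropping the flag or using `v3_req` is the conventional choice — a comment explaining the intent would help either way. Mixing a `creates=` k=v argument into a block-style `command:` works but is easy to misread; moving it to `args:` with `creates: "{{ qdrouterd_ssl_cert }}"` keeps module arguments out of the command string.
```yaml
# … unchanged: remove-for-regen task and openssl req task …
- name: Ensure qdrouterd user owns the self-signed key and certificate
  file:
    path: "{{ item.path }}"
    owner: qdrouterd
    group: qdrouterd
    mode: "{{ item.mode }}"
  with_items:
    - { path: "{{ qdrouterd_ssl_key }}", mode: "0600" }
    - { path: "{{ qdrouterd_ssl_cert }}", mode: "0644" }
  tags:
    - qdrouterd-ssl
```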
45
tasks/qdrouterd_ssl_key_distribute.yml
Normal file
45
tasks/qdrouterd_ssl_key_distribute.yml
Normal file
@ -0,0 +1,45 @@
|
|||||||
|
---
|
||||||
|
# Copyright 2018, Red Hat, Inc.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
- name: Distribute self signed ssl key
|
||||||
|
copy:
|
||||||
|
dest: "{{ qdrouterd_ssl_key }}"
|
||||||
|
content: "{{ hostvars[groups[qdrouterd_host_group][0]]['qdrouterd_ssl_key_fact'] | b64decode }}"
|
||||||
|
owner: "qdrouterd"
|
||||||
|
group: "qdrouterd"
|
||||||
|
mode: "0640"
|
||||||
|
tags:
|
||||||
|
- qdrouterd-ssl
|
||||||
|
|
||||||
|
- name: Distribute self signed ssl cert
|
||||||
|
copy:
|
||||||
|
dest: "{{ qdrouterd_ssl_cert }}"
|
||||||
|
content: "{{ hostvars[groups[qdrouterd_host_group][0]]['qdrouterd_ssl_cert_fact'] | b64decode }}"
|
||||||
|
owner: "qdrouterd"
|
||||||
|
group: "qdrouterd"
|
||||||
|
mode: "0640"
|
||||||
|
tags:
|
||||||
|
- qdrouterd-ssl
|
||||||
|
|
||||||
|
- name: Ensure qdrouterd user owns the self-signed key and certificate
|
||||||
|
file:
|
||||||
|
path: "{{ item }}"
|
||||||
|
owner: qdrouterd
|
||||||
|
group: qdrouterd
|
||||||
|
with_items:
|
||||||
|
- "{{ qdrouterd_ssl_key }}"
|
||||||
|
- "{{ qdrouterd_ssl_cert }}"
|
||||||
|
tags:
|
||||||
|
- qdrouterd-ssl
|
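Review bot: The `content:` of the 'Distribute self signed ssl key' task is the decoded private key, and Ansible prints module arguments in verbose output and hands them to callback plugins, so the key can end up in deployment logs; add `no_log: true` to that task. The key is written with `mode: "0640"` here while the user-provided path uses `"0600"`; unless a group member really needs read access, `"0600"` is the consistent and tighter choice. The trailing 'Ensure qdrouterd user owns…' task repeats the owner and group the two `copy` tasks already set and adds no `mode`, so it is a no-op here and can be dropped.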
37
tasks/qdrouterd_ssl_key_store.yml
Normal file
37
tasks/qdrouterd_ssl_key_store.yml
Normal file
@ -0,0 +1,37 @@
|
|||||||
|
---
|
||||||
|
# Copyright 2018, Red Hat, Inc.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
- name: Store ssl cert
|
||||||
|
slurp:
|
||||||
|
src: "{{ qdrouterd_ssl_cert }}"
|
||||||
|
register: _qdrouterd_ssl_cert
|
||||||
|
changed_when: false
|
||||||
|
tags:
|
||||||
|
- qdrouterd-ssl
|
||||||
|
|
||||||
|
- name: Store ssl key
|
||||||
|
slurp:
|
||||||
|
src: "{{ qdrouterd_ssl_key }}"
|
||||||
|
register: _qdrouterd_ssl_key
|
||||||
|
changed_when: false
|
||||||
|
tags:
|
||||||
|
- qdrouterd-ssl
|
||||||
|
|
||||||
|
- name: Register a fact for the cert and key
|
||||||
|
set_fact:
|
||||||
|
qdrouterd_ssl_cert_fact: "{{ _qdrouterd_ssl_cert.content }}"
|
||||||
|
qdrouterd_ssl_key_fact: "{{ _qdrouterd_ssl_key.content }}"
|
||||||
|
tags:
|
||||||
|
- qdrouterd-ssl
|
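Review bot: 'Store ssl key' slurps the private key into a registered result and 'Register a fact for the cert and key' copies it into a host fact; both results are printed in verbose output and passed to callback plugins, so both tasks should carry `no_log: true` (the cert task can stay visible). The fact holds the base64 `content` that `slurp` returns, which the distribute task decodes with `b64decode`; a comment such as `# Facts hold the base64-encoded file contents as returned by slurp` saves the reader a cross-file lookup. Note also that the key then lives in hostvars for the rest of the play, so any later task that dumps hostvars for debugging will expose it.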
25
tasks/qdrouterd_ssl_self_signed.yml
Normal file
25
tasks/qdrouterd_ssl_self_signed.yml
Normal file
@ -0,0 +1,25 @@
|
|||||||
|
---
|
||||||
|
# Copyright 2018, Red Hat, Inc.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
# We create the self-signed SSL certificate and key only on the first
|
||||||
|
# Qdrouterd container.
|
||||||
|
- include: qdrouterd_ssl_key_create.yml
|
||||||
|
when: inventory_hostname == groups[qdrouterd_host_group][0]
|
||||||
|
|
||||||
|
- include: qdrouterd_ssl_key_store.yml
|
||||||
|
when: inventory_hostname == groups[qdrouterd_host_group][0]
|
||||||
|
|
||||||
|
- include: qdrouterd_ssl_key_distribute.yml
|
||||||
|
when: inventory_hostname != groups[qdrouterd_host_group][0]
|
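Review bot: The three includes depend on cross-host ordering — the create and store includes must finish on `groups[qdrouterd_host_group][0]` before the distribute include reads `qdrouterd_ssl_key_fact` from that host's hostvars on the others — which holds under the default linear strategy but not under `free`; a comment such as `# Ordering matters: distribute reads facts set on the first host, so this file assumes the linear strategy` would make the assumption explicit. These conditional includes omit `static: no` whereas the conditional includes added to `tasks/main.yml` set it; pick one form so the two files behave the same way on the Ansible versions this role targets.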
55
tasks/qdrouterd_ssl_user_provided.yml
Normal file
55
tasks/qdrouterd_ssl_user_provided.yml
Normal file
@ -0,0 +1,55 @@
|
|||||||
|
---
|
||||||
|
# Copyright 2018, Red Hat, Inc.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
# If we have a user-provided SSL certificate from
|
||||||
|
# /etc/openstack_deploy/user_variables.yml, we should deploy that certificate
|
||||||
|
# and key to each Qdrouterd container.
|
||||||
|
- name: Deploy user provided ssl cert
|
||||||
|
copy:
|
||||||
|
src: "{{ qdrouterd_user_ssl_cert }}"
|
||||||
|
dest: "{{ qdrouterd_ssl_cert }}"
|
||||||
|
owner: "qdrouterd"
|
||||||
|
group: "qdrouterd"
|
||||||
|
mode: "0644"
|
||||||
|
when: qdrouterd_user_ssl_cert is defined
|
||||||
|
tags:
|
||||||
|
- qdrouterd-configs
|
||||||
|
- qdrouterd-ssl
|
||||||
|
|
||||||
|
- name: Deploy user provided ssl key
|
||||||
|
copy:
|
||||||
|
src: "{{ qdrouterd_user_ssl_key }}"
|
||||||
|
dest: "{{ qdrouterd_ssl_key }}"
|
||||||
|
owner: "qdrouterd"
|
||||||
|
group: "qdrouterd"
|
||||||
|
mode: "0600"
|
||||||
|
when: qdrouterd_user_ssl_key is defined
|
||||||
|
tags:
|
||||||
|
- qdrouterd-configs
|
||||||
|
- qdrouterd-ssl
|
||||||
|
|
||||||
|
# Deploy the user provided CA certificate as well (if the user defined it
|
||||||
|
# within /etc/openstack_deploy/user_variables.yml).
|
||||||
|
- name: Deploy user provided ssl CA cert
|
||||||
|
copy:
|
||||||
|
src: "{{ qdrouterd_user_ssl_ca_cert }}"
|
||||||
|
dest: "{{ qdrouterd_ssl_ca_cert }}"
|
||||||
|
owner: "qdrouterd"
|
||||||
|
group: "qdrouterd"
|
||||||
|
mode: "0644"
|
||||||
|
when: qdrouterd_user_ssl_ca_cert is defined
|
||||||
|
tags:
|
||||||
|
- qdrouterd-configs
|
||||||
|
- qdrouterd-ssl
|
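Review bot: Each task is gated on its own variable, so a deployer who sets `qdrouterd_user_ssl_cert` but not `qdrouterd_user_ssl_key` gets a self-signed pair generated via `tasks/main.yml` and then the user certificate copied over that cert, leaving a key that does not match the certificate; gate both copies on the pair, `when: qdrouterd_user_ssl_cert is defined and qdrouterd_user_ssl_key is defined`, or add an `assert` up front that fails when only one is set. The tasks are tagged `qdrouterd-configs` while the includes in `tasks/main.yml` use `qdrouterd-config`; a run with `--tags qdrouterd-config` would skip these tasks, so align on one spelling.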
@ -22,6 +22,9 @@ listener {
|
|||||||
host: {{ qdrouterd_listener_addr }}
|
host: {{ qdrouterd_listener_addr }}
|
||||||
port: {{ qdrouterd_listener_port }}
|
port: {{ qdrouterd_listener_port }}
|
||||||
role: normal
|
role: normal
|
||||||
|
{% if qdrouterd_require_ssl == 'yes' %}
|
||||||
|
sslProfile: {{ ansible_hostname }}
|
||||||
|
{% endif %}
|
||||||
authenticatePeer: {{ qdrouterd_listener_auth_peer }}
|
authenticatePeer: {{ qdrouterd_listener_auth_peer }}
|
||||||
saslMechanisms: {{ qdrouterd_listener_sasl_mech }}
|
saslMechanisms: {{ qdrouterd_listener_sasl_mech }}
|
||||||
}
|
}
|
||||||
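Review bot: Setting `sslProfile` alone does not make the listener TLS-only — a qdrouterd listener with an `sslProfile` still accepts plaintext connections unless `requireSsl: yes` is also set — so the variable name `qdrouterd_require_ssl` promises more than the template delivers; add `requireSsl: yes` inside the same `{% if %}` block, and the same applies to the inter-router listener in the next hunk. The `sslProfile` value `{{ ansible_hostname }}` must match the `name` of an `sslProfile { … }` stanza that references `qdrouterd_ssl_cert` and `qdrouterd_ssl_key`; that stanza is not visible in these hunks, so confirm it exists elsewhere in the template or the router will reject the config. The `== 'yes'` string comparison only honours the literal default, so a boolean override silently leaves TLS off; `{% if qdrouterd_require_ssl | bool %}` accepts both forms. The enclosing `listener {` block starts outside the hunk.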
@ -31,6 +34,9 @@ listener {
|
|||||||
host: {{ qdrouterd_irl_addr }}
|
host: {{ qdrouterd_irl_addr }}
|
||||||
port: {{ qdrouterd_irl_port }}
|
port: {{ qdrouterd_irl_port }}
|
||||||
role: inter-router
|
role: inter-router
|
||||||
|
{% if qdrouterd_require_ssl == 'yes' %}
|
||||||
|
sslProfile: {{ ansible_hostname }}
|
||||||
|
{% endif %}
|
||||||
}
|
}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
@ -20,7 +20,7 @@ qdrouterd_distro_packages:
|
|||||||
- qpid-dispatch-router
|
- qpid-dispatch-router
|
||||||
- qpid-dispatch-tools
|
- qpid-dispatch-tools
|
||||||
|
|
||||||
_qdrouterd_etc_conf_path: "/etc/qpid-dispatch/"
|
_qdrouterd_etc_conf_path: "/etc/qpid-dispatch"
|
||||||
_qdrouterd_etc_conf_file: "/etc/qpid-dispatch/qdrouterd.conf"
|
_qdrouterd_etc_conf_file: "/etc/qpid-dispatch/qdrouterd.conf"
|
||||||
_qdrouterd_service_name: "qdrouterd"
|
_qdrouterd_service_name: "qdrouterd"
|
||||||
|
|
||||||
|
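Review bot: `_qdrouterd_etc_conf_file` still hardcodes `/etc/qpid-dispatch/qdrouterd.conf` while the directory next to it was just normalised so it can be joined; deriving it as `_qdrouterd_etc_conf_file: "{{ _qdrouterd_etc_conf_path }}/qdrouterd.conf"` keeps the two from drifting. Dropping the trailing slash here matches the parallel change to `qdrouterd_sasl_conf_path` in the defaults hunk, which is worth a one-line commit note since both are silent path-format changes.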