Merge "Support internal API TLS encryption"

ansible/group_vars/all/kolla

@@ -318,7 +318,10 @@ kolla_ansible_target_venv: "{{ virtualenv_path ~ '/kolla-ansible' }}"
 kolla_ansible_vault_password: "{{ lookup('env', 'KAYOBE_VAULT_PASSWORD') | default }}"
 
 # Whether TLS is enabled for the external API endpoints.
-kolla_enable_tls_external: "no"
+kolla_enable_tls_external: "{{ kolla_enable_tls_internal if public_net_name == internal_net_name else 'no' }}"
+
+# Whether TLS is enabled for the internal API endpoints.
+kolla_enable_tls_internal: "no"
 
 # Whether debug logging is enabled.
 kolla_openstack_logging_debug: "False"
@@ -411,14 +414,30 @@ kolla_ansible_custom_passwords: "{{ kolla_ansible_default_custom_passwords }}"
 ###############################################################################
 # TLS certificate bundle management
 
-# Optionally copy a TLS certificate bundle into place.
+# External API certificate bundle.
 #
-# When enabled, this will copy the contents of kolla_tls_cert into place for
-# use by HAProxy
+# When kolla_enable_tls_external is true, this should contain an X.509
+# certificate bundle for the external API.
 #
 # Note that this should be formatted as a literal style block scalar.
-kolla_tls_cert:
+# TODO(mgoddard): Remove the deprecated support for kolla_tls_cert in the
+# Ussuri cycle.
+kolla_external_tls_cert: "{{ kolla_tls_cert | default }}"
 
-# Path to a CA certificate file to use for the OS_CACERT environment variable in
-# openrc files when TLS is enabled, instead of Kolla-Ansible's default.
+# Path to a CA certificate file to use for the OS_CACERT environment variable
+# in public-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's
+# default.
 kolla_external_fqdn_cacert:
+
+# Internal API certificate bundle.
+#
+# When kolla_enable_tls_internal is true, this should contain an X.509
+# certificate bundle for the internal API.
+#
+# Note that this should be formatted as a literal style block scalar.
+kolla_internal_tls_cert:
+
+# Path to a CA certificate file to use for the OS_CACERT environment variable
+# in admin-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's
+# default.
+kolla_internal_fqdn_cacert:

ansible/kolla-ansible.yml

@@ -288,6 +288,7 @@
       vars:
         kolla_ansible_install_epel: "{{ yum_install_epel }}"
         kolla_external_fqdn_cert: "{{ kolla_config_path }}/certificates/haproxy.pem"
+        kolla_internal_fqdn_cert: "{{ kolla_config_path }}/certificates/haproxy-internal.pem"
         kolla_ansible_passwords_path: "{{ kayobe_config_path }}/kolla/passwords.yml"
         # NOTE: This differs from the default SELinux mode in kolla ansible,
         # which is permissive. The justification for using this mode is twofold:

ansible/roles/kolla-ansible/defaults/main.yml

@@ -200,12 +200,15 @@ kolla_neutron_ml2_tenant_network_types: []
 ####################
 # TLS options
 ####################
-# To provide encryption and authentication on the kolla_external_vip_interface,
-# TLS can be enabled.  When TLS is enabled, certificates must be provided to
-# allow clients to perform authentication.
+# To provide encryption and authentication on the external and/or internal
+# APIs, TLS can be enabled.  When TLS is enabled, certificates must be provided
+# to allow clients to perform authentication.
 kolla_enable_tls_external:
+kolla_enable_tls_internal:
 kolla_external_fqdn_cert:
+kolla_internal_fqdn_cert:
 kolla_external_fqdn_cacert:
+kolla_internal_fqdn_cacert:
 
 #############################
 # Ironic options
@@ -299,7 +302,8 @@ kolla_ansible_custom_passwords: {}
 
 # When set, this will copy the contents of this variable into place for
 # use by HAProxy.
-kolla_tls_cert:
+kolla_external_tls_cert:
+kolla_internal_tls_cert:
 
 ###############################################################################
 # SELinux

ansible/roles/kolla-ansible/tasks/config.yml

@@ -100,14 +100,32 @@
     dest: "{{ kolla_config_path }}/passwords.yml"
     remote_src: True
 
-- name: Ensure the HAProxy TLS certificate bundle is copied into place
-  block:
-    - file:
+- block:
+    - name: Ensure external HAProxy TLS directory exists
+      file:
         path: "{{ kolla_external_fqdn_cert | dirname }}"
         state: directory
         recurse: yes
-    - copy:
-        content: "{{ kolla_tls_cert }}"
+
+    - name: Ensure the external HAProxy TLS certificate bundle is copied into place
+      copy:
+        content: "{{ kolla_external_tls_cert }}"
         dest: "{{ kolla_external_fqdn_cert }}"
   when:
-    - kolla_tls_cert is not none
+    - kolla_external_tls_cert is not none
+    - kolla_external_tls_cert | length > 0
+
+- block:
+    - name: Ensure internal HAProxy TLS directory exists
+      file:
+        path: "{{ kolla_internal_fqdn_cert | dirname }}"
+        state: directory
+        recurse: yes
+
+    - name: Ensure the internal HAProxy TLS certificate bundle is copied into place
+      copy:
+        content: "{{ kolla_internal_tls_cert }}"
+        dest: "{{ kolla_internal_fqdn_cert }}"
+  when:
+    - kolla_internal_tls_cert is not none
+    - kolla_internal_tls_cert | length > 0

ansible/roles/kolla-ansible/templates/globals.yml.j2

@@ -180,9 +180,16 @@ neutron_tenant_network_types: {{ kolla_neutron_ml2_tenant_network_types | join('
 # To provide encryption and authentication on the kolla_external_vip_interface,
 # TLS can be enabled.  When TLS is enabled, certificates must be provided to
 # allow clients to perform authentication.
+kolla_enable_tls_internal: {{ kolla_enable_tls_internal | bool }}
 kolla_enable_tls_external: {{ kolla_enable_tls_external | bool }}
 kolla_external_fqdn_cert: "{{ kolla_external_fqdn_cert }}"
+kolla_internal_fqdn_cert: "{{ kolla_internal_fqdn_cert }}"
+{% if kolla_external_fqdn_cacert %}
 kolla_external_fqdn_cacert: "{{ kolla_external_fqdn_cacert }}"
+{% endif %}
+{% if kolla_internal_fqdn_cacert %}
+kolla_internal_fqdn_cacert: "{{ kolla_internal_fqdn_cacert }}"
+{% endif %}
 
 ################
 # Region options

ansible/roles/kolla-ansible/tests/test-defaults.yml

@@ -30,8 +30,10 @@
             kolla_external_vip_address: "10.0.0.2"
             kolla_external_fqdn: "fake.external.fqdn"
             kolla_enable_tls_external: False
-            kolla_enable_grafana: False
             kolla_external_fqdn_cert: "fake-cert"
+            kolla_enable_tls_internal: False
+            kolla_internal_fqdn_cert: "fake-cert"
+            kolla_enable_grafana: False
             kolla_openstack_logging_debug: False
 
         - name: Verify kolla-ansible installation
@@ -70,6 +72,8 @@
               neutron_plugin_agent: "openvswitch"
               kolla_enable_tls_external: False
               kolla_external_fqdn_cert: "fake-cert"
+              kolla_enable_tls_internal: False
+              kolla_internal_fqdn_cert: "fake-cert"
               openstack_logging_debug: False
               kolla_user: "kolla"
               kolla_group: "kolla"

ansible/roles/kolla-ansible/tests/test-extras.yml

@@ -96,6 +96,8 @@
               - "fake-ml2-tenant-type-2"
             kolla_enable_tls_external: False
             kolla_external_fqdn_cert: "fake-cert"
+            kolla_enable_tls_internal: False
+            kolla_internal_fqdn_cert: "fake-cert"
             kolla_openstack_logging_debug: True
             grafana_local_admin_user_name: "grafana-admin"
             kolla_inspector_dhcp_pool_start: "1.2.3.4"
@@ -229,6 +231,8 @@
               neutron_plugin_agent: "openvswitch"
               kolla_enable_tls_external: False
               kolla_external_fqdn_cert: "fake-cert"
+              kolla_enable_tls_internal: False
+              kolla_internal_fqdn_cert: "fake-cert"
               openstack_logging_debug: True
               grafana_admin_username: "grafana-admin"
               ironic_dnsmasq_dhcp_range: "1.2.3.4,1.2.3.5"

ansible/roles/kolla-ansible/tests/test-requirements.yml

@@ -32,8 +32,10 @@
             kolla_external_vip_address: "10.0.0.2"
             kolla_external_fqdn: "fake.external.fqdn"
             kolla_enable_tls_external: False
-            kolla_enable_grafana: False
+            kolla_enable_tls_internal: False
             kolla_external_fqdn_cert: "fake-cert"
+            kolla_internal_fqdn_cert: "fake-cert"
+            kolla_enable_grafana: False
             kolla_openstack_logging_debug: False
 
         - name: List Python packages installed in virtualenv

ansible/roles/public-openrc/templates/public-openrc.sh.j2

@@ -5,6 +5,8 @@
 export OS_AUTH_URL={{ public_openrc_auth_url }}
 {% elif "export OS_INTERFACE" in line %}
 export OS_INTERFACE=public
+{% elif "export OS_CACERT" in line and kolla_external_fqdn_cacert is not none %}
+export OS_CACERT={{ kolla_external_fqdn_cacert }}
 {% else %}
 {{ line }}
 {% endif %}

doc/source/configuration/kolla-ansible.rst

@@ -202,7 +202,7 @@ The following variables affect TLS encryption of the public API.
 
 ``kolla_enable_tls_external``
     Whether TLS is enabled for the public API endpoints. Default is ``no``.
-``kolla_tls_cert``
+``kolla_external_tls_cert``
     A TLS certificate bundle to use for the public API endpoints, if
     ``kolla_enable_tls_external`` is ``true``.  Note that this should be
     formatted as a literal style block scalar.
@@ -211,6 +211,20 @@ The following variables affect TLS encryption of the public API.
     variable in openrc files when TLS is enabled, instead of Kolla Ansible's
     default.
 
+The following variables affect TLS encryption of the internal API. Currently
+this requires all Kolla images to be built with the API's root CA trusted.
+
+``kolla_enable_tls_internal``
+    Whether TLS is enabled for the internal API endpoints. Default is ``no``.
+``kolla_internal_tls_cert``
+    A TLS certificate bundle to use for the internal API endpoints, if
+    ``kolla_enable_tls_internal`` is ``true``.  Note that this should be
+    formatted as a literal style block scalar.
+``kolla_internal_fqdn_cacert``
+    Path to a CA certificate file to use for the ``OS_CACERT`` environment
+    variable in openrc files when TLS is enabled, instead of Kolla Ansible's
+    default.
+
 Example: enabling TLS for the public API
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
@@ -222,12 +236,29 @@ Here is an example:
 
    ---
    kolla_enable_tls_external: yes
-   kolla_tls_cert: |
+   kolla_external_tls_cert: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
    kolla_external_fqdn_cacert: /path/to/ca/certificate/bundle
 
+Example: enabling TLS for the internal API
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+It is highly recommended to use TLS encryption to secure the internal API.
+Here is an example:
+
+.. code-block:: yaml
+   :caption: ``$KAYOBE_CONFIG_PATH/kolla.yml``
+
+   ---
+   kolla_enable_tls_internal: yes
+   kolla_internal_tls_cert: |
+     -----BEGIN CERTIFICATE-----
+     ...
+     -----END CERTIFICATE-----
+   kolla_internal_fqdn_cacert: /path/to/ca/certificate/bundle
+
 Custom Global Variables
 -----------------------
 

etc/kayobe/kolla.yml

@@ -152,6 +152,9 @@
 # Whether TLS is enabled for the external API endpoints. Default is 'no'.
 #kolla_enable_tls_external:
 
+# Whether TLS is enabled for the internal API endpoints. Default is 'no'.
+#kolla_enable_tls_internal:
+
 # Whether debug logging is enabled. Default is 'false'.
 #kolla_openstack_logging_debug:
 
@@ -269,18 +272,35 @@
 ###############################################################################
 # TLS certificate bundle management
 
-# Optionally copy a TLS certificate bundle into place.
+# External API certificate bundle.
 #
-# When enabled, this will copy the contents of kolla_tls_cert into place for
-# use by HAproxy.
+# When kolla_enable_tls_external is true, this should contain an X.509
+# certificate bundle for the external API.
 #
 # Note that this should be formatted as a literal style block scalar.
-#kolla_tls_cert:
+#
+# NOTE: kolla_tls_cert has been renamed to kolla_external_tls_cert. Support for
+# the deprecated name kolla_tls_cert will be removed in a future release.
+#kolla_external_tls_cert:
 
-# Path to a CA certificate file to use for the OS_CACERT environment variable in
-# openrc files when TLS is enabled, instead of Kolla-Ansible's default.
+# Path to a CA certificate file to use for the OS_CACERT environment variable
+# in public-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's
+# default.
 #kolla_external_fqdn_cacert:
 
+# Internal API certificate bundle.
+#
+# When kolla_enable_tls_internal is true, this should contain an X.509
+# certificate bundle for the internal API.
+#
+# Note that this should be formatted as a literal style block scalar.
+#kolla_internal_tls_cert:
+
+# Path to a CA certificate file to use for the OS_CACERT environment variable
+# in admin-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's
+# default.
+#kolla_internal_fqdn_cacert:
+
 ###############################################################################
 # Dummy variable to allow Ansible to accept this file.
 workaround_ansible_issue_8743: yes

releasenotes/notes/internal-api-tls-4e7383e6a0262f5f.yaml

@@ -0,0 +1,14 @@
+---
+features:
+  - |
+    Adds support for encryption of internal API traffic. This can be done via
+    the following variables:
+
+    * ``kolla_enable_tls_internal``
+    * ``kolla_internal_tls_cert``
+    * ``kolla_internal_fqdn_cacert``
+deprecations:
+  - |
+    The variable ``kolla_tls_cert`` has been deprecated in favour of
+    ``kolla_external_tls_cert``. Support for using ``kolla_tls_cert`` will be
+    removed in a future release.