From d100904f2c42dea3338e5016c46014ee3132807c Mon Sep 17 00:00:00 2001 From: James Kirsch Date: Mon, 6 Jan 2020 20:39:04 -0800 Subject: [PATCH] Generate self signed TLS certificates Generate both internal and external self signed TLS certificates. Duplicate the certificate if internal and external VIPs are the same. Change-Id: I16b345c0b29ff13e042eed8798efe644e0ad2c74 Partially-Implements: blueprint custom-cacerts --- ansible/group_vars/all.yml | 4 +- ansible/roles/certificates/tasks/generate.yml | 165 +++++++++++++----- .../templates/openssl-kolla-internal.cnf.j2 | 21 +++ .../templates/openssl-kolla.cnf.j2 | 1 + doc/source/admin/advanced-configuration.rst | 7 +- etc/kolla/globals.yml | 4 +- ...al-self-signed-certs-c631a9d934d31fac.yaml | 23 +++ 7 files changed, 174 insertions(+), 51 deletions(-) create mode 100644 ansible/roles/certificates/templates/openssl-kolla-internal.cnf.j2 create mode 100644 releasenotes/notes/generate-internal-external-self-signed-certs-c631a9d934d31fac.yaml diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml index 5ad1be8706..eaca73e903 100644 --- a/ansible/group_vars/all.yml +++ b/ansible/group_vars/all.yml @@ -757,8 +757,8 @@ kolla_enable_tls_internal: "no" kolla_enable_tls_external: "{{ kolla_enable_tls_internal if kolla_same_external_internal_vip | bool else 'no' }}" kolla_external_fqdn_cert: "{{ node_config }}/certificates/haproxy.pem" kolla_internal_fqdn_cert: "{{ node_config }}/certificates/haproxy-internal.pem" -kolla_external_fqdn_cacert: "{{ node_config }}/certificates/haproxy-ca.crt" -kolla_internal_fqdn_cacert: "{{ node_config }}/certificates/haproxy-ca-internal.crt" +kolla_external_fqdn_cacert: "{{ node_config }}/certificates/ca/haproxy.crt" +kolla_internal_fqdn_cacert: "{{ node_config }}/certificates/ca/haproxy-internal.crt" kolla_copy_ca_into_containers: "no" #################### diff --git a/ansible/roles/certificates/tasks/generate.yml b/ansible/roles/certificates/tasks/generate.yml index 680cbc3daf..6865c12393 100644 --- a/ansible/roles/certificates/tasks/generate.yml +++ b/ansible/roles/certificates/tasks/generate.yml @@ -1,53 +1,130 @@ --- -- name: Ensuring config directories exist - become: true +- name: Ensuring private internal directory exist file: - path: "{{ certificates_dir }}/private" + path: "{{ certificates_dir }}/private/internal" state: "directory" recurse: yes + mode: "0770" -- name: Creating SSL configuration file - become: true - template: - src: "{{ item }}.j2" - dest: "{{ certificates_dir }}/{{ item }}" - with_items: - - "openssl-kolla.cnf" - -- name: Creating Key - become: true - command: creates="{{ item }}" openssl genrsa -out {{ item }} - with_items: - - "{{ certificates_dir }}/private/haproxy.key" - -- name: Setting permissions on key - become: true +- name: Ensuring private external directory exist file: - path: "{{ certificates_dir }}/private/haproxy.key" - mode: 0600 - state: file + path: "{{ certificates_dir }}/private/external" + state: "directory" + recurse: yes + mode: "0770" -- name: Creating Server Certificate - become: true - command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \ - -subj "/C=US/ST=NC/L=RTP/O=kolla/CN={{ kolla_external_fqdn }}" \ - -config {{ certificates_dir }}/openssl-kolla.cnf \ - -days 3650 \ - -extensions v3_req \ - -key {{ certificates_dir }}/private/haproxy.key \ - -out {{ item }} - with_items: - - "{{ certificates_dir }}/private/haproxy.crt" +- name: Ensuring ca directory exist + file: + path: "{{ certificates_dir }}/ca" + state: "directory" + recurse: yes + mode: "0770" -- name: Creating CA Certificate File - become: true - copy: - src: "{{ certificates_dir }}/private/haproxy.crt" - dest: "{{ kolla_external_fqdn_cacert }}" +- block: + - name: Creating external SSL configuration file + template: + src: "{{ item }}.j2" + dest: "{{ certificates_dir }}/{{ item }}" + mode: "0660" + with_items: + - "openssl-kolla.cnf" + - name: Creating external Key + command: creates="{{ item }}" openssl genrsa -out {{ item }} + with_items: + - "{{ certificates_dir }}/private/external/external.key" + - name: Setting permissions on external key + file: + path: "{{ certificates_dir }}/private/external/external.key" + mode: "0660" + state: file + - name: Creating external Server Certificate + command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \ + -config {{ certificates_dir }}/openssl-kolla.cnf \ + -days 3650 \ + -extensions v3_req \ + -key {{ certificates_dir }}/private/external/external.key \ + -out {{ item }} + with_items: + - "{{ certificates_dir }}/private/external/external.crt" + - name: Creating external CA Certificate File + copy: + src: "{{ certificates_dir }}/private/external/external.crt" + dest: "{{ kolla_external_fqdn_cacert }}" + mode: "0660" + - name: Creating external Server PEM File + assemble: + src: "{{ certificates_dir }}/private/external" + dest: "{{ kolla_external_fqdn_cert }}" + mode: "0660" + when: + - kolla_enable_tls_external | bool -- name: Creating Server PEM File - become: true - assemble: - src: "{{ certificates_dir }}/private" - dest: "{{ kolla_external_fqdn_cert }}" - mode: 0600 +- block: + - name: Copy the external certificate crt to be the internal when internal + external are same network + copy: + src: "{{ certificates_dir }}/private/external/external.crt" + dest: "{{ certificates_dir }}/private/internal/internal.crt" + remote_src: yes + mode: "0660" + - name: Copy the external certificate key to be the internal when internal + external are same network + copy: + src: "{{ certificates_dir }}/private/external/external.key" + dest: "{{ certificates_dir }}/private/internal/internal.key" + remote_src: yes + mode: "0660" + - name: Copy the external PEM file to be the internal when internal + external are same network + copy: + src: "{{ kolla_external_fqdn_cert }}" + dest: "{{ kolla_internal_fqdn_cert }}" + remote_src: yes + mode: "0660" + - name: Copy the external CA Certificate file to be the internal when internal + external are same network + copy: + src: "{{ kolla_external_fqdn_cacert }}" + dest: "{{ kolla_internal_fqdn_cacert }}" + remote_src: yes + mode: "0660" + when: + - kolla_enable_tls_external | bool + - kolla_enable_tls_internal | bool + - kolla_same_external_internal_vip | bool + +- block: + - name: Creating internal SSL configuration file + template: + src: "{{ item }}.j2" + dest: "{{ certificates_dir }}/{{ item }}" + mode: "0660" + with_items: + - "openssl-kolla-internal.cnf" + - name: Creating internal Key + command: creates="{{ item }}" openssl genrsa -out {{ item }} + with_items: + - "{{ certificates_dir }}/private/internal/internal.key" + - name: Setting permissions on internal key + file: + path: "{{ certificates_dir }}/private/internal/internal.key" + mode: "0660" + state: file + - name: Creating internal Server Certificate + command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \ + -config {{ certificates_dir }}/openssl-kolla-internal.cnf \ + -days 3650 \ + -extensions v3_req \ + -key {{ certificates_dir }}/private/internal/internal.key \ + -out {{ item }} + with_items: + - "{{ certificates_dir }}/private/internal/internal.crt" + - name: Creating internal CA Certificate File + copy: + src: "{{ certificates_dir }}/private/internal/internal.crt" + dest: "{{ kolla_internal_fqdn_cacert }}" + mode: "0660" + - name: Creating internal Server PEM File + assemble: + src: "{{ certificates_dir }}/private/internal" + dest: "{{ kolla_internal_fqdn_cert }}" + mode: "0660" + when: + - kolla_enable_tls_internal | bool + - not kolla_same_external_internal_vip | bool diff --git a/ansible/roles/certificates/templates/openssl-kolla-internal.cnf.j2 b/ansible/roles/certificates/templates/openssl-kolla-internal.cnf.j2 new file mode 100644 index 0000000000..0fc84f2bd4 --- /dev/null +++ b/ansible/roles/certificates/templates/openssl-kolla-internal.cnf.j2 @@ -0,0 +1,21 @@ +[req] +prompt = no +distinguished_name = req_distinguished_name +req_extensions = v3_req + +[req_distinguished_name] +countryName = US +stateOrProvinceName = NC +localityName = RTP +organizationalUnitName = kolla +commonName = {{ kolla_internal_fqdn }} + +[v3_req] +subjectAltName = @alt_names + +[alt_names] +{% if kolla_internal_fqdn != kolla_internal_vip_address %} +DNS.1 = {{ kolla_internal_fqdn }} +{% else %} +IP.1 = {{ kolla_internal_fqdn }} +{% endif %} diff --git a/ansible/roles/certificates/templates/openssl-kolla.cnf.j2 b/ansible/roles/certificates/templates/openssl-kolla.cnf.j2 index 4e15b92b82..a0273720dd 100644 --- a/ansible/roles/certificates/templates/openssl-kolla.cnf.j2 +++ b/ansible/roles/certificates/templates/openssl-kolla.cnf.j2 @@ -1,4 +1,5 @@ [req] +prompt = no distinguished_name = req_distinguished_name req_extensions = v3_req diff --git a/doc/source/admin/advanced-configuration.rst b/doc/source/admin/advanced-configuration.rst index 9d5b52ed20..765ed2f69b 100644 --- a/doc/source/admin/advanced-configuration.rst +++ b/doc/source/admin/advanced-configuration.rst @@ -140,7 +140,7 @@ have settings similar to this: export OS_PASSWORD=demo-password export OS_AUTH_URL=https://mykolla.example.net:5000 # os_cacert is optional for trusted certificates - export OS_CACERT=/etc/pki/mykolla-cacert.crt + export OS_CACERT=/etc/pki/ca/mykolla-cacert.crt export OS_IDENTITY_API_VERSION=3 Self-Signed Certificates @@ -162,8 +162,9 @@ configuration file: kolla-ansible certificates -The files haproxy.pem and haproxy-ca.pem will be generated and stored -in the ``/etc/kolla/certificates/`` directory. +The certificate file haproxy.pem will be generated and stored in the +``/etc/kolla/certificates/`` directory, and the CA cert will be in the +``/etc/kolla/certificates/ca/`` directory. Adding CA Certificates to the Service Containers ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/etc/kolla/globals.yml b/etc/kolla/globals.yml index e661910b19..807f6581ef 100644 --- a/etc/kolla/globals.yml +++ b/etc/kolla/globals.yml @@ -184,8 +184,8 @@ #kolla_enable_tls_external: "{{ kolla_enable_tls_internal if kolla_same_external_internal_vip | bool else 'no' }}" #kolla_external_fqdn_cert: "{{ node_config }}/certificates/haproxy.pem" #kolla_internal_fqdn_cert: "{{ node_config }}/certificates/haproxy-internal.pem" -#kolla_external_fqdn_cacert: "{{ node_config }}/certificates/haproxy-ca.crt" -#kolla_internal_fqdn_cacert: "{{ node_config }}/certificates/haproxy-ca-internal.crt" +#kolla_external_fqdn_cacert: "{{ node_config }}/certificates/ca/haproxy.crt" +#kolla_internal_fqdn_cacert: "{{ node_config }}/certificates/ca/haproxy-internal.crt" #kolla_copy_ca_into_containers: "no" ################ diff --git a/releasenotes/notes/generate-internal-external-self-signed-certs-c631a9d934d31fac.yaml b/releasenotes/notes/generate-internal-external-self-signed-certs-c631a9d934d31fac.yaml new file mode 100644 index 0000000000..94ea0638e5 --- /dev/null +++ b/releasenotes/notes/generate-internal-external-self-signed-certs-c631a9d934d31fac.yaml @@ -0,0 +1,23 @@ +--- +features: + - | + Generate self signed certificates for both the internal and external + (public) networks. If they are the same network, then the certificate + files will be the same. +upgrade: + - | + The default value for ``kolla_external_fqdn_cacert`` has been changed + from: + "{{ node_config }}/certificates/haproxy-ca.crt" + to: + "{{ node_config }}/certificates/ca/haproxy.crt" + + and the default value for ``kolla_external_fqdn_cacert`` has been changed + from: + "{{ node_config }}/certificates/haproxy-ca-internal.crt" + to: + "{{ node_config }}/certificates/ca/haproxy-internal.crt" + + These variables set the value for the ``OS_CACERT`` environment variable in + ``admin-openrc.sh``. This has been done to allow these certificates to be + copied into containers when ``kolla_copy_ca_into_containers`` is true.