Merge "Use correct variable for default certificate paths"

This commit is contained in:
Zuul 2018-12-02 09:25:42 +00:00 committed by Gerrit Code Review
commit 568fd4dcfd
9 changed files with 33 additions and 20 deletions


@ -6,6 +6,9 @@
# again. Persistent files allow for idempotency # again. Persistent files allow for idempotency
container_config_directory: "/var/lib/kolla/config_files" container_config_directory: "/var/lib/kolla/config_files"
# The directory on the deploy host containing globals.yml.
node_config: "{{ CONFIG_DIR | default('/etc/kolla') }}"
# The directory to merge custom config files the kolla's config files # The directory to merge custom config files the kolla's config files
node_custom_config: "/etc/kolla/config" node_custom_config: "/etc/kolla/config"
@ -631,8 +634,8 @@ qdrouterd_user: "openstack"
haproxy_user: "openstack" haproxy_user: "openstack"
haproxy_enable_external_vip: "{{ 'no' if kolla_external_vip_address == kolla_internal_vip_address else 'yes' }}" haproxy_enable_external_vip: "{{ 'no' if kolla_external_vip_address == kolla_internal_vip_address else 'yes' }}"
kolla_enable_tls_external: "no" kolla_enable_tls_external: "no"
kolla_external_fqdn_cert: "{{ node_config_directory }}/certificates/haproxy.pem" kolla_external_fqdn_cert: "{{ node_config }}/certificates/haproxy.pem"
kolla_external_fqdn_cacert: "{{ node_config_directory }}/certificates/haproxy-ca.crt" kolla_external_fqdn_cacert: "{{ node_config }}/certificates/haproxy-ca.crt"
#################### ####################


@ -5,5 +5,5 @@
tasks: tasks:
- template: - template:
src: "roles/common/templates/admin-openrc.sh.j2" src: "roles/common/templates/admin-openrc.sh.j2"
dest: "{{ CONFIG_DIR | default('/etc/kolla') }}/admin-openrc.sh" dest: "{{ node_config }}/admin-openrc.sh"
run_once: True run_once: True


@ -0,0 +1,3 @@
---
# Directory on deploy node (localhost) in which certificates are generated.
certificates_dir: "{{ node_config }}/certificates"


@ -2,17 +2,15 @@
- name: Ensuring config directories exist - name: Ensuring config directories exist
become: true become: true
file: file:
path: "{{ node_config_directory }}/{{ item }}" path: "{{ certificates_dir }}/private"
state: "directory" state: "directory"
recurse: yes recurse: yes
with_items:
- "certificates/private"
- name: Creating SSL configuration file - name: Creating SSL configuration file
become: true become: true
template: template:
src: "{{ item }}.j2" src: "{{ item }}.j2"
dest: "{{ node_config_directory }}/certificates/{{ item }}" dest: "{{ certificates_dir }}/{{ item }}"
with_items: with_items:
- "openssl-kolla.cnf" - "openssl-kolla.cnf"
@ -20,12 +18,12 @@
become: true become: true
command: creates="{{ item }}" openssl genrsa -out {{ item }} command: creates="{{ item }}" openssl genrsa -out {{ item }}
with_items: with_items:
- "{{ node_config_directory }}/certificates/private/haproxy.key" - "{{ certificates_dir }}/private/haproxy.key"
- name: Setting permissions on key - name: Setting permissions on key
become: true become: true
file: file:
path: "{{ node_config_directory }}/certificates/private/haproxy.key" path: "{{ certificates_dir }}/certificates/private/haproxy.key"
mode: 0600 mode: 0600
state: file state: file
@ -33,23 +31,23 @@
become: true become: true
command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \ command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \
-subj "/C=US/ST=NC/L=RTP/O=kolla/CN={{ kolla_external_fqdn }}" \ -subj "/C=US/ST=NC/L=RTP/O=kolla/CN={{ kolla_external_fqdn }}" \
-config {{ node_config_directory }}/certificates/openssl-kolla.cnf \ -config {{ certificates_dir }}/openssl-kolla.cnf \
-days 3650 \ -days 3650 \
-extensions v3_req \ -extensions v3_req \
-key {{ node_config_directory }}/certificates/private/haproxy.key \ -key {{ certificates_dir }}/private/haproxy.key \
-out {{ item }} -out {{ item }}
with_items: with_items:
- "{{ node_config_directory }}/certificates/private/haproxy.crt" - "{{ certificates_dir }}/private/haproxy.crt"
- name: Creating CA Certificate File - name: Creating CA Certificate File
become: true become: true
copy: copy:
src: "{{ node_config_directory }}/certificates/private/haproxy.crt" src: "{{ certificates_dir }}/private/haproxy.crt"
dest: "{{ node_config_directory }}/certificates/haproxy-ca.crt" dest: "{{ kolla_external_fqdn_cacert }}"
- name: Creating Server PEM File - name: Creating Server PEM File
become: true become: true
assemble: assemble:
src: "{{ node_config_directory }}/certificates/private" src: "{{ certificates_dir }}/private"
dest: "{{ node_config_directory }}/certificates/haproxy.pem" dest: "{{ kolla_external_fqdn_cert }}"
mode: 0600 mode: 0600
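Review bot: The `Setting permissions on key` task points at `{{ certificates_dir }}/certificates/private/haproxy.key`, but `certificates_dir` already ends in `/certificates` (per the new `certificates_dir: "{{ node_config }}/certificates"` default), so it no longer matches the key written one task earlier to `{{ certificates_dir }}/private/haproxy.key`; with `state: file` the task fails on the missing path, and if that failure were ignored the private key would keep whatever mode `openssl genrsa` and the umask left it with. It should read `path: "{{ certificates_dir }}/private/haproxy.key"`. Because `haproxy.pem` is assembled from everything under `private/`, the directory itself should also be restricted, e.g. add `mode: "0700"` to the `Ensuring config directories exist` task (I cannot see whether that directory is restricted elsewhere). Separately, the copy and assemble tasks now write to the operator-overridable `kolla_external_fqdn_cacert` / `kolla_external_fqdn_cert` paths, so running `kolla-ansible certificates` on a deployment that points those variables at a real CA-issued certificate would overwrite it with the self-signed one; either document that caveat for the certificates command or keep these two tasks writing to the fixed `certificates_dir` paths.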


@ -44,7 +44,7 @@
- name: Checking fernet_token_expiry in globals.yml. Update fernet_token_expiry to allowed value if this task fails - name: Checking fernet_token_expiry in globals.yml. Update fernet_token_expiry to allowed value if this task fails
run_once: true run_once: true
local_action: command awk '/^fernet_token_expiry/ { print $2 }' "{{ CONFIG_DIR | default('/etc/kolla') }}/globals.yml" local_action: command awk '/^fernet_token_expiry/ { print $2 }' "{{ node_config }}/globals.yml"
register: result register: result
changed_when: false changed_when: false
failed_when: result.stdout | regex_replace('(60|120|180|240|300|360|600|720|900|1200|1800|3600|7200|10800|14400|21600|28800|43200|86400|604800)', '') | search(".+") failed_when: result.stdout | regex_replace('(60|120|180|240|300|360|600|720|900|1200|1800|3600|7200|10800|14400|21600|28800|43200|86400|604800)', '') | search(".+")


@ -11,7 +11,7 @@
# will pass, but only because nothing in the vault file has the format of a # will pass, but only because nothing in the vault file has the format of a
# YAML dict item. # YAML dict item.
- name: Checking empty passwords in passwords.yml. Run kolla-genpwd if this task fails - name: Checking empty passwords in passwords.yml. Run kolla-genpwd if this task fails
local_action: command grep '^[^#].*:\s*$' "{{ CONFIG_DIR | default('/etc/kolla') }}/passwords.yml" local_action: command grep '^[^#].*:\s*$' "{{ node_config }}/passwords.yml"
run_once: True run_once: True
register: result register: result
changed_when: false changed_when: false


@ -92,7 +92,7 @@ The default for TLS is disabled, to enable TLS networking:
.. code-block:: yaml .. code-block:: yaml
kolla_enable_tls_external: "yes" kolla_enable_tls_external: "yes"
kolla_external_fqdn_cert: "{{ node_config_directory }}/certificates/mycert.pem" kolla_external_fqdn_cert: "{{ node_config }}/certificates/mycert.pem"
.. note:: .. note::


@ -151,7 +151,7 @@ kolla_internal_vip_address: "10.10.10.254"
# TLS can be enabled. When TLS is enabled, certificates must be provided to # TLS can be enabled. When TLS is enabled, certificates must be provided to
# allow clients to perform authentication. # allow clients to perform authentication.
#kolla_enable_tls_external: "no" #kolla_enable_tls_external: "no"
#kolla_external_fqdn_cert: "{{ node_config_directory }}/certificates/haproxy.pem" #kolla_external_fqdn_cert: "{{ node_config }}/certificates/haproxy.pem"
############## ##############


@ -0,0 +1,9 @@
---
upgrade:
- |
Changes the default path for certificates generated via ``kolla-ansible
certificates`` from ``{[ node_config_directory }}/certificates`` to
``{{ node_config }}``. ``{{ node_config }}`` is the directory containing
``globals.yml``, which by default is ``/etc/kolla/``. This makes
certificates consistent with other locally generated files, such as
``admin-openrc.sh``.