Merge "Add support for checking Octavia cert expiration"
This commit is contained in:
commit
a34f1cd7e6
@ -43,3 +43,6 @@ octavia_certs_client_req_organizational_unit: "{{ octavia_certs_organizational_u
|
|||||||
# NOTE(yoctozepto): This should ideally be per controller, i.e. controller
|
# NOTE(yoctozepto): This should ideally be per controller, i.e. controller
|
||||||
# generates its key&CSR and this CA signs it.
|
# generates its key&CSR and this CA signs it.
|
||||||
octavia_certs_client_req_common_name: client.example.org
|
octavia_certs_client_req_common_name: client.example.org
|
||||||
|
|
||||||
|
# Used with command `kolla-ansible octavia-certificates --check-expiry <days>`.
|
||||||
|
octavia_certs_check_expiry: "no"
|
||||||
|
24
ansible/roles/octavia-certificates/tasks/check_expiry.yml
Normal file
24
ansible/roles/octavia-certificates/tasks/check_expiry.yml
Normal file
@ -0,0 +1,24 @@
|
|||||||
|
---
|
||||||
|
- name: Gather information on certificates
|
||||||
|
community.crypto.x509_certificate_info:
|
||||||
|
path: "{{ node_custom_config }}/octavia/{{ item }}"
|
||||||
|
valid_at:
|
||||||
|
point_1: "+{{ octavia_certs_expiry_limit | int }}d"
|
||||||
|
register: cert_info
|
||||||
|
delegate_to: localhost
|
||||||
|
with_items:
|
||||||
|
- "server_ca.cert.pem"
|
||||||
|
- "client_ca.cert.pem"
|
||||||
|
- "client.cert-and-key.pem"
|
||||||
|
|
||||||
|
- name: Check whether certificates are valid within {{ octavia_certs_expiry_limit }} days
|
||||||
|
assert:
|
||||||
|
that:
|
||||||
|
- item.valid_at.point_1
|
||||||
|
fail_msg: "{{ item.item }} will expire within {{ octavia_certs_expiry_limit }} days, on {{ item.not_after }}"
|
||||||
|
success_msg: "{{ item.item }} will not expire within {{ octavia_certs_expiry_limit }} days. It expires on {{ item.not_after }}"
|
||||||
|
quiet: True
|
||||||
|
loop: "{{ cert_info.results }}"
|
||||||
|
loop_control:
|
||||||
|
label: "{{ item.item }}"
|
||||||
|
delegate_to: localhost
|
@ -7,38 +7,45 @@
|
|||||||
# Kolla Ansible prepares and controls the Client CA certificate and key.
|
# Kolla Ansible prepares and controls the Client CA certificate and key.
|
||||||
# Client CA is used to generate certificates for Octavia controllers.
|
# Client CA is used to generate certificates for Octavia controllers.
|
||||||
|
|
||||||
- name: Ensure server_ca and client_ca directories exist
|
- name: Check if any certificates are going to expire
|
||||||
file:
|
include_tasks: check_expiry.yml
|
||||||
path: "{{ octavia_certs_work_dir }}/{{ item }}"
|
when: octavia_certs_check_expiry | bool
|
||||||
state: "directory"
|
|
||||||
mode: 0770
|
|
||||||
loop:
|
|
||||||
- server_ca
|
|
||||||
- client_ca
|
|
||||||
|
|
||||||
- name: Copy openssl.cnf
|
- block:
|
||||||
copy:
|
- name: Ensure server_ca and client_ca directories exist
|
||||||
src: "{{ octavia_certs_openssl_cnf_path }}"
|
file:
|
||||||
dest: "{{ octavia_certs_work_dir }}/openssl.cnf"
|
path: "{{ octavia_certs_work_dir }}/{{ item }}"
|
||||||
|
state: "directory"
|
||||||
|
mode: 0770
|
||||||
|
loop:
|
||||||
|
- server_ca
|
||||||
|
- client_ca
|
||||||
|
|
||||||
- import_tasks: server_ca.yml
|
- name: Copy openssl.cnf
|
||||||
|
copy:
|
||||||
|
src: "{{ octavia_certs_openssl_cnf_path }}"
|
||||||
|
dest: "{{ octavia_certs_work_dir }}/openssl.cnf"
|
||||||
|
|
||||||
- import_tasks: client_ca.yml
|
- import_tasks: server_ca.yml
|
||||||
|
|
||||||
- import_tasks: client_cert.yml
|
- import_tasks: client_ca.yml
|
||||||
|
|
||||||
- name: Ensure {{ node_custom_config }}/octavia directory exists
|
- import_tasks: client_cert.yml
|
||||||
file:
|
|
||||||
path: "{{ node_custom_config }}/octavia"
|
|
||||||
state: "directory"
|
|
||||||
mode: 0770
|
|
||||||
|
|
||||||
- name: Copy the to-be-deployed keys and certs to {{ node_custom_config }}/octavia
|
- name: Ensure {{ node_custom_config }}/octavia directory exists
|
||||||
copy:
|
file:
|
||||||
src: "{{ octavia_certs_work_dir }}/{{ item.src }}"
|
path: "{{ node_custom_config }}/octavia"
|
||||||
dest: "{{ node_custom_config }}/octavia/{{ item.dest }}"
|
state: "directory"
|
||||||
with_items:
|
mode: 0770
|
||||||
- { src: "server_ca/server_ca.cert.pem", dest: "server_ca.cert.pem" }
|
|
||||||
- { src: "server_ca/server_ca.key.pem", dest: "server_ca.key.pem" }
|
- name: Copy the to-be-deployed keys and certs to {{ node_custom_config }}/octavia
|
||||||
- { src: "client_ca/client_ca.cert.pem", dest: "client_ca.cert.pem" }
|
copy:
|
||||||
- { src: "client_ca/client.cert-and-key.pem", dest: "client.cert-and-key.pem" }
|
src: "{{ octavia_certs_work_dir }}/{{ item.src }}"
|
||||||
|
dest: "{{ node_custom_config }}/octavia/{{ item.dest }}"
|
||||||
|
with_items:
|
||||||
|
- { src: "server_ca/server_ca.cert.pem", dest: "server_ca.cert.pem" }
|
||||||
|
- { src: "server_ca/server_ca.key.pem", dest: "server_ca.key.pem" }
|
||||||
|
- { src: "client_ca/client_ca.cert.pem", dest: "client_ca.cert.pem" }
|
||||||
|
- { src: "client_ca/client.cert-and-key.pem", dest: "client.cert-and-key.pem" }
|
||||||
|
|
||||||
|
when: not octavia_certs_check_expiry | bool
|
||||||
|
@ -75,6 +75,16 @@ used to encrypt the CA key:
|
|||||||
|
|
||||||
.. _octavia-network:
|
.. _octavia-network:
|
||||||
|
|
||||||
|
Monitoring certificate expiry
|
||||||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
You can use the following command to check if any of the certificates will
|
||||||
|
expire within a given number of days:
|
||||||
|
|
||||||
|
.. code-block:: console
|
||||||
|
|
||||||
|
kolla-ansible octavia-certificates --check-expiry <days>
|
||||||
|
|
||||||
Networking
|
Networking
|
||||||
----------
|
----------
|
||||||
|
|
||||||
|
@ -0,0 +1,7 @@
|
|||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
The flag ``--check-expiry`` has been added to the ``octavia-certificates``
|
||||||
|
command. ``kolla-ansible octavia-certificates --check-expiry <days>`` will
|
||||||
|
check if the Octavia certificates are set to expire within a given number
|
||||||
|
of days.
|
@ -503,6 +503,8 @@
|
|||||||
executable: /bin/bash
|
executable: /bin/bash
|
||||||
chdir: "{{ kolla_ansible_src_dir }}"
|
chdir: "{{ kolla_ansible_src_dir }}"
|
||||||
when: scenario == "octavia"
|
when: scenario == "octavia"
|
||||||
|
environment:
|
||||||
|
KOLLA_ANSIBLE_VENV_PATH: "{{ kolla_ansible_venv_path }}"
|
||||||
|
|
||||||
- name: Run test-masakari.sh script
|
- name: Run test-masakari.sh script
|
||||||
script:
|
script:
|
||||||
|
@ -8,6 +8,12 @@ set -o errexit
|
|||||||
# Enable unbuffered output for Ansible in Jenkins.
|
# Enable unbuffered output for Ansible in Jenkins.
|
||||||
export PYTHONUNBUFFERED=1
|
export PYTHONUNBUFFERED=1
|
||||||
|
|
||||||
|
function check_certificate_expiry {
|
||||||
|
RAW_INVENTORY=/etc/kolla/inventory
|
||||||
|
source $KOLLA_ANSIBLE_VENV_PATH/bin/activate
|
||||||
|
kolla-ansible octavia-certificates --check-expiry 7
|
||||||
|
deactivate
|
||||||
|
}
|
||||||
|
|
||||||
function register_amphora_image {
|
function register_amphora_image {
|
||||||
amphora_url=https://tarballs.opendev.org/openstack/octavia/test-images/test-only-amphora-x64-haproxy-ubuntu-focal.qcow2
|
amphora_url=https://tarballs.opendev.org/openstack/octavia/test-images/test-only-amphora-x64-haproxy-ubuntu-focal.qcow2
|
||||||
@ -79,6 +85,9 @@ function test_octavia {
|
|||||||
}
|
}
|
||||||
|
|
||||||
function test_octavia_logged {
|
function test_octavia_logged {
|
||||||
|
# Check if any certs expire within a week.
|
||||||
|
check_certificate_expiry
|
||||||
|
|
||||||
. /etc/kolla/admin-openrc.sh
|
. /etc/kolla/admin-openrc.sh
|
||||||
. ~/openstackclient-venv/bin/activate
|
. ~/openstackclient-venv/bin/activate
|
||||||
test_octavia
|
test_octavia
|
||||||
|
@ -197,6 +197,7 @@ Commands:
|
|||||||
stop Stop Kolla containers
|
stop Stop Kolla containers
|
||||||
certificates Generate self-signed certificate for TLS *For Development Only*
|
certificates Generate self-signed certificate for TLS *For Development Only*
|
||||||
octavia-certificates Generate certificates for octavia deployment
|
octavia-certificates Generate certificates for octavia deployment
|
||||||
|
--check-expiry <days> to check if certificates expire within that many days
|
||||||
upgrade Upgrades existing OpenStack Environment
|
upgrade Upgrades existing OpenStack Environment
|
||||||
upgrade-bifrost Upgrades an existing bifrost container
|
upgrade-bifrost Upgrades an existing bifrost container
|
||||||
genconfig Generate configuration files for enabled OpenStack services
|
genconfig Generate configuration files for enabled OpenStack services
|
||||||
@ -263,7 +264,7 @@ function version {
|
|||||||
check_environment_coherence
|
check_environment_coherence
|
||||||
|
|
||||||
SHORT_OPTS="hi:p:t:k:e:CD:v"
|
SHORT_OPTS="hi:p:t:k:e:CD:v"
|
||||||
LONG_OPTS="help,version,inventory:,playbook:,skip-tags:,tags:,key:,extra:,check,diff,verbose,configdir:,passwords:,limit:,forks:,vault-id:,ask-vault-pass,vault-password-file:,yes-i-really-really-mean-it,include-images,include-dev:,full,incremental"
|
LONG_OPTS="help,version,inventory:,playbook:,skip-tags:,tags:,key:,extra:,check,diff,verbose,configdir:,passwords:,limit:,forks:,vault-id:,ask-vault-pass,vault-password-file:,yes-i-really-really-mean-it,include-images,include-dev:,full,incremental,check-expiry:"
|
||||||
|
|
||||||
RAW_ARGS="$*"
|
RAW_ARGS="$*"
|
||||||
ARGS=$(getopt -o "${SHORT_OPTS}" -l "${LONG_OPTS}" --name "$0" -- "$@") || { usage >&2; exit 2; }
|
ARGS=$(getopt -o "${SHORT_OPTS}" -l "${LONG_OPTS}" --name "$0" -- "$@") || { usage >&2; exit 2; }
|
||||||
@ -281,6 +282,7 @@ DANGER_CONFIRM=
|
|||||||
INCLUDE_IMAGES=
|
INCLUDE_IMAGES=
|
||||||
INCLUDE_DEV=
|
INCLUDE_DEV=
|
||||||
BACKUP_TYPE="full"
|
BACKUP_TYPE="full"
|
||||||
|
OCTAVIA_CERTS_EXPIRY=
|
||||||
# Serial is not recommended and disabled by default. Users can enable it by
|
# Serial is not recommended and disabled by default. Users can enable it by
|
||||||
# configuring ANSIBLE_SERIAL variable.
|
# configuring ANSIBLE_SERIAL variable.
|
||||||
ANSIBLE_SERIAL=${ANSIBLE_SERIAL:-0}
|
ANSIBLE_SERIAL=${ANSIBLE_SERIAL:-0}
|
||||||
@ -398,6 +400,11 @@ while [ "$#" -gt 0 ]; do
|
|||||||
shift 1
|
shift 1
|
||||||
;;
|
;;
|
||||||
|
|
||||||
|
(--check-expiry)
|
||||||
|
OCTAVIA_CERTS_EXPIRY="$2"
|
||||||
|
shift 2
|
||||||
|
;;
|
||||||
|
|
||||||
(--version)
|
(--version)
|
||||||
version
|
version
|
||||||
exit 0
|
exit 0
|
||||||
@ -532,6 +539,9 @@ EOF
|
|||||||
(octavia-certificates)
|
(octavia-certificates)
|
||||||
ACTION="Generate octavia Certificates"
|
ACTION="Generate octavia Certificates"
|
||||||
PLAYBOOK="${BASEDIR}/ansible/octavia-certificates.yml"
|
PLAYBOOK="${BASEDIR}/ansible/octavia-certificates.yml"
|
||||||
|
if [[ ! -z "${OCTAVIA_CERTS_EXPIRY}" ]]; then
|
||||||
|
EXTRA_OPTS="$EXTRA_OPTS -e octavia_certs_check_expiry=yes -e octavia_certs_expiry_limit=${OCTAVIA_CERTS_EXPIRY}"
|
||||||
|
fi
|
||||||
;;
|
;;
|
||||||
(genconfig)
|
(genconfig)
|
||||||
ACTION="Generate configuration files for enabled OpenStack services"
|
ACTION="Generate configuration files for enabled OpenStack services"
|
||||||
|
Loading…
Reference in New Issue
Block a user