Merge "Fix TLS settings when letsencrypt turned on"

This commit is contained in:
Zuul 2024-11-27 01:44:19 +00:00 committed by Gerrit Code Review
commit ccdc8c159f
17 changed files with 214 additions and 131 deletions

View File

@ -501,6 +501,9 @@ keystone_ssh_port: "8023"
kuryr_port: "23750" kuryr_port: "23750"
letsencrypt_webserver_port: "8081" letsencrypt_webserver_port: "8081"
letsencrypt_managed_certs: "{{ '' if not enable_letsencrypt | bool else ('internal' if letsencrypt_internal_cert_server != '' and kolla_same_external_internal_vip | bool else ('internal,external' if letsencrypt_internal_cert_server != '' and letsencrypt_external_cert_server != '' else ('internal' if letsencrypt_internal_cert_server != '' else ('external' if letsencrypt_external_cert_server != '' and not kolla_same_external_internal_vip | bool else '')))) }}"
letsencrypt_external_cert_server: ""
letsencrypt_internal_cert_server: ""
magnum_internal_fqdn: "{{ kolla_internal_fqdn }}" magnum_internal_fqdn: "{{ kolla_internal_fqdn }}"
magnum_external_fqdn: "{{ kolla_external_fqdn }}" magnum_external_fqdn: "{{ kolla_external_fqdn }}"
@ -523,6 +526,7 @@ mariadb_wsrep_port: "4567"
mariadb_ist_port: "4568" mariadb_ist_port: "4568"
mariadb_sst_port: "4444" mariadb_sst_port: "4444"
mariadb_clustercheck_port: "4569" mariadb_clustercheck_port: "4569"
mariadb_enable_tls_backend: "{{ database_enable_tls_backend }}"
mariadb_monitor_user: "{{ 'monitor' if enable_proxysql | bool else 'haproxy' }}" mariadb_monitor_user: "{{ 'monitor' if enable_proxysql | bool else 'haproxy' }}"
mariadb_monitor_connect_interval: "2000" mariadb_monitor_connect_interval: "2000"

View File

@ -59,16 +59,35 @@
path: "{{ external_dir }}/external.key" path: "{{ external_dir }}/external.key"
mode: "0660" mode: "0660"
state: file state: file
when:
- letsencrypt_managed_certs == 'internal' or letsencrypt_managed_certs == '' or database_enable_tls_internal | bool
- kolla_enable_tls_external | bool or database_enable_tls_internal | bool
- name: Creating external Server PEM File - name: Creating external Server PEM File
assemble: assemble:
regexp: \.(crt|key)$ regexp: \.(crt|key)$
src: "{{ external_dir }}" src: "{{ external_dir }}"
dest: "{{ kolla_external_fqdn_cert }}" dest: "{{ kolla_external_fqdn_cert }}"
mode: "0660"
when:
- letsencrypt_managed_certs == 'internal' or letsencrypt_managed_certs == ''
- kolla_enable_tls_external | bool
- block:
- name: Copy Certificate for ProxySQL
copy:
src: "{{ external_dir }}/external.crt"
dest: "{{ kolla_certificates_dir }}/proxysql-cert.pem"
mode: "0660"
- name: Copy Key for ProxySQL
copy:
src: "{{ external_dir }}/external.key"
dest: "{{ kolla_certificates_dir }}/proxysql-key.pem"
mode: "0660" mode: "0660"
when: when:
- not enable_letsencrypt | bool - database_enable_tls_internal | bool
- kolla_enable_tls_external | bool - kolla_same_external_internal_vip | bool
- block: - block:
- name: Copy the external PEM file to be the internal when internal + external are same network - name: Copy the external PEM file to be the internal when internal + external are same network
@ -78,7 +97,7 @@
remote_src: yes remote_src: yes
mode: "0660" mode: "0660"
when: when:
- not enable_letsencrypt | bool - letsencrypt_managed_certs == 'external' or letsencrypt_managed_certs == ''
- kolla_enable_tls_external | bool - kolla_enable_tls_external | bool
- kolla_enable_tls_internal | bool - kolla_enable_tls_internal | bool
- kolla_same_external_internal_vip | bool - kolla_same_external_internal_vip | bool
@ -131,26 +150,34 @@
path: "{{ internal_dir }}/internal.key" path: "{{ internal_dir }}/internal.key"
mode: "0660" mode: "0660"
state: file state: file
- name: Creating internal Server PEM File
assemble:
regexp: \.(crt|key)$
src: "{{ internal_dir }}"
dest: "{{ kolla_internal_fqdn_cert }}"
mode: "0660"
when: when:
- not enable_letsencrypt | bool - letsencrypt_managed_certs == 'external' or letsencrypt_managed_certs == '' or database_enable_tls_internal | bool
- kolla_enable_tls_internal | bool or database_enable_tls_internal | bool
- not kolla_same_external_internal_vip | bool
- name: Creating internal Server PEM File
assemble:
regexp: \.(crt|key)$
src: "{{ internal_dir }}"
dest: "{{ kolla_internal_fqdn_cert }}"
mode: "0660"
when:
- letsencrypt_managed_certs == 'external' or letsencrypt_managed_certs == ''
- kolla_enable_tls_internal | bool - kolla_enable_tls_internal | bool
- not kolla_same_external_internal_vip | bool - not kolla_same_external_internal_vip | bool
- block: - block:
- name: Copy Certificate and Key for ProxySQL - name: Copy Certificate for ProxySQL
copy: copy:
src: "{{ external_dir if kolla_same_external_internal_vip | bool else internal_dir }}/{{ 'external' if kolla_same_external_internal_vip | bool else 'internal' }}.{{item}}" src: "{{ internal_dir }}/internal.crt"
dest: "{{ kolla_certificates_dir }}/proxysql-{{ 'cert' if item == 'crt' else item }}.pem" dest: "{{ kolla_certificates_dir }}/proxysql-cert.pem"
mode: "0660"
- name: Copy Key for ProxySQL
copy:
src: "{{ internal_dir }}/internal.key"
dest: "{{ kolla_certificates_dir }}/proxysql-key.pem"
mode: "0660" mode: "0660"
with_items:
- "crt"
- "key"
when: when:
- database_enable_tls_internal | bool - database_enable_tls_internal | bool
- kolla_enable_tls_internal | bool - not kolla_same_external_internal_vip | bool

View File

@ -3,6 +3,6 @@
- include_tasks: generate.yml - include_tasks: generate.yml
- include_tasks: generate-backend.yml - include_tasks: generate-backend.yml
when: when:
- kolla_enable_tls_backend | bool or rabbitmq_enable_tls | bool - kolla_enable_tls_backend | bool or rabbitmq_enable_tls | bool or database_enable_tls_backend | bool
- include_tasks: generate-libvirt.yml - include_tasks: generate-libvirt.yml
when: certificates_generate_libvirt | bool when: certificates_generate_libvirt | bool

View File

@ -47,7 +47,6 @@ letsencrypt_webserver_default_volumes:
- "kolla_logs:/var/log/kolla/" - "kolla_logs:/var/log/kolla/"
letsencrypt_webserver_extra_volumes: "{{ default_extra_volumes }}" letsencrypt_webserver_extra_volumes: "{{ default_extra_volumes }}"
letsencrypt_cert_server: "https://acme-v02.api.letsencrypt.org/directory"
# attempt to renew Let's Encrypt certificate every 4 hours # attempt to renew Let's Encrypt certificate every 4 hours
letsencrypt_cron_renew_schedule: "0 */4 * * *" letsencrypt_cron_renew_schedule: "0 */4 * * *"
# The email used for certificate registration and recovery contact. Required. # The email used for certificate registration and recovery contact. Required.

View File

@ -1,8 +1,10 @@
PATH=/usr/local/bin:/usr/bin:/bin PATH=/usr/local/bin:/usr/bin:/bin
{% if kolla_external_vip_address != kolla_internal_vip_address and kolla_external_fqdn != kolla_external_vip_address %} {% if 'external' in letsencrypt_managed_certs and kolla_external_fqdn != kolla_external_vip_address %}
{{ letsencrypt_cron_renew_schedule }} /usr/bin/letsencrypt-certificates --external --fqdns {% for fqdn in letsencrypt_external_fqdns %}{{ fqdn }}{% if not loop.last %},{% endif %}{% endfor %} --days {{ letsencrypt_cert_valid_days }} --port {{ letsencrypt_webserver_port }} --mail {{ letsencrypt_email }} --acme {{ letsencrypt_cert_server }} --vips {% if not kolla_same_external_internal_vip %}{{ kolla_external_vip_address }},{% endif %}{{ kolla_internal_vip_address }} --haproxies-ssh {% for host in groups['loadbalancer'] %}{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ haproxy_ssh_port }}{% if not loop.last %},{% endif %}{% endfor %} 2>&1 | tee -a /var/log/kolla/letsencrypt/letsencrypt-lego.log # External Certificates
{{ letsencrypt_cron_renew_schedule }} /usr/bin/letsencrypt-certificates --external --fqdns {% for fqdn in letsencrypt_external_fqdns %}{{ fqdn }}{% if not loop.last %},{% endif %}{% endfor %} --days {{ letsencrypt_cert_valid_days }} --port {{ letsencrypt_webserver_port }} --mail {{ letsencrypt_email }} --acme {{ letsencrypt_external_cert_server }} --vips {% if not kolla_same_external_internal_vip %}{{ kolla_external_vip_address }},{% endif %}{{ kolla_internal_vip_address }} --haproxies-ssh {% for host in groups['loadbalancer'] %}{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ haproxy_ssh_port }}{% if not loop.last %},{% endif %}{% endfor %} 2>&1 | tee -a /var/log/kolla/letsencrypt/letsencrypt-lego.log
{% endif %} {% endif %}
{% if kolla_external_vip_address == kolla_internal_vip_address and kolla_internal_fqdn != kolla_internal_vip_address %} {% if 'internal' in letsencrypt_managed_certs and kolla_internal_fqdn != kolla_internal_vip_address %}
{{ letsencrypt_cron_renew_schedule }} /usr/bin/letsencrypt-certificates --internal --fqdns {% for fqdn in letsencrypt_internal_fqdns %}{{ fqdn }}{% if not loop.last %},{% endif %}{% endfor %} --days {{ letsencrypt_cert_valid_days }} --port {{ letsencrypt_webserver_port }} --mail {{ letsencrypt_email }} --acme {{ letsencrypt_cert_server }} --vips {% if not kolla_same_external_internal_vip %}{{ kolla_external_vip_address }},{% endif %}{{ kolla_internal_vip_address }} --haproxies-ssh {% for host in groups['loadbalancer'] %}{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ haproxy_ssh_port }}{% if not loop.last %},{% endif %}{% endfor %} 2>&1 | tee -a /var/log/kolla/letsencrypt/letsencrypt-lego.log # Internal Certificates
{{ letsencrypt_cron_renew_schedule }} /usr/bin/letsencrypt-certificates --internal --fqdns {% for fqdn in letsencrypt_internal_fqdns %}{{ fqdn }}{% if not loop.last %},{% endif %}{% endfor %} --days {{ letsencrypt_cert_valid_days }} --port {{ letsencrypt_webserver_port }} --mail {{ letsencrypt_email }} --acme {{ letsencrypt_internal_cert_server }} --vips {% if not kolla_same_external_internal_vip %}{{ kolla_external_vip_address }},{% endif %}{{ kolla_internal_vip_address }} --haproxies-ssh {% for host in groups['loadbalancer'] %}{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ haproxy_ssh_port }}{% if not loop.last %},{% endif %}{% endfor %} 2>&1 | tee -a /var/log/kolla/letsencrypt/letsencrypt-lego.log
{% endif %} {% endif %}

View File

@ -2,11 +2,13 @@
{% set cron_cmd = 'cron -f' if kolla_base_distro in ['ubuntu', 'debian'] else 'crond -s -n' %} {% set cron_cmd = 'cron -f' if kolla_base_distro in ['ubuntu', 'debian'] else 'crond -s -n' %}
{% if kolla_external_vip_address != kolla_internal_vip_address and kolla_external_fqdn != kolla_external_vip_address %} {% if 'external' in letsencrypt_managed_certs and kolla_external_fqdn != kolla_external_vip_address %}
/usr/bin/letsencrypt-certificates --external --fqdns {% for fqdn in letsencrypt_external_fqdns %}{{ fqdn }}{% if not loop.last %},{% endif %}{% endfor %} --days {{ letsencrypt_cert_valid_days }} --port {{ letsencrypt_webserver_port }} --mail {{ letsencrypt_email }} --acme {{ letsencrypt_cert_server }} --vips {% if not kolla_same_external_internal_vip %}{{ kolla_external_vip_address }},{% endif %}{{ kolla_internal_vip_address }} --haproxies-ssh {% for host in groups['loadbalancer'] %}{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ haproxy_ssh_port }}{% if not loop.last %},{% endif %}{% endfor %} 2>&1 | tee -a /var/log/kolla/letsencrypt/letsencrypt-lego.log # External Certificates
/usr/bin/letsencrypt-certificates --external --fqdns {% for fqdn in letsencrypt_external_fqdns %}{{ fqdn }}{% if not loop.last %},{% endif %}{% endfor %} --days {{ letsencrypt_cert_valid_days }} --port {{ letsencrypt_webserver_port }} --mail {{ letsencrypt_email }} --acme {{ letsencrypt_external_cert_server }} --vips {% if not kolla_same_external_internal_vip %}{{ kolla_external_vip_address }},{% endif %}{{ kolla_internal_vip_address }} --haproxies-ssh {% for host in groups['loadbalancer'] %}{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ haproxy_ssh_port }}{% if not loop.last %},{% endif %}{% endfor %} 2>&1 | tee -a /var/log/kolla/letsencrypt/letsencrypt-lego.log
{% endif %} {% endif %}
{% if kolla_external_vip_address == kolla_internal_vip_address and kolla_internal_fqdn != kolla_internal_vip_address %} {% if 'internal' in letsencrypt_managed_certs and kolla_internal_fqdn != kolla_internal_vip_address %}
/usr/bin/letsencrypt-certificates --internal --fqdns {% for fqdn in letsencrypt_internal_fqdns %}{{ fqdn }}{% if not loop.last %},{% endif %}{% endfor %} --days {{ letsencrypt_cert_valid_days }} --port {{ letsencrypt_webserver_port }} --mail {{ letsencrypt_email }} --acme {{ letsencrypt_cert_server }} --vips {% if not kolla_same_external_internal_vip %}{{ kolla_external_vip_address }},{% endif %}{{ kolla_internal_vip_address }} --haproxies-ssh {% for host in groups['loadbalancer'] %}{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ haproxy_ssh_port }}{% if not loop.last %},{% endif %}{% endfor %} 2>&1 | tee -a /var/log/kolla/letsencrypt/letsencrypt-lego.log # Internal Certificates
/usr/bin/letsencrypt-certificates --internal --fqdns {% for fqdn in letsencrypt_internal_fqdns %}{{ fqdn }}{% if not loop.last %},{% endif %}{% endfor %} --days {{ letsencrypt_cert_valid_days }} --port {{ letsencrypt_webserver_port }} --mail {{ letsencrypt_email }} --acme {{ letsencrypt_internal_cert_server }} --vips {% if not kolla_same_external_internal_vip %}{{ kolla_external_vip_address }},{% endif %}{{ kolla_internal_vip_address }} --haproxies-ssh {% for host in groups['loadbalancer'] %}{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ haproxy_ssh_port }}{% if not loop.last %},{% endif %}{% endfor %} 2>&1 | tee -a /var/log/kolla/letsencrypt/letsencrypt-lego.log
{% endif %} {% endif %}
{{ cron_cmd }} {{ cron_cmd }}

View File

@ -200,3 +200,4 @@ haproxy_external_single_frontend_options:
- "timeout client {{ haproxy_glance_api_client_timeout }}" - "timeout client {{ haproxy_glance_api_client_timeout }}"
haproxy_glance_api_client_timeout: "6h" haproxy_glance_api_client_timeout: "6h"
loadbalancer_copy_certs: "{{ kolla_copy_ca_into_containers | bool or kolla_enable_tls_external | bool or kolla_enable_tls_internal | bool or kolla_enable_tls_backend | bool or database_enable_tls_internal | bool or database_enable_tls_backend | bool }}"

View File

@ -184,43 +184,9 @@
notify: notify:
- Restart keepalived container - Restart keepalived container
- name: Copying over haproxy.pem
vars:
service: "{{ loadbalancer_services['haproxy'] }}"
copy:
src: "{{ kolla_external_fqdn_cert }}"
dest: "{{ node_config_directory }}/haproxy/{{ item }}"
mode: "0660"
become: true
when:
- not enable_letsencrypt | bool
- kolla_enable_tls_external | bool
- not kolla_externally_managed_cert | bool
- service | service_enabled_and_mapped_to_host
with_items:
- "haproxy.pem"
notify:
- Restart haproxy container
- name: Copying over haproxy-internal.pem
vars:
service: "{{ loadbalancer_services['haproxy'] }}"
copy:
src: "{{ kolla_internal_fqdn_cert }}"
dest: "{{ node_config_directory }}/haproxy/{{ item }}"
mode: "0660"
become: true
when:
- not enable_letsencrypt | bool
- kolla_enable_tls_internal | bool
- not kolla_externally_managed_cert | bool
- service | service_enabled_and_mapped_to_host
with_items:
- "haproxy-internal.pem"
notify:
- Restart haproxy container
- include_tasks: copy-certs.yml - include_tasks: copy-certs.yml
when:
- loadbalancer_copy_certs
- name: Copying over haproxy start script - name: Copying over haproxy start script
vars: vars:

View File

@ -1,25 +1,71 @@
--- ---
- name: Copying over haproxy.pem
vars:
service: "{{ loadbalancer_services['haproxy'] }}"
copy:
src: "{{ kolla_external_fqdn_cert }}"
dest: "{{ node_config_directory }}/haproxy/{{ item }}"
mode: "0660"
become: true
when:
- letsencrypt_managed_certs == 'internal' or letsencrypt_managed_certs == ''
- kolla_enable_tls_external | bool
- not kolla_externally_managed_cert | bool
- service | service_enabled_and_mapped_to_host
with_items:
- "haproxy.pem"
notify:
- Restart haproxy container
- name: Copying over haproxy-internal.pem
vars:
service: "{{ loadbalancer_services['haproxy'] }}"
copy:
src: "{{ kolla_internal_fqdn_cert }}"
dest: "{{ node_config_directory }}/haproxy/{{ item }}"
mode: "0660"
become: true
when:
- letsencrypt_managed_certs == 'external' or letsencrypt_managed_certs == ''
- kolla_enable_tls_internal | bool
- not kolla_externally_managed_cert | bool
- service | service_enabled_and_mapped_to_host
with_items:
- "haproxy-internal.pem"
notify:
- Restart haproxy container
- name: Copying over proxysql-cert.pem
vars:
service: "{{ loadbalancer_services['proxysql'] }}"
copy:
src: "{{ kolla_certificates_dir }}/proxysql-cert.pem"
dest: "{{ node_config_directory }}/proxysql/proxysql-cert.pem"
mode: "0660"
become: true
when:
- database_enable_tls_internal | bool
- service | service_enabled_and_mapped_to_host
notify:
- Restart proxysql container
- name: Copying over proxysql-key.pem
vars:
service: "{{ loadbalancer_services['proxysql'] }}"
copy:
src: "{{ kolla_certificates_dir }}/proxysql-key.pem"
dest: "{{ node_config_directory }}/proxysql/proxysql-key.pem"
mode: "0660"
become: true
when:
- database_enable_tls_internal | bool
- service | service_enabled_and_mapped_to_host
notify:
- Restart proxysql container
- name: "Copy certificates and keys for {{ project_name }}" - name: "Copy certificates and keys for {{ project_name }}"
import_role:
role: service-cert-copy
vars:
project_services: "{{ loadbalancer_services }}"
when:
- kolla_copy_ca_into_containers | bool
- name: "Copy certificates and keys for MariaDB "
import_role: import_role:
role: service-cert-copy role: service-cert-copy
vars: vars:
project_services: "{{ loadbalancer_services }}" project_services: "{{ loadbalancer_services }}"
project_name: mariadb project_name: mariadb
when: database_enable_tls_backend | bool
- name: "Copy certificates and keys for Proxysql"
import_role:
role: service-cert-copy
vars:
project_services: "{{ loadbalancer_services }}"
project_name: "proxysql"
when: database_enable_tls_internal | bool

View File

@ -55,48 +55,42 @@
haproxy_vip_prechecks: "{{ all_hosts_in_batch and groups['haproxy_running_True'] is not defined }}" haproxy_vip_prechecks: "{{ all_hosts_in_batch and groups['haproxy_running_True'] is not defined }}"
proxysql_vip_prechecks: "{{ all_hosts_in_batch and groups['proxysql_running_True'] is not defined }}" proxysql_vip_prechecks: "{{ all_hosts_in_batch and groups['proxysql_running_True'] is not defined }}"
- name: Checking if external haproxy certificate exists - block:
run_once: true - name: Checking if external haproxy certificate exists
stat: run_once: true
path: "{{ kolla_external_fqdn_cert }}" stat:
delegate_to: localhost path: "{{ kolla_external_fqdn_cert }}"
register: haproxy_cert_file delegate_to: localhost
changed_when: false register: haproxy_cert_file
changed_when: false
- name: Assert that external haproxy certificate exists
run_once: true
assert:
that: haproxy_cert_file.stat.exists
fail_msg: "External haproxy certificate file is not found. It is configured via 'kolla_external_fqdn_cert'"
when: when:
- not kolla_externally_managed_cert | bool - not kolla_externally_managed_cert | bool
- not enable_letsencrypt | bool - letsencrypt_managed_certs == 'internal' or letsencrypt_managed_certs == ''
- kolla_enable_tls_external | bool - kolla_enable_tls_external | bool
- name: Assert that external haproxy certificate exists - block:
run_once: true - name: Checking if internal haproxy certificate exists
assert: run_once: true
that: haproxy_cert_file.stat.exists stat:
fail_msg: "External haproxy certificate file is not found. It is configured via 'kolla_external_fqdn_cert'" path: "{{ kolla_internal_fqdn_cert }}"
when: delegate_to: localhost
- not kolla_externally_managed_cert | bool register: haproxy_internal_cert_file
- not enable_letsencrypt | bool changed_when: false
- kolla_enable_tls_external | bool
- name: Checking if internal haproxy certificate exists - name: Assert that internal haproxy certificate exists
run_once: true run_once: true
stat: assert:
path: "{{ kolla_internal_fqdn_cert }}" that: haproxy_internal_cert_file.stat.exists
delegate_to: localhost fail_msg: "Internal haproxy certificate file is not found. It is configured via 'kolla_internal_fqdn_cert'"
register: haproxy_internal_cert_file
changed_when: false
when: when:
- not kolla_externally_managed_cert | bool - not kolla_externally_managed_cert | bool
- not enable_letsencrypt | bool - letsencrypt_managed_certs == 'external' or letsencrypt_managed_certs == ''
- kolla_enable_tls_internal | bool
- name: Assert that internal haproxy certificate exists
run_once: true
assert:
that: haproxy_internal_cert_file.stat.exists
fail_msg: "Internal haproxy certificate file is not found. It is configured via 'kolla_internal_fqdn_cert'"
when:
- not kolla_externally_managed_cert | bool
- not enable_letsencrypt | bool
- kolla_enable_tls_internal | bool - kolla_enable_tls_internal | bool
- name: Checking the kolla_external_vip_interface is present - name: Checking the kolla_external_vip_interface is present

View File

@ -18,22 +18,21 @@
"dest": "/etc/haproxy/services.d", "dest": "/etc/haproxy/services.d",
"owner": "root", "owner": "root",
"perm": "0700" "perm": "0700"
}{% if kolla_enable_tls_external | bool and not enable_letsencrypt | bool %}, }{% if kolla_enable_tls_external | bool %},
{ {
"source": "{{ container_config_directory }}/external-frontend-map", "source": "{{ container_config_directory }}/external-frontend-map",
"dest": "/etc/haproxy/external-frontend-map", "dest": "/etc/haproxy/external-frontend-map",
"owner": "root", "owner": "root",
"perm": "0600", "perm": "0600",
"optional": {{ (not haproxy_single_external_frontend | bool) | string | lower }} "optional": {{ (not haproxy_single_external_frontend | bool) | string | lower }}
}, }{% endif %}{% if kolla_enable_tls_external and letsencrypt_managed_certs == 'internal' or letsencrypt_managed_certs == '' %},
{ {
"source": "{{ container_config_directory }}/haproxy.pem", "source": "{{ container_config_directory }}/haproxy.pem",
"dest": "/etc/haproxy/certificates/haproxy.pem", "dest": "/etc/haproxy/certificates/haproxy.pem",
"owner": "haproxy", "owner": "haproxy",
"perm": "0600", "perm": "0600",
"optional": {{ (not kolla_enable_tls_external | bool) | string | lower }} "optional": {{ (not kolla_enable_tls_external | bool) | string | lower }}
}{% endif %} }{% endif %}{% if kolla_enable_tls_internal | bool and letsencrypt_managed_certs == 'external' or letsencrypt_managed_certs == '' %},
{% if kolla_enable_tls_internal | bool and not enable_letsencrypt | bool %},
{ {
"source": "{{ container_config_directory }}/haproxy-internal.pem", "source": "{{ container_config_directory }}/haproxy-internal.pem",
"dest": "/etc/haproxy/certificates/haproxy-internal.pem", "dest": "/etc/haproxy/certificates/haproxy-internal.pem",

View File

@ -100,3 +100,8 @@ rabbitmq_enabled_plugins: "{{ rabbitmq_plugins | selectattr('enabled', 'equalto'
kolla_externally_managed_cert: False kolla_externally_managed_cert: False
rabbitmq_version_suffix: "" rabbitmq_version_suffix: ""
####################
# TLS
####################
rabbitmq_enable_tls_backend: "{{ rabbitmq_enable_tls }}"

View File

@ -1,3 +1,4 @@
--- ---
kolla_externally_managed_cert: False kolla_externally_managed_cert: False
kolla_copy_backend_tls_files: "{{ lookup('vars', (kolla_role_name | default(project_name)) + '_enable_tls_backend', default=false) }}"

View File

@ -25,7 +25,7 @@
mode: "0644" mode: "0644"
become: true become: true
when: when:
- kolla_enable_tls_backend | bool - kolla_copy_backend_tls_files | bool
with_dict: "{{ project_services | select_services_enabled_and_mapped_to_host }}" with_dict: "{{ project_services | select_services_enabled_and_mapped_to_host }}"
notify: notify:
- "Restart {{ item.key }} container" - "Restart {{ item.key }} container"
@ -44,7 +44,7 @@
mode: "0600" mode: "0600"
become: true become: true
when: when:
- kolla_enable_tls_backend | bool - kolla_copy_backend_tls_files | bool
with_dict: "{{ project_services | select_services_enabled_and_mapped_to_host }}" with_dict: "{{ project_services | select_services_enabled_and_mapped_to_host }}"
notify: notify:
- "Restart {{ item.key }} container" - "Restart {{ item.key }} container"

View File

@ -317,6 +317,21 @@ to the HAProxy containers using SSH.
admin access level. This is needed so Let's Encrypt can interact admin access level. This is needed so Let's Encrypt can interact
with HAProxy. with HAProxy.
You can configure separate ACME servers for internal and external
certificate requests.
.. code-block:: yaml
letsencrypt_external_cert_server: "<ACME server URL for external cert>"
letsencrypt_internal_cert_server: "<ACME server URL for internal cert>"
.. note::
The ``letsencrypt_external_cert_server`` has a default value of
``https://acme-v02.api.letsencrypt.org/directory``. Ensure that
``letsencrypt_internal_cert_server`` is reachable from the controller
if you configure it for internal certificate requests.
Generating a Private Certificate Authority Generating a Private Certificate Authority
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

View File

@ -0,0 +1,21 @@
---
features:
- |
Adds new variables to be used by the letsencrypt role,
``letsencrypt_external_cert_server`` and
``letsencrypt_internal_cert_server``, It allows to
configure ACME server for internal, external
certificate generation.
upgrade:
- |
Users who have previously used the letsencrypt role for an
external certificate generation need to migrate their previous
default value (or their overridden value) of the variable
``letsencrypt_cert_server`` and set it to
``letsencrypt_external_cert_server``.The default value was
``https://acme-v02.api.letsencrypt.org/directory``
fixes:
- |
Fixes copying of custom certificates when Let's encrypt
is turned on. `LP#2076331
<https://bugs.launchpad.net/kolla-ansible/+bug/2076331>`__

View File

@ -242,13 +242,14 @@ placement_external_fqdn: "placement.external"
{% endif %} {% endif %}
{% if scenario == "lets-encrypt" %} {% if scenario == "lets-encrypt" %}
enable_horizon: "yes"
enable_letsencrypt: "yes" enable_letsencrypt: "yes"
rabbitmq_enable_tls: "yes"
letsencrypt_email: "usero@openstack.test" letsencrypt_email: "usero@openstack.test"
letsencrypt_cert_server: "https://pebble:14000/dir" letsencrypt_internal_cert_server: "https://pebble:14000/dir"
kolla_internal_fqdn: "{{ kolla_internal_fqdn }}" kolla_internal_fqdn: "{{ kolla_internal_fqdn }}"
kolla_enable_tls_backend: "no"
kolla_admin_openrc_cacert: "{% raw %}{{ kolla_certificates_dir }}{% endraw %}/ca/pebble.crt" kolla_admin_openrc_cacert: "{% raw %}{{ kolla_certificates_dir }}{% endraw %}/ca/pebble.crt"
database_enable_tls_internal: "yes"
database_enable_tls_backend: "yes"
{% endif %} {% endif %}
{% if scenario == "skyline" %} {% if scenario == "skyline" %}