Generate self signed TLS certificates

Generate both internal and external self signed TLS certificates.
Duplicate the certificate if internal and external VIPs are the same.

Change-Id: I16b345c0b29ff13e042eed8798efe644e0ad2c74
Partially-Implements: blueprint custom-cacerts
This commit is contained in:
James Kirsch 2020-01-06 20:39:04 -08:00
parent 88418cbaa9
commit d100904f2c
7 changed files with 174 additions and 51 deletions

View File

@ -757,8 +757,8 @@ kolla_enable_tls_internal: "no"
kolla_enable_tls_external: "{{ kolla_enable_tls_internal if kolla_same_external_internal_vip | bool else 'no' }}"
kolla_external_fqdn_cert: "{{ node_config }}/certificates/haproxy.pem"
kolla_internal_fqdn_cert: "{{ node_config }}/certificates/haproxy-internal.pem"
kolla_external_fqdn_cacert: "{{ node_config }}/certificates/haproxy-ca.crt"
kolla_internal_fqdn_cacert: "{{ node_config }}/certificates/haproxy-ca-internal.crt"
kolla_external_fqdn_cacert: "{{ node_config }}/certificates/ca/haproxy.crt"
kolla_internal_fqdn_cacert: "{{ node_config }}/certificates/ca/haproxy-internal.crt"
kolla_copy_ca_into_containers: "no"
####################

View File

@ -1,53 +1,130 @@
---
- name: Ensuring config directories exist
become: true
- name: Ensuring private internal directory exist
file:
path: "{{ certificates_dir }}/private"
path: "{{ certificates_dir }}/private/internal"
state: "directory"
recurse: yes
mode: "0770"
- name: Creating SSL configuration file
become: true
- name: Ensuring private external directory exist
file:
path: "{{ certificates_dir }}/private/external"
state: "directory"
recurse: yes
mode: "0770"
- name: Ensuring ca directory exist
file:
path: "{{ certificates_dir }}/ca"
state: "directory"
recurse: yes
mode: "0770"
- block:
- name: Creating external SSL configuration file
template:
src: "{{ item }}.j2"
dest: "{{ certificates_dir }}/{{ item }}"
mode: "0660"
with_items:
- "openssl-kolla.cnf"
- name: Creating Key
become: true
- name: Creating external Key
command: creates="{{ item }}" openssl genrsa -out {{ item }}
with_items:
- "{{ certificates_dir }}/private/haproxy.key"
- name: Setting permissions on key
become: true
- "{{ certificates_dir }}/private/external/external.key"
- name: Setting permissions on external key
file:
path: "{{ certificates_dir }}/private/haproxy.key"
mode: 0600
path: "{{ certificates_dir }}/private/external/external.key"
mode: "0660"
state: file
- name: Creating Server Certificate
become: true
- name: Creating external Server Certificate
command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \
-subj "/C=US/ST=NC/L=RTP/O=kolla/CN={{ kolla_external_fqdn }}" \
-config {{ certificates_dir }}/openssl-kolla.cnf \
-days 3650 \
-extensions v3_req \
-key {{ certificates_dir }}/private/haproxy.key \
-key {{ certificates_dir }}/private/external/external.key \
-out {{ item }}
with_items:
- "{{ certificates_dir }}/private/haproxy.crt"
- name: Creating CA Certificate File
become: true
- "{{ certificates_dir }}/private/external/external.crt"
- name: Creating external CA Certificate File
copy:
src: "{{ certificates_dir }}/private/haproxy.crt"
src: "{{ certificates_dir }}/private/external/external.crt"
dest: "{{ kolla_external_fqdn_cacert }}"
- name: Creating Server PEM File
become: true
mode: "0660"
- name: Creating external Server PEM File
assemble:
src: "{{ certificates_dir }}/private"
src: "{{ certificates_dir }}/private/external"
dest: "{{ kolla_external_fqdn_cert }}"
mode: 0600
mode: "0660"
when:
- kolla_enable_tls_external | bool
- block:
- name: Copy the external certificate crt to be the internal when internal + external are same network
copy:
src: "{{ certificates_dir }}/private/external/external.crt"
dest: "{{ certificates_dir }}/private/internal/internal.crt"
remote_src: yes
mode: "0660"
- name: Copy the external certificate key to be the internal when internal + external are same network
copy:
src: "{{ certificates_dir }}/private/external/external.key"
dest: "{{ certificates_dir }}/private/internal/internal.key"
remote_src: yes
mode: "0660"
- name: Copy the external PEM file to be the internal when internal + external are same network
copy:
src: "{{ kolla_external_fqdn_cert }}"
dest: "{{ kolla_internal_fqdn_cert }}"
remote_src: yes
mode: "0660"
- name: Copy the external CA Certificate file to be the internal when internal + external are same network
copy:
src: "{{ kolla_external_fqdn_cacert }}"
dest: "{{ kolla_internal_fqdn_cacert }}"
remote_src: yes
mode: "0660"
when:
- kolla_enable_tls_external | bool
- kolla_enable_tls_internal | bool
- kolla_same_external_internal_vip | bool
- block:
- name: Creating internal SSL configuration file
template:
src: "{{ item }}.j2"
dest: "{{ certificates_dir }}/{{ item }}"
mode: "0660"
with_items:
- "openssl-kolla-internal.cnf"
- name: Creating internal Key
command: creates="{{ item }}" openssl genrsa -out {{ item }}
with_items:
- "{{ certificates_dir }}/private/internal/internal.key"
- name: Setting permissions on internal key
file:
path: "{{ certificates_dir }}/private/internal/internal.key"
mode: "0660"
state: file
- name: Creating internal Server Certificate
command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \
-config {{ certificates_dir }}/openssl-kolla-internal.cnf \
-days 3650 \
-extensions v3_req \
-key {{ certificates_dir }}/private/internal/internal.key \
-out {{ item }}
with_items:
- "{{ certificates_dir }}/private/internal/internal.crt"
- name: Creating internal CA Certificate File
copy:
src: "{{ certificates_dir }}/private/internal/internal.crt"
dest: "{{ kolla_internal_fqdn_cacert }}"
mode: "0660"
- name: Creating internal Server PEM File
assemble:
src: "{{ certificates_dir }}/private/internal"
dest: "{{ kolla_internal_fqdn_cert }}"
mode: "0660"
when:
- kolla_enable_tls_internal | bool
- not kolla_same_external_internal_vip | bool

View File

@ -0,0 +1,21 @@
[req]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
countryName = US
stateOrProvinceName = NC
localityName = RTP
organizationalUnitName = kolla
commonName = {{ kolla_internal_fqdn }}
[v3_req]
subjectAltName = @alt_names
[alt_names]
{% if kolla_internal_fqdn != kolla_internal_vip_address %}
DNS.1 = {{ kolla_internal_fqdn }}
{% else %}
IP.1 = {{ kolla_internal_fqdn }}
{% endif %}

View File

@ -1,4 +1,5 @@
[req]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_req

View File

@ -140,7 +140,7 @@ have settings similar to this:
export OS_PASSWORD=demo-password
export OS_AUTH_URL=https://mykolla.example.net:5000
# os_cacert is optional for trusted certificates
export OS_CACERT=/etc/pki/mykolla-cacert.crt
export OS_CACERT=/etc/pki/ca/mykolla-cacert.crt
export OS_IDENTITY_API_VERSION=3
Self-Signed Certificates
@ -162,8 +162,9 @@ configuration file:
kolla-ansible certificates
The files haproxy.pem and haproxy-ca.pem will be generated and stored
in the ``/etc/kolla/certificates/`` directory.
The certificate file haproxy.pem will be generated and stored in the
``/etc/kolla/certificates/`` directory, and the CA cert will be in the
``/etc/kolla/certificates/ca/`` directory.
Adding CA Certificates to the Service Containers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

View File

@ -184,8 +184,8 @@
#kolla_enable_tls_external: "{{ kolla_enable_tls_internal if kolla_same_external_internal_vip | bool else 'no' }}"
#kolla_external_fqdn_cert: "{{ node_config }}/certificates/haproxy.pem"
#kolla_internal_fqdn_cert: "{{ node_config }}/certificates/haproxy-internal.pem"
#kolla_external_fqdn_cacert: "{{ node_config }}/certificates/haproxy-ca.crt"
#kolla_internal_fqdn_cacert: "{{ node_config }}/certificates/haproxy-ca-internal.crt"
#kolla_external_fqdn_cacert: "{{ node_config }}/certificates/ca/haproxy.crt"
#kolla_internal_fqdn_cacert: "{{ node_config }}/certificates/ca/haproxy-internal.crt"
#kolla_copy_ca_into_containers: "no"
################

View File

@ -0,0 +1,23 @@
---
features:
- |
Generate self signed certificates for both the internal and external
(public) networks. If they are the same network, then the certificate
files will be the same.
upgrade:
- |
The default value for ``kolla_external_fqdn_cacert`` has been changed
from:
"{{ node_config }}/certificates/haproxy-ca.crt"
to:
"{{ node_config }}/certificates/ca/haproxy.crt"
and the default value for ``kolla_external_fqdn_cacert`` has been changed
from:
"{{ node_config }}/certificates/haproxy-ca-internal.crt"
to:
"{{ node_config }}/certificates/ca/haproxy-internal.crt"
These variables set the value for the ``OS_CACERT`` environment variable in
``admin-openrc.sh``. This has been done to allow these certificates to be
copied into containers when ``kolla_copy_ca_into_containers`` is true.