Generate self signed TLS certificates
Generate both internal and external self signed TLS certificates. Duplicate the certificate if internal and external VIPs are the same. Change-Id: I16b345c0b29ff13e042eed8798efe644e0ad2c74 Partially-Implements: blueprint custom-cacerts
parent
88418cbaa9
commit
d100904f2c
@ -757,8 +757,8 @@ kolla_enable_tls_internal: "no"
|
||||
kolla_enable_tls_external: "{{ kolla_enable_tls_internal if kolla_same_external_internal_vip | bool else 'no' }}"
|
||||
kolla_external_fqdn_cert: "{{ node_config }}/certificates/haproxy.pem"
|
||||
kolla_internal_fqdn_cert: "{{ node_config }}/certificates/haproxy-internal.pem"
|
||||
kolla_external_fqdn_cacert: "{{ node_config }}/certificates/haproxy-ca.crt"
|
||||
kolla_internal_fqdn_cacert: "{{ node_config }}/certificates/haproxy-ca-internal.crt"
|
||||
kolla_external_fqdn_cacert: "{{ node_config }}/certificates/ca/haproxy.crt"
|
||||
kolla_internal_fqdn_cacert: "{{ node_config }}/certificates/ca/haproxy-internal.crt"
|
||||
kolla_copy_ca_into_containers: "no"
|
||||
|
||||
####################
|
||||
|
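Review bot: The release note that accompanies this default change (the `upgrade` entry further down the page) attributes the second path change to `kolla_external_fqdn_cacert`, but the line changed here is `kolla_internal_fqdn_cacert`, moving from `haproxy-ca-internal.crt` to `ca/haproxy-internal.crt`; the second paragraph of the note should read `and the default value for ``kolla_internal_fqdn_cacert`` has been changed`. As written, an operator searching the note for the internal variable would not find the rename. Both defaults now live under a new `certificates/ca/` subdirectory, so a deployment that supplies its own CA file at the old path presumably needs to move it on upgrade — worth one sentence in the same note.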
@ -1,53 +1,130 @@
|
||||
---
|
||||
- name: Ensuring config directories exist
|
||||
become: true
|
||||
- name: Ensuring private internal directory exist
|
||||
file:
|
||||
path: "{{ certificates_dir }}/private"
|
||||
path: "{{ certificates_dir }}/private/internal"
|
||||
state: "directory"
|
||||
recurse: yes
|
||||
mode: "0770"
|
||||
|
||||
- name: Creating SSL configuration file
|
||||
become: true
|
||||
- name: Ensuring private external directory exist
|
||||
file:
|
||||
path: "{{ certificates_dir }}/private/external"
|
||||
state: "directory"
|
||||
recurse: yes
|
||||
mode: "0770"
|
||||
|
||||
- name: Ensuring ca directory exist
|
||||
file:
|
||||
path: "{{ certificates_dir }}/ca"
|
||||
state: "directory"
|
||||
recurse: yes
|
||||
mode: "0770"
|
||||
|
||||
- block:
|
||||
- name: Creating external SSL configuration file
|
||||
template:
|
||||
src: "{{ item }}.j2"
|
||||
dest: "{{ certificates_dir }}/{{ item }}"
|
||||
mode: "0660"
|
||||
with_items:
|
||||
- "openssl-kolla.cnf"
|
||||
|
||||
- name: Creating Key
|
||||
become: true
|
||||
- name: Creating external Key
|
||||
command: creates="{{ item }}" openssl genrsa -out {{ item }}
|
||||
with_items:
|
||||
- "{{ certificates_dir }}/private/haproxy.key"
|
||||
|
||||
- name: Setting permissions on key
|
||||
become: true
|
||||
- "{{ certificates_dir }}/private/external/external.key"
|
||||
- name: Setting permissions on external key
|
||||
file:
|
||||
path: "{{ certificates_dir }}/private/haproxy.key"
|
||||
mode: 0600
|
||||
path: "{{ certificates_dir }}/private/external/external.key"
|
||||
mode: "0660"
|
||||
state: file
|
||||
|
||||
- name: Creating Server Certificate
|
||||
become: true
|
||||
- name: Creating external Server Certificate
|
||||
command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \
|
||||
-subj "/C=US/ST=NC/L=RTP/O=kolla/CN={{ kolla_external_fqdn }}" \
|
||||
-config {{ certificates_dir }}/openssl-kolla.cnf \
|
||||
-days 3650 \
|
||||
-extensions v3_req \
|
||||
-key {{ certificates_dir }}/private/haproxy.key \
|
||||
-key {{ certificates_dir }}/private/external/external.key \
|
||||
-out {{ item }}
|
||||
with_items:
|
||||
- "{{ certificates_dir }}/private/haproxy.crt"
|
||||
|
||||
- name: Creating CA Certificate File
|
||||
become: true
|
||||
- "{{ certificates_dir }}/private/external/external.crt"
|
||||
- name: Creating external CA Certificate File
|
||||
copy:
|
||||
src: "{{ certificates_dir }}/private/haproxy.crt"
|
||||
src: "{{ certificates_dir }}/private/external/external.crt"
|
||||
dest: "{{ kolla_external_fqdn_cacert }}"
|
||||
|
||||
- name: Creating Server PEM File
|
||||
become: true
|
||||
mode: "0660"
|
||||
- name: Creating external Server PEM File
|
||||
assemble:
|
||||
src: "{{ certificates_dir }}/private"
|
||||
src: "{{ certificates_dir }}/private/external"
|
||||
dest: "{{ kolla_external_fqdn_cert }}"
|
||||
mode: 0600
|
||||
mode: "0660"
|
||||
when:
|
||||
- kolla_enable_tls_external | bool
|
||||
|
||||
- block:
|
||||
- name: Copy the external certificate crt to be the internal when internal + external are same network
|
||||
copy:
|
||||
src: "{{ certificates_dir }}/private/external/external.crt"
|
||||
dest: "{{ certificates_dir }}/private/internal/internal.crt"
|
||||
remote_src: yes
|
||||
mode: "0660"
|
||||
- name: Copy the external certificate key to be the internal when internal + external are same network
|
||||
copy:
|
||||
src: "{{ certificates_dir }}/private/external/external.key"
|
||||
dest: "{{ certificates_dir }}/private/internal/internal.key"
|
||||
remote_src: yes
|
||||
mode: "0660"
|
||||
- name: Copy the external PEM file to be the internal when internal + external are same network
|
||||
copy:
|
||||
src: "{{ kolla_external_fqdn_cert }}"
|
||||
dest: "{{ kolla_internal_fqdn_cert }}"
|
||||
remote_src: yes
|
||||
mode: "0660"
|
||||
- name: Copy the external CA Certificate file to be the internal when internal + external are same network
|
||||
copy:
|
||||
src: "{{ kolla_external_fqdn_cacert }}"
|
||||
dest: "{{ kolla_internal_fqdn_cacert }}"
|
||||
remote_src: yes
|
||||
mode: "0660"
|
||||
when:
|
||||
- kolla_enable_tls_external | bool
|
||||
- kolla_enable_tls_internal | bool
|
||||
- kolla_same_external_internal_vip | bool
|
||||
|
||||
- block:
|
||||
- name: Creating internal SSL configuration file
|
||||
template:
|
||||
src: "{{ item }}.j2"
|
||||
dest: "{{ certificates_dir }}/{{ item }}"
|
||||
mode: "0660"
|
||||
with_items:
|
||||
- "openssl-kolla-internal.cnf"
|
||||
- name: Creating internal Key
|
||||
command: creates="{{ item }}" openssl genrsa -out {{ item }}
|
||||
with_items:
|
||||
- "{{ certificates_dir }}/private/internal/internal.key"
|
||||
- name: Setting permissions on internal key
|
||||
file:
|
||||
path: "{{ certificates_dir }}/private/internal/internal.key"
|
||||
mode: "0660"
|
||||
state: file
|
||||
- name: Creating internal Server Certificate
|
||||
command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \
|
||||
-config {{ certificates_dir }}/openssl-kolla-internal.cnf \
|
||||
-days 3650 \
|
||||
-extensions v3_req \
|
||||
-key {{ certificates_dir }}/private/internal/internal.key \
|
||||
-out {{ item }}
|
||||
with_items:
|
||||
- "{{ certificates_dir }}/private/internal/internal.crt"
|
||||
- name: Creating internal CA Certificate File
|
||||
copy:
|
||||
src: "{{ certificates_dir }}/private/internal/internal.crt"
|
||||
dest: "{{ kolla_internal_fqdn_cacert }}"
|
||||
mode: "0660"
|
||||
- name: Creating internal Server PEM File
|
||||
assemble:
|
||||
src: "{{ certificates_dir }}/private/internal"
|
||||
dest: "{{ kolla_internal_fqdn_cert }}"
|
||||
mode: "0660"
|
||||
when:
|
||||
- kolla_enable_tls_internal | bool
|
||||
- not kolla_same_external_internal_vip | bool
|
||||
|
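Review bot: The private key files appear to be loosened from owner-only to group-writable: `Setting permissions on external key` sets `mode: "0660"` on external.key where the neighbouring removed line had `0600`, and the same `"0660"` is applied to internal.key in `Setting permissions on internal key`, to the key copies in the same-VIP block, and to both assembled PEM files, which contain the key. Unless a second group must write these files, `mode: "0600"` on those six tasks keeps the previous restriction (quoting the mode is still right — the removed unquoted `0600` is an octal integer to a YAML 1.1 loader), and the `private/*` directories could be `"0700"` rather than `"0770"` for the same reason; if the wider mode is deliberate because `become: true` was dropped and the role now runs as an unprivileged user, a comment on the first such task should say so. Separately, `recurse: yes` and `remote_src: yes` use the YAML 1.1 truthy spelling while the rest of the file goes through `| bool`; `true` is the safer form. The hunk header says 130 new lines, so the file may continue beyond what is shown here.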
@ -0,0 +1,21 @@
|
||||
[req]
|
||||
prompt = no
|
||||
distinguished_name = req_distinguished_name
|
||||
req_extensions = v3_req
|
||||
|
||||
[req_distinguished_name]
|
||||
countryName = US
|
||||
stateOrProvinceName = NC
|
||||
localityName = RTP
|
||||
organizationalUnitName = kolla
|
||||
commonName = {{ kolla_internal_fqdn }}
|
||||
|
||||
[v3_req]
|
||||
subjectAltName = @alt_names
|
||||
|
||||
[alt_names]
|
||||
{% if kolla_internal_fqdn != kolla_internal_vip_address %}
|
||||
DNS.1 = {{ kolla_internal_fqdn }}
|
||||
{% else %}
|
||||
IP.1 = {{ kolla_internal_fqdn }}
|
||||
{% endif %}
|
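Review bot: The `[alt_names]` switch between `DNS.1` and `IP.1` deserves a comment, because nothing in the template says why equality with kolla_internal_vip_address matters; a Jinja comment above the `{% if %}`, such as `{# when the FQDN equals the VIP address it is an IP literal and must go in an IP SAN, not a DNS SAN #}`, would make the intent clear to the next maintainer. Note also that the subject uses `organizationalUnitName = kolla` while the removed `-subj` line in generate.yml used `O=kolla`; presumably harmless for a self-signed certificate, but the two templates should agree on whichever field is intended.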
@ -1,4 +1,5 @@
|
||||
[req]
|
||||
prompt = no
|
||||
distinguished_name = req_distinguished_name
|
||||
req_extensions = v3_req
|
||||
|
||||
|
@ -140,7 +140,7 @@ have settings similar to this:
|
||||
export OS_PASSWORD=demo-password
|
||||
export OS_AUTH_URL=https://mykolla.example.net:5000
|
||||
# os_cacert is optional for trusted certificates
|
||||
export OS_CACERT=/etc/pki/mykolla-cacert.crt
|
||||
export OS_CACERT=/etc/pki/ca/mykolla-cacert.crt
|
||||
export OS_IDENTITY_API_VERSION=3
|
||||
|
||||
Self-Signed Certificates
|
||||
@ -162,8 +162,9 @@ configuration file:
|
||||
|
||||
kolla-ansible certificates
|
||||
|
||||
The files haproxy.pem and haproxy-ca.pem will be generated and stored
|
||||
in the ``/etc/kolla/certificates/`` directory.
|
||||
The certificate file haproxy.pem will be generated and stored in the
|
||||
``/etc/kolla/certificates/`` directory, and the CA cert will be in the
|
||||
``/etc/kolla/certificates/ca/`` directory.
|
||||
|
||||
Adding CA Certificates to the Service Containers
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
@ -184,8 +184,8 @@
|
||||
#kolla_enable_tls_external: "{{ kolla_enable_tls_internal if kolla_same_external_internal_vip | bool else 'no' }}"
|
||||
#kolla_external_fqdn_cert: "{{ node_config }}/certificates/haproxy.pem"
|
||||
#kolla_internal_fqdn_cert: "{{ node_config }}/certificates/haproxy-internal.pem"
|
||||
#kolla_external_fqdn_cacert: "{{ node_config }}/certificates/haproxy-ca.crt"
|
||||
#kolla_internal_fqdn_cacert: "{{ node_config }}/certificates/haproxy-ca-internal.crt"
|
||||
#kolla_external_fqdn_cacert: "{{ node_config }}/certificates/ca/haproxy.crt"
|
||||
#kolla_internal_fqdn_cacert: "{{ node_config }}/certificates/ca/haproxy-internal.crt"
|
||||
#kolla_copy_ca_into_containers: "no"
|
||||
|
||||
################
|
||||
|
@ -0,0 +1,23 @@
|
||||
---
|
||||
features:
|
||||
- |
|
||||
Generate self signed certificates for both the internal and external
|
||||
(public) networks. If they are the same network, then the certificate
|
||||
files will be the same.
|
||||
upgrade:
|
||||
- |
|
||||
The default value for ``kolla_external_fqdn_cacert`` has been changed
|
||||
from:
|
||||
"{{ node_config }}/certificates/haproxy-ca.crt"
|
||||
to:
|
||||
"{{ node_config }}/certificates/ca/haproxy.crt"
|
||||
|
||||
and the default value for ``kolla_external_fqdn_cacert`` has been changed
|
||||
from:
|
||||
"{{ node_config }}/certificates/haproxy-ca-internal.crt"
|
||||
to:
|
||||
"{{ node_config }}/certificates/ca/haproxy-internal.crt"
|
||||
|
||||
These variables set the value for the ``OS_CACERT`` environment variable in
|
||||
``admin-openrc.sh``. This has been done to allow these certificates to be
|
||||
copied into containers when ``kolla_copy_ca_into_containers`` is true.
|