Add support for encrypting etcd service

This patch introduces an optional backend encryption for etcd service. Change-Id: Ia259f7844b868dbc418ace595c87eb1b278d3d38
2020-06-29 14:10:58 -07:00 · 2020-06-29 14:10:58 -07:00 · e2b9b2068e
commit e2b9b2068e
parent e7329a7619
6 changed files with 82 additions and 2 deletions
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@ -266,7 +266,8 @@ elasticsearch_port: "9200"

 etcd_client_port: "2379"
 etcd_peer_port: "2380"
-etcd_protocol: "http"
+etcd_enable_tls: "{{ kolla_enable_tls_backend }}"
+etcd_protocol: "{{ 'https' if etcd_enable_tls | bool else 'http' }}"

 fluentd_syslog_port: "5140"

--- a/ansible/roles/etcd/defaults/main.yml
+++ b/ansible/roles/etcd/defaults/main.yml
@ -18,6 +18,10 @@ etcd_services:
      ETCD_INITIAL_CLUSTER_STATE: "new"
      ETCD_OUT_FILE: "/var/log/kolla/etcd/etcd.log"
      KOLLA_CONFIG_STRATEGY: "{{ config_strategy }}"
+      ETCD_CERT_FILE: "{% if etcd_enable_tls | bool  %}/etc/etcd/certs/etcd-cert.pem{% endif %}"
+      ETCD_KEY_FILE: "{% if etcd_enable_tls | bool  %}/etc/etcd/certs/etcd-key.pem{% endif %}"
+      ETCD_PEER_CERT_FILE: "{% if etcd_enable_tls | bool  %}/etc/etcd/certs/etcd-cert.pem{% endif %}"
+      ETCD_PEER_KEY_FILE: "{% if etcd_enable_tls | bool  %}/etc/etcd/certs/etcd-key.pem{% endif %}"
    image: "{{ etcd_image_full }}"
    volumes: "{{ etcd_default_volumes + etcd_extra_volumes }}"
    dimensions: "{{ etcd_dimensions }}"
--- a/ansible/roles/etcd/tasks/config.yml
+++ b/ansible/roles/etcd/tasks/config.yml
@ -25,5 +25,9 @@
  notify:
    - Restart {{ item.key }} container

+- include_tasks: copy-certs.yml
+  when:
+    - etcd_enable_tls | bool
+
 - include_tasks: check-containers.yml
  when: kolla_action != "config"
--- a/ansible/roles/etcd/tasks/copy-certs.yml
+++ b/ansible/roles/etcd/tasks/copy-certs.yml
@ -0,0 +1,50 @@
+---
+- name: "{{ project_name }} | Copying over extra CA certificates"
+  become: true
+  copy:
+    src: "{{ kolla_certificates_dir }}/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ etcd_services | select_services_enabled_and_mapped_to_host }}"
+  notify:
+    - "Restart {{ item.key }} container"
+
+- name: "{{ project_name }} | Copying over etcd TLS certificate"
+  vars:
+    certs:
+      - "{{ kolla_certificates_dir }}/{{ inventory_hostname }}/{{ project_name }}-cert.pem"
+      - "{{ kolla_certificates_dir }}/{{ inventory_hostname }}-cert.pem"
+      - "{{ kolla_certificates_dir }}/{{ project_name }}-cert.pem"
+      - "{{ kolla_tls_backend_cert }}"
+    backend_tls_cert: "{{ lookup('first_found', certs) }}"
+  copy:
+    src: "{{ backend_tls_cert }}"
+    dest: "{{ node_config_directory }}/{{ item.key }}/{{ project_name }}-cert.pem"
+    mode: "0644"
+  become: true
+  with_dict: "{{ etcd_services | select_services_enabled_and_mapped_to_host }}"
+  notify:
+    - "Restart {{ item.key }} container"
+  when:
+    - etcd_enable_tls | bool
+
+- name: "{{ project_name }} | Copying over etcd TLS key"
+  vars:
+    keys:
+      - "{{ kolla_certificates_dir }}/{{ inventory_hostname }}/{{ project_name }}-key.pem"
+      - "{{ kolla_certificates_dir }}/{{ inventory_hostname }}-key.pem"
+      - "{{ kolla_certificates_dir }}/{{ project_name }}-key.pem"
+      - "{{ kolla_tls_backend_key }}"
+    backend_tls_key: "{{ lookup('first_found', keys) }}"
+  copy:
+    src: "{{ backend_tls_key }}"
+    dest: "{{ node_config_directory }}/{{ item.key }}/{{ project_name }}-key.pem"
+    mode: "0600"
+  become: true
+  with_dict: "{{ etcd_services | select_services_enabled_and_mapped_to_host }}"
+  notify:
+    - "Restart {{ item.key }} container"
+  when:
+    - etcd_enable_tls | bool
--- a/ansible/roles/etcd/templates/etcd.json.j2
+++ b/ansible/roles/etcd/templates/etcd.json.j2
@ -1,3 +1,18 @@
 {
-    "command": "etcd"
+    "command": "etcd",
+    "config_files": [
+        {% if etcd_enable_tls | bool %}
+        {
+            "source": "{{ container_config_directory }}/etcd-cert.pem",
+            "dest": "/etc/etcd/certs/etcd-cert.pem",
+            "owner": "etcd",
+            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/etcd-key.pem",
+            "dest": "/etc/etcd/certs/etcd-key.pem",
+            "owner": "etcd",
+            "perm": "0600"
+        }{% endif %}
+    ]
 }
--- a/releasenotes/notes/add-tls-etcd-cd2bd09cd69053be.yaml
+++ b/releasenotes/notes/add-tls-etcd-cd2bd09cd69053be.yaml
@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Add "etcd_enable_tls" configuration parameter which can be used to enable
+    TLS encryption for the etcd service. The default value of
+    "etcd_enable_tls" is set by the value of "kolla_enable_tls_backend".