Replace internal and external VIP CA with root CA

Replaced "kolla_external_fqdn_cacert" and "kolla_internal_fqdn_cacert" with "kolla_admin_openrc_cacert". OS_CACERT is now set to the value of "kolla_admin_openrc_cacert" in the generated admin-openrc.sh file. Change-Id: If195d5402579cee9a14b91f63f5fde84eb84cccf Partially-Implements: blueprint add-ssl-internal-network Depends-On: https://review.opendev.org/#/c/731344/
2020-06-04 21:27:24 -07:00 · 2020-06-04 21:27:24 -07:00 · e3cd02eda4
commit e3cd02eda4
parent a982d3acbb
6 changed files with 11 additions and 27 deletions
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@ -763,8 +763,7 @@ kolla_enable_tls_external: "{{ kolla_enable_tls_internal if kolla_same_external_
 kolla_certificates_dir: "{{ node_config }}/certificates"
 kolla_external_fqdn_cert: "{{ kolla_certificates_dir }}/haproxy.pem"
 kolla_internal_fqdn_cert: "{{ kolla_certificates_dir }}/haproxy-internal.pem"
-kolla_external_fqdn_cacert: "{{ kolla_certificates_dir }}/ca/haproxy.crt"
+kolla_admin_openrc_cacert: ""
 kolla_internal_fqdn_cacert: "{{ kolla_certificates_dir }}/ca/haproxy-internal.crt"
 kolla_copy_ca_into_containers: "no"
 kolla_verify_tls_backend: "yes"
 haproxy_backend_cacert: "{{ 'ca-certificates.crt' if kolla_base_distro in ['debian', 'ubuntu'] else 'ca-bundle.trust.crt' }}"
--- a/ansible/roles/certificates/tasks/generate.yml
+++ b/ansible/roles/certificates/tasks/generate.yml
@ -64,12 +64,6 @@
        src: "{{ external_dir }}"
        dest: "{{ kolla_external_fqdn_cert }}"
        mode: "0660"
    - name: Creating external CA Certificate File
      copy:
        src: "{{ root_dir }}/root.crt"
        dest: "{{ kolla_external_fqdn_cacert }}"
        mode: "0660"
  when:
    - kolla_enable_tls_external | bool
@ -80,13 +74,6 @@
        dest: "{{ kolla_internal_fqdn_cert }}"
        remote_src: yes
        mode: "0660"
    - name: Copy the external CA Certificate file to be the internal when internal + external are same network
      copy:
        src: "{{ kolla_external_fqdn_cacert }}"
        dest: "{{ kolla_internal_fqdn_cacert }}"
        remote_src: yes
        mode: "0660"
  when:
    - kolla_enable_tls_external | bool
    - kolla_enable_tls_internal | bool
@ -139,12 +126,6 @@
        mode: "0660"
        state: file
    - name: Creating internal CA Certificate File
      copy:
        src: "{{ root_dir }}/root.crt"
        dest: "{{ kolla_internal_fqdn_cacert }}"
        mode: "0660"
    - name: Creating internal Server PEM File
      assemble:
        regexp: '.*[crt|key]'
--- a/ansible/roles/common/templates/admin-openrc.sh.j2
+++ b/ansible/roles/common/templates/admin-openrc.sh.j2
@ -18,8 +18,6 @@ export OS_MISTRAL_ENDPOINT_TYPE=internalURL
 export OS_IDENTITY_API_VERSION=3
 export OS_REGION_NAME={{ openstack_region_name }}
 export OS_AUTH_PLUGIN=password
-{% if kolla_enable_tls_internal | bool and kolla_internal_fqdn_cacert %}
+{% if kolla_admin_openrc_cacert is not none and kolla_admin_openrc_cacert | length > 0 %}
-export OS_CACERT={{ kolla_internal_fqdn_cacert }}
+export OS_CACERT={{ kolla_admin_openrc_cacert }}
 {% elif  kolla_enable_tls_external | bool and kolla_external_fqdn_cacert %}
 export OS_CACERT={{ kolla_external_fqdn_cacert }}
 {% endif %}
--- a/etc/kolla/globals.yml
+++ b/etc/kolla/globals.yml
@ -189,8 +189,7 @@
 #kolla_certificates_dir: "{{ node_config }}/certificates"
 #kolla_external_fqdn_cert: "{{ kolla_certificates_dir }}/haproxy.pem"
 #kolla_internal_fqdn_cert: "{{ kolla_certificates_dir }}/haproxy-internal.pem"
-#kolla_external_fqdn_cacert: "{{ kolla_certificates_dir }}/ca/haproxy.crt"
+#kolla_admin_openrc_cacert: ""
 #kolla_internal_fqdn_cacert: "{{ kolla_certificates_dir }}/ca/haproxy-internal.crt"
 #kolla_copy_ca_into_containers: "no"
 #kolla_verify_tls_backend: "yes"
 #haproxy_backend_cacert: "{{ 'ca-certificates.crt' if kolla_base_distro in ['debian', 'ubuntu'] else 'ca-bundle.trust.crt' }}"
--- a/releasenotes/notes/generate-self-signed-root-ca-bc523acab7290cfe.yaml
+++ b/releasenotes/notes/generate-self-signed-root-ca-bc523acab7290cfe.yaml
@ -9,3 +9,9 @@ features:
    certificates and signs them using the root CA. If backend TLS is enabled,
    the command will generate the backend certificate and sign it with the
    root CA.
 upgrade:
  - |
    Replaced ``kolla_external_fqdn_cacert`` and ``kolla_internal_fqdn_cacert``
    with ``kolla_admin_openrc_cacert``, which by default is not set.
    ``OS_CACERT`` is now set to the value of ``kolla_admin_openrc_cacert`` in
    the generated ``admin-openrc.sh`` file.
--- a/tests/templates/globals-default.j2
+++ b/tests/templates/globals-default.j2
@ -127,6 +127,7 @@ openstack_cacert: "/etc/ssl/certs/ca-certificates.crt"
 {% if base_distro == "centos" %}
 openstack_cacert: "/etc/pki/tls/certs/ca-bundle.crt"
 {% endif %}
 kolla_admin_openrc_cacert: "{% raw %}{{ kolla_certificates_dir }}{% endraw %}/ca/root.crt"
 {% endif %}
 {% if scenario == 'linuxbridge' %}