Adapt to Octavia Certificate Configuration Guide.

This patch updates the octavia controller deployment to use the
latest octavia certificate configuration guide [1]. The dual CA changes
were introduced in Train.

[1] https://docs.openstack.org/octavia/latest/admin/guides/certificates.html

Change-Id: If89ec0d631568db70690f1a69d00115c59abe678
Closes-Bug: #1862133
Noboru Iwamatsu 2020-02-06 18:26:21 +09:00 committed by Dincer Celik
parent 0747ebf1c9
commit e84c968ed2
7 changed files with 78 additions and 34 deletions


@ -94,9 +94,10 @@
- inventory_hostname in groups[service.group]
- service.enabled | bool
with_items:
- cakey.pem
- ca_01.pem
- client.pem
- client.cert-and-key.pem
- client_ca.cert.pem
- server_ca.cert.pem
- server_ca.key.pem
notify:
- Restart octavia-worker container
@ -112,9 +113,10 @@
- inventory_hostname in groups[service.group]
- service.enabled | bool
with_items:
- cakey.pem
- ca_01.pem
- client.pem
- client.cert-and-key.pem
- client_ca.cert.pem
- server_ca.cert.pem
- server_ca.key.pem
notify:
- Restart octavia-housekeeping container
@ -130,9 +132,10 @@
- inventory_hostname in groups[service.group]
- service.enabled | bool
with_items:
- cakey.pem
- ca_01.pem
- client.pem
- client.cert-and-key.pem
- client_ca.cert.pem
- server_ca.cert.pem
- server_ca.key.pem
notify:
- Restart octavia-health-manager container
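Review bot: The same four-file list is now written out verbatim in all three hunks of this file (worker, housekeeping, health-manager) and a fourth time in the prechecks, so the next certificate change has to be repeated in every copy and a typo in one of them only surfaces at deploy time. A single role default, e.g. `octavia_cert_files` (proposed name), referenced from each task as `with_items: "{{ octavia_cert_files }}"` and from the precheck, would keep the copies in step. Each task's header and its `src`/`dest` lines lie outside the hunks, so the copy semantics themselves are not visible here.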


@ -35,6 +35,13 @@
- container_facts['octavia_health_manager'] is not defined
- inventory_hostname in groups['octavia-health-manager']
- name: Warn about certificate changes
debug:
msg: >-
Octavia's certificate configuration has been changed since Train. The new
configuration requires 4 PEM files. Please check certificate configuration
guide at https://docs.openstack.org/octavia/latest/admin/guides/certificates.html
- name: Checking certificate files exist for octavia
stat:
path: "{{ node_custom_config }}/octavia/{{ item }}"
@ -44,6 +51,7 @@
failed_when: not result.stat.exists
when: inventory_hostname in groups['octavia-worker']
with_items:
- cakey.pem
- ca_01.pem
- client.pem
- client.cert-and-key.pem
- client_ca.cert.pem
- server_ca.cert.pem
- server_ca.key.pem
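Review bot: The new file list is only verified on octavia-worker hosts (`when: inventory_hostname in groups['octavia-worker']`, a context line), while the deployment copies the same four files into the housekeeping and health-manager containers as well, so a host that runs only those services gets no precheck and fails later during the copy. Widening the condition to every group that consumes the files (`groups['octavia-health-manager']` is already referenced in this hunk; the housekeeping group name is not visible here) would make the check match the deployment. The new debug warning is also emitted on every run, including fresh deployments with nothing to migrate; gating it on the presence of one of the old files (for example a `stat` of `cakey.pem` under the same `node_custom_config` path) would limit it to upgrades. The `stat` task's `register` line and the rest of its body lie outside the hunk.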


@ -8,20 +8,26 @@
"perm": "0600"
},
{
"source": "{{ container_config_directory }}/cakey.pem",
"dest": "/etc/octavia/certs/private/cakey.pem",
"source": "{{ container_config_directory }}/client.cert-and-key.pem",
"dest": "/etc/octavia/certs/client.cert-and-key.pem",
"owner": "octavia",
"perm": "0600"
},
{
"source": "{{ container_config_directory }}/ca_01.pem",
"dest": "/etc/octavia/certs/ca_01.pem",
"source": "{{ container_config_directory }}/client_ca.cert.pem",
"dest": "/etc/octavia/certs/client_ca.cert.pem",
"owner": "octavia",
"perm": "0600"
},
{
"source": "{{ container_config_directory }}/client.pem",
"dest": "/etc/octavia/certs/client.pem",
"source": "{{ container_config_directory }}/server_ca.cert.pem",
"dest": "/etc/octavia/certs/server_ca.cert.pem",
"owner": "octavia",
"perm": "0600"
},
{
"source": "{{ container_config_directory }}/server_ca.key.pem",
"dest": "/etc/octavia/certs/server_ca.key.pem",
"owner": "octavia",
"perm": "0600"
}


@ -8,20 +8,26 @@
"perm": "0600"
},
{
"source": "{{ container_config_directory }}/cakey.pem",
"dest": "/etc/octavia/certs/private/cakey.pem",
"source": "{{ container_config_directory }}/client.cert-and-key.pem",
"dest": "/etc/octavia/certs/client.cert-and-key.pem",
"owner": "octavia",
"perm": "0600"
},
{
"source": "{{ container_config_directory }}/ca_01.pem",
"dest": "/etc/octavia/certs/ca_01.pem",
"source": "{{ container_config_directory }}/client_ca.cert.pem",
"dest": "/etc/octavia/certs/client_ca.cert.pem",
"owner": "octavia",
"perm": "0600"
},
{
"source": "{{ container_config_directory }}/client.pem",
"dest": "/etc/octavia/certs/client.pem",
"source": "{{ container_config_directory }}/server_ca.cert.pem",
"dest": "/etc/octavia/certs/server_ca.cert.pem",
"owner": "octavia",
"perm": "0600"
},
{
"source": "{{ container_config_directory }}/server_ca.key.pem",
"dest": "/etc/octavia/certs/server_ca.key.pem",
"owner": "octavia",
"perm": "0600"
}


@ -8,20 +8,26 @@
"perm": "0600"
},
{
"source": "{{ container_config_directory }}/cakey.pem",
"dest": "/etc/octavia/certs/private/cakey.pem",
"source": "{{ container_config_directory }}/client.cert-and-key.pem",
"dest": "/etc/octavia/certs/client.cert-and-key.pem",
"owner": "octavia",
"perm": "0600"
},
{
"source": "{{ container_config_directory }}/ca_01.pem",
"dest": "/etc/octavia/certs/ca_01.pem",
"source": "{{ container_config_directory }}/client_ca.cert.pem",
"dest": "/etc/octavia/certs/client_ca.cert.pem",
"owner": "octavia",
"perm": "0600"
},
{
"source": "{{ container_config_directory }}/client.pem",
"dest": "/etc/octavia/certs/client.pem",
"source": "{{ container_config_directory }}/server_ca.cert.pem",
"dest": "/etc/octavia/certs/server_ca.cert.pem",
"owner": "octavia",
"perm": "0600"
},
{
"source": "{{ container_config_directory }}/server_ca.key.pem",
"dest": "/etc/octavia/certs/server_ca.key.pem",
"owner": "octavia",
"perm": "0600"
}


@ -11,15 +11,15 @@ bind_port = {{ octavia_api_listen_port }}
[certificates]
ca_private_key_passphrase = {{ octavia_ca_password }}
ca_private_key = /etc/octavia/certs/private/cakey.pem
ca_certificate = /etc/octavia/certs/ca_01.pem
ca_private_key = /etc/octavia/certs/server_ca.key.pem
ca_certificate = /etc/octavia/certs/server_ca.cert.pem
{% if enable_barbican | bool %}
region_name = {{ openstack_region_name }}
{% endif %}
[haproxy_amphora]
server_ca = /etc/octavia/certs/ca_01.pem
client_cert = /etc/octavia/certs/client.pem
server_ca = /etc/octavia/certs/server_ca.cert.pem
client_cert = /etc/octavia/certs/client.cert-and-key.pem
[database]
connection = mysql+pymysql://{{ octavia_database_user }}:{{ octavia_database_password }}@{{ octavia_database_address }}/{{ octavia_database_name }}
@ -66,6 +66,7 @@ amp_image_tag = amphora
amp_secgroup_list = {{ octavia_amp_secgroup_list }}
amp_flavor_id = {{ octavia_amp_flavor_id }}
amp_ssh_key_name = octavia_ssh_key
client_ca = /etc/octavia/certs/client_ca.cert.pem
network_driver = allowed_address_pairs_driver
compute_driver = compute_nova_driver
amphora_driver = amphora_haproxy_rest_driver
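Review bot: `ca_private_key_passphrase = {{ octavia_ca_password }}` (a context line) now has to be the passphrase protecting `server_ca.key.pem` rather than the previous `cakey.pem`, and neither this hunk nor the release note in this commit says so; an operator who generates the new key with a different passphrase presumably only finds out when the controller first tries to sign an amphora certificate. A one-line comment next to the setting, `# must match the passphrase used when server_ca.key.pem was created`, or a sentence in the release note would cover it. The added `client_ca` line sits in a section whose header is outside the `@@ -66` hunk, so it cannot be confirmed from here that it lands in `[controller_worker]` as the linked Octavia guide expects.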


@ -0,0 +1,14 @@
---
fixes:
- |
Adapt Octavia to the latest dual CA certificate configuration. The
following files should exist in ``/etc/kolla/config/octavia/``:
* ``client.cert-and-key.pem``
* ``client_ca.cert.pem``
* ``server_ca.cert.pem``
* ``server_ca.key.pem``
See the `Octavia documentation
<https://docs.openstack.org/octavia/latest/admin/guides/certificates.html>`__
for details on generating these files.