James Kirsch 5581a28253 Add support for LetsEncrypt-managed certs
Add support for automatic provisioning and renewal of HTTPS
certificates via LetsEncrypt.

Spec is available at:
https://etherpad.opendev.org/p/kolla-ansible-letsencrypt-https

Depends-On: https://review.opendev.org/c/openstack/kolla/+/887347
Co-Authored-By: Michal Arbet <michal.arbet@ultimum.io>
Implements: blueprint letsencrypt-https
Change-Id: I35317ea0343f0db74ddc0e587862e95408e9e106
2023-11-07 10:59:51 +01:00


---
# Holds the internal endpoint's key material (internal.key is generated into
# it further down). 0770 denies "other" entirely; the group access is what the
# later 0660 key mode builds on — confirm the owning group is the intended one.
- name: Ensuring private internal directory exist
  file:
    path: "{{ internal_dir }}"
    mode: "0770"
    state: directory
# Same layout for the external endpoint's key material (external.key lands
# here). Directory is group-accessible but closed to "other".
- name: Ensuring private external directory exist
  file:
    path: "{{ external_dir }}"
    mode: "0770"
    state: directory
# Self-managed external certificate: key, CSR and a CA-signed cert are
# produced under external_dir and then concatenated into the PEM bundle that
# kolla_external_fqdn_cert points at. Skipped when LetsEncrypt owns the
# external certificate or external TLS is off.
- when:
    - not enable_letsencrypt | bool
    - kolla_enable_tls_external | bool
  block:
    - name: Creating external SSL configuration file
      template:
        src: "{{ item }}.j2"
        dest: "{{ kolla_certificates_dir }}/{{ item }}"
        mode: "0660"
      with_items:
        - openssl-kolla.cnf

    # `creates:` makes this idempotent: an existing key is never rotated by a
    # re-run. Delete external.key to force a fresh one.
    - name: Creating external Server Certificate key
      command: >
        openssl genrsa
        -out "{{ external_dir }}/external.key" 2048
      args:
        creates: "{{ external_dir }}/external.key"

    - name: Creating external Server Certificate signing request
      command: >
        openssl req
        -new
        -key "{{ external_dir }}/external.key"
        -out "{{ external_dir }}/external.csr"
        -config "{{ kolla_certificates_dir }}/openssl-kolla.cnf"
        -sha256
      args:
        creates: "{{ external_dir }}/external.csr"

    # Signed by the deployment's own root CA (root.crt/root.key under root_dir;
    # presumably produced by an earlier task, not in this file) for 365 days.
    # Because of `creates:` the certificate is NOT re-issued once it expires —
    # remove external.crt (and the assembled PEM) to renew.
    - name: Creating external Server Certificate
      command: >
        openssl x509
        -req
        -in "{{ external_dir }}/external.csr"
        -CA "{{ root_dir }}/root.crt"
        -CAkey "{{ root_dir }}/root.key"
        -CAcreateserial
        -extensions v3_req
        -extfile "{{ kolla_certificates_dir }}/openssl-kolla.cnf"
        -out "{{ external_dir }}/external.crt"
        -days 365
        -sha256
      args:
        creates: "{{ external_dir }}/external.crt"

    # Group gets read/write on the private key; anyone in the owning group can
    # read it. Assumes the group is the deployment user's own — TODO confirm.
    - name: Setting permissions on external key
      file:
        path: "{{ external_dir }}/external.key"
        mode: "0660"
        state: file

    # The bundle embeds the private key, hence the same 0660 mode as the key.
    # Every *.crt / *.key in external_dir is concatenated, not only external.*,
    # so stray files in that directory end up in the served PEM.
    - name: Creating external Server PEM File
      assemble:
        src: "{{ external_dir }}"
        dest: "{{ kolla_external_fqdn_cert }}"
        regexp: \.(crt|key)$
        mode: "0660"
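# When internal and external share one VIP, the internal endpoint reuses the
# external PEM (certificate + private key) instead of getting its own.
# `remote_src: true` copies on the target host; the bundle never transits
# through the controller. Skipped when LetsEncrypt manages the external cert,
# since the source bundle is not produced by this file in that case.
- when:
    - not enable_letsencrypt | bool
    - kolla_enable_tls_external | bool
    - kolla_enable_tls_internal | bool
    - kolla_same_external_internal_vip | bool
  block:
    - name: Copy the external PEM file to be the internal when internal + external are same network
      copy:
        src: "{{ kolla_external_fqdn_cert }}"
        dest: "{{ kolla_internal_fqdn_cert }}"
        # canonical boolean: `yes` is a YAML 1.1-only truthy spelling
        remote_src: true
        # same mode as the source bundle — it contains the private key
        mode: "0660"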
# Self-managed internal certificate, mirroring the external flow but under
# internal_dir with its own OpenSSL config. Only runs when the internal VIP is
# distinct from the external one; otherwise the external PEM is copied instead.
# NOTE(review): with internal TLS enabled, the same VIP, but external TLS
# disabled, neither this block nor the copy block above produces an internal
# PEM — presumably a precheck elsewhere rejects that combination; verify.
- when:
    - not enable_letsencrypt | bool
    - kolla_enable_tls_internal | bool
    - not kolla_same_external_internal_vip | bool
  block:
    - name: Creating internal SSL configuration file
      template:
        src: "{{ item }}.j2"
        dest: "{{ kolla_certificates_dir }}/{{ item }}"
        mode: "0660"
      with_items:
        - openssl-kolla-internal.cnf

    # `creates:` keeps the key stable across re-runs; remove internal.key to
    # force rotation.
    - name: Creating internal Server Certificate key
      command: >
        openssl genrsa
        -out "{{ internal_dir }}/internal.key" 2048
      args:
        creates: "{{ internal_dir }}/internal.key"

    - name: Creating internal Server Certificate signing request
      command: >
        openssl req
        -new
        -key "{{ internal_dir }}/internal.key"
        -out "{{ internal_dir }}/internal.csr"
        -config "{{ kolla_certificates_dir }}/openssl-kolla-internal.cnf"
        -sha256
      args:
        creates: "{{ internal_dir }}/internal.csr"

    # Signed by the deployment root CA for 365 days. `creates:` means an
    # expired internal.crt is not re-issued automatically — delete it (and the
    # assembled PEM) to renew.
    - name: Creating internal Server Certificate
      command: >
        openssl x509
        -req
        -in "{{ internal_dir }}/internal.csr"
        -CA "{{ root_dir }}/root.crt"
        -CAkey "{{ root_dir }}/root.key"
        -CAcreateserial
        -extensions v3_req
        -extfile "{{ kolla_certificates_dir }}/openssl-kolla-internal.cnf"
        -out "{{ internal_dir }}/internal.crt"
        -days 365
        -sha256
      args:
        creates: "{{ internal_dir }}/internal.crt"

    # Private key readable and writable by the owning group.
    - name: Setting permissions on internal key
      file:
        path: "{{ internal_dir }}/internal.key"
        mode: "0660"
        state: file

    # Bundle = every *.crt / *.key found in internal_dir; it carries the
    # private key, so it keeps the key's 0660 mode.
    - name: Creating internal Server PEM File
      assemble:
        src: "{{ internal_dir }}"
        dest: "{{ kolla_internal_fqdn_cert }}"
        regexp: \.(crt|key)$
        mode: "0660"