Add TLS support to neutron_server backends

By overriding the variable `neutron_backend_ssl: True` HTTPS will
be enabled, disabling HTTP support on the neutron backend api.

The ansible-role-pki is used to generate the required TLS
certificates if this functionality is enabled.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085
Change-Id: I9f16f916d1ef3e5937c91f6b09a3d4073594ecb4

defaults/main.yml

@@ -190,6 +190,9 @@ neutron_use_uwsgi: "{{ (neutron_plugin_type not in ['ml2.ovn']) }}"
 neutron_wsgi_processes_max: 16
 neutron_wsgi_processes: "{{ [[ansible_processor_vcpus|default(1), 1] | max * 2, neutron_wsgi_processes_max] | min }}"
 neutron_wsgi_threads: 1
+neutron_uwsgi_tls:
+  crt: "{{ neutron_ssl_cert }}"
+  key: "{{ neutron_ssl_key }}"
 
 ###
 ### Quotas
@@ -563,3 +566,51 @@ ovs_dpdk_pmd_cpu_mask: 2
 ovs_dpdk_socket_mem: "1024"
 ovs_dpdk_nr_1g_pages: 0
 ovs_dpdk_nr_2m_pages: 0
+
+###
+### Backend TLS
+###
+
+# Define if communication between haproxy and service backends should be
+# encrypted with TLS.
+neutron_backend_ssl: "{{ openstack_service_backend_ssl | default(False) }}"
+
+# Storage location for SSL certificate authority
+neutron_pki_dir: "{{ openstack_pki_dir | default('/etc/openstack_deploy/pki') }}"
+
+# Delegated host for operating the certificate authority
+neutron_pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}"
+
+# neutron server certificate
+neutron_pki_keys_path: "{{ neutron_pki_dir ~ '/certs/private/' }}"
+neutron_pki_certs_path: "{{ neutron_pki_dir ~ '/certs/certs/' }}"
+neutron_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name | default('ExampleCorpIntermediate') }}"
+neutron_pki_regen_cert: ''
+neutron_pki_san: "{{ openstack_pki_san | default('DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ management_address) }}"
+neutron_pki_certificates:
+  - name: "neutron_{{ ansible_facts['hostname'] }}"
+    provider: ownca
+    cn: "{{ ansible_facts['hostname'] }}"
+    san: "{{ neutron_pki_san }}"
+    signed_by: "{{ neutron_pki_intermediate_cert_name }}"
+
+# neutron destination files for SSL certificates
+neutron_ssl_cert: "{{ neutron_conf_version_dir }}/neutron.pem"
+neutron_ssl_key: "{{ neutron_conf_version_dir }}/neutron.key"
+
+# Installation details for SSL certificates
+neutron_pki_install_certificates:
+  - src: "{{ neutron_user_ssl_cert | default(neutron_pki_certs_path ~ 'neutron_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}"
+    dest: "{{ neutron_ssl_cert }}"
+    owner: "{{ neutron_system_user_name }}"
+    group: "{{ neutron_system_user_name }}"
+    mode: "0644"
+  - src: "{{ neutron_user_ssl_key | default(neutron_pki_keys_path ~ 'neutron_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
+    dest: "{{ neutron_ssl_key }}"
+    owner: "{{ neutron_system_user_name }}"
+    group: "{{ neutron_system_user_name }}"
+    mode: "0600"
+
+# Define user-provided SSL certificates
+#neutron_user_ssl_cert: <path to cert on ansible deployment host>
+#neutron_user_ssl_key: <path to cert on ansible deployment host>

handlers/main.yml

@@ -28,6 +28,7 @@
     - "Restart neutron services"
     - "venv changed"
     - "systemd service changed"
+    - "cert installed"
 
 # NOTE(cloudnull):
 # When installing or upgrading it is possible that an old metadata proxy process will not
@@ -132,6 +133,7 @@
     - "Restart neutron services"
     - "venv changed"
     - "systemd service changed"
+    - "cert installed"
 
 - name: start ovn service
   service:

tasks/main.yml

@@ -124,10 +124,35 @@
     - neutron-config
 
 # create the ssl certs before the installation of the services.
-- name: Create and install SSL certificates
+- name: Create and install SSL certificates for API
   include_role:
     name: pki
     tasks_from: main_certs.yml
+    apply:
+      tags:
+        - neutron-config
+        - pki
+  vars:
+    pki_setup_host: "{{ neutron_pki_setup_host }}"
+    pki_dir: "{{ neutron_pki_dir }}"
+    pki_create_certificates: "{{ neutron_user_ssl_cert is not defined and neutron_user_ssl_key is not defined }}"
+    pki_regen_cert: "{{ neutron_pki_regen_cert }}"
+    pki_certificates: "{{ neutron_pki_certificates }}"
+    pki_install_certificates: "{{ neutron_pki_install_certificates }}"
+  when:
+    - neutron_backend_ssl
+    - neutron_services['neutron-server']['group'] in group_names
+  tags:
+    - always
+
+- name: Create and install SSL certificates for OVN
+  include_role:
+    name: pki
+    tasks_from: main_certs.yml
+    apply:
+      tags:
+        - neutron_ovn-config
+        - pki
   vars:
     pki_setup_host: "{{ neutron_ovn_pki_setup_host }}"
     pki_dir: "{{ neutron_ovn_pki_dir }}"
@@ -140,8 +165,7 @@
     - neutron_ovn_ssl
     - (neutron_services['neutron-ovn-controller']['group'] in group_names) or (neutron_services['neutron-ovn-northd']['group'] in group_names) or (neutron_services['neutron-server']['group'] in group_names)
   tags:
-    - neutron_ovn-config
+    - always
-    - pki
 
 # Include provider specific config(s)
 - include_tasks: "{{ item }}"

templates/neutron.conf.j2

@@ -25,6 +25,9 @@ dns_domain = {{ neutron_dns_domain }}
 
 {% if neutron_services['neutron-server']['group'] in group_names %}
 
+# Enable SSL on the API server
+use_ssl = {{ neutron_backend_ssl }}
+
 # General, only applies to neutron server host group
 vlan_transparent = False
 
@@ -258,3 +261,9 @@ drivers = {{ (neutron_plugin_type == 'ml2.opendaylight') | ternary('odl_v2', 'ov
 [flowclassifier]
 drivers = {{ (neutron_plugin_type == 'ml2.opendaylight') | ternary('odl_v2', 'ovs') }}
 {% endif %}
+
+{% if neutron_services['neutron-server']['group'] in group_names and neutron_backend_ssl | bool %}
+[ssl]
+cert_file = {{ neutron_ssl_cert }}
+key_file = {{ neutron_ssl_key }}
+{% endif %}

vars/main.yml

@@ -470,6 +470,7 @@ neutron_services:
     uwsgi_overrides: "{{ neutron_api_uwsgi_ini_overrides }}"
     uwsgi_bind_address: "{{ neutron_api_bind_address }}"
     uwsgi_port: "{{ neutron_service_port }}"
+    uwsgi_tls: "{{ neutron_backend_ssl | ternary(neutron_uwsgi_tls, {}) }}"
     uwsgi_pyargv: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/{{ neutron_plugins[neutron_plugin_type].plugin_ini }}{%- if ('ml2.genericswitch' in neutron_plugin_types) %} --config-file {{ neutron_conf_dir }}/{{ neutron_plugins['ml2.genericswitch'].plugin_ini }}{%- endif %}"
     wsgi_name: "neutron-api"
     execstarts: "{{ neutron_bin }}/neutron-server --config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/{{ neutron_plugins[neutron_plugin_type].plugin_ini }}{%- if ('ml2.genericswitch' in neutron_plugin_types) %} --config-file {{ neutron_conf_dir }}/{{ neutron_plugins['ml2.genericswitch'].plugin_ini }}{%- endif %}"