openstack/openstack-ansible-os_octavia
Code Issues Proposed changes

Octavia certificate distribution

Browse Source 
Current copy certificates task works only if octavia_cert_setup_host is
localhost, because it copies from local path. See bug 1842117

To fix this issue certs are slurped and registered after they are
created.
If octavia_cert_setup_host is 'localhost' cert variables are
registered to task_vars scope.
If octavia_cert_setup_host is one of the octavia containers or utility
containers, i.e. setup host exists in inventory cert variables are
registered to hostvars[octavia_cert_setup_host] i.e hostvars scope.
Certs facts are set according to octavia_cert_setup_host value.
Certs distribution play copies certs from certs facts to each octavia
conatainer.

Change-Id: I0906c7cf80c3345fb993a71fe190fa2f6baa55e4
Closes-Bug: 1842117
This commit is contained in:
Vadim Kuznetsov 2019-09-03 12:05:58 -04:00 committed by Dmitriy Rabotyagov
parent ae5edf5593
commit 833b58da2c
4 changed files with 97 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
tasks/main.yml
View File

@ -93,6 +93,11 @@
tags: tags:
- octavia-install - octavia-install
- include_tasks: octavia_certs_distribute.yml
when: octavia_generate_certs | bool
tags:
- octavia-config
- name: Import uwsgi role - name: Import uwsgi role
import_role: import_role:
name: uwsgi name: uwsgi

67
tasks/octavia_certs.yml
View File

@ -57,6 +57,43 @@
dest: "{{ octavia_cert_dir }}/openssl.cnf" dest: "{{ octavia_cert_dir }}/openssl.cnf"
mode: 0440 mode: 0440
- name: Create the server CA private key
openssl_privatekey:
path: "{{ octavia_ca_private_key }}"
passphrase: "{{ octavia_ca_private_key_passphrase }}"
cipher: "{{ octavia_cert_cipher_server }}"
size: "{{ octavia_cert_key_length_server }}"
- name: Create server CA certificate
command: >
openssl req -x509 -passin pass:'{{ octavia_ca_private_key_passphrase }}' -new -nodes -key {{ octavia_ca_private_key }} \
-config {{ octavia_cert_dir }}/openssl.cnf \
-subj "{{ octavia_cert_server_ca_subject }}" \
-days {{ octavia_cert_validity_days }} \
-out {{ octavia_ca_certificate }}
args:
chdir: "{{ octavia_cert_dir }}"
creates: "{{ octavia_ca_certificate }}"
- name: Store octavia ca private key
slurp:
src: "{{ octavia_ca_private_key }}"
register: _octavia_ca_private_key
changed_when: false
- name: Store octavia ca cert
slurp:
src: "{{ octavia_ca_certificate }}"
register: _octavia_ca_certificate
changed_when: false
# same as octavia ca cert
- name: Store octavia server ca
slurp:
src: "{{ octavia_server_ca }}"
register: _octavia_server_ca
changed_when: false
# These are run at the very first installation of Octavia # These are run at the very first installation of Octavia
# While Octavia acts as a CA for the server certificates, # While Octavia acts as a CA for the server certificates,
# for the amphora it only needs a client certificate and # for the amphora it only needs a client certificate and
@ -91,24 +128,6 @@
chdir: "{{ octavia_cert_dir }}" chdir: "{{ octavia_cert_dir }}"
creates: "{{ octavia_client_ca }}" creates: "{{ octavia_client_ca }}"
- name: Create the server CA private key
openssl_privatekey:
path: "{{ octavia_ca_private_key }}"
passphrase: "{{ octavia_ca_private_key_passphrase }}"
cipher: "{{ octavia_cert_cipher_server }}"
size: "{{ octavia_cert_key_length_server }}"
- name: Create server CA certificate
command: >
openssl req -x509 -passin pass:'{{ octavia_ca_private_key_passphrase }}' -new -nodes -key {{ octavia_ca_private_key }} \
-config {{ octavia_cert_dir }}/openssl.cnf \
-subj "{{ octavia_cert_server_ca_subject }}" \
-days {{ octavia_cert_validity_days }} \
-out {{ octavia_ca_certificate }}
args:
chdir: "{{ octavia_cert_dir }}"
creates: "{{ octavia_ca_certificate }}"
- name: Create the client cert private key - name: Create the client cert private key
openssl_privatekey: openssl_privatekey:
path: "{{ octavia_cert_dir }}/client.key" path: "{{ octavia_cert_dir }}/client.key"
@ -140,3 +159,15 @@
creates: "{{ octavia_client_cert }}" creates: "{{ octavia_client_cert }}"
tags: tags:
- skip_ansible_lint - skip_ansible_lint
- name: Store octavia client ca
slurp:
src: "{{ octavia_client_ca }}"
register: _octavia_client_ca
changed_when: false
- name: Store octavia client cert
slurp:
src: "{{ octavia_client_cert }}"
register: _octavia_client_cert
changed_when: false

43
tasks/octavia_certs_distribute.yml Normal file
View File

@ -0,0 +1,43 @@
---
- name: Create certs directory
file:
path: /etc/octavia/certs/
state: directory
- name: Register a fact for the cert and key
set_fact:
octavia_ca_private_key_fact: "{{ hostvars[octavia_cert_setup_host]['_octavia_ca_private_key']['content'] | b64decode }}"
octavia_ca_certificate_fact: "{{ hostvars[octavia_cert_setup_host]['_octavia_ca_certificate']['content'] | b64decode }}"
octavia_server_ca_fact: "{{ hostvars[octavia_cert_setup_host]['_octavia_server_ca']['content'] | b64decode }}"
octavia_client_ca_fact: "{{ hostvars[octavia_cert_setup_host]['_octavia_client_ca']['content'] | b64decode }}"
octavia_client_cert_fact: "{{ hostvars[octavia_cert_setup_host]['_octavia_client_cert']['content'] | b64decode }}"
when: octavia_cert_setup_host != 'localhost'
- name: Register a fact for the cert and key
set_fact:
octavia_ca_private_key_fact: "{{ _octavia_ca_private_key['content'] | b64decode }}"
octavia_ca_certificate_fact: "{{ _octavia_ca_certificate['content'] | b64decode }}"
octavia_server_ca_fact: "{{ _octavia_server_ca['content'] | b64decode }}"
octavia_client_ca_fact: "{{ _octavia_client_ca['content'] | b64decode }}"
octavia_client_cert_fact: "{{ _octavia_client_cert['content'] | b64decode }}"
when: octavia_cert_setup_host == 'localhost'
- name: Copy certificates
copy:
content: "{{ item.content }}"
dest: "{{ item.dest }}"
owner: "{{ octavia_system_user_name }}"
group: "{{ octavia_system_group_name }}"
mode: "0640"
with_items:
- content: "{{ octavia_ca_private_key_fact }}"
dest: "/etc/octavia/certs/ca_key.pem"
- content: "{{ octavia_ca_certificate_fact }}"
dest: "/etc/octavia/certs/ca.pem"
- content: "{{ octavia_server_ca_fact }}"
dest: "/etc/octavia/certs/server_ca.pem"
- content: "{{ octavia_client_ca_fact }}"
dest: "/etc/octavia/certs/client_ca.pem"
- content: "{{ octavia_client_cert_fact }}"
dest: "/etc/octavia/certs/client.pem"

22
tasks/octavia_post_install.yml
View File

@ -33,28 +33,6 @@
when: when:
- ansible_distribution == 'CentOS' - ansible_distribution == 'CentOS'
- name: Create certs directory
file: path=/etc/octavia/certs/ state=directory
- name: Copy certificates
copy:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "{{ octavia_system_user_name }}"
group: "{{ octavia_system_group_name }}"
mode: "0640"
with_items:
- src: "{{ octavia_client_ca }}"
dest: "/etc/octavia/certs/client_ca.pem"
- src: "{{ octavia_client_cert }}"
dest: "/etc/octavia/certs/client.pem"
- src: "{{ octavia_server_ca }}"
dest: "/etc/octavia/certs/server_ca.pem"
- src: "{{ octavia_ca_certificate }}"
dest: "/etc/octavia/certs/ca.pem"
- src: "{{ octavia_ca_private_key }}"
dest: "/etc/octavia/certs/ca_key.pem"
- name: Copy user provided HAProxy templates - name: Copy user provided HAProxy templates
copy: copy:
src: "{{ item.src }}" src: "{{ item.src }}"