openstack/openstack-ansible-os_octavia
Code Issues Proposed changes
fd583d3d20
openstack-ansible-os_octavia/tasks/octavia_certs.yml
German Eichberger fbda283da8 Adds the issuer to the CAs 
Octavia is using certificate authorities to manage
the amp communication but the built-in ansible
certificate commands can't generate proper CA
certificates (they omit the necessary X509 extensions)
nor properly sign CSRs and reference the CA.

The changes here replace the parts where ansible's
certificate commands fall short with running the
openssl command directly. To do so it sets up
the necessary files, directories, and templates
an openssl config file.

Once ansible's certificate capabilities improve we
can retire those commands.

Also improve tests so we gate when this fails.

Change-Id: Iaae462844d783bd6086ce6a2816ea01cafc14e6d
2018-06-22 08:46:14 -07:00

69 lines
2.7 KiB
YAML
Raw Blame History

---
# Copyright 2018, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Create the server CA private key
openssl_privatekey:
path: "{{ octavia_ca_private_key }}"
passphrase: "{{ octavia_ca_private_key_passphrase }}"
cipher: "{{ octavia_cert_cipher_server }}"
size: "{{ octavia_cert_key_length_server }}"
- name: Create server CA certificate
command: >
openssl req -x509 -passin pass:'{{ octavia_ca_private_key_passphrase }}' -new -nodes -key {{ octavia_ca_private_key }} \
-config {{ octavia_cert_dir }}/openssl.cnf \
-subj "{{ octavia_cert_server_ca_subject }}" \
-days {{ octavia_cert_validity_days }} \
-out {{ octavia_ca_certificate }}
args:
chdir: "{{ octavia_cert_dir }}"
creates: "{{ octavia_ca_certificate }}"
- name: Generate Octavia client certificate
block:
- name: Create the client cert private key
openssl_privatekey:
path: "{{ octavia_cert_dir }}/client.key"
size: "{{ octavia_cert_key_length_client }}"
- name: Create client cert CSR
openssl_csr:
path: "{{ octavia_cert_dir }}/client.csr"
common_name: "{{ octavia_cert_client_req_common_name }}"
country_name: "{{ octavia_cert_client_req_country_name }}"
state_or_province_name: "{{ octavia_cert_client_req_state_or_province_name }}"
locality_name: "{{ octavia_cert_client_req_locality_name }}"
organization_name: "{{ octavia_cert_client_req_organization_name }}"
privatekey_path: "{{ octavia_cert_dir }}/client.key"
- name: Create client certificate
command: >
openssl ca -passin pass:'{{ octavia_ca_private_key_passphrase }}' -config {{ octavia_cert_dir }}/openssl.cnf \
-in client.csr -days {{ octavia_cert_validity_days }} -out client-.pem -batch
args:
chdir: "{{ octavia_cert_dir }}"
creates: "{{ octavia_cert_dir }}/client-.pem"
# use cat to avoid mangling the certs
- name: Generate single pem client.pem
shell: "cat client-.pem client.key >{{ octavia_client_cert }}"
args:
chdir: "{{ octavia_cert_dir }}"
creates: "{{ octavia_client_cert }}"
tags:
- skip_ansible_lint
when: octavia_generate_client_cert|bool
View Git Blame Copy Permalink