From 2d1f4b405bb712677c0facd45fbb76d486974293 Mon Sep 17 00:00:00 2001
From: Damian Dabrowski
Date: Fri, 14 Apr 2023 23:03:37 +0200
Subject: [PATCH] Add TLS support to trove backends

By overriding the variable `trove_backend_ssl: True` HTTPS will be enabled, disabling HTTP support on the trove backend api. The ansible-role-pki is used to generate the required TLS certificates if this functionality is enabled.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085
Change-Id: I15223354a28f0cc6c203f0cb3a19b9af834d4158
---
 defaults/main.yml | 52 +++++++++++++++++++++++++++++++++++++++++++++++
 handlers/main.yml | 1 +
 tasks/main.yml | 20 ++++++++++++++++++
 3 files changed, 73 insertions(+)

diff --git a/defaults/main.yml b/defaults/main.yml
index 8587130..728a356 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -72,6 +72,9 @@ trove_api_workers: "{{ [[(ansible_facts['processor_vcpus']//ansible_facts['proce
 # uWSGI settings
 trove_wsgi_threads: 1
 trove_use_uwsgi: True
+trove_uwsgi_tls:
+  crt: "{{ trove_ssl_cert }}"
+  key: "{{ trove_ssl_key }}"
 
 ## Cap the maximum number of threads / workers when a user value is unspecified.
 trove_conductor_workers_max: 16
@@ -280,6 +283,7 @@ trove_services:
     uwsgi_overrides: "{{ trove_api_uwsgi_ini_overrides }}"
     uwsgi_bind_address: "{{ trove_service_host }}"
     uwsgi_port: "{{ trove_service_port }}"
+    uwsgi_tls: "{{ trove_backend_ssl | ternary(trove_uwsgi_tls, {}) }}"
     start_order: 1
   trove-conductor:
     group: trove_conductor
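Review bot: `trove_uwsgi_tls` at the top of the first hunk is the only setting in that stanza without a comment, and its two values refer to `trove_ssl_cert` and `trove_ssl_key`, which this patch defines some two hundred lines further down in the same file, so a reader has to go looking for them. A one-line comment above it would save that lookup: `# TLS material passed to uwsgi; only consumed when trove_backend_ssl is true (see "Backend TLS" below)`. The second hunk supports stating that as fact, since `uwsgi_tls` there is `trove_backend_ssl | ternary(trove_uwsgi_tls, {})` and falls back to an empty mapping otherwise.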
@@ -293,3 +297,51 @@ trove_services:
     execstarts: "{{ trove_bin }}/trove-taskmanager"
     init_config_overrides: "{{ trove_taskmanager_init_config_overrides }}"
     start_order: 3
+
+###
+### Backend TLS
+###
+
+# Define if communication between haproxy and service backends should be
+# encrypted with TLS.
+trove_backend_ssl: "{{ openstack_service_backend_ssl | default(False) }}"
+
+# Storage location for SSL certificate authority
+trove_pki_dir: "{{ openstack_pki_dir | default('/etc/openstack_deploy/pki') }}"
+
+# Delegated host for operating the certificate authority
+trove_pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}"
+
+# trove server certificate
+trove_pki_keys_path: "{{ trove_pki_dir ~ '/certs/private/' }}"
+trove_pki_certs_path: "{{ trove_pki_dir ~ '/certs/certs/' }}"
+trove_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name | default('ExampleCorpIntermediate') }}"
+trove_pki_regen_cert: ''
+trove_pki_san: "{{ openstack_pki_san | default('DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ management_address) }}"
+trove_pki_certificates:
+  - name: "trove_{{ ansible_facts['hostname'] }}"
+    provider: ownca
+    cn: "{{ ansible_facts['hostname'] }}"
+    san: "{{ trove_pki_san }}"
+    signed_by: "{{ trove_pki_intermediate_cert_name }}"
+
+# trove destination files for SSL certificates
+trove_ssl_cert: /etc/trove/trove.pem
+trove_ssl_key: /etc/trove/trove.key
+
+# Installation details for SSL certificates
+trove_pki_install_certificates:
+  - src: "{{ trove_user_ssl_cert | default(trove_pki_certs_path ~ 'trove_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}"
+    dest: "{{ trove_ssl_cert }}"
+    owner: "{{ trove_system_user_name }}"
+    group: "{{ trove_system_user_name }}"
+    mode: "0644"
+  - src: "{{ trove_user_ssl_key | default(trove_pki_keys_path ~ 'trove_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
+    dest: "{{ trove_ssl_key }}"
+    owner: "{{ trove_system_user_name }}"
+    group: "{{ trove_system_user_name }}"
+    mode: "0600"
+
+# Define user-provided SSL certificates
+#trove_user_ssl_cert:
+#trove_user_ssl_key:
diff --git a/handlers/main.yml b/handlers/main.yml
index 30c3143..2ea8eca 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -31,3 +31,4 @@
     - "Restart trove services"
     - "venv changed"
     - "systemd service changed"
+    - "cert installed"
diff --git a/tasks/main.yml b/tasks/main.yml
index ab80ce0..64170bf 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -87,6 +87,26 @@
   tags:
     - trove-install
 
+- name: Create and install SSL certificates
+  include_role:
+    name: pki
+    tasks_from: main_certs.yml
+    apply:
+      tags:
+        - trove-config
+        - pki
+  vars:
+    pki_setup_host: "{{ trove_pki_setup_host }}"
+    pki_dir: "{{ trove_pki_dir }}"
+    pki_create_certificates: "{{ trove_user_ssl_cert is not defined and trove_user_ssl_key is not defined }}"
+    pki_regen_cert: "{{ trove_pki_regen_cert }}"
+    pki_certificates: "{{ trove_pki_certificates }}"
+    pki_install_certificates: "{{ trove_pki_install_certificates }}"
+  when:
+    - trove_backend_ssl
+  tags:
+    - always
+
 - name: Install the python venv
   import_role:
     name: "python_venv_build"
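Review bot: `trove_pki_regen_cert: ''` and the two commented-out `#trove_user_ssl_cert:` / `#trove_user_ssl_key:` lines at the end of the "Backend TLS" block are the only deployer-facing knobs in the new defaults without a comment saying what goes there; every other variable in the block has one. For the regen knob I would add `# Set to a non-empty value to have the pki role regenerate the trove server certificate (presumably on the next run)`, hedged because the trigger semantics live in the pki role rather than in this file. For the user-provided pair I would extend the existing comment to `# Define user-provided SSL certificates; set both, the install list above falls back to the pki-generated file for any one that is missing`, which is what the two `default(...)` expressions in `trove_pki_install_certificates` actually do. The private-key entry getting `mode: "0600"` while the chain gets `"0644"` is the right split and needs no change.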
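Review bot: `pki_create_certificates` in the new "Create and install SSL certificates" task is true only when neither `trove_user_ssl_cert` nor `trove_user_ssl_key` is defined, so a deployment that overrides just one of them skips generation entirely while `trove_pki_install_certificates` in defaults/main.yml still falls back to the pki-generated path for the other file, which in that case appears never to be produced. Flipping the condition to `or` would not help either: the role would then generate a pair and install a user certificate alongside a generated key that does not match it. The partial override is a configuration error that neither file catches, so I would keep the condition and add an assert in front of the include that the two are supplied together.

```yaml
- name: Check that user-provided SSL certificate and key are supplied together
  assert:
    that:
      - (trove_user_ssl_cert is defined) == (trove_user_ssl_key is defined)
    fail_msg: "trove_user_ssl_cert and trove_user_ssl_key must both be set or both be left undefined"
  when:
    - trove_backend_ssl
  tags:
    - always

# … unchanged: Create and install SSL certificates task …
```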