Merge "Add playbook to generate any user defined certificates"

doc/source/user/security/ssl-certificates.rst

@@ -94,6 +94,53 @@ following ways:
 
      haproxy_pki_regen_cert: true
 
+Generating and regenerating self-signed user certificates
+---------------------------------------------------------
+
+Self-signed user certificates are generated but not installed for services
+outside of Openstack ansible. These user certificates are signed by the same
+self-signed certificate authority as is used by openstack services
+but are intended to be used by user applications.
+
+To create user certificates, define a variable with the prefix
+``user_pki_certificates_`` in the ``/etc/openstack_deploy/user_variables.yml``
+file.
+
+Example
+
+.. code-block:: yaml
+
+   user_pki_certificates_example:
+      - name: "example"
+        provider: ownca
+        cn: "example.com"
+        san: "DNS:example.com,IP:x.x.x.x"
+        signed_by: "{{ openstack_pki_service_intermediate_cert_name }}"
+        key_usage:
+          - digitalSignature
+          - keyAgreement
+        extended_key_usage:
+          - serverAuth
+
+To generate a new self-signed certificate for a service, you must set
+the ``user_pki_regen_cert`` variable to true in one of the
+following ways:
+
+* To force a self-signed certificate to regenerate, you can pass the variable
+  to ``openstack-ansible`` on the command line:
+
+  .. code-block:: shell-session
+
+     # openstack-ansible -e "user_pki_regen_cert=true" certificate-generate.yml
+
+* To force a self-signed certificate to regenerate with every playbook run,
+  set the ``user_pki_regen_cert`` variable to ``true`` in the
+  ``/etc/openstack_deploy/user_variables.yml`` file:
+
+  .. code-block:: yaml
+
+     user_pki_regen_cert: true
+
 
 User-provided certificates
 ~~~~~~~~~~~~~~~~~~~~~~~~~~

playbooks/certificate-generate.yml

@@ -0,0 +1,32 @@
+# Copyright 2021, BBC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Generate any extra user certificates
+  hosts: "{{ openstack_pki_setup_host | default('localhost') }}"
+  gather_facts: "{{ osa_gather_facts | default(True) }}"
+  tags:
+    - always
+  tasks:
+    - name: Create user certificates
+      include_role:
+        name: pki
+        tasks_from: main_certs.yml
+      vars:
+        pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}"
+        pki_dir: "{{ openstack_pki_dir }}"
+        cert_dir: "{{ pki_dir }}/certs"
+        pki_search_certificates_pattern: "user_pki_certificates_"
+        pki_regen_cert: "{{ user_pki_regen_cert | default(false) }}"
+      when:
+        - pki_create_certificates | default(true)

playbooks/setup-hosts.yml

@@ -14,6 +14,7 @@
 # limitations under the License.
 
 - import_playbook: certificate-authority.yml
+- import_playbook: certificate-generate.yml
 - import_playbook: openstack-hosts-setup.yml
 - import_playbook: containers-deploy.yml
 - import_playbook: security-hardening.yml