Merge "Generate self signed TLS certificates"

ansible/group_vars/all.yml

@@ -757,8 +757,8 @@ kolla_enable_tls_internal: "no"
 kolla_enable_tls_external: "{{ kolla_enable_tls_internal if kolla_same_external_internal_vip | bool else 'no' }}"
 kolla_external_fqdn_cert: "{{ node_config }}/certificates/haproxy.pem"
 kolla_internal_fqdn_cert: "{{ node_config }}/certificates/haproxy-internal.pem"
-kolla_external_fqdn_cacert: "{{ node_config }}/certificates/haproxy-ca.crt"
+kolla_external_fqdn_cacert: "{{ node_config }}/certificates/ca/haproxy.crt"
-kolla_internal_fqdn_cacert: "{{ node_config }}/certificates/haproxy-ca-internal.crt"
+kolla_internal_fqdn_cacert: "{{ node_config }}/certificates/ca/haproxy-internal.crt"
 kolla_copy_ca_into_containers: "no"
 
 ####################

ansible/roles/certificates/tasks/generate.yml

@@ -1,53 +1,130 @@
 ---
-- name: Ensuring config directories exist
+- name: Ensuring private internal directory exist
-  become: true
   file:
-    path: "{{ certificates_dir }}/private"
+    path: "{{ certificates_dir }}/private/internal"
     state: "directory"
     recurse: yes
+    mode: "0770"
 
-- name: Creating SSL configuration file
+- name: Ensuring private external directory exist
-  become: true
-  template:
-    src: "{{ item }}.j2"
-    dest: "{{ certificates_dir }}/{{ item }}"
-  with_items:
-    - "openssl-kolla.cnf"
-
-- name: Creating Key
-  become: true
-  command: creates="{{ item }}" openssl genrsa -out {{ item }}
-  with_items:
-    - "{{ certificates_dir }}/private/haproxy.key"
-
-- name: Setting permissions on key
-  become: true
   file:
-    path: "{{ certificates_dir }}/private/haproxy.key"
+    path: "{{ certificates_dir }}/private/external"
-    mode: 0600
+    state: "directory"
-    state: file
+    recurse: yes
+    mode: "0770"
 
-- name: Creating Server Certificate
+- name: Ensuring ca directory exist
-  become: true
+  file:
-  command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \
+    path: "{{ certificates_dir }}/ca"
-    -subj "/C=US/ST=NC/L=RTP/O=kolla/CN={{ kolla_external_fqdn }}" \
+    state: "directory"
-    -config {{ certificates_dir }}/openssl-kolla.cnf \
+    recurse: yes
-    -days 3650 \
+    mode: "0770"
-    -extensions v3_req \
-    -key {{ certificates_dir }}/private/haproxy.key \
-    -out {{ item }}
-  with_items:
-    - "{{ certificates_dir }}/private/haproxy.crt"
 
-- name: Creating CA Certificate File
+- block:
-  become: true
+    - name: Creating external SSL configuration file
-  copy:
+      template:
-    src: "{{ certificates_dir }}/private/haproxy.crt"
+        src: "{{ item }}.j2"
-    dest: "{{ kolla_external_fqdn_cacert }}"
+        dest: "{{ certificates_dir }}/{{ item }}"
+        mode: "0660"
+      with_items:
+        - "openssl-kolla.cnf"
+    - name: Creating external Key
+      command: creates="{{ item }}" openssl genrsa -out {{ item }}
+      with_items:
+        - "{{ certificates_dir }}/private/external/external.key"
+    - name: Setting permissions on external key
+      file:
+        path: "{{ certificates_dir }}/private/external/external.key"
+        mode: "0660"
+        state: file
+    - name: Creating external Server Certificate
+      command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \
+        -config {{ certificates_dir }}/openssl-kolla.cnf \
+        -days 3650 \
+        -extensions v3_req \
+        -key {{ certificates_dir }}/private/external/external.key \
+        -out {{ item }}
+      with_items:
+        - "{{ certificates_dir }}/private/external/external.crt"
+    - name: Creating external CA Certificate File
+      copy:
+        src: "{{ certificates_dir }}/private/external/external.crt"
+        dest: "{{ kolla_external_fqdn_cacert }}"
+        mode: "0660"
+    - name: Creating external Server PEM File
+      assemble:
+        src: "{{ certificates_dir }}/private/external"
+        dest: "{{ kolla_external_fqdn_cert }}"
+        mode: "0660"
+  when:
+    - kolla_enable_tls_external | bool
 
-- name: Creating Server PEM File
+- block:
-  become: true
+    - name: Copy the external certificate crt to be the internal when internal + external are same network
-  assemble:
+      copy:
-    src: "{{ certificates_dir }}/private"
+        src: "{{ certificates_dir }}/private/external/external.crt"
-    dest: "{{ kolla_external_fqdn_cert }}"
+        dest: "{{ certificates_dir }}/private/internal/internal.crt"
-    mode: 0600
+        remote_src: yes
+        mode: "0660"
+    - name: Copy the external certificate key to be the internal when internal + external are same network
+      copy:
+        src: "{{ certificates_dir }}/private/external/external.key"
+        dest: "{{ certificates_dir }}/private/internal/internal.key"
+        remote_src: yes
+        mode: "0660"
+    - name: Copy the external PEM file to be the internal when internal + external are same network
+      copy:
+        src: "{{ kolla_external_fqdn_cert }}"
+        dest: "{{ kolla_internal_fqdn_cert }}"
+        remote_src: yes
+        mode: "0660"
+    - name: Copy the external CA Certificate file to be the internal when internal + external are same network
+      copy:
+        src: "{{ kolla_external_fqdn_cacert }}"
+        dest: "{{ kolla_internal_fqdn_cacert }}"
+        remote_src: yes
+        mode: "0660"
+  when:
+    - kolla_enable_tls_external | bool
+    - kolla_enable_tls_internal | bool
+    - kolla_same_external_internal_vip | bool
+
+- block:
+    - name: Creating internal SSL configuration file
+      template:
+        src: "{{ item }}.j2"
+        dest: "{{ certificates_dir }}/{{ item }}"
+        mode: "0660"
+      with_items:
+        - "openssl-kolla-internal.cnf"
+    - name: Creating internal Key
+      command: creates="{{ item }}" openssl genrsa -out {{ item }}
+      with_items:
+        - "{{ certificates_dir }}/private/internal/internal.key"
+    - name: Setting permissions on internal key
+      file:
+        path: "{{ certificates_dir }}/private/internal/internal.key"
+        mode: "0660"
+        state: file
+    - name: Creating internal Server Certificate
+      command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \
+        -config {{ certificates_dir }}/openssl-kolla-internal.cnf \
+        -days 3650 \
+        -extensions v3_req \
+        -key {{ certificates_dir }}/private/internal/internal.key \
+        -out {{ item }}
+      with_items:
+        - "{{ certificates_dir }}/private/internal/internal.crt"
+    - name: Creating internal CA Certificate File
+      copy:
+        src: "{{ certificates_dir }}/private/internal/internal.crt"
+        dest: "{{ kolla_internal_fqdn_cacert }}"
+        mode: "0660"
+    - name: Creating internal Server PEM File
+      assemble:
+        src: "{{ certificates_dir }}/private/internal"
+        dest: "{{ kolla_internal_fqdn_cert }}"
+        mode: "0660"
+  when:
+    - kolla_enable_tls_internal | bool
+    - not kolla_same_external_internal_vip | bool

ansible/roles/certificates/templates/openssl-kolla-internal.cnf.j2

@@ -0,0 +1,21 @@
+[req]
+prompt = no
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+
+[req_distinguished_name]
+countryName = US
+stateOrProvinceName = NC
+localityName = RTP
+organizationalUnitName = kolla
+commonName = {{ kolla_internal_fqdn }}
+
+[v3_req]
+subjectAltName = @alt_names
+
+[alt_names]
+{% if kolla_internal_fqdn != kolla_internal_vip_address %}
+DNS.1 = {{ kolla_internal_fqdn }}
+{% else %}
+IP.1 = {{ kolla_internal_fqdn }}
+{% endif %}

ansible/roles/certificates/templates/openssl-kolla.cnf.j2

@@ -1,4 +1,5 @@
 [req]
+prompt = no
 distinguished_name = req_distinguished_name
 req_extensions = v3_req
 

doc/source/admin/advanced-configuration.rst

@@ -140,7 +140,7 @@ have settings similar to this:
    export OS_PASSWORD=demo-password
    export OS_AUTH_URL=https://mykolla.example.net:5000
    # os_cacert is optional for trusted certificates
-   export OS_CACERT=/etc/pki/mykolla-cacert.crt
+   export OS_CACERT=/etc/pki/ca/mykolla-cacert.crt
    export OS_IDENTITY_API_VERSION=3
 
 Self-Signed Certificates
@@ -162,8 +162,9 @@ configuration file:
 
    kolla-ansible certificates
 
-The files haproxy.pem and haproxy-ca.pem will be generated and stored
+The certificate file haproxy.pem will be generated and stored in the
-in the ``/etc/kolla/certificates/`` directory.
+``/etc/kolla/certificates/`` directory, and the CA cert will be in the
+``/etc/kolla/certificates/ca/`` directory.
 
 Adding CA Certificates to the Service Containers
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

etc/kolla/globals.yml

@@ -184,8 +184,8 @@
 #kolla_enable_tls_external: "{{ kolla_enable_tls_internal if kolla_same_external_internal_vip | bool else 'no' }}"
 #kolla_external_fqdn_cert: "{{ node_config }}/certificates/haproxy.pem"
 #kolla_internal_fqdn_cert: "{{ node_config }}/certificates/haproxy-internal.pem"
-#kolla_external_fqdn_cacert: "{{ node_config }}/certificates/haproxy-ca.crt"
+#kolla_external_fqdn_cacert: "{{ node_config }}/certificates/ca/haproxy.crt"
-#kolla_internal_fqdn_cacert: "{{ node_config }}/certificates/haproxy-ca-internal.crt"
+#kolla_internal_fqdn_cacert: "{{ node_config }}/certificates/ca/haproxy-internal.crt"
 #kolla_copy_ca_into_containers: "no"
 
 ################

releasenotes/notes/generate-internal-external-self-signed-certs-c631a9d934d31fac.yaml

@@ -0,0 +1,23 @@
+---
+features:
+  - |
+    Generate self signed certificates for both the internal and external
+    (public) networks. If they are the same network, then the certificate
+    files will be the same.
+upgrade:
+  - |
+    The default value for ``kolla_external_fqdn_cacert`` has been changed
+    from:
+    "{{ node_config }}/certificates/haproxy-ca.crt"
+    to:
+    "{{ node_config }}/certificates/ca/haproxy.crt"
+
+    and the default value for ``kolla_external_fqdn_cacert`` has been changed
+    from:
+    "{{ node_config }}/certificates/haproxy-ca-internal.crt"
+    to:
+    "{{ node_config }}/certificates/ca/haproxy-internal.crt"
+
+    These variables set the value for the ``OS_CACERT`` environment variable in
+    ``admin-openrc.sh``. This has been done to allow these certificates to be
+    copied into containers when ``kolla_copy_ca_into_containers`` is true.