Add kolla_externally_managed_cert option

This option disables copy of certificates from the operator host to kolla-ansible managed hosts. This is especially useful if you already have some mechanisms to handle your certificates directly on your hosts. Co-Authored-By: Marc 'risson' Schmitt <marc.schmitt@risson.space> Change-Id: Ie18b2464cb5a65a88c4ac191a921b8074a14f504
2021-01-28 15:31:23 +01:00 · 2021-01-28 15:31:23 +01:00 · 57220ce1d9
commit 57220ce1d9
parent 01c0c39fb0
7 changed files with 34 additions and 2 deletions
--- a/ansible/roles/haproxy/defaults/main.yml
+++ b/ansible/roles/haproxy/defaults/main.yml
@ -75,3 +75,5 @@ haproxy_check_timeout: "10s"

 # Check http://www.haproxy.org/download/1.5/doc/configuration.txt for available options
 haproxy_defaults_balance: "roundrobin"
+
+kolla_externally_managed_cert: False
--- a/ansible/roles/haproxy/tasks/config.yml
+++ b/ansible/roles/haproxy/tasks/config.yml
@ -101,6 +101,7 @@
  become: true
  when:
    - kolla_enable_tls_external | bool
+    - not kolla_externally_managed_cert | bool
    - inventory_hostname in groups[service.group]
    - service.enabled | bool
  with_items:
@ -118,6 +119,7 @@
  become: true
  when:
    - kolla_enable_tls_internal | bool
+    - not kolla_externally_managed_cert | bool
    - inventory_hostname in groups[service.group]
    - service.enabled | bool
  with_items:
--- a/ansible/roles/haproxy/tasks/precheck.yml
+++ b/ansible/roles/haproxy/tasks/precheck.yml
@ -44,7 +44,9 @@
  delegate_to: localhost
  register: haproxy_cert_file
  changed_when: false
-  when: kolla_enable_tls_external | bool
+  when:
+    - kolla_enable_tls_external | bool
+    - not kolla_externally_managed_cert | bool

 - name: Fail if external haproxy certificate is absent
  run_once: true
@ -53,6 +55,7 @@
  when:
    - kolla_enable_tls_external | bool
    - not haproxy_cert_file.stat.exists
+    - not kolla_externally_managed_cert | bool

 - name: Checking if internal haproxy certificate exists
  run_once: true
@ -61,7 +64,9 @@
  delegate_to: localhost
  register: haproxy_internal_cert_file
  changed_when: false
-  when: kolla_enable_tls_internal | bool
+  when:
+    - kolla_enable_tls_internal | bool
+    - not kolla_externally_managed_cert | bool

 - name: Fail if internal haproxy certificate is absent
  run_once: true
@ -70,6 +75,7 @@
  when:
    - kolla_enable_tls_internal | bool
    - not haproxy_internal_cert_file.stat.exists
+    - not kolla_externally_managed_cert | bool

 - name: Checking the kolla_external_vip_interface is present
  fail: "msg='Please check the kolla_external_vip_interface property - interface {{ kolla_external_vip_interface }} not found'"
--- a/ansible/roles/service-cert-copy/defaults/main.yml
+++ b/ansible/roles/service-cert-copy/defaults/main.yml
@ -0,0 +1,3 @@
+---
+
+kolla_externally_managed_cert: False
--- a/ansible/roles/service-cert-copy/tasks/main.yml
+++ b/ansible/roles/service-cert-copy/tasks/main.yml
@ -28,6 +28,7 @@
    - item.value.haproxy is defined
    - item.value.haproxy.values() | selectattr('enabled', 'defined') | map(attribute='enabled') | map('bool') | select | list | length > 0
    - item.value.haproxy.values() | selectattr('tls_backend', 'defined') | map(attribute='tls_backend') | map('bool') | select | list | length > 0
+    - not kolla_externally_managed_cert | bool
  with_dict: "{{ project_services | select_services_enabled_and_mapped_to_host }}"
  notify:
    - "Restart {{ item.key }} container"
@ -49,6 +50,7 @@
    - item.value.haproxy is defined
    - item.value.haproxy.values() | selectattr('enabled', 'defined') | map(attribute='enabled') | map('bool') | select | list | length > 0
    - item.value.haproxy.values() | selectattr('tls_backend', 'defined') | map(attribute='tls_backend') | map('bool') | select | list | length > 0
+    - not kolla_externally_managed_cert | bool
  with_dict: "{{ project_services | select_services_enabled_and_mapped_to_host }}"
  notify:
    - "Restart {{ item.key }} container"
--- a/doc/source/admin/tls.rst
+++ b/doc/source/admin/tls.rst
@ -322,3 +322,15 @@ The combined certificate and key file ``haproxy.pem`` (which is the default
 value for ``kolla_external_fqdn_cert``) will be generated and stored in the
 ``/etc/kolla/certificates/`` directory, and a copy of the CA certificate
 (``root.crt``) will be stored in the ``/etc/kolla/certificates/ca/`` directory.
+
+Generating your certificates without kolla-ansible
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+If you want to manage your TLS certificates outside kolla-ansible directly on
+your hosts, you can do it by setting ``kolla_externally_managed_cert`` to
+``true``. This will make kolla-ansible ignore any copy of certificate from
+the operator to kolla-ansible managed hosts and will keep other configuration
+options for TLS as is.
+
+If using this option, make sure that all certificates are present on the
+appropriate hosts in the appropriate location.
--- a/releasenotes/notes/external-tls-72d36e8aa0b6ccaf.yaml
+++ b/releasenotes/notes/external-tls-72d36e8aa0b6ccaf.yaml
@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Add `kolla_externally_managed_cert` option to disable copy of certificates
+    from the operator host to kolla-ansible managed hosts.