Merge "Add kolla_externally_managed_cert
option"
commit
69b053469f
@ -75,3 +75,5 @@ haproxy_check_timeout: "10s"
|
|||||||
|
|
||||||
# Check http://www.haproxy.org/download/1.5/doc/configuration.txt for available options
|
# Check http://www.haproxy.org/download/1.5/doc/configuration.txt for available options
|
||||||
haproxy_defaults_balance: "roundrobin"
|
haproxy_defaults_balance: "roundrobin"
|
||||||
|
|
||||||
|
kolla_externally_managed_cert: False
|
||||||
|
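Review bot: The new default `kolla_externally_managed_cert: False` uses the capitalised YAML 1.1 literal; Ansible convention and yamllint's `truthy` rule expect lowercase, so `kolla_externally_managed_cert: false` is the safer spelling. Because this one variable switches off both the certificate copy and, in the prechecks, the certificate-presence checks, a one-line comment above it would help an operator reading the defaults, e.g. `# When true, kolla-ansible neither copies TLS certificates to hosts nor checks that they exist; the operator must place them on every host.` The identical default is also added in ansible/roles/service-cert-copy/defaults/main.yml; if this is meant to be a single operator-facing toggle, defining it once in shared group vars would avoid the two copies drifting apart, though I cannot see from this page whether that file is within scope of the change.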
@ -101,6 +101,7 @@
|
|||||||
become: true
|
become: true
|
||||||
when:
|
when:
|
||||||
- kolla_enable_tls_external | bool
|
- kolla_enable_tls_external | bool
|
||||||
|
- not kolla_externally_managed_cert | bool
|
||||||
- inventory_hostname in groups[service.group]
|
- inventory_hostname in groups[service.group]
|
||||||
- service.enabled | bool
|
- service.enabled | bool
|
||||||
with_items:
|
with_items:
|
||||||
@ -118,6 +119,7 @@
|
|||||||
become: true
|
become: true
|
||||||
when:
|
when:
|
||||||
- kolla_enable_tls_internal | bool
|
- kolla_enable_tls_internal | bool
|
||||||
|
- not kolla_externally_managed_cert | bool
|
||||||
- inventory_hostname in groups[service.group]
|
- inventory_hostname in groups[service.group]
|
||||||
- service.enabled | bool
|
- service.enabled | bool
|
||||||
with_items:
|
with_items:
|
||||||
|
@ -46,7 +46,9 @@
|
|||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
register: haproxy_cert_file
|
register: haproxy_cert_file
|
||||||
changed_when: false
|
changed_when: false
|
||||||
when: kolla_enable_tls_external | bool
|
when:
|
||||||
|
- kolla_enable_tls_external | bool
|
||||||
|
- not kolla_externally_managed_cert | bool
|
||||||
|
|
||||||
- name: Fail if external haproxy certificate is absent
|
- name: Fail if external haproxy certificate is absent
|
||||||
run_once: true
|
run_once: true
|
||||||
@ -55,6 +57,7 @@
|
|||||||
when:
|
when:
|
||||||
- kolla_enable_tls_external | bool
|
- kolla_enable_tls_external | bool
|
||||||
- not haproxy_cert_file.stat.exists
|
- not haproxy_cert_file.stat.exists
|
||||||
|
- not kolla_externally_managed_cert | bool
|
||||||
|
|
||||||
- name: Checking if internal haproxy certificate exists
|
- name: Checking if internal haproxy certificate exists
|
||||||
run_once: true
|
run_once: true
|
||||||
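Review bot: In `Fail if external haproxy certificate is absent` the new condition `- not kolla_externally_managed_cert | bool` is placed after `- not haproxy_cert_file.stat.exists`; Ansible evaluates a `when` list in order and stops at the first false item, so with externally managed certificates the task still reaches the `stat.exists` lookup even though the stat task it depends on is now skipped. A skipped task's registered result normally carries no `stat` key, so as far as I can tell this would fail the precheck with an undefined-attribute error instead of skipping it. Moving the new line up, so the list reads `- kolla_enable_tls_external | bool`, `- not kolla_externally_managed_cert | bool`, `- not haproxy_cert_file.stat.exists`, short-circuits before the registered result is touched.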
@ -63,7 +66,9 @@
|
|||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
register: haproxy_internal_cert_file
|
register: haproxy_internal_cert_file
|
||||||
changed_when: false
|
changed_when: false
|
||||||
when: kolla_enable_tls_internal | bool
|
when:
|
||||||
|
- kolla_enable_tls_internal | bool
|
||||||
|
- not kolla_externally_managed_cert | bool
|
||||||
|
|
||||||
- name: Fail if internal haproxy certificate is absent
|
- name: Fail if internal haproxy certificate is absent
|
||||||
run_once: true
|
run_once: true
|
||||||
@ -72,6 +77,7 @@
|
|||||||
when:
|
when:
|
||||||
- kolla_enable_tls_internal | bool
|
- kolla_enable_tls_internal | bool
|
||||||
- not haproxy_internal_cert_file.stat.exists
|
- not haproxy_internal_cert_file.stat.exists
|
||||||
|
- not kolla_externally_managed_cert | bool
|
||||||
|
|
||||||
- name: Checking the kolla_external_vip_interface is present
|
- name: Checking the kolla_external_vip_interface is present
|
||||||
fail: "msg='Please check the kolla_external_vip_interface property - interface {{ kolla_external_vip_interface }} not found'"
|
fail: "msg='Please check the kolla_external_vip_interface property - interface {{ kolla_external_vip_interface }} not found'"
|
||||||
|
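Review bot: In `Fail if internal haproxy certificate is absent` the new `- not kolla_externally_managed_cert | bool` condition sits below `- not haproxy_internal_cert_file.stat.exists`, so when certificates are externally managed the `stat.exists` lookup is still evaluated although the preceding stat task is now skipped and, as far as I can tell, leaves no `stat` key in its registered result; the precheck would then error out rather than skip. Placing the new condition second, directly after `- kolla_enable_tls_internal | bool`, lets the `when` list short-circuit before `haproxy_internal_cert_file.stat` is read.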
3
ansible/roles/service-cert-copy/defaults/main.yml
Normal file
3
ansible/roles/service-cert-copy/defaults/main.yml
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
kolla_externally_managed_cert: False
|
@ -28,6 +28,7 @@
|
|||||||
- item.value.haproxy is defined
|
- item.value.haproxy is defined
|
||||||
- item.value.haproxy.values() | selectattr('enabled', 'defined') | map(attribute='enabled') | map('bool') | select | list | length > 0
|
- item.value.haproxy.values() | selectattr('enabled', 'defined') | map(attribute='enabled') | map('bool') | select | list | length > 0
|
||||||
- item.value.haproxy.values() | selectattr('tls_backend', 'defined') | map(attribute='tls_backend') | map('bool') | select | list | length > 0
|
- item.value.haproxy.values() | selectattr('tls_backend', 'defined') | map(attribute='tls_backend') | map('bool') | select | list | length > 0
|
||||||
|
- not kolla_externally_managed_cert | bool
|
||||||
with_dict: "{{ project_services | select_services_enabled_and_mapped_to_host }}"
|
with_dict: "{{ project_services | select_services_enabled_and_mapped_to_host }}"
|
||||||
notify:
|
notify:
|
||||||
- "Restart {{ item.key }} container"
|
- "Restart {{ item.key }} container"
|
||||||
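Review bot: Once `- not kolla_externally_managed_cert | bool` is added to this copy task, the `notify: "Restart {{ item.key }} container"` attached to it can no longer fire for externally managed certificates, so a certificate the operator rotates on the host will not be picked up until the container is restarted by some other means; the visible tasks show no alternative trigger. That may be the intended trade-off, but it is worth stating on the task and in the operator documentation, e.g. `# Not run for externally managed certificates, so rotating them does not restart the service; restart the container manually after rotation.` The enclosing task starts above this hunk, so I cannot see which file is copied or whether its mode is set.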
@ -49,6 +50,7 @@
|
|||||||
- item.value.haproxy is defined
|
- item.value.haproxy is defined
|
||||||
- item.value.haproxy.values() | selectattr('enabled', 'defined') | map(attribute='enabled') | map('bool') | select | list | length > 0
|
- item.value.haproxy.values() | selectattr('enabled', 'defined') | map(attribute='enabled') | map('bool') | select | list | length > 0
|
||||||
- item.value.haproxy.values() | selectattr('tls_backend', 'defined') | map(attribute='tls_backend') | map('bool') | select | list | length > 0
|
- item.value.haproxy.values() | selectattr('tls_backend', 'defined') | map(attribute='tls_backend') | map('bool') | select | list | length > 0
|
||||||
|
- not kolla_externally_managed_cert | bool
|
||||||
with_dict: "{{ project_services | select_services_enabled_and_mapped_to_host }}"
|
with_dict: "{{ project_services | select_services_enabled_and_mapped_to_host }}"
|
||||||
notify:
|
notify:
|
||||||
- "Restart {{ item.key }} container"
|
- "Restart {{ item.key }} container"
|
||||||
|
@ -322,3 +322,15 @@ The combined certificate and key file ``haproxy.pem`` (which is the default
|
|||||||
value for ``kolla_external_fqdn_cert``) will be generated and stored in the
|
value for ``kolla_external_fqdn_cert``) will be generated and stored in the
|
||||||
``/etc/kolla/certificates/`` directory, and a copy of the CA certificate
|
``/etc/kolla/certificates/`` directory, and a copy of the CA certificate
|
||||||
(``root.crt``) will be stored in the ``/etc/kolla/certificates/ca/`` directory.
|
(``root.crt``) will be stored in the ``/etc/kolla/certificates/ca/`` directory.
|
||||||
|
|
||||||
|
Generating your certificates without kolla-ansible
|
||||||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
If you want to manage your TLS certificates outside kolla-ansible directly on
|
||||||
|
your hosts, you can do it by setting ``kolla_externally_managed_cert`` to
|
||||||
|
``true``. This will make kolla-ansible ignore any copy of certificate from
|
||||||
|
the operator to kolla-ansible managed hosts and will keep other configuration
|
||||||
|
options for TLS as is.
|
||||||
|
|
||||||
|
If using this option, make sure that all certificates are present on the
|
||||||
|
appropriate hosts in the appropriate location.
|
||||||
|
5
releasenotes/notes/external-tls-72d36e8aa0b6ccaf.yaml
Normal file
5
releasenotes/notes/external-tls-72d36e8aa0b6ccaf.yaml
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
Add `kolla_externally_managed_cert` option to disable copy of certificates
|
||||||
|
from the operator host to kolla-ansible managed hosts.
|