Merge "Generate Root CA for Self-Signed Certificates"

This commit is contained in:
Zuul 2020-06-16 11:12:26 +00:00 committed by Gerrit Code Review
commit e7f39d31e9
7 changed files with 216 additions and 107 deletions

View File

@ -0,0 +1,5 @@
---
root_dir: "{{ kolla_certificates_dir }}/private/root"
external_dir: "{{ kolla_certificates_dir }}/private/external"
internal_dir: "{{ kolla_certificates_dir }}/private/internal"
backend_dir: "{{ kolla_certificates_dir }}/private/backend"

View File

@ -0,0 +1,64 @@
---
- name: Ensuring private backend directory exist
file:
path: "{{ backend_dir }}"
state: "directory"
mode: "0770"
- name: Creating backend SSL configuration file
template:
src: "{{ item }}.j2"
dest: "{{ kolla_certificates_dir }}/{{ item }}"
mode: "0660"
with_items:
- "openssl-kolla-backend.cnf"
- name: Creating backend Server Certificate key
command: >
openssl genrsa
-out "{{ backend_dir }}/backend.key" 2048
args:
creates: "{{ kolla_tls_backend_key }}"
- name: Creating backend Server Certificate signing request
command: >
openssl req
-new
-key "{{ backend_dir }}/backend.key"
-out "{{ backend_dir }}/backend.csr"
-config "{{ kolla_certificates_dir }}/openssl-kolla-backend.cnf"
-sha256
args:
creates: "{{ backend_dir }}/backend.csr"
- name: Creating backend Server Certificate
command: >
openssl x509
-req
-in "{{ backend_dir }}/backend.csr"
-CA "{{ root_dir }}/root.crt"
-CAkey "{{ root_dir }}/root.key"
-CAcreateserial
-out "{{ backend_dir }}/backend.crt"
-days 500
-sha256
args:
creates: "{{ backend_dir }}/backend.crt"
- name: Setting permissions on backend key
file:
path: "{{ backend_dir }}/backend.key"
mode: "0660"
state: file
- name: Copy backend cert to default configuration location
copy:
src: "{{ backend_dir }}/backend.crt"
dest: "{{ kolla_certificates_dir }}/backend-cert.pem"
mode: "0660"
- name: Copy backend key to default configuration location
copy:
src: "{{ backend_dir }}/backend.key"
dest: "{{ kolla_certificates_dir }}/backend-key.pem"
mode: "0660"

View File

@ -0,0 +1,45 @@
---
- name: Ensuring ca directory exist
file:
path: "{{ kolla_certificates_dir }}/ca"
state: "directory"
mode: "0770"
- name: Ensuring private root directory exist
file:
path: "{{ root_dir }}"
state: "directory"
mode: "0770"
- name: Creating root Certificate key
command: >
openssl genrsa
-out "{{ root_dir }}/root.key"
4096
args:
creates: "{{ root_dir }}/root.key"
- name: Creating and sign root Certificate
command: >
openssl req
-x509
-new -nodes
-key "{{ root_dir }}/root.key"
-sha256
-days 1024
-out "{{ root_dir }}/root.crt"
-subj "/CN=KollaTestCA/"
args:
creates: "{{ root_dir }}/root.crt"
- name: Setting permissions on root key
file:
path: "{{ root_dir }}/root.key"
mode: "0660"
state: file
- name: Creating root Certificate file to be included in container trusted ca-certificates
copy:
src: "{{ root_dir }}/root.crt"
dest: "{{ kolla_certificates_dir }}/ca/root.crt"
mode: "0660"

View File

@ -1,35 +1,14 @@
---
- name: Ensuring private internal directory exist
file:
path: "{{ kolla_certificates_dir }}/private/internal"
path: "{{ internal_dir }}"
state: "directory"
recurse: yes
mode: "0770"
- name: Ensuring private external directory exist
file:
path: "{{ kolla_certificates_dir }}/private/external"
path: "{{ external_dir }}"
state: "directory"
recurse: yes
mode: "0770"
- name: Ensuring backend certificate and key directories exist
file:
path: "{{ item | dirname }}"
state: "directory"
recurse: yes
mode: "0770"
when:
- kolla_enable_tls_backend | bool
with_items:
- "{{ kolla_tls_backend_cert }}"
- "{{ kolla_tls_backend_key }}"
- name: Ensuring ca directory exist
file:
path: "{{ kolla_certificates_dir }}/ca"
state: "directory"
recurse: yes
mode: "0770"
- block:
@ -40,56 +19,68 @@
mode: "0660"
with_items:
- "openssl-kolla.cnf"
- name: Creating external Key
command: creates="{{ item }}" openssl genrsa -out {{ item }}
with_items:
- "{{ kolla_certificates_dir }}/private/external/external.key"
- name: Creating external Server Certificate key
command: >
openssl genrsa
-out "{{ external_dir }}/external.key" 2048
args:
creates: "{{ external_dir }}/external.key"
- name: Creating external Server Certificate signing request
command: >
openssl req
-new
-key "{{ external_dir }}/external.key"
-out "{{ external_dir }}/external.csr"
-config "{{ kolla_certificates_dir }}/openssl-kolla.cnf"
-sha256
args:
creates: "{{ external_dir }}/external.csr"
- name: Creating external Server Certificate
command: >
openssl x509
-req
-in "{{ external_dir }}/external.csr"
-CA "{{ root_dir }}/root.crt"
-CAkey "{{ root_dir }}/root.key"
-CAcreateserial
-out "{{ external_dir }}/external.crt"
-days 365
-sha256
args:
creates: "{{ external_dir }}/external.crt"
- name: Setting permissions on external key
file:
path: "{{ kolla_certificates_dir }}/private/external/external.key"
path: "{{ external_dir }}/external.key"
mode: "0660"
state: file
- name: Creating external Server Certificate
command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \
-config {{ kolla_certificates_dir }}/openssl-kolla.cnf \
-days 3650 \
-extensions v3_req \
-key {{ kolla_certificates_dir }}/private/external/external.key \
-out {{ item }}
with_items:
- "{{ kolla_certificates_dir }}/private/external/external.crt"
- name: Creating external CA Certificate File
copy:
src: "{{ kolla_certificates_dir }}/private/external/external.crt"
dest: "{{ kolla_external_fqdn_cacert }}"
mode: "0660"
- name: Creating external Server PEM File
assemble:
src: "{{ kolla_certificates_dir }}/private/external"
regexp: '.*[crt|key]'
src: "{{ external_dir }}"
dest: "{{ kolla_external_fqdn_cert }}"
mode: "0660"
- name: Creating external CA Certificate File
copy:
src: "{{ root_dir }}/root.crt"
dest: "{{ kolla_external_fqdn_cacert }}"
mode: "0660"
when:
- kolla_enable_tls_external | bool
- block:
- name: Copy the external certificate crt to be the internal when internal + external are same network
copy:
src: "{{ kolla_certificates_dir }}/private/external/external.crt"
dest: "{{ kolla_certificates_dir }}/private/internal/internal.crt"
remote_src: yes
mode: "0660"
- name: Copy the external certificate key to be the internal when internal + external are same network
copy:
src: "{{ kolla_certificates_dir }}/private/external/external.key"
dest: "{{ kolla_certificates_dir }}/private/internal/internal.key"
remote_src: yes
mode: "0660"
- name: Copy the external PEM file to be the internal when internal + external are same network
copy:
src: "{{ kolla_external_fqdn_cert }}"
dest: "{{ kolla_internal_fqdn_cert }}"
remote_src: yes
mode: "0660"
- name: Copy the external CA Certificate file to be the internal when internal + external are same network
copy:
src: "{{ kolla_external_fqdn_cacert }}"
@ -109,68 +100,57 @@
mode: "0660"
with_items:
- "openssl-kolla-internal.cnf"
- name: Creating internal Key
command: creates="{{ item }}" openssl genrsa -out {{ item }}
with_items:
- "{{ kolla_certificates_dir }}/private/internal/internal.key"
- name: Creating internal Server Certificate key
command: >
openssl genrsa
-out "{{ internal_dir }}/internal.key" 2048
args:
creates: "{{ internal_dir }}/internal.key"
- name: Creating internal Server Certificate signing request
command: >
openssl req
-new
-key "{{ internal_dir }}/internal.key"
-out "{{ internal_dir }}/internal.csr"
-config "{{ kolla_certificates_dir }}/openssl-kolla-internal.cnf"
-sha256
args:
creates: "{{ internal_dir }}/internal.csr"
- name: Creating internal Server Certificate
command: >
openssl x509
-req
-in "{{ internal_dir }}/internal.csr"
-CA "{{ root_dir }}/root.crt"
-CAkey "{{ root_dir }}/root.key"
-CAcreateserial
-out "{{ internal_dir }}/internal.crt"
-days 365
-sha256
args:
creates: "{{ internal_dir }}/internal.crt"
- name: Setting permissions on internal key
file:
path: "{{ kolla_certificates_dir }}/private/internal/internal.key"
path: "{{ internal_dir }}/internal.key"
mode: "0660"
state: file
- name: Creating internal Server Certificate
command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \
-config {{ kolla_certificates_dir }}/openssl-kolla-internal.cnf \
-days 3650 \
-extensions v3_req \
-key {{ kolla_certificates_dir }}/private/internal/internal.key \
-out {{ item }}
with_items:
- "{{ kolla_certificates_dir }}/private/internal/internal.crt"
- name: Creating internal CA Certificate File
copy:
src: "{{ kolla_certificates_dir }}/private/internal/internal.crt"
src: "{{ root_dir }}/root.crt"
dest: "{{ kolla_internal_fqdn_cacert }}"
mode: "0660"
- name: Creating internal Server PEM File
assemble:
src: "{{ kolla_certificates_dir }}/private/internal"
regexp: '.*[crt|key]'
src: "{{ internal_dir }}"
dest: "{{ kolla_internal_fqdn_cert }}"
mode: "0660"
when:
- kolla_enable_tls_internal | bool
- not kolla_same_external_internal_vip | bool
- block:
- name: Creating backend SSL configuration file
template:
src: "{{ item }}.j2"
dest: "{{ kolla_certificates_dir }}/{{ item }}"
mode: "0660"
with_items:
- "openssl-kolla-backend.cnf"
- name: Creating backend Key
command: creates="{{ item }}" openssl genrsa -out {{ item }}
with_items:
- "{{ kolla_tls_backend_key }}"
- name: Setting permissions on backend key
file:
path: "{{ kolla_tls_backend_key }}"
mode: "0660"
state: file
- name: Creating backend Server Certificate
command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \
-config {{ kolla_certificates_dir }}/openssl-kolla-backend.cnf \
-days 3650 \
-extensions v3_req \
-key {{ kolla_tls_backend_key }} \
-out {{ item }}
with_items:
- "{{ kolla_tls_backend_cert }}"
- name: Creating backend Certificate file to be included in container trusted ca-certificates
copy:
src: "{{ kolla_tls_backend_cert }}"
dest: "{{ kolla_certificates_dir }}/ca/backend-cert.crt"
mode: "0660"
when:
- kolla_enable_tls_backend | bool

View File

@ -1,2 +1,6 @@
---
- include_tasks: generate-root.yml
- include_tasks: generate.yml
- include_tasks: generate-backend.yml
when:
- kolla_enable_tls_backend | bool

View File

@ -0,0 +1,11 @@
---
features:
- |
Self-signed TLS certificates can be used to test TLS in a
development OpenStack environment. The ``kolla-ansible certificates``
command will generate the required self-signed TLS certificates. This
command has been updated to first create a self-signed root certificate
authority. The command then generates the internal and external facing
certificates and signs them using the root CA. If backend TLS is enabled,
the command will generate the backend certificate and sign it with the
root CA.

View File

@ -122,10 +122,10 @@ kolla_enable_tls_internal: "yes"
kolla_copy_ca_into_containers: "yes"
kolla_enable_tls_backend: "yes"
{% if base_distro == "ubuntu" or base_distro == "debian" %}
openstack_cacert: "/usr/local/share/ca-certificates/kolla-customca-haproxy-internal.crt"
openstack_cacert: "/etc/ssl/certs/ca-certificates.crt"
{% endif %}
{% if base_distro == "centos" %}
openstack_cacert: "/etc/pki/ca-trust/source/anchors/kolla-customca-haproxy-internal.crt"
openstack_cacert: "/etc/pki/tls/certs/ca-bundle.crt"
{% endif %}
{% endif %}