From a982d3acbb06e57d8ede66935cbee464a3782fc2 Mon Sep 17 00:00:00 2001
From: James Kirsch
Date: Wed, 27 May 2020 14:08:31 -0700
Subject: [PATCH] Generate Root CA for Self-Signed Certificates
Update the certificate generation task to create a root CA for the self-signed certificates. The internal and external facing certificates are then generated using the root CA. Updated openstack_cacert to use system CA trust store in CI tests certificate by default.
Change-Id: I6c2adff7d0128146cf086103ff6060b0dcefa37b
Partially-Implements: blueprint add-ssl-internal-network
---
ansible/roles/certificates/defaults/main.yml | 5 +
.../certificates/tasks/generate-backend.yml | 64 ++++++
.../certificates/tasks/generate-root.yml | 45 +++++
ansible/roles/certificates/tasks/generate.yml | 190 ++++++++----------
ansible/roles/certificates/tasks/main.yml | 4 +
...-self-signed-root-ca-bc523acab7290cfe.yaml | 11 +
tests/templates/globals-default.j2 | 4 +-
7 files changed, 216 insertions(+), 107 deletions(-)
create mode 100644 ansible/roles/certificates/defaults/main.yml
create mode 100644 ansible/roles/certificates/tasks/generate-backend.yml
create mode 100644 ansible/roles/certificates/tasks/generate-root.yml
create mode 100644 releasenotes/notes/generate-self-signed-root-ca-bc523acab7290cfe.yaml
diff --git a/ansible/roles/certificates/defaults/main.yml b/ansible/roles/certificates/defaults/main.yml
new file mode 100644
index 0000000000..a478311eff
--- /dev/null
+++ b/ansible/roles/certificates/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+root_dir: "{{ kolla_certificates_dir }}/private/root"
+external_dir: "{{ kolla_certificates_dir }}/private/external"
+internal_dir: "{{ kolla_certificates_dir }}/private/internal"
+backend_dir: "{{ kolla_certificates_dir }}/private/backend"
diff --git a/ansible/roles/certificates/tasks/generate-backend.yml b/ansible/roles/certificates/tasks/generate-backend.yml
new file mode 100644
index 0000000000..8eab9e48b3
--- /dev/null
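Review bot: The four new role defaults use unprefixed names (`root_dir`, `external_dir`, `internal_dir`, `backend_dir`) that are not namespaced to the certificates role, and role defaults sit at the lowest variable precedence, so a same-named variable set in inventory, group_vars or extra-vars for an unrelated purpose silently redirects where the root CA private key is written and read from. Prefixing them with the role name (for example `certificates_root_dir`, a constructed suggestion) and updating the references in generate-root.yml, generate.yml and generate-backend.yml would remove that collision risk. A short comment above `root_dir` such as `# Private key of the generated root CA lives here; only root.crt is copied out to ca/` would also help a reader tell the private and published directories apart.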
+++ b/ansible/roles/certificates/tasks/generate-backend.yml
@@ -0,0 +1,64 @@
+---
+- name: Ensuring private backend directory exist
+ file:
+ path: "{{ backend_dir }}"
+ state: "directory"
+ mode: "0770"
+
+- name: Creating backend SSL configuration file
+ template:
+ src: "{{ item }}.j2"
+ dest: "{{ kolla_certificates_dir }}/{{ item }}"
+ mode: "0660"
+ with_items:
+ - "openssl-kolla-backend.cnf"
+
+- name: Creating backend Server Certificate key
+ command: >
+ openssl genrsa
+ -out "{{ backend_dir }}/backend.key" 2048
+ args:
+ creates: "{{ kolla_tls_backend_key }}"
+
+- name: Creating backend Server Certificate signing request
+ command: >
+ openssl req
+ -new
+ -key "{{ backend_dir }}/backend.key"
+ -out "{{ backend_dir }}/backend.csr"
+ -config "{{ kolla_certificates_dir }}/openssl-kolla-backend.cnf"
+ -sha256
+ args:
+ creates: "{{ backend_dir }}/backend.csr"
+
+- name: Creating backend Server Certificate
+ command: >
+ openssl x509
+ -req
+ -in "{{ backend_dir }}/backend.csr"
+ -CA "{{ root_dir }}/root.crt"
+ -CAkey "{{ root_dir }}/root.key"
+ -CAcreateserial
+ -out "{{ backend_dir }}/backend.crt"
+ -days 500
+ -sha256
+ args:
+ creates: "{{ backend_dir }}/backend.crt"
+
+- name: Setting permissions on backend key
+ file:
+ path: "{{ backend_dir }}/backend.key"
+ mode: "0660"
+ state: file
+
+- name: Copy backend cert to default configuration location
+ copy:
+ src: "{{ backend_dir }}/backend.crt"
+ dest: "{{ kolla_certificates_dir }}/backend-cert.pem"
+ mode: "0660"
+
+- name: Copy backend key to default configuration location
+ copy:
+ src: "{{ backend_dir }}/backend.key"
+ dest: "{{ kolla_certificates_dir }}/backend-key.pem"
+ mode: "0660"
diff --git a/ansible/roles/certificates/tasks/generate-root.yml b/ansible/roles/certificates/tasks/generate-root.yml
new file mode 100644
index 0000000000..ac7e8d4bf3
--- /dev/null
+++ b/ansible/roles/certificates/tasks/generate-root.yml
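Review bot: The `openssl x509 -req` call in "Creating backend Server Certificate" passes no `-extfile`, and in that mode OpenSSL adds no extensions to the issued certificate regardless of what the CSR carries, so whatever the `v3_req` section of openssl-kolla-backend.cnf defines (the old `openssl req -x509 -extensions v3_req` invocation relied on it, usually the subjectAltName list) is silently dropped and the leaf certificate is issued without it; the external and internal signing tasks in generate.yml have the same gap. Adding `-extfile "{{ kolla_certificates_dir }}/openssl-kolla-backend.cnf" -extensions v3_req` to this command, and the matching cnf to the two generate.yml tasks, carries the extensions through. Separately, the key-generation task guards with `creates: "{{ kolla_tls_backend_key }}"` while it writes `{{ backend_dir }}/backend.key`; if that variable points anywhere other than the file this play later copies to `backend-key.pem`, the key is regenerated on every run while the `creates:`-guarded CSR and certificate are not, leaving a certificate that no longer matches its key. Use `creates: "{{ backend_dir }}/backend.key"` as the root and generate.yml tasks do.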
@@ -0,0 +1,45 @@
+---
+- name: Ensuring ca directory exist
+ file:
+ path: "{{ kolla_certificates_dir }}/ca"
+ state: "directory"
+ mode: "0770"
+
+- name: Ensuring private root directory exist
+ file:
+ path: "{{ root_dir }}"
+ state: "directory"
+ mode: "0770"
+
+- name: Creating root Certificate key
+ command: >
+ openssl genrsa
+ -out "{{ root_dir }}/root.key"
+ 4096
+ args:
+ creates: "{{ root_dir }}/root.key"
+
+- name: Creating and sign root Certificate
+ command: >
+ openssl req
+ -x509
+ -new -nodes
+ -key "{{ root_dir }}/root.key"
+ -sha256
+ -days 1024
+ -out "{{ root_dir }}/root.crt"
+ -subj "/CN=KollaTestCA/"
+ args:
+ creates: "{{ root_dir }}/root.crt"
+
+- name: Setting permissions on root key
+ file:
+ path: "{{ root_dir }}/root.key"
+ mode: "0660"
+ state: file
+
+- name: Creating root Certificate file to be included in container trusted ca-certificates
+ copy:
+ src: "{{ root_dir }}/root.crt"
+ dest: "{{ kolla_certificates_dir }}/ca/root.crt"
+ mode: "0660"
diff --git a/ansible/roles/certificates/tasks/generate.yml b/ansible/roles/certificates/tasks/generate.yml
index 0647bfe3e9..1bd54aedc6 100644
--- a/ansible/roles/certificates/tasks/generate.yml
+++ b/ansible/roles/certificates/tasks/generate.yml
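Review bot: "Creating and sign root Certificate" runs `openssl req -x509` with `-subj` but no `-config` or `-extensions`, so whether the root carries `basicConstraints = CA:TRUE` and `keyUsage = keyCertSign` depends entirely on the `x509_extensions` setting of the host's default openssl.cnf; stock distro files select `v3_ca`, but on a host whose default config differs or is absent the root is issued without CA extensions and strict verifiers reject every chain built on it. Pointing the command at a config that defines a CA section, for example `-config "{{ kolla_certificates_dir }}/openssl-kolla.cnf" -extensions v3_ca` once that template has such a section, makes the result independent of the host. Also, root.key is the trust anchor for every certificate this role issues and, unlike the leaf keys, is neither assembled into a PEM nor copied anywhere in this change, so the "Setting permissions on root key" task can use `mode: "0600"` rather than the `"0660"` shared with the server keys. A comment on the signing task noting that the CA lifetime (`-days 1024`) must stay longer than the 365/500-day leaf lifetimes would help whoever tunes these numbers later.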
@@ -1,35 +1,14 @@ --- - name: Ensuring private internal directory exist file: - path: "{{ kolla_certificates_dir }}/private/internal" + path: "{{ internal_dir }}" state: "directory" - recurse: yes mode: "0770" - name: Ensuring private external directory exist file: - path: "{{ kolla_certificates_dir }}/private/external" + path: "{{ external_dir }}" state: "directory" - recurse: yes - mode: "0770" - -- name: Ensuring backend certificate and key directories exist - file: - path: "{{ item | dirname }}" - state: "directory" - recurse: yes - mode: "0770" - when: - - kolla_enable_tls_backend | bool - with_items: - - "{{ kolla_tls_backend_cert }}" - - "{{ kolla_tls_backend_key }}" - -- name: Ensuring ca directory exist - file: - path: "{{ kolla_certificates_dir }}/ca" - state: "directory" - recurse: yes mode: "0770" - block: 
@@ -40,56 +19,68 @@ mode: "0660" with_items: - "openssl-kolla.cnf" - - name: Creating external Key - command: creates="{{ item }}" openssl genrsa -out {{ item }} - with_items: - - "{{ kolla_certificates_dir }}/private/external/external.key" + + - name: Creating external Server Certificate key + command: > + openssl genrsa + -out "{{ external_dir }}/external.key" 2048 + args: + creates: "{{ external_dir }}/external.key" + + - name: Creating external Server Certificate signing request + command: > + openssl req + -new + -key "{{ external_dir }}/external.key" + -out "{{ external_dir }}/external.csr" + -config "{{ kolla_certificates_dir }}/openssl-kolla.cnf" + -sha256 + args: + creates: "{{ external_dir }}/external.csr" + + - name: Creating external Server Certificate + command: > + openssl x509 + -req + -in "{{ external_dir }}/external.csr" + -CA "{{ root_dir }}/root.crt" + -CAkey "{{ root_dir }}/root.key" + -CAcreateserial + -out "{{ external_dir }}/external.crt" + -days 365 + -sha256 + args: + creates: "{{ external_dir }}/external.crt" + - name: Setting permissions on external key file: - path: "{{ kolla_certificates_dir }}/private/external/external.key" + path: "{{ external_dir }}/external.key" mode: "0660" state: file - - name: Creating external Server Certificate - command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \ - -config {{ kolla_certificates_dir }}/openssl-kolla.cnf \ - -days 3650 \ - -extensions v3_req \ - -key {{ kolla_certificates_dir }}/private/external/external.key \ - -out {{ item }} - with_items: - - "{{ kolla_certificates_dir }}/private/external/external.crt" - - name: Creating external CA Certificate File - copy: - src: "{{ kolla_certificates_dir }}/private/external/external.crt" - dest: "{{ kolla_external_fqdn_cacert }}" - mode: "0660" + - name: Creating external Server PEM File assemble: - src: "{{ kolla_certificates_dir }}/private/external" + regexp: '.*[crt|key]' + src: "{{ external_dir }}" dest: "{{ kolla_external_fqdn_cert 
}}" mode: "0660" + + - name: Creating external CA Certificate File + copy: + src: "{{ root_dir }}/root.crt" + dest: "{{ kolla_external_fqdn_cacert }}" + mode: "0660" when: - kolla_enable_tls_external | bool - block: - - name: Copy the external certificate crt to be the internal when internal + external are same network - copy: - src: "{{ kolla_certificates_dir }}/private/external/external.crt" - dest: "{{ kolla_certificates_dir }}/private/internal/internal.crt" - remote_src: yes - mode: "0660" - - name: Copy the external certificate key to be the internal when internal + external are same network - copy: - src: "{{ kolla_certificates_dir }}/private/external/external.key" - dest: "{{ kolla_certificates_dir }}/private/internal/internal.key" - remote_src: yes - mode: "0660" - name: Copy the external PEM file to be the internal when internal + external are same network copy: src: "{{ kolla_external_fqdn_cert }}" dest: "{{ kolla_internal_fqdn_cert }}" remote_src: yes mode: "0660" + - name: Copy the external CA Certificate file to be the internal when internal + external are same network copy: src: "{{ kolla_external_fqdn_cacert }}" 
@@ -109,68 +100,57 @@ mode: "0660" with_items: - "openssl-kolla-internal.cnf" - - name: Creating internal Key - command: creates="{{ item }}" openssl genrsa -out {{ item }} - with_items: - - "{{ kolla_certificates_dir }}/private/internal/internal.key" + + - name: Creating internal Server Certificate key + command: > + openssl genrsa + -out "{{ internal_dir }}/internal.key" 2048 + args: + creates: "{{ internal_dir }}/internal.key" + + - name: Creating internal Server Certificate signing request + command: > + openssl req + -new + -key "{{ internal_dir }}/internal.key" + -out "{{ internal_dir }}/internal.csr" + -config "{{ kolla_certificates_dir }}/openssl-kolla-internal.cnf" + -sha256 + args: + creates: "{{ internal_dir }}/internal.csr" + + - name: Creating internal Server Certificate + command: > + openssl x509 + -req + -in "{{ internal_dir }}/internal.csr" + -CA "{{ root_dir }}/root.crt" + -CAkey "{{ root_dir }}/root.key" + -CAcreateserial + -out "{{ internal_dir }}/internal.crt" + -days 365 + -sha256 + args: + creates: "{{ internal_dir }}/internal.crt" + - name: Setting permissions on internal key file: - path: "{{ kolla_certificates_dir }}/private/internal/internal.key" + path: "{{ internal_dir }}/internal.key" mode: "0660" state: file - - name: Creating internal Server Certificate - command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \ - -config {{ kolla_certificates_dir }}/openssl-kolla-internal.cnf \ - -days 3650 \ - -extensions v3_req \ - -key {{ kolla_certificates_dir }}/private/internal/internal.key \ - -out {{ item }} - with_items: - - "{{ kolla_certificates_dir }}/private/internal/internal.crt" + - name: Creating internal CA Certificate File copy: - src: "{{ kolla_certificates_dir }}/private/internal/internal.crt" + src: "{{ root_dir }}/root.crt" dest: "{{ kolla_internal_fqdn_cacert }}" mode: "0660" + - name: Creating internal Server PEM File assemble: - src: "{{ kolla_certificates_dir }}/private/internal" + regexp: '.*[crt|key]' + src: 
"{{ internal_dir }}" dest: "{{ kolla_internal_fqdn_cert }}" mode: "0660" when: - kolla_enable_tls_internal | bool - not kolla_same_external_internal_vip | bool - -- block: - - name: Creating backend SSL configuration file - template: - src: "{{ item }}.j2" - dest: "{{ kolla_certificates_dir }}/{{ item }}" - mode: "0660" - with_items: - - "openssl-kolla-backend.cnf" - - name: Creating backend Key - command: creates="{{ item }}" openssl genrsa -out {{ item }} - with_items: - - "{{ kolla_tls_backend_key }}" - - name: Setting permissions on backend key - file: - path: "{{ kolla_tls_backend_key }}" - mode: "0660" - state: file - - name: Creating backend Server Certificate - command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \ - -config {{ kolla_certificates_dir }}/openssl-kolla-backend.cnf \ - -days 3650 \ - -extensions v3_req \ - -key {{ kolla_tls_backend_key }} \ - -out {{ item }} - with_items: - - "{{ kolla_tls_backend_cert }}" - - name: Creating backend Certificate file to be included in container trusted ca-certificates - copy: - src: "{{ kolla_tls_backend_cert }}" - dest: "{{ kolla_certificates_dir }}/ca/backend-cert.crt" - mode: "0660" - when: - - kolla_enable_tls_backend | bool diff --git a/ansible/roles/certificates/tasks/main.yml b/ansible/roles/certificates/tasks/main.yml index 23e2751e67..21b253bebb 100644 --- a/ansible/roles/certificates/tasks/main.yml +++ b/ansible/roles/certificates/tasks/main.yml @@ -1,2 +1,6 @@ --- +- include_tasks: generate-root.yml - include_tasks: generate.yml +- include_tasks: generate-backend.yml + when: + - kolla_enable_tls_backend | bool diff --git a/releasenotes/notes/generate-self-signed-root-ca-bc523acab7290cfe.yaml b/releasenotes/notes/generate-self-signed-root-ca-bc523acab7290cfe.yaml new file mode 100644 index 0000000000..d766d72d20 --- /dev/null +++ b/releasenotes/notes/generate-self-signed-root-ca-bc523acab7290cfe.yaml 
@@ -0,0 +1,11 @@
+---
+features:
+ - |
+ Self-signed TLS certificates can be used to test TLS in a
+ development OpenStack environment. The ``kolla-ansible certificates``
+ command will generate the required self-signed TLS certificates. This
+ command has been updated to first create a self-signed root certificate
+ authority. The command then generates the internal and external facing
+ certificates and signs them using the root CA. If backend TLS is enabled,
+ the command will generate the backend certificate and sign it with the
+ root CA.
diff --git a/tests/templates/globals-default.j2 b/tests/templates/globals-default.j2
index e44b46809d..72f2751014 100644
--- a/tests/templates/globals-default.j2
+++ b/tests/templates/globals-default.j2
@@ -122,10 +122,10 @@ kolla_enable_tls_internal: "yes"
kolla_copy_ca_into_containers: "yes"
kolla_enable_tls_backend: "yes"
{% if base_distro == "ubuntu" or base_distro == "debian" %}
-openstack_cacert: "/usr/local/share/ca-certificates/kolla-customca-haproxy-internal.crt"
+openstack_cacert: "/etc/ssl/certs/ca-certificates.crt"
{% endif %}
{% if base_distro == "centos" %}
-openstack_cacert: "/etc/pki/ca-trust/source/anchors/kolla-customca-haproxy-internal.crt"
+openstack_cacert: "/etc/pki/tls/certs/ca-bundle.crt"
{% endif %}
{% endif %}