Merge "Generate Root CA for Self-Signed Certificates"

ansible/roles/certificates/defaults/main.yml

@@ -0,0 +1,5 @@
+---
+root_dir: "{{ kolla_certificates_dir }}/private/root"
+external_dir: "{{ kolla_certificates_dir }}/private/external"
+internal_dir: "{{ kolla_certificates_dir }}/private/internal"
+backend_dir: "{{ kolla_certificates_dir }}/private/backend"

ansible/roles/certificates/tasks/generate-backend.yml

@@ -0,0 +1,64 @@
+---
+- name: Ensuring private backend directory exist
+  file:
+    path: "{{ backend_dir }}"
+    state: "directory"
+    mode: "0770"
+
+- name: Creating backend SSL configuration file
+  template:
+    src: "{{ item }}.j2"
+    dest: "{{ kolla_certificates_dir }}/{{ item }}"
+    mode: "0660"
+  with_items:
+    - "openssl-kolla-backend.cnf"
+
+- name: Creating backend Server Certificate key
+  command: >
+    openssl genrsa
+    -out "{{ backend_dir }}/backend.key" 2048
+  args:
+    creates: "{{ kolla_tls_backend_key }}"
+
+- name: Creating backend Server Certificate signing request
+  command: >
+    openssl req
+    -new
+    -key "{{ backend_dir }}/backend.key"
+    -out "{{ backend_dir }}/backend.csr"
+    -config "{{ kolla_certificates_dir }}/openssl-kolla-backend.cnf"
+    -sha256
+  args:
+    creates: "{{ backend_dir }}/backend.csr"
+
+- name: Creating backend Server Certificate
+  command: >
+    openssl x509
+    -req
+    -in "{{ backend_dir }}/backend.csr"
+    -CA "{{ root_dir }}/root.crt"
+    -CAkey "{{ root_dir }}/root.key"
+    -CAcreateserial
+    -out "{{ backend_dir }}/backend.crt"
+    -days 500
+    -sha256
+  args:
+    creates: "{{ backend_dir }}/backend.crt"
+
+- name: Setting permissions on backend key
+  file:
+    path: "{{ backend_dir }}/backend.key"
+    mode: "0660"
+    state: file
+
+- name: Copy backend cert to default configuration location
+  copy:
+    src: "{{ backend_dir }}/backend.crt"
+    dest: "{{ kolla_certificates_dir }}/backend-cert.pem"
+    mode: "0660"
+
+- name: Copy backend key to default configuration location
+  copy:
+    src: "{{ backend_dir }}/backend.key"
+    dest: "{{ kolla_certificates_dir }}/backend-key.pem"
+    mode: "0660"

ansible/roles/certificates/tasks/generate-root.yml

@@ -0,0 +1,45 @@
+---
+- name: Ensuring ca directory exist
+  file:
+    path: "{{ kolla_certificates_dir }}/ca"
+    state: "directory"
+    mode: "0770"
+
+- name: Ensuring private root directory exist
+  file:
+    path: "{{ root_dir }}"
+    state: "directory"
+    mode: "0770"
+
+- name: Creating root Certificate key
+  command: >
+    openssl genrsa
+    -out "{{ root_dir }}/root.key"
+    4096
+  args:
+    creates: "{{ root_dir }}/root.key"
+
+- name: Creating and sign root Certificate
+  command: >
+    openssl req
+    -x509
+    -new -nodes
+    -key "{{ root_dir }}/root.key"
+    -sha256
+    -days 1024
+    -out "{{ root_dir }}/root.crt"
+    -subj "/CN=KollaTestCA/"
+  args:
+    creates: "{{ root_dir }}/root.crt"
+
+- name: Setting permissions on root key
+  file:
+    path: "{{ root_dir }}/root.key"
+    mode: "0660"
+    state: file
+
+- name: Creating root Certificate file to be included in container trusted ca-certificates
+  copy:
+    src: "{{ root_dir }}/root.crt"
+    dest: "{{ kolla_certificates_dir }}/ca/root.crt"
+    mode: "0660"

ansible/roles/certificates/tasks/generate.yml

@@ -1,35 +1,14 @@
 ---
 - name: Ensuring private internal directory exist
   file:
-    path: "{{ kolla_certificates_dir }}/private/internal"
+    path: "{{ internal_dir }}"
     state: "directory"
-    recurse: yes
     mode: "0770"
 
 - name: Ensuring private external directory exist
   file:
-    path: "{{ kolla_certificates_dir }}/private/external"
+    path: "{{ external_dir }}"
     state: "directory"
-    recurse: yes
-    mode: "0770"
-
-- name: Ensuring backend certificate and key directories exist
-  file:
-    path: "{{ item | dirname }}"
-    state: "directory"
-    recurse: yes
-    mode: "0770"
-  when:
-    - kolla_enable_tls_backend | bool
-  with_items:
-    - "{{ kolla_tls_backend_cert }}"
-    - "{{ kolla_tls_backend_key }}"
-
-- name: Ensuring ca directory exist
-  file:
-    path: "{{ kolla_certificates_dir }}/ca"
-    state: "directory"
-    recurse: yes
     mode: "0770"
 
 - block:
@@ -40,56 +19,68 @@
         mode: "0660"
       with_items:
         - "openssl-kolla.cnf"
-    - name: Creating external Key
+
-      command: creates="{{ item }}" openssl genrsa -out {{ item }}
+    - name: Creating external Server Certificate key
-      with_items:
+      command: >
-        - "{{ kolla_certificates_dir }}/private/external/external.key"
+        openssl genrsa
+        -out "{{ external_dir }}/external.key" 2048
+      args:
+        creates: "{{ external_dir }}/external.key"
+
+    - name: Creating external Server Certificate signing request
+      command: >
+        openssl req
+        -new
+        -key "{{ external_dir }}/external.key"
+        -out "{{ external_dir }}/external.csr"
+        -config "{{ kolla_certificates_dir }}/openssl-kolla.cnf"
+        -sha256
+      args:
+        creates: "{{ external_dir }}/external.csr"
+
+    - name: Creating external Server Certificate
+      command: >
+        openssl x509
+        -req
+        -in "{{ external_dir }}/external.csr"
+        -CA "{{ root_dir }}/root.crt"
+        -CAkey "{{ root_dir }}/root.key"
+        -CAcreateserial
+        -out "{{ external_dir }}/external.crt"
+        -days 365
+        -sha256
+      args:
+        creates: "{{ external_dir }}/external.crt"
+
     - name: Setting permissions on external key
       file:
-        path: "{{ kolla_certificates_dir }}/private/external/external.key"
+        path: "{{ external_dir }}/external.key"
         mode: "0660"
         state: file
-    - name: Creating external Server Certificate
+
-      command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \
-        -config {{ kolla_certificates_dir }}/openssl-kolla.cnf \
-        -days 3650 \
-        -extensions v3_req \
-        -key {{ kolla_certificates_dir }}/private/external/external.key \
-        -out {{ item }}
-      with_items:
-        - "{{ kolla_certificates_dir }}/private/external/external.crt"
-    - name: Creating external CA Certificate File
-      copy:
-        src: "{{ kolla_certificates_dir }}/private/external/external.crt"
-        dest: "{{ kolla_external_fqdn_cacert }}"
-        mode: "0660"
     - name: Creating external Server PEM File
       assemble:
-        src: "{{ kolla_certificates_dir }}/private/external"
+        regexp: '.*[crt|key]'
+        src: "{{ external_dir }}"
         dest: "{{ kolla_external_fqdn_cert }}"
         mode: "0660"
+
+    - name: Creating external CA Certificate File
+      copy:
+        src: "{{ root_dir }}/root.crt"
+        dest: "{{ kolla_external_fqdn_cacert }}"
+        mode: "0660"
   when:
     - kolla_enable_tls_external | bool
 
 - block:
-    - name: Copy the external certificate crt to be the internal when internal + external are same network
-      copy:
-        src: "{{ kolla_certificates_dir }}/private/external/external.crt"
-        dest: "{{ kolla_certificates_dir }}/private/internal/internal.crt"
-        remote_src: yes
-        mode: "0660"
-    - name: Copy the external certificate key to be the internal when internal + external are same network
-      copy:
-        src: "{{ kolla_certificates_dir }}/private/external/external.key"
-        dest: "{{ kolla_certificates_dir }}/private/internal/internal.key"
-        remote_src: yes
-        mode: "0660"
     - name: Copy the external PEM file to be the internal when internal + external are same network
       copy:
         src: "{{ kolla_external_fqdn_cert }}"
         dest: "{{ kolla_internal_fqdn_cert }}"
         remote_src: yes
         mode: "0660"
+
     - name: Copy the external CA Certificate file to be the internal when internal + external are same network
       copy:
         src: "{{ kolla_external_fqdn_cacert }}"
@@ -109,68 +100,57 @@
         mode: "0660"
       with_items:
         - "openssl-kolla-internal.cnf"
-    - name: Creating internal Key
+
-      command: creates="{{ item }}" openssl genrsa -out {{ item }}
+    - name: Creating internal Server Certificate key
-      with_items:
+      command: >
-        - "{{ kolla_certificates_dir }}/private/internal/internal.key"
+        openssl genrsa
+        -out "{{ internal_dir }}/internal.key" 2048
+      args:
+        creates: "{{ internal_dir }}/internal.key"
+
+    - name: Creating internal Server Certificate signing request
+      command: >
+        openssl req
+        -new
+        -key "{{ internal_dir }}/internal.key"
+        -out "{{ internal_dir }}/internal.csr"
+        -config "{{ kolla_certificates_dir }}/openssl-kolla-internal.cnf"
+        -sha256
+      args:
+        creates: "{{ internal_dir }}/internal.csr"
+
+    - name: Creating internal Server Certificate
+      command: >
+        openssl x509
+        -req
+        -in "{{ internal_dir }}/internal.csr"
+        -CA "{{ root_dir }}/root.crt"
+        -CAkey "{{ root_dir }}/root.key"
+        -CAcreateserial
+        -out "{{ internal_dir }}/internal.crt"
+        -days 365
+        -sha256
+      args:
+        creates: "{{ internal_dir }}/internal.crt"
+
     - name: Setting permissions on internal key
       file:
-        path: "{{ kolla_certificates_dir }}/private/internal/internal.key"
+        path: "{{ internal_dir }}/internal.key"
         mode: "0660"
         state: file
-    - name: Creating internal Server Certificate
+
-      command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \
-        -config {{ kolla_certificates_dir }}/openssl-kolla-internal.cnf \
-        -days 3650 \
-        -extensions v3_req \
-        -key {{ kolla_certificates_dir }}/private/internal/internal.key \
-        -out {{ item }}
-      with_items:
-        - "{{ kolla_certificates_dir }}/private/internal/internal.crt"
     - name: Creating internal CA Certificate File
       copy:
-        src: "{{ kolla_certificates_dir }}/private/internal/internal.crt"
+        src: "{{ root_dir }}/root.crt"
         dest: "{{ kolla_internal_fqdn_cacert }}"
         mode: "0660"
+
     - name: Creating internal Server PEM File
       assemble:
-        src: "{{ kolla_certificates_dir }}/private/internal"
+        regexp: '.*[crt|key]'
+        src: "{{ internal_dir }}"
         dest: "{{ kolla_internal_fqdn_cert }}"
         mode: "0660"
   when:
     - kolla_enable_tls_internal | bool
     - not kolla_same_external_internal_vip | bool
-
-- block:
-    - name: Creating backend SSL configuration file
-      template:
-        src: "{{ item }}.j2"
-        dest: "{{ kolla_certificates_dir }}/{{ item }}"
-        mode: "0660"
-      with_items:
-        - "openssl-kolla-backend.cnf"
-    - name: Creating backend Key
-      command: creates="{{ item }}" openssl genrsa -out {{ item }}
-      with_items:
-        - "{{ kolla_tls_backend_key }}"
-    - name: Setting permissions on backend key
-      file:
-        path: "{{ kolla_tls_backend_key }}"
-        mode: "0660"
-        state: file
-    - name: Creating backend Server Certificate
-      command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \
-        -config {{ kolla_certificates_dir }}/openssl-kolla-backend.cnf \
-        -days 3650 \
-        -extensions v3_req \
-        -key {{ kolla_tls_backend_key }} \
-        -out {{ item }}
-      with_items:
-        - "{{ kolla_tls_backend_cert }}"
-    - name: Creating backend Certificate file to be included in container trusted ca-certificates
-      copy:
-        src: "{{ kolla_tls_backend_cert }}"
-        dest: "{{ kolla_certificates_dir }}/ca/backend-cert.crt"
-        mode: "0660"
-  when:
-    - kolla_enable_tls_backend | bool

ansible/roles/certificates/tasks/main.yml

@@ -1,2 +1,6 @@
 ---
+- include_tasks: generate-root.yml
 - include_tasks: generate.yml
+- include_tasks: generate-backend.yml
+  when:
+    - kolla_enable_tls_backend | bool

releasenotes/notes/generate-self-signed-root-ca-bc523acab7290cfe.yaml

@@ -0,0 +1,11 @@
+---
+features:
+  - |
+    Self-signed TLS certificates can be used to test TLS in a
+    development OpenStack environment. The ``kolla-ansible certificates``
+    command will generate the required self-signed TLS certificates. This
+    command has been updated to first create a self-signed root certificate
+    authority. The command then generates the internal and external facing
+    certificates and signs them using the root CA. If backend TLS is enabled,
+    the command will generate the backend certificate and sign it with the
+    root CA.

tests/templates/globals-default.j2

@@ -122,10 +122,10 @@ kolla_enable_tls_internal: "yes"
 kolla_copy_ca_into_containers: "yes"
 kolla_enable_tls_backend: "yes"
 {% if base_distro == "ubuntu" or base_distro == "debian" %}
-openstack_cacert: "/usr/local/share/ca-certificates/kolla-customca-haproxy-internal.crt"
+openstack_cacert: "/etc/ssl/certs/ca-certificates.crt"
 {% endif %}
 {% if base_distro == "centos" %}
-openstack_cacert: "/etc/pki/ca-trust/source/anchors/kolla-customca-haproxy-internal.crt"
+openstack_cacert: "/etc/pki/tls/certs/ca-bundle.crt"
 {% endif %}
 {% endif %}