Merge "Generate Root CA for Self-Signed Certificates"
This commit is contained in:
commit
e7f39d31e9
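--- a/ansible/roles/certificates/defaults/main.yml
+++ b/ansible/roles/certificates/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+root_dir: "{{ kolla_certificates_dir }}/private/root"
+external_dir: "{{ kolla_certificates_dir }}/private/external"
+internal_dir: "{{ kolla_certificates_dir }}/private/internal"
+backend_dir: "{{ kolla_certificates_dir }}/private/backend"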
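--- a/ansible/roles/certificates/tasks/generate-backend.yml
+++ b/ansible/roles/certificates/tasks/generate-backend.yml
@@ -0,0 +1,64 @@
+---
+- name: Ensuring private backend directory exist
+  file:
+    path: "{{ backend_dir }}"
+    state: "directory"
+    mode: "0770"
+
+- name: Creating backend SSL configuration file
+  template:
+    src: "{{ item }}.j2"
+    dest: "{{ kolla_certificates_dir }}/{{ item }}"
+    mode: "0660"
+  with_items:
+    - "openssl-kolla-backend.cnf"
+
+- name: Creating backend Server Certificate key
+  command: >
+    openssl genrsa
+    -out "{{ backend_dir }}/backend.key" 2048
+  args:
+    creates: "{{ kolla_tls_backend_key }}"
+
+- name: Creating backend Server Certificate signing request
+  command: >
+    openssl req
+    -new
+    -key "{{ backend_dir }}/backend.key"
+    -out "{{ backend_dir }}/backend.csr"
+    -config "{{ kolla_certificates_dir }}/openssl-kolla-backend.cnf"
+    -sha256
+  args:
+    creates: "{{ backend_dir }}/backend.csr"
+
+- name: Creating backend Server Certificate
+  command: >
+    openssl x509
+    -req
+    -in "{{ backend_dir }}/backend.csr"
+    -CA "{{ root_dir }}/root.crt"
+    -CAkey "{{ root_dir }}/root.key"
+    -CAcreateserial
+    -out "{{ backend_dir }}/backend.crt"
+    -days 500
+    -sha256
+  args:
+    creates: "{{ backend_dir }}/backend.crt"
+
+- name: Setting permissions on backend key
+  file:
+    path: "{{ backend_dir }}/backend.key"
+    mode: "0660"
+    state: file
+
+- name: Copy backend cert to default configuration location
+  copy:
+    src: "{{ backend_dir }}/backend.crt"
+    dest: "{{ kolla_certificates_dir }}/backend-cert.pem"
+    mode: "0660"
+
+- name: Copy backend key to default configuration location
+  copy:
+    src: "{{ backend_dir }}/backend.key"
+    dest: "{{ kolla_certificates_dir }}/backend-key.pem"
+    mode: "0660"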
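Review bot: The `creates:` guard on the "Creating backend Server Certificate key" task checks `{{ kolla_tls_backend_key }}` while the command writes `{{ backend_dir }}/backend.key`, so unless those resolve to the same file the key is regenerated on every run while the CSR and certificate, guarded by their own `creates:`, are not, leaving key and certificate mismatched; it should read `creates: "{{ backend_dir }}/backend.key"`. The "Creating backend Server Certificate" task signs with `openssl x509 -req` and no `-extfile`/`-extensions`, and x509 -req does not carry request extensions across from the CSR, so the issued certificate loses whatever the v3_req section of the cnf defines (the removed `openssl req -x509 -extensions v3_req` form did apply it), typically subjectAltName, which current TLS clients require for hostname matching; the external and internal signing tasks in generate.yml have the same gap. Adding `-extfile "{{ kolla_certificates_dir }}/openssl-kolla-backend.cnf" -extensions v3_req` to the x509 command (and the matching cnf in the other two tasks) restores them. `-days 500` here also differs from the 365 used for the external and internal certificates.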
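--- a/ansible/roles/certificates/tasks/generate-root.yml
+++ b/ansible/roles/certificates/tasks/generate-root.yml
@@ -0,0 +1,45 @@
+---
+- name: Ensuring ca directory exist
+  file:
+    path: "{{ kolla_certificates_dir }}/ca"
+    state: "directory"
+    mode: "0770"
+
+- name: Ensuring private root directory exist
+  file:
+    path: "{{ root_dir }}"
+    state: "directory"
+    mode: "0770"
+
+- name: Creating root Certificate key
+  command: >
+    openssl genrsa
+    -out "{{ root_dir }}/root.key"
+    4096
+  args:
+    creates: "{{ root_dir }}/root.key"
+
+- name: Creating and sign root Certificate
+  command: >
+    openssl req
+    -x509
+    -new -nodes
+    -key "{{ root_dir }}/root.key"
+    -sha256
+    -days 1024
+    -out "{{ root_dir }}/root.crt"
+    -subj "/CN=KollaTestCA/"
+  args:
+    creates: "{{ root_dir }}/root.crt"
+
+- name: Setting permissions on root key
+  file:
+    path: "{{ root_dir }}/root.key"
+    mode: "0660"
+    state: file
+
+- name: Creating root Certificate file to be included in container trusted ca-certificates
+  copy:
+    src: "{{ root_dir }}/root.crt"
+    dest: "{{ kolla_certificates_dir }}/ca/root.crt"
+    mode: "0660"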
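Review bot: root.key is the trust anchor for every certificate this role issues, yet the "Setting permissions on root key" task leaves it at `mode: "0660"` and the directory task at "0770", so the key is readable and writable by the whole group; `mode: "0600"` on the key (and "0700" on `root_dir`) is all the signing tasks need, assuming they run as the same user as this one. The "Creating and sign root Certificate" task passes no `-config`, so the basicConstraints CA:TRUE that makes root.crt acceptable as an issuer comes from the host's default openssl.cnf (`x509_extensions = v3_ca` on the common distributions) rather than from the role; on a host with a different default the leaf certificates would fail chain verification, so passing `-config` with an explicit CA extension section would make the result reproducible. `-nodes` leaves the key unencrypted, which fits the test-only use the release note describes but deserves a comment on the task such as `# unencrypted key: test-only CA, see release note`.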
@ -1,35 +1,14 @@
|
||||
---
|
||||
- name: Ensuring private internal directory exist
|
||||
file:
|
||||
path: "{{ kolla_certificates_dir }}/private/internal"
|
||||
path: "{{ internal_dir }}"
|
||||
state: "directory"
|
||||
recurse: yes
|
||||
mode: "0770"
|
||||
|
||||
- name: Ensuring private external directory exist
|
||||
file:
|
||||
path: "{{ kolla_certificates_dir }}/private/external"
|
||||
path: "{{ external_dir }}"
|
||||
state: "directory"
|
||||
recurse: yes
|
||||
mode: "0770"
|
||||
|
||||
- name: Ensuring backend certificate and key directories exist
|
||||
file:
|
||||
path: "{{ item | dirname }}"
|
||||
state: "directory"
|
||||
recurse: yes
|
||||
mode: "0770"
|
||||
when:
|
||||
- kolla_enable_tls_backend | bool
|
||||
with_items:
|
||||
- "{{ kolla_tls_backend_cert }}"
|
||||
- "{{ kolla_tls_backend_key }}"
|
||||
|
||||
- name: Ensuring ca directory exist
|
||||
file:
|
||||
path: "{{ kolla_certificates_dir }}/ca"
|
||||
state: "directory"
|
||||
recurse: yes
|
||||
mode: "0770"
|
||||
|
||||
- block:
|
||||
@ -40,56 +19,68 @@
|
||||
mode: "0660"
|
||||
with_items:
|
||||
- "openssl-kolla.cnf"
|
||||
- name: Creating external Key
|
||||
command: creates="{{ item }}" openssl genrsa -out {{ item }}
|
||||
with_items:
|
||||
- "{{ kolla_certificates_dir }}/private/external/external.key"
|
||||
|
||||
- name: Creating external Server Certificate key
|
||||
command: >
|
||||
openssl genrsa
|
||||
-out "{{ external_dir }}/external.key" 2048
|
||||
args:
|
||||
creates: "{{ external_dir }}/external.key"
|
||||
|
||||
- name: Creating external Server Certificate signing request
|
||||
command: >
|
||||
openssl req
|
||||
-new
|
||||
-key "{{ external_dir }}/external.key"
|
||||
-out "{{ external_dir }}/external.csr"
|
||||
-config "{{ kolla_certificates_dir }}/openssl-kolla.cnf"
|
||||
-sha256
|
||||
args:
|
||||
creates: "{{ external_dir }}/external.csr"
|
||||
|
||||
- name: Creating external Server Certificate
|
||||
command: >
|
||||
openssl x509
|
||||
-req
|
||||
-in "{{ external_dir }}/external.csr"
|
||||
-CA "{{ root_dir }}/root.crt"
|
||||
-CAkey "{{ root_dir }}/root.key"
|
||||
-CAcreateserial
|
||||
-out "{{ external_dir }}/external.crt"
|
||||
-days 365
|
||||
-sha256
|
||||
args:
|
||||
creates: "{{ external_dir }}/external.crt"
|
||||
|
||||
- name: Setting permissions on external key
|
||||
file:
|
||||
path: "{{ kolla_certificates_dir }}/private/external/external.key"
|
||||
path: "{{ external_dir }}/external.key"
|
||||
mode: "0660"
|
||||
state: file
|
||||
- name: Creating external Server Certificate
|
||||
command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \
|
||||
-config {{ kolla_certificates_dir }}/openssl-kolla.cnf \
|
||||
-days 3650 \
|
||||
-extensions v3_req \
|
||||
-key {{ kolla_certificates_dir }}/private/external/external.key \
|
||||
-out {{ item }}
|
||||
with_items:
|
||||
- "{{ kolla_certificates_dir }}/private/external/external.crt"
|
||||
- name: Creating external CA Certificate File
|
||||
copy:
|
||||
src: "{{ kolla_certificates_dir }}/private/external/external.crt"
|
||||
dest: "{{ kolla_external_fqdn_cacert }}"
|
||||
mode: "0660"
|
||||
|
||||
- name: Creating external Server PEM File
|
||||
assemble:
|
||||
src: "{{ kolla_certificates_dir }}/private/external"
|
||||
regexp: '.*[crt|key]'
|
||||
src: "{{ external_dir }}"
|
||||
dest: "{{ kolla_external_fqdn_cert }}"
|
||||
mode: "0660"
|
||||
|
||||
- name: Creating external CA Certificate File
|
||||
copy:
|
||||
src: "{{ root_dir }}/root.crt"
|
||||
dest: "{{ kolla_external_fqdn_cacert }}"
|
||||
mode: "0660"
|
||||
when:
|
||||
- kolla_enable_tls_external | bool
|
||||
|
||||
- block:
|
||||
- name: Copy the external certificate crt to be the internal when internal + external are same network
|
||||
copy:
|
||||
src: "{{ kolla_certificates_dir }}/private/external/external.crt"
|
||||
dest: "{{ kolla_certificates_dir }}/private/internal/internal.crt"
|
||||
remote_src: yes
|
||||
mode: "0660"
|
||||
- name: Copy the external certificate key to be the internal when internal + external are same network
|
||||
copy:
|
||||
src: "{{ kolla_certificates_dir }}/private/external/external.key"
|
||||
dest: "{{ kolla_certificates_dir }}/private/internal/internal.key"
|
||||
remote_src: yes
|
||||
mode: "0660"
|
||||
- name: Copy the external PEM file to be the internal when internal + external are same network
|
||||
copy:
|
||||
src: "{{ kolla_external_fqdn_cert }}"
|
||||
dest: "{{ kolla_internal_fqdn_cert }}"
|
||||
remote_src: yes
|
||||
mode: "0660"
|
||||
|
||||
- name: Copy the external CA Certificate file to be the internal when internal + external are same network
|
||||
copy:
|
||||
src: "{{ kolla_external_fqdn_cacert }}"
|
||||
@ -109,68 +100,57 @@
|
||||
mode: "0660"
|
||||
with_items:
|
||||
- "openssl-kolla-internal.cnf"
|
||||
- name: Creating internal Key
|
||||
command: creates="{{ item }}" openssl genrsa -out {{ item }}
|
||||
with_items:
|
||||
- "{{ kolla_certificates_dir }}/private/internal/internal.key"
|
||||
|
||||
- name: Creating internal Server Certificate key
|
||||
command: >
|
||||
openssl genrsa
|
||||
-out "{{ internal_dir }}/internal.key" 2048
|
||||
args:
|
||||
creates: "{{ internal_dir }}/internal.key"
|
||||
|
||||
- name: Creating internal Server Certificate signing request
|
||||
command: >
|
||||
openssl req
|
||||
-new
|
||||
-key "{{ internal_dir }}/internal.key"
|
||||
-out "{{ internal_dir }}/internal.csr"
|
||||
-config "{{ kolla_certificates_dir }}/openssl-kolla-internal.cnf"
|
||||
-sha256
|
||||
args:
|
||||
creates: "{{ internal_dir }}/internal.csr"
|
||||
|
||||
- name: Creating internal Server Certificate
|
||||
command: >
|
||||
openssl x509
|
||||
-req
|
||||
-in "{{ internal_dir }}/internal.csr"
|
||||
-CA "{{ root_dir }}/root.crt"
|
||||
-CAkey "{{ root_dir }}/root.key"
|
||||
-CAcreateserial
|
||||
-out "{{ internal_dir }}/internal.crt"
|
||||
-days 365
|
||||
-sha256
|
||||
args:
|
||||
creates: "{{ internal_dir }}/internal.crt"
|
||||
|
||||
- name: Setting permissions on internal key
|
||||
file:
|
||||
path: "{{ kolla_certificates_dir }}/private/internal/internal.key"
|
||||
path: "{{ internal_dir }}/internal.key"
|
||||
mode: "0660"
|
||||
state: file
|
||||
- name: Creating internal Server Certificate
|
||||
command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \
|
||||
-config {{ kolla_certificates_dir }}/openssl-kolla-internal.cnf \
|
||||
-days 3650 \
|
||||
-extensions v3_req \
|
||||
-key {{ kolla_certificates_dir }}/private/internal/internal.key \
|
||||
-out {{ item }}
|
||||
with_items:
|
||||
- "{{ kolla_certificates_dir }}/private/internal/internal.crt"
|
||||
|
||||
- name: Creating internal CA Certificate File
|
||||
copy:
|
||||
src: "{{ kolla_certificates_dir }}/private/internal/internal.crt"
|
||||
src: "{{ root_dir }}/root.crt"
|
||||
dest: "{{ kolla_internal_fqdn_cacert }}"
|
||||
mode: "0660"
|
||||
|
||||
- name: Creating internal Server PEM File
|
||||
assemble:
|
||||
src: "{{ kolla_certificates_dir }}/private/internal"
|
||||
regexp: '.*[crt|key]'
|
||||
src: "{{ internal_dir }}"
|
||||
dest: "{{ kolla_internal_fqdn_cert }}"
|
||||
mode: "0660"
|
||||
when:
|
||||
- kolla_enable_tls_internal | bool
|
||||
- not kolla_same_external_internal_vip | bool
|
||||
|
||||
- block:
|
||||
- name: Creating backend SSL configuration file
|
||||
template:
|
||||
src: "{{ item }}.j2"
|
||||
dest: "{{ kolla_certificates_dir }}/{{ item }}"
|
||||
mode: "0660"
|
||||
with_items:
|
||||
- "openssl-kolla-backend.cnf"
|
||||
- name: Creating backend Key
|
||||
command: creates="{{ item }}" openssl genrsa -out {{ item }}
|
||||
with_items:
|
||||
- "{{ kolla_tls_backend_key }}"
|
||||
- name: Setting permissions on backend key
|
||||
file:
|
||||
path: "{{ kolla_tls_backend_key }}"
|
||||
mode: "0660"
|
||||
state: file
|
||||
- name: Creating backend Server Certificate
|
||||
command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \
|
||||
-config {{ kolla_certificates_dir }}/openssl-kolla-backend.cnf \
|
||||
-days 3650 \
|
||||
-extensions v3_req \
|
||||
-key {{ kolla_tls_backend_key }} \
|
||||
-out {{ item }}
|
||||
with_items:
|
||||
- "{{ kolla_tls_backend_cert }}"
|
||||
- name: Creating backend Certificate file to be included in container trusted ca-certificates
|
||||
copy:
|
||||
src: "{{ kolla_tls_backend_cert }}"
|
||||
dest: "{{ kolla_certificates_dir }}/ca/backend-cert.crt"
|
||||
mode: "0660"
|
||||
when:
|
||||
- kolla_enable_tls_backend | bool
|
||||
|
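Review bot: With the `regexp` filter apparently removed from the two `assemble` tasks ("Creating external Server PEM File" and "Creating internal Server PEM File"), they concatenate every file in `external_dir` / `internal_dir`, and those directories now also contain the `.csr` written by the new signing-request tasks, so the PEM placed at `kolla_external_fqdn_cert` / `kolla_internal_fqdn_cert` carries a CERTIFICATE REQUEST block between certificate and key. Whether the service reading that PEM tolerates the extra block is not visible here, but limiting the bundle is cheap: `regexp: '\.(crt|key)$'` on both tasks; the old pattern `.*[crt|key]` was a character class rather than an alternation and so never filtered reliably, which would be the fix if that line is in fact kept. The leaf certificates are issued for `-days 365` here versus `-days 500` in generate-backend.yml; one role default would keep them consistent. The block containing the internal tasks begins before the third hunk.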
@ -1,2 +1,6 @@
|
||||
---
|
||||
- include_tasks: generate-root.yml
|
||||
- include_tasks: generate.yml
|
||||
- include_tasks: generate-backend.yml
|
||||
when:
|
||||
- kolla_enable_tls_backend | bool
|
||||
|
@ -0,0 +1,11 @@
|
||||
---
|
||||
features:
|
||||
- |
|
||||
Self-signed TLS certificates can be used to test TLS in a
|
||||
development OpenStack environment. The ``kolla-ansible certificates``
|
||||
command will generate the required self-signed TLS certificates. This
|
||||
command has been updated to first create a self-signed root certificate
|
||||
authority. The command then generates the internal and external facing
|
||||
certificates and signs them using the root CA. If backend TLS is enabled,
|
||||
the command will generate the backend certificate and sign it with the
|
||||
root CA.
|
@ -122,10 +122,10 @@ kolla_enable_tls_internal: "yes"
|
||||
kolla_copy_ca_into_containers: "yes"
|
||||
kolla_enable_tls_backend: "yes"
|
||||
{% if base_distro == "ubuntu" or base_distro == "debian" %}
|
||||
openstack_cacert: "/usr/local/share/ca-certificates/kolla-customca-haproxy-internal.crt"
|
||||
openstack_cacert: "/etc/ssl/certs/ca-certificates.crt"
|
||||
{% endif %}
|
||||
{% if base_distro == "centos" %}
|
||||
openstack_cacert: "/etc/pki/ca-trust/source/anchors/kolla-customca-haproxy-internal.crt"
|
||||
openstack_cacert: "/etc/pki/tls/certs/ca-bundle.crt"
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
|
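Review bot: Pointing `openstack_cacert` at the distribution's full trust bundle (`/etc/ssl/certs/ca-certificates.crt`, `/etc/pki/tls/certs/ca-bundle.crt`) instead of the single Kolla CA file widens what clients accept from one CA to every CA in the system store, and it only works because `kolla_copy_ca_into_containers: "yes"` a few lines above gets root.crt merged into that bundle; that dependency deserves a comment next to the setting, e.g. `# system bundle: the generated root CA is merged into it via kolla_copy_ca_into_containers`. If the CI intent is to trust only the generated CA, the path of the installed root.crt alone would be the tighter setting, but the hunk does not show where the copy step places it. The enclosing `{% if %}` opens before the hunk.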