From fd2808722950d4a1bdbb8efc60d4e2b6419a72f1 Mon Sep 17 00:00:00 2001
From: Dave McCowan
Date: Sat, 20 Feb 2016 14:54:41 -0500
Subject: [PATCH] Add Ansible scripts to generate TLS certificates for testing

Working towards the blueprint that will add TLS protection for the external endpoints, kolla needs certificates. When kolla deploys OpenStack, the external VIP will need a server side certifcate. Clients that access those endpoints will need the public CA certificate that signed that certificate. This ansible script will create these two certificates to make it easy to use TLS in a test environment.

The generated certificate files are:
/etc/kolla/certificates/haproxy.pem (server side certificate)
/etc/kolla/certificates/haproxy-ca.pem (CA certificate)

The generated certificates are not suitable for use in a production environment, but will be useful for testing and verifying operations.

Partially-implements: blueprint ssl-kolla
Change-Id: I208777f9e5eee3bfb06810c7b18a2727beda234d
---
 ansible/certificates.yml | 4 ++
 ansible/roles/certificates/tasks/generate.yml | 41 +++++++++++++++++++
 ansible/roles/certificates/tasks/main.yml | 2 +
 .../templates/openssl-kolla.cnf.j2 | 16 ++++++++
 tools/kolla-ansible | 6 +++
 5 files changed, 69 insertions(+)
 create mode 100644 ansible/certificates.yml
 create mode 100644 ansible/roles/certificates/tasks/generate.yml
 create mode 100644 ansible/roles/certificates/tasks/main.yml
 create mode 100644 ansible/roles/certificates/templates/openssl-kolla.cnf.j2

diff --git a/ansible/certificates.yml b/ansible/certificates.yml
new file mode 100644
index 0000000000..410c698e99
--- /dev/null
+++ b/ansible/certificates.yml
@@ -0,0 +1,4 @@
+---
+- hosts: all
+  roles:
+    - certificates
diff --git a/ansible/roles/certificates/tasks/generate.yml b/ansible/roles/certificates/tasks/generate.yml
new file mode 100644
index 0000000000..dd82bbdd13
--- /dev/null
+++ b/ansible/roles/certificates/tasks/generate.yml
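Review bot: `hosts: all` runs the certificates role on every inventory host, so each host generates its own RSA key and self-signed certificate under its `node_config_directory`; hosts that serve the same external VIP would then present different certificates, and a client would need every host's CA file rather than the single haproxy-ca.pem the commit description promises. If the intent is one key pair produced on the deploy node, `hosts: localhost` with `connection: local` (or `run_once: true` on the generating tasks) would make that explicit; I am inferring the intent from the description, so please confirm. The play also sets neither `become` nor `connection`, so whether it can write under `/etc/kolla` depends on how tools/kolla-ansible invokes it, which this hunk does not show.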
@@ -0,0 +1,41 @@
+---
+- name: Ensuring config directories exist
+  file:
+    path: "{{ node_config_directory }}/{{ item }}"
+    state: "directory"
+    recurse: yes
+  with_items:
+    - "certificates/private"
+
+- name: Creating SSL configuration file
+  template:
+    src: "{{ item }}.j2"
+    dest: "{{ node_config_directory }}/certificates/{{ item }}"
+  with_items:
+    - "openssl-kolla.cnf"
+
+- name: Creating Key
+  command: creates="{{ item }}" openssl genrsa -out {{ item }}
+  with_items:
+    - "{{ node_config_directory }}/certificates/private/haproxy.key"
+
+- name: Creating Server Certificate
+  command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \
+    -subj "/C=US/ST=NC/L=RTP/O=kolla/CN={{ kolla_external_address }}" \
+    -config {{ node_config_directory }}/certificates/openssl-kolla.cnf \
+    -days 3650 \
+    -extensions v3_req \
+    -key {{ node_config_directory }}/certificates/private/haproxy.key \
+    -out {{ item }}
+  with_items:
+    - "{{ node_config_directory }}/certificates/private/haproxy.crt"
+
+- name: Creating CA Certificate File
+  copy:
+    src: "{{ node_config_directory }}/certificates/private/haproxy.crt"
+    dest: "{{ node_config_directory }}/certificates/haproxy-ca.crt"
+
+- name: Creating Server PEM File
+  assemble:
+    src: "{{ node_config_directory }}/certificates/private"
+    dest: "{{ node_config_directory }}/certificates/haproxy.pem"
diff --git a/ansible/roles/certificates/tasks/main.yml b/ansible/roles/certificates/tasks/main.yml
new file mode 100644
index 0000000000..2403646bcf
--- /dev/null
+++ b/ansible/roles/certificates/tasks/main.yml
@@ -0,0 +1,2 @@
+---
+- include: generate.yml
diff --git a/ansible/roles/certificates/templates/openssl-kolla.cnf.j2 b/ansible/roles/certificates/templates/openssl-kolla.cnf.j2
new file mode 100644
index 0000000000..8ebf22caa2
--- /dev/null
+++ b/ansible/roles/certificates/templates/openssl-kolla.cnf.j2
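Review bot: The `Creating Key` task runs `openssl genrsa -out {{ item }}` with no key size, so the RSA modulus length is whatever the installed OpenSSL defaults to (some older releases defaulted to 1024 bits); pin it, e.g. `command: creates="{{ item }}" openssl genrsa -out {{ item }} 2048`. Nothing in the hunk restricts permissions on `certificates/private/haproxy.key` or on the assembled `haproxy.pem`, which contains that private key: the `file` task creating the directory sets no `mode`, and `copy`/`assemble` fall back to the umask, so a `mode: "0600"` on the key and PEM (and `mode: "0700"` on the private directory) would keep the key from being world-readable, which matters doubly because the `creates=` guards mean a once-created key is never regenerated. `assemble` also concatenates every file found in `certificates/private` in name order, so haproxy.pem silently depends on that directory holding only haproxy.crt and haproxy.key; a comment such as `# assemble concatenates private/ in sorted order: haproxy.crt then haproxy.key, nothing else may live here` would document the assumption. Minor: `recurse: yes` is a YAML 1.1 truthy spelling; `true` is the canonical form.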
@@ -0,0 +1,16 @@
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+
+[req_distinguished_name]
+countryName = US
+stateOrProvinceName = NC
+localityName = RTP
+organizationalUnitName = kolla
+commonName = {{ kolla_external_address }}
+
+[v3_req]
+subjectAltName = @alt_names
+
+[alt_names]
+IP.1 = {{ kolla_external_vip_address }}
diff --git a/tools/kolla-ansible b/tools/kolla-ansible
index 14c88dfe37..0a1965cdbb 100755
--- a/tools/kolla-ansible
+++ b/tools/kolla-ansible
@@ -41,6 +41,8 @@ Commands:
     deploy              Deploy and start all kolla containers
     post-deploy         Do post deploy on deploy node
     pull                Pull all images for containers (only pulls, no runnnig container changes)
+    reconfigure         Reconfigure OpenStack service
+    certificates        Generate self-signed certificate for TLS *For Development Only*
 EOF
 }
 
@@ -137,6 +139,10 @@ case "$1" in
         ACTION="Reconfigure OpenStack service"
         EXTRA_OPTS="$EXTRA_OPTS -e action=reconfigure"
         ;;
+(certificates)
+        ACTION="Generate TLS Certificates"
+        PLAYBOOK="${BASEDIR}/ansible/certificates.yml"
+        ;;
 (*)
         usage
         exit 0
         ;;
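Review bot: The `[alt_names]` section carries only `IP.1 = {{ kolla_external_vip_address }}`, while the certificate's CN is `{{ kolla_external_address }}`; if that address is ever a DNS name, clients doing RFC 6125 host-name matching (modern browsers and most TLS libraries ignore the CN once a SAN is present) will reject the certificate. Adding `DNS.1 = {{ kolla_external_address }}` under `[alt_names]` covers both forms. Separately, the `[req_distinguished_name]` values disagree with the `-subj` string passed in generate.yml (`organizationalUnitName = kolla` here versus `O=kolla` on the command line); as far as I can tell `-subj` replaces the DN taken from this section, so the entries are inert and should either be dropped or aligned so a reader does not expect two different subjects. Since the same self-signed certificate is also distributed as the CA file (haproxy-ca.pem), consider whether `[v3_req]` should carry `basicConstraints = CA:TRUE` and a `keyUsage` line; most clients accept a self-signed leaf as a trust anchor directly, but strict validators may not.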