e3cd02eda4
Replaced "kolla_external_fqdn_cacert" and "kolla_internal_fqdn_cacert" with "kolla_admin_openrc_cacert". OS_CACERT is now set to the value of "kolla_admin_openrc_cacert" in the generated admin-openrc.sh file. Change-Id: If195d5402579cee9a14b91f63f5fde84eb84cccf Partially-Implements: blueprint add-ssl-internal-network Depends-On: https://review.opendev.org/#/c/731344/
138 lines
3.8 KiB
YAML
138 lines
3.8 KiB
YAML
---
|
|
- name: Ensuring private internal directory exist
|
|
file:
|
|
path: "{{ internal_dir }}"
|
|
state: "directory"
|
|
mode: "0770"
|
|
|
|
- name: Ensuring private external directory exist
|
|
file:
|
|
path: "{{ external_dir }}"
|
|
state: "directory"
|
|
mode: "0770"
|
|
|
|
- block:
|
|
- name: Creating external SSL configuration file
|
|
template:
|
|
src: "{{ item }}.j2"
|
|
dest: "{{ kolla_certificates_dir }}/{{ item }}"
|
|
mode: "0660"
|
|
with_items:
|
|
- "openssl-kolla.cnf"
|
|
|
|
- name: Creating external Server Certificate key
|
|
command: >
|
|
openssl genrsa
|
|
-out "{{ external_dir }}/external.key" 2048
|
|
args:
|
|
creates: "{{ external_dir }}/external.key"
|
|
|
|
- name: Creating external Server Certificate signing request
|
|
command: >
|
|
openssl req
|
|
-new
|
|
-key "{{ external_dir }}/external.key"
|
|
-out "{{ external_dir }}/external.csr"
|
|
-config "{{ kolla_certificates_dir }}/openssl-kolla.cnf"
|
|
-sha256
|
|
args:
|
|
creates: "{{ external_dir }}/external.csr"
|
|
|
|
- name: Creating external Server Certificate
|
|
command: >
|
|
openssl x509
|
|
-req
|
|
-in "{{ external_dir }}/external.csr"
|
|
-CA "{{ root_dir }}/root.crt"
|
|
-CAkey "{{ root_dir }}/root.key"
|
|
-CAcreateserial
|
|
-out "{{ external_dir }}/external.crt"
|
|
-days 365
|
|
-sha256
|
|
args:
|
|
creates: "{{ external_dir }}/external.crt"
|
|
|
|
- name: Setting permissions on external key
|
|
file:
|
|
path: "{{ external_dir }}/external.key"
|
|
mode: "0660"
|
|
state: file
|
|
|
|
- name: Creating external Server PEM File
|
|
assemble:
|
|
regexp: '.*[crt|key]'
|
|
src: "{{ external_dir }}"
|
|
dest: "{{ kolla_external_fqdn_cert }}"
|
|
mode: "0660"
|
|
when:
|
|
- kolla_enable_tls_external | bool
|
|
|
|
- block:
|
|
- name: Copy the external PEM file to be the internal when internal + external are same network
|
|
copy:
|
|
src: "{{ kolla_external_fqdn_cert }}"
|
|
dest: "{{ kolla_internal_fqdn_cert }}"
|
|
remote_src: yes
|
|
mode: "0660"
|
|
when:
|
|
- kolla_enable_tls_external | bool
|
|
- kolla_enable_tls_internal | bool
|
|
- kolla_same_external_internal_vip | bool
|
|
|
|
- block:
|
|
- name: Creating internal SSL configuration file
|
|
template:
|
|
src: "{{ item }}.j2"
|
|
dest: "{{ kolla_certificates_dir }}/{{ item }}"
|
|
mode: "0660"
|
|
with_items:
|
|
- "openssl-kolla-internal.cnf"
|
|
|
|
- name: Creating internal Server Certificate key
|
|
command: >
|
|
openssl genrsa
|
|
-out "{{ internal_dir }}/internal.key" 2048
|
|
args:
|
|
creates: "{{ internal_dir }}/internal.key"
|
|
|
|
- name: Creating internal Server Certificate signing request
|
|
command: >
|
|
openssl req
|
|
-new
|
|
-key "{{ internal_dir }}/internal.key"
|
|
-out "{{ internal_dir }}/internal.csr"
|
|
-config "{{ kolla_certificates_dir }}/openssl-kolla-internal.cnf"
|
|
-sha256
|
|
args:
|
|
creates: "{{ internal_dir }}/internal.csr"
|
|
|
|
- name: Creating internal Server Certificate
|
|
command: >
|
|
openssl x509
|
|
-req
|
|
-in "{{ internal_dir }}/internal.csr"
|
|
-CA "{{ root_dir }}/root.crt"
|
|
-CAkey "{{ root_dir }}/root.key"
|
|
-CAcreateserial
|
|
-out "{{ internal_dir }}/internal.crt"
|
|
-days 365
|
|
-sha256
|
|
args:
|
|
creates: "{{ internal_dir }}/internal.crt"
|
|
|
|
- name: Setting permissions on internal key
|
|
file:
|
|
path: "{{ internal_dir }}/internal.key"
|
|
mode: "0660"
|
|
state: file
|
|
|
|
- name: Creating internal Server PEM File
|
|
assemble:
|
|
regexp: '.*[crt|key]'
|
|
src: "{{ internal_dir }}"
|
|
dest: "{{ kolla_internal_fqdn_cert }}"
|
|
mode: "0660"
|
|
when:
|
|
- kolla_enable_tls_internal | bool
|
|
- not kolla_same_external_internal_vip | bool
|