openstack/kolla-ansible
Code Issues Proposed changes
3d7bcca990
kolla-ansible/ansible/roles/certificates/tasks/generate-backend.yml
Mark Goddard 761ea9a333 Support TLS encryption of RabbitMQ client-server traffic 
This change adds support for encryption of communication between
OpenStack services and RabbitMQ. Server certificates are supported, but
currently client certificates are not.

The kolla-ansible certificates command has been updated to support
generating certificates for RabbitMQ for development and testing.

RabbitMQ TLS is enabled in the all-in-one source CI jobs, or when
The Zuul 'tls_enabled' variable is true.

Change-Id: I4f1d04150fb2b5af085b762890092f87ae6076b5
Implements: blueprint message-queue-ssl-support
2020-09-17 12:05:44 +01:00

78 lines
2.0 KiB
YAML
Raw Blame History

---
- name: Ensuring private backend directory exist
file:
path: "{{ backend_dir }}"
state: "directory"
mode: "0770"
- name: Creating backend SSL configuration file
template:
src: "{{ item }}.j2"
dest: "{{ kolla_certificates_dir }}/{{ item }}"
mode: "0660"
with_items:
- "openssl-kolla-backend.cnf"
- name: Creating backend Server Certificate key
command: >
openssl genrsa
-out "{{ backend_dir }}/backend.key" 2048
args:
creates: "{{ kolla_tls_backend_key }}"
- name: Creating backend Server Certificate signing request
command: >
openssl req
-new
-key "{{ backend_dir }}/backend.key"
-out "{{ backend_dir }}/backend.csr"
-config "{{ kolla_certificates_dir }}/openssl-kolla-backend.cnf"
-sha256
args:
creates: "{{ backend_dir }}/backend.csr"
- name: Creating backend Server Certificate
command: >
openssl x509
-req
-in "{{ backend_dir }}/backend.csr"
-CA "{{ root_dir }}/root.crt"
-CAkey "{{ root_dir }}/root.key"
-CAcreateserial
-out "{{ backend_dir }}/backend.crt"
-days 500
-sha256
args:
creates: "{{ backend_dir }}/backend.crt"
- name: Setting permissions on backend key
file:
path: "{{ backend_dir }}/backend.key"
mode: "0660"
state: file
- name: Copy backend cert to default configuration location
copy:
src: "{{ backend_dir }}/backend.crt"
dest: "{{ kolla_certificates_dir }}/backend-cert.pem"
mode: "0660"
- name: Copy backend key to default configuration location
copy:
src: "{{ backend_dir }}/backend.key"
dest: "{{ kolla_certificates_dir }}/backend-key.pem"
mode: "0660"
- name: Copy backend TLS certificate and key for RabbitMQ
copy:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
remote_src: true
with_items:
- src: "{{ kolla_tls_backend_cert }}"
dest: "{{ kolla_certificates_dir }}/rabbitmq-cert.pem"
- src: "{{ kolla_tls_backend_key }}"
dest: "{{ kolla_certificates_dir }}/rabbitmq-key.pem"
when:
- rabbitmq_enable_tls | bool
View Git Blame Copy Permalink