From 34649668686fa19e1d11eb104094732eb23c0a25 Mon Sep 17 00:00:00 2001
From: Damian Dabrowski
Date: Fri, 14 Apr 2023 00:49:44 +0200
Subject: [PATCH] Add TLS support to designate backends

By overriding the variable `designate_backend_ssl: True` HTTPS will be enabled, disabling HTTP support on the designate backend api. The ansible-role-pki is used to generate the required TLS certificates if this functionality is enabled.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085
Change-Id: Id5c18a7305c744a2b0252f62debb1b5654e4abd7
---
 defaults/main.yml           | 48 +++++++++++++++++++++++++++++++++++++
 handlers/main.yml           |  2 ++
 tasks/main.yml              | 20 ++++++++++++++++
 templates/designate.conf.j2 |  6 +++++
 4 files changed, 76 insertions(+)

diff --git a/defaults/main.yml b/defaults/main.yml
index 8431614..a34ad74 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -261,3 +261,51 @@ designate_policy_overrides: {}
 designate_designate_conf_overrides: {}
 designate_api_paste_ini_overrides: {}
 designate_rootwrap_conf_overrides: {}
+
+###
+### Backend TLS
+###
+
+# Define if communication between haproxy and service backends should be
+# encrypted with TLS.
+designate_backend_ssl: "{{ openstack_service_backend_ssl | default(False) }}"
+
+# Storage location for SSL certificate authority
+designate_pki_dir: "{{ openstack_pki_dir | default('/etc/openstack_deploy/pki') }}"
+
+# Delegated host for operating the certificate authority
+designate_pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}"
+
+# designate server certificate
+designate_pki_keys_path: "{{ designate_pki_dir ~ '/certs/private/' }}"
+designate_pki_certs_path: "{{ designate_pki_dir ~ '/certs/certs/' }}"
+designate_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name | default('ExampleCorpIntermediate') }}"
+designate_pki_regen_cert: ''
+designate_pki_san: "{{ openstack_pki_san | default('DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ management_address) }}"
+designate_pki_certificates:
+  - name: "designate_{{ ansible_facts['hostname'] }}"
+    provider: ownca
+    cn: "{{ ansible_facts['hostname'] }}"
+    san: "{{ designate_pki_san }}"
+    signed_by: "{{ designate_pki_intermediate_cert_name }}"
+
+# designate destination files for SSL certificates
+designate_ssl_cert: /etc/designate/designate.pem
+designate_ssl_key: /etc/designate/designate.key
+
+# Installation details for SSL certificates
+designate_pki_install_certificates:
+  - src: "{{ designate_user_ssl_cert | default(designate_pki_certs_path ~ 'designate_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}"
+    dest: "{{ designate_ssl_cert }}"
+    owner: "{{ designate_system_user_name }}"
+    group: "{{ designate_system_user_name }}"
+    mode: "0644"
+  - src: "{{ designate_user_ssl_key | default(designate_pki_keys_path ~ 'designate_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
+    dest: "{{ designate_ssl_key }}"
+    owner: "{{ designate_system_user_name }}"
+    group: "{{ designate_system_user_name }}"
+    mode: "0600"
+
+# Define user-provided SSL certificates
+#designate_user_ssl_cert:
+#designate_user_ssl_key:
diff --git a/handlers/main.yml b/handlers/main.yml
index 2022ccd..6fad991 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -27,6 +27,7 @@
     - "Restart designate services"
     - "venv changed"
     - "systemd service changed"
+    - "cert installed"
 
 - name: Perform Designate pools update
   command: "{{ designate_bin }}/designate-manage pool update --file /etc/designate/pools.yaml"
@@ -48,3 +49,4 @@
     - "Restart designate services"
     - "venv changed"
     - "systemd service changed"
+    - "cert installed"
diff --git a/tasks/main.yml b/tasks/main.yml
index f73ec9e..b57b994 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -95,6 +95,26 @@
   tags:
     - designate-install
 
+- name: Create and install SSL certificates
+  include_role:
+    name: pki
+    tasks_from: main_certs.yml
+    apply:
+      tags:
+        - designate-config
+        - pki
+  vars:
+    pki_setup_host: "{{ designate_pki_setup_host }}"
+    pki_dir: "{{ designate_pki_dir }}"
+    pki_create_certificates: "{{ designate_user_ssl_cert is not defined and designate_user_ssl_key is not defined }}"
+    pki_regen_cert: "{{ designate_pki_regen_cert }}"
+    pki_certificates: "{{ designate_pki_certificates }}"
+    pki_install_certificates: "{{ designate_pki_install_certificates }}"
+  when:
+    - designate_backend_ssl
+  tags:
+    - always
+
 - import_tasks: designate_post_install.yml
   tags:
     - designate-install
diff --git a/templates/designate.conf.j2 b/templates/designate.conf.j2
index a4ecf6e..f7987a5 100644
--- a/templates/designate.conf.j2
+++ b/templates/designate.conf.j2
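Review bot: The placeholders `#designate_user_ssl_cert:` / `#designate_user_ssl_key:` at the end of the defaults hunk do not say what the files must contain, while the generated default installs a `-chain.crt`, so a deployer who drops in a bare leaf certificate gets a backend whose chain the haproxy side cannot verify. I would extend the comment to `# Define user-provided SSL certificates (PEM). The certificate file should hold the server certificate followed by its intermediate chain, matching the generated '-chain.crt' default above.` The `designate_pki_san` default also concatenates `management_address` with no `default()`, so enabling `designate_backend_ssl` on a host where that variable is unset fails at template time rather than with a clear message; presumably it is always set by the deployment's group vars, but a comment naming that dependency would help.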
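Review bot: In the tasks hunk `pki_create_certificates` is true only when both `designate_user_ssl_cert` and `designate_user_ssl_key` are undefined, so defining exactly one of them disables generation while `designate_pki_install_certificates` still falls back to the generated path for the other; the install step then fails on a missing source or installs a key that does not belong to the certificate. An assert ahead of the include, gated on `designate_backend_ssl` like the include itself, makes the all-or-nothing contract explicit and fails with a readable message instead.
```yaml
- name: Check that user-provided SSL certificate and key are set together
  assert:
    that:
      - (designate_user_ssl_cert is defined) == (designate_user_ssl_key is defined)
    fail_msg: "designate_user_ssl_cert and designate_user_ssl_key must both be set, or neither"
  when:
    - designate_backend_ssl
  tags:
    - always
# … unchanged: 'Create and install SSL certificates' include_role …
```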
@@ -36,6 +36,12 @@ rabbit_notification_topic = notifications
 driver = {{ (designate_ceilometer_enabled | bool) | ternary('messagingv2', 'noop') }}
 transport_url = {{ designate_oslomsg_notify_transport }}://{% for host in designate_oslomsg_notify_servers.split(',') %}{{ designate_oslomsg_notify_userid }}:{{ designate_oslomsg_notify_password }}@{{ host }}:{{ designate_oslomsg_notify_port }}{% if not loop.last %},{% else %}/{{ designate_oslomsg_notify_vhost }}{% if designate_oslomsg_notify_use_ssl | bool %}?ssl=1&ssl_version={{ designate_oslomsg_notify_ssl_version }}&ssl_ca_file={{ designate_oslomsg_notify_ssl_ca_file }}{% else %}?ssl=0{% endif %}{% endif %}{% endfor %}
 
+{% if designate_backend_ssl | bool %}
+[ssl]
+cert_file = {{ designate_ssl_cert }}
+key_file = {{ designate_ssl_key }}
+{% endif %}
+
 ########################
 ## Service Configuration
 ########################
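Review bot: The new `[ssl]` block gives no hint of which component consumes it or that it changes the listener protocol rather than adding a second one, which the commit message states but the template does not. A short Jinja comment above the guard would do: `{# Read by oslo.service sslutils: with cert_file/key_file set the API serves TLS only (no plain HTTP listener remains). #}`. If that reading of designate is right, the same section also accepts the sslutils `version` and `ciphers` options; a comment noting that deployers can pin them through `designate_designate_conf_overrides` (visible in the defaults hunk) would save the next person from editing the template.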