Fix Horizon SSL certificate management and distribution

This patch revises the SSL certificate management and
distribution with something that is more consistent with how
it's done everywhere else in the project. It also repairs the
current user provided certificate distribution which was broken.

* The server key/certificate (and optionally a CA cert) are
  distributed to all horizon containers.

* Two new variables have been implemented for a user-provided
  server key and certificate:
  - horizon_user_ssl_cert: <path to cert on deployment host>
  - horizon_user_ssl_key: <path to cert on deployment host>
  If either of these is not defined, then the missing cert/key
  will be self generated on the first Horizon container and
  distributed to the other containers.

* A new variable has been implemented for a user-provided CA
  certificate:
  - horizon_user_ssl_ca_cert: <path to cert on deployment host>

* A new variable called 'horizon_ssl_self_signed_subject' has
  been implemented to allow the user to override the self-signed
  certificate properties, such as the CN and subjectAltName.

Upgrade notes:

* The Apache configuration appropriately implements the
  'SSLCACertificateFile' instead of the 'SSLCACertificatePath'
  directive in order to ensure that the appropriate signing
  certificate is provided to the browser.

* The variable 'horizon_self_signed' (which defaulted to true)
  has been removed. The decision of whether to generate a
  self-signed certificate has been made based on whether a
  user provided key/cert pair has been provided.

* The 'horizon_self_signed_regen' variable has been renamed
  to 'horizon_ssl_self_signed_regen'.

* The default names for the deployed keys/certificates have been
  changed:
  - /etc/ssl/certs/apache.cert  > /etc/ssl/certs/horizon.pem
  - /etc/ssl/private/apache.key > /etc/ssl/private/horizon.key

DocImpact
UpgradeImpact
Closes-Bug: #1475578

Change-Id: I7089abbd81ce422b21ce65488e8bc32053ba32ca

defaults/main.yml

@@ -50,8 +50,6 @@ horizon_endpoint_type: internalURL
 
 horizon_server_name: "horizon"
 horizon_log_level: info
-horizon_self_signed: true
-horizon_self_signed_regen: false
 horizon_dropdown_max_items: 30
 horizon_time_zone: UTC
 horizon_enforce_password_check: False
@@ -59,13 +57,18 @@ horizon_disable_password_reveal: False
 horizon_enable_password_retrieve: False
 
 ## Horizon SSL
-### Set the cacert pem if you'd like horizon to verify it.
-# horizon_cacert_pem: /path/to/cacert.pem
-horizon_ssl_cert: /etc/ssl/certs/apache.cert
-horizon_ssl_key: /etc/ssl/private/apache.key
-horizon_ssl_cert_path: /etc/ssl/certs
+horizon_ssl_cert: /etc/ssl/certs/horizon.pem
+horizon_ssl_key: /etc/ssl/private/horizon.key
+horizon_ssl_ca_cert: /etc/ssl/certs/horizon-ca.pem
 horizon_ssl_protocol: "{{ ssl_protocol }}"
 horizon_ssl_cipher_suite: "{{ ssl_cipher_suite }}"
+# if using a self-signed certificate, set this to true to regenerate it
+horizon_ssl_self_signed_regen: false
+horizon_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ horizon_server_name }}/subjectAltName=IP.1={{ external_lb_vip_address }}"
+# Set these in user_variables to deploy custom certificates
+#horizon_user_ssl_cert: <path to cert on ansible deployment host>
+#horizon_user_ssl_key: <path to cert on ansible deployment host>
+#horizon_user_ssl_ca_cert: <path to cert on ansible deployment host>
 
 # For multiple regions uncomment this configuration, and
 # add the extra endpoints below the first list item.
@@ -73,6 +76,12 @@ horizon_ssl_cipher_suite: "{{ ssl_cipher_suite }}"
 #   - { url: "{{ keystone_service_internalurl }}", name: "{{ keystone_service_region }}" }
 #   - { url: "http://cluster1.example.com:5000/v2.0", name: "RegionTwo" }
 
+### Set the cacert pem for Keystone if you'd like Horizon to verify it.
+# horizon_cacert_pem: /path/to/cacert.pem
+
+## alternatively, you can set horizon to turn off ssl verification for Keystone
+horizon_ssl_no_verify: "{{ (keystone_service_adminuri_insecure | bool or keystone_service_internaluri_insecure | bool) | default(false) }}"
+
 ## Launch instance
 horizon_launch_instance_legacy: True
 horizon_launch_instance_ng: False

tasks/horizon_ssl_key_create.yml

@@ -17,23 +17,19 @@
   file:
     dest: "{{ horizon_ssl_cert }}"
     state: "absent"
-  when: >
-    horizon_self_signed_regen == true or
-    horizon_self_signed_regen == "True"
+  when: horizon_ssl_self_signed_regen | bool
+  tags:
+    - horizon-ssl
 
 - name: Create self-signed ssl cert
   command: >
     openssl req -new -nodes -sha256 -x509 -subj
-    "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ horizon_server_name }}"
+    "{{ horizon_ssl_self_signed_subject }}"
     -days 3650
     -keyout {{ horizon_ssl_key }}
     -out {{ horizon_ssl_cert }}
     -extensions v3_ca
     creates={{ horizon_ssl_cert }}
-  when: >
-    horizon_self_signed == true or
-    horizon_self_signed == "True"
   notify: Restart apache2
   tags:
-    - horizon-apache-self-ssl
     - horizon-ssl

tasks/horizon_ssl_key_distribute.yml

@@ -23,14 +23,12 @@
     server: "{{ memcached_servers }}"
     encrypt_string: "{{ memcached_encryption_key }}"
   with_items:
-    - { src: "{{ horizon_ssl_cert }}", name: "apache_cert", file_mode: "0640", dir_mode: "0750" }
-    - { src: "{{ horizon_ssl_key }}", name: "apache_key", file_mode: "0640", dir_mode: "0750" }
+    - { src: "{{ horizon_ssl_cert }}", name: "horizon_ssl_cert", file_mode: "0640", dir_mode: "0750" }
+    - { src: "{{ horizon_ssl_key }}", name: "horizon_ssl_key", file_mode: "0640", dir_mode: "0750" }
   register: memcache_keys
   until: memcache_keys|success
   retries: 5
   delay: 2
   notify: Restart apache2
   tags:
-    - horizon-key
-    - horizon-key-distribute
     - horizon-ssl

tasks/horizon_ssl_key_store.yml

@@ -21,13 +21,11 @@
     server: "{{ memcached_servers }}"
     encrypt_string: "{{ memcached_encryption_key }}"
   with_items:
-    - { src: "{{ horizon_ssl_cert }}", name: "apache_cert" }
-    - { src: "{{ horizon_ssl_key }}", name: "apache_key" }
+    - { src: "{{ horizon_ssl_cert }}", name: "horizon_ssl_cert" }
+    - { src: "{{ horizon_ssl_key }}", name: "horizon_ssl_key" }
   register: memcache_keys
   until: memcache_keys|success
   retries: 5
   delay: 2
   tags:
-    - horizon-key
-    - horizon-key-store
     - horizon-ssl

tasks/horizon_ssl_user_provided.yml

@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- name: Drop user provided ssl cert
+- name: Drop user provided ssl cert and key
   copy:
     src: "{{ item.src }}"
     dest: "{{ item.dest }}"
@@ -21,9 +21,23 @@
     group: "root"
     mode: "{{ item.mode }}"
   with_items:
-    - { src: "/etc/ssl/certs/apache.cert", name: "apache.cert", mode: "0640" }
-    - { src: "/etc/ssl/private/apache.key", name: "apache.key", mode: "0640" }
+    - { src: "{{ horizon_user_ssl_cert }}", dest: "{{ horizon_ssl_cert }}", mode: "0644" }
+    - { src: "{{ horizon_user_ssl_key }}", dest: "{{ horizon_ssl_key }}", mode: "0640" }
+  when: horizon_user_ssl_cert is defined and horizon_user_ssl_key is defined
   notify: Restart apache2
   tags:
     - horizon-configs
     - horizon-ssl
+
+- name: Drop user provided ssl CA cert
+  copy:
+    src: "{{ horizon_user_ssl_ca_cert }}"
+    dest: "{{ horizon_ssl_ca_cert }}"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  when: horizon_user_ssl_ca_cert is defined
+  notify: Restart apache2
+  tags:
+    - keystone-configs
+    - keystone-ssl

tasks/main.yml

@@ -23,13 +23,10 @@
 
 - include: horizon_ssl_self_signed.yml
   when: >
-    horizon_self_signed == true or
-    horizon_self_signed == "True"
+    horizon_user_ssl_cert is not defined or
+    horizon_user_ssl_key is not defined
 
 - include: horizon_ssl_user_provided.yml
-  when: >
-    horizon_self_signed == false or
-    horizon_self_signed == "False"
 
 - include: horizon_apache.yml
 

templates/openstack_dashboard.conf.j2

@@ -20,8 +20,9 @@
     SSLEngine on
     SSLCertificateFile    {{ horizon_ssl_cert }}
     SSLCertificateKeyFile {{ horizon_ssl_key }}
-    SSLCACertificatePath  {{ horizon_ssl_cert_path }}
-    SSLCARevocationPath   {{ horizon_ssl_cert_path }}
+    {% if horizon_user_ssl_ca_cert is defined -%}
+    SSLCACertificateFile  {{ horizon_ssl_ca_cert }}
+    {% endif -%}
     SSLCompression Off
     SSLProtocol All -SSLv2 -SSLv3
     SSLHonorCipherOrder On