271bf64239
This patch revises the SSL certificate management and distribution with something that is more consistent with how it's done everywhere else in the project. It also repairs the current user provided certificate distribution which was broken. * The server key/certificate (and optionally a CA cert) are distributed to all horizon containers. * Two new variables have been implemented for a user-provided server key and certificate: - horizon_user_ssl_cert: <path to cert on deployment host> - horizon_user_ssl_key: <path to cert on deployment host> If either of these is not defined, then the missing cert/key will be self generated on the first Horizon container and distributed to the other containers. * A new variable has been implemented for a user-provided CA certificate: - horizon_user_ssl_ca_cert: <path to cert on deployment host> * A new variable called 'horizon_ssl_self_signed_subject' has been implemented to allow the user to override the self-signed certificate properties, such as the CN and subjectAltName. Upgrade notes: * The Apache configuration appropriately implements the 'SSLCACertificateFile' instead of the 'SSLCACertificatePath' directive in order to ensure that the appropriate signing certificate is provided to the browser. * The variable 'horizon_self_signed' (which defaulted to true) has been removed. The decision of whether to generate a self-signed certificate has been made based on whether a user provided key/cert pair has been provided. * The 'horizon_self_signed_regen' variable has been renamed to 'horizon_ssl_self_signed_regen'. * The default names for the deployed keys/certificates have been changed: - /etc/ssl/certs/apache.cert > /etc/ssl/certs/horizon.pem - /etc/ssl/private/apache.key > /etc/ssl/private/horizon.key DocImpact UpgradeImpact Closes-Bug: #1475578 Change-Id: I7089abbd81ce422b21ce65488e8bc32053ba32ca
44 lines
1.4 KiB
YAML
44 lines
1.4 KiB
YAML
---
|
|
# Copyright 2014, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
- name: Drop user provided ssl cert and key
|
|
copy:
|
|
src: "{{ item.src }}"
|
|
dest: "{{ item.dest }}"
|
|
owner: "root"
|
|
group: "root"
|
|
mode: "{{ item.mode }}"
|
|
with_items:
|
|
- { src: "{{ horizon_user_ssl_cert }}", dest: "{{ horizon_ssl_cert }}", mode: "0644" }
|
|
- { src: "{{ horizon_user_ssl_key }}", dest: "{{ horizon_ssl_key }}", mode: "0640" }
|
|
when: horizon_user_ssl_cert is defined and horizon_user_ssl_key is defined
|
|
notify: Restart apache2
|
|
tags:
|
|
- horizon-configs
|
|
- horizon-ssl
|
|
|
|
- name: Drop user provided ssl CA cert
|
|
copy:
|
|
src: "{{ horizon_user_ssl_ca_cert }}"
|
|
dest: "{{ horizon_ssl_ca_cert }}"
|
|
owner: "root"
|
|
group: "root"
|
|
mode: "0644"
|
|
when: horizon_user_ssl_ca_cert is defined
|
|
notify: Restart apache2
|
|
tags:
|
|
- keystone-configs
|
|
- keystone-ssl
|