Include PKI role only once

This patch proposes to move condition on when to install certificates from
the role include statement to a combined "view" for API and Consoles.

While adding computes to the same logic might be beneficial for CI and
AIO metal deployments, it potentially might have a negative effect for
real deployments, as it will create bunch of Skipped tasks for computes
so we leave them separated.

With that, API and Console are usually placed on the same hosts, so it makes
sense to distribute certs to them once, while keeping the possibility of
different hosts in mind.

Change-Id: I8e28a79a6e3a5be1fe54004ea1d2c3a3ccdc20bc
Dmitriy Rabotyagov 2024-04-10 13:26:33 +02:00 committed by Jonathan Rosser
parent ea39d38321
commit 466e7572bb
2 changed files with 20 additions and 31 deletions


@ -724,6 +724,7 @@ nova_pki_compute_install_certificates:
# nova_user_ssl_ca_cert: <path to cert on ansible deployment host>
# TLS certficates for console hosts
nova_pki_console_condition: "{{ nova_qemu_vnc_tls == 1 and nova_console_type == 'novnc' and 'nova_console' in group_names }}"
nova_pki_console_certificates:
# Client certificate used by novnv proxy to authenticate with compute hosts using vencrypt
- name: "nova_{{ ansible_facts['hostname'] }}-client"
@ -737,7 +738,7 @@ nova_pki_console_certificates:
- keyEncipherment
extended_key_usage:
- clientAuth
condition: "{{ nova_qemu_vnc_tls == 1 and 'novnc' in nova_console_proxy_types }}"
condition: "{{ nova_pki_console_condition | bool }}"
# Installation details for SSL certificates for console hosts
nova_pki_console_install_certificates:
@ -746,19 +747,19 @@ nova_pki_console_install_certificates:
owner: "root"
group: "{{ nova_system_group_name }}"
mode: "0640"
condition: "{{ nova_qemu_vnc_tls == 1 and nova_console_type == 'novnc' }}"
condition: "{{ nova_pki_console_condition | bool }}"
- src: "{{ nova_user_ssl_key | default(nova_pki_keys_path ~ 'nova_' ~ ansible_facts['hostname'] ~ '-client.key.pem') }}"
dest: "{{ nova_vencrypt_client_key }}"
owner: "root"
group: "{{ nova_system_group_name }}"
mode: "0640"
condition: "{{ nova_qemu_vnc_tls == 1 and nova_console_type == 'novnc' }}"
condition: "{{ nova_pki_console_condition | bool }}"
- src: "{{ nova_user_ssl_ca_cert | default(nova_pki_intermediate_chain_path) }}"
dest: "{{ nova_vencrypt_ca_certs }}"
owner: "root"
group: "{{ nova_system_group_name }}"
mode: "0640"
condition: "{{ nova_qemu_vnc_tls == 1 and nova_console_type == 'novnc' }}"
condition: "{{ nova_pki_console_condition | bool }}"
# host which holds the ssh certificate authority
nova_ssh_keypairs_setup_host: "{{ openstack_ssh_keypairs_setup_host | default('localhost') }}"
@ -798,6 +799,14 @@ nova_ssh_keypairs_principals:
# Define if communication between haproxy and service backends should be
# encrypted with TLS.
nova_backend_ssl: "{{ openstack_service_backend_ssl | default(False) }}"
nova_pki_certificates_condition: >-
{{
nova_backend_ssl and (
'nova_console' in group_names or
'nova_api_metadata' in group_names or
'nova_api_os_compute' in group_names
)
}}
nova_pki_certificates:
# Used to encrypt traffic between haproxy and nova backends
@ -806,7 +815,7 @@ nova_pki_certificates:
cn: "{{ ansible_facts['hostname'] }}"
san: "{{ nova_pki_san }}"
signed_by: "{{ nova_pki_intermediate_cert_name }}"
condition: "{{ nova_backend_ssl }}"
condition: "{{ nova_pki_certificates_condition | bool }}"
# nova destination files for SSL certificates
nova_ssl_cert: /etc/nova/nova.pem
@ -819,13 +828,13 @@ nova_pki_install_certificates:
owner: "{{ nova_system_user_name }}"
group: "{{ nova_system_user_name }}"
mode: "0644"
condition: "{{ nova_backend_ssl }}"
condition: "{{ nova_pki_certificates_condition | bool }}"
- src: "{{ nova_user_ssl_key | default(nova_pki_keys_path ~ 'nova_' ~ ansible_facts['hostname'] ~ '_api.key.pem') }}"
dest: "{{ nova_ssl_key }}"
owner: "{{ nova_system_user_name }}"
group: "{{ nova_system_user_name }}"
mode: "0600"
condition: "{{ nova_backend_ssl }}"
condition: "{{ nova_pki_certificates_condition | bool }}"
# Periodically move records for deleted resources to shadow tables
nova_archive_deleted: False
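Review bot: The consolidated `nova_pki_console_condition` in the first hunk gates every console entry on `nova_console_type == 'novnc'`, but the certificate-generation entry it replaces tested a different variable (`condition: "{{ nova_qemu_vnc_tls == 1 and 'novnc' in nova_console_proxy_types }}"`), while only the install entries tested `nova_console_type`. If `nova_console_proxy_types` can list novnc on a host whose `nova_console_type` is something else, the vencrypt client certificate would no longer be generated for that host after this change; the definitions of both variables are outside the hunk, so this may be intended, but it deserves either a comment above the new variable or the extra clause `and 'novnc' in nova_console_proxy_types`. As a smaller point of style, `nova_pki_console_condition` is a long plain-scalar string while `nova_pki_certificates_condition` in the later hunk uses a `>-` block; writing both the same way would make the two gates easier to compare.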


@ -139,7 +139,7 @@
- nova-config
# Create certs after nova groups have been created but before handlers
- name: Create and install SSL certificates for API
- name: Create and install SSL certificates for API and Consoles
include_role:
name: pki
tasks_from: main_certs.yml
@ -152,10 +152,10 @@
pki_dir: "{{ nova_pki_dir }}"
pki_create_certificates: "{{ nova_user_ssl_cert is not defined and nova_user_ssl_key is not defined }}"
pki_regen_cert: "{{ nova_pki_regen_cert }}"
pki_certificates: "{{ nova_pki_certificates }}"
pki_install_certificates: "{{ nova_pki_install_certificates }}"
pki_certificates: "{{ nova_pki_certificates + nova_pki_console_certificates }}"
pki_install_certificates: "{{ nova_pki_install_certificates + nova_pki_console_install_certificates }}"
when:
- "'nova_api_metadata' in group_names or 'nova_api_os_compute' in group_names"
- nova_pki_certificates_condition | bool or nova_pki_console_condition | bool
tags:
- always
@ -181,26 +181,6 @@
tags:
- always
- name: Create and install SSL certificates for console hosts
include_role:
name: pki
tasks_from: main_certs.yml
apply:
tags:
- nova-config
- pki
vars:
pki_setup_host: "{{ nova_pki_setup_host }}"
pki_dir: "{{ nova_pki_dir }}"
pki_create_certificates: "{{ nova_user_ssl_cert is not defined and nova_user_ssl_key is not defined }}"
pki_regen_cert: "{{ nova_pki_regen_cert }}"
pki_certificates: "{{ nova_pki_certificates + nova_pki_console_certificates }}"
pki_install_certificates: "{{ nova_pki_install_certificates + nova_pki_console_install_certificates }}"
when:
- "'nova_console' in group_names"
tags:
- always
- name: Including nova_post_install tasks
import_tasks: nova_post_install.yml
tags: