From aaf4b3f2012cc6ad8c4a45dbe869af7c66aa171e Mon Sep 17 00:00:00 2001
From: Damian Dabrowski
Date: Thu, 20 Apr 2023 21:39:35 +0200
Subject: [PATCH] Add TLS support to zun backends

By overriding the variable `zun_backend_ssl: True` HTTPS will be enabled, disabling HTTP support on the zun backend api. The ansible-role-pki is used to generate the required TLS certificates if this functionality is enabled.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085
Change-Id: I85f90c573007f422b004b41e785bd1c86a21ec92
---
 defaults/main.yml | 52 +++++++++++++++++++++++++++++++++++++++++++++++
 handlers/main.yml | 2 ++
 tasks/main.yml | 20 ++++++++++++++++++
 3 files changed, 74 insertions(+)

diff --git a/defaults/main.yml b/defaults/main.yml
index e02a345..08d2f7a 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -284,6 +284,7 @@ zun_services:
 uwsgi_overrides: "{{ zun_uwsgi_conf_overrides }}"
 uwsgi_uid: "{{ zun_system_user_name }}"
 uwsgi_guid: "{{ zun_system_group_name }}"
+ uwsgi_tls: "{{ zun_backend_ssl | ternary(zun_uwsgi_tls, {}) }}"
 zun-compute:
 group: zun_compute
 service_name: zun-compute
@@ -351,6 +352,9 @@ zun_uwsgi_conf_overrides: {}
 zun_kuryr_uwsgi_conf_overrides:
 uwsgi:
 pyargv: --config-file /etc/kuryr/kuryr.conf
+zun_uwsgi_tls:
+ crt: "{{ zun_ssl_cert }}"
+ key: "{{ zun_ssl_key }}"
 
 ## Default zun+kuryr options used within the systemd unit file.
 zun_kuryr_init_defaults: 
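Review bot: The `uwsgi_tls` key added to `zun_services` and the `zun_uwsgi_tls` mapping added in the following hunk are the only new variables in this patch without a comment, even though they are what switches the backend from HTTP to HTTPS. Suggest `# TLS certificate/key passed to the uwsgi role; an empty mapping keeps plain HTTP` above the `uwsgi_tls` line and `# Certificate and key consumed via uwsgi_tls when zun_backend_ssl is true; paths must match zun_pki_install_certificates` above `zun_uwsgi_tls`. The name of the service entry receiving `uwsgi_tls` is not visible here (the `zun_services` mapping starts before the hunk), so a reader cannot confirm from this hunk alone that it is the API service.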
@@ -380,3 +384,51 @@ zun_kuryr_init_overrides: {}
 zun_docker_init_overrides: {}
 zun_docker_cleanup_init_overrides: {}
 zun_policy_overrides: {}
+
+###
+### Backend TLS
+###
+
+# Define if communication between haproxy and service backends should be
+# encrypted with TLS.
+zun_backend_ssl: "{{ openstack_service_backend_ssl | default(False) }}"
+
+# Storage location for SSL certificate authority
+zun_pki_dir: "{{ openstack_pki_dir | default('/etc/openstack_deploy/pki') }}"
+
+# Delegated host for operating the certificate authority
+zun_pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}"
+
+# zun server certificate
+zun_pki_keys_path: "{{ zun_pki_dir ~ '/certs/private/' }}"
+zun_pki_certs_path: "{{ zun_pki_dir ~ '/certs/certs/' }}"
+zun_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name | default('ExampleCorpIntermediate') }}"
+zun_pki_regen_cert: ''
+zun_pki_san: "{{ openstack_pki_san | default('DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ management_address) }}"
+zun_pki_certificates:
+ - name: "zun_{{ ansible_facts['hostname'] }}"
+ provider: ownca
+ cn: "{{ ansible_facts['hostname'] }}"
+ san: "{{ zun_pki_san }}"
+ signed_by: "{{ zun_pki_intermediate_cert_name }}"
+
+# zun destination files for SSL certificates
+zun_ssl_cert: /etc/zun/zun.pem
+zun_ssl_key: /etc/zun/zun.key
+
+# Installation details for SSL certificates
+zun_pki_install_certificates:
+ - src: "{{ zun_user_ssl_cert | default(zun_pki_certs_path ~ 'zun_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}"
+ dest: "{{ zun_ssl_cert }}"
+ owner: "{{ zun_system_user_name }}"
+ group: "{{ zun_system_user_name }}"
+ mode: "0644"
+ - src: "{{ zun_user_ssl_key | default(zun_pki_keys_path ~ 'zun_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
+ dest: "{{ zun_ssl_key }}"
+ owner: "{{ zun_system_user_name }}"
+ group: "{{ zun_system_user_name }}"
+ mode: "0600"
+
+# Define user-provided SSL certificates
+#zun_user_ssl_cert:
+#zun_user_ssl_key: 
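Review bot: Both entries of `zun_pki_install_certificates` set `group: "{{ zun_system_user_name }}"`, while the role's own uwsgi settings in the first hunk use `zun_system_group_name` for the group (`uwsgi_guid`). If a deployer overrides the group name independently of the user name, the certificate install will either fail or leave the files in the wrong group, so both lines should read `group: "{{ zun_system_group_name }}"`. The private key remains protected by `mode: "0600"`, so this is a correctness rather than a key-exposure issue; the chain file at `"0644"` is readable by everyone by design.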
diff --git a/handlers/main.yml b/handlers/main.yml
index 9cb4835..743d019 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -82,6 +82,7 @@
 - "Restart zun services"
 - "venv changed"
 - "systemd service changed"
+ - "cert installed"
 
 - name: Start services
 systemd:
@@ -98,3 +99,4 @@
 - "Restart zun services"
 - "venv changed"
 - "systemd service changed"
+ - "cert installed"
diff --git a/tasks/main.yml b/tasks/main.yml
index 7480d32..5c70d27 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -33,6 +33,26 @@
 tags:
 - zun-install
 
+- name: Create and install SSL certificates
+ include_role:
+ name: pki
+ tasks_from: main_certs.yml
+ apply:
+ tags:
+ - zun-config
+ - pki
+ vars:
+ pki_setup_host: "{{ zun_pki_setup_host }}"
+ pki_dir: "{{ zun_pki_dir }}"
+ pki_create_certificates: "{{ zun_user_ssl_cert is not defined and zun_user_ssl_key is not defined }}"
+ pki_regen_cert: "{{ zun_pki_regen_cert }}"
+ pki_certificates: "{{ zun_pki_certificates }}"
+ pki_install_certificates: "{{ zun_pki_install_certificates }}"
+ when:
+ - zun_backend_ssl
+ tags:
+ - always
+
 # NOTE(jrosser)
 # kuryr-lib appears in u-c and the new pip resolver will fail to install
 # if two contradictory constraints are given which will always happen
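Review bot: `pki_create_certificates` is only false when both `zun_user_ssl_cert` and `zun_user_ssl_key` are defined, yet `zun_pki_install_certificates` falls back per file, so defining just one of them skips generation and then tries to install the other from a `zun_pki_certs_path`/`zun_pki_keys_path` file that was never created. A guard before the include would turn that into an explicit, early failure instead of a copy error inside the pki role. The task-level `tags: - always` means the include is evaluated on every run with the real work gated by `when: zun_backend_ssl`; that follows the pattern of the other roles but deserves a short comment such as `# Always evaluated so the tag filter cannot skip certificate setup when TLS is enabled`. The task list continues beyond the hunk.
```yaml
- name: Ensure user-provided certificate and key are supplied together
  assert:
    that:
      - (zun_user_ssl_cert is defined) == (zun_user_ssl_key is defined)
    fail_msg: "zun_user_ssl_cert and zun_user_ssl_key must both be set, or both left unset"
  when:
    - zun_backend_ssl
  tags:
    - always

# … unchanged: Create and install SSL certificates include_role task …
```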