Merge "Add support for encrypting backend Keystone HAProxy traffic"

This commit is contained in:
Zuul 2020-04-09 16:10:50 +00:00 committed by Gerrit Code Review
commit 2d8edc374d
25 changed files with 290 additions and 64 deletions


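--- a/<PATH NOT SHOWN ON PAGE>
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -1,4 +1,7 @@
 ---
+- import_playbook: gather-facts.yml
+  when: kolla_enable_tls_backend | default(false) | bool
 - name: Apply role certificates
   hosts: localhost
   roles: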


@ -747,11 +747,18 @@ haproxy_user: "openstack"
haproxy_enable_external_vip: "{{ 'no' if kolla_same_external_internal_vip | bool else 'yes' }}" haproxy_enable_external_vip: "{{ 'no' if kolla_same_external_internal_vip | bool else 'yes' }}"
kolla_enable_tls_internal: "no" kolla_enable_tls_internal: "no"
kolla_enable_tls_external: "{{ kolla_enable_tls_internal if kolla_same_external_internal_vip | bool else 'no' }}" kolla_enable_tls_external: "{{ kolla_enable_tls_internal if kolla_same_external_internal_vip | bool else 'no' }}"
kolla_external_fqdn_cert: "{{ node_config }}/certificates/haproxy.pem" kolla_certificates_dir: "{{ node_config }}/certificates"
kolla_internal_fqdn_cert: "{{ node_config }}/certificates/haproxy-internal.pem" kolla_external_fqdn_cert: "{{ kolla_certificates_dir }}/haproxy.pem"
kolla_external_fqdn_cacert: "{{ node_config }}/certificates/ca/haproxy.crt" kolla_internal_fqdn_cert: "{{ kolla_certificates_dir }}/haproxy-internal.pem"
kolla_internal_fqdn_cacert: "{{ node_config }}/certificates/ca/haproxy-internal.crt" kolla_external_fqdn_cacert: "{{ kolla_certificates_dir }}/ca/haproxy.crt"
kolla_internal_fqdn_cacert: "{{ kolla_certificates_dir }}/ca/haproxy-internal.crt"
kolla_copy_ca_into_containers: "no" kolla_copy_ca_into_containers: "no"
kolla_verify_tls_backend: "yes"
haproxy_backend_cacert: "{{ 'ca-certificates.crt' if kolla_base_distro in ['debian', 'ubuntu'] else 'ca-bundle.trust.crt' }}"
haproxy_backend_cacert_dir: "/etc/ssl/certs"
kolla_enable_tls_backend: "no"
kolla_tls_backend_cert: "{{ kolla_certificates_dir }}/backend-cert.pem"
kolla_tls_backend_key: "{{ kolla_certificates_dir }}/backend-key.pem"
#################### ####################
# Kibana options # Kibana options
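Review bot: The six new backend-TLS variables after `kolla_copy_ca_into_containers` carry no explanatory comment, unlike the TLS settings above them, and the commented copy in the globals sample hunk ending at line 603 repeats them bare. Suggest a header above `kolla_verify_tls_backend` such as `# Backend TLS: kolla_enable_tls_backend encrypts HAProxy -> service API traffic; kolla_verify_tls_backend makes HAProxy validate the backend certificate against haproxy_backend_cacert under haproxy_backend_cacert_dir.` That comment should also say that `haproxy_backend_cacert` defaults to the distro-wide system bundle, so operators who want HAProxy to trust only the kolla backend CA know to override it with a narrower file.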


@ -35,6 +35,9 @@ compute
[baremetal:children] [baremetal:children]
control control
[tls-backend:children]
control
[grafana:children] [grafana:children]
monitoring monitoring


@ -39,6 +39,9 @@ compute
storage storage
monitoring monitoring
[tls-backend:children]
control
# You can explicitly specify which hosts run each project by updating the # You can explicitly specify which hosts run each project by updating the
# groups in the sections below. Common services are grouped together. # groups in the sections below. Common services are grouped together.
[chrony-server:children] [chrony-server:children]


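--- a/<PATH NOT SHOWN ON PAGE>
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -1,3 +0,0 @@
----
-# Directory on deploy node (localhost) in which certificates are generated.
-certificates_dir: "{{ node_config }}/certificates"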


@ -1,21 +1,33 @@
--- ---
- name: Ensuring private internal directory exist - name: Ensuring private internal directory exist
file: file:
path: "{{ certificates_dir }}/private/internal" path: "{{ kolla_certificates_dir }}/private/internal"
state: "directory" state: "directory"
recurse: yes recurse: yes
mode: "0770" mode: "0770"
- name: Ensuring private external directory exist - name: Ensuring private external directory exist
file: file:
path: "{{ certificates_dir }}/private/external" path: "{{ kolla_certificates_dir }}/private/external"
state: "directory" state: "directory"
recurse: yes recurse: yes
mode: "0770" mode: "0770"
- name: Ensuring backend certificate and key directories exist
file:
path: "{{ item | dirname }}"
state: "directory"
recurse: yes
mode: "0770"
when:
- kolla_enable_tls_backend | bool
with_items:
- "{{ kolla_tls_backend_cert }}"
- "{{ kolla_tls_backend_key }}"
- name: Ensuring ca directory exist - name: Ensuring ca directory exist
file: file:
path: "{{ certificates_dir }}/ca" path: "{{ kolla_certificates_dir }}/ca"
state: "directory" state: "directory"
recurse: yes recurse: yes
mode: "0770" mode: "0770"
@ -24,36 +36,36 @@
- name: Creating external SSL configuration file - name: Creating external SSL configuration file
template: template:
src: "{{ item }}.j2" src: "{{ item }}.j2"
dest: "{{ certificates_dir }}/{{ item }}" dest: "{{ kolla_certificates_dir }}/{{ item }}"
mode: "0660" mode: "0660"
with_items: with_items:
- "openssl-kolla.cnf" - "openssl-kolla.cnf"
- name: Creating external Key - name: Creating external Key
command: creates="{{ item }}" openssl genrsa -out {{ item }} command: creates="{{ item }}" openssl genrsa -out {{ item }}
with_items: with_items:
- "{{ certificates_dir }}/private/external/external.key" - "{{ kolla_certificates_dir }}/private/external/external.key"
- name: Setting permissions on external key - name: Setting permissions on external key
file: file:
path: "{{ certificates_dir }}/private/external/external.key" path: "{{ kolla_certificates_dir }}/private/external/external.key"
mode: "0660" mode: "0660"
state: file state: file
- name: Creating external Server Certificate - name: Creating external Server Certificate
command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \ command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \
-config {{ certificates_dir }}/openssl-kolla.cnf \ -config {{ kolla_certificates_dir }}/openssl-kolla.cnf \
-days 3650 \ -days 3650 \
-extensions v3_req \ -extensions v3_req \
-key {{ certificates_dir }}/private/external/external.key \ -key {{ kolla_certificates_dir }}/private/external/external.key \
-out {{ item }} -out {{ item }}
with_items: with_items:
- "{{ certificates_dir }}/private/external/external.crt" - "{{ kolla_certificates_dir }}/private/external/external.crt"
- name: Creating external CA Certificate File - name: Creating external CA Certificate File
copy: copy:
src: "{{ certificates_dir }}/private/external/external.crt" src: "{{ kolla_certificates_dir }}/private/external/external.crt"
dest: "{{ kolla_external_fqdn_cacert }}" dest: "{{ kolla_external_fqdn_cacert }}"
mode: "0660" mode: "0660"
- name: Creating external Server PEM File - name: Creating external Server PEM File
assemble: assemble:
src: "{{ certificates_dir }}/private/external" src: "{{ kolla_certificates_dir }}/private/external"
dest: "{{ kolla_external_fqdn_cert }}" dest: "{{ kolla_external_fqdn_cert }}"
mode: "0660" mode: "0660"
when: when:
@ -62,14 +74,14 @@
- block: - block:
- name: Copy the external certificate crt to be the internal when internal + external are same network - name: Copy the external certificate crt to be the internal when internal + external are same network
copy: copy:
src: "{{ certificates_dir }}/private/external/external.crt" src: "{{ kolla_certificates_dir }}/private/external/external.crt"
dest: "{{ certificates_dir }}/private/internal/internal.crt" dest: "{{ kolla_certificates_dir }}/private/internal/internal.crt"
remote_src: yes remote_src: yes
mode: "0660" mode: "0660"
- name: Copy the external certificate key to be the internal when internal + external are same network - name: Copy the external certificate key to be the internal when internal + external are same network
copy: copy:
src: "{{ certificates_dir }}/private/external/external.key" src: "{{ kolla_certificates_dir }}/private/external/external.key"
dest: "{{ certificates_dir }}/private/internal/internal.key" dest: "{{ kolla_certificates_dir }}/private/internal/internal.key"
remote_src: yes remote_src: yes
mode: "0660" mode: "0660"
- name: Copy the external PEM file to be the internal when internal + external are same network - name: Copy the external PEM file to be the internal when internal + external are same network
@ -93,38 +105,72 @@
- name: Creating internal SSL configuration file - name: Creating internal SSL configuration file
template: template:
src: "{{ item }}.j2" src: "{{ item }}.j2"
dest: "{{ certificates_dir }}/{{ item }}" dest: "{{ kolla_certificates_dir }}/{{ item }}"
mode: "0660" mode: "0660"
with_items: with_items:
- "openssl-kolla-internal.cnf" - "openssl-kolla-internal.cnf"
- name: Creating internal Key - name: Creating internal Key
command: creates="{{ item }}" openssl genrsa -out {{ item }} command: creates="{{ item }}" openssl genrsa -out {{ item }}
with_items: with_items:
- "{{ certificates_dir }}/private/internal/internal.key" - "{{ kolla_certificates_dir }}/private/internal/internal.key"
- name: Setting permissions on internal key - name: Setting permissions on internal key
file: file:
path: "{{ certificates_dir }}/private/internal/internal.key" path: "{{ kolla_certificates_dir }}/private/internal/internal.key"
mode: "0660" mode: "0660"
state: file state: file
- name: Creating internal Server Certificate - name: Creating internal Server Certificate
command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \ command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \
-config {{ certificates_dir }}/openssl-kolla-internal.cnf \ -config {{ kolla_certificates_dir }}/openssl-kolla-internal.cnf \
-days 3650 \ -days 3650 \
-extensions v3_req \ -extensions v3_req \
-key {{ certificates_dir }}/private/internal/internal.key \ -key {{ kolla_certificates_dir }}/private/internal/internal.key \
-out {{ item }} -out {{ item }}
with_items: with_items:
- "{{ certificates_dir }}/private/internal/internal.crt" - "{{ kolla_certificates_dir }}/private/internal/internal.crt"
- name: Creating internal CA Certificate File - name: Creating internal CA Certificate File
copy: copy:
src: "{{ certificates_dir }}/private/internal/internal.crt" src: "{{ kolla_certificates_dir }}/private/internal/internal.crt"
dest: "{{ kolla_internal_fqdn_cacert }}" dest: "{{ kolla_internal_fqdn_cacert }}"
mode: "0660" mode: "0660"
- name: Creating internal Server PEM File - name: Creating internal Server PEM File
assemble: assemble:
src: "{{ certificates_dir }}/private/internal" src: "{{ kolla_certificates_dir }}/private/internal"
dest: "{{ kolla_internal_fqdn_cert }}" dest: "{{ kolla_internal_fqdn_cert }}"
mode: "0660" mode: "0660"
when: when:
- kolla_enable_tls_internal | bool - kolla_enable_tls_internal | bool
- not kolla_same_external_internal_vip | bool - not kolla_same_external_internal_vip | bool
- block:
- name: Creating backend SSL configuration file
template:
src: "{{ item }}.j2"
dest: "{{ kolla_certificates_dir }}/{{ item }}"
mode: "0660"
with_items:
- "openssl-kolla-backend.cnf"
- name: Creating backend Key
command: creates="{{ item }}" openssl genrsa -out {{ item }}
with_items:
- "{{ kolla_tls_backend_key }}"
- name: Setting permissions on backend key
file:
path: "{{ kolla_tls_backend_key }}"
mode: "0660"
state: file
- name: Creating backend Server Certificate
command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \
-config {{ kolla_certificates_dir }}/openssl-kolla-backend.cnf \
-days 3650 \
-extensions v3_req \
-key {{ kolla_tls_backend_key }} \
-out {{ item }}
with_items:
- "{{ kolla_tls_backend_cert }}"
- name: Creating backend Certificate file to be included in container trusted ca-certificates
copy:
src: "{{ kolla_tls_backend_cert }}"
dest: "{{ kolla_certificates_dir }}/ca/backend-cert.crt"
mode: "0660"
when:
- kolla_enable_tls_backend | bool
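Review bot: `Creating backend Key` runs `openssl genrsa -out {{ item }}` with no key length, so the size depends on the controller's OpenSSL default (older releases produce 1024-bit keys); pin it, e.g. `command: creates="{{ item }}" openssl genrsa -out {{ item }} 4096`. The existing external and internal key tasks visible in this hunk share the omission. The key is also first written with the controller's umask and only tightened to `0660` by the following task, and with the default `kolla_tls_backend_key` it lands directly in `kolla_certificates_dir` rather than under `private/` like the other keys, so the `item | dirname` directory task applies `mode: "0770"` recursively to everything already in that directory. Generating it under `private/backend/` would match the existing layout and keep the recursive chmod scoped.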


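--- a/<PATH NOT SHOWN ON PAGE>
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -0,0 +1,18 @@
+[req]
+prompt = no
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+[req_distinguished_name]
+countryName = US
+stateOrProvinceName = NC
+localityName = RTP
+organizationalUnitName = kolla
+[v3_req]
+subjectAltName = @alt_names
+[alt_names]
+{% for host in groups['tls-backend']%}
+IP.{{ loop.index }} = {{ 'api' | kolla_address(host) }}
+{% endfor %}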
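Review bot: The certificate produced from this config is self-signed (`-x509` in the certificates role) and is then copied into the containers' trust stores as `ca/backend-cert.crt`, but `[v3_req]` sets only `subjectAltName`, so nothing marks it as an end-entity certificate. Anyone holding `backend-key.pem`, which this change distributes to every host running a backend service, could sign further certificates that chain to this trusted anchor. Add `basicConstraints = CA:FALSE`, `keyUsage = digitalSignature, keyEncipherment` and `extendedKeyUsage = serverAuth` under `[v3_req]` so the certificate is valid for server authentication only. The SAN list is IP-only and covers every `tls-backend` host; that matches how the `server` lines address backends, but it rules out hostname-based verification later.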


@ -13,3 +13,4 @@ haproxy_backend_http_extra: []
haproxy_backend_tcp_extra: [] haproxy_backend_tcp_extra: []
haproxy_health_check: "check inter 2000 rise 2 fall 5" haproxy_health_check: "check inter 2000 rise 2 fall 5"
haproxy_health_check_ssl: "check check-ssl inter 2000 rise 2 fall 5"


@ -10,7 +10,7 @@ userlist {{ service_name }}-user
{%- macro listen_macro(service_name, service_port, listen_port, {%- macro listen_macro(service_name, service_port, listen_port,
service_mode, external, service_mode, external,
haproxy_http_extra, haproxy_tcp_extra, host_group, haproxy_http_extra, haproxy_tcp_extra, host_group,
custom_member_list, auth_user, auth_pass) %} custom_member_list, auth_user, auth_pass, tls_backend) %}
listen {{ service_name }} listen {{ service_name }}
{% if service_mode == 'redirect' %} {% if service_mode == 'redirect' %}
mode http mode http
@ -59,10 +59,21 @@ listen {{ service_name }}
{{ custom_member }} {{ custom_member }}
{% endfor %} {% endfor %}
{% else %} {% else %}
{% set backend_tls_info = '' %}
{% if tls_backend|bool %}
{% set haproxy_health_check_final = haproxy_health_check_ssl %}
{% if kolla_verify_tls_backend|bool %}
{% set backend_tls_info = 'ssl verify required ca-file %s'|format(haproxy_backend_cacert) %}
{% else %}
{% set backend_tls_info = 'ssl verify none' %}
{% endif %}
{% else %}
{% set haproxy_health_check_final = haproxy_health_check %}
{% endif %}
{% for host in groups[host_group] %} {% for host in groups[host_group] %}
{% set host_name = hostvars[host]['ansible_hostname'] %} {% set host_name = hostvars[host]['ansible_hostname'] %}
{% set host_ip = 'api' | kolla_address(host) %} {% set host_ip = 'api' | kolla_address(host) %}
server {{ host_name }} {{ host_ip }}:{{ listen_port }} {{ haproxy_health_check }} server {{ host_name }} {{ host_ip }}:{{ listen_port }} {{ haproxy_health_check_final }} {{ backend_tls_info }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% endif %} {% endif %}
@ -86,6 +97,7 @@ listen {{ service_name }}
{# Additional options can be defined in config, and are additive to the global extras #} {# Additional options can be defined in config, and are additive to the global extras #}
{% set haproxy_tcp_extra = haproxy_service.frontend_tcp_extra|default([]) + haproxy_service.backend_tcp_extra|default([]) + haproxy_frontend_tcp_extra + haproxy_backend_tcp_extra %} {% set haproxy_tcp_extra = haproxy_service.frontend_tcp_extra|default([]) + haproxy_service.backend_tcp_extra|default([]) + haproxy_frontend_tcp_extra + haproxy_backend_tcp_extra %}
{% set haproxy_http_extra = haproxy_service.frontend_http_extra|default([]) + haproxy_service.backend_http_extra|default([]) + haproxy_frontend_http_extra + haproxy_backend_http_extra %} {% set haproxy_http_extra = haproxy_service.frontend_http_extra|default([]) + haproxy_service.backend_http_extra|default([]) + haproxy_frontend_http_extra + haproxy_backend_http_extra %}
{% set tls_backend = haproxy_service.tls_backend|default(false) %}
{# Allow for basic auth #} {# Allow for basic auth #}
{% set auth_user = haproxy_service.auth_user|default() %} {% set auth_user = haproxy_service.auth_user|default() %}
{% set auth_pass = haproxy_service.auth_pass|default() %} {% set auth_pass = haproxy_service.auth_pass|default() %}
@ -94,6 +106,6 @@ listen {{ service_name }}
{% endif %} {% endif %}
{{ listen_macro(haproxy_name, haproxy_service.port, listen_port, {{ listen_macro(haproxy_name, haproxy_service.port, listen_port,
mode, external, haproxy_http_extra, haproxy_tcp_extra, mode, external, haproxy_http_extra, haproxy_tcp_extra,
host_group, custom_member_list, auth_user, auth_pass) }} host_group, custom_member_list, auth_user, auth_pass, tls_backend) }}
{% endif %} {% endif %}
{%- endfor -%} {%- endfor -%}
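Review bot: `ssl verify required ca-file %s` in the new `backend_tls_info` branch validates the chain, but with neither `verifyhost` nor `sni` on the generated `server` line HAProxy does not check that the certificate was issued for that backend, and since `haproxy_backend_cacert` defaults to the full distro bundle, a certificate from any public CA would satisfy the check for any backend. Consider pointing `ca-file` at a file holding only the backend CA (this change already ships `ca/backend-cert.crt` to the HAProxy host) or adding `verifyhost` per server, keeping in mind the generated certificate carries only IP SANs. The same twelve-line block is duplicated in the backend template hunk at lines 308-329; a shared macro would keep the two in sync. The global section shown only restricts `ssl-default-bind-options`; unless `ssl-default-server-options` is set elsewhere, these outbound connections accept whatever protocol version the backend offers.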


@ -53,7 +53,7 @@ frontend {{ service_name }}_front
{%- macro backend_macro(service_name, listen_port, service_mode, host_group, {%- macro backend_macro(service_name, listen_port, service_mode, host_group,
custom_member_list, backend_http_extra, custom_member_list, backend_http_extra,
backend_tcp_extra, auth_user, auth_pass) %} backend_tcp_extra, auth_user, auth_pass, tls_backend) %}
backend {{ service_name }}_back backend {{ service_name }}_back
{% if service_mode == 'redirect' %} {% if service_mode == 'redirect' %}
mode http mode http
@ -79,10 +79,21 @@ backend {{ service_name }}_back
{{ custom_member }} {{ custom_member }}
{% endfor %} {% endfor %}
{% else %} {% else %}
{% set backend_tls_info = '' %}
{% if tls_backend|bool %}
{% set haproxy_health_check_final = haproxy_health_check_ssl %}
{% if kolla_verify_tls_backend|bool %}
{% set backend_tls_info = 'ssl verify required ca-file %s'|format(haproxy_backend_cacert) %}
{% else %}
{% set backend_tls_info = 'ssl verify none' %}
{% endif %}
{% else %}
{% set haproxy_health_check_final = haproxy_health_check %}
{% endif %}
{% for host in groups[host_group] %} {% for host in groups[host_group] %}
{% set host_name = hostvars[host]['ansible_hostname'] %} {% set host_name = hostvars[host]['ansible_hostname'] %}
{% set host_ip = 'api' | kolla_address(host) %} {% set host_ip = 'api' | kolla_address(host) %}
server {{ host_name }} {{ host_ip }}:{{ listen_port }} {{ haproxy_health_check }} server {{ host_name }} {{ host_ip }}:{{ listen_port }} {{ haproxy_health_check_final }} {{ backend_tls_info }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% endmacro %} {% endmacro %}
@ -107,6 +118,7 @@ backend {{ service_name }}_back
{% set backend_tcp_extra = haproxy_service.backend_tcp_extra|default([]) %} {% set backend_tcp_extra = haproxy_service.backend_tcp_extra|default([]) %}
{% set frontend_http_extra = haproxy_service.frontend_http_extra|default([]) + haproxy_frontend_http_extra %} {% set frontend_http_extra = haproxy_service.frontend_http_extra|default([]) + haproxy_frontend_http_extra %}
{% set backend_http_extra = haproxy_service.backend_http_extra|default([]) %} {% set backend_http_extra = haproxy_service.backend_http_extra|default([]) %}
{% set tls_backend = haproxy_service.tls_backend|default(false) %}
{# Allow for basic auth #} {# Allow for basic auth #}
{% set auth_user = haproxy_service.auth_user|default() %} {% set auth_user = haproxy_service.auth_user|default() %}
{% set auth_pass = haproxy_service.auth_pass|default() %} {% set auth_pass = haproxy_service.auth_pass|default() %}
@ -119,7 +131,7 @@ backend {{ service_name }}_back
{% if haproxy_service.mode != 'redirect' %} {% if haproxy_service.mode != 'redirect' %}
{{ backend_macro(haproxy_name, listen_port, mode, host_group, {{ backend_macro(haproxy_name, listen_port, mode, host_group,
custom_member_list, backend_http_extra, backend_tcp_extra, custom_member_list, backend_http_extra, backend_tcp_extra,
auth_user, auth_pass) }} auth_user, auth_pass, tls_backend) }}
{% endif %} {% endif %}
{% endif %} {% endif %}
{%- endfor -%} {%- endfor -%}


@ -125,6 +125,20 @@
notify: notify:
- Restart haproxy container - Restart haproxy container
- name: Copying over extra CA certificates
vars:
service: "{{ haproxy_services['haproxy'] }}"
become: true
copy:
src: "{{ kolla_certificates_dir }}/ca/"
dest: "{{ node_config_directory }}/haproxy/ca-certificates"
mode: "0644"
when:
- inventory_hostname in groups[service.group]
- kolla_copy_ca_into_containers | bool
notify:
- Restart haproxy container
- name: Copying over haproxy start script - name: Copying over haproxy start script
vars: vars:
service: "{{ haproxy_services['haproxy'] }}" service: "{{ haproxy_services['haproxy'] }}"
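Review bot: The CA copy into the HAProxy container directory is gated only on `kolla_copy_ca_into_containers | bool`, while `kolla_verify_tls_backend` defaults to `"yes"` and `kolla_copy_ca_into_containers` to `"no"` in group_vars; with those defaults, turning on `kolla_enable_tls_backend` with the generated self-signed `backend-cert.crt` leaves HAProxy without the CA (assuming the copied files are what feeds the container's bundle), so every `check-ssl` health check should fail verification. The keystone side widens its condition to `kolla_copy_ca_into_containers | bool or keystone_enable_tls_backend | bool`; the equivalent here is `- kolla_copy_ca_into_containers | bool or kolla_enable_tls_backend | bool`. If operators are instead expected to set both flags, say so in a comment beside `kolla_verify_tls_backend`.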


@ -18,6 +18,9 @@ global
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
tune.ssl.default-dh-param 4096 tune.ssl.default-dh-param 4096
{% endif %} {% endif %}
{% if kolla_enable_tls_internal | bool or kolla_enable_tls_external | bool %}
ca-base {{ haproxy_backend_cacert_dir }}
{% endif %}
defaults defaults
log global log global
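Review bot: `ca-base {{ haproxy_backend_cacert_dir }}` is emitted only when internal or external frontend TLS is enabled, but the relative `ca-file {{ haproxy_backend_cacert }}` that the listen/backend templates render is produced whenever a service sets `tls_backend`. With `kolla_enable_tls_backend: "yes"` and both frontend flags at their `"no"` defaults, HAProxy would look for `ca-certificates.crt` relative to its working directory and most likely refuse to start. Extend the guard: `{% if kolla_enable_tls_internal | bool or kolla_enable_tls_external | bool or kolla_enable_tls_backend | bool %}`.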


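--- a/<PATH NOT SHOWN ON PAGE>
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -14,18 +14,21 @@ keystone_services:
         enabled: "{{ enable_keystone }}"
         mode: "http"
         external: false
+        tls_backend: "{{ keystone_enable_tls_backend }}"
         port: "{{ keystone_public_port }}"
         listen_port: "{{ keystone_public_listen_port }}"
       keystone_external:
         enabled: "{{ enable_keystone }}"
         mode: "http"
         external: true
+        tls_backend: "{{ keystone_enable_tls_backend }}"
         port: "{{ keystone_public_port }}"
         listen_port: "{{ keystone_public_listen_port }}"
       keystone_admin:
         enabled: "{{ enable_keystone }}"
         mode: "http"
         external: false
+        tls_backend: "{{ keystone_enable_tls_backend }}"
         port: "{{ keystone_admin_port }}"
         listen_port: "{{ keystone_admin_listen_port }}"
   keystone-ssh:
@@ -141,3 +144,8 @@ keystone_ks_services:
       - {'interface': 'admin', 'url': '{{ keystone_admin_url }}'}
       - {'interface': 'internal', 'url': '{{ keystone_internal_url }}'}
       - {'interface': 'public', 'url': '{{ keystone_public_url }}'}
+####################
+# TLS
+####################
+keystone_enable_tls_backend: "{{ kolla_enable_tls_backend }}"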


@ -38,19 +38,9 @@
run_once: True run_once: True
register: keystone_domain_directory register: keystone_domain_directory
- name: Copying over extra CA certificates - include_tasks: copy-certs.yml
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when: when:
- item.value.enabled | bool - kolla_copy_ca_into_containers | bool or keystone_enable_tls_backend | bool
- inventory_hostname in groups[item.value.group]
- kolla_copy_ca_into_containers | bool
with_dict: "{{ keystone_services }}"
notify:
- "Restart {{ item.key }} container"
- name: Copying over config.json files for services - name: Copying over config.json files for services
template: template:


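--- a/<PATH NOT SHOWN ON PAGE>
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -0,0 +1,6 @@
+---
+- name: "Copy certificates and keys for {{ project_name }}"
+  import_role:
+    role: service-cert-copy
+  vars:
+    project_services: "{{ keystone_services }}"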


@ -34,7 +34,19 @@
"dest": "/etc/{{ keystone_dir }}/wsgi-keystone.conf", "dest": "/etc/{{ keystone_dir }}/wsgi-keystone.conf",
"owner": "keystone", "owner": "keystone",
"perm": "0600" "perm": "0600"
} }{% if keystone_enable_tls_backend | bool %},
{
"source": "{{ container_config_directory }}/keystone-cert.pem",
"dest": "/etc/keystone/certs/keystone-cert.pem",
"owner": "keystone",
"perm": "0600"
},
{
"source": "{{ container_config_directory }}/keystone-key.pem",
"dest": "/etc/keystone/certs/keystone-key.pem",
"owner": "keystone",
"perm": "0600"
}{% endif %}
], ],
"permissions": [ "permissions": [
{ {


@ -5,6 +5,9 @@
{% set python_path = '/var/lib/kolla/venv/lib/python' + distro_python_version + '/site-packages' %} {% set python_path = '/var/lib/kolla/venv/lib/python' + distro_python_version + '/site-packages' %}
{% endif %} {% endif %}
{% set binary_path = '/usr/bin' if keystone_install_type == 'binary' else '/var/lib/kolla/venv/bin' %} {% set binary_path = '/usr/bin' if keystone_install_type == 'binary' else '/var/lib/kolla/venv/bin' %}
{% if keystone_enable_tls_backend | bool %}
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
{% endif %}
Listen {{ api_interface_address | put_address_in_context('url') }}:{{ keystone_public_listen_port }} Listen {{ api_interface_address | put_address_in_context('url') }}:{{ keystone_public_listen_port }}
Listen {{ api_interface_address | put_address_in_context('url') }}:{{ keystone_admin_listen_port }} Listen {{ api_interface_address | put_address_in_context('url') }}:{{ keystone_admin_listen_port }}
@ -42,6 +45,12 @@ LogLevel info
ErrorLog "{{ keystone_log_dir }}/keystone-apache-public-error.log" ErrorLog "{{ keystone_log_dir }}/keystone-apache-public-error.log"
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
CustomLog "{{ keystone_log_dir }}/keystone-apache-public-access.log" logformat CustomLog "{{ keystone_log_dir }}/keystone-apache-public-access.log" logformat
{% if keystone_enable_tls_backend | bool %}
SSLEngine on
SSLCertificateFile /etc/keystone/certs/keystone-cert.pem
SSLCertificateKeyFile /etc/keystone/certs/keystone-key.pem
{% endif %}
</VirtualHost> </VirtualHost>
<VirtualHost *:{{ keystone_admin_listen_port }}> <VirtualHost *:{{ keystone_admin_listen_port }}>
@ -56,4 +65,10 @@ LogLevel info
ErrorLog "{{ keystone_log_dir }}/keystone-apache-admin-error.log" ErrorLog "{{ keystone_log_dir }}/keystone-apache-admin-error.log"
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
CustomLog "{{ keystone_log_dir }}/keystone-apache-admin-access.log" logformat CustomLog "{{ keystone_log_dir }}/keystone-apache-admin-access.log" logformat
{% if keystone_enable_tls_backend | bool %}
SSLEngine on
SSLCertificateFile /etc/keystone/certs/keystone-cert.pem
SSLCertificateKeyFile /etc/keystone/certs/keystone-key.pem
{% endif %}
</VirtualHost> </VirtualHost>
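Review bot: The new `SSLEngine on` stanzas in both vhosts set only the certificate and key, so protocol and cipher selection fall to the image's mod_ssl defaults, whereas the HAProxy frontend in this same change pins `no-sslv3 no-tlsv10 no-tlsv11`. Add `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` next to each `SSLEngine on` so the backend leg is not weaker than the frontend. `LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so` is a Debian-family path; if this template also renders for RHEL-family images (the distro switch at the top of the file is outside the hunk), confirm how mod_ssl is loaded there.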


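--- a/<PATH NOT SHOWN ON PAGE>
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -0,0 +1,54 @@
+---
+- name: "{{ project_name }} | Copying over extra CA certificates"
+  become: true
+  copy:
+    src: "{{ kolla_certificates_dir }}/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ project_services | select_services_enabled_and_mapped_to_host }}"
+  notify:
+    - "Restart {{ item.key }} container"
+- name: "{{ project_name }} | Copying over backend internal TLS certificate"
+  vars:
+    certs:
+      - "{{ kolla_certificates_dir }}/{{ inventory_hostname }}/{{ project_name }}-cert.pem"
+      - "{{ kolla_certificates_dir }}/{{ inventory_hostname }}-cert.pem"
+      - "{{ kolla_certificates_dir }}/{{ project_name }}-cert.pem"
+      - "{{ kolla_tls_backend_cert }}"
+    backend_tls_cert: "{{ lookup('first_found', certs) }}"
+  copy:
+    src: "{{ backend_tls_cert }}"
+    dest: "{{ node_config_directory }}/{{ item.key }}/{{ project_name }}-cert.pem"
+    mode: "0644"
+  become: true
+  when:
+    - item.value.haproxy is defined
+    - item.value.haproxy.values() | selectattr('enabled', 'defined') | map(attribute='enabled') | map('bool') | select | list | length > 0
+    - item.value.haproxy.values() | selectattr('tls_backend', 'defined') | map(attribute='tls_backend') | map('bool') | select | list | length > 0
+  with_dict: "{{ project_services | select_services_enabled_and_mapped_to_host }}"
+  notify:
+    - "Restart {{ item.key }} container"
+- name: "{{ project_name }} | Copying over backend internal TLS key"
+  vars:
+    keys:
+      - "{{ kolla_certificates_dir }}/{{ inventory_hostname }}/{{ project_name }}-key.pem"
+      - "{{ kolla_certificates_dir }}/{{ inventory_hostname }}-key.pem"
+      - "{{ kolla_certificates_dir }}/{{ project_name }}-key.pem"
+      - "{{ kolla_tls_backend_key }}"
+    backend_tls_key: "{{ lookup('first_found', keys) }}"
+  copy:
+    src: "{{ backend_tls_key }}"
+    dest: "{{ node_config_directory }}/{{ item.key }}/{{ project_name }}-key.pem"
+    mode: "0600"
+  become: true
+  when:
+    - item.value.haproxy is defined
+    - item.value.haproxy.values() | selectattr('enabled', 'defined') | map(attribute='enabled') | map('bool') | select | list | length > 0
+    - item.value.haproxy.values() | selectattr('tls_backend', 'defined') | map(attribute='tls_backend') | map('bool') | select | list | length > 0
+  with_dict: "{{ project_services | select_services_enabled_and_mapped_to_host }}"
+  notify:
+    - "Restart {{ item.key }} container"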
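Review bot: The `first_found` candidate lists establish a four-level precedence (per-host directory, per-host file, per-project file, then the global `kolla_tls_backend_cert`/`kolla_tls_backend_key`) that nothing in the role documents, and the two `when` filter chains are dense enough to deserve a line each. Suggest a comment above `certs:` such as `# Most specific match wins: <host>/<project>-cert.pem, <host>-cert.pem, <project>-cert.pem, then kolla_tls_backend_cert.` and above the conditions `# Only for services with at least one enabled haproxy entry that sets tls_backend.`. Copying the key with `mode: "0600"` under `become: true` is right; the certificate copy could use the same mode rather than `0644`, since the container-side config.json applies its own owner and perm anyway.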


@ -99,12 +99,12 @@ The default for TLS is disabled, to enable TLS networking:
.. code-block:: yaml .. code-block:: yaml
kolla_enable_tls_external: "yes" kolla_enable_tls_external: "yes"
kolla_external_fqdn_cert: "{{ node_config }}/certificates/mycert.pem" kolla_external_fqdn_cert: "{{ kolla_certificates_dir }}/mycert.pem"
and/or and/or
kolla_enable_tls_internal: "yes" kolla_enable_tls_internal: "yes"
kolla_internal_fqdn_cert: "{{ node_config }}/certificates/mycert-internal.pem" kolla_internal_fqdn_cert: "{{ kolla_certificates_dir }}/mycert-internal.pem"
.. note:: .. note::
@ -181,7 +181,7 @@ service containers to enable trust for those CA certificates. This is required
for any certificates that are either self-signed or signed by a private CA, for any certificates that are either self-signed or signed by a private CA,
and are not already present in the service image trust store. and are not already present in the service image trust store.
All certificate file names will have the "kolla-customca-" prefix appended to All certificate file names will have the "kolla-customca-" prefix prepended to
it when it is copied into the containers. For example, if a certificate file is it when it is copied into the containers. For example, if a certificate file is
named "internal.crt", it will be named "kolla-customca-internal.crt" in the named "internal.crt", it will be named "kolla-customca-internal.crt" in the
containers. containers.
@ -192,6 +192,11 @@ the ``/usr/local/share/ca-certificates/`` directory.
For Centos and Red Hat Linux containers, the certificate files will be copied For Centos and Red Hat Linux containers, the certificate files will be copied
to the ``/etc/pki/ca-trust/source/anchors/`` directory. to the ``/etc/pki/ca-trust/source/anchors/`` directory.
In addition, the ``openstack_cacert`` should be configured with the path to
the cacert in the container. For example, if the self-signed certificate task
was used and the deployment is on ubuntu, the path would be:
"/etc/pki/ca-trust/source/anchors/kolla-customca-haproxy-internal.crt"
.. _service-config: .. _service-config:
OpenStack Service Configuration in Kolla OpenStack Service Configuration in Kolla


@ -184,11 +184,18 @@
# allow clients to perform authentication. # allow clients to perform authentication.
#kolla_enable_tls_internal: "no" #kolla_enable_tls_internal: "no"
#kolla_enable_tls_external: "{{ kolla_enable_tls_internal if kolla_same_external_internal_vip | bool else 'no' }}" #kolla_enable_tls_external: "{{ kolla_enable_tls_internal if kolla_same_external_internal_vip | bool else 'no' }}"
#kolla_external_fqdn_cert: "{{ node_config }}/certificates/haproxy.pem" #kolla_certificates_dir: "{{ node_config }}/certificates"
#kolla_internal_fqdn_cert: "{{ node_config }}/certificates/haproxy-internal.pem" #kolla_external_fqdn_cert: "{{ kolla_certificates_dir }}/haproxy.pem"
#kolla_external_fqdn_cacert: "{{ node_config }}/certificates/ca/haproxy.crt" #kolla_internal_fqdn_cert: "{{ kolla_certificates_dir }}/haproxy-internal.pem"
#kolla_internal_fqdn_cacert: "{{ node_config }}/certificates/ca/haproxy-internal.crt" #kolla_external_fqdn_cacert: "{{ kolla_certificates_dir }}/ca/haproxy.crt"
#kolla_internal_fqdn_cacert: "{{ kolla_certificates_dir }}/ca/haproxy-internal.crt"
#kolla_copy_ca_into_containers: "no" #kolla_copy_ca_into_containers: "no"
#kolla_verify_tls_backend: "yes"
#haproxy_backend_cacert: "{{ 'ca-certificates.crt' if kolla_base_distro in ['debian', 'ubuntu'] else 'ca-bundle.trust.crt' }}"
#haproxy_backend_cacert_dir: "/etc/ssl/certs"
#kolla_enable_tls_backend: "no"
#kolla_tls_backend_cert: "{{ kolla_certificates_dir }}/backend-cert.pem"
#kolla_tls_backend_key: "{{ kolla_certificates_dir }}/backend-key.pem"
################ ################
# Region options # Region options


@ -12,10 +12,8 @@ features:
issues: issues:
- | - |
Python <= 2.7.9 will not trust self-signed or privately signed CAs even Python Requests library will not trust self-signed or privately signed CAs
if they are added into the OS trusted CA folder and update-ca-trust is even if they are added into the OS trusted CA folder and update-ca-trust is
executed. This is also true for the Python Requests library, regardless of executed. For services that rely on the Python Requests library, either CA
Python version. For services that run Python <= 2.7.9 or rely on the verification must be explicitly disabled in the service or the path to the
Python Requests library, either CA verification must be explicitly disabled CA certificate must be configured using the ``openstack_cacert`` parameter.
in the service or the path to the CA certificate must be configured using
the ``openstack_cacert`` parameter.


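--- a/<PATH NOT SHOWN ON PAGE>
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Added configuration options to enable backend TLS encryption from HAProxy
+    to the Keystone service. When used in conjunction with enabling TLS for
+    service API endpoints, network communcation will be encrypted end to end,
+    from client through HAProxy to the Keystone service.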


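--- a/<PATH NOT SHOWN ON PAGE>
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -16,6 +16,8 @@ function check_config {
     for f in $(sudo find /etc/kolla \
             -not -regex /etc/kolla/config.* \
             -not -regex /etc/kolla/certificates.* \
+            -not -regex .*pem \
+            -not -regex .*key \
             -not -regex ".*ca-certificates.*" \
             -not -path /etc/kolla \
             -not -name admin-openrc.sh \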
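Review bot: The two new exclusions `-not -regex .*pem` and `-not -regex .*key` drop every file ending in `pem` or `key` from whatever `check_config` asserts about the remaining files, and that now includes the backend private keys this change places under the node config directory. If the loop checks ownership and mode, those keys are the files most worth keeping in scope; consider excluding only the certificates, e.g. `-not -regex '.*-cert\.pem'`, and asserting `0600` on the keys explicitly. The enclosing `check_config` function continues outside the hunk.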


@ -117,8 +117,8 @@ ceph_nova_user: "cinder"
{% if tls_enabled %} {% if tls_enabled %}
kolla_enable_tls_external: "yes" kolla_enable_tls_external: "yes"
kolla_enable_tls_internal: "yes" kolla_enable_tls_internal: "yes"
kolla_verify_internal_ca_certs: "no"
kolla_copy_ca_into_containers: "yes" kolla_copy_ca_into_containers: "yes"
kolla_enable_tls_backend: "yes"
{% if base_distro == "ubuntu" or base_distro == "debian" %} {% if base_distro == "ubuntu" or base_distro == "debian" %}
openstack_cacert: "/usr/local/share/ca-certificates/kolla-customca-haproxy-internal.crt" openstack_cacert: "/usr/local/share/ca-certificates/kolla-customca-haproxy-internal.crt"
{% endif %} {% endif %}


@ -53,6 +53,9 @@ compute
storage storage
monitoring monitoring
[tls-backend:children]
control
# You can explicitly specify which hosts run each project by updating the # You can explicitly specify which hosts run each project by updating the
# groups in the sections below. Common services are grouped together. # groups in the sections below. Common services are grouped together.
[chrony-server:children] [chrony-server:children]