fd7509cd43
The external PKI role can generate a self signed CA and Intermediate certificate, and then create a server certificate for haproxy if no defaults are overridden. The new openstack_pki_* settings allow an external self signed CA to be used, but still create valid haproxy server certificates from that external CA in an openstack-ansible deployment. The original beheviour providing user supplied certificates in the haproxy_user_ssl_* variables will still work, disabling the generation of certificates but using the external PKI role to just install the supplied certs and keys. Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/788031 Change-Id: I7482f55e991bacd9dccd2748c236dcd9d01124f3
69 lines
2.5 KiB
YAML
69 lines
2.5 KiB
YAML
---
|
|
# Copyright 2014, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
- name: Gather variables for each operating system
|
|
include_vars: "{{ item }}"
|
|
with_first_found:
|
|
- "{{ ansible_facts['distribution'] | lower }}-{{ ansible_facts['distribution_version'] | lower }}.yml"
|
|
- "{{ ansible_facts['distribution'] | lower }}.yml"
|
|
- "{{ ansible_facts['os_family'] | lower }}-{{ ansible_facts['distribution_version'].split('.')[0] }}.yml"
|
|
- "{{ ansible_facts['os_family'] | lower }}.yml"
|
|
tags:
|
|
- always
|
|
|
|
- import_tasks: haproxy_pre_install.yml
|
|
tags:
|
|
- haproxy_server-install
|
|
|
|
- import_tasks: haproxy_install.yml
|
|
tags:
|
|
- haproxy_server-install
|
|
|
|
#NOTE (jrosser) the self signed certificate is also needed for bootstrapping
|
|
#letsencrypt, as haproxy will not start with ssl config but a missing certificate
|
|
- name: Create and install SSL certificates
|
|
include_role:
|
|
name: pki
|
|
vars:
|
|
pki_setup_host: "{{ haproxy_pki_setup_host }}"
|
|
pki_dir: "{{ haproxy_pki_dir }}"
|
|
pki_create_ca: "{{ haproxy_pki_create_ca }}"
|
|
pki_authorities: "{{ haproxy_pki_authorities }}"
|
|
pki_install_ca: "{{ haproxy_pki_install_ca }}"
|
|
pki_create_certificates: "{{ haprpxy_user_ssl_cert is not defined and haproxy_user_ssl_key is not defined }}"
|
|
pki_certificates: "{{ haproxy_pki_certificates }}"
|
|
pki_install_certificates: "{{ haproxy_pki_install_certificates }}"
|
|
when:
|
|
- haproxy_ssl | bool
|
|
- haproxy_user_ssl_cert is not defined or haproxy_user_ssl_key is not defined
|
|
|
|
- import_tasks: haproxy_post_install.yml
|
|
tags:
|
|
- haproxy_server-config
|
|
|
|
# NOTE(jrosser) we must reload the haproxy config before doing the first time certbot setup to ensure the letsencypt backend is configured
|
|
- meta: flush_handlers
|
|
|
|
- include_tasks: haproxy_ssl_letsencrypt.yml
|
|
when:
|
|
- haproxy_ssl | bool
|
|
- haproxy_ssl_letsencrypt_enable | bool
|
|
- haproxy_user_ssl_cert is not defined or haproxy_user_ssl_key is not defined
|
|
args:
|
|
apply:
|
|
tags:
|
|
- haproxy_server-config
|
|
- letsencrypt
|