From 9223deeecd5a6c6efa238463962ea8604d4ce103 Mon Sep 17 00:00:00 2001
From: caoyuan
Date: Tue, 20 Mar 2018 20:31:24 +0800
Subject: [PATCH] Use correct variable for default certificate paths

The variable {{ node_config_directory }} is used for the configuration directory on the remote hosts, and should not be used for paths on the deploy host (localhost). This changes the default value of the TLS certificate and CA file to reference {{ CONFIG_DIR }}, in line with the directory used for admin-openrc.sh (as of I0709482ead4b7a67e82796e17f85bde151e71bc0). This change also introduces a variable, {{ node_config }}, that references {{ CONFIG_DIR | default('/etc/kolla') }}, to remove duplication.

Change-Id: Ibd82ac78630ebfff5824c329d7399e1e900c0ee0
Closes-Bug: #1804025
---
 ansible/group_vars/all.yml | 7 ++++--
 ansible/post-deploy.yml | 2 +-
 ansible/roles/certificates/defaults/main.yml | 3 +++
 ansible/roles/certificates/tasks/generate.yml | 24 +++++++++----------
 ansible/roles/keystone/tasks/precheck.yml | 2 +-
 .../roles/prechecks/tasks/service_checks.yml | 2 +-
 doc/source/admin/advanced-configuration.rst | 2 +-
 etc/kolla/globals.yml | 2 +-
 .../notes/cert-path-65943386e62f1a8c.yaml | 9 +++++++
 9 files changed, 33 insertions(+), 20 deletions(-)
 create mode 100644 ansible/roles/certificates/defaults/main.yml
 create mode 100644 releasenotes/notes/cert-path-65943386e62f1a8c.yaml

diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index c6c94284b5..f6dd7c3628 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -6,6 +6,9 @@
 # again. Persistent files allow for idempotency
 container_config_directory: "/var/lib/kolla/config_files"
+# The directory on the deploy host containing globals.yml.
+node_config: "{{ CONFIG_DIR | default('/etc/kolla') }}"
+
 # The directory to merge custom config files the kolla's config files
 node_custom_config: "/etc/kolla/config"
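Review bot: The comment added above `node_config` does not say how it differs from the existing `node_config_directory` (the remote-host config directory, per the commit message and the old lines in the next hunk of this file), and the two names differ by a single word even though one is a deploy-host path and the other a target-host path — exactly the mix-up this patch is fixing. A reader of all.yml alone will not see the distinction. Suggest extending the comment to `# The directory on the deploy host (localhost) containing globals.yml.` followed by `# Not to be confused with node_config_directory, the config directory on the target hosts.`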
@@ -621,8 +624,8 @@ qdrouterd_user: "openstack"
 haproxy_user: "openstack"
 haproxy_enable_external_vip: "{{ 'no' if kolla_external_vip_address == kolla_internal_vip_address else 'yes' }}"
 kolla_enable_tls_external: "no"
-kolla_external_fqdn_cert: "{{ node_config_directory }}/certificates/haproxy.pem"
-kolla_external_fqdn_cacert: "{{ node_config_directory }}/certificates/haproxy-ca.crt"
+kolla_external_fqdn_cert: "{{ node_config }}/certificates/haproxy.pem"
+kolla_external_fqdn_cacert: "{{ node_config }}/certificates/haproxy-ca.crt"
 ####################
diff --git a/ansible/post-deploy.yml b/ansible/post-deploy.yml
index 2e1f9ef97d..ae95aabcb6 100644
--- a/ansible/post-deploy.yml
+++ b/ansible/post-deploy.yml
@@ -5,5 +5,5 @@
 tasks:
 - template:
 src: "roles/common/templates/admin-openrc.sh.j2"
- dest: "{{ CONFIG_DIR | default('/etc/kolla') }}/admin-openrc.sh"
+ dest: "{{ node_config }}/admin-openrc.sh"
 run_once: True
diff --git a/ansible/roles/certificates/defaults/main.yml b/ansible/roles/certificates/defaults/main.yml
new file mode 100644
index 0000000000..a741e6a32a
--- /dev/null
+++ b/ansible/roles/certificates/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+# Directory on deploy node (localhost) in which certificates are generated.
+certificates_dir: "{{ node_config }}/certificates"
diff --git a/ansible/roles/certificates/tasks/generate.yml b/ansible/roles/certificates/tasks/generate.yml
index 3ca4809d3f..0e7db0c5a9 100644
--- a/ansible/roles/certificates/tasks/generate.yml
+++ b/ansible/roles/certificates/tasks/generate.yml
@@ -2,17 +2,15 @@
 - name: Ensuring config directories exist
 become: true
 file:
- path: "{{ node_config_directory }}/{{ item }}"
+ path: "{{ certificates_dir }}/private"
 state: "directory"
 recurse: yes
- with_items:
- - "certificates/private"
 - name: Creating SSL configuration file
 become: true
 template:
 src: "{{ item }}.j2"
- dest: "{{ node_config_directory }}/certificates/{{ item }}"
+ dest: "{{ certificates_dir }}/{{ item }}"
 with_items:
 - "openssl-kolla.cnf"
@@ -20,12 +18,12 @@
 become: true
 command: creates="{{ item }}" openssl genrsa -out {{ item }}
 with_items:
- - "{{ node_config_directory }}/certificates/private/haproxy.key"
+ - "{{ certificates_dir }}/private/haproxy.key"
 - name: Setting permissions on key
 become: true
 file:
- path: "{{ node_config_directory }}/certificates/private/haproxy.key"
+ path: "{{ certificates_dir }}/certificates/private/haproxy.key"
 mode: 0600
 state: file
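Review bot: The `Setting permissions on key` task in the second hunk uses `path: "{{ certificates_dir }}/certificates/private/haproxy.key"`, but `certificates_dir` is already `{{ node_config }}/certificates` (new defaults/main.yml in this patch), so this resolves to `.../certificates/certificates/private/haproxy.key` — a path the preceding `openssl genrsa` task never writes, since it uses `{{ certificates_dir }}/private/haproxy.key`, as do the `-key` argument and the other paths in the next hunk. With `state: file`, the `file` module should error on the missing path, so the run stops before `mode: 0600` is ever applied to the freshly generated private key; if that task were ever made non-fatal the key would silently keep whatever mode `openssl genrsa` gave it. Change the line to `path: "{{ certificates_dir }}/private/haproxy.key"`.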
@@ -33,23 +31,23 @@
 become: true
 command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \
 -subj "/C=US/ST=NC/L=RTP/O=kolla/CN={{ kolla_external_fqdn }}" \
- -config {{ node_config_directory }}/certificates/openssl-kolla.cnf \
+ -config {{ certificates_dir }}/openssl-kolla.cnf \
 -days 3650 \
 -extensions v3_req \
- -key {{ node_config_directory }}/certificates/private/haproxy.key \
+ -key {{ certificates_dir }}/private/haproxy.key \
 -out {{ item }}
 with_items:
- - "{{ node_config_directory }}/certificates/private/haproxy.crt"
+ - "{{ certificates_dir }}/private/haproxy.crt"
 - name: Creating CA Certificate File
 become: true
 copy:
- src: "{{ node_config_directory }}/certificates/private/haproxy.crt"
- dest: "{{ node_config_directory }}/certificates/haproxy-ca.crt"
+ src: "{{ certificates_dir }}/private/haproxy.crt"
+ dest: "{{ kolla_external_fqdn_cacert }}"
 - name: Creating Server PEM File
 become: true
 assemble:
- src: "{{ node_config_directory }}/certificates/private"
- dest: "{{ node_config_directory }}/certificates/haproxy.pem"
+ src: "{{ certificates_dir }}/private"
+ dest: "{{ kolla_external_fqdn_cert }}"
 mode: 0600
diff --git a/ansible/roles/keystone/tasks/precheck.yml b/ansible/roles/keystone/tasks/precheck.yml
index 3df21a2d4e..53c268c793 100644
--- a/ansible/roles/keystone/tasks/precheck.yml
+++ b/ansible/roles/keystone/tasks/precheck.yml
@@ -44,7 +44,7 @@
 - name: Checking fernet_token_expiry in globals.yml. Update fernet_token_expiry to allowed value if this task fails
 run_once: true
- local_action: command awk '/^fernet_token_expiry/ { print $2 }' "{{ CONFIG_DIR | default('/etc/kolla') }}/globals.yml"
+ local_action: command awk '/^fernet_token_expiry/ { print $2 }' "{{ node_config }}/globals.yml"
 register: result
 changed_when: false
 failed_when: result.stdout | regex_replace('(60|120|180|240|300|360|600|720|900|1200|1800|3600|7200|10800|14400|21600|28800|43200|86400|604800)', '') | search(".+")
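Review bot: The `copy` and `assemble` tasks in this hunk now write to `{{ kolla_external_fqdn_cacert }}` and `{{ kolla_external_fqdn_cert }}`, which are operator-settable variables (globals.yml and the docs in this same patch show them being overridden), whereas the old code always wrote to fixed names under the certificates directory. If an operator has pointed those variables at a CA-issued certificate they supplied themselves and later runs the certificates playbook, the self-signed `haproxy.crt` and the assembled PEM — which, per the `src: "{{ certificates_dir }}/private"` line, also contains the private key — will overwrite that material in place; unlike the `openssl req` task above them, which is guarded by `creates="{{ item }}"`, neither task checks whether the destination already exists. Consider keeping the generator's outputs at fixed paths, `dest: "{{ certificates_dir }}/haproxy-ca.crt"` and `dest: "{{ certificates_dir }}/haproxy.pem"` (which match the all.yml defaults in this patch), and leaving the two variables as the consumer-side lookup, or at least adding an existence guard so operator-provided files are not replaced.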
diff --git a/ansible/roles/prechecks/tasks/service_checks.yml b/ansible/roles/prechecks/tasks/service_checks.yml
index d40d13b8da..e671ea4e2c 100644
--- a/ansible/roles/prechecks/tasks/service_checks.yml
+++ b/ansible/roles/prechecks/tasks/service_checks.yml
@@ -11,7 +11,7 @@
 # will pass, but only because nothing in the vault file has the format of a
 # YAML dict item.
 - name: Checking empty passwords in passwords.yml. Run kolla-genpwd if this task fails
- local_action: command grep '^[^#].*:\s*$' "{{ CONFIG_DIR | default('/etc/kolla') }}/passwords.yml"
+ local_action: command grep '^[^#].*:\s*$' "{{ node_config }}/passwords.yml"
 run_once: True
 register: result
 changed_when: false
diff --git a/doc/source/admin/advanced-configuration.rst b/doc/source/admin/advanced-configuration.rst
index 501b2d8605..13d327fc99 100644
--- a/doc/source/admin/advanced-configuration.rst
+++ b/doc/source/admin/advanced-configuration.rst
@@ -92,7 +92,7 @@ The default for TLS is disabled, to enable TLS networking:
 .. code-block:: yaml
 kolla_enable_tls_external: "yes"
- kolla_external_fqdn_cert: "{{ node_config_directory }}/certificates/mycert.pem"
+ kolla_external_fqdn_cert: "{{ node_config }}/certificates/mycert.pem"
 .. note::
diff --git a/etc/kolla/globals.yml b/etc/kolla/globals.yml
index 8244143758..16e4ee7cc2 100644
--- a/etc/kolla/globals.yml
+++ b/etc/kolla/globals.yml
@@ -151,7 +151,7 @@ kolla_internal_vip_address: "10.10.10.254"
 # TLS can be enabled. When TLS is enabled, certificates must be provided to
 # allow clients to perform authentication.
 #kolla_enable_tls_external: "no"
-#kolla_external_fqdn_cert: "{{ node_config_directory }}/certificates/haproxy.pem"
+#kolla_external_fqdn_cert: "{{ node_config }}/certificates/haproxy.pem"
 ##############
diff --git a/releasenotes/notes/cert-path-65943386e62f1a8c.yaml b/releasenotes/notes/cert-path-65943386e62f1a8c.yaml
new file mode 100644
index 0000000000..033e74c46a
--- /dev/null
+++ b/releasenotes/notes/cert-path-65943386e62f1a8c.yaml
@@ -0,0 +1,9 @@
+---
+upgrade:
+ - |
+ Changes the default path for certificates generated via ``kolla-ansible
+ certificates`` from ``{[ node_config_directory }}/certificates`` to
+ ``{{ node_config }}``. ``{{ node_config }}`` is the directory containing
+ ``globals.yml``, which by default is ``/etc/kolla/``. This makes
+ certificates consistent with other locally generated files, such as
+ ``admin-openrc.sh``.