From e0e213efce5e195e93812d088b045d893495c771 Mon Sep 17 00:00:00 2001
From: Damian Dabrowski
Date: Fri, 14 Apr 2023 23:01:26 +0200
Subject: [PATCH] Add TLS support to gnocchi backends

By overriding the variable `gnocchi_backend_ssl: True` HTTPS will be enabled, disabling HTTP support on the gnocchi backend api. The ansible-role-pki is used to generate the required TLS certificates if this functionality is enabled.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085
Change-Id: Ie2c824052b0024d440b20febb34b6bde22f4fac2
---
 defaults/main.yml | 52 +++++++++++++++++++++++++++++++++++++++++++++++
 handlers/main.yml | 2 ++
 tasks/main.yml | 20 ++++++++++++++++++
 3 files changed, 74 insertions(+)
diff --git a/defaults/main.yml b/defaults/main.yml
index 032788f..437652c 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -143,6 +143,9 @@ gnocchi_service_in_ldap: "{{ service_ldap_backend_enabled | default(False) }}"
 gnocchi_wsgi_threads: 1
 gnocchi_wsgi_processes_max: 16
 gnocchi_wsgi_processes: "{{ [[(ansible_facts['processor_vcpus']//ansible_facts['processor_threads_per_core'])|default(1), 1] | max * 2, gnocchi_wsgi_processes_max] | min }}"
+gnocchi_uwsgi_tls:
+ crt: "{{ gnocchi_ssl_cert }}"
+ key: "{{ gnocchi_ssl_key }}"
 gnocchi_metricd_workers_max: 16
 gnocchi_metricd_workers: "{{ [[(ansible_facts['processor_vcpus']//ansible_facts['processor_threads_per_core'])|default(1), 1] | max * 2, gnocchi_metricd_workers_max] | min }}"
@@ -163,6 +166,7 @@ gnocchi_services:
 uwsgi_bind_address: "{{ gnocchi_service_address }}"
 uwsgi_port: "{{ gnocchi_service_port }}"
 uwsgi_overrides: "{{ gnocchi_uwsgi_conf_overrides }}"
+ uwsgi_tls: "{{ gnocchi_backend_ssl | ternary(gnocchi_uwsgi_tls, {}) }}"
 gnocchi-metricd:
 group: "gnocchi_metricd"
 service_name: "gnocchi-metricd"
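Review bot: `gnocchi_uwsgi_tls` is added without a comment, unlike the TLS defaults this commit appends at the end of the same file, so a reader of this section cannot tell that the mapping is inert unless `gnocchi_backend_ssl` is true. Two lines above it would close the gap: `# Certificate/key pair passed to the uwsgi service definition; only used` / `# when gnocchi_backend_ssl is true (see the Backend TLS section below).` The `gnocchi_ssl_cert` and `gnocchi_ssl_key` values it references are defined some seventy lines further down, which the pointer in the comment covers.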
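Review bot: `gnocchi_backend_ssl | ternary(gnocchi_uwsgi_tls, {})` assumes `gnocchi_backend_ssl` arrives as a real boolean, but it is defined later in this commit as the templated string `"{{ openstack_service_backend_ssl | default(False) }}"`; a deployer override such as `openstack_service_backend_ssl: "no"` is presumably passed through as a non-empty string, which `ternary` treats as true, so the backend would be switched to TLS unintentionally. Normalising first avoids that: `uwsgi_tls: "{{ (gnocchi_backend_ssl | bool) | ternary(gnocchi_uwsgi_tls, {}) }}"`. The `when: - gnocchi_backend_ssl` guard on the new include in tasks/main.yml has the same exposure and can take `| bool` the same way.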
@@ -211,3 +215,51 @@ gnocchi_policy_git_file_path: "gnocchi/rest/policy.json"
 gnocchi_api_paste_ini_overrides: {}
 gnocchi_conf_overrides: {}
 gnocchi_policy_overrides: {}
+
+###
+### Backend TLS
+###
+
+# Define if communication between haproxy and service backends should be
+# encrypted with TLS.
+gnocchi_backend_ssl: "{{ openstack_service_backend_ssl | default(False) }}"
+
+# Storage location for SSL certificate authority
+gnocchi_pki_dir: "{{ openstack_pki_dir | default('/etc/openstack_deploy/pki') }}"
+
+# Delegated host for operating the certificate authority
+gnocchi_pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}"
+
+# gnocchi server certificate
+gnocchi_pki_keys_path: "{{ gnocchi_pki_dir ~ '/certs/private/' }}"
+gnocchi_pki_certs_path: "{{ gnocchi_pki_dir ~ '/certs/certs/' }}"
+gnocchi_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name | default('ExampleCorpIntermediate') }}"
+gnocchi_pki_regen_cert: ''
+gnocchi_pki_san: "{{ openstack_pki_san | default('DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ management_address) }}"
+gnocchi_pki_certificates:
+ - name: "gnocchi_{{ ansible_facts['hostname'] }}"
+ provider: ownca
+ cn: "{{ ansible_facts['hostname'] }}"
+ san: "{{ gnocchi_pki_san }}"
+ signed_by: "{{ gnocchi_pki_intermediate_cert_name }}"
+
+# gnocchi destination files for SSL certificates
+gnocchi_ssl_cert: /etc/gnocchi/gnocchi.pem
+gnocchi_ssl_key: /etc/gnocchi/gnocchi.key
+
+# Installation details for SSL certificates
+gnocchi_pki_install_certificates:
+ - src: "{{ gnocchi_user_ssl_cert | default(gnocchi_pki_certs_path ~ 'gnocchi_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}"
+ dest: "{{ gnocchi_ssl_cert }}"
+ owner: "{{ gnocchi_system_user_name }}"
+ group: "{{ gnocchi_system_user_name }}"
+ mode: "0644"
+ - src: "{{ gnocchi_user_ssl_key | default(gnocchi_pki_keys_path ~ 'gnocchi_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
+ dest: "{{ gnocchi_ssl_key }}"
+ owner: "{{ gnocchi_system_user_name }}"
+ group: "{{ gnocchi_system_user_name }}"
+ mode: "0600"
+
+# Define user-provided SSL certificates
+#gnocchi_user_ssl_cert:
+#gnocchi_user_ssl_key:
diff --git a/handlers/main.yml b/handlers/main.yml
index 675018c..19c1e24 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -31,6 +31,7 @@
 - "Restart gnocchi services"
 - "venv changed"
 - "systemd service changed"
+ - "cert installed"
 # Note (odyssey4me):
 # The policy.json file is currently read continually by the services
@@ -70,3 +71,4 @@
 - "Restart gnocchi services"
 - "venv changed"
 - "systemd service changed"
+ - "cert installed"
diff --git a/tasks/main.yml b/tasks/main.yml
index 99a3cb5..b545a22 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -53,6 +53,26 @@
 tags:
 - gnocchi-install
+- name: Create and install SSL certificates
+ include_role:
+ name: pki
+ tasks_from: main_certs.yml
+ apply:
+ tags:
+ - gnocchi-config
+ - pki
+ vars:
+ pki_setup_host: "{{ gnocchi_pki_setup_host }}"
+ pki_dir: "{{ gnocchi_pki_dir }}"
+ pki_create_certificates: "{{ gnocchi_user_ssl_cert is not defined and gnocchi_user_ssl_key is not defined }}"
+ pki_regen_cert: "{{ gnocchi_pki_regen_cert }}"
+ pki_certificates: "{{ gnocchi_pki_certificates }}"
+ pki_install_certificates: "{{ gnocchi_pki_install_certificates }}"
+ when:
+ - gnocchi_backend_ssl
+ tags:
+ - always
+
 - name: Install the python venv
 import_role:
 name: "python_venv_build"
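Review bot: The default for `gnocchi_pki_san` uses `management_address`, which nothing in this role's defaults defines and which the hunk does not explain; since the template is only rendered when something consumes it, a deployer who lacks that variable sees the failure late, on the first host where `gnocchi_backend_ssl` is true. A comment naming where `management_address` is expected to come from (the inventory, presumably) would make the dependency visible. `gnocchi_pki_regen_cert` is likewise the one new variable without any description; a line such as `# Set to a non-empty value to force the gnocchi server certificate to be regenerated` would help, assuming that is how the pki role interprets it. Finally, `#gnocchi_user_ssl_cert:` and `#gnocchi_user_ssl_key:` drop the space after `#` that every other comment in the hunk uses (yamllint `comments`).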
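Review bot: `pki_create_certificates` is false as soon as either `gnocchi_user_ssl_cert` or `gnocchi_user_ssl_key` is defined, so a deployer who overrides only one of them gets a broken backend: nothing is generated, and the other entry in `gnocchi_pki_install_certificates` falls back to a generated path, so the install step either fails on a file that was never created or, if an earlier run did generate one, installs a certificate and key that do not belong together. An assert ahead of this include, under the same `when`, fails early with a readable message instead; the task below is one way to write it. The `Install the python venv` task that follows the hunk is unaffected.
```yaml
- name: Check that user-provided certificate and key are set together
  assert:
    that:
      - "(gnocchi_user_ssl_cert is defined) == (gnocchi_user_ssl_key is defined)"
    fail_msg: "Set both gnocchi_user_ssl_cert and gnocchi_user_ssl_key, or neither"
  when:
    - gnocchi_backend_ssl
  tags:
    - always

# … unchanged: Create and install SSL certificates include_role task …
```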