Add TLS support to octavia backends

By overriding the variable `octavia_backend_ssl: True` HTTPS will
be enabled, disabling HTTP support on the octavia backend api.

The ansible-role-pki is used to generate the required TLS
certificates if this functionality is enabled.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085
Change-Id: Id6c187cad4e444fb83ca1f938bd13bb9b73652b3
This commit is contained in:
Damian Dabrowski 2023-04-17 21:13:07 +02:00
parent c672dc1848
commit ee554649bd
3 changed files with 58 additions and 3 deletions

View File

@ -218,6 +218,7 @@ octavia_services:
uwsgi_overrides: "{{ octavia_api_uwsgi_ini_overrides }}"
uwsgi_port: "{{ octavia_service_port }}"
uwsgi_bind_address: "{{ octavia_uwsgi_bind_address }}"
uwsgi_tls: "{{ octavia_backend_ssl | ternary(octavia_uwsgi_tls, {}) }}"
octavia-worker:
group: octavia-worker
service_name: octavia-worker
@ -431,7 +432,9 @@ octavia_wsgi_processes_max: 16
octavia_wsgi_processes: "{{ [[(ansible_facts['processor_vcpus']//ansible_facts['processor_threads_per_core'])|default(1), 1] | max * 2, octavia_wsgi_processes_max] | min }}"
octavia_wsgi_threads: 1
octavia_uwsgi_bind_address: "{{ openstack_service_bind_address | default('0.0.0.0') }}"
octavia_api_uwsgi_ini_overrides: {}
octavia_uwsgi_tls:
crt: "{{ octavia_api_ssl_cert }}"
key: "{{ octavia_api_ssl_key }}"
# Set up the drivers
octavia_enabled_provider_drivers: "{{ _octavia_enabled_provider_drivers }}"
@ -500,6 +503,14 @@ octavia_cert_authorities:
not_after: "+{{ octavia_cert_validity_days }}d"
octavia_cert_certificates:
# Communication between haproxy and octavia API
- name: "octavia-api_{{ ansible_facts['hostname'] }}"
provider: ownca
cn: "{{ ansible_facts['hostname'] }}"
san: "{{ octavia_api_cert_san }}"
signed_by: "{{ octavia_api_intermediate_cert_name }}"
condition: "{{ octavia_backend_ssl | bool }}"
# Communication between octavia control plane and amphoras
- name: "octavia_client"
provider: ownca
cn: "{{ octavia_cert_client_req_common_name }}"
@ -512,38 +523,56 @@ octavia_cert_certificates:
extended_key_usage:
- clientAuth
- emailProtection
condition: "{{ octavia_generate_certs | bool }}"
# Installation details for SSL certificates
octavia_cert_install_certificates:
# Communication between haproxy and octavia API
- src: "{{ octavia_api_user_ssl_cert | default(octavia_cert_certs_dir ~ 'octavia-api_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}"
dest: "{{ octavia_api_ssl_cert }}"
owner: "{{ octavia_system_user_name }}"
group: "{{ octavia_system_user_name }}"
mode: "0644"
condition: "{{ octavia_backend_ssl | bool }}"
- src: "{{ octavia_api_user_ssl_key | default(octavia_cert_keys_dir ~ 'octavia-api_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
dest: "{{ octavia_api_ssl_key }}"
owner: "{{ octavia_system_user_name }}"
group: "{{ octavia_system_user_name }}"
mode: "0600"
condition: "{{ octavia_backend_ssl | bool }}"
# Server CA
- src: "{{ octavia_ca_certificate | default(octavia_cert_dir ~ '/roots/OctaviaServerRoot/certs/OctaviaServerRoot.crt') }}"
dest: "/etc/octavia/certs/server_ca.pem"
owner: "{{ octavia_system_user_name }}"
group: "{{ octavia_system_group_name }}"
mode: "0640"
condition: "{{ octavia_generate_certs | bool }}"
- src: "{{ octavia_ca_private_key | default(octavia_cert_dir ~ '/roots/OctaviaServerRoot/private/OctaviaServerRoot.key.pem') }}"
dest: "/etc/octavia/certs/ca_key.pem"
owner: "{{ octavia_system_user_name }}"
group: "{{ octavia_system_group_name }}"
mode: "0640"
condition: "{{ octavia_generate_certs | bool }}"
# Client CA
- src: "{{ octavia_client_ca | default(octavia_cert_dir ~ '/roots/OctaviaClientRoot/certs/OctaviaClientRoot.crt') }}"
dest: "/etc/octavia/certs/client_ca.pem"
owner: "{{ octavia_system_user_name }}"
group: "{{ octavia_system_group_name }}"
mode: "0640"
condition: "{{ octavia_generate_certs | bool }}"
# Client certificate
- src: "{{ octavia_client_cert | default(octavia_cert_certs_dir ~ '/octavia_client.crt') }}"
dest: "/etc/octavia/certs/client.pem.crt"
owner: "{{ octavia_system_user_name }}"
group: "{{ octavia_system_group_name }}"
mode: "0640"
condition: "{{ octavia_generate_certs | bool }}"
- src: "{{ octavia_client_key | default(octavia_cert_keys_dir ~ '/octavia_client.key.pem') }}"
dest: "/etc/octavia/certs/client.pem.key"
owner: "{{ octavia_system_user_name }}"
group: "{{ octavia_system_group_name }}"
mode: "0640"
condition: "{{ octavia_generate_certs | bool }}"
# Custom client CA
#octavia_client_ca: "{{ octavia_cert_dir }}/ca_01.pem"
@ -572,3 +601,24 @@ octavia_num_security_group_rules: "{{ (octavia_num_secgroups|int)*100 }}"
octavia_octavia_conf_overrides: {}
octavia_api_paste_ini_overrides: {}
octavia_policy_overrides: {}
octavia_api_uwsgi_ini_overrides: {}
###
### Backend TLS
###
# Define if communication between haproxy and service backends should be
# encrypted with TLS.
octavia_backend_ssl: "{{ openstack_service_backend_ssl | default(False) }}"
# octavia server certificate
octavia_api_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name | default('ExampleCorpIntermediate') }}"
octavia_api_cert_san: "{{ openstack_pki_san | default('DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ management_address) }}"
# octavia destination files for SSL certificates
octavia_api_ssl_cert: /etc/octavia/certs/octavia-api.pem
octavia_api_ssl_key: /etc/octavia/certs/octavia-api.key
# Define user-provided SSL certificates
#octavia_api_user_ssl_cert: <path to cert on ansible deployment host>
#octavia_api_user_ssl_key: <path to cert on ansible deployment host>

View File

@ -21,3 +21,4 @@
listen:
- "venv changed"
- "systemd service changed"
- "cert installed"

View File

@ -111,6 +111,10 @@
- name: Create and install SSL certificates
include_role:
name: pki
apply:
tags:
- octavia-config
- pki
vars:
pki_setup_host: "{{ octavia_cert_setup_host }}"
pki_dir: "{{ octavia_cert_dir }}"
@ -122,7 +126,7 @@
pki_certificates: "{{ octavia_cert_certificates }}"
pki_install_certificates: "{{ octavia_cert_install_certificates }}"
when:
- octavia_generate_certs | bool
- (octavia_generate_certs | bool) or (octavia_backend_ssl | bool)
tags:
- always