From 4f785b4e5f1805824f86c431c2e209e4e2f42b24 Mon Sep 17 00:00:00 2001 From: Damian Dabrowski Date: Sat, 8 Apr 2023 17:48:11 +0200 Subject: [PATCH] Add TLS support to barbican backends By overriding the variable `barbican_backend_ssl: True` HTTPS will be enabled, disabling HTTP support on the barbican backend api. The ansible-role-pki is used to generate the required TLS certificates if this functionality is enabled. Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085 Change-Id: I68abd8b2c63231ece3b7184d6e52168cee5ce3d1
---
defaults/main.yml | 52 +++++++++++++++++++++++++++++++++++++++++++++++ handlers/main.yml | 1 + tasks/main.yml | 20 ++++++++++++++++++ 3 files changed, 73 insertions(+)
diff --git a/defaults/main.yml b/defaults/main.yml
index ebc8cb5..e2149a8 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -72,6 +72,7 @@ barbican_services: wsgi_app: True wsgi_name: barbican-wsgi-api start_order: 1 + uwsgi_tls: "{{ barbican_backend_ssl | ternary(barbican_uwsgi_tls, {}) }}" barbican-worker: group: barbican_all service_name: barbican-worker
@@ -214,6 +215,9 @@ barbican_service_project_name: service barbican_wsgi_processes_max: 16 barbican_wsgi_processes: "{{ [[(ansible_facts['processor_vcpus']//ansible_facts['processor_threads_per_core'])|default(1), 1] | max *2, barbican_wsgi_processes_max] | min }}" barbican_wsgi_threads: 1 +barbican_uwsgi_tls: + crt: "{{ barbican_ssl_cert }}" + key: "{{ barbican_ssl_key }}" # Memcached override barbican_memcached_servers: "{{ memcached_servers }}"
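Review bot: `barbican_uwsgi_tls` in the @@ -214 hunk is added without a comment, although every other variable introduced by this change in defaults/main.yml gets one. Its `crt` and `key` entries are fed from `barbican_ssl_cert` / `barbican_ssl_key`, and the @@ -72 hunk only hands the dict to `uwsgi_tls` when `barbican_backend_ssl` is true, so a one-liner above it makes the linkage visible: `# Certificate chain and private key handed to uwsgi via uwsgi_tls when barbican_backend_ssl is true`. The `barbican_services` mapping that the @@ -72 hunk edits starts and ends outside that hunk.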
@@ -232,3 +236,51 @@ barbican_optional_oslomsg_amqp1_pip_packages: - oslo.messaging[amqp1] barbican_uwsgi_init_overrides: {} + +### +### Backend TLS +### + +# Define if communication between haproxy and service backends should be +# encrypted with TLS. +barbican_backend_ssl: "{{ openstack_service_backend_ssl | default(False) }}" + +# Storage location for SSL certificate authority +barbican_pki_dir: "{{ openstack_pki_dir | default('/etc/openstack_deploy/pki') }}" + +# Delegated host for operating the certificate authority +barbican_pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}" + +# barbican server certificate +barbican_pki_keys_path: "{{ barbican_pki_dir ~ '/certs/private/' }}" +barbican_pki_certs_path: "{{ barbican_pki_dir ~ '/certs/certs/' }}" +barbican_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name | default('ExampleCorpIntermediate') }}" +barbican_pki_regen_cert: '' +barbican_pki_san: "{{ openstack_pki_san | default('DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ management_address) }}" +barbican_pki_certificates: + - name: "barbican_{{ ansible_facts['hostname'] }}" + provider: ownca + cn: "{{ ansible_facts['hostname'] }}" + san: "{{ barbican_pki_san }}" + signed_by: "{{ barbican_pki_intermediate_cert_name }}" + +# barbican destination files for SSL certificates +barbican_ssl_cert: /etc/barbican/barbican.pem +barbican_ssl_key: /etc/barbican/barbican.key + +# Installation details for SSL certificates +barbican_pki_install_certificates: + - src: "{{ barbican_user_ssl_cert | default(barbican_pki_certs_path ~ 'barbican_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}" + dest: "{{ barbican_ssl_cert }}" + owner: "{{ barbican_system_user_name }}" + group: "{{ barbican_system_user_name }}" + mode: "0644" + - src: "{{ barbican_user_ssl_key | default(barbican_pki_keys_path ~ 'barbican_' ~ ansible_facts['hostname'] ~ '.key.pem') }}" + dest: "{{ barbican_ssl_key }}" + owner: "{{ barbican_system_user_name }}" + group: "{{ barbican_system_user_name }}" + mode: "0600" + +# Define user-provided SSL certificates +#barbican_user_ssl_cert: +#barbican_user_ssl_key:
diff --git a/handlers/main.yml b/handlers/main.yml
index 86d7764..e0180f1 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -22,3 +22,4 @@ listen: - "venv changed" - "systemd service changed" + - "cert installed"
diff --git a/tasks/main.yml b/tasks/main.yml
index c8811f5..532d868 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -96,6 +96,26 @@ tags: - barbican-install +- name: Create and install SSL certificates + include_role: + name: pki + tasks_from: main_certs.yml + apply: + tags: + - barbican-config + - pki + vars: + pki_setup_host: "{{ barbican_pki_setup_host }}" + pki_dir: "{{ barbican_pki_dir }}" + pki_create_certificates: "{{ barbican_user_ssl_cert is not defined and barbican_user_ssl_key is not defined }}" + pki_regen_cert: "{{ barbican_pki_regen_cert }}" + pki_certificates: "{{ barbican_pki_certificates }}" + pki_install_certificates: "{{ barbican_pki_install_certificates }}" + when: + - barbican_backend_ssl + tags: + - always + - import_tasks: barbican_post_install.yml tags: - barbican-config
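Review bot: Defining only one of `barbican_user_ssl_cert` / `barbican_user_ssl_key` is not caught anywhere in this change: in `barbican_pki_install_certificates` the `default(...)` fallback then pairs a user-supplied cert with a role-generated key (or the reverse), and in the tasks/main.yml hunk `pki_create_certificates` evaluates to false as soon as either variable is defined, so the generated counterpart is never created and the install step points at a file that does not exist, or, on a re-run, at stale generated material. Guard the pairing ahead of the pki include with an `assert`, e.g. `that: (barbican_user_ssl_cert is defined) == (barbican_user_ssl_key is defined)`, under the same `when: barbican_backend_ssl`. The commented placeholders at the end of the hunk should also state the contract: `# Both must be set together; the cert file should carry the full chain, like the generated '-chain.crt'.`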
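Review bot: The new "Create and install SSL certificates" task has a positional dependency that nothing states: the install list it passes writes the private key with `mode: "0600"` owned by `barbican_system_user_name` (defaults/main.yml), so it must stay after the install tasks whose `tags: - barbican-install` open the hunk, presumably where that user is created, and before `barbican_post_install.yml`. A comment above the task would pin that ordering for the next person reordering tasks/main.yml: `# Keep after the install tasks: the key is installed 0600 and owned by barbican_system_user_name`. The task that the opening `tags:` context belongs to starts outside the hunk.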