From a240e24e54049c4d415b329bbea8249ce9298e1b Mon Sep 17 00:00:00 2001
From: Damian Dabrowski
Date: Fri, 14 Apr 2023 23:02:25 +0200
Subject: [PATCH] Add TLS support to mistral backends

By overriding the variable `mistral_backend_ssl: True` HTTPS will be enabled, disabling HTTP support on the mistral backend api. The ansible-role-pki is used to generate the required TLS certificates if this functionality is enabled.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085
Change-Id: Id9248e1618b9f2ad39a698c2ecf9c04e64cd119a
---
 defaults/main.yml | 52 +++++++++++++++++++++++++++++++++++++++++++++++
 handlers/main.yml | 2 ++
 tasks/main.yml | 20 ++++++++++++++++++
 3 files changed, 74 insertions(+)
diff --git a/defaults/main.yml b/defaults/main.yml
index 84f6e93..569216b 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -85,11 +85,15 @@ mistral_services:
 uwsgi_overrides: "{{ mistral_api_uwsgi_ini_overrides }}"
 uwsgi_bind_address: "{{ mistral_bind_address }}"
 uwsgi_port: "{{ mistral_service_port }}"
+ uwsgi_tls: "{{ mistral_backend_ssl | ternary(mistral_uwsgi_tls, {}) }}"
 # UWSGI settings
 mistral_wsgi_processes_max: 16
 mistral_wsgi_processes: "{{ [[(ansible_facts['processor_vcpus']//ansible_facts['processor_threads_per_core'])|default(1), 1] | max * 2, mistral_wsgi_processes_max] | min }}"
 mistral_wsgi_threads: 1
+mistral_uwsgi_tls:
+ crt: "{{ mistral_ssl_cert }}"
+ key: "{{ mistral_ssl_key }}"
 # RPC
 mistral_oslomsg_rpc_host_group: "{{ oslomsg_rpc_host_group | default('rabbitmq_all') }}"
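Review bot: `mistral_uwsgi_tls` is added without a comment, while the settings next to it are introduced by `# UWSGI settings`; add `# Certificate and key handed to uwsgi when mistral_backend_ssl is enabled` above it so a reader sees why the two paths are defined here. The `ternary(mistral_uwsgi_tls, {})` on `uwsgi_tls` presumably leaves the plain-HTTP listener configuration untouched when TLS is off, which is worth one sentence in that comment as well. Both values reference `mistral_ssl_cert` and `mistral_ssl_key`, which this commit defines further down in the same file.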
@@ -175,3 +179,51 @@ mistral_service_adminurl: "{{ mistral_service_adminuri_proto }}://{{ internal_lb
 # Specific pip packages provided by the user
 mistral_user_pip_packages: []
+
+ ###
+ ### Backend TLS
+ ###
+
+ # Define if communication between haproxy and service backends should be
+ # encrypted with TLS.
+mistral_backend_ssl: "{{ openstack_service_backend_ssl | default(False) }}"
+
+ # Storage location for SSL certificate authority
+mistral_pki_dir: "{{ openstack_pki_dir | default('/etc/openstack_deploy/pki') }}"
+
+ # Delegated host for operating the certificate authority
+mistral_pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}"
+
+ # mistral server certificate
+mistral_pki_keys_path: "{{ mistral_pki_dir ~ '/certs/private/' }}"
+mistral_pki_certs_path: "{{ mistral_pki_dir ~ '/certs/certs/' }}"
+mistral_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name | default('ExampleCorpIntermediate') }}"
+mistral_pki_regen_cert: ''
+mistral_pki_san: "{{ openstack_pki_san | default('DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ management_address) }}"
+mistral_pki_certificates:
+ - name: "mistral_{{ ansible_facts['hostname'] }}"
+ provider: ownca
+ cn: "{{ ansible_facts['hostname'] }}"
+ san: "{{ mistral_pki_san }}"
+ signed_by: "{{ mistral_pki_intermediate_cert_name }}"
+
+ # mistral destination files for SSL certificates
+mistral_ssl_cert: /etc/mistral/mistral.pem
+mistral_ssl_key: /etc/mistral/mistral.key
+
+ # Installation details for SSL certificates
+mistral_pki_install_certificates:
+ - src: "{{ mistral_user_ssl_cert | default(mistral_pki_certs_path ~ 'mistral_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}"
+ dest: "{{ mistral_ssl_cert }}"
+ owner: "{{ mistral_system_user_name }}"
+ group: "{{ mistral_system_user_name }}"
+ mode: "0644"
+ - src: "{{ mistral_user_ssl_key | default(mistral_pki_keys_path ~ 'mistral_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
+ dest: "{{ mistral_ssl_key }}"
+ owner: "{{ 
mistral_system_user_name }}"
+ group: "{{ mistral_system_user_name }}"
+ mode: "0600"
+
+ # Define user-provided SSL certificates
+ #mistral_user_ssl_cert:
+ #mistral_user_ssl_key:
diff --git a/handlers/main.yml b/handlers/main.yml
index a8b0b42..c0f511e 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -28,6 +28,7 @@
 - "Restart mistral services"
 - "venv changed"
 - "systemd service changed"
+ - "cert installed"
 - name: Start services
 service:
@@ -44,3 +45,4 @@
 - "Restart mistral services"
 - "venv changed"
 - "systemd service changed"
+ - "cert installed"
diff --git a/tasks/main.yml b/tasks/main.yml
index 6ef238c..82a58d2 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -90,6 +90,26 @@
 tags:
 - mistral-install
+- name: Create and install SSL certificates
+ include_role:
+ name: pki
+ tasks_from: main_certs.yml
+ apply:
+ tags:
+ - mistral-config
+ - pki
+ vars:
+ pki_setup_host: "{{ mistral_pki_setup_host }}"
+ pki_dir: "{{ mistral_pki_dir }}"
+ pki_create_certificates: "{{ mistral_user_ssl_cert is not defined and mistral_user_ssl_key is not defined }}"
+ pki_regen_cert: "{{ mistral_pki_regen_cert }}"
+ pki_certificates: "{{ mistral_pki_certificates }}"
+ pki_install_certificates: "{{ mistral_pki_install_certificates }}"
+ when:
+ - mistral_backend_ssl
+ tags:
+ - always
+
 - import_tasks: mistral_post_install.yml
 tags:
 - mistral-config
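Review bot: The closing `#mistral_user_ssl_cert:` / `#mistral_user_ssl_key:` placeholders do not say that the two must be supplied together, yet each `src` in `mistral_pki_install_certificates` falls back to its PKI-generated path independently, and the include in tasks/main.yml only generates certificates when neither variable is defined, so setting one without the other points the install at a file that was never created. Extend the comment to `# Define user-provided SSL certificates. Set both or neither; the cert file is expected to hold the full chain, like the generated '-chain.crt' default.` The full-chain expectation is inferred from the default file name and should be confirmed against what haproxy verifies on the backend. The mode split (`"0644"` for the chain, `"0600"` for the key, both owned by `mistral_system_user_name`) reads correctly.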
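Review bot: `pki_create_certificates` evaluates to false as soon as either `mistral_user_ssl_cert` or `mistral_user_ssl_key` is defined, while the `src` defaults of `mistral_pki_install_certificates` (defaults/main.yml) fall back to the generated `-chain.crt` and `.key.pem` paths independently, so a deployer who sets only one of the two skips generation and then fails installing the missing half. Guard the include with an assert that both or neither are set; its fail message is also the natural place to state that the two go together. The `when: mistral_backend_ssl` / `tags: always` with `apply: tags:` pattern otherwise reads fine, and running the include before `mistral_post_install.yml` keeps the certificate in place before the uwsgi configuration that references `uwsgi_tls` is written — that ordering dependency is inferred from defaults/main.yml rather than visible here.
```yaml
- name: Check that user-provided TLS certificate and key are set together
  assert:
    that:
      - "(mistral_user_ssl_cert is defined) == (mistral_user_ssl_key is defined)"
    fail_msg: "mistral_user_ssl_cert and mistral_user_ssl_key must be defined together"
  when:
    - mistral_backend_ssl
  tags:
    - always

# … unchanged: include_role pki with the pki_* vars …
```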