Merge "Include PKI role only once"

This commit is contained in:
Zuul 2024-05-03 19:41:40 +00:00 committed by Gerrit Code Review
commit 737da47464
2 changed files with 20 additions and 31 deletions


@ -725,6 +725,7 @@ nova_pki_compute_install_certificates:
# nova_user_ssl_ca_cert: <path to cert on ansible deployment host>
# TLS certficates for console hosts
nova_pki_console_condition: "{{ nova_qemu_vnc_tls == 1 and nova_console_type == 'novnc' and 'nova_console' in group_names }}"
nova_pki_console_certificates:
# Client certificate used by novnv proxy to authenticate with compute hosts using vencrypt
- name: "nova_{{ ansible_facts['hostname'] }}-client"
@ -738,7 +739,7 @@ nova_pki_console_certificates:
- keyEncipherment
extended_key_usage:
- clientAuth
condition: "{{ nova_qemu_vnc_tls == 1 and 'novnc' in nova_console_proxy_types }}"
condition: "{{ nova_pki_console_condition | bool }}"
# Installation details for SSL certificates for console hosts
nova_pki_console_install_certificates:
@ -747,19 +748,19 @@ nova_pki_console_install_certificates:
owner: "root"
group: "{{ nova_system_group_name }}"
mode: "0640"
condition: "{{ nova_qemu_vnc_tls == 1 and nova_console_type == 'novnc' }}"
condition: "{{ nova_pki_console_condition | bool }}"
- src: "{{ nova_user_ssl_key | default(nova_pki_keys_path ~ 'nova_' ~ ansible_facts['hostname'] ~ '-client.key.pem') }}"
dest: "{{ nova_vencrypt_client_key }}"
owner: "root"
group: "{{ nova_system_group_name }}"
mode: "0640"
condition: "{{ nova_qemu_vnc_tls == 1 and nova_console_type == 'novnc' }}"
condition: "{{ nova_pki_console_condition | bool }}"
- src: "{{ nova_user_ssl_ca_cert | default(nova_pki_intermediate_chain_path) }}"
dest: "{{ nova_vencrypt_ca_certs }}"
owner: "root"
group: "{{ nova_system_group_name }}"
mode: "0640"
condition: "{{ nova_qemu_vnc_tls == 1 and nova_console_type == 'novnc' }}"
condition: "{{ nova_pki_console_condition | bool }}"
# host which holds the ssh certificate authority
nova_ssh_keypairs_setup_host: "{{ openstack_ssh_keypairs_setup_host | default('localhost') }}"
@ -799,6 +800,14 @@ nova_ssh_keypairs_principals:
# Define if communication between haproxy and service backends should be
# encrypted with TLS.
nova_backend_ssl: "{{ openstack_service_backend_ssl | default(False) }}"
nova_pki_certificates_condition: >-
{{
nova_backend_ssl and (
'nova_console' in group_names or
'nova_api_metadata' in group_names or
'nova_api_os_compute' in group_names
)
}}
nova_pki_certificates:
# Used to encrypt traffic between haproxy and nova backends
@ -807,7 +816,7 @@ nova_pki_certificates:
cn: "{{ ansible_facts['hostname'] }}"
san: "{{ nova_pki_san }}"
signed_by: "{{ nova_pki_intermediate_cert_name }}"
condition: "{{ nova_backend_ssl }}"
condition: "{{ nova_pki_certificates_condition | bool }}"
# nova destination files for SSL certificates
nova_ssl_cert: /etc/nova/nova.pem
@ -820,13 +829,13 @@ nova_pki_install_certificates:
owner: "{{ nova_system_user_name }}"
group: "{{ nova_system_user_name }}"
mode: "0644"
condition: "{{ nova_backend_ssl }}"
condition: "{{ nova_pki_certificates_condition | bool }}"
- src: "{{ nova_user_ssl_key | default(nova_pki_keys_path ~ 'nova_' ~ ansible_facts['hostname'] ~ '_api.key.pem') }}"
dest: "{{ nova_ssl_key }}"
owner: "{{ nova_system_user_name }}"
group: "{{ nova_system_user_name }}"
mode: "0600"
condition: "{{ nova_backend_ssl }}"
condition: "{{ nova_pki_certificates_condition | bool }}"
# Periodically move records for deleted resources to shadow tables
nova_archive_deleted: False
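Review bot: The new `nova_pki_console_condition` tests `nova_console_type == 'novnc'`, while the per-certificate condition it replaces in the `nova_pki_console_certificates` hunk appears (reading the paired lines as old then new) to have tested `'novnc' in nova_console_proxy_types`; if that reading is right, a deployment that enables novnc via `nova_console_proxy_types` next to another console type would no longer have the vencrypt client certificate created, while the `nova_pki_console_install_certificates` entries still reference it. If narrowing to a single console type is intended, a comment above the variable such as `# Console TLS material is only provisioned when the console type is exactly novnc` would make that explicit; otherwise keeping the membership test, `nova_pki_console_condition: "{{ nova_qemu_vnc_tls == 1 and 'novnc' in nova_console_proxy_types and 'nova_console' in group_names }}"`, preserves the previous behaviour. On style, `nova_pki_certificates_condition` is written as a `>-` folded block scalar while the console condition is a single double-quoted line; using the same form for both sibling conditions would read more consistently. The tasks file consumes both conditions in the combined `when:` list, so any change here applies to that task as well.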


@ -139,7 +139,7 @@
- nova-config
# Create certs after nova groups have been created but before handlers
- name: Create and install SSL certificates for API
- name: Create and install SSL certificates for API and Consoles
include_role:
name: pki
tasks_from: main_certs.yml
@ -152,10 +152,10 @@
pki_dir: "{{ nova_pki_dir }}"
pki_create_certificates: "{{ nova_user_ssl_cert is not defined and nova_user_ssl_key is not defined }}"
pki_regen_cert: "{{ nova_pki_regen_cert }}"
pki_certificates: "{{ nova_pki_certificates }}"
pki_install_certificates: "{{ nova_pki_install_certificates }}"
pki_certificates: "{{ nova_pki_certificates + nova_pki_console_certificates }}"
pki_install_certificates: "{{ nova_pki_install_certificates + nova_pki_console_install_certificates }}"
when:
- "'nova_api_metadata' in group_names or 'nova_api_os_compute' in group_names"
- nova_pki_certificates_condition | bool or nova_pki_console_condition | bool
tags:
- always
@ -181,26 +181,6 @@
tags:
- always
- name: Create and install SSL certificates for console hosts
include_role:
name: pki
tasks_from: main_certs.yml
apply:
tags:
- nova-config
- pki
vars:
pki_setup_host: "{{ nova_pki_setup_host }}"
pki_dir: "{{ nova_pki_dir }}"
pki_create_certificates: "{{ nova_user_ssl_cert is not defined and nova_user_ssl_key is not defined }}"
pki_regen_cert: "{{ nova_pki_regen_cert }}"
pki_certificates: "{{ nova_pki_certificates + nova_pki_console_certificates }}"
pki_install_certificates: "{{ nova_pki_install_certificates + nova_pki_console_install_certificates }}"
when:
- "'nova_console' in group_names"
tags:
- always
- name: Including nova_post_install tasks
import_tasks: nova_post_install.yml
tags: