Initialise ssh and ssl certificates
This is needed later by the keystone, nova and repo_server roles Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/840445 Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/840514 Change-Id: I3a3e9ee62fde37c65fa182bf59f12031c390d968
This commit is contained in:
parent
a504a35d29
commit
3458ee0ee1
|
@ -119,3 +119,63 @@
|
|||
user: "{{ ansible_user_id }}"
|
||||
key: "{{ root_public_key }}"
|
||||
when: ansible_user_id != 'root'
|
||||
|
||||
- name: Create SSHD CA
|
||||
hosts: "{{ openstack_ssh_keypairs_setup_host | default('localhost') }}"
|
||||
gather_facts: false
|
||||
become: yes
|
||||
tasks:
|
||||
- name: "Create SSHD certificate authority"
|
||||
include_role:
|
||||
name: openstack.osa.ssh_keypairs
|
||||
vars:
|
||||
ssh_keypairs_setup_host: localhost
|
||||
ssh_keypairs_dir: "/etc/openstack_deploy/ssh_keypairs"
|
||||
ssh_keypairs:
|
||||
- name: "OpenStack-Ansible-SSH-Signing-Key"
|
||||
ssh_keypairs_install_authorities: false
|
||||
ssh_keypairs_install_keypairs: false
|
||||
ssh_keypairs_install_authorized_keys: false
|
||||
|
||||
- name: Create CA certificates
|
||||
hosts: "{{ openstack_pki_setup_host | default('localhost') }}"
|
||||
gather_facts: "false"
|
||||
become: true
|
||||
tasks:
|
||||
- name: "Create CA certificates"
|
||||
include_role:
|
||||
name: pki
|
||||
tasks_from: main_ca.yml
|
||||
vars:
|
||||
pki_dir: "/etc/openstack_deploy/pki"
|
||||
pki_create_ca: true
|
||||
pki_authorities:
|
||||
- name: "ExampleCorpRoot"
|
||||
provider: selfsigned
|
||||
basic_constraints: "CA:TRUE"
|
||||
cn: "Example Corp Root CA"
|
||||
email_address: "pki@example.com"
|
||||
country_name: "GB"
|
||||
state_or_province_name: "England"
|
||||
organization_name: "Example Corporation"
|
||||
organizational_unit_name: "IT Security"
|
||||
key_usage:
|
||||
- digitalSignature
|
||||
- cRLSign
|
||||
- keyCertSign
|
||||
not_after: "+3650d"
|
||||
- name: "ExampleCorpIntermediate"
|
||||
provider: ownca
|
||||
basic_constraints: "CA:TRUE,pathlen:0"
|
||||
cn: "Example Corp Openstack Infrastructure Intermediate CA"
|
||||
email_address: "pki@example.com"
|
||||
country_name: "GB"
|
||||
state_or_province_name: "England"
|
||||
organization_name: "Example Corporation"
|
||||
organizational_unit_name: "IT Security"
|
||||
key_usage:
|
||||
- digitalSignature
|
||||
- cRLSign
|
||||
- keyCertSign
|
||||
not_after: "+3650d"
|
||||
signed_by: "ExampleCorpRoot"
|
||||
|
|
|
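Review bot: The two new plays hard-code `pki_dir: "/etc/openstack_deploy/pki"`, `ssh_keypairs_dir: "/etc/openstack_deploy/ssh_keypairs"` and the signing key name `"OpenStack-Ansible-SSH-Signing-Key"` instead of referencing the `openstack_pki_dir`, `openstack_ssh_keypairs_dir` and `openstack_ssh_signing_key` variables this same commit adds in the other hunk, which by their naming look like the deployer-facing defaults for exactly these values; a deployer overriding those defaults would then get a CA and signing key in a different place and name from what the keystone/nova/repo_server roles named in the commit message are pointed at. Suggested lines: `pki_dir: "{{ openstack_pki_dir }}"`, `ssh_keypairs_dir: "{{ openstack_ssh_keypairs_dir }}"`, `- name: "{{ openstack_ssh_signing_key }}"`. Relatedly, the CA subject fields (ExampleCorpRoot, pki@example.com, GB, England, "Example Corporation") are fixed example identities in the play rather than driven by a variable such as `openstack_pki_authorities`, so the resulting root and intermediate CA cannot be given a real organisational identity without editing the playbook; a comment stating they are deliberately example values for test use would at least make that intent explicit. Style: the first play uses `become: yes` while the second uses `become: true`, and the second quotes `gather_facts: "false"` while the first uses the bare boolean — use `true`/`false` unquoted in both.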
@ -496,3 +496,17 @@ uwsgi_python_executable: "{{ openstack_venv_python_executable }}"
|
|||
|
||||
## OpenStack db setup host
|
||||
openstack_db_setup_host: infra1
|
||||
|
||||
## ssh keypairs
|
||||
openstack_ssh_keypairs_dir: "/etc/openstack_deploy/ssh_keypairs"
|
||||
openstack_ssh_signing_key: "OpenStack-Ansible-SSH-Signing-Key"
|
||||
openstack_ssh_keypairs_authorities:
|
||||
- name: "{{ openstack_ssh_signing_key }}"
|
||||
|
||||
## certificate authority
|
||||
openstack_pki_authorities:
|
||||
# placeholder to ensure that this var is defined and list is length > 0
|
||||
- true
|
||||
|
||||
openstack_pki_dir: "/etc/openstack_deploy/pki"
|
||||
openstack_pki_service_intermediate_cert_name: "ExampleCorpIntermediate"
|
||||
|
|
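Review bot: `openstack_pki_service_intermediate_cert_name: "ExampleCorpIntermediate"` only works because it happens to equal the intermediate authority name hard-coded in the pki playbook hunk, and nothing documents that coupling; a comment such as `# must match the name of the intermediate CA created by the pki play` on that line would help the next person who renames one side. The `openstack_pki_authorities` default of a single `- true` entry is also worth a fuller comment: as written it is a list containing a boolean rather than an authority mapping, so any consumer that iterates it expecting `name`-keyed entries would presumably fail, and the comment should say which consumers only check definedness/length so that assumption can be verified. `openstack_db_setup_host: infra1` is a fixed hostname whereas the playbook hunk derives its setup hosts with `| default('localhost')`; if this file is the shared defaults rather than a test-only vars file, that value will not resolve in every inventory.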