From 540eb9a01e0d48f3959d8f09ce1d3e2fdc7da485 Mon Sep 17 00:00:00 2001
From: James Kirsch
Date: Thu, 4 Jun 2020 21:27:24 -0700
Subject: [PATCH] Replace internal and external VIP CA with root CA

Replaced "kolla_external_fqdn_cacert" and "kolla_internal_fqdn_cacert" with "kolla_admin_openrc_cacert". OS_CACERT is now set to the value of "kolla_admin_openrc_cacert" in the generated admin-openrc.sh file.

Change-Id: If195d5402579cee9a14b91f63f5fde84eb84cccf
Partially-Implements: blueprint add-ssl-internal-network
Depends-On: https://review.opendev.org/#/c/731344/
(cherry picked from commit e3cd02eda4a1fc1913d61df928ba4c24c8eea57d)
---
 ansible/group_vars/all.yml | 3 +--
 ansible/roles/certificates/tasks/generate.yml | 19 -------------------
 .../roles/common/templates/admin-openrc.sh.j2 | 6 ++----
 etc/kolla/globals.yml | 3 +--
 ...-self-signed-root-ca-bc523acab7290cfe.yaml | 6 ++++++
 tests/templates/globals-default.j2 | 1 +
 6 files changed, 11 insertions(+), 27 deletions(-)

diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index bb68e7d71c..1e11c8c2bc 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -763,8 +763,7 @@ kolla_enable_tls_external: "{{ kolla_enable_tls_internal if kolla_same_external_
 kolla_certificates_dir: "{{ node_config }}/certificates"
 kolla_external_fqdn_cert: "{{ kolla_certificates_dir }}/haproxy.pem"
 kolla_internal_fqdn_cert: "{{ kolla_certificates_dir }}/haproxy-internal.pem"
-kolla_external_fqdn_cacert: "{{ kolla_certificates_dir }}/ca/haproxy.crt"
-kolla_internal_fqdn_cacert: "{{ kolla_certificates_dir }}/ca/haproxy-internal.crt"
+kolla_admin_openrc_cacert: ""
 kolla_copy_ca_into_containers: "no"
 kolla_verify_tls_backend: "yes"
 haproxy_backend_cacert: "{{ 'ca-certificates.crt' if kolla_base_distro in ['debian', 'ubuntu'] else 'ca-bundle.trust.crt' }}"
diff --git a/ansible/roles/certificates/tasks/generate.yml b/ansible/roles/certificates/tasks/generate.yml
index 1bd54aedc6..acb68fa57f 100644
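Review bot: `kolla_admin_openrc_cacert: ""` drops the CA path that the removed `kolla_external_fqdn_cacert`/`kolla_internal_fqdn_cacert` defaults carried, so on a TLS-enabled deployment that relies on the self-signed root CA from the certificates role, the generated admin-openrc.sh (see the admin-openrc.sh.j2 hunk) exports no OS_CACERT unless the operator discovers and sets the new variable; the CLI then fails verification against the VIP certificate, and the usual workaround is `--insecure`, which discards the protection this series is adding. Operators who kept the old variable names in their globals.yml get no signal either, since there is no deprecation shim and an unused variable is silently ignored. Consider defaulting the new variable to the root CA path when `kolla_enable_tls_internal` or `kolla_enable_tls_external` is set (the test template in this change uses `{{ kolla_certificates_dir }}/ca/root.crt`), or at least documenting it above the line: `# CA bundle exported as OS_CACERT by admin-openrc.sh; required when the VIP certificates are not trusted by the system CA store.`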
--- a/ansible/roles/certificates/tasks/generate.yml
+++ b/ansible/roles/certificates/tasks/generate.yml
@@ -64,12 +64,6 @@
 src: "{{ external_dir }}"
 dest: "{{ kolla_external_fqdn_cert }}"
 mode: "0660"
-
- - name: Creating external CA Certificate File
- copy:
- src: "{{ root_dir }}/root.crt"
- dest: "{{ kolla_external_fqdn_cacert }}"
- mode: "0660"
 when:
 - kolla_enable_tls_external | bool
@@ -80,13 +74,6 @@
 dest: "{{ kolla_internal_fqdn_cert }}"
 remote_src: yes
 mode: "0660"
-
- - name: Copy the external CA Certificate file to be the internal when internal + external are same network
- copy:
- src: "{{ kolla_external_fqdn_cacert }}"
- dest: "{{ kolla_internal_fqdn_cacert }}"
- remote_src: yes
- mode: "0660"
 when:
 - kolla_enable_tls_external | bool
 - kolla_enable_tls_internal | bool
@@ -139,12 +126,6 @@
 mode: "0660"
 state: file
- - name: Creating internal CA Certificate File
- copy:
- src: "{{ root_dir }}/root.crt"
- dest: "{{ kolla_internal_fqdn_cacert }}"
- mode: "0660"
-
 - name: Creating internal Server PEM File
 assemble:
 regexp: '.*[crt|key]'
diff --git a/ansible/roles/common/templates/admin-openrc.sh.j2 b/ansible/roles/common/templates/admin-openrc.sh.j2
index 1d7ab04ce2..d5a1d0b29c 100644
--- a/ansible/roles/common/templates/admin-openrc.sh.j2
+++ b/ansible/roles/common/templates/admin-openrc.sh.j2
@@ -18,8 +18,6 @@ export OS_MISTRAL_ENDPOINT_TYPE=internalURL
 export OS_IDENTITY_API_VERSION=3
 export OS_REGION_NAME={{ openstack_region_name }}
 export OS_AUTH_PLUGIN=password
-{% if kolla_enable_tls_internal | bool and kolla_internal_fqdn_cacert %}
-export OS_CACERT={{ kolla_internal_fqdn_cacert }}
-{% elif kolla_enable_tls_external | bool and kolla_external_fqdn_cacert %}
-export OS_CACERT={{ kolla_external_fqdn_cacert }}
+{% if kolla_admin_openrc_cacert is not none and kolla_admin_openrc_cacert | length > 0 %}
+export OS_CACERT={{ kolla_admin_openrc_cacert }}
 {% endif %}
diff --git a/etc/kolla/globals.yml b/etc/kolla/globals.yml
index 3b01c2bb95..658d5dab52 100644
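Review bot: The new `export OS_CACERT={{ kolla_admin_openrc_cacert }}` line in admin-openrc.sh.j2 interpolates an operator-supplied filesystem path unquoted into a shell script, so a value containing a space or a shell-special character either breaks sourcing the file or is expanded by the shell; quote it as `export OS_CACERT="{{ kolla_admin_openrc_cacert }}"`. The neighbouring exports are unquoted too, so this is the file's existing style rather than a regression, but a path is the value most likely to carry a space. The guard `is not none and ... | length > 0` could be written as `{% if kolla_admin_openrc_cacert %}`, which is false for both none and the empty string; keep the explicit form if the project prefers it, but then a short comment saying that an empty default deliberately leaves OS_CACERT unset would help the reader.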
--- a/etc/kolla/globals.yml
+++ b/etc/kolla/globals.yml
@@ -189,8 +189,7 @@
 #kolla_certificates_dir: "{{ node_config }}/certificates"
 #kolla_external_fqdn_cert: "{{ kolla_certificates_dir }}/haproxy.pem"
 #kolla_internal_fqdn_cert: "{{ kolla_certificates_dir }}/haproxy-internal.pem"
-#kolla_external_fqdn_cacert: "{{ kolla_certificates_dir }}/ca/haproxy.crt"
-#kolla_internal_fqdn_cacert: "{{ kolla_certificates_dir }}/ca/haproxy-internal.crt"
+#kolla_admin_openrc_cacert: ""
 #kolla_copy_ca_into_containers: "no"
 #kolla_verify_tls_backend: "yes"
 #haproxy_backend_cacert: "{{ 'ca-certificates.crt' if kolla_base_distro in ['debian', 'ubuntu'] else 'ca-bundle.trust.crt' }}"
diff --git a/releasenotes/notes/generate-self-signed-root-ca-bc523acab7290cfe.yaml b/releasenotes/notes/generate-self-signed-root-ca-bc523acab7290cfe.yaml
index d766d72d20..206c50af00 100644
--- a/releasenotes/notes/generate-self-signed-root-ca-bc523acab7290cfe.yaml
+++ b/releasenotes/notes/generate-self-signed-root-ca-bc523acab7290cfe.yaml
@@ -9,3 +9,9 @@ features:
 certificates and signs them using the root CA. If backend TLS is enabled, the command will generate the backend certificate and sign it with the root CA.
+upgrade:
+ - |
+ Replaced ``kolla_external_fqdn_cacert`` and ``kolla_internal_fqdn_cacert``
+ with ``kolla_admin_openrc_cacert``, which by default is not set.
+ ``OS_CACERT`` is now set to the value of ``kolla_admin_openrc_cacert`` in
+ the generated ``admin-openrc.sh`` file.
diff --git a/tests/templates/globals-default.j2 b/tests/templates/globals-default.j2
index 72f2751014..4d41ec3c4d 100644
--- a/tests/templates/globals-default.j2
+++ b/tests/templates/globals-default.j2
@@ -127,6 +127,7 @@ openstack_cacert: "/etc/ssl/certs/ca-certificates.crt"
 {% if base_distro == "centos" %}
 openstack_cacert: "/etc/pki/tls/certs/ca-bundle.crt"
 {% endif %}
+kolla_admin_openrc_cacert: "{% raw %}{{ kolla_certificates_dir }}{% endraw %}/ca/root.crt"
 {% endif %}
 {% if scenario == 'linuxbridge' %}
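Review bot: The sample line `#kolla_admin_openrc_cacert: ""` in etc/kolla/globals.yml tells an operator neither what the variable feeds nor what value to put in it, whereas the two lines it replaces at least showed the expected path pattern. A comment above it would make the TLS client setup discoverable from the sample file alone, e.g. `# CA bundle exported as OS_CACERT in admin-openrc.sh so CLI clients verify the TLS VIP certificates; with the self-signed root CA from the certificates role this is typically "{{ kolla_certificates_dir }}/ca/root.crt".` That root.crt location is the one the test template in this change uses; confirm it matches what the certificates role actually writes before documenting it.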
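Review bot: The added `kolla_admin_openrc_cacert` line in tests/templates/globals-default.j2 hard-codes `/ca/root.crt` under `kolla_certificates_dir`, a layout nothing else in this change expresses (the certificates role tasks reference `{{ root_dir }}/root.crt`, and `root_dir` is not visible here), so CI and the role can drift apart without either side failing in an obvious way. If the role exposes the root CA path as a variable, reference that instead; otherwise a one-line comment tying them together, `# must match the root CA written by the certificates role (root_dir/root.crt)`, helps whoever moves it next. The `{% if ... %}` that this line sits inside opens outside the hunk, so it is not visible whether the value is only set for TLS-enabled scenarios.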