Commit
Keystone SSL cert/key distribution and configuration
This patch adds the option to provide an SSL certificate for the Keystone service (either self-signed or user provided) and to configure the endpoints and Keystone service appropriately.

* A new boolean variable called 'keystone_ssl' enables/disables the configuration of SSL for the Keystone service.
* The server key/certificate (and optionally a CA cert) are distributed to all keystone containers and used for the setup of SSL endpoints if the appropriate protocol is set.
* The internal/public and the admin endpoints can be set to be served via http or https separately via the 'keystone_service_*_proto' variables.
* The logic to determine the appropriate load balancing configuration based on the Keystone endpoint protocol has been implemented in the haproxy vars.
* Two new variables have been implemented for a user-provided server key and certificate:
  - keystone_user_ssl_cert: <path to cert on deployment host>
  - keystone_user_ssl_key: <path to cert on deployment host>
  If either of these is not defined, but a Keystone endpoint has been configured for SSL, then the missing cert/key will be self generated on the first Keystone container and distributed to the other containers.
* A new variable has been implemented for a user-provided CA certificate:
  - keystone_user_ssl_ca_cert: <path to cert on deployment host>
* A new variable called 'keystone_ssl_self_signed_subject' has been implemented to allow the user to override the certificate properties, such as the CN and subjectAltName.

Upgrade notes:

* The SSL-based client authentication configuration in Apache has been removed as it appears to be unused.
* The minimum Ansible version for the os_keystone and haproxy_server roles has been increased to v1.9.0 as it's the minimum version that supports ternary filters.
* The boolean 'keystone_ssl_enabled' has been renamed to 'keystone_ssl'. This maintains a pattern set in the haproxy role for enablement of ssl offloading in the load balancer.
* The Apache configuration appropriately implements the 'SSLCACertificateFile' instead of the 'SSLCACertificatePath' directive in order to ensure that the appropriate signing certificate is provided to the browser.
* The 'keystone_self_signed_regen' variable has been renamed to 'keystone_ssl_self_signed_regen'.
* The default names for the deployed keys/certificates have been changed:
  - /etc/ssl/certs/apache.cert > /etc/ssl/certs/keystone.pem
  - /etc/ssl/private/apache.key > /etc/ssl/private/keystone.key

DocImpact
Partial-Bug: #1466827
Implements: blueprint keystone-federation
Change-Id: I4c5ea7b6bfc3d7d7230a7440fa501241826c9dee
Co-Authored-By: Miguel Grinberg <miguelgrinberg50@gmail.com>
(cherry picked from commit 4b35b3e)
Jesse Pretorius committed Aug 20, 2015 (1 parent 33a4f2c, commit caa9733)
Showing 14 changed files with 247 additions and 34 deletions.
@@ -0,0 +1,25 @@ | ||
--- | ||
# Copyright 2015, Rackspace US, Inc. | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||
# you may not use this file except in compliance with the License. | ||
# You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
|
||
- include: keystone_ssl_self_signed.yml | ||
when: > | ||
keystone_ssl | bool and | ||
(keystone_user_ssl_cert is not defined or keystone_user_ssl_key is not defined) | ||
tags: | ||
- keystone-ssl | ||
|
||
- include: keystone_ssl_user_provided.yml | ||
tags: | ||
- keystone-ssl |
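Review bot: the second include, `keystone_ssl_user_provided.yml`, is not gated on `keystone_ssl | bool` the way the self-signed include is, so user-provided cert, key and CA files are copied onto the containers even when SSL is disabled. Adding the same `when: keystone_ssl | bool` condition to the second include keeps both paths skipped together when the feature is off.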
playbooks/roles/os_keystone/tasks/keystone_ssl_key_create.yml (36 additions & 0 deletions)
@@ -0,0 +1,36 @@ | ||
--- | ||
# Copyright 2015, Rackspace US, Inc. | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||
# you may not use this file except in compliance with the License. | ||
# You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
|
||
- name: Remove self signed cert for regen | ||
file: | ||
dest: "{{ keystone_ssl_cert }}" | ||
state: "absent" | ||
when: keystone_ssl_self_signed_regen | bool | ||
tags: | ||
- keystone-ssl | ||
|
||
- name: Create self-signed Apache ssl cert | ||
command: > | ||
openssl req -new -nodes -sha256 -x509 -subj | ||
"{{ keystone_ssl_self_signed_subject }}" | ||
-days 3650 | ||
-keyout {{ keystone_ssl_key }} | ||
-out {{ keystone_ssl_cert }} | ||
-extensions v3_ca | ||
creates={{ keystone_ssl_cert }} | ||
notify: Restart Apache | ||
tags: | ||
- keystone-configs | ||
- keystone-ssl |
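Review bot: the `openssl req` command passes `-extensions v3_ca`, which stamps the self-signed server certificate with CA extensions (basicConstraints CA:TRUE) even though it is served as a leaf certificate; for a self-signed end-entity cert the default extensions, or a config section that carries the subjectAltName from `keystone_ssl_self_signed_subject`, would be the better fit. Separately, nothing in this hunk sets the owner or mode of the freshly written `{{ keystone_ssl_key }}` on the generating host, whereas the copies distributed to the other containers get `0640`; a `file:` task after the create step would keep the two consistent. The regen task also removes only the cert and relies on `-keyout` overwriting the key, which works but deserves a comment.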
playbooks/roles/os_keystone/tasks/keystone_ssl_key_distribute.yml (35 additions & 0 deletions)
@@ -0,0 +1,35 @@ | ||
--- | ||
# Copyright 2014, Rackspace US, Inc. | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||
# you may not use this file except in compliance with the License. | ||
# You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
|
||
- name: Distribute self signed cert and key | ||
memcached: | ||
name: "{{ item.name }}" | ||
file_path: "{{ item.src }}" | ||
state: "retrieve" | ||
file_mode: "{{ item.file_mode }}" | ||
dir_mode: "{{ item.dir_mode }}" | ||
server: "{{ memcached_servers }}" | ||
encrypt_string: "{{ memcached_encryption_key }}" | ||
with_items: | ||
- { src: "{{ keystone_ssl_cert }}", name: "keystone_ssl_cert", file_mode: "0644", dir_mode: "0755" } | ||
- { src: "{{ keystone_ssl_key }}", name: "keystone_ssl_key", file_mode: "0640", dir_mode: "0750" } | ||
register: memcache_keys | ||
until: memcache_keys|success | ||
retries: 5 | ||
delay: 2 | ||
notify: Restart Apache | ||
tags: | ||
- keystone-config | ||
- keystone-ssl |
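Review bot: the tag on this task is `keystone-config`, whereas the create and user-provided tasks use `keystone-configs`; a run with `--tags keystone-configs` would therefore regenerate or copy the material on the first container but skip retrieving it on the others. Use `keystone-configs` here. The copyright header also reads 2014 while the sibling files in this change say 2015.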
playbooks/roles/os_keystone/tasks/keystone_ssl_key_store.yml (31 additions & 0 deletions)
@@ -0,0 +1,31 @@ | ||
--- | ||
# Copyright 2015, Rackspace US, Inc. | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||
# you may not use this file except in compliance with the License. | ||
# You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
|
||
- name: Store self signed cert and key | ||
memcached: | ||
name: "{{ item.name }}" | ||
file_path: "{{ item.src }}" | ||
state: "present" | ||
server: "{{ memcached_servers }}" | ||
encrypt_string: "{{ memcached_encryption_key }}" | ||
with_items: | ||
- { src: "{{ keystone_ssl_cert }}", name: "keystone_ssl_cert" } | ||
- { src: "{{ keystone_ssl_key }}", name: "keystone_ssl_key" } | ||
register: memcache_keys | ||
until: memcache_keys|success | ||
retries: 5 | ||
delay: 2 | ||
tags: | ||
- keystone-ssl |
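Review bot: the private key is placed into memcached with `state: present` and no task in this commit removes it afterwards, so an encrypted copy of the key stays in the shared cache after distribution has completed. Consider a cleanup step once the other containers have retrieved it, or at least document the retention and the fact that `memcached_encryption_key` alone protects the key while it sits in memcached.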
playbooks/roles/os_keystone/tasks/keystone_ssl_self_signed.yml (26 additions & 0 deletions)
@@ -0,0 +1,26 @@ | ||
--- | ||
# Copyright 2015, Rackspace US, Inc. | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||
# you may not use this file except in compliance with the License. | ||
# You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
|
||
- include: keystone_ssl_key_create.yml | ||
when: > | ||
inventory_hostname == groups['keystone_all'][0] | ||
- include: keystone_ssl_key_store.yml | ||
when: > | ||
inventory_hostname == groups['keystone_all'][0] | ||
- include: keystone_ssl_key_distribute.yml | ||
when: > | ||
inventory_hostname != groups['keystone_all'][0] |
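Review bot: generation is pinned to `groups['keystone_all'][0]`, so a run that excludes that host (for example via `--limit`, or because it is unreachable) leaves the remaining containers retrying a retrieve that can never succeed, and the failure surfaces as a memcached retry timeout rather than a clear message. A preflight `fail:` task when the first keystone host is not among `play_hosts` would make the dependency explicit.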
playbooks/roles/os_keystone/tasks/keystone_ssl_user_provided.yml (43 additions & 0 deletions)
@@ -0,0 +1,43 @@ | ||
--- | ||
# Copyright 2015, Rackspace US, Inc. | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||
# you may not use this file except in compliance with the License. | ||
# You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
|
||
- name: Drop user provided ssl cert and key | ||
copy: | ||
src: "{{ item.src }}" | ||
dest: "{{ item.dest }}" | ||
owner: "root" | ||
group: "root" | ||
mode: "{{ item.mode }}" | ||
with_items: | ||
- { src: "{{ keystone_user_ssl_cert }}", dest: "{{ keystone_ssl_cert }}", mode: "0644" } | ||
- { src: "{{ keystone_user_ssl_key }}", dest: "{{ keystone_ssl_key }}", mode: "0640" } | ||
when: keystone_user_ssl_cert is defined and keystone_user_ssl_key is defined | ||
notify: Restart Apache | ||
tags: | ||
- keystone-configs | ||
- keystone-ssl | ||
|
||
- name: Drop user provided ssl CA cert | ||
copy: | ||
src: "{{ keystone_user_ssl_ca_cert }}" | ||
dest: "{{ keystone_ssl_ca_cert }}" | ||
owner: "root" | ||
group: "root" | ||
mode: "0644" | ||
when: keystone_user_ssl_ca_cert is defined | ||
notify: Restart Apache | ||
tags: | ||
- keystone-configs | ||
- keystone-ssl |
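Review bot: the copy task requires both `keystone_user_ssl_cert` and `keystone_user_ssl_key` to be defined; if a deployer sets only one of them, the task is silently skipped and, per the include condition in the first file of this change, a self-signed pair is generated instead, so the supplied file is ignored without any notice. A `fail:` task when exactly one of the two is defined would turn that into an explicit error.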