From 466e7572bb520147dec87194f467f7e99a29b562 Mon Sep 17 00:00:00 2001
From: Dmitriy Rabotyagov
Date: Wed, 10 Apr 2024 13:26:33 +0200
Subject: [PATCH] Include PKI role only once

This patch proposes to move condition on when to install certificates from the role include statement to a combined "view" for API and Consoles. While adding computes to the same logic might be beneficial for CI and AIO metal deployments, it potentially might have a negative effect for real deployments, as it will create bunch of Skipped tasks for computes so we leave them separated.

With that API and Console are usually placed on same hosts, so it makes sense to distribute certs towards them once but keeping possibility of different hosts in mind.

Change-Id: I8e28a79a6e3a5be1fe54004ea1d2c3a3ccdc20bc
---
 defaults/main.yml | 23 ++++++++++++++++-------
 tasks/main.yml | 28 ++++------------------------
 2 files changed, 20 insertions(+), 31 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index df479ae9..76a8bccc 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -724,6 +724,7 @@ nova_pki_compute_install_certificates:
 # nova_user_ssl_ca_cert:
 
 # TLS certficates for console hosts
+nova_pki_console_condition: "{{ nova_qemu_vnc_tls == 1 and nova_console_type == 'novnc' and 'nova_console' in group_names }}"
 nova_pki_console_certificates:
   # Client certificate used by novnv proxy to authenticate with compute hosts using vencrypt
   - name: "nova_{{ ansible_facts['hostname'] }}-client"
@@ -737,7 +738,7 @@ nova_pki_console_certificates:
       - keyEncipherment
     extended_key_usage:
       - clientAuth
-    condition: "{{ nova_qemu_vnc_tls == 1 and 'novnc' in nova_console_proxy_types }}"
+    condition: "{{ nova_pki_console_condition | bool }}"
 
 # Installation details for SSL certificates for console hosts
 nova_pki_console_install_certificates:
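Review bot: The gate on the vencrypt client-certificate entry is narrowed by the new variable: the removed condition tested `'novnc' in nova_console_proxy_types`, while `nova_pki_console_condition` tests `nova_console_type == 'novnc'`, so a deployment that lists novnc among several proxy types but sets a different `nova_console_type` would presumably stop receiving the client certificate; worth confirming the two variables cannot diverge. The install entries in the following hunk already used the equality form, so creation and installation at least agree now. The new variable also deserves a comment, since it gates four entries here and the include in tasks/main.yml; above it I would add `# Gates both nova_pki_console_certificates and nova_pki_console_install_certificates; must be true on every novnc console host that authenticates to computes with vencrypt.`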
@@ -746,19 +747,19 @@ nova_pki_console_install_certificates:
     owner: "root"
     group: "{{ nova_system_group_name }}"
     mode: "0640"
-    condition: "{{ nova_qemu_vnc_tls == 1 and nova_console_type == 'novnc' }}"
+    condition: "{{ nova_pki_console_condition | bool }}"
   - src: "{{ nova_user_ssl_key | default(nova_pki_keys_path ~ 'nova_' ~ ansible_facts['hostname'] ~ '-client.key.pem') }}"
     dest: "{{ nova_vencrypt_client_key }}"
     owner: "root"
     group: "{{ nova_system_group_name }}"
     mode: "0640"
-    condition: "{{ nova_qemu_vnc_tls == 1 and nova_console_type == 'novnc' }}"
+    condition: "{{ nova_pki_console_condition | bool }}"
   - src: "{{ nova_user_ssl_ca_cert | default(nova_pki_intermediate_chain_path) }}"
     dest: "{{ nova_vencrypt_ca_certs }}"
     owner: "root"
     group: "{{ nova_system_group_name }}"
     mode: "0640"
-    condition: "{{ nova_qemu_vnc_tls == 1 and nova_console_type == 'novnc' }}"
+    condition: "{{ nova_pki_console_condition | bool }}"
 
 # host which holds the ssh certificate authority
 nova_ssh_keypairs_setup_host: "{{ openstack_ssh_keypairs_setup_host | default('localhost') }}"
@@ -798,6 +799,14 @@ nova_ssh_keypairs_principals:
 # Define if communication between haproxy and service backends should be
 # encrypted with TLS.
 nova_backend_ssl: "{{ openstack_service_backend_ssl | default(False) }}"
+nova_pki_certificates_condition: >-
+  {{
+    nova_backend_ssl and (
+      'nova_console' in group_names or
+      'nova_api_metadata' in group_names or
+      'nova_api_os_compute' in group_names
+    )
+  }}
 
 nova_pki_certificates:
   # Used to encrypt traffic between haproxy and nova backends
@@ -806,7 +815,7 @@ nova_pki_certificates:
     cn: "{{ ansible_facts['hostname'] }}"
     san: "{{ nova_pki_san }}"
     signed_by: "{{ nova_pki_intermediate_cert_name }}"
-    condition: "{{ nova_backend_ssl }}"
+    condition: "{{ nova_pki_certificates_condition | bool }}"
 
 # nova destination files for SSL certificates
 nova_ssl_cert: /etc/nova/nova.pem
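Review bot: The vencrypt client-key entry in the first hunk takes `nova_user_ssl_key` as its `src` fallback, and the API install list in the next hunk uses the same override for `nova_ssl_key`, so one operator-supplied key ends up installed both as the haproxy-facing server key and as the client key presented to compute hosts; now that both lists are handed to a single include, that reuse should be stated rather than left implicit. I cannot tell from the diff whether it is intended, so a comment on the entry would do, e.g. `# nova_user_ssl_key also overrides the API server key in nova_pki_install_certificates; one key then serves both roles.` Separately, `nova_pki_certificates_condition` in the second hunk would read better with a one-line comment saying it is the shared gate for the API certificate and its install entries, matching the existing comment style of the file.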
@@ -819,13 +828,13 @@ nova_pki_install_certificates:
     owner: "{{ nova_system_user_name }}"
     group: "{{ nova_system_user_name }}"
     mode: "0644"
-    condition: "{{ nova_backend_ssl }}"
+    condition: "{{ nova_pki_certificates_condition | bool }}"
   - src: "{{ nova_user_ssl_key | default(nova_pki_keys_path ~ 'nova_' ~ ansible_facts['hostname'] ~ '_api.key.pem') }}"
     dest: "{{ nova_ssl_key }}"
     owner: "{{ nova_system_user_name }}"
     group: "{{ nova_system_user_name }}"
     mode: "0600"
-    condition: "{{ nova_backend_ssl }}"
+    condition: "{{ nova_pki_certificates_condition | bool }}"
 
 # Periodically move records for deleted resources to shadow tables
 nova_archive_deleted: False
diff --git a/tasks/main.yml b/tasks/main.yml
index 2649e3f9..f60d7776 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -139,7 +139,7 @@
     - nova-config
 
 # Create certs after nova groups have been created but before handlers
-- name: Create and install SSL certificates for API
+- name: Create and install SSL certificates for API and Consoles
   include_role:
     name: pki
     tasks_from: main_certs.yml
@@ -152,10 +152,10 @@
     pki_dir: "{{ nova_pki_dir }}"
     pki_create_certificates: "{{ nova_user_ssl_cert is not defined and nova_user_ssl_key is not defined }}"
     pki_regen_cert: "{{ nova_pki_regen_cert }}"
-    pki_certificates: "{{ nova_pki_certificates }}"
-    pki_install_certificates: "{{ nova_pki_install_certificates }}"
+    pki_certificates: "{{ nova_pki_certificates + nova_pki_console_certificates }}"
+    pki_install_certificates: "{{ nova_pki_install_certificates + nova_pki_console_install_certificates }}"
   when:
-    - "'nova_api_metadata' in group_names or 'nova_api_os_compute' in group_names"
+    - nova_pki_certificates_condition | bool or nova_pki_console_condition | bool
   tags:
     - always
 
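Review bot: The include-level `when` in the last hunk now restates the gating that the per-entry `condition` values in defaults/main.yml already express, so the two can drift if a deployer overrides one of the lists without the other; the comment above the task in the previous hunk should say which one is authoritative. I would extend it to `# Create certs after nova groups have been created but before handlers. API and console lists go through one include; each entry's own condition decides what a host gets, the when below only skips hosts that need nothing.` This assumes the pki role honours every entry's `condition`, which I cannot confirm from this diff. The task's `apply:` block lies between the two hunks and is not visible here, and `pki_create_certificates` still keys off `nova_user_ssl_cert`/`nova_user_ssl_key` alone, so a user-supplied API certificate also turns off creation of the console client certificate; that is pre-existing but now affects both lists from the same task.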
@@ -181,26 +181,6 @@
   tags:
     - always
 
-- name: Create and install SSL certificates for console hosts
-  include_role:
-    name: pki
-    tasks_from: main_certs.yml
-    apply:
-      tags:
-        - nova-config
-        - pki
-  vars:
-    pki_setup_host: "{{ nova_pki_setup_host }}"
-    pki_dir: "{{ nova_pki_dir }}"
-    pki_create_certificates: "{{ nova_user_ssl_cert is not defined and nova_user_ssl_key is not defined }}"
-    pki_regen_cert: "{{ nova_pki_regen_cert }}"
-    pki_certificates: "{{ nova_pki_certificates + nova_pki_console_certificates }}"
-    pki_install_certificates: "{{ nova_pki_install_certificates + nova_pki_console_install_certificates }}"
-  when:
-    - "'nova_console' in group_names"
-  tags:
-    - always
-
 - name: Including nova_post_install tasks
   import_tasks: nova_post_install.yml
   tags: