openstack/openstack-ansible-os_nova
Code Issues Proposed changes

Merge "Add TLS support to nova API backends"

Browse Source
This commit is contained in:
Zuul 2023-05-03 14:57:07 +00:00 committed by Gerrit Code Review
commit dd00e710d7
2 changed files with 85 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
defaults/main.yml
View File

@ -267,6 +267,9 @@ nova_nested_virt_enabled: False
nova_wsgi_processes_max: 16 nova_wsgi_processes_max: 16
nova_wsgi_processes: "{{ [[ansible_facts['processor_vcpus']|default(1), 1] | max * 2, nova_wsgi_processes_max] | min }}" nova_wsgi_processes: "{{ [[ansible_facts['processor_vcpus']|default(1), 1] | max * 2, nova_wsgi_processes_max] | min }}"
nova_wsgi_threads: 1 nova_wsgi_threads: 1
nova_uwsgi_tls:
crt: "{{ nova_ssl_cert }}"
key: "{{ nova_ssl_key }}"
## Nova libvirt ## Nova libvirt
# Warning: If nova_libvirt_inject_key or nova_libvirt_inject_password are enabled for Ubuntu compute hosts # Warning: If nova_libvirt_inject_key or nova_libvirt_inject_password are enabled for Ubuntu compute hosts
@ -441,6 +444,7 @@ nova_services:
uwsgi_overrides: "{{ nova_api_metadata_uwsgi_ini_overrides }}" uwsgi_overrides: "{{ nova_api_metadata_uwsgi_ini_overrides }}"
uwsgi_bind_address: "{{ nova_metadata_bind_address }}" uwsgi_bind_address: "{{ nova_metadata_bind_address }}"
uwsgi_port: "{{ nova_metadata_port }}" uwsgi_port: "{{ nova_metadata_port }}"
uwsgi_tls: "{{ nova_backend_ssl | ternary(nova_uwsgi_tls, {}) }}"
wsgi_name: nova-metadata-wsgi wsgi_name: nova-metadata-wsgi
nova-api-os-compute: nova-api-os-compute:
group: nova_api_os_compute group: nova_api_os_compute
@ -451,6 +455,7 @@ nova_services:
uwsgi_overrides: "{{ nova_api_os_compute_uwsgi_ini_overrides }}" uwsgi_overrides: "{{ nova_api_os_compute_uwsgi_ini_overrides }}"
uwsgi_bind_address: "{{ nova_service_bind_address }}" uwsgi_bind_address: "{{ nova_service_bind_address }}"
uwsgi_port: "{{ nova_service_port }}" uwsgi_port: "{{ nova_service_port }}"
uwsgi_tls: "{{ nova_backend_ssl | ternary(nova_uwsgi_tls, {}) }}"
wsgi_name: nova-api-wsgi wsgi_name: nova-api-wsgi
nova-compute: nova-compute:
group: nova_compute group: nova_compute
@ -476,7 +481,7 @@ nova_services:
init_config_overrides: "{{ nova_novncproxy_init_overrides }}" init_config_overrides: "{{ nova_novncproxy_init_overrides }}"
condition: "{{ nova_console_type == 'novnc' }}" condition: "{{ nova_console_type == 'novnc' }}"
start_order: 5 start_order: 5
execstarts: "{{ nova_bin }}/nova-novncproxy" execstarts: "{{ nova_bin }}/nova-novncproxy {{ nova_backend_ssl | ternary('--ssl_only --cert ' ~ nova_ssl_cert ~ ' --key ' ~ nova_ssl_key, '') }}"
nova-scheduler: nova-scheduler:
group: nova_scheduler group: nova_scheduler
service_name: nova-scheduler service_name: nova-scheduler
@ -490,21 +495,21 @@ nova_services:
init_config_overrides: "{{ {'Install': {'Alias': 'nova-spiceproxy.service'}} | combine(nova_spicehtml5proxy_init_overrides, recursive=True) }}" init_config_overrides: "{{ {'Install': {'Alias': 'nova-spiceproxy.service'}} | combine(nova_spicehtml5proxy_init_overrides, recursive=True) }}"
condition: "{{ nova_console_type == 'spice' }}" condition: "{{ nova_console_type == 'spice' }}"
start_order: 5 start_order: 5
execstarts: "{{ nova_bin }}/nova-spicehtml5proxy" execstarts: "{{ nova_bin }}/nova-spicehtml5proxy {{ nova_backend_ssl | ternary('--ssl_only --cert ' ~ nova_ssl_cert ~ ' --key ' ~ nova_ssl_key, '') }}"
nova-serialconsole-proxy: nova-serialconsole-proxy:
group: nova_console group: nova_console
service_name: nova-serialproxy service_name: nova-serialproxy
init_config_overrides: "{{ nova_serialproxy_init_overrides }}" init_config_overrides: "{{ nova_serialproxy_init_overrides }}"
condition: "{{ nova_console_type == 'serialconsole' }}" condition: "{{ nova_console_type == 'serialconsole' }}"
start_order: 5 start_order: 5
execstarts: "{{ nova_bin }}/nova-serialproxy" execstarts: "{{ nova_bin }}/nova-serialproxy {{ nova_backend_ssl | ternary('--ssl_only --cert ' ~ nova_ssl_cert ~ ' --key ' ~ nova_ssl_key, '') }}"
nova_ironic_sericalconsole-proxy: nova_ironic_sericalconsole-proxy:
group: ironic_console group: ironic_console
service_name: nova-serialproxy service_name: nova-serialproxy
init_config_overrides: "{{ nova_serialproxy_init_overrides }}" init_config_overrides: "{{ nova_serialproxy_init_overrides }}"
condition: "{{ nova_ironic_console_type == 'serialconsole' }}" condition: "{{ nova_ironic_console_type == 'serialconsole' }}"
start_order: 5 start_order: 5
execstarts: "{{ nova_bin }}/nova-serialproxy" execstarts: "{{ nova_bin }}/nova-serialproxy {{ nova_backend_ssl | ternary('--ssl_only --cert ' ~ nova_ssl_cert ~ ' --key ' ~ nova_ssl_key, '') }}"
nova_novnc_pip_packages: nova_novnc_pip_packages:
- websockify - websockify
@ -583,6 +588,7 @@ nova_pki_certs_path: "{{ nova_pki_dir ~ '/certs/certs/' }}"
nova_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name }}" nova_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name }}"
nova_pki_intermediate_chain_path: "{{ nova_pki_dir ~ '/roots/' ~ nova_pki_intermediate_cert_name ~ '/certs/' ~ nova_pki_intermediate_cert_name ~ '-chain.crt' }}" nova_pki_intermediate_chain_path: "{{ nova_pki_dir ~ '/roots/' ~ nova_pki_intermediate_cert_name ~ '/certs/' ~ nova_pki_intermediate_cert_name ~ '-chain.crt' }}"
nova_pki_regen_cert: '' nova_pki_regen_cert: ''
nova_pki_san: "{{ openstack_pki_san | default('DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ management_address) }}"
# Create client and server cert for compute hosts # Create client and server cert for compute hosts
# This certiticate is used to secure TLS live migrations and VNC sessions # This certiticate is used to secure TLS live migrations and VNC sessions
nova_pki_compute_certificates: nova_pki_compute_certificates:
@ -690,6 +696,7 @@ nova_pki_console_certificates:
- keyEncipherment - keyEncipherment
extended_key_usage: extended_key_usage:
- clientAuth - clientAuth
condition: "{{ nova_qemu_vnc_tls == 1 and nova_console_type == 'novnc' }}"
# Installation details for SSL certificates for console hosts # Installation details for SSL certificates for console hosts
nova_pki_console_install_certificates: nova_pki_console_install_certificates:
@ -698,16 +705,19 @@ nova_pki_console_install_certificates:
owner: "root" owner: "root"
group: "{{ nova_system_group_name }}" group: "{{ nova_system_group_name }}"
mode: "0640" mode: "0640"
condition: "{{ nova_qemu_vnc_tls == 1 and nova_console_type == 'novnc' }}"
- src: "{{ nova_user_ssl_key | default(nova_pki_keys_path ~ 'nova_' ~ ansible_facts['hostname'] ~ '-client.key.pem') }}" - src: "{{ nova_user_ssl_key | default(nova_pki_keys_path ~ 'nova_' ~ ansible_facts['hostname'] ~ '-client.key.pem') }}"
dest: "{{ nova_vencrypt_client_key }}" dest: "{{ nova_vencrypt_client_key }}"
owner: "root" owner: "root"
group: "{{ nova_system_group_name }}" group: "{{ nova_system_group_name }}"
mode: "0640" mode: "0640"
condition: "{{ nova_qemu_vnc_tls == 1 and nova_console_type == 'novnc' }}"
- src: "{{ nova_user_ssl_ca_cert | default(nova_pki_intermediate_chain_path) }}" - src: "{{ nova_user_ssl_ca_cert | default(nova_pki_intermediate_chain_path) }}"
dest: "{{ nova_vencrypt_ca_certs }}" dest: "{{ nova_vencrypt_ca_certs }}"
owner: "root" owner: "root"
group: "{{ nova_system_group_name }}" group: "{{ nova_system_group_name }}"
mode: "0640" mode: "0640"
condition: "{{ nova_qemu_vnc_tls == 1 and nova_console_type == 'novnc' }}"
# host which holds the ssh certificate authority # host which holds the ssh certificate authority
nova_ssh_keypairs_setup_host: "{{ openstack_ssh_keypairs_setup_host | default('localhost') }}" nova_ssh_keypairs_setup_host: "{{ openstack_ssh_keypairs_setup_host | default('localhost') }}"
@ -739,3 +749,39 @@ nova_ssh_keypairs_install_ca: "{{ openstack_ssh_keypairs_authorities }}"
nova_ssh_keypairs_principals: nova_ssh_keypairs_principals:
- user: "{{ nova_system_user_name }}" - user: "{{ nova_system_user_name }}"
principals: "{{ nova_ssh_key_principals | default(['nova']) }}" principals: "{{ nova_ssh_key_principals | default(['nova']) }}"
###
### Backend TLS
###
# Define if communication between haproxy and service backends should be
# encrypted with TLS.
nova_backend_ssl: "{{ openstack_service_backend_ssl | default(False) }}"
nova_pki_certificates:
# Used to encrypt traffic between haproxy and nova backends
- name: "nova_{{ ansible_facts['hostname'] }}"
provider: ownca
cn: "{{ ansible_facts['hostname'] }}"
san: "{{ nova_pki_san }}"
signed_by: "{{ nova_pki_intermediate_cert_name }}"
condition: "{{ nova_backend_ssl }}"
# nova destination files for SSL certificates
nova_ssl_cert: /etc/nova/nova.pem
nova_ssl_key: /etc/nova/nova.key
# Installation details for SSL certificates
nova_pki_install_certificates:
- src: "{{ nova_user_ssl_cert | default(nova_pki_certs_path ~ 'nova_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}"
dest: "{{ nova_ssl_cert }}"
owner: "{{ nova_system_user_name }}"
group: "{{ nova_system_user_name }}"
mode: "0644"
condition: "{{ nova_backend_ssl }}"
- src: "{{ nova_user_ssl_key | default(nova_pki_keys_path ~ 'nova_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
dest: "{{ nova_ssl_key }}"
owner: "{{ nova_system_user_name }}"
group: "{{ nova_system_user_name }}"
mode: "0600"
condition: "{{ nova_backend_ssl }}"

41
tasks/main.yml
View File

@ -130,11 +130,35 @@
tags: tags:
- nova-config - nova-config
# Create certs after libvirt groups have been created but before handlers # Create certs after nova groups have been created but before handlers
- name: Create and install SSL certificates for API
include_role:
name: pki
tasks_from: main_certs.yml
apply:
tags:
- nova-config
- pki
vars:
pki_setup_host: "{{ nova_pki_setup_host }}"
pki_dir: "{{ nova_pki_dir }}"
pki_create_certificates: "{{ nova_user_ssl_cert is not defined and nova_user_ssl_key is not defined }}"
pki_regen_cert: "{{ nova_pki_regen_cert }}"
pki_certificates: "{{ nova_pki_certificates }}"
pki_install_certificates: "{{ nova_pki_install_certificates }}"
when:
- "'nova_api_metadata' in group_names or 'nova_api_os_compute' in group_names"
tags:
- always
- name: Create and install SSL certificates for compute hosts - name: Create and install SSL certificates for compute hosts
include_role: include_role:
name: pki name: pki
tasks_from: main_certs.yml tasks_from: main_certs.yml
apply:
tags:
- nova-config
- pki
vars: vars:
pki_setup_host: "{{ nova_pki_setup_host }}" pki_setup_host: "{{ nova_pki_setup_host }}"
pki_dir: "{{ nova_pki_dir }}" pki_dir: "{{ nova_pki_dir }}"
@ -146,23 +170,28 @@
- nova_libvirtd_listen_tls == 1 - nova_libvirtd_listen_tls == 1
- "'nova_compute' in group_names" - "'nova_compute' in group_names"
- nova_virt_type != 'ironic' - nova_virt_type != 'ironic'
tags:
- always
# Create certs after nova groups have been created but before handlers
- name: Create and install SSL certificates for console hosts - name: Create and install SSL certificates for console hosts
include_role: include_role:
name: pki name: pki
tasks_from: main_certs.yml tasks_from: main_certs.yml
apply:
tags:
- nova-config
- pki
vars: vars:
pki_setup_host: "{{ nova_pki_setup_host }}" pki_setup_host: "{{ nova_pki_setup_host }}"
pki_dir: "{{ nova_pki_dir }}" pki_dir: "{{ nova_pki_dir }}"
pki_create_certificates: "{{ nova_user_ssl_cert is not defined and nova_user_ssl_key is not defined }}" pki_create_certificates: "{{ nova_user_ssl_cert is not defined and nova_user_ssl_key is not defined }}"
pki_regen_cert: "{{ nova_pki_regen_cert }}" pki_regen_cert: "{{ nova_pki_regen_cert }}"
pki_certificates: "{{ nova_pki_console_certificates }}" pki_certificates: "{{ nova_pki_certificates + nova_pki_console_certificates }}"
pki_install_certificates: "{{ nova_pki_console_install_certificates }}" pki_install_certificates: "{{ nova_pki_install_certificates + nova_pki_console_install_certificates }}"
when: when:
- nova_qemu_vnc_tls == 1
- nova_console_type == 'novnc'
- "'nova_console' in group_names" - "'nova_console' in group_names"
tags:
- always
- import_tasks: nova_post_install.yml - import_tasks: nova_post_install.yml
tags: tags: