Adds certificate generation

This will generate self-signed certificates needed
for Octavia during install.

It's a manual pick since we can't delete the neutron
integration because the tests are still based n-lbaas
and the USER variable is not set in Queens.

Change-Id: I39bbc4c43633b844b55f463723ba1b72d79fd206
(cherry picked from commit 1515ca276b4d878ecad58f8b07a1976d304c294d)

defaults/main.yml

@@ -271,17 +271,6 @@ octavia_amp_ram: 1024
 octavia_amp_vcpu: 1
 octavia_amp_disk: 2
 
-# client certs
-octavia_client_ca: "{{ octavia_system_home_folder }}/certs/ca_01.pem"
-octavia_client_cert: "{{ octavia_system_home_folder }}/certs/client.pem"
-# server
-octavia_server_ca: "{{ octavia_system_home_folder }}/certs/ca_01.pem"
-# ca certs
-octavia_ca_private_key: "{{ octavia_system_home_folder }}/certs/private/cakey.pem"
-octavia_ca_certificate: "{{ octavia_system_home_folder }}/certs/ca_01.pem"
-octavia_ca_private_key_passphrase: foobar
-octavia_signing_digest: sha256
-
 # spare pool - increase to speed up load balancer creation and fail over
 octavia_spare_amphora_pool_size: 1
 
@@ -433,7 +422,34 @@ octavia_amphora_driver: amphora_haproxy_rest_driver
 octavia_compute_driver: compute_nova_driver
 octavia_network_driver: allowed_address_pairs_driver
 
+# Certificate generation
+# this directory needs to be accessible
+octavia_cert_dir: "{{ lookup('env', 'HOME') }}/openstack-ansible/octavia"
+octavia_cert_user: "{{ lookup('env', 'USER') }}"
+octavia_cert_key_length_server: '4096' # key length
+octavia_cert_cipher_server: 'aes256'
+octavia_cert_cipher_client: 'aes256'
+octavia_cert_key_length_client: '4096' # key length
+octavia_cert_server_ca_common_name: 'www.example.com' # change this to something more real
+octavia_cert_client_ca_common_name: 'www.example.com' # change this to something more real
+octavia_cert_client_req_common_name: 'www.example.com' # change this to something more real
+octavia_generate_client_cert: True # generate self signed client certs
+octavia_generate_certs: True
+
+# client certs
+octavia_client_ca_key: "{{ octavia_cert_dir }}/ca_01.key"
+octavia_client_ca: "{{ octavia_cert_dir }}/ca_01.pem"
+octavia_client_cert: "{{ octavia_cert_dir }}/client.pem"
+# server
+octavia_server_ca: "{{ octavia_ca_certificate }}"
+# ca certs
+octavia_ca_private_key: "{{ octavia_cert_dir }}/private/cakey.pem"
+octavia_ca_private_key_passphrase: "{{ octavia_cert_password_client }}"
+octavia_ca_certificate: "{{ octavia_cert_dir }}/ca_server_01.pem"
+octavia_signing_digest: sha256
+
 ## Tunable overrides
 octavia_octavia_conf_overrides: {}
 octavia_api_paste_ini_overrides: {}
 octavia_policy_overrides: {}
+

doc/source/configure-octavia.rst

@@ -163,18 +163,9 @@ Creating the cryptographic certificates
     For production installation make sure that you review this very carefully with your
     own security requirements and potantially use your own CA to sign the certificates.
 
-#. Run the certificate script.
+The system will automatically generate and use self-signed certificates with
-
+different Certificate Authorities for control plane and amphora. Make sure
-   In the bin directory of the Octavia project you cloned above run:
+to store a copy in a safe place for potential disaster recovery.
-
-   .. code-block:: bash
-
-      mkdir /var/lib/octavia/certs
-      source create_certificates.sh /var/lib/octavia/certs `pwd`/../etc/certificates/openssl.cnf
-
-.. note::
-   The certificates will be created in ``/var/lib/octavia/certs`` where the
-   ansible script are expecting them.
 
 Optional: Configuring Octavia with ssh access to the amphora
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

releasenotes/notes/certificate_generation-a9cdcc8e3b1e186f.yaml

@@ -0,0 +1,14 @@
+---
+
+features:
+  - |
+    Octavia requires SSL certificates for communication with the amphora. This
+    adds the automatic creation of self signed certificates for this purpose.
+    It uses different certificate authorities for amphora and control plane
+    thus insuring maximum security.
+security:
+  - |
+    It is recommended that the certificate generation is always reviewed by
+    security professionals since algorithms and key-lengths considered secure
+    change all the time.
+

tasks/main.yml

@@ -32,6 +32,18 @@
   tags:
     - always
 
+- include: octavia_certs_install.yml
+  when: octavia_generate_certs | bool
+  delegate_to: localhost
+  tags:
+    - octavia-install
+
+- include: octavia_certs.yml
+  when: octavia_generate_certs | bool
+  delegate_to: localhost
+  tags:
+    - octavia-config
+
 - include: octavia_pre_install.yml
   tags:
     - octavia-install

tasks/octavia_certs.yml

@@ -0,0 +1,70 @@
+---
+# Copyright 2018, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Create the server CA private key
+  openssl_privatekey:
+    path: "{{ octavia_ca_private_key }}"
+    passphrase: "{{ octavia_ca_private_key_passphrase }}"
+    cipher: "{{ octavia_cert_cipher_server }}"
+    size: "{{ octavia_cert_key_length_server }}"
+
+- name: Create server CA CSR
+  openssl_csr:
+    path: "{{ octavia_cert_dir }}/ca_server_01.csr"
+    common_name: "{{ octavia_cert_server_ca_common_name }}"
+    privatekey_path: "{{ octavia_ca_private_key }}"
+    privatekey_passphrase: "{{ octavia_ca_private_key_passphrase }}"
+
+- name: Create server CA certificate
+  openssl_certificate:
+    path: "{{ octavia_ca_certificate }}"
+    privatekey_path: "{{ octavia_ca_private_key }}"
+    privatekey_passphrase: "{{ octavia_ca_private_key_passphrase }}"
+    csr_path: "{{ octavia_cert_dir }}/ca_server_01.csr"
+    provider: selfsigned
+    owner: "{{ octavia_cert_user }}"
+
+- name: Generate Octavia client certificate
+  block:
+    - name: Create the client cert private key
+      openssl_privatekey:
+        path: "{{ octavia_cert_dir }}/client.key"
+        size: "{{ octavia_cert_key_length_client }}"
+
+    - name: Create client cert CSR
+      openssl_csr:
+        path: "{{ octavia_cert_dir }}/client.csr"
+        common_name: "{{ octavia_cert_client_req_common_name }}"
+        privatekey_path: "{{ octavia_cert_dir }}/client.key"
+
+    - name: Create client certificate
+      openssl_certificate:
+        path: "{{ octavia_cert_dir }}/client-.pem"
+        privatekey_path: "{{ octavia_ca_private_key }}"
+        privatekey_passphrase: "{{ octavia_ca_private_key_passphrase }}"
+        csr_path: "{{ octavia_cert_dir }}/client.csr"
+        provider: selfsigned
+        owner: "{{ octavia_cert_user }}"
+
+    # use cat to avoid mangling the certs
+    - name: Generate single pem client.pem
+      shell: "cat client-.pem client.key >{{ octavia_client_cert }}"
+      args:
+        chdir: "{{ octavia_cert_dir }}"
+        creates: "{{ octavia_client_cert }}"
+      tags:
+          - skip_ansible_lint
+
+  when: octavia_generate_client_cert|bool

tasks/octavia_certs_install.yml

@@ -0,0 +1,67 @@
+---
+# Copyright 2018, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Ensure python OpenSSL dependencies are installed.
+  pip:
+    name: pyOpenSSL
+    state: present
+
+- name: Generate Cert Dirs
+  file:
+    path: "{{ item.path }}"
+    state: directory
+    mode: "{{ item.mode }}"
+    owner: "{{ octavia_cert_user }}"
+  with_items:
+    - { path: "{{ octavia_cert_dir }}", mode: '0750' }
+    - { path: "{{ octavia_cert_dir }}/newcerts", mode: '0750'}
+    - { path: "{{ octavia_cert_dir }}/private", mode: '0750'}
+
+# These are run at the very first installation of Octavia
+# While Octavia acts as a CA for the server certificates,
+# for the amphora it only needs a client certificate and
+# the (public) certificate authority certificate.
+# Generating the secret key here and storing it
+# on the deploy host allows us to rotate the client
+# certificate without recycling the amphora since
+# we can keep the same CA.
+
+- name: Generate client certificate
+  block:
+    - name: Create the client CAs private key
+      openssl_privatekey:
+        path: "{{ octavia_client_ca_key }}"
+        passphrase: "{{ octavia_cert_password_client }}"
+        cipher: "{{ octavia_cert_cipher_client }}"
+        size: "{{ octavia_cert_key_length_client }}"
+
+    - name: Create client CA CSR
+      openssl_csr:
+        path: "{{ octavia_cert_dir }}/ca_01.csr"
+        common_name: "{{ octavia_cert_client_ca_common_name }}"
+        privatekey_path: "{{ octavia_client_ca_key }}"
+        privatekey_passphrase: "{{ octavia_cert_password_client }}"
+
+    - name: Create client CA certificate
+      openssl_certificate:
+        path: "{{ octavia_client_ca }}"
+        privatekey_path: "{{ octavia_client_ca_key }}"
+        privatekey_passphrase: "{{ octavia_cert_password_client }}"
+        csr_path: "{{ octavia_cert_dir }}/ca_01.csr"
+        provider: selfsigned
+        owner: "{{ octavia_cert_user }}"
+
+  when: octavia_generate_client_cert | bool == True
+

tests/os_octavia-overrides.yml

@@ -95,7 +95,7 @@ octavia_amphora_driver: "{% if test_octavia_amphora | bool %}amphora_haproxy_res
 octavia_compute_driver: "{% if test_octavia_amphora | bool %}compute_nova_driver{% else %}compute_noop_driver{% endif %}"
 octavia_network_driver: "{% if test_octavia_amphora | bool %}allowed_address_pairs_driver{% else %}network_noop_driver{% endif %}"
 
-#Neutron mappings
+#Neutron mappings (using OpenStack client came with Rocky)
 neutron_plugin_base:
   - router
   - metering
@@ -132,3 +132,9 @@ neutron_rpc_conn_pool_size: |
   endpoint_type = internalURL
   service_name = neutron
   auth_version = 3
+
+# cert generation
+octavia_cert_dir: /var/tmp/certs
+octavia_cert_password_client: 'changeme'
+octavia_cert_user: zuul
+

tests/test-configure-octavia.yml

@@ -18,36 +18,6 @@
   become: True
   gather_facts: True
   tasks:
-    - name: Install apt packages
-      apt:
-        pkg: "{{ item }}"
-        state: "{{ octavia_package_state }}"
-        update_cache: yes
-      register: install_packages
-      until: install_packages|success
-      retries: 5
-      delay: 2
-      with_items:
-        - git
-    - name: Clone Octavia
-      git:
-        repo: "https://git.openstack.org/openstack/octavia"
-        dest: "{{ octavia_system_home_folder }}/octavia"
-        version: "{{ octavia_git_install_branch }}"
-    - name: Change permission
-      file:
-        path: "{{ octavia_system_home_folder }}/octavia/bin/create_certificates.sh"
-        mode: 0755
-    - name: Generate certs
-      shell: "{{ octavia_system_home_folder }}/octavia/bin/create_certificates.sh {{ octavia_system_home_folder }}/certs {{ octavia_system_home_folder }}/octavia/etc/certificates/openssl.cnf"
-      args:
-        creates: "{{ octavia_system_home_folder }}/certs/ca_01.pem"
-      tags:
-        - skip_ansible_lint
-    - name: Fix certs/private directory access
-      file:
-        path: "{{ octavia_system_home_folder }}/certs/private"
-        mode: 0755
     - name: Install pip requirements
       pip:
         name: "shade"

tests/test-install-octavia.yml

@@ -27,3 +27,7 @@
     - role: "{{ octavia_rolename | default('os_octavia') }}"
   vars_files:
     - common/test-vars.yml
+  environment:
+    # for some reason in the Queens version we don't have a USER set?
+    USER: zuul
+