Fix usage of Subject Alternative Name for TLS

All TLS certificates are incorrectly generated in the 'certificates'
role. The generated certificates don't contain both the 'X509v3
extensions' and 'X509v3 Subject Alternative Name' blocks at all.

This change fixes the 'openssl x509' commands used to generate all the
certificates to include the 'Subject Alternative Name'.

Also, this change fixes both internal and external templates to
constantly use alternative names as described in the RFCs [1] [2].
We use DNS Name in SAN extension only when 'kolla_internal_fqdn' or
'kolla_external_fqdn' is set.

1. https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6
2. https://datatracker.ietf.org/doc/html/rfc6125#appendix-B.2



Closes-Bug: #1935978
Change-Id: Ie5d82a2e4575bd74674ac38a042df49cfe7f74c9
Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>

ansible/roles/certificates/tasks/generate-backend.yml

@@ -39,6 +39,8 @@
     -CA "{{ root_dir }}/root.crt"
     -CAkey "{{ root_dir }}/root.key"
     -CAcreateserial
+    -extensions v3_req
+    -extfile "{{ kolla_certificates_dir }}/openssl-kolla-backend.cnf"
     -out "{{ backend_dir }}/backend.crt"
     -days 500
     -sha256

ansible/roles/certificates/tasks/generate.yml

@@ -46,6 +46,8 @@
         -CA "{{ root_dir }}/root.crt"
         -CAkey "{{ root_dir }}/root.key"
         -CAcreateserial
+        -extensions v3_req
+        -extfile "{{ kolla_certificates_dir }}/openssl-kolla.cnf"
         -out "{{ external_dir }}/external.crt"
         -days 365
         -sha256
@@ -114,6 +116,8 @@
         -CA "{{ root_dir }}/root.crt"
         -CAkey "{{ root_dir }}/root.key"
         -CAcreateserial
+        -extensions v3_req
+        -extfile "{{ kolla_certificates_dir }}/openssl-kolla-internal.cnf"
         -out "{{ internal_dir }}/internal.crt"
         -days 365
         -sha256

ansible/roles/certificates/templates/openssl-kolla-internal.cnf.j2

@@ -8,7 +8,6 @@ countryName = US
 stateOrProvinceName = NC
 localityName = RTP
 organizationalUnitName = kolla
-commonName = {{ kolla_internal_fqdn }}
 
 [v3_req]
 subjectAltName = @alt_names
@@ -16,6 +15,5 @@ subjectAltName = @alt_names
 [alt_names]
 {% if kolla_internal_fqdn != kolla_internal_vip_address %}
 DNS.1 = {{ kolla_internal_fqdn }}
-{% else %}
-IP.1 = {{ kolla_internal_fqdn }}
 {% endif %}
+IP.1 = {{ kolla_internal_vip_address }}

ansible/roles/certificates/templates/openssl-kolla.cnf.j2

@@ -8,7 +8,6 @@ countryName = US
 stateOrProvinceName = NC
 localityName = RTP
 organizationalUnitName = kolla
-commonName = {{ kolla_external_fqdn }}
 
 [v3_req]
 subjectAltName = @alt_names
@@ -16,6 +15,5 @@ subjectAltName = @alt_names
 [alt_names]
 {% if kolla_external_fqdn != kolla_external_vip_address %}
 DNS.1 = {{ kolla_external_fqdn }}
-{% else %}
-IP.1 = {{ kolla_external_fqdn }}
 {% endif %}
+IP.1 = {{ kolla_external_vip_address }}