From e84c968ed21764fd8859d369c2aa50bd10ef0937 Mon Sep 17 00:00:00 2001
From: Noboru Iwamatsu <n_iwamatsu@fujitsu.com>
Date: Thu, 6 Feb 2020 18:26:21 +0900
Subject: [PATCH] Adapt to Octavia Certificate Configuration Guide.

This patch updates the octavia controller deployment to use the
latest octavia certificate configuration guide [1]. The dual CA changes
were introduced in Train.

[1] https://docs.openstack.org/octavia/latest/admin/guides/certificates.html

Change-Id: If89ec0d631568db70690f1a69d00115c59abe678
Closes-Bug: #1862133
---
 ansible/roles/octavia/tasks/config.yml        | 21 +++++++++++--------
 ansible/roles/octavia/tasks/precheck.yml      | 14 ++++++++++---
 .../templates/octavia-health-manager.json.j2  | 18 ++++++++++------
 .../templates/octavia-housekeeping.json.j2    | 18 ++++++++++------
 .../octavia/templates/octavia-worker.json.j2  | 18 ++++++++++------
 .../roles/octavia/templates/octavia.conf.j2   |  9 ++++----
 ...-octavia-cert-config-28f0ef2799406957.yaml | 14 +++++++++++++
 7 files changed, 78 insertions(+), 34 deletions(-)
 create mode 100644 releasenotes/notes/fix-octavia-cert-config-28f0ef2799406957.yaml

diff --git a/ansible/roles/octavia/tasks/config.yml b/ansible/roles/octavia/tasks/config.yml
index a60991d808..fc480d5b86 100644
--- a/ansible/roles/octavia/tasks/config.yml
+++ b/ansible/roles/octavia/tasks/config.yml
@@ -94,9 +94,10 @@
     - inventory_hostname in groups[service.group]
     - service.enabled | bool
   with_items:
-    - cakey.pem
-    - ca_01.pem
-    - client.pem
+    - client.cert-and-key.pem
+    - client_ca.cert.pem
+    - server_ca.cert.pem
+    - server_ca.key.pem
   notify:
     - Restart octavia-worker container
 
@@ -112,9 +113,10 @@
     - inventory_hostname in groups[service.group]
     - service.enabled | bool
   with_items:
-    - cakey.pem
-    - ca_01.pem
-    - client.pem
+    - client.cert-and-key.pem
+    - client_ca.cert.pem
+    - server_ca.cert.pem
+    - server_ca.key.pem
   notify:
     - Restart octavia-housekeeping container
 
@@ -130,9 +132,10 @@
     - inventory_hostname in groups[service.group]
     - service.enabled | bool
   with_items:
-    - cakey.pem
-    - ca_01.pem
-    - client.pem
+    - client.cert-and-key.pem
+    - client_ca.cert.pem
+    - server_ca.cert.pem
+    - server_ca.key.pem
   notify:
     - Restart octavia-health-manager container
 
diff --git a/ansible/roles/octavia/tasks/precheck.yml b/ansible/roles/octavia/tasks/precheck.yml
index 6e00c29b02..38a692c184 100644
--- a/ansible/roles/octavia/tasks/precheck.yml
+++ b/ansible/roles/octavia/tasks/precheck.yml
@@ -35,6 +35,13 @@
     - container_facts['octavia_health_manager'] is not defined
     - inventory_hostname in groups['octavia-health-manager']
 
+- name: Warn about certificate changes
+  debug:
+    msg: >-
+      Octavia's certificate configuration has been changed since Train. The new
+      configuration requires 4 PEM files. Please check certificate configuration
+      guide at https://docs.openstack.org/octavia/latest/admin/guides/certificates.html
+
 - name: Checking certificate files exist for octavia
   stat:
     path: "{{ node_custom_config }}/octavia/{{ item }}"
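Review bot: The new `Warn about certificate changes` task has no `when`, so the Train migration notice is printed on every host on every run, including fresh deployments that never had the old layout, which trains operators to ignore precheck output. Gate it on the presence of the legacy files in `{{ node_custom_config }}/octavia/` so it fires only where a migration is actually pending; the `Checking certificate files exist` task that follows already fails with a clear path when a new file is missing.

```yaml
- name: Checking for legacy octavia certificate files
  stat:
    path: "{{ node_custom_config }}/octavia/{{ item }}"
  register: legacy_cert_files
  with_items:
    - cakey.pem
    - ca_01.pem
    - client.pem

- name: Warn about certificate changes
  debug:
    msg: >-
      Octavia's certificate configuration has been changed since Train. The new
      configuration requires 4 PEM files. Please check certificate configuration
      guide at https://docs.openstack.org/octavia/latest/admin/guides/certificates.html
  when: legacy_cert_files.results | selectattr('stat.exists') | list | length > 0
```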
@@ -44,6 +51,7 @@
   failed_when: not result.stat.exists
   when: inventory_hostname in groups['octavia-worker']
   with_items:
-    - cakey.pem
-    - ca_01.pem
-    - client.pem
+    - client.cert-and-key.pem
+    - client_ca.cert.pem
+    - server_ca.cert.pem
+    - server_ca.key.pem
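Review bot: The existence check still runs only on `octavia-worker` hosts (the `when:` above the list), while the config hunks copy the same four files onto housekeeping and health-manager hosts too, so a missing file there is caught only when the copy task fails instead of at precheck. Extend the condition to all three groups, e.g. `when: inventory_hostname in groups['octavia-worker'] or inventory_hostname in groups['octavia-health-manager'] or inventory_hostname in groups['octavia-housekeeping']` (the housekeeping group name is inferred from the handler name and should be confirmed). Since two of the new files carry private keys, it is also worth asserting on `result.stat.mode` that they are not group- or world-readable rather than checking existence alone. The enclosing task starts outside the hunk.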
diff --git a/ansible/roles/octavia/templates/octavia-health-manager.json.j2 b/ansible/roles/octavia/templates/octavia-health-manager.json.j2
index 51d83f40af..e70ddb9491 100644
--- a/ansible/roles/octavia/templates/octavia-health-manager.json.j2
+++ b/ansible/roles/octavia/templates/octavia-health-manager.json.j2
@@ -8,20 +8,26 @@
             "perm": "0600"
         },
         {
-            "source": "{{ container_config_directory }}/cakey.pem",
-            "dest": "/etc/octavia/certs/private/cakey.pem",
+            "source": "{{ container_config_directory }}/client.cert-and-key.pem",
+            "dest": "/etc/octavia/certs/client.cert-and-key.pem",
             "owner": "octavia",
             "perm": "0600"
         },
         {
-            "source": "{{ container_config_directory }}/ca_01.pem",
-            "dest": "/etc/octavia/certs/ca_01.pem",
+            "source": "{{ container_config_directory }}/client_ca.cert.pem",
+            "dest": "/etc/octavia/certs/client_ca.cert.pem",
             "owner": "octavia",
             "perm": "0600"
         },
         {
-            "source": "{{ container_config_directory }}/client.pem",
-            "dest": "/etc/octavia/certs/client.pem",
+            "source": "{{ container_config_directory }}/server_ca.cert.pem",
+            "dest": "/etc/octavia/certs/server_ca.cert.pem",
+            "owner": "octavia",
+            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/server_ca.key.pem",
+            "dest": "/etc/octavia/certs/server_ca.key.pem",
             "owner": "octavia",
             "perm": "0600"
         }
diff --git a/ansible/roles/octavia/templates/octavia-housekeeping.json.j2 b/ansible/roles/octavia/templates/octavia-housekeeping.json.j2
index 16731e271e..88580ae1a9 100644
--- a/ansible/roles/octavia/templates/octavia-housekeeping.json.j2
+++ b/ansible/roles/octavia/templates/octavia-housekeeping.json.j2
@@ -8,20 +8,26 @@
             "perm": "0600"
         },
         {
-            "source": "{{ container_config_directory }}/cakey.pem",
-            "dest": "/etc/octavia/certs/private/cakey.pem",
+            "source": "{{ container_config_directory }}/client.cert-and-key.pem",
+            "dest": "/etc/octavia/certs/client.cert-and-key.pem",
             "owner": "octavia",
             "perm": "0600"
         },
         {
-            "source": "{{ container_config_directory }}/ca_01.pem",
-            "dest": "/etc/octavia/certs/ca_01.pem",
+            "source": "{{ container_config_directory }}/client_ca.cert.pem",
+            "dest": "/etc/octavia/certs/client_ca.cert.pem",
             "owner": "octavia",
             "perm": "0600"
         },
         {
-            "source": "{{ container_config_directory }}/client.pem",
-            "dest": "/etc/octavia/certs/client.pem",
+            "source": "{{ container_config_directory }}/server_ca.cert.pem",
+            "dest": "/etc/octavia/certs/server_ca.cert.pem",
+            "owner": "octavia",
+            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/server_ca.key.pem",
+            "dest": "/etc/octavia/certs/server_ca.key.pem",
             "owner": "octavia",
             "perm": "0600"
         }
diff --git a/ansible/roles/octavia/templates/octavia-worker.json.j2 b/ansible/roles/octavia/templates/octavia-worker.json.j2
index 042349b84f..6220916734 100644
--- a/ansible/roles/octavia/templates/octavia-worker.json.j2
+++ b/ansible/roles/octavia/templates/octavia-worker.json.j2
@@ -8,20 +8,26 @@
             "perm": "0600"
         },
         {
-            "source": "{{ container_config_directory }}/cakey.pem",
-            "dest": "/etc/octavia/certs/private/cakey.pem",
+            "source": "{{ container_config_directory }}/client.cert-and-key.pem",
+            "dest": "/etc/octavia/certs/client.cert-and-key.pem",
             "owner": "octavia",
             "perm": "0600"
         },
         {
-            "source": "{{ container_config_directory }}/ca_01.pem",
-            "dest": "/etc/octavia/certs/ca_01.pem",
+            "source": "{{ container_config_directory }}/client_ca.cert.pem",
+            "dest": "/etc/octavia/certs/client_ca.cert.pem",
             "owner": "octavia",
             "perm": "0600"
         },
         {
-            "source": "{{ container_config_directory }}/client.pem",
-            "dest": "/etc/octavia/certs/client.pem",
+            "source": "{{ container_config_directory }}/server_ca.cert.pem",
+            "dest": "/etc/octavia/certs/server_ca.cert.pem",
+            "owner": "octavia",
+            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/server_ca.key.pem",
+            "dest": "/etc/octavia/certs/server_ca.key.pem",
             "owner": "octavia",
             "perm": "0600"
         }
diff --git a/ansible/roles/octavia/templates/octavia.conf.j2 b/ansible/roles/octavia/templates/octavia.conf.j2
index b6bd7b21a8..d44e0e02df 100644
--- a/ansible/roles/octavia/templates/octavia.conf.j2
+++ b/ansible/roles/octavia/templates/octavia.conf.j2
@@ -11,15 +11,15 @@ bind_port = {{ octavia_api_listen_port }}
 
 [certificates]
 ca_private_key_passphrase = {{ octavia_ca_password }}
-ca_private_key = /etc/octavia/certs/private/cakey.pem
-ca_certificate = /etc/octavia/certs/ca_01.pem
+ca_private_key = /etc/octavia/certs/server_ca.key.pem
+ca_certificate = /etc/octavia/certs/server_ca.cert.pem
 {% if enable_barbican | bool %}
 region_name = {{ openstack_region_name }}
 {% endif %}
 
 [haproxy_amphora]
-server_ca = /etc/octavia/certs/ca_01.pem
-client_cert = /etc/octavia/certs/client.pem
+server_ca = /etc/octavia/certs/server_ca.cert.pem
+client_cert = /etc/octavia/certs/client.cert-and-key.pem
 
 [database]
 connection = mysql+pymysql://{{ octavia_database_user }}:{{ octavia_database_password }}@{{ octavia_database_address }}/{{ octavia_database_name }}
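Review bot: The template now references two different CAs without saying which is which, and the setting names (`ca_certificate`, `server_ca`, `client_ca`) do not make that obvious to the next operator. Per the linked guide, `[certificates]` holds the server CA that signs per-amphora certificates (its key is unlocked by `ca_private_key_passphrase`), in `[haproxy_amphora]` `server_ca` is what the controller uses to verify amphora certificates and `client_cert` is the controller's own identity toward the amphorae, and `client_ca` in the second hunk is the CA the amphorae trust for controller clients. A one-line `#` comment above each of those three settings would remove the ambiguity; the second hunk (`client_ca = ...`) is the only place that key is introduced, so it is the one most in need of a comment.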
@@ -66,6 +66,7 @@ amp_image_tag = amphora
 amp_secgroup_list = {{ octavia_amp_secgroup_list }}
 amp_flavor_id = {{ octavia_amp_flavor_id }}
 amp_ssh_key_name = octavia_ssh_key
+client_ca = /etc/octavia/certs/client_ca.cert.pem
 network_driver = allowed_address_pairs_driver
 compute_driver = compute_nova_driver
 amphora_driver = amphora_haproxy_rest_driver
diff --git a/releasenotes/notes/fix-octavia-cert-config-28f0ef2799406957.yaml b/releasenotes/notes/fix-octavia-cert-config-28f0ef2799406957.yaml
new file mode 100644
index 0000000000..ec060e119b
--- /dev/null
+++ b/releasenotes/notes/fix-octavia-cert-config-28f0ef2799406957.yaml
@@ -0,0 +1,14 @@
+---
+fixes:
+  - |
+    Adapt Octavia to the latest dual CA certificate configuration. The
+    following files should exist in ``/etc/kolla/config/octavia/``:
+
+    * ``client.cert-and-key.pem``
+    * ``client_ca.cert.pem``
+    * ``server_ca.cert.pem``
+    * ``server_ca.key.pem``
+
+    See the `Octavia documentation
+    <https://docs.openstack.org/octavia/latest/admin/guides/certificates.html>`__
+    for details on generating these files.
-- 
GitLab