Commit e84c968e authored by Noboru Iwamatsu's avatar Noboru Iwamatsu Committed by Dincer Celik

Adapt to Octavia Certificate Configuration Guide.

This patch updates the octavia controller deployment to use the
latest octavia certificate configuration guide [1]. The dual CA changes
were introduced in Train.

[1] https://docs.openstack.org/octavia/latest/admin/guides/certificates.html

Change-Id: If89ec0d631568db70690f1a69d00115c59abe678
Closes-Bug: #1862133
...@@ -94,9 +94,10 @@ ...@@ -94,9 +94,10 @@
- inventory_hostname in groups[service.group] - inventory_hostname in groups[service.group]
- service.enabled | bool - service.enabled | bool
with_items: with_items:
- cakey.pem - client.cert-and-key.pem
- ca_01.pem - client_ca.cert.pem
- client.pem - server_ca.cert.pem
- server_ca.key.pem
notify: notify:
- Restart octavia-worker container - Restart octavia-worker container
...@@ -112,9 +113,10 @@ ...@@ -112,9 +113,10 @@
- inventory_hostname in groups[service.group] - inventory_hostname in groups[service.group]
- service.enabled | bool - service.enabled | bool
with_items: with_items:
- cakey.pem - client.cert-and-key.pem
- ca_01.pem - client_ca.cert.pem
- client.pem - server_ca.cert.pem
- server_ca.key.pem
notify: notify:
- Restart octavia-housekeeping container - Restart octavia-housekeeping container
...@@ -130,9 +132,10 @@ ...@@ -130,9 +132,10 @@
- inventory_hostname in groups[service.group] - inventory_hostname in groups[service.group]
- service.enabled | bool - service.enabled | bool
with_items: with_items:
- cakey.pem - client.cert-and-key.pem
- ca_01.pem - client_ca.cert.pem
- client.pem - server_ca.cert.pem
- server_ca.key.pem
notify: notify:
- Restart octavia-health-manager container - Restart octavia-health-manager container
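Review bot: The same four-entry file list is now hand-copied into the worker, housekeeping and health-manager tasks in this file and again into the precheck, so the next certificate-layout change has four places to drift. Define it once in the role's defaults, e.g. `octavia_cert_files: [client.cert-and-key.pem, client_ca.cert.pem, server_ca.cert.pem, server_ca.key.pem]`, and replace each list with `with_items: "{{ octavia_cert_files }}"`. Note that `server_ca.key.pem` is the signing key for every amphora certificate, so the mode the module applies when it lands these files on the deploy host matters; that module call and its `mode` are outside the hunk, so I cannot confirm it is as tight as the 0600 the container configs use. Each enclosing task starts before its hunk.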
...@@ -35,6 +35,13 @@ ...@@ -35,6 +35,13 @@
- container_facts['octavia_health_manager'] is not defined - container_facts['octavia_health_manager'] is not defined
- inventory_hostname in groups['octavia-health-manager'] - inventory_hostname in groups['octavia-health-manager']
- name: Warn about certificate changes
debug:
msg: >-
Octavia's certificate configuration has been changed since Train. The new
configuration requires 4 PEM files. Please check certificate configuration
guide at https://docs.openstack.org/octavia/latest/admin/guides/certificates.html
- name: Checking certificate files exist for octavia - name: Checking certificate files exist for octavia
stat: stat:
path: "{{ node_custom_config }}/octavia/{{ item }}" path: "{{ node_custom_config }}/octavia/{{ item }}"
...@@ -44,6 +51,7 @@ ...@@ -44,6 +51,7 @@
failed_when: not result.stat.exists failed_when: not result.stat.exists
when: inventory_hostname in groups['octavia-worker'] when: inventory_hostname in groups['octavia-worker']
with_items: with_items:
- cakey.pem - client.cert-and-key.pem
- ca_01.pem - client_ca.cert.pem
- client.pem - server_ca.cert.pem
- server_ca.key.pem
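Review bot: The new `Warn about certificate changes` task has no `when`, so it fires on every host on every run indefinitely, long after the migration is done, which teaches operators to ignore it. Gate it on the legacy layout actually being present, for example register a `stat` of `{{ node_custom_config }}/octavia/ca_01.pem` and add `when: legacy_ca.stat.exists`, or at minimum reuse `when: inventory_hostname in groups['octavia-worker']` so it matches the existence check below it. Separately, that existence check still runs only for `octavia-worker`, while the config tasks appear to push the same four files to the housekeeping and health-manager groups as well, so a missing `server_ca.key.pem` on those hosts is caught at deploy time rather than in prechecks.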
...@@ -8,20 +8,26 @@ ...@@ -8,20 +8,26 @@
"perm": "0600" "perm": "0600"
}, },
{ {
"source": "{{ container_config_directory }}/cakey.pem", "source": "{{ container_config_directory }}/client.cert-and-key.pem",
"dest": "/etc/octavia/certs/private/cakey.pem", "dest": "/etc/octavia/certs/client.cert-and-key.pem",
"owner": "octavia", "owner": "octavia",
"perm": "0600" "perm": "0600"
}, },
{ {
"source": "{{ container_config_directory }}/ca_01.pem", "source": "{{ container_config_directory }}/client_ca.cert.pem",
"dest": "/etc/octavia/certs/ca_01.pem", "dest": "/etc/octavia/certs/client_ca.cert.pem",
"owner": "octavia", "owner": "octavia",
"perm": "0600" "perm": "0600"
}, },
{ {
"source": "{{ container_config_directory }}/client.pem", "source": "{{ container_config_directory }}/server_ca.cert.pem",
"dest": "/etc/octavia/certs/client.pem", "dest": "/etc/octavia/certs/server_ca.cert.pem",
"owner": "octavia",
"perm": "0600"
},
{
"source": "{{ container_config_directory }}/server_ca.key.pem",
"dest": "/etc/octavia/certs/server_ca.key.pem",
"owner": "octavia", "owner": "octavia",
"perm": "0600" "perm": "0600"
} }
...@@ -8,20 +8,26 @@ ...@@ -8,20 +8,26 @@
"perm": "0600" "perm": "0600"
}, },
{ {
"source": "{{ container_config_directory }}/cakey.pem", "source": "{{ container_config_directory }}/client.cert-and-key.pem",
"dest": "/etc/octavia/certs/private/cakey.pem", "dest": "/etc/octavia/certs/client.cert-and-key.pem",
"owner": "octavia", "owner": "octavia",
"perm": "0600" "perm": "0600"
}, },
{ {
"source": "{{ container_config_directory }}/ca_01.pem", "source": "{{ container_config_directory }}/client_ca.cert.pem",
"dest": "/etc/octavia/certs/ca_01.pem", "dest": "/etc/octavia/certs/client_ca.cert.pem",
"owner": "octavia", "owner": "octavia",
"perm": "0600" "perm": "0600"
}, },
{ {
"source": "{{ container_config_directory }}/client.pem", "source": "{{ container_config_directory }}/server_ca.cert.pem",
"dest": "/etc/octavia/certs/client.pem", "dest": "/etc/octavia/certs/server_ca.cert.pem",
"owner": "octavia",
"perm": "0600"
},
{
"source": "{{ container_config_directory }}/server_ca.key.pem",
"dest": "/etc/octavia/certs/server_ca.key.pem",
"owner": "octavia", "owner": "octavia",
"perm": "0600" "perm": "0600"
} }
...@@ -8,20 +8,26 @@ ...@@ -8,20 +8,26 @@
"perm": "0600" "perm": "0600"
}, },
{ {
"source": "{{ container_config_directory }}/cakey.pem", "source": "{{ container_config_directory }}/client.cert-and-key.pem",
"dest": "/etc/octavia/certs/private/cakey.pem", "dest": "/etc/octavia/certs/client.cert-and-key.pem",
"owner": "octavia", "owner": "octavia",
"perm": "0600" "perm": "0600"
}, },
{ {
"source": "{{ container_config_directory }}/ca_01.pem", "source": "{{ container_config_directory }}/client_ca.cert.pem",
"dest": "/etc/octavia/certs/ca_01.pem", "dest": "/etc/octavia/certs/client_ca.cert.pem",
"owner": "octavia", "owner": "octavia",
"perm": "0600" "perm": "0600"
}, },
{ {
"source": "{{ container_config_directory }}/client.pem", "source": "{{ container_config_directory }}/server_ca.cert.pem",
"dest": "/etc/octavia/certs/client.pem", "dest": "/etc/octavia/certs/server_ca.cert.pem",
"owner": "octavia",
"perm": "0600"
},
{
"source": "{{ container_config_directory }}/server_ca.key.pem",
"dest": "/etc/octavia/certs/server_ca.key.pem",
"owner": "octavia", "owner": "octavia",
"perm": "0600" "perm": "0600"
} }
...@@ -11,15 +11,15 @@ bind_port = {{ octavia_api_listen_port }} ...@@ -11,15 +11,15 @@ bind_port = {{ octavia_api_listen_port }}
[certificates] [certificates]
ca_private_key_passphrase = {{ octavia_ca_password }} ca_private_key_passphrase = {{ octavia_ca_password }}
ca_private_key = /etc/octavia/certs/private/cakey.pem ca_private_key = /etc/octavia/certs/server_ca.key.pem
ca_certificate = /etc/octavia/certs/ca_01.pem ca_certificate = /etc/octavia/certs/server_ca.cert.pem
{% if enable_barbican | bool %} {% if enable_barbican | bool %}
region_name = {{ openstack_region_name }} region_name = {{ openstack_region_name }}
{% endif %} {% endif %}
[haproxy_amphora] [haproxy_amphora]
server_ca = /etc/octavia/certs/ca_01.pem server_ca = /etc/octavia/certs/server_ca.cert.pem
client_cert = /etc/octavia/certs/client.pem client_cert = /etc/octavia/certs/client.cert-and-key.pem
[database] [database]
connection = mysql+pymysql://{{ octavia_database_user }}:{{ octavia_database_password }}@{{ octavia_database_address }}/{{ octavia_database_name }} connection = mysql+pymysql://{{ octavia_database_user }}:{{ octavia_database_password }}@{{ octavia_database_address }}/{{ octavia_database_name }}
...@@ -66,6 +66,7 @@ amp_image_tag = amphora ...@@ -66,6 +66,7 @@ amp_image_tag = amphora
amp_secgroup_list = {{ octavia_amp_secgroup_list }} amp_secgroup_list = {{ octavia_amp_secgroup_list }}
amp_flavor_id = {{ octavia_amp_flavor_id }} amp_flavor_id = {{ octavia_amp_flavor_id }}
amp_ssh_key_name = octavia_ssh_key amp_ssh_key_name = octavia_ssh_key
client_ca = /etc/octavia/certs/client_ca.cert.pem
network_driver = allowed_address_pairs_driver network_driver = allowed_address_pairs_driver
compute_driver = compute_nova_driver compute_driver = compute_nova_driver
amphora_driver = amphora_haproxy_rest_driver amphora_driver = amphora_haproxy_rest_driver
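Review bot: Pointing `server_ca`, `client_cert` and the new `client_ca` at freshly generated dual-CA material replaces the trust anchors for the controller-to-amphora mutual TLS, so on an upgrade any amphora still holding a certificate issued by the old single CA (`ca_01.pem`) would presumably stop authenticating until it is failed over or rebuilt. Neither the commit message nor the release note says this; add a comment above `[certificates]` such as `# Replacing the CA files invalidates certificates on running amphorae; reuse the old CA or plan a failover before switching` and state the same in the release note. I cannot tell from this hunk whether kolla triggers any amphora rotation on upgrade, so treat this as something to confirm against the Octavia guide.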
---
fixes:
- |
Adapt Octavia to the latest dual CA certificate configuration. The
following files should exist in ``/etc/kolla/config/octavia/``:
* ``client.cert-and-key.pem``
* ``client_ca.cert.pem``
* ``server_ca.cert.pem``
* ``server_ca.key.pem``
See the `Octavia documentation
<https://docs.openstack.org/octavia/latest/admin/guides/certificates.html>`__
for details on generating these files.