  1. Nov 07, 2023
  2. Feb 03, 2022
      certificates: generate libvirt TLS certificates · 33e93ab3
      Mark Goddard authored
      Adds support to the 'kolla-ansible certificates' command for generating
      certificates for libvirt TLS, when libvirt_tls is true. The same
      certificate and key are used for the libvirt client and server.
      
      The certificates use the same root CA as the other generated
      certificates, and are written to
      {{ node_custom_config }}/nova/nova-libvirt/, ready to be picked up by
      nova-libvirt and nova-compute.
      
      Change-Id: I1bde9fa018f66037aec82dc74c61ad1f477a7c12
  3. Aug 24, 2021
  4. Oct 08, 2020
      Fix haproxy bundle generation · 3f9d30a2
      Radosław Piliszek authored
      This fixes the `certificates` command to not include CSRs in
      the haproxy bundle.
      The regex was wrong.
      
      Change-Id: If25a6d5dd40f507fea4470be01baeeb7c8a790b4
  5. Sep 17, 2020
      Support TLS encryption of RabbitMQ client-server traffic · 761ea9a3
      Mark Goddard authored
      This change adds support for encryption of communication between
      OpenStack services and RabbitMQ. Server certificates are supported, but
      currently client certificates are not.
      
      The kolla-ansible certificates command has been updated to support
      generating certificates for RabbitMQ for development and testing.
      
      RabbitMQ TLS is enabled in the all-in-one source CI jobs, or when
      the Zuul 'tls_enabled' variable is true.
      
      Change-Id: I4f1d04150fb2b5af085b762890092f87ae6076b5
      Implements: blueprint message-queue-ssl-support
  6. Jun 16, 2020
  7. Jun 15, 2020
      Generate Root CA for Self-Signed Certificates · a982d3ac
      James Kirsch authored
      Update the certificate generation task to create a root CA for the
      self-signed certificates. The internal and external facing certificates
      are then generated using the root CA.
      
      Updated openstack_cacert to use system CA trust store in CI tests
      certificate by default.
      
      Change-Id: I6c2adff7d0128146cf086103ff6060b0dcefa37b
      Partially-Implements: blueprint add-ssl-internal-network
  8. Apr 09, 2020
      Add support for encrypting backend Keystone HAProxy traffic · b475643c
      James Kirsch authored
      This patch introduces an optional backend encryption for Keystone
      service. When used in conjunction with enabling TLS for service API
      endpoints, network communication will be encrypted end to end, from
      client through HAProxy to the Keystone service.
      
      Change-Id: I6351147ddaff8b2ae629179a9bc3bae2ebac9519
      Partially-Implements: blueprint add-ssl-internal-network
  9. Jan 28, 2020
      Generate self signed TLS certificates · d100904f
      James Kirsch authored
      Generate both internal and external self signed TLS certificates.
      Duplicate the certificate if internal and external VIPs are the same.
      
      Change-Id: I16b345c0b29ff13e042eed8798efe644e0ad2c74
      Partially-Implements: blueprint custom-cacerts
  10. Oct 17, 2019
      Fix OpenSSL template · 4443a53b
      Radosław Piliszek authored
      OpenSSL certificate should default to FQDN if possible.
      Using IP addresses is not recommended, complicates dual stack
      and limits addressing flexibility.
      
      IPv6 control plane implementation [1] follow-up.
      
      [1] Ia34e6916ea4f99e9522cd2ddde03a0a4776f7e2c
      
      Change-Id: Ibfc02f933ddcc170e9d616d401e294ba0ff5e981
  11. Sep 11, 2019
  12. Mar 27, 2019
      Removing '/certificates' entry in generate.yml as this causes an · c0a3970e
      jamesbagwell authored
      incorrect path when generating certificates.
      
      The 'setting permissions on key' task fails because the task looks for
      the haproxy.key in an invalid path. The certificates_dir is defined as
      '{{ node_config }}/certificates' in the main.yml. The 'Setting
      permissions on Key' task has a path of
      '{{ certificates_dir }}/certificates/private/haproxy.key', which is
      incorrect. Removing the 'certificates' in the path corrects this problem
      and allows the user to successfully create certificates using
      'kolla-ansible certificates'.
      
      Change-Id: I37b10b994b05d955b6f67c908df1472231a91160
      Closes-Bug: 1821805
  13. Nov 19, 2018
      Use correct variable for default certificate paths · 9223deee
      caoyuan authored
      The variable {{ node_config_directory }} is used for the configuration
      directory on the remote hosts, and should not be used for paths on the
      deploy host (localhost).
      
      This changes the default value of the TLS certificate and CA file to
      reference {{ CONFIG_DIR }}, in line with the directory used for
      admin-openrc.sh (as of I0709482ead4b7a67e82796e17f85bde151e71bc0).
      
      This change also introduces a variable, {{ node_config }}, that
      references {{ CONFIG_DIR | default('/etc/kolla') }}, to remove
      duplication.
      
      Change-Id: Ibd82ac78630ebfff5824c329d7399e1e900c0ee0
      Closes-Bug: #1804025
  14. Jul 25, 2018
  15. May 09, 2018
      Make generated private key files not world readable · 3991ebcd
      Mark Giles authored
      The kolla-ansible certificates command creates a self-signed
      certificate and corresponding private key.  This change sets the
      file mode on the files that contain the private key so that they
      are not world readable.
      
      Change-Id: I7bfba5975af8d230e5d00c2ce801a914fbbf2d4e
  16. Sep 25, 2017
      Specify 'become' to necessary tasks (general roles) · 26b2c2d9
      Duong Ha-Quang authored
      Add config_owner_user and config_owner_group to group_vars/all,
      which is user and group of Kolla configuration files in /etc/kolla.
      
      Add become to post-deploy playbook.
      
      Add become to only necessary tasks in roles:
      - certificate
      - common
      - destroy
      - haproxy
      - mariadb
      - memcached
      - rabbitmq
      
      Change-Id: I2aba745a6e3928c52642f64551470fd08cbfd058
      Partial-Implements: blueprint ansible-specific-task-become
  17. Mar 09, 2017
      Enable sanity checks from kolla-ansible · 5418ada1
      Paul Bourke authored
      Add a new subcommand 'check' to kolla-ansible, used to run the
      smoke/sanity checks.
      
      Add stub files to all services that don't currently have checks.
      
      Change-Id: I9f661c5fc51fd5b9b266f23f6c524884613dee48
      Partially-implements: blueprint sanity-check-container
  18. Jan 10, 2017
  19. Nov 03, 2016
      Move precheck into its own role · fa458019
      Jeffrey Zhang authored
      * Merge prechecks.yml and site.yml playbook
      * Create empty precheck.yml into all roles.
      
      Change-Id: I8a138558a26c0a2a66c5fd48ed37be657c99c1dd
      Implements: blueprint condition-pre-check
  20. Mar 03, 2016
      Add TLS protection on external API endpoints · 3daded62
      Dave McCowan authored
      TLS can be used to encrypt and authenticate the connection with
      OpenStack endpoints.  This patch provides the necessary
      parameters and changes the resulting service configurations to
      enable TLS for the Kolla deployed OpenStack cloud.
      
      The new input parameters are:
      
      kolla_enable_tls_external: "yes" or "no" (default is "no")
      kolla_external_fqdn_cert: "/etc/kolla/certificates/haproxy.pem"
      kolla_external_fqdn_cacert: "/etc/kolla/certificates/haproxy-ca.crt"
      
      Implements: blueprint kolla-ssl
      
      Change-Id: I48ef8a781c3035d58817f9bf6f36d59a488bab41
  21. Feb 26, 2016
      Add Ansible scripts to generate TLS certificates for testing · fd280872
      Dave McCowan authored
      Working towards the blueprint that will add TLS protection
      for the external endpoints, kolla needs certificates.
      
      When kolla deploys OpenStack, the external VIP will need
      a server side certificate.  Clients that access those endpoints will
      need the public CA certificate that signed that certificate.
      
      This ansible script will create these two certificates to make
      it easy to use TLS in a test environment.  The generated
      certificate files are:
      
      /etc/kolla/certificates/haproxy.pem  (server side certificate)
      /etc/kolla/certificates/haproxy-ca.pem (CA certificate)
      
      The generated certificates are not suitable for use in a
      production environment, but will be useful for testing and
      verifying operations.
      
      Partially-implements: blueprint ssl-kolla
      
      Change-Id: I208777f9e5eee3bfb06810c7b18a2727beda234d