  1. Jun 16, 2020
  2. Jun 15, 2020
    • Generate Root CA for Self-Signed Certificates · a982d3ac
      James Kirsch authored
      Update the certificate generation task to create a root CA for the
      self-signed certificates. The internal and external facing certificates
      are then generated using the root CA.
      
      Updated openstack_cacert to use system CA trust store in CI tests
      certificate by default.
      
      Change-Id: I6c2adff7d0128146cf086103ff6060b0dcefa37b
      Partially-Implements: blueprint add-ssl-internal-network
  3. Apr 09, 2020
    • Add support for encrypting backend Keystone HAProxy traffic · b475643c
      James Kirsch authored
      This patch introduces an optional backend encryption for Keystone
      service. When used in conjunction with enabling TLS for service API
      endpoints, network communication will be encrypted end to end, from
      client through HAProxy to the Keystone service.
      
      Change-Id: I6351147ddaff8b2ae629179a9bc3bae2ebac9519
      Partially-Implements: blueprint add-ssl-internal-network
  4. Jan 28, 2020
    • Generate self signed TLS certificates · d100904f
      James Kirsch authored
      Generate both internal and external self signed TLS certificates.
      Duplicate the certificate if internal and external VIPs are the same.
      
      Change-Id: I16b345c0b29ff13e042eed8798efe644e0ad2c74
      Partially-Implements: blueprint custom-cacerts
  5. Mar 27, 2019
    • Removing '/certificates' entry in generate.yml as this causes an · c0a3970e
      jamesbagwell authored
      incorrect path when generating certificates.
      
      The 'setting permissions on key' task fails because the task looks for
      the haproxy.key in an invalid path. The certificates_dir is defined as
      '{{ node_config }}/certificates' in the main.yml. The 'Setting
      permissions on Key' task has a path of '{{ certificates_dir
      }}/certificates/private/haproxy.key' which is incorrect. Removing the
      'certificates' in the path corrects this problem and allows the user to
      successfully create certificates using 'kolla-ansible certificates'.
      
      Change-Id: I37b10b994b05d955b6f67c908df1472231a91160
      Closes-Bug: 1821805
  6. Nov 19, 2018
    • Use correct variable for default certificate paths · 9223deee
      caoyuan authored
      The variable {{ node_config_directory }} is used for the configuration
      directory on the remote hosts, and should not be used for paths on the
      deploy host (localhost).
      
      This changes the default value of the TLS certificate and CA file to
      reference {{ CONFIG_DIR }}, in line with the directory used for
      admin-openrc.sh (as of I0709482ead4b7a67e82796e17f85bde151e71bc0).
      
      This change also introduces a variable, {{ node_config }}, that
      references {{ CONFIG_DIR | default('/etc/kolla') }}, to remove
      duplication.
      
      Change-Id: Ibd82ac78630ebfff5824c329d7399e1e900c0ee0
      Closes-Bug: #1804025
  7. May 09, 2018
    • Make generated private key files not world readable · 3991ebcd
      Mark Giles authored
      The kolla-ansible certificates command creates a self-signed
      certificate and corresponding private key.  This change sets the
      file mode on the files that contain the private key so that they
      are not world readable.
      
      Change-Id: I7bfba5975af8d230e5d00c2ce801a914fbbf2d4e
  8. Sep 25, 2017
    • Specify 'become' to necessary tasks (general roles) · 26b2c2d9
      Duong Ha-Quang authored
      Add config_owner_user and config_owner_group to group_vars/all,
      which is user and group of Kolla configuration files in /etc/kolla.
      
      Add become to post-deploy playbook.
      
      Add become to only necessary tasks in roles:
      - certificate
      - common
      - destroy
      - haproxy
      - mariadb
      - memcached
      - rabbitmq
      
      Change-Id: I2aba745a6e3928c52642f64551470fd08cbfd058
      Partial-Implements: blueprint ansible-specific-task-become
  9. Mar 03, 2016
    • Add TLS protection on external API endpoints · 3daded62
      Dave McCowan authored
      TLS can be used to encrypt and authenticate the connection with
      OpenStack endpoints.  This patch provides the necessary
      parameters and changes the resulting service configurations to
      enable TLS for the Kolla deployed OpenStack cloud.
      
      The new input parameters are:
      
      kolla_enable_tls_external: "yes" or "no" (default is "no")
      kolla_external_fqdn_cert: "/etc/kolla/certificates/haproxy.pem"
      kolla_external_fqdn_cacert: "/etc/kolla/certificates/haproxy-ca.crt"
      
      Implements: blueprint kolla-ssl
      
      Change-Id: I48ef8a781c3035d58817f9bf6f36d59a488bab41
  10. Feb 26, 2016
    • Add Ansible scripts to generate TLS certificates for testing · fd280872
      Dave McCowan authored
      Working towards the blueprint that will add TLS protection
      for the external endpoints, kolla needs certificates.
      
      When kolla deploys OpenStack, the external VIP will need
      a server side certificate.  Clients that access those endpoints will
      need the public CA certificate that signed that certificate.
      
      This ansible script will create these two certificates to make
      it easy to use TLS in a test environment.  The generated
      certificate files are:
      
      /etc/kolla/certificates/haproxy.pem  (server side certificate)
      /etc/kolla/certificates/haproxy-ca.pem (CA certificate)
      
      The generated certificates are not suitable for use in a
      production environment, but will be useful for testing and
      verifying operations.
      
      Partially-implements: blueprint ssl-kolla
      
      Change-Id: I208777f9e5eee3bfb06810c7b18a2727beda234d