From 934f73af0fb4639455fe6fe2552b242929648f38 Mon Sep 17 00:00:00 2001 From: "Joshua M. Boniface" Date: Wed, 26 Aug 2020 14:08:58 -0400 Subject: [PATCH] Support using existing SSL certs on system Add the additional pvc_api_ssl_cert_path and pvc_api_ssl_key_path group_vars options, which can be used to set the SSL details to existing files on the filesystem if desired. If these are empty (or nonexistent), the original pvc_api_ssl_cert and pvc_api_ssl_key raw format options will be used as they were. Allows the administrator to use outside methods (such as Let's Encrypt) to obtain the certs locally on the system, avoiding changes to the group_vars and redeployment to manage SSL keys. --- group_vars/default/pvc.yml | 17 +++++++++++++++-- roles/pvc/tasks/pvc/main.yml | 4 ++-- roles/pvc/templates/pvc/pvcapid.yaml.j2 | 8 ++++++++ 3 files changed, 25 insertions(+), 4 deletions(-) diff --git a/group_vars/default/pvc.yml b/group_vars/default/pvc.yml index 0c63820..1eb4138 100644 --- a/group_vars/default/pvc.yml +++ b/group_vars/default/pvc.yml @@ -22,17 +22,30 @@ #pvc_fence_failed_action: None # What to do with VMs when a fence is failed (migrate, None) - migrate is DANGEROUS without pvc_suicide_intervals set to < pvc_fence_intervals #pvc_fence_migrate_target_selector: mem # The selector to use for migrating VMs after a fence -# Client API configuration +# Client API basic configuration pvc_api_listen_address: "{{ pvc_upstream_floatingip }}" pvc_api_listen_port: "7370" +pvc_api_secret_key: "" # Use pwgen to generate + +# Client API user tokens +# Create a token (random UUID or password) for each user you wish to have access to the PVC API. +# The first token will always be used for the "local" connection, and thus at least one token MUST be defined. pvc_api_enable_authentication: True -pvc_api_secret_key: "" pvc_api_tokens: - description: "myuser" token: "a3945326-d36c-4024-83b3-2a8931d7785a" + +# PVC API SSL configuration +# Use these options to enable SSL for the API listener, providing security over WAN connections. +# There are two options for defining the SSL certificate and key to use: +# a) Set both pvc_api_ssl_cert_path and pvc_api_ssl_key_path to paths to an existing SSL combined (CA + cert) certificate and key, respectively, on the system. +# b) Set both pvc_api_ssl_cert and pvc_api_ssl_key to the raw PEM-encoded contents of an SSL combined (CA + cert) certificate and key, respectively, which will be installed under /etc/pvc. +# If the _path options are non-empty, the raw entries are ignored and will not be used. pvc_api_enable_ssl: False +pvc_api_ssl_cert_path: pvc_api_ssl_cert: > # A RAW CERTIFICATE FILE, installed to /etc/pvc/api-cert.pem +pvc_api_ssl_key_path: pvc_api_ssl_key: > # A RAW KEY FILE, installed to /etc/pvc/api-key.pem diff --git a/roles/pvc/tasks/pvc/main.yml b/roles/pvc/tasks/pvc/main.yml index e806db9..5ad1c50 100644 --- a/roles/pvc/tasks/pvc/main.yml +++ b/roles/pvc/tasks/pvc/main.yml @@ -27,7 +27,7 @@ dest: /etc/pvc/api-cert.pem mode: 0644 no_log: True - when: pvc_api_enable_ssl + when: pvc_api_enable_ssl and not pvc_api_ssl_cert_path - name: install API SSL key file copy: @@ -35,7 +35,7 @@ dest: /etc/pvc/api-key.pem mode: 0640 no_log: True - when: pvc_api_enable_ssl + when: pvc_api_enable_ssl and not pvc_api_ssl_key_path - name: stop and disable unneccessary services service: diff --git a/roles/pvc/templates/pvc/pvcapid.yaml.j2 b/roles/pvc/templates/pvc/pvcapid.yaml.j2 index bb51696..9502933 100644 --- a/roles/pvc/templates/pvc/pvcapid.yaml.j2 +++ b/roles/pvc/templates/pvc/pvcapid.yaml.j2 @@ -30,9 +30,17 @@ pvc: # enabled: Enabled or disable SSL operation (True/False) enabled: {{ pvc_api_enable_ssl }} # cert_file: SSL certificate file +{% if pvc_api_ssl_cert_path is defined and pvc_api_ssl_cert_path %} + cert_file: "{{ pvc_api_ssl_cert_path }}" +{% else %} cert_file: "/etc/pvc/api-cert.pem" +{% endif %} # key_file: SSL certificate key file +{% if pvc_api_ssl_key_path is defined and pvc_api_ssl_key_path %} + key_file: "{{ pvc_api_ssl_key_path }}" +{% else %} key_file: "/etc/pvc/api-key.pem" +{% endif %} # provisioner: Configuration of the Provisioner API listener provisioner: # database: Backend database configuration