vault: Support generating external TLS certificates for testing

These should not generally be used in production, since the CA is self-signed.

Author: markgoddard

doc/source/configuration/vault.rst

@@ -137,6 +137,30 @@ Setup Vault HA on the overcloud hosts
 Certificates generation
 =======================
 
+Create the external TLS certificates (testing only)
+---------------------------------------------------
+
+Typically external API TLS certificates should be generated by a organisation's trusted internal or third-party CA.
+For test and development purposes it is possible to use Vault as a CA for the external API.
+
+1. Run the playbook
+
+   .. code-block::
+
+      kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/vault-generate-test-external-tls.yml
+
+2. Use ansible-vault to encrypt the PEM bundle in $KAYOBE_CONFIG_PATH/kolla/certificates/haproxy.pem. Commit the PEM bundle to the kayobe configuration.
+
+   .. code-block::
+
+      ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/kolla/certificates/haproxy.pem
+
+   Or if environments are being used
+
+   .. code-block::
+
+      ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/kolla/certificates/haproxy.pem
+
 Create the internal TLS certificates
 ------------------------------------
 
@@ -189,14 +213,21 @@ Certificates deployment
 Enable the required TLS variables in kayobe and kolla
 -----------------------------------------------------
 
-1. Set the following in kayobe-config/etc/kayobe/kolla.yml or if environments are being used etc/kayobe/environments/$KAYOBE_ENVIRONMENT/kolla.yml
+1. If using Vault as a CA for the external API, set the following in kayobe-config/etc/kayobe/kolla.yml or if environments are being used etc/kayobe/environments/$KAYOBE_ENVIRONMENT/kolla.yml
+
+   .. code-block::
+
+      # Whether TLS is enabled for the external API endpoints. Default is 'no'.
+      kolla_enable_tls_external: yes
+
+2. Set the following in kayobe-config/etc/kayobe/kolla.yml or if environments are being used etc/kayobe/environments/$KAYOBE_ENVIRONMENT/kolla.yml
 
    .. code-block::
 
       # Whether TLS is enabled for the internal API endpoints. Default is 'no'.
       kolla_enable_tls_internal: yes
 
-2. Set the following in etc/kayobe/kolla/globals.yml or if environments are being used etc/kayobe/environments/$KAYOBE_ENVIRONMENT/kolla/globals.yml
+3. Set the following in etc/kayobe/kolla/globals.yml or if environments are being used etc/kayobe/environments/$KAYOBE_ENVIRONMENT/kolla/globals.yml
 
    .. code-block::
 
@@ -213,7 +244,7 @@ Enable the required TLS variables in kayobe and kolla
       # If using RabbitMQ TLS:
       rabbitmq_enable_tls: "yes"
 
-3. Deploy backend and internal TLS
+4. Deploy OpenStack
 
    .. warning::
 

etc/kayobe/ansible/vault-generate-test-external-tls.yml

@@ -0,0 +1,55 @@
+---
+- name: Generate external API certificate (for testing only)
+  hosts: controllers
+  run_once: true
+  vars:
+    vault_api_addr: "https://{{ kolla_internal_fqdn }}:8200"
+    # NOTE: Using the same CA as internal TLS.
+    vault_intermediate_ca_name: "OS-TLS-INT"
+  tasks:
+    - name: Include Vault keys
+      include_vars:
+        file: "{{ kayobe_env_config_path }}/vault/overcloud-vault-keys.json"
+        name: vault_keys
+
+    - name: Issue a certificate for external TLS
+      hashivault_pki_cert_issue:
+        url: "{{ vault_api_addr }}"
+        ca_cert: "{{ '/etc/pki/tls/certs/ca-bundle.crt' if ansible_facts.os_family == 'RedHat' else '/usr/local/share/ca-certificates/OS-TLS-ROOT.crt' }}"
+        token: "{{ vault_keys.root_token }}"
+        mount_point: "{{ vault_intermediate_ca_name }}"
+        role: "{{ overcloud_vault_pki_external_tls_role_name }}"
+        common_name: "{% if kolla_external_fqdn != kolla_external_vip_address %}{{ kolla_external_fqdn }}{% endif %}"
+        extra_params:
+          ip_sans: "{{ kolla_external_vip_address }}"
+      register: external_cert
+
+    - name: Ensure certificates directory exists
+      file:
+        path: "{{ kayobe_env_config_path }}/kolla/certificates"
+        state: directory
+      delegate_to: localhost
+
+    - name: Ensure CA certificates directory exists
+      file:
+        path: "{{ kayobe_env_config_path }}/kolla/certificates/ca"
+        state: directory
+      delegate_to: localhost
+
+    - name: Copy external API PEM bundle
+      no_log: true
+      copy:
+        dest: "{{ kayobe_env_config_path }}/kolla/certificates/haproxy.pem"
+        content: |
+          {{ external_cert.data.certificate }}
+          {{ external_cert.data.issuing_ca }}
+          {{ external_cert.data.private_key }}
+        mode: 0600
+      delegate_to: localhost
+
+    - name: Copy root CA
+      copy:
+        src: "{{ kayobe_env_config_path }}/vault/OS-TLS-ROOT.pem"
+        dest: "{{ kayobe_env_config_path }}/kolla/certificates/ca/vault.crt"
+        mode: 0600
+      delegate_to: localhost

etc/kayobe/inventory/group_vars/all/vault

@@ -64,6 +64,9 @@ overcloud_vault_pki_internal_tls_role_name: "{{ overcloud_vault_pki_default_role
 # Overcloud Vault PKI Backend TLS Role name
 overcloud_vault_pki_backend_tls_role_name: "{{ overcloud_vault_pki_default_role_name }}"
 
+# Overcloud Vault PKI External TLS Role name (for testing only)
+overcloud_vault_pki_external_tls_role_name: "{{ overcloud_vault_pki_default_role_name }}"
+
 # Overcloud Vault PKI Roles definition
 overcloud_vault_pki_roles:
   - name: "{{ overcloud_vault_pki_default_role_name }}"