Manage certificates for Octavia controller-amphora communication
Octavia presently allows for one method for the controller to
communicate with amphorae: the amphora REST API. Both amphora API and
Octavia controller do bi-directional certificate-based authentication in
order to authenticate and encrypt communication.
This change doesn't affect Octavia user-facing API.
What this change does:
- Creates Octavia CA stored on a node where Octavia controller
is running
- Creates certificates for controller-amphora communication
signed by this CA. (Amphora-side certs are generated by Octavia
itself)
Depends on: https://gerrit.mcp.mirantis.net/7680
Related PROD: PROD-11933
Change-Id: Iedca3b5888af6e331005ed7387d4ca68d34e0261
diff --git a/reclass/storage/system/openstack_gateway_single_octavia.yml b/reclass/storage/system/openstack_gateway_single_octavia.yml
index 264b3f1..7291977 100644
--- a/reclass/storage/system/openstack_gateway_single_octavia.yml
+++ b/reclass/storage/system/openstack_gateway_single_octavia.yml
@@ -5,3 +5,5 @@
openstack_gateway_node01:
classes:
- system.octavia.manager.single
+ - system.salt.minion.ca.octavia_ca
+ - system.salt.minion.cert.octavia_amp_client
diff --git a/salt/minion/ca/octavia_ca.yml b/salt/minion/ca/octavia_ca.yml
new file mode 100644
index 0000000..ac66bec
--- /dev/null
+++ b/salt/minion/ca/octavia_ca.yml
@@ -0,0 +1,29 @@
+parameters:
+ _param:
+ octavia_ca_common_name: Octavia CA
+ octavia_ca_country: cz
+ octavia_ca_locality: Prague
+ octavia_ca_organization: Mirantis
+ octavia_ca_days_valid_authority: 3650
+ octavia_ca_days_valid_certificate: 365
+ salt:
+ minion:
+ ca:
+ octavia_ca:
+ common_name: ${_param:octavia_ca_common_name}
+ country: ${_param:octavia_ca_country}
+ locality: ${_param:octavia_ca_locality}
+ organization: ${_param:octavia_ca_organization}
+ signing_policy:
+ cert_server:
+ type: v3_edge_cert_server
+ minions: '*'
+ cert_client:
+ type: v3_edge_cert_client
+ minions: '*'
+ cert_open:
+ type: v3_edge_cert_open
+ minions: '*'
+ days_valid:
+ authority: ${_param:octavia_ca_days_valid_authority}
+ certificate: ${_param:octavia_ca_days_valid_certificate}
diff --git a/salt/minion/cert/octavia_amp_client.yml b/salt/minion/cert/octavia_amp_client.yml
new file mode 100644
index 0000000..7a8425a
--- /dev/null
+++ b/salt/minion/cert/octavia_amp_client.yml
@@ -0,0 +1,20 @@
+parameters:
+ _param:
+ salt_minion_ca_host: ${_param:openstack_gateway_node01_hostname}.${_param:cluster_domain}
+ salt_minion_ca_authority: octavia_ca
+ salt:
+ minion:
+ cert:
+ octavia_amp_client:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: octavia_amp_client
+ signing_policy: cert_open
+ key_usage: "digitalSignature,nonRepudiation,keyEncipherment"
+ ca_file: ${octavia:manager:certificates:ca_certificate}
+ ca_key_file: ${octavia:manager:certificates:ca_private_key}
+ key_file: ${octavia:manager:haproxy_amphora:client_cert_key}
+ cert_file: ${octavia:manager:haproxy_amphora:client_cert}
+ all_file: ${octavia:manager:haproxy_amphora:client_cert_all}
+ user: octavia
+ group: octavia