From 98f32bd51b74728ac5feff3d02a76f67e6218d04 Mon Sep 17 00:00:00 2001
From: =?utf8?q?S=C3=A9bastien=20Han?=
Date: Tue, 3 Apr 2018 15:20:06 +0200
Subject: [PATCH] ceph-iscsi: fix certificates generation and distribution
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
Prior to this patch, the certificates where being generated on a single node only (because of the run_once: true). Thus certificates were not distributed on all the gateway nodes. This would require a second ansible run to work. This patches fix the creation and keys's distribution on all the nodes.
Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1540845
Signed-off-by: Sébastien Han
(cherry picked from commit f3caee84605e17f1fdfa4add634f0bf2c2cd510e)
Signed-off-by: Sébastien Han
---
 group_vars/iscsi-gws.yml.sample | 3 ++
 roles/ceph-iscsi-gw/defaults/main.yml | 3 ++
 roles/ceph-iscsi-gw/tasks/deploy_ssl_keys.yml | 53 +++++++++++--------
 roles/ceph-iscsi-gw/tasks/generate_crt.yml | 33 ------------
 roles/ceph-iscsi-gw/tasks/main.yml | 6 ++-
 .../centos/7/cluster/group_vars/iscsi-gws | 1 +
 6 files changed, 43 insertions(+), 56 deletions(-)
 delete mode 100644 roles/ceph-iscsi-gw/tasks/generate_crt.yml
diff --git a/group_vars/iscsi-gws.yml.sample b/group_vars/iscsi-gws.yml.sample
index 8751f4215..620bb6b65 100644
--- a/group_vars/iscsi-gws.yml.sample
+++ b/group_vars/iscsi-gws.yml.sample
@@ -58,3 +58,6 @@ dummy:
 #client_connections: {}
+# Whether or not to generate secure certificate to iSCSI gateway nodes
+#generate_crt: False
+
diff --git a/roles/ceph-iscsi-gw/defaults/main.yml b/roles/ceph-iscsi-gw/defaults/main.yml
index 4d7966aa1..b440d5384 100644
--- a/roles/ceph-iscsi-gw/defaults/main.yml
+++ b/roles/ceph-iscsi-gw/defaults/main.yml
@@ -49,3 +49,6 @@ rbd_devices: {}
 # - { client: 'iqn.1991-05.com.microsoft:w2k12r2', image_list: 'rbd.ansible4', chap: 'w2k12r2/microsoft_w2k12', status: 'absent' }
 client_connections: {}
+
+# Whether or not to generate secure certificate to iSCSI gateway nodes
+generate_crt: False
diff --git a/roles/ceph-iscsi-gw/tasks/deploy_ssl_keys.yml b/roles/ceph-iscsi-gw/tasks/deploy_ssl_keys.yml
index 96de286f2..28795b686 100644
--- a/roles/ceph-iscsi-gw/tasks/deploy_ssl_keys.yml
+++ b/roles/ceph-iscsi-gw/tasks/deploy_ssl_keys.yml
@@ -2,10 +2,10 @@
 - name: set_fact crt_files
 set_fact:
 crt_files:
- - "/etc/ceph/iscsi-gateway.crt"
- - "/etc/ceph/iscsi-gateway.key"
- - "/etc/ceph/iscsi-gateway.pem"
- - "/etc/ceph/iscsi-gateway-pub.key"
+ - "iscsi-gateway.crt"
+ - "iscsi-gateway.key"
+ - "iscsi-gateway.pem"
+ - "iscsi-gateway-pub.key"
 - name: stat for crt file(s)
 local_action:
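Review bot: The comment on the new `generate_crt` default says only that a certificate is generated, while the tasks it gates (deploy_ssl_keys.yml) generate a self-signed key pair on the Ansible controller under `{{ fetch_directory }}/{{ fsid }}` and copy it to every gateway; an operator setting it to `False` is not told that this role then deploys no TLS material at all, and whether the gateway API still expects `/etc/ceph/iscsi-gateway.*` in that case is not visible here. I would expand the comment to `# Generate a self-signed certificate/key pair on the Ansible controller (kept under fetch_directory) and copy it to /etc/ceph on every iSCSI gateway node; when False this role deploys no TLS files`, and mirror the wording in the commented copy in group_vars/iscsi-gws.yml.sample. As a point of style, `False` here and `True` in the tests group_vars would be better written `false`/`true`, which is what yamllint's truthy rule accepts.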
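Review bot: Dropping the `/etc/ceph/` prefix from `crt_files` changes where the `stat for crt file(s)` task looks for the controller-side copies, and that task starts at the end of this hunk but its `path:` lies outside it. The removed `fetch` task in generate_crt.yml stored the files with `flat: yes` at `{{ fetch_directory }}/{{ fsid }}/{{ item }}` using the absolute item, i.e. under a nested `etc/ceph/` directory, so on an existing deployment the stat will presumably report all four files missing and the new code will generate and push a fresh key pair over the certificate the gateways already serve. A one-time move of the old files, or at least a sentence in the commit message about the relocation, would make that upgrade effect explicit.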
@@ -17,25 +17,36 @@
 always_run: true
 register: crt_files_exist
-- name: try to fetch crt file(s)
+- name: create ssl crt/key files
+ local_action:
+ module: shell openssl req -newkey rsa:2048 -nodes -keyout {{ fetch_directory }}/{{ fsid }}/iscsi-gateway.key -x509 -days 365 -out {{ fetch_directory }}/{{ fsid }}/iscsi-gateway.crt -subj "/C=US/ST=./L=./O=RedHat/OU=Linux/CN={{ ansible_hostname }}"
+ run_once: True
+ with_items: "{{ crt_files_exist.results }}"
+ when:
+ - item.stat.exists == false
+
+- name: create pem
+ local_action:
+ module: shell cat {{ fetch_directory }}/{{ fsid }}/iscsi-gateway.crt {{ fetch_directory }}/{{ fsid }}/iscsi-gateway.key > {{ fetch_directory }}/{{ fsid }}/iscsi-gateway.pem
+ run_once: True
+ register: pem
+ with_items: "{{ crt_files_exist.results }}"
+ when:
+ - item.stat.exists == false
+
+- name: create public key from pem
+ local_action:
+ module: shell openssl x509 -inform pem -in {{ fetch_directory }}/{{ fsid }}/iscsi-gateway.pem -pubkey -noout > {{ fetch_directory }}/{{ fsid }}/iscsi-gateway-pub.key
+ run_once: True
+ when:
+ - pem.changed
+
+- name: copy crt file(s) to gateway nodes
 copy:
- src: "{{ fetch_directory }}/{{ fsid }}/{{ item.0 }}"
- dest: "{{ item.0 }}"
+ src: "{{ fetch_directory }}/{{ fsid }}/{{ item }}"
+ dest: "/etc/ceph/{{ item }}"
 owner: root
 group: root
 mode: 0400
 changed_when: false
- with_together:
- - "{{ crt_files }}"
- - "{{ crt_files_exist.results }}"
- when: item.1.stat.exists == true
-
-- name: set_fact generate_crt
- set_fact:
- generate_crt: true
- with_items: "{{ crt_files_exist.results }}"
- when: item.stat.exists == false
-
-- name: include generate_crt.yml
- include: generate_crt.yml
- when: generate_crt|default(false)|bool
+ with_items: "{{ crt_files }}"
diff --git a/roles/ceph-iscsi-gw/tasks/generate_crt.yml b/roles/ceph-iscsi-gw/tasks/generate_crt.yml
deleted file mode 100644
index 067e631de..000000000
--- a/roles/ceph-iscsi-gw/tasks/generate_crt.yml
+++ /dev/null
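Review bot: The private key material written on the Ansible controller is left at umask-default permissions: `create pem` and `create public key from pem` produce their files through shell redirection (`> {{ fetch_directory }}/{{ fsid }}/iscsi-gateway.pem`), and nothing in the hunk sets a mode on the files under `{{ fetch_directory }}/{{ fsid }}` — the `copy` task's `mode: 0400` applies only on the gateways, and the old `lock ssl file access to root only` task went away with generate_crt.yml. A local `file` task over `crt_files`, placed before the copy task as below, closes that gap. Separately, `when: - item.stat.exists == false` is evaluated once per stat result, so a single missing file such as `iscsi-gateway-pub.key` re-runs `openssl req` and replaces a key/cert pair the gateways may already be using; how `crt_files_exist` is populated depends on the `stat for crt file(s)` task, which starts outside this hunk. The certificate also carries only `CN={{ ansible_hostname }}` of whichever host the `run_once` task executed for, yet it is copied to every gateway, so hostname verification will presumably fail on the other nodes unless a subjectAltName covering all gateways is added.
```yaml
# … unchanged: create ssl crt/key files, create pem, create public key from pem …
- name: restrict controller-side crt/key file permissions
  local_action:
    module: file
    path: "{{ fetch_directory }}/{{ fsid }}/{{ item }}"
    mode: "0600"
  run_once: True
  with_items: "{{ crt_files }}"
# … unchanged: copy crt file(s) to gateway nodes …
```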
@@ -1,33 +0,0 @@
----
-- name: create ssl crt/key files
- shell: |
- openssl req -newkey rsa:2048 -nodes -keyout /etc/ceph/iscsi-gateway.key -x509 -days 365 -out /etc/ceph/iscsi-gateway.crt -subj "/C=US/ST=./L=./O=RedHat/OU=Linux/CN={{ ansible_hostname }}"
- run_once: True
-
-- name: create pem
- shell: |
- cat /etc/ceph/iscsi-gateway.crt /etc/ceph/iscsi-gateway.key > /etc/ceph/iscsi-gateway.pem
- run_once: True
- register: pem
-
-- name: create public key from pem
- shell: |
- openssl x509 -inform pem -in /etc/ceph/iscsi-gateway.pem -pubkey -noout > /etc/ceph/iscsi-gateway-pub.key
- run_once: True
- when:
- - pem.changed
-
-- name: lock ssl file access to root only
- file:
- path: "{{ item }}"
- mode: 0400
- owner: root
- group: root
- with_items: "{{ crt_files }}"
-
-- name: copy crt(s) to the ansible server
- fetch:
- src: "{{ item }}"
- dest: "{{ fetch_directory }}/{{ fsid }}/{{ item }}"
- flat: yes
- with_items: "{{ crt_files }}"
diff --git a/roles/ceph-iscsi-gw/tasks/main.yml b/roles/ceph-iscsi-gw/tasks/main.yml
index d2bf4ab07..aab119900 100644
--- a/roles/ceph-iscsi-gw/tasks/main.yml
+++ b/roles/ceph-iscsi-gw/tasks/main.yml
@@ -5,7 +5,7 @@
 when:
 - containerized_deployment
-- name: check_mandatory_vars.yml
+- name: include check_mandatory_vars.yml
 include: check_mandatory_vars.yml
 - name: include prerequisites.yml
@@ -16,6 +16,8 @@
 # the API for https support.
 - name: include deploy_ssl_keys.yml
 include: deploy_ssl_keys.yml
+ when:
+ - generate_crt|bool
-- name: configure_iscsi.yml
+- name: include configure_iscsi.yml
 include: configure_iscsi.yml
diff --git a/tests/functional/centos/7/cluster/group_vars/iscsi-gws b/tests/functional/centos/7/cluster/group_vars/iscsi-gws
index f08f50a87..f5b41fc3f 100644
--- a/tests/functional/centos/7/cluster/group_vars/iscsi-gws
+++ b/tests/functional/centos/7/cluster/group_vars/iscsi-gws
@@ -1,2 +1,3 @@
 ---
 gateway_ip_list: 192.168.1.90
+generate_crt: True
-- 2.39.5
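Review bot: Gating the whole `deploy_ssl_keys.yml` include on `generate_crt|bool` also skips the `set_fact crt_files` task defined in that file, so any later task in this role that references `crt_files` (configure_iscsi.yml is included right after, but its content is not visible here) would hit an undefined variable when `generate_crt` is `False`; if nothing else reads it this is fine, otherwise that `set_fact` belongs outside the gated include. The context comment `# the API for https support.` above the include could also state what the gateway API is expected to do when no certificate is deployed, e.g. `# When generate_crt is false no certificate is deployed by this role; the API is then expected to be configured without https or with operator-provided files in /etc/ceph`.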