From cffe8f8cb0b29906c27c3b644a1865bf8b73b9ea Mon Sep 17 00:00:00 2001
From: Seunghun Lee
Date: Tue, 17 Jun 2025 11:58:53 +0100
Subject: [PATCH] Add proxysql cert generation

---
 .../ansible/openbao-generate-internal-tls.yml | 35 +++++++++++++++++++
 .../ansible/vault-generate-internal-tls.yml | 35 +++++++++++++++++++
 2 files changed, 70 insertions(+)

diff --git a/etc/kayobe/ansible/openbao-generate-internal-tls.yml b/etc/kayobe/ansible/openbao-generate-internal-tls.yml
index 2cc9e841a..d96b9f2bd 100644
--- a/etc/kayobe/ansible/openbao-generate-internal-tls.yml
+++ b/etc/kayobe/ansible/openbao-generate-internal-tls.yml
@@ -54,3 +54,38 @@
         dest: "{{ kayobe_env_config_path }}/kolla/certificates/ca/openbao.crt"
         mode: "0600"
       delegate_to: localhost
+
+# NOTE(seunghun1ee): Kolla Ansible reuses internal TLS certificate when
+# creating certificate for proxysql
+# https://opendev.org/openstack/kolla-ansible/src/branch/stable/2025.1/ansible/roles/certificates/tasks/generate.yml#L169-L183
+    - name: Generate ProxySQL certificates
+      when: kolla_enable_proxysql
+      block:
+        - name: Copy ProxySQL certificate
+          no_log: true
+          ansible.builtin.copy:
+            dest: "{{ kayobe_env_config_path }}/kolla/certificates/proxysql-cert.pem"
+            content: |
+              {{ internal_cert.data.certificate }}
+              {{ internal_cert.data.issuing_ca }}
+            mode: "0600"
+          delegate_to: localhost
+
+        - name: Copy ProxySQL certificate key
+          no_log: true
+          ansible.builtin.copy:
+            dest: "{{ kayobe_env_config_path }}/kolla/certificates/proxysql-key.pem"
+            content: |
+              {{ internal_cert.data.private_key }}
+            mode: "0600"
+          delegate_to: localhost
+
+# NOTE(seunghun1ee): ProxySQL only expects root CA to be named ``root.crt`` because of
+# https://opendev.org/openstack/kolla-ansible/src/branch/stable/2025.1/ansible/roles/loadbalancer/templates/proxysql/proxysql.json.j2#L36
+# Make a duplicate of ``openbao.crt`` named ``root.crt``
+    - name: Copy root CA for ProxySQL
+      ansible.builtin.copy:
+        src: "{{ kayobe_env_config_path }}/openbao/OS-TLS-ROOT.pem"
+        dest: "{{ kayobe_env_config_path }}/kolla/certificates/ca/root.crt"
+        mode: "0600"
+      delegate_to: localhost
diff --git a/etc/kayobe/ansible/vault-generate-internal-tls.yml b/etc/kayobe/ansible/vault-generate-internal-tls.yml
index a585d1bc9..3095b6615 100644
--- a/etc/kayobe/ansible/vault-generate-internal-tls.yml
+++ b/etc/kayobe/ansible/vault-generate-internal-tls.yml
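Review bot: The `Copy root CA for ProxySQL` task at the end of the hunk has no `when: kolla_enable_proxysql`, while the two tasks that write the ProxySQL certificate and key sit inside a block guarded by exactly that condition; as written, `kolla/certificates/ca/root.crt` is created on every run, including deployments with ProxySQL disabled. Since the NOTE above the task ties the file to ProxySQL, either move the task into the guarded block or add `when: kolla_enable_proxysql` to it so the Kolla CA directory only receives what the deployment uses. Separately, `no_log: true` on `Copy ProxySQL certificate` hides only public material (the certificate and issuing CA) and so mainly costs diagnostics on failure; the key copy is where it is needed. The same structure appears in the vault-generate-internal-tls.yml hunk that follows, and the enclosing play and its `tasks:` list begin outside both hunks.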
@@ -54,3 +54,38 @@
         dest: "{{ kayobe_env_config_path }}/kolla/certificates/ca/vault.crt"
         mode: "0600"
       delegate_to: localhost
+
+# NOTE(seunghun1ee): Kolla Ansible reuses internal TLS certificate when
+# creating certificate for proxysql
+# https://opendev.org/openstack/kolla-ansible/src/branch/stable/2025.1/ansible/roles/certificates/tasks/generate.yml#L169-L183
+    - name: Generate ProxySQL certificates
+      when: kolla_enable_proxysql
+      block:
+        - name: Copy ProxySQL certificate
+          no_log: true
+          ansible.builtin.copy:
+            dest: "{{ kayobe_env_config_path }}/kolla/certificates/proxysql-cert.pem"
+            content: |
+              {{ internal_cert.data.certificate }}
+              {{ internal_cert.data.issuing_ca }}
+            mode: "0600"
+          delegate_to: localhost
+
+        - name: Copy ProxySQL certificate key
+          no_log: true
+          ansible.builtin.copy:
+            dest: "{{ kayobe_env_config_path }}/kolla/certificates/proxysql-key.pem"
+            content: |
+              {{ internal_cert.data.private_key }}
+            mode: "0600"
+          delegate_to: localhost
+
+# NOTE(seunghun1ee): ProxySQL only expects root CA to be named ``root.crt`` because of
+# https://opendev.org/openstack/kolla-ansible/src/branch/stable/2025.1/ansible/roles/loadbalancer/templates/proxysql/proxysql.json.j2#L36
+# Make a duplicate of ``vault.crt`` named ``root.crt``
+    - name: Copy root CA for ProxySQL
+      ansible.builtin.copy:
+        src: "{{ kayobe_env_config_path }}/vault/OS-TLS-ROOT.pem"
+        dest: "{{ kayobe_env_config_path }}/kolla/certificates/ca/root.crt"
+        mode: "0600"
+      delegate_to: localhost