ovirt_ansible_engine_ssl

set up SSL for oVirt engine

This role sets up TLS certificates for httpd, ovirt-imageio-proxy and ovirt-websockets-proxy on ovirt-engine machine:

httpd's mod_ssl is configured always
ovirt-imageio-proxy is configured only if it's configuration file is present
ovirt-websocket-proxy is configured always (configuration file 99-ssl.conf containing just key and certificate paths is dropped to configuration directory)

Limitation: the role doesn't deal with different configurations for different virtual hosts in ssl.conf.

Services are restarted when they are known on the system and enabled no matter if they are running or not.

Requirements

PEM-encoded key and certificate files have to be present in the system. Certificate of httpd certificate issuer or any CA up the chain has to be either in the system trustore or specified as a contents of optional httpd_ca_cert variable.

Role Variables

Name	Required	Description, Default
`httpd_key_file`	Required	File with PEM-encoded private key with no encryption. Default: UNDEF
`httpd_cert_file`	Required	File with PEM-encoded certificate. For httpd ≥ 2.4.8, it should also contain intermediate CA certificates Default: UNDEF
`httpd_cert_chain_file`	Optional	certificate chain between httpd certificate and trusted CA. Required to be separate in httpd < 2.4.8 where `SSLCertificateChainFile` became obsolete. When omitted on system with httpd < 2.4.8, lines with `SSLCertificateChainFile` will get commented out Default: UNDEF
`httpd_ca_cert`	Optional	PEM-encoded certificate of CA issuing `httpd` certificate or up the chain Default: UNDEF
`httpd_ca_keystore_path`	Optional	Key store to hold the certificate from `httpd_ca_cert` variable Default: `/etc/pki/ovirt-engine/external_ca.jks`
`httpd_ca_keystore_password`	Optional	Password for key store Default: `changeit`
`httpd_ssl_protocol`	Optional	Line specifying TLS protocols in `ssl.conf`. Default is unspecified for systems with `crypto-policies` package or TLS 1.2+ for systems without it Default: UNDEF or `SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1`

Dependencies

None.

Example Playbook

---
- hosts: engines
  vars:
    httpd_key_file: /etc/pki/tls/private/localhost.key
    httpd_cert_file: /etc/pki/tls/certs/localhost.crt
    # When we don't want engine to trust all the default CAs, just the issuer
    # of the httpd certificate
    httpd_ca_cert: |
      -----BEGIN CERTIFICATE-----
      MII.....
      -----END CERTIFICATE-----
    tasks:
      - name: setup/update ovirt-engine
        ...

      - name: set up TLS for engine services
        import_role: djasa.ovirt-ansible-engine-ssl

About

Configure externally-issued TLS certificate for oVirt Engine

role aaa ovirt rhev rhv

Install

ansible-galaxy install djasa/ovirt-ansible-engine-ssl

GitHub repository

0 stars

1 forks

0 open issues

License

Unknown

Downloads

Owner

David Jaša