[ English | English (United Kingdom) | español | Deutsch | Indonesia | русский | français ]
Mengamankan layanan dengan sertifikat SSL¶
OpenStack Security Guide merekomendasikan untuk menyediakan komunikasi yang aman antara berbagai layanan dalam penyebaran OpenStack. Proyek OpenStack-Ansible saat ini menawarkan kemampuan untuk mengonfigurasi sertifikat SSL untuk komunikasi aman antara layanan:
All public endpoints reside behind haproxy, resulting in the only certificate management for externally visible https services are those for haproxy. Certain internal services such as RabbitMQ also require proper SSL configuration.
Saat menggunakan dengan OpenStack-Ansible, Anda bisa menggunakan sertifikat yang ditandatangani sendiri yang dihasilkan selama proses penyebaran atau memberikan sertifikat SSL, kunci, dan sertifikat CA dari otoritas sertifikat tepercaya Anda sendiri. Lingkungan yang sangat aman menggunakan sertifikat terpercaya, user-provided (disediakan pengguna) untuk sebanyak mungkin layanan.
Catatan
Lakukan semua konfigurasi sertifikat SSL dalam file /etc/openstack_deploy/user_variables.yml
. Jangan mengedit playbook atau role itu sendiri.
Openstack-Ansible uses an ansible role ansible_role_pki as a general tool to manage and install self-signed and user provided certificates.
Catatan
The openstack-ansible example configurations are designed to be minimal
examples and in test or development use-cases will set external_lb_vip_address
to the IP address of the haproxy external endpoint. For a production
deployment it is advised to set external_lb_vip_address
to be
the FQDN which resolves via DNS to the IP of the external endpoint.
Sertifikat yang ditandatangani sendiri (self-signed certificate)¶
Self-signed certificates enable you to start quickly and encrypt data in transit. However, they do not provide a high level of trust for public endpoints in highly secure environments. By default, self-signed certificates are used in OpenStack-Ansible. When self-signed certificates are used, certificate verification is automatically disabled.
Self-signed certificates can play an important role in securing internal services within the Openstack-Ansible deployment, as they can only be issued by the private CA associated with the deployment. Using mutual TLS between backend services such as RabbitMQ and MariaDB with self-signed certificates and a robust CA setup can ensure that only correctly authenticated clients can connect to these internal services.
Membuat dan membuat ulang sertifikat yang ditandatangani sendiri (self-signed certificate)¶
Sertifikat yang ditandatangani sendiri dibuat untuk setiap layanan selama menjalankan pertama dari playbook.
To regenerate a new self-signed certificate for a service, you must set
the <servicename>_pki_regen_cert
variable to true in one of the
following ways:
Untuk memaksa sertifikat yang ditandatangani sendiri untuk dibuat ulang, Anda bisa meneruskan variabel ke
openstack-ansible
pada baris perintah:# openstack-ansible -e "haproxy_pki_regen_cert=true" haproxy-install.yml
To force a self-signed certificate to regenerate with every playbook run, set the appropriate regeneration option to
true
. For example, if you have already run thehaproxy
playbook, but you want to regenerate the self-signed certificate, set thehaproxy_pki_regen_cert
variable totrue
in the/etc/openstack_deploy/user_variables.yml
file:haproxy_pki_regen_cert: true
Generating and regenerating self-signed user certificates¶
Self-signed user certificates are generated but not installed for services outside of Openstack ansible. These user certificates are signed by the same self-signed certificate authority as is used by openstack services but are intended to be used by user applications.
To generate user certificates, define a variable with the prefix
user_pki_certificates_
in the /etc/openstack_deploy/user_variables.yml
file.
Example
user_pki_certificates_example:
- name: "example"
provider: ownca
cn: "example.com"
san: "DNS:example.com,IP:x.x.x.x"
signed_by: "{{ openstack_pki_service_intermediate_cert_name }}"
key_usage:
- digitalSignature
- keyAgreement
extended_key_usage:
- serverAuth
Generate the certificate with the following command:
# openstack-ansible certificate-generate.yml
To regenerate a new self-signed certificate for a service, you must set
the user_pki_regen_cert
variable to true in one of the
following ways:
Untuk memaksa sertifikat yang ditandatangani sendiri untuk dibuat ulang, Anda bisa meneruskan variabel ke
openstack-ansible
pada baris perintah:# openstack-ansible -e "user_pki_regen_cert=true" certificate-generate.yml
To force a self-signed certificate to regenerate with every playbook run, set the
user_pki_regen_cert
variable totrue
in the/etc/openstack_deploy/user_variables.yml
file:user_pki_regen_cert: true
User-provided certificate (sertifikat yang disediakan pengguna)¶
Untuk kepercayaan tambahan di lingkungan yang sangat aman, Anda dapat memberikan sertifikat SSL, kunci, dan sertifikat CA Anda sendiri. Memperoleh sertifikat dari otoritas sertifikat tepercaya berada di luar ruang lingkup dokumen ini, tetapi bagian Certificate Management dari Linux Documentation Project menjelaskan cara membuat otoritas sertifikat Anda sendiri dan menandatangani sertifikat.
Gunakan proses berikut untuk menggunakan sertifikat SSL yang disediakan pengguna di OpenStack-Ansible:
Salin file sertifikat SSL, kunci, dan CA Anda ke host penyebaran.
Tentukan path ke sertifikat SSL, kunci, dan sertifikat CA Anda di file
/etc/openstack_deploy/user_variables.yml
.Jalankan playbook untuk layanan itu.
Contoh HAProxy¶
Variabel yang akan ditetapkan yang menyediakan jalur pada deployment node ke sertifikat untuk konfigurasi HAProxy adalah:
haproxy_user_ssl_cert: /etc/openstack_deploy/ssl/example.com.crt
haproxy_user_ssl_key: /etc/openstack_deploy/ssl/example.com.key
haproxy_user_ssl_ca_cert: /etc/openstack_deploy/ssl/ExampleCA.crt
Contoh RabbitMQ¶
Untuk menggunakan sertifikat yang disediakan pengguna untuk RabbitMQ, salin sertifikat ke host penyebaran, edit file /etc/openstack_deploy/user_variables.yml
dan tetapkan tiga variabel berikut:
rabbitmq_user_ssl_cert: /etc/openstack_deploy/ssl/example.com.crt
rabbitmq_user_ssl_key: /etc/openstack_deploy/ssl/example.com.key
rabbitmq_user_ssl_ca_cert: /etc/openstack_deploy/ssl/ExampleCA.crt
Kemudian, jalankan playbook untuk menerapkan sertifikat:
# openstack-ansible rabbitmq-install.yml
Playbook menyebarkan sertifikat SSL, kunci, dan sertifikat CA yang disediakan pengguna ke setiap container RabbitMQ.
Prosesnya identik untuk layanan lain. Ganti rabbitmq dalam variabel konfigurasi sebelumnya dengan horizon, haproxy, atau keystone, dan kemudian jalankan playbook untuk layanan itu untuk menggunakan sertifikat yang disediakan pengguna ke layanan tersebut.
Certbot certificates¶
The HAProxy ansible role supports using certbot to automatically deploy trusted SSL certificates for the public endpoint. Each HAProxy server will individually request a SSL certificate using certbot.
Certbot defaults to using LetsEncrypt as the Certificate Authority, other
Certificate Authorities can be used by setting the
haproxy_ssl_letsencrypt_certbot_server
variable in the
/etc/openstack_deploy/user_variables.yml
file:
haproxy_ssl_letsencrypt_certbot_server: "https://acme-staging-v02.api.letsencrypt.org/directory"
The http-01 type challenge is used by certbot to deploy certificates so it is required that the public endpoint is accessible directly by the Certificate Authority.
Deployment of certificates using LetsEncrypt has been validated for openstack-ansible using Ubuntu Focal. Other distributions should work but are not tested.
To deploy certificates with certbot, add the following to
/etc/openstack_deploy/user_variables.yml
to enable the
certbot function in the haproxy ansible role, and to
create a new backend service called certbot
to service
http-01 challenge requests.
haproxy_ssl: true
haproxy_ssl_letsencrypt_enable: True
haproxy_ssl_letsencrypt_install_method: "distro"
haproxy_ssl_letsencrypt_email: "email.address@example.com"
If you don't have horizon deployed, you will need to define dummy service that will listen on 80 and 443 ports and will be used for acme-challenge, whose backend is certbot on the haproxy host:
haproxy_extra_services:
# the external facing service which serves the apache test site, with a acl for LE requests
- service:
haproxy_service_name: certbot
haproxy_redirect_http_port: 80 #redirect port 80 to port ssl
haproxy_redirect_scheme: "https if !{ ssl_fc } !{ path_beg /.well-known/acme-challenge/ }" #redirect all non-ssl traffic to ssl except acme-challenge
haproxy_port: 443
haproxy_frontend_acls: "{{ haproxy_ssl_letsencrypt_acl }}" #use a frontend ACL specify the backend to use for acme-challenge
haproxy_ssl: True
haproxy_backend_nodes: #apache is running on locally on 127.0.0.1:80 serving a dummy site
- name: local-test-service
ip_addr: 127.0.0.1
haproxy_balance_type: http
haproxy_backend_port: 80
haproxy_backend_options:
- "httpchk HEAD /" # request to use for health check for the example service
TLS for Haproxy Internal VIP¶
As well as load balancing public endpoints, haproxy is also used to load balance internal connections.
By default, OpenStack-Ansible does not secure connections to the internal VIP.
To enable this you must set the following variables in the
/etc/openstack_deploy/user_variables.yml
file:
openstack_service_adminuri_proto: https
openstack_service_internaluri_proto: https
haproxy_ssl_all_vips: true
Run all playbooks to configure haproxy and openstack services.
When enabled haproxy will use the same TLS certificate on all interfaces (internal and external). It is not currently possible in OpenStack-Ansible to use different self-signed or user-provided TLS certificates on different haproxy interfaces.
The only way to use a different TLS certificates on the internal and external VIP is to use certbot.
Enabling TLS on the internal VIP for existing deployments will cause some downtime, this is because haproxy only listens on a single well known port for each OpenStack service and OpenStack services are configured to use http or https. This means once haproxy is updated to only accept HTTPS connections, the OpenStack services will stop working until they are updated to use HTTPS.
For this reason it is recommended that TLS for haproxy internal VIP on existing deployments is deployed at the same time as enabling TLS for Haproxy backends, as this may also cause downtime. For new deployments this should be enabled from the start.
TLS for Haproxy Backends¶
Securing the internal communications from haproxy to backend services is currently work in progress.
TLS for Live Migrations¶
Live migration of VM's using SSH is deprecated and the OpenStack Nova Docs recommends using the more secure native TLS method supported by QEMU. The default live migration method used by OpenStack-Ansible has been updated to use TLS migrations.
QEMU-native TLS requires all compute hosts to accept TCP connections on port 16514 and port range 49152 to 49261.
It is not possible to have a mixed estate of some compute nodes using SSH and some using TLS for live migrations, as this would prevent live migrations between the compute nodes.
There are no issues enabling TLS live migration during an OpenStack upgrade, as long as you do not need to live migrate instances during the upgrade. If you you need to live migrate instances during an upgrade, enable TLS live migrations before or after the upgrade.
To force the use of SSH instead of TLS for live migrations you must set the
nova_libvirtd_listen_tls
variable to 0
in the
/etc/openstack_deploy/user_variables.yml
file:
nova_libvirtd_listen_tls: 0
TLS for VNC¶
When using VNC for console access there are 3 connections to secure, client to haproxy, haproxy to noVNC Proxy and noVNC Proxy to Compute nodes. The OpenStack Nova Docs for remote console access cover console security in much more detail.
In OpenStack-Ansible TLS to haproxy is configured in haproxy, TLS from haproxy to noVNC is not currently enabled and TLS from nVNC to Compute nodes is enabled by default.
Changes will not apply to any existing running guests on the compute node, so this configuration should be done before launching any instances. For existing deployments it is recommended that you migrate instances off the compute node before enabling.
To help with the transition from unencrypted VNC to VeNCrypt, initially noVNC proxy auth scheme allows for both encrypted and unencrypted sessions using the variable nova_vencrypt_auth_scheme. This will be restricted to VeNCrypt only in future versions of OpenStack-Ansible.
nova_vencrypt_auth_scheme: "vencrypt,none"
To not encrypt data from noVNC proxy to Compute nodes you must set the
nova_qemu_vnc_tls
variable to 0
in the
/etc/openstack_deploy/user_variables.yml
file:
nova_qemu_vnc_tls: 0