From b69f2bdaa36a5423ae488514909be44cb96e2c83 Mon Sep 17 00:00:00 2001 From: technowhizz <7688823+technowhizz@users.noreply.github.com> Date: Thu, 12 Dec 2024 22:53:21 +0000 Subject: [PATCH 1/2] INFRA-839 Add config for pulp TLS Add playbooks, config & docs for enabling pulp tls with vault --- doc/source/configuration/vault.rst | 25 +++++++++ etc/kayobe/ansible/copy-ca-to-hosts.yml | 29 ++++++++++ .../ansible/vault-generate-pulp-tls.yml | 53 +++++++++++++++++++ etc/kayobe/pulp.yml | 4 +- .../notes/pulp-tls-105e47f0da602a25.yaml | 6 +++ 5 files changed, 115 insertions(+), 2 deletions(-) create mode 100644 etc/kayobe/ansible/copy-ca-to-hosts.yml create mode 100644 etc/kayobe/ansible/vault-generate-pulp-tls.yml create mode 100644 releasenotes/notes/pulp-tls-105e47f0da602a25.yaml diff --git a/doc/source/configuration/vault.rst b/doc/source/configuration/vault.rst index 893af246c..660e8a48d 100644 --- a/doc/source/configuration/vault.rst +++ b/doc/source/configuration/vault.rst 
@@ -298,6 +298,31 @@ Enable the required TLS variables in kayobe and kolla
 kayobe overcloud host command run --command "systemctl restart kolla-nova_compute-container.service" --become --show-output -l compute
+Pulp TLS with Vault
+===================
+To enable tls for pulp using vault generated certificates, we first need to generate the certificates using vault and then configure the seed + seed-hypervisor + overcloud nodes to add the root CA to their trust.
+
+1. Run the playbook which will generate the certificates and add the root CA to the seed + seed-hypervisor + overcloud nodes
+
+ .. code-block::
+
+ kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/vault-generate-pulp-tls.yml
+
+2. Next, enable tls for pulp in pulp.yml
+
+ .. code-block::
+
+ # Whether to enable TLS for Pulp.
+ pulp_enable_tls: true
+
+3. Redeploy pulp
+
+ .. code-block::
+
+ kayobe seed service reconfigure -t seed-deploy-containers
+
+You should now have pulp running with tls enabled using the certificates generated by vault.
+
 Barbican integration
 ====================
diff --git a/etc/kayobe/ansible/copy-ca-to-hosts.yml b/etc/kayobe/ansible/copy-ca-to-hosts.yml
new file mode 100644
index 000000000..eaf1e272c
--- /dev/null
+++ b/etc/kayobe/ansible/copy-ca-to-hosts.yml
@@ -0,0 +1,29 @@
+---
+- name: Copy CA certificate and update trust
+ hosts: overcloud:seed:seed-hypervisor
+ become: true
+ vars:
+ cert_path: "{{ kayobe_env_config_path }}/vault/OS-TLS-ROOT.pem"
+
+ tasks:
+ - name: Copy certificate on RedHat family systems (Rocky, RHEL, CentOS)
+ copy:
+ src: "{{ cert_path }}"
+ dest: "/etc/pki/ca-trust/source/anchors/OS-TLS-ROOT.pem"
+ mode: "0644"
+ when: ansible_facts.os_family == 'RedHat'
+
+ - name: Update CA trust on RedHat family systems
+ command: "update-ca-trust"
+ when: ansible_facts.os_family == 'RedHat'
+
+ - name: Copy certificate on Debian family systems (Ubuntu, Debian)
+ copy:
+ src: "{{ cert_path }}"
+ dest: "/usr/local/share/ca-certificates/OS-TLS-ROOT.crt"
+ mode: "0644"
+ when: ansible_facts.os_family == 'Debian'
+
+ - name: Update CA trust on Debian family systems
+ command: "update-ca-certificates"
+ when: ansible_facts.os_family == 'Debian'
diff --git a/etc/kayobe/ansible/vault-generate-pulp-tls.yml b/etc/kayobe/ansible/vault-generate-pulp-tls.yml
new file mode 100644
index 000000000..855639053
--- /dev/null
+++ b/etc/kayobe/ansible/vault-generate-pulp-tls.yml
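Review bot: The two `command:` tasks (`update-ca-trust` and `update-ca-certificates`) run on every play regardless of whether the preceding `copy:` task changed anything, so the play is never idempotent and always reports changed on every host in `overcloud:seed:seed-hypervisor`. Registering the copy result and gating the command on it limits the trust-store rebuild to real changes, e.g. `register: ca_copy` on each copy task and `when: ansible_facts.os_family == 'RedHat' and ca_copy is changed` on the matching command (same for the Debian pair), or a handler notified by the copy. It is also worth a comment at the top of the play stating that this installs the Vault root CA into the system-wide trust store of every listed host, so anything signed by that CA becomes trusted by all TLS clients on those hosts, not only Pulp clients.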
@@ -0,0 +1,53 @@
+---
+- name: Generate TLS certificate for pulp
+ hosts: controllers
+ run_once: true
+ vars:
+ vault_api_addr: "https://{{ internal_net_name | net_ip(groups['controllers'][0]) }}:8200"
+ vault_intermediate_ca_name: "OS-TLS-INT"
+ tasks:
+ - name: Include Vault keys
+ include_vars:
+ file: "{{ kayobe_env_config_path }}/vault/overcloud-vault-keys.json"
+ name: vault_keys
+
+ - name: Issue a certificate for pulp TLS
+ hashivault_pki_cert_issue:
+ url: "{{ vault_api_addr }}"
+ ca_cert: "{{ '/etc/pki/tls/certs/ca-bundle.crt' if ansible_facts.os_family == 'RedHat' else '/usr/local/share/ca-certificates/OS-TLS-ROOT.crt' }}"
+ token: "{{ vault_keys.root_token }}"
+ mount_point: "{{ vault_intermediate_ca_name }}"
+ role: "{{ overcloud_vault_pki_internal_tls_role_name }}"
+ common_name: ""
+ verify: false
+ extra_params:
+ ip_sans: "{{ lookup('vars', admin_oc_net_name ~ '_ips')[groups.seed.0] }}"
+ register: pulp_cert
+ environment:
+ https_proxy: ''
+
+ - name: Ensure pulp certificates directory exists
+ file:
+ path: "{{ kayobe_env_config_path }}/pulp/certificates"
+ state: directory
+ delegate_to: localhost
+
+ - name: Copy pulp TLS certificate (including intermediate)
+ no_log: true
+ copy:
+ dest: "{{ kayobe_env_config_path }}/pulp/certificates/pulp.crt"
+ content: |
+ {{ pulp_cert.data.certificate }}
+ {{ pulp_cert.data.issuing_ca }}
+ mode: 0600
+ delegate_to: localhost
+
+ - name: Copy pulp private key
+ no_log: true
+ copy:
+ dest: "{{ kayobe_env_config_path }}/pulp/certificates/pulp.key"
+ content: "{{ pulp_cert.data.private_key }}"
+ mode: 0600
+ delegate_to: localhost
+
+- import_playbook: copy-ca-to-hosts.yml
diff --git a/etc/kayobe/pulp.yml b/etc/kayobe/pulp.yml
index aa3c63d01..4b353ed1a 100644
--- a/etc/kayobe/pulp.yml
+++ b/etc/kayobe/pulp.yml
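Review bot: The `hashivault_pki_cert_issue` task sets `verify: false`, so the Vault root token loaded from `overcloud-vault-keys.json` is sent to `vault_api_addr` without the server certificate being checked; that makes the `ca_cert:` argument above it redundant and means the token is only as safe as the network path to port 8200. If the motivation is that the root CA is not yet in the controllers' trust store on the first run, it looks possible to `import_playbook: copy-ca-to-hosts.yml` before this play rather than after it (it only needs the `vault/OS-TLS-ROOT.pem` file this play already assumes exists), and then drop `verify: false`; a token scoped to the PKI role rather than `root_token` would also reduce what this task can do. The same task returns `data.private_key` into `pulp_cert` but has no `no_log: true`, so a failure or a verbose run prints the key, whereas the two copy tasks below do set it. `mode: 0600` on those two copy tasks is an unquoted octal that YAML 1.1 parses as integer 384, which only happens to equal 0o600 — write `mode: "0600"` to match `mode: "0644"` in copy-ca-to-hosts.yml.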
@@ -14,10 +14,10 @@ pulp_port: "{{ '443' if pulp_enable_tls | bool else '80' }}" pulp_enable_tls: false # Path to a TLS certificate to use when TLS is enabled. -#pulp_cert_path: +pulp_cert_path: "{{ kayobe_env_config_path ~ '/pulp/certificates/pulp.crt' if pulp_enable_tls | bool else '' }}" # Path to a TLS key to use when TLS is enabled. -#pulp_key_path: +pulp_key_path: "{{ kayobe_env_config_path ~ '/pulp/certificates/pulp.key' if pulp_enable_tls | bool else '' }}" ############################################################################### # Local Pulp access credentials diff --git a/releasenotes/notes/pulp-tls-105e47f0da602a25.yaml b/releasenotes/notes/pulp-tls-105e47f0da602a25.yaml new file mode 100644 index 000000000..ed34e0f8b --- /dev/null +++ b/releasenotes/notes/pulp-tls-105e47f0da602a25.yaml @@ -0,0 +1,6 @@ +--- +features: + - | + Playbooks have been added to allow for the configuration of Pulp with TLS + using certificates generated from vault. Instructions have been added to + the docs. From c23938700a0991b4dce0992675a7a9aae59211a5 Mon Sep 17 00:00:00 2001 From: Dawud <7688823+technowhizz@users.noreply.github.com> Date: Fri, 13 Dec 2024 11:06:40 +0000 Subject: [PATCH 2/2] Update doc/source/configuration/vault.rst Dont start bifrost playbooks when deploying pulp tls Co-authored-by: Matt Crees --- doc/source/configuration/vault.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/source/configuration/vault.rst b/doc/source/configuration/vault.rst index 660e8a48d..12fcbef50 100644 --- a/doc/source/configuration/vault.rst +++ b/doc/source/configuration/vault.rst @@ -319,7 +319,7 @@ To enable tls for pulp using vault generated certificates, we first need to gene .. code-block:: - kayobe seed service reconfigure -t seed-deploy-containers + kayobe seed service reconfigure -t seed-deploy-containers -kt none You should now have pulp running with tls enabled using the certificates generated by vault.
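Review bot: The new `pulp_cert_path` and `pulp_key_path` defaults depend on the layout written by `ansible/vault-generate-pulp-tls.yml`, but the comments above them still say only `# Path to a TLS certificate to use when TLS is enabled.`, so a reader of pulp.yml alone cannot tell where the files are expected to come from. Suggest extending each comment along the lines of `# Defaults to the certificate written by ansible/vault-generate-pulp-tls.yml when pulp_enable_tls is true.` Note also that the variables now evaluate to an empty string when TLS is disabled instead of being undefined as the commented-out `#pulp_cert_path:` left them; if the consuming role tests them with `is defined` rather than by truthiness, that changes behaviour and is worth checking.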