TLS Everywhere adoption #331

Merged Apr 19, 2024 (30 commits)
63c70b4  Update node hostname  (fao89, Apr 3, 2024)
7d75d3e  TLS Everywhere adoption documentation  (xek, Mar 6, 2024)
f0190a8  Add information on how to migrate IPA CA cert  (Mar 8, 2024)
72c4822  Update the documentation to be less verbose  (xek, Mar 12, 2024)
a5e1a54  Add TLS adoption tests  (xek, Mar 12, 2024)
8416f61  Update documentation with disabling certmonger on computes  (Mar 13, 2024)
7be769c  Add enable_tlse variable in tests  (xek, Mar 13, 2024)
41c9d70  Enable TLS-E on EDPM  (xek, Mar 15, 2024)
82dbed9  Set the private key length from IPA  (xek, Mar 15, 2024)
7d3a7f5  Add the issuer label used by EDPM  (xek, Mar 15, 2024)
db33a9b  Apply new openstack-operator config  (xek, Mar 20, 2024)
abab4a3  Use TLS for OVN adoption if it is enabled  (xek, Mar 20, 2024)
6566b6e  Adjust standalone fqdn  (xek, Mar 21, 2024)
27ea5f1  Add tlsCert conf to osdpd  (xek, Mar 21, 2024)
7f81770  Further EDPM adjustments for TLS-E  (xek, Mar 21, 2024)
6aebc14  Update OVN user documentation with TLS-e  (afaranha, Mar 25, 2024)
2087076  Reapply review comment changes  (vakwetu, Apr 1, 2024)
10653e1  Update OVN user documentation with TLS-e  (xek, Mar 25, 2024)
695f665  Test stopping certmonger  (xek, Apr 2, 2024)
c13cb2a  Disable TLS-E by default  (xek, Apr 4, 2024)
700f0df  Add note about the need to restart  (xek, Apr 8, 2024)
0d720d9  Fix failure when enable_tlse is not defined  (xek, Apr 9, 2024)
b5be0c1  Fall back to standalone.localdomain  (xek, Apr 11, 2024)
339602e  Update doc to run env with TLS enabled  (afaranha, Apr 11, 2024)
41c8f9e  Add missing variable computes  (xek, Apr 15, 2024)
4ace621  Add customIssuer to documentation  (xek, Apr 16, 2024)
f45d2d9  Update the ToC and TLS section  (xek, Apr 17, 2024)
b6ac7fb  Add dataplane tls configuration  (xek, Apr 19, 2024)
0c64ab6  Update 'Stop and disable certmonger' script  (afaranha, Apr 17, 2024)
9244ea3  Minor documentation wording adjustments  (xek, Apr 17, 2024)
2 changes: 2 additions & 0 deletions .gitignore
Expand Up @@ -2,6 +2,7 @@
/docs_build
/Gemfile.lock
/local
/tests/config/base/tls_overrides.yaml
/tests/config/tmp
/tests/secrets.yaml
/tests/playbooks/tmp
Expand All @@ -17,3 +18,4 @@
.idea
*.swp
*.swo
*~
8 changes: 8 additions & 0 deletions docs_dev/assemblies/development_environment.adoc
Expand Up @@ -135,6 +135,14 @@ cd ~/install_yamls/devsetup
make standalone
----

To deploy using TLS everywhere enabled, instead run:

[,bash]
---
cd ~/install_yamls/devsetup
TLS_ENABLED=true make standalone
---

== Install the openstack-k8s-operators (openstack-operator)

[,bash]
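Review bot: the new listing block around `TLS_ENABLED=true make standalone` is delimited with `---` (three hyphens) on both sides, while the block just above it closes with `----`; AsciiDoc only recognises four hyphens as a listing delimiter, so this block will not render as code and the `[,bash]` attribute will apply to nothing. Change both `---` lines to `----`.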
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,8 @@ include::../modules/con_about-node-selector.adoc[leveloffset=+1]

include::../modules/con_about-machine-configs.adoc[leveloffset=+1]

include::../modules/con_tlse-description.adoc[leveloffset=+1]

include::../modules/con_key-manager-service-support-for-crypto-plugins.adoc[leveloffset=+1]

//include::../modules/con_identity-service-authentication.adoc[leveloffset=+1]
2 changes: 2 additions & 0 deletions docs_user/main.adoc
Expand Up @@ -14,6 +14,8 @@ endif::[]

include::assemblies/assembly_planning-the-new-deployment.adoc[leveloffset=+1]

include::modules/proc_migrating-tls-everywhere.adoc[leveloffset=+1]

include::assemblies/assembly_migrating-databases-to-the-control-plane.adoc[leveloffset=+1]

include::assemblies/assembly_adopting-openstack-control-plane-services.adoc[leveloffset=+1]
18 changes: 18 additions & 0 deletions docs_user/modules/con_tlse-description.adoc
@@ -0,0 +1,18 @@
[id="con_tlse-description_{context}"]

= TLS Everywhere

Note: The assumption is, that the new deployment will adopt the settings from the
old deployment, so in case TLS Everywhere is disabled, it won't be enabled on
the new deployment.

If the Director deployment was deployed with TLS Everywhere, FreeIPA (IdM) is used
to issue certificates for the OpenStack services. Certmonger, a client process which
is installed on all hosts, interacts with FreeIPA (IdM) to request, install, track
and renew these certificates.

The new Operator based deployment uses the cert-manager operator to issue, track
and renew the certificates.
[Review comment, Contributor]
This raises a question in my mind: how does cert renewal work on the data plane, as any Operator doesn't act on the data plane nodes directly? (Again, not a blocker.)

[Reply, Contributor Author]
There is an ansible playbook that runs when the secret changes, which deploys the certificate from the control plane into the data plane. That's covered under the dataplane-operator TLS-E implementation.

[Reply]
> There is an ansible playbook that runs when the secret changes

nope, user must run a deployment

Because the same root CA is used to generate new certificates, the currently used chain
of trust doesn't have to be modified.
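Review bot: the module says cert-manager will "issue, track and renew the certificates", but the review thread on this hunk establishes that data plane nodes only receive a renewed certificate when the user runs a new deployment; that should be stated in the module itself, otherwise an operator will assume compute certificates renew automatically and discover the gap at expiry. The closing sentence ("Because the same root CA is used...") also presupposes that the IPA root CA has already been imported into the `rootca-internal` issuer, which is only mentioned as a prerequisite in proc_deploying-backend-services.adoc; reference that step here, and add a sentence that importing a CA into a cert-manager issuer puts its signing key in a cluster Secret whose access should be limited accordingly. Minor: "The assumption is, that" should drop the comma.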
Original file line number Diff line number Diff line change
Expand Up @@ -158,6 +158,20 @@ cd -

. Create a `nova-compute-extra-config` service:
+
. If TLS Everywhere is enabled, append the following to the OpenStackDataPlaneService spec:
+
[source,yaml]
----
tlsCert:
contents:
- dnsnames
- ips
networks:
- ctlplane
issuer: osp-rootca-issuer-internal
caCerts: combined-ca-bundle
----
+
[source,yaml]
----
oc apply -f - <<EOF
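Review bot: the new `. If TLS Everywhere is enabled, append the following to the OpenStackDataPlaneService spec:` item is inserted between `. Create a nova-compute-extra-config service:` and its `oc apply` block, so the `+` after the service step is now followed by another list item instead of a block, and the `oc apply` listing attaches to the TLS item; the TLS text renders as its own numbered step that appears before the CR it modifies. Make it a note inside the service step (or a callout on the CR) and say at which path in the spec `tlsCert` belongs. Separately, the issuer here is `osp-rootca-issuer-internal` while every other snippet in this PR references `rootca-internal` (the `ovn-data-cert` issuerRef and the OpenStackControlPlane `customIssuer`); commit 7d3a7f5 "Add the issuer label used by EDPM" suggests this value is a label selector rather than an Issuer name, so one sentence explaining that difference would stop readers from "fixing" it to `rootca-internal`.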
Expand Down Expand Up @@ -217,6 +231,8 @@ endif::[]

. Deploy the `OpenStackDataPlaneNodeSet` CR:
+
. If TLS Everywhere is enabled, change spec:tlsEnabled to true
+
[source,yaml]
----
oc apply -f - <<EOF
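Review bot: same structural problem as the previous hunk: `. If TLS Everywhere is enabled, change spec:tlsEnabled to true` becomes its own numbered step placed before the CR it modifies. Fold it into the `Deploy the OpenStackDataPlaneNodeSet CR` step, for example as a callout on a `tlsEnabled: true` line in the YAML, and write the path as `spec.tlsEnabled`.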
29 changes: 29 additions & 0 deletions docs_user/modules/proc_deploying-backend-services.adoc
Expand Up @@ -27,6 +27,8 @@ endif::[]
For production environments, the deployment method will likely be
different.

* If TLS Everywhere is enabled on the source environment, the `tls` root CA from the source environment must be copied over to the rootca-internal issuer.

* There are free PVs available to be claimed (for MariaDB and RabbitMQ).
ifeval::["{build}" != "downstream"]
+
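Review bot: the prerequisite "the `tls` root CA from the source environment must be copied over to the rootca-internal issuer" is the step the whole TLS Everywhere adoption depends on, and it is stated without saying what to copy (the IPA CA certificate and its signing key), where to get it from, or which Secret and Issuer to write it into. Commit f0190a8 "Add information on how to migrate IPA CA cert" indicates that procedure exists; link it from this bullet. Also warn that the CA signing key ends up in a cluster Secret in the openstack namespace, so RBAC on that Secret should be limited to cert-manager. The backticks around `tls` read as a literal identifier; if that is not an object name, drop them.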
Expand Down Expand Up @@ -128,6 +130,33 @@ oc set data secret/osp-secret "SwiftPassword=$SWIFT_PASSWORD"
. Deploy `OpenStackControlPlane`. Make sure to only enable DNS,
MariaDB, Memcached, and RabbitMQ services. All other services must
be disabled.

. If the source environment enables TLS Everywhere, modify
spec:tls section with the following override before applying it:

+
[source,yaml]
----
apiVersion: core.openstack.org/v1beta1
kind: OpenStackControlPlane
metadata:
name: openstack
spec:
tls:
podLevel:
enabled: true
internal:
ca:
customIssuer: rootca-internal
ovn:
ca:
customIssuer: rootca-internal
ingress:
ca:
customIssuer: rootca-internal
enabled: true
----

+
[source,yaml]
----
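Review bot: the text says to modify the `spec:tls` section, but the snippet is a complete OpenStackControlPlane object with apiVersion, kind and metadata, and it is immediately followed by the real `oc apply` CR; a reader who applies the snippet as shown creates a control plane with every other field defaulted. Show only the `tls:` subtree, or merge it into the full CR that follows. Since the spec has separate `internal`, `ovn` and `ingress` CA settings, also say explicitly that all three are pointed at `rootca-internal` because the source environment had a single IPA CA signing everything; otherwise a reader may keep a separate ingress CA and break trust for clients that already pin the IPA root.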
44 changes: 41 additions & 3 deletions docs_user/modules/proc_migrating-ovn-data.adoc
Expand Up @@ -49,6 +49,17 @@ grep -rI 'ovn_[ns]b_conn' /var/lib/config-data/puppet-generated/
----
oc apply -f - <<EOF
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: ovn-data-cert
namespace: openstack
spec:
commonName: ovn-data-cert
secretName: ovn-data-cert
issuerRef:
name: rootca-internal
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
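Review bot: the `ovn-data-cert` Certificate is used as a client certificate by `ovsdb-client` against both the source (IPA-signed) and the new control plane ovsdb servers, which only works because `rootca-internal` has been seeded with the source CA; state that dependency here and point at the prerequisite in proc_deploying-backend-services.adoc, since a reader following only this module gets a chain-verification failure on the `ssl:$SOURCE_OVSDB_IP` step with no hint why. The spec also sets no `usages`; add `client auth` explicitly so the certificate is valid for its actual role regardless of cert-manager defaults. `issuerRef` without `kind` defaults to `Issuer`, which is fine, but `namespace: openstack` is hard-coded here while the other objects in the same `oc apply` do not set one.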
Expand Down Expand Up @@ -77,6 +88,9 @@ spec:
volumeMounts:
- mountPath: /backup
name: ovn-data
- mountPath: /etc/pki/tls/misc
name: ovn-data-cert
readOnly: true
securityContext:
allowPrivilegeEscalation: false
capabilities:
Expand All @@ -88,6 +102,9 @@ spec:
- name: ovn-data
persistentVolumeClaim:
claimName: ovn-data
- name: ovn-data-cert
secret:
secretName: ovn-data-cert
EOF
----

Expand All @@ -97,13 +114,20 @@ EOF
oc wait --for=condition=Ready pod/ovn-copy-data --timeout=30s
----

. Backup OVN databases.
. Backup OVN databases on an environment without TLS everywhere.
+
----
oc exec ovn-copy-data -- bash -c "ovsdb-client backup tcp:$SOURCE_OVSDB_IP:6641 > /backup/ovs-nb.db"
oc exec ovn-copy-data -- bash -c "ovsdb-client backup tcp:$SOURCE_OVSDB_IP:6642 > /backup/ovs-sb.db"
----

. Backup OVN databases on a TLS everywhere environment.
+
----
oc exec ovn-copy-data -- bash -c "ovsdb-client backup --ca-cert=/etc/pki/tls/misc/ca.crt --private-key=/etc/pki/tls/misc/tls.key --certificate=/etc/pki/tls/misc/tls.crt ssl:$SOURCE_OVSDB_IP:6641 > /backup/ovs-nb.db"
oc exec ovn-copy-data -- bash -c "ovsdb-client backup --ca-cert=/etc/pki/tls/misc/ca.crt --private-key=/etc/pki/tls/misc/tls.key --certificate=/etc/pki/tls/misc/tls.crt ssl:$SOURCE_OVSDB_IP:6642 > /backup/ovs-sb.db"
----

. Start the control plane OVN database services prior to import, keeping `northd/ovn-controller` stopped.
+
[source,yaml]
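Review bot: the non-TLS and TLS backup steps are both plain numbered steps, so the list now reads as consecutive steps the reader must pick through, and the same `--ca-cert=... --private-key=... --certificate=...` option string is repeated on every line. Either phrase the TLS variant as a sub-step ("Otherwise, on a TLS Everywhere environment:") or define the options once, e.g. `TLS_ARGS="--ca-cert=/etc/pki/tls/misc/ca.crt --private-key=/etc/pki/tls/misc/tls.key --certificate=/etc/pki/tls/misc/tls.crt"`, and reuse it. Also say that `/etc/pki/tls/misc/ca.crt` is the CA cert-manager wrote from the `rootca-internal` issuer and that it must be the source IPA root, because `--ca-cert` is what authenticates the source ovsdb-server in this step.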
Expand Down Expand Up @@ -145,20 +169,34 @@ PODIFIED_OVSDB_NB_IP=$(oc get svc --selector "statefulset.kubernetes.io/pod-name
PODIFIED_OVSDB_SB_IP=$(oc get svc --selector "statefulset.kubernetes.io/pod-name=ovsdbserver-sb-0" -ojsonpath='{.items[0].spec.clusterIP}')
----

. Upgrade database schema for the backup files.
. Upgrade database schema for the backup files on an environment without TLS everywhere.
+
----
oc exec ovn-copy-data -- bash -c "ovsdb-client get-schema tcp:$PODIFIED_OVSDB_NB_IP:6641 > /backup/ovs-nb.ovsschema && ovsdb-tool convert /backup/ovs-nb.db /backup/ovs-nb.ovsschema"
oc exec ovn-copy-data -- bash -c "ovsdb-client get-schema tcp:$PODIFIED_OVSDB_SB_IP:6642 > /backup/ovs-sb.ovsschema && ovsdb-tool convert /backup/ovs-sb.db /backup/ovs-sb.ovsschema"
----

. Restore database backup to the control plane OVN database servers.
. Upgrade database schema for the backup files on a TLS everywhere environment.
+
----
oc exec ovn-copy-data -- bash -c "ovsdb-client get-schema --ca-cert=/etc/pki/tls/misc/ca.crt --private-key=/etc/pki/tls/misc/tls.key --certificate=/etc/pki/tls/misc/tls.crt ssl:$PODIFIED_OVSDB_NB_IP:6641 > /backup/ovs-nb.ovsschema && ovsdb-tool convert /backup/ovs-nb.db /backup/ovs-nb.ovsschema"
oc exec ovn-copy-data -- bash -c "ovsdb-client get-schema --ca-cert=/etc/pki/tls/misc/ca.crt --private-key=/etc/pki/tls/misc/tls.key --certificate=/etc/pki/tls/misc/tls.crt ssl:$PODIFIED_OVSDB_SB_IP:6642 > /backup/ovs-sb.ovsschema && ovsdb-tool convert /backup/ovs-sb.db /backup/ovs-sb.ovsschema"
----

. Restore database backup to the control plane OVN database servers on an environment without TLS everywhere.
+
----
oc exec ovn-copy-data -- bash -c "ovsdb-client restore tcp:$PODIFIED_OVSDB_NB_IP:6641 < /backup/ovs-nb.db"
oc exec ovn-copy-data -- bash -c "ovsdb-client restore tcp:$PODIFIED_OVSDB_SB_IP:6642 < /backup/ovs-sb.db"
----

. Restore database backup to podified OVN database servers on a TLS everywhere environment.
+
----
oc exec ovn-copy-data -- bash -c "ovsdb-client restore --ca-cert=/etc/pki/tls/misc/ca.crt --private-key=/etc/pki/tls/misc/tls.key --certificate=/etc/pki/tls/misc/tls.crt ssl:$PODIFIED_OVSDB_NB_IP:6641 < /backup/ovs-nb.db"
oc exec ovn-copy-data -- bash -c "ovsdb-client restore --ca-cert=/etc/pki/tls/misc/ca.crt --private-key=/etc/pki/tls/misc/tls.key --certificate=/etc/pki/tls/misc/tls.crt ssl:$PODIFIED_OVSDB_SB_IP:6642 < /backup/ovs-sb.db"
----

. Check that the control plane OVN databases contain objects from backup, for example:
+
----
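Review bot: terminology drifts within the hunk: the plain step says "control plane OVN database servers" and the TLS step says "podified OVN database servers"; use one term. The schema-upgrade and restore steps duplicate the full TLS option string six more times; the same single-variable approach suggested for the backup step applies here and keeps the three TLS steps from drifting apart when a path changes.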