INFRA-839 Add playbooks, config & docs for enabling Pulp tls with vault #1427

Open
wants to merge 2 commits into
base: stackhpc/2024.1
25 changes: 25 additions & 0 deletions doc/source/configuration/vault.rst
Expand Up @@ -298,6 +298,31 @@ Enable the required TLS variables in kayobe and kolla

kayobe overcloud host command run --command "systemctl restart kolla-nova_compute-container.service" --become --show-output -l compute

Pulp TLS with Vault
===================
To enable tls for pulp using vault generated certificates, we first need to generate the certificates using vault and then configure the seed + seed-hypervisor + overcloud nodes to add the root CA to their trust.

1. Run the playbook which will generate the certificates and add the root CA to the seed + seed-hypervisor + overcloud nodes

.. code-block::

kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/vault-generate-pulp-tls.yml

2. Next, enable tls for pulp in pulp.yml

.. code-block::

# Whether to enable TLS for Pulp.
pulp_enable_tls: true

3. Redeploy pulp

.. code-block::

kayobe seed service reconfigure -t seed-deploy-containers -kt none

You should now have pulp running with tls enabled using the certificates generated by vault.

Barbican integration
====================

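Review bot: The procedure omits the prerequisite that the overcloud Vault must already be deployed: vault-generate-pulp-tls.yml runs against `controllers` and reads overcloud-vault-keys.json, which is the bootstrapping limitation raised in the review thread, where the agreed outcome was a clear warning in the docs. Add a note before step 1 stating that these steps cover enabling Pulp TLS on an existing cloud and cannot be run before the overcloud Vault exists. Style points: the underline of "Pulp TLS with Vault" is not followed by a blank line, unlike "Barbican integration" below; "tls" and "pulp" in the prose should be "TLS" and "Pulp"; and step 3 is titled "Redeploy pulp" while the command is `kayobe seed service reconfigure`, so "Reconfigure Pulp" describes it better.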
29 changes: 29 additions & 0 deletions etc/kayobe/ansible/copy-ca-to-hosts.yml
@@ -0,0 +1,29 @@
---
- name: Copy CA certificate and update trust
hosts: overcloud:seed:seed-hypervisor
become: true
vars:
cert_path: "{{ kayobe_env_config_path }}/vault/OS-TLS-ROOT.pem"

tasks:
- name: Copy certificate on RedHat family systems (Rocky, RHEL, CentOS)
copy:
src: "{{ cert_path }}"
dest: "/etc/pki/ca-trust/source/anchors/OS-TLS-ROOT.pem"
mode: "0644"
when: ansible_facts.os_family == 'RedHat'

- name: Update CA trust on RedHat family systems
command: "update-ca-trust"
when: ansible_facts.os_family == 'RedHat'

- name: Copy certificate on Debian family systems (Ubuntu, Debian)
copy:
src: "{{ cert_path }}"
dest: "/usr/local/share/ca-certificates/OS-TLS-ROOT.crt"
mode: "0644"
when: ansible_facts.os_family == 'Debian'

- name: Update CA trust on Debian family systems
command: "update-ca-certificates"
when: ansible_facts.os_family == 'Debian'
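Review bot: The `update-ca-trust` and `update-ca-certificates` command tasks run on every play and always report changed, even when the preceding copy task changed nothing; register the copy tasks and gate the commands with `when: <result> is changed` (or move them into handlers notified by the copy tasks) so the play is idempotent. Also, the play requires `{{ kayobe_env_config_path }}/vault/OS-TLS-ROOT.pem` to exist on the Ansible control host, but nothing in the play says which playbook produces it; a one-line comment at the top would save operators a search.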
53 changes: 53 additions & 0 deletions etc/kayobe/ansible/vault-generate-pulp-tls.yml
@@ -0,0 +1,53 @@
---
- name: Generate TLS certificate for pulp
hosts: controllers
run_once: true
vars:
vault_api_addr: "https://{{ internal_net_name | net_ip(groups['controllers'][0]) }}:8200"
Contributor

Only thing to point out here is that we have a bootstrapping issue where we have to bring the controllers up and deploy vault before generating the certs. You could use the vault on the seed to generate the certificate for pulp instead, but is it better to always use the overcloud vault? What do people think?

Member

If we want to use vault from the seed (which might make more sense, since this is being deployed on the seed) then we'll need a second intermediate CA?

Contributor

It would make sense to have TLS for Pulp before we need to use Pulp at all, so even before Bifrost. So +1 to not relying on the overcloud vault.

Contributor Author

Should we do that as a part 2? And perhaps call this 'Deploying pulp with TLS on an existing cloud'?

Member

That's fine by me as long as we have a clear warning in the docs.

vault_intermediate_ca_name: "OS-TLS-INT"
tasks:
- name: Include Vault keys
include_vars:
file: "{{ kayobe_env_config_path }}/vault/overcloud-vault-keys.json"
name: vault_keys

- name: Issue a certificate for pulp TLS
hashivault_pki_cert_issue:
url: "{{ vault_api_addr }}"
ca_cert: "{{ '/etc/pki/tls/certs/ca-bundle.crt' if ansible_facts.os_family == 'RedHat' else '/usr/local/share/ca-certificates/OS-TLS-ROOT.crt' }}"
token: "{{ vault_keys.root_token }}"
mount_point: "{{ vault_intermediate_ca_name }}"
role: "{{ overcloud_vault_pki_internal_tls_role_name }}"
common_name: ""
verify: false
extra_params:
ip_sans: "{{ lookup('vars', admin_oc_net_name ~ '_ips')[groups.seed.0] }}"
register: pulp_cert
environment:
https_proxy: ''

- name: Ensure pulp certificates directory exists
file:
path: "{{ kayobe_env_config_path }}/pulp/certificates"
state: directory
delegate_to: localhost

- name: Copy pulp TLS certificate (including intermediate)
no_log: true
copy:
dest: "{{ kayobe_env_config_path }}/pulp/certificates/pulp.crt"
content: |
{{ pulp_cert.data.certificate }}
{{ pulp_cert.data.issuing_ca }}
mode: 0600
delegate_to: localhost

- name: Copy pulp private key
no_log: true
copy:
dest: "{{ kayobe_env_config_path }}/pulp/certificates/pulp.key"
content: "{{ pulp_cert.data.private_key }}"
mode: 0600
delegate_to: localhost

- import_playbook: copy-ca-to-hosts.yml
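Review bot: `verify: false` on the `hashivault_pki_cert_issue` task disables TLS verification of the Vault API, so the `ca_cert` argument on the line above it has no effect; since copy-ca-to-hosts.yml installs OS-TLS-ROOT into the trust store of these hosts, verification can be left enabled. In the same task, the registered `pulp_cert` result contains `data.private_key`, yet only the later copy tasks are `no_log: true`; add `no_log: true` to the issue task as well so the key does not land in verbose output or callback logs. Two smaller points: `common_name: ""` issues a certificate whose only identity is the seed's admin IP SAN, so clients that reach Pulp by hostname will fail validation, which is worth stating in the docs or making the CN configurable; and `mode: 0600` is unquoted while copy-ca-to-hosts.yml uses `"0644"`, so quote it for consistency.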
4 changes: 2 additions & 2 deletions etc/kayobe/pulp.yml
Expand Up @@ -14,10 +14,10 @@ pulp_port: "{{ '443' if pulp_enable_tls | bool else '80' }}"
pulp_enable_tls: false

# Path to a TLS certificate to use when TLS is enabled.
#pulp_cert_path:
pulp_cert_path: "{{ kayobe_env_config_path ~ '/pulp/certificates/pulp.crt' if pulp_enable_tls | bool else '' }}"

# Path to a TLS key to use when TLS is enabled.
#pulp_key_path:
pulp_key_path: "{{ kayobe_env_config_path ~ '/pulp/certificates/pulp.key' if pulp_enable_tls | bool else '' }}"

###############################################################################
# Local Pulp access credentials
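Review bot: Replacing the commented placeholders with active defaults changes the TLS-disabled case from undefined to the empty string `''`; if anything that consumes `pulp_cert_path` or `pulp_key_path` tests `is defined` rather than truthiness, behaviour changes, so please confirm how these variables are used. The comment above each variable should also say that the default points at the files written by vault-generate-pulp-tls.yml and that operators supplying their own certificate must override both paths.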
6 changes: 6 additions & 0 deletions releasenotes/notes/pulp-tls-105e47f0da602a25.yaml
@@ -0,0 +1,6 @@
---
features:
- |
Playbooks have been added to allow for the configuration of Pulp with TLS
using certificates generated from vault. Instructions have been added to
the docs.
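Review bot: The note should name the playbook (`vault-generate-pulp-tls.yml`) and the variables whose defaults changed (`pulp_cert_path`, `pulp_key_path`), and state the prerequisite agreed in review that the overcloud Vault must already be deployed before the certificates can be generated; "vault" should also be capitalised as "Vault", matching the section title in the docs.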