opendev
/
system-config
Code Issues Proposed changes

Merge "Generate ssl check list directly from letsencrypt variables"

This commit is contained in:
Zuul 2020-05-28 23:31:11 +00:00 committed by Gerrit Code Review
parent fc39f87f1e c9215801f0
commit 3f61433c59
28 changed files with 212 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
inventory/groups.yaml
View File

@ -28,6 +28,8 @@ groups:
# backup-server:
# - backup[0-9]*.opendev.org
cacti: cacti[0-9]*.open*.org
certcheck:
- cacti[0-9]*.open*.org
cloud-launcher:
- bridge.openstack.org
codesearch:

4
manifests/site.pp
View File

@ -28,7 +28,9 @@ node /^health\d*\.openstack\.org$/ {
# Node-OS: xenial
node /^cacti\d+\.open.*\.org$/ {
$group = "cacti"
include openstack_project::ssl_cert_check
# NOTE(ianw) 2020-05 : disabled pending removal, migrated to
# ansible.
# include openstack_project::ssl_cert_check
class { 'openstack_project::cacti':
cacti_hosts => hiera_array('cacti_hosts'),
vhost_name => 'cacti.openstack.org',

17
playbooks/group_vars/certcheck.yaml Normal file
View File

@ -0,0 +1,17 @@
letsencrypt_certcheck_additional_domains:
- ask.openstack.org 443
- ethercalc.openstack.org 443
- etherpad.openstack.org 443
- firehose.openstack.org 8883
- git.openstack.org 443
- openstackid-dev.openstack.org 443
- openstackid.org 443
- refstack.openstack.org 443
- review.openstack.org 443
- storyboard.openstack.org 443
- survey.openstack.org 443
- static.openstack.org 443
- translate.openstack.org 443
- wiki.openstack.org 443
- www.openstack.org 443
- zuul.openstack.org 443

2
playbooks/host_vars/gitea01.opendev.org.yaml
View File

@ -1,4 +1,4 @@
letsencrypt_certs:
gitea01-main:
- gitea01.opendev.org
- gitea01.opendev.org:3000
- opendev.org

2
playbooks/host_vars/gitea02.opendev.org.yaml
View File

@ -1,4 +1,4 @@
letsencrypt_certs:
gitea02-main:
- gitea02.opendev.org
- gitea02.opendev.org:3000
- opendev.org

2
playbooks/host_vars/gitea03.opendev.org.yaml
View File

@ -1,4 +1,4 @@
letsencrypt_certs:
gitea03-main:
- gitea03.opendev.org
- gitea03.opendev.org:3000
- opendev.org

2
playbooks/host_vars/gitea04.opendev.org.yaml
View File

@ -1,4 +1,4 @@
letsencrypt_certs:
gitea04-main:
- gitea04.opendev.org
- gitea04.opendev.org:3000
- opendev.org

2
playbooks/host_vars/gitea05.opendev.org.yaml
View File

@ -1,4 +1,4 @@
letsencrypt_certs:
gitea05-main:
- gitea05.opendev.org
- gitea05.opendev.org:3000
- opendev.org

2
playbooks/host_vars/gitea06.opendev.org.yaml
View File

@ -1,4 +1,4 @@
letsencrypt_certs:
gitea06-main:
- gitea06.opendev.org
- gitea06.opendev.org:3000
- opendev.org

2
playbooks/host_vars/gitea07.opendev.org.yaml
View File

@ -1,4 +1,4 @@
letsencrypt_certs:
gitea07-main:
- gitea07.opendev.org
- gitea07.opendev.org:3000
- opendev.org

2
playbooks/host_vars/gitea08.opendev.org.yaml
View File

@ -1,4 +1,4 @@
letsencrypt_certs:
gitea08-main:
- gitea08.opendev.org
- gitea08.opendev.org:3000
- opendev.org

2
playbooks/host_vars/insecure-ci-registry01.opendev.org.yaml
View File

@ -1,4 +1,4 @@
letsencrypt_certs:
insecure-ci-registry01-main:
- insecure-ci-registry01.opendev.org
- insecure-ci-registry01.opendev.org:5000
- insecure-ci-registry.opendev.org

24
playbooks/roles/install-certcheck/README.rst Normal file
View File

@ -0,0 +1,24 @@
Install ssl-cert-check
Installs the ssl-cert-check tool and a cron job to check the freshness
of the SSL certificates for the configured domains daily.
**Role Variables**
.. zuul:rolevar:: ssl_cert_check_domain_list
:default: /var/lib/certcheck/domainlist
The list of domains to check
.. zuul:rolevar:: ssl_cert_check_days
:default: 30
Warn about certificates who have less than this number of days to
expiry.
.. zuul:rolevar:: ssl_cert_check_email
:default: root
The email to send reports to

3
playbooks/roles/install-certcheck/defaults/main.yaml Normal file
View File

@ -0,0 +1,3 @@
cert_check_domain_list: /var/lib/certcheck/domainlist
cert_check_days: 30
cert_check_email: root

32
playbooks/roles/install-certcheck/tasks/main.yaml Normal file
View File

@ -0,0 +1,32 @@
- name: Ensure dependencies
package:
name:
- openssl
- bsd-mailx
- name: Ensure certcheck user
user:
name: certcheck
comment: User for SSL validation
- name: Ensure certcheck config directory
file:
state: directory
path: '{{ cert_check_domain_list | dirname }}'
owner: certcheck
group: certcheck
mode: 0755
- name: Pull latest ssl-cert-check from git
git:
repo: 'https://github.com/Matty9191/ssl-cert-check'
dest: /opt/ssl-cert-check
- name: Install cron job
cron:
user: certcheck
name: 'Run certcheck'
state: present
job: "/opt/ssl-cert-check/ssl-cert-check -a -q -f {{ cert_check_domain_list }} -x {{ cert_check_days }} -e {{ cert_check_email }}"
hour: 12
minute: 04

27
playbooks/roles/letsencrypt-config-certcheck/README.rst Normal file
View File

@ -0,0 +1,27 @@
Generate SSL check list
This role automatically generates a list of domains for the
certificate validation checks. This ensures our certificates are
valid and are being renewed as expected.
This role must run after ``letsencrypt-request-certs`` role, as that
builds the ``letsencrypt_certcheck_domains`` variable for each
host and certificate. It must also run on a host that has already run
the ``install-certcheck`` role.
**Role Variables**
.. zuul:rolevar:: letsencrypt_certcheck_domain_list
:default: /var/lib/certcheck/ssldomains
The ssl-cert-check domain configuration file to write. See also
the ``install-certcheck`` role.
.. zuul:rolevar:: letsencrypt_certcheck_additional_domains
:default: []
A list of additional domains to check for hosts not using the
``letsencrypt-*`` roles. Each entry should be in the format
``hostname port``.

1
playbooks/roles/letsencrypt-config-certcheck/defaults/main.yaml Normal file
View File

@ -0,0 +1 @@
letsencrypt_certcheck_domain_list: /var/lib/certcheck/ssldomains

17
playbooks/roles/letsencrypt-config-certcheck/tasks/main.yaml Normal file
View File

@ -0,0 +1,17 @@
- name: Make domain list
set_fact:
letsencrypt_certcheck_domains: []
- name: Build SSL domain list
set_fact:
letsencrypt_certcheck_domains: '{{ letsencrypt_certcheck_domains }} + {{ hostvars[item]["letsencrypt_certcheck_domains" ] }}'
with_inventory_hostnames:
- letsencrypt:!disabled
- name: Write configuration file
template:
dest: '{{ letsencrypt_certcheck_domain_list }}'
src: ssldomains.j2
owner: certcheck
group: certcheck
mode: 0644

6
playbooks/roles/letsencrypt-config-certcheck/templates/ssldomains.j2 Normal file
View File

@ -0,0 +1,6 @@
{% for domain in letsencrypt_certcheck_domains %}
{{ domain }}
{% endfor %}
{% for domain in letsencrypt_certcheck_additional_domains %}
{{ domain }}
{% endfor %}

4
playbooks/roles/letsencrypt-create-certs/tasks/acme.yaml
View File

@ -1,6 +1,6 @@
- name: 'Build arguments for letsencrypt acme.sh driver for: {{ item.key }}'
set_fact:
acme_args: '"{% for domain in item.value %}-d {{ domain }} {% endfor %}"'
acme_args: '"{% for domain in item.value %}-d {{ domain.split(":")[0] }} {% endfor %}"'
- name: 'Run acme.sh driver for {{ item.key }} certificate issue'
shell:
@ -12,4 +12,4 @@
LETSENCRYPT_STAGING: '{{ "1" if letsencrypt_use_staging else "0" }}'
notify: 'letsencrypt updated {{ item.key }}'
# Keys generated!
# Keys generated!

9
playbooks/roles/letsencrypt-request-certs/README.rst
View File

@ -62,3 +62,12 @@ provision process.
_acme-challenge.hostname01.opendev.org. IN CNAME acme.opendev.org.
_acme-challenge.hostname.opendev.org. IN CNAME acme.opendev.org.
_acme-challenge.foo.opendev.org. IN CNAME acme.opendev.org.
The hostname in the first entry for each certificate will be
registered with the ``letsencrypt-config-certcheck`` for periodic
freshness tests; from the example above, ``hostname01.opendev.org``
and ``foo.opendev.org`` would be checked. By default this will
check on port 443; if the certificate is actually active on another
port you can specify it after a colon;
e.g. ``foo.opendev.org:5000`` would indicate this host listens with
this certificate on port 5000.

2
playbooks/roles/letsencrypt-request-certs/tasks/acme.yaml
View File

@ -2,7 +2,7 @@
set_fact:
# NOTE(ianw): note the domains are passed in one string (between
# ") as it makes argument parsing a little easier in the driver.sh
acme_args: '"{% for domain in cert.value %}-d {{ domain }} {% endfor %}"'
acme_args: '"{% for domain in cert.value %}-d {{ domain.split(":")[0] }} {% endfor %}"'
- name: Run acme.sh driver for certificate issue
shell:

28
playbooks/roles/letsencrypt-request-certs/tasks/main.yaml
View File

@ -1,10 +1,6 @@
- set_fact:
acme_txt_required: []
- name: Show cert list
debug:
var: letsencrypt_certs
# Handle multiple certs for a single host; like
#
# letsencrypt_certs:
@ -22,5 +18,25 @@
loop_control:
loop_var: cert
- debug:
var: acme_txt_required
- name: Create ssl check domain list
# For each generated certificate get the first entry as the domain
# to run the certificate validation tests against. If it specifies
# a port explicitly, use that, otherwise assume 443.
#
# Later in ssl-check role, the final certificate validation list is
# generated by walking the letsencrypt_certcheck_domains variable
# for each host in the letsencrypt group.
set_fact:
letsencrypt_certcheck_domains: >-
{%- set d = [] -%}
{%- for cert in letsencrypt_certs.keys() -%}
{%- for host in letsencrypt_certs[cert] -%}
{%- if loop.first -%}
{%- if not ":" in host -%}
{%- set host = host+":443" -%}
{%- endif -%}
{%- set d = d.append(host.replace(":"," ")) -%}
{% endif %}
{% endfor %}
{% endfor %}
{{- d -}}

6
playbooks/service-letsencrypt.yaml
View File

@ -1,6 +1,9 @@
# This needs to happen in order. letsencrypt hosts export their TXT
# authentication records which is installed onto adns1, and then the
# hosts verify to issue/renew keys
- hosts: "certcheck:!disabled"
roles:
- install-certcheck
- hosts: "letsencrypt:!disabled"
name: "Base: deploy and renew certificates"
roles:
@ -14,3 +17,6 @@
name: "Create certs"
roles:
- letsencrypt-create-certs
- hosts: "certcheck:!disabled"
roles:
- letsencrypt-config-certcheck

3
playbooks/zuul/templates/gate-groups.yaml.j2
View File

@ -5,6 +5,9 @@ groups:
docker:
- bionic-docker
certcheck:
- bridge.openstack.org
letsencrypt:
- letsencrypt01.opendev.org
- letsencrypt02.opendev.org

4
playbooks/zuul/templates/host_vars/letsencrypt01.opendev.org.yaml.j2
View File

@ -1,7 +1,7 @@
letsencrypt_certs:
letsencrypt01-main-service:
- letsencrypt01.opendev.org
- letsencrypt01.opendev.org:5000
- letsencrypt.opendev.org
- alias.opendev.org
letsencrypt01-other-service:
- someotherservice.opendev.org
- someotherservice.opendev.org

23
testinfra/test_letsencrypt.py
View File

@ -15,6 +15,7 @@
import pytest
testinfra_hosts = ['adns-letsencrypt.opendev.org',
'bridge.openstack.org',
'letsencrypt01.opendev.org',
'letsencrypt02.opendev.org']
@ -138,3 +139,25 @@ def test_acme_sh_config(host):
config = host.file('/root/.acme.sh/account.conf')
assert config.exists
assert config.contains("^ACCOUNT_EMAIL='le-test@opendev.org'")
def test_certcheck_config(host, zuul_data):
if host.backend.get_hostname() != 'bridge.openstack.org':
pytest.skip()
if zuul_data['extra']['zuul']['job'] != 'system-config-run-letsencrypt':
pytest.skip()
domainlist = host.file('/var/lib/certcheck/ssldomains')
# TODO(ianw): figure out a flag or something from the
# system-config-run-letsencrypt test so that we can assert this
# file exists only in that case.
if not domainlist.exists:
pytest.skip()
assert domainlist.exists
assert domainlist.user == 'certcheck'
# from variables
assert domainlist.contains('^letsencrypt01.opendev.org 5000')
# from extra list; may need to change if list is modified
assert domainlist.contains('^wiki.openstack.org 443')

3
zuul.d/system-config-run.yaml
View File

@ -191,6 +191,9 @@
- playbooks/service-nameserver.yaml
- playbooks/service-letsencrypt.yaml
host-vars:
bridge.openstack.org:
host_copy_output:
'/var/lib/certcheck': logs
letsencrypt01.opendev.org:
host_copy_output:
'/var/log/acme.sh': logs