Set REQUESTS_CA_BUNDLE env var

In order to force requests module inside venvs to trust system-trusted certificate authorities, we need to define environment variable that will provide full path to CA file. Otherwise certifi provided file will be used, that can't be updated with new CA once they're added to system trust store. Change-Id: I79446813602ae094bb788d3c29654fb814ec19a8
2021-06-18 18:33:31 +03:00 · 2021-06-18 18:33:31 +03:00 · 92b1d408b8
commit 92b1d408b8
parent 77ff7c7f26
10 changed files with 65 additions and 12 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -88,6 +88,10 @@ openstack_host_environment_path:
  - /usr/games
  - /usr/local/games

+# Allows the ability to override or add extra parameters to the systemd global config
+# that will be applied by default to all units
+openstack_systemd_global_overrides: {}
+
 # Set the level of reverse path filtering to use
 openstack_host_rp_filter_all: 0
 openstack_host_rp_filter_default: 0
@ -170,8 +174,8 @@ openstack_hosts_enable_yum_fastestmirror: yes
 #    src: /etc/ssl/certs/snake-oil-cert-latest.pem     #the source file on the deploy host
 openstack_host_ca_certificates: []

-# target directory for user supplied CA certificates
-openstack_host_ca_location: "{{ _openstack_host_ca_location }}"
+# Path to the file with trusted CA that will be used by python requests module
+openstack_ca_bundle_path: "{{ _openstack_ca_bundle_path }}"

 # extra configuration for OS package manager
 openstack_hosts_package_manager_extra_conf: ''
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -28,3 +28,7 @@
  until: _restart  is success
  retries: 5
  delay: 2
+
+- name: Systemd daemon reload
+  systemd:
+    daemon_reload: yes
--- a/releasenotes/notes/requests_ca_bundle-1a678a22b3375976.yaml
+++ b/releasenotes/notes/requests_ca_bundle-1a678a22b3375976.yaml
@ -0,0 +1,15 @@
+---
+features:
+  - |
+    New variable ``openstack_ca_bundle_path`` has been added which defines
+    the path to the ca-bundle certificate which contains all system-trusted CA
+    and will be used by the Python Requests module.
+  - |
+    Added variable ``openstack_systemd_global_overrides`` that defines
+    some defaults for all systemd services. It will be deployed to all hosts
+    and containers, but can be controlled with group_vars or host_vars as well
+    if needed.
+deprecations:
+  - |
+    Since certificates and CA distribution are now handled with PKI role,
+    variable ``openstack_host_ca_location`` has been deprecated and removed.
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -47,6 +47,33 @@
  tags:
    - openstack_hosts-config

+- name: Ensure environement is applied during sudo
+  lineinfile:
+    path: /etc/pam.d/sudo
+    line: "session    required   pam_env.so readenv=1 user_readenv=0"
+    regexp: 'session\s+required\s+pam_env\.so'
+    insertbefore: '^@include'
+  when: ansible_facts['distribution'] | lower == 'debian'
+
+- name: Create systemd global directory
+  file:
+    path: /etc/systemd/system.conf.d/
+    state: directory
+    owner: "root"
+    group: "root"
+    mode: "0644"
+
+- name: Add DefaultEnvironment to systemd
+  config_template:
+    src: systemd-environment.j2
+    dest: /etc/systemd/system.conf.d/osa-default-environment.conf
+    owner: "root"
+    group: "root"
+    mode: "0644"
+    config_overrides: "{{ openstack_systemd_global_overrides }}"
+    config_type: ini
+  notify: Systemd daemon reload
+
 # Configure host files should apply to all nodes
 - name: Configure etc hosts files
  include_tasks: openstack_update_hosts_file.yml
--- a/templates/environment.j2
+++ b/templates/environment.j2
@ -1,8 +1,7 @@
 PATH="{{ openstack_host_environment_path | join(':') }}"
-{% if global_environment_variables is defined %}
-{%   for key, value in global_environment_variables.items() %}
-{%     if value %}
+REQUESTS_CA_BUNDLE="{{ openstack_ca_bundle_path }}"
+{% for key, value in global_environment_variables.items() %}
+{%   if value %}
 {{ key }}={{ value }}
-{%     endif %}
-{%   endfor %}
-{% endif %}
+{%   endif %}
+{% endfor %}
--- a/templates/systemd-environment.j2
+++ b/templates/systemd-environment.j2
@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+
+[Manager]
+DefaultEnvironment=REQUESTS_CA_BUNDLE={{ openstack_ca_bundle_path }}
--- a/vars/debian.yml
+++ b/vars/debian.yml
@ -94,4 +94,4 @@ _package_repos:
    state: present
    filename: "osbpo"

-_openstack_host_ca_location: /usr/local/share/ca-certificates/
+_openstack_ca_bundle_path: /etc/ssl/certs/ca-certificates.crt
--- a/vars/redhat-8.yml
+++ b/vars/redhat-8.yml
@ -104,4 +104,4 @@ _package_repos:
    gpgcheck: no
    module_hotfixes: yes

-_openstack_host_ca_location: /etc/pki/ca-trust/source/anchors/
+_openstack_ca_bundle_path: /etc/pki/tls/certs/ca-bundle.crt
--- a/vars/ubuntu-18.04.yml
+++ b/vars/ubuntu-18.04.yml
@ -96,4 +96,4 @@ _package_repos:
    state: present
    filename: "uca"

-_openstack_host_ca_location: /usr/local/share/ca-certificates/
+_openstack_ca_bundle_path: /etc/ssl/certs/ca-certificates.crt
--- a/vars/ubuntu-20.04.yml
+++ b/vars/ubuntu-20.04.yml
@ -97,4 +97,4 @@ _package_repos: []

 _uca_repo: "deb {{ apt_repo_url | default('http://ubuntu-cloud.archive.canonical.com/ubuntu') }} {{ ansible_facts['lsb']['codename'] }}-updates/{{ openstack_distrib_code_name | lower }} main"

-_openstack_host_ca_location: /usr/local/share/ca-certificates/
+_openstack_ca_bundle_path: /etc/ssl/certs/ca-certificates.crt