Set REQUESTS_CA_BUNDLE env var

In order to force requests module inside venvs to trust system-trusted
certificate authorities, we need to define environment variable
that will provide full path to CA file. Otherwise certifi provided file
will be used, that can't be updated with new CA once they're added
to system trust store.

Change-Id: I79446813602ae094bb788d3c29654fb814ec19a8
This commit is contained in:
Dmitriy Rabotyagov 2021-06-18 18:33:31 +03:00 committed by Dmitriy Rabotyagov
parent 77ff7c7f26
commit 92b1d408b8
10 changed files with 65 additions and 12 deletions

View File

@ -88,6 +88,10 @@ openstack_host_environment_path:
- /usr/games
- /usr/local/games
# Allows the ability to override or add extra parameters to the systemd global config
# that will be applied by default to all units
openstack_systemd_global_overrides: {}
# Set the level of reverse path filtering to use
openstack_host_rp_filter_all: 0
openstack_host_rp_filter_default: 0
@ -170,8 +174,8 @@ openstack_hosts_enable_yum_fastestmirror: yes
# src: /etc/ssl/certs/snake-oil-cert-latest.pem #the source file on the deploy host
openstack_host_ca_certificates: []
# target directory for user supplied CA certificates
openstack_host_ca_location: "{{ _openstack_host_ca_location }}"
# Path to the file with trusted CA that will be used by python requests module
openstack_ca_bundle_path: "{{ _openstack_ca_bundle_path }}"
# extra configuration for OS package manager
openstack_hosts_package_manager_extra_conf: ''

View File

@ -28,3 +28,7 @@
until: _restart is success
retries: 5
delay: 2
- name: Systemd daemon reload
systemd:
daemon_reload: yes

View File

@ -0,0 +1,15 @@
---
features:
- |
New variable ``openstack_ca_bundle_path`` has been added which defines
the path to the ca-bundle certificate which contains all system-trusted CA
and will be used by the Python Requests module.
- |
Added variable ``openstack_systemd_global_overrides`` that defines
some defaults for all systemd services. It will be deployed to all hosts
and containers, but can be controlled with group_vars or host_vars as well
if needed.
deprecations:
- |
Since certificates and CA distribution are now handled with PKI role,
variable ``openstack_host_ca_location`` has been deprecated and removed.

View File

@ -47,6 +47,33 @@
tags:
- openstack_hosts-config
- name: Ensure environement is applied during sudo
lineinfile:
path: /etc/pam.d/sudo
line: "session required pam_env.so readenv=1 user_readenv=0"
regexp: 'session\s+required\s+pam_env\.so'
insertbefore: '^@include'
when: ansible_facts['distribution'] | lower == 'debian'
- name: Create systemd global directory
file:
path: /etc/systemd/system.conf.d/
state: directory
owner: "root"
group: "root"
mode: "0644"
- name: Add DefaultEnvironment to systemd
config_template:
src: systemd-environment.j2
dest: /etc/systemd/system.conf.d/osa-default-environment.conf
owner: "root"
group: "root"
mode: "0644"
config_overrides: "{{ openstack_systemd_global_overrides }}"
config_type: ini
notify: Systemd daemon reload
# Configure host files should apply to all nodes
- name: Configure etc hosts files
include_tasks: openstack_update_hosts_file.yml

View File

@ -1,8 +1,7 @@
PATH="{{ openstack_host_environment_path | join(':') }}"
{% if global_environment_variables is defined %}
REQUESTS_CA_BUNDLE="{{ openstack_ca_bundle_path }}"
{% for key, value in global_environment_variables.items() %}
{% if value %}
{{ key }}={{ value }}
{% endif %}
{% endfor %}
{% endif %}

View File

@ -0,0 +1,4 @@
# {{ ansible_managed }}
[Manager]
DefaultEnvironment=REQUESTS_CA_BUNDLE={{ openstack_ca_bundle_path }}

View File

@ -94,4 +94,4 @@ _package_repos:
state: present
filename: "osbpo"
_openstack_host_ca_location: /usr/local/share/ca-certificates/
_openstack_ca_bundle_path: /etc/ssl/certs/ca-certificates.crt

View File

@ -104,4 +104,4 @@ _package_repos:
gpgcheck: no
module_hotfixes: yes
_openstack_host_ca_location: /etc/pki/ca-trust/source/anchors/
_openstack_ca_bundle_path: /etc/pki/tls/certs/ca-bundle.crt

View File

@ -96,4 +96,4 @@ _package_repos:
state: present
filename: "uca"
_openstack_host_ca_location: /usr/local/share/ca-certificates/
_openstack_ca_bundle_path: /etc/ssl/certs/ca-certificates.crt

View File

@ -97,4 +97,4 @@ _package_repos: []
_uca_repo: "deb {{ apt_repo_url | default('http://ubuntu-cloud.archive.canonical.com/ubuntu') }} {{ ansible_facts['lsb']['codename'] }}-updates/{{ openstack_distrib_code_name | lower }} main"
_openstack_host_ca_location: /usr/local/share/ca-certificates/
_openstack_ca_bundle_path: /etc/ssl/certs/ca-certificates.crt