The local certmonger cert will renew after half its lifetime, which will
be after 6 months by default. The current code would extract the CA cert
to a PEM file (and trust it), only if the cert in the existing PEM file
was expired.
But this means that the certmonger local cert could be renewed after six
months and not be replaced in the PEM file until the existing cert
expired at the end of the year. If certs are issued in this time, they
will not be trusted and the update will fail.
This patch removes this condition, so that the extracted and trusted cert
always matches what is in the PEM file, and what is trusted.
Note, the only place this occurs is on the undercloud - because this is
where we could use the certmonger local cert. We assume that the haproxy
cert will be re-issued in an update.
Change-Id: If804dc369c5883eeb51f7e6dcd01ee0e5967c7cf
These were used in baremetal deployments, but are unused in
containerized deployments. We bind-mount the CA files instead of
creating symlinks nowadays.
Change-Id: Ib05f2bc4be9987b222cef78541fe05988cd8c0a4
Related-Bug: #1821139
We were relying on the default permissions that were being set by the
command that extracts the certificate into a PEM file. This wasn't the
right approach, as it could be too restrictive in some setups.
Here, we explicitly tell puppet to set the appropriate permissions
instead.
Given this is a certificate file, and there's no private key involved,
we can set it as world readable (0644), as folks in the system need to
access the file.
Change-Id: I4b2cb1071e3fd5a1277d54b86822e8fef2df0d78
Closes-bug: #1788257
https://review.openstack.org/624989 fixed the lint job and since it's
been broken for a while, we've got some linting issues.
Closes-Bug: #1808883
Change-Id: I3d5df4479cf05f4c4a81d37184e8225ea1478e26
The NBD protocol previously ran in clear text, offering no security
protection for the data transferred, unless it is tunnelled over some
external transport like SSH. Such tunnelling is inefficient and
inconvenient to manage. Support for TLS to the NBD clients & servers
provided by QEMU was added. In the tls-everywhere use case we want to
take advantage of this feature to create the certificates and configure
qemu to use NBD TLS.
Related-bug: 1793093
Depends-On: Ifa5cf08d5104a62c9c094e3585de33e19e265110
Change-Id: I1db1b60be4907511f0ec0f5aa0f0a45e1c5d9b45
This is because the file resource doesn't properly handle query
parameters in URLs. So we are forced to use an exec resource here. It's
fine if we always trigger the CRL downloading, as that's a file that
gets updated often.
Also ensure we get proper escaped source/destination for the download.
Co-Authored-By: Cédric Jeanneret <cjeanner@redhat.com>
Change-Id: I15ad3ab0cd129a8e1b9261341c0510265bda8016
Closes-Bug: #1787878
Disable curl globbing to allow Swift ringbuilder to upload to IPv6
upload addresses. Also disable globbing in the other places curl
is used.
Change-Id: Iba51cc75bea26b775f790849f0b466a6528ee627
Closes-Bug: #1757118
This adds a conditional that extracts certmonger's local CA if the
certificate doesn't exist or if it has expired already. This adds the
ability for the deployer to fix the undercloud installation with the
undercloud install command itself if expiration of the CA cert happens.
Change-Id: I61577be2434d7321dd462902d386c6911c2c4f57
Closes-Bug: #1753948
Configures ca/certs/key for nova-novnc vencrypt.
A dedicated IPA sub-CA can optionally be used to restrict access.
A custom certmonger helper is used to support this as certmonger currently
has limited support for IPA sub-CAs.
Depends-On: I24a9841ba04c95df27599b4d7ac2da8416e751e5
Change-Id: Ic73bcbdbecc1bc05f43acdd5480370f37ead3fb8
Checking the root's mail (/var/mail/root) I finally saw the root cause
of the CRL cronjob not working.
/bin/sh: curl: command not found
Now, curl (and most commands used by that cronjob) is in the /bin bash,
so we need to add it to the environment's PATH for the cronjob.
Change-Id: If10855b801782eeaf2006cd57071d74d13daf8c2
Closes-Bug: #1712404
The latest version of puppet now reports these as catalog failures so
this change removes the unnecessary references and the references
should be updated.
Closes-Bug: #1702964
Change-Id: Iebc547aa92f9f40e4a633c57d79e6c9cddb5dd28
The default CA issues CRLs for 4 hours by default. So we need to change
these values to reflect this, else we'll get verification issues due to
the CRL having expired before it's refreshed.
However, the nextupdate value for the CRLs might not be aligned with the
cron job. And getting this alignment is not entirely trivial. So I opted
for updating every 2 hours to address this.
Change-Id: I732b400462c5cabd7c6c18c007fc9e8c87b700d3
This will fetch the CRL file from the specified file or URL. Furthermore
it will set up a cron job to refresh the CRL file once a week and notify
the needed services.
bp tls-via-certmonger
Change-Id: I38e163e8ebb80ea5f79cfb8df44a71fdcd284e04
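The CRL handling described in the commits above (an exec instead of a file resource because of the query string, curl globbing disabled for IPv6 addresses, an explicit PATH for the cron job, and a 2-hourly refresh that notifies the consuming services) can be put together in one Puppet fragment. This is an added example, not puppet-tripleo's own manifest: the CRL URL, destination path, resource names and the list of notified services are assumptions, and `join()` is taken to be available (Puppet 5.5+ or puppetlabs-stdlib).

```puppet
# Added example (not puppet-tripleo's own code). The URL, destination and
# service list below are assumed values chosen for illustration.
$crl_source   = 'http://ipa.example.test/ipa/crl/MasterCRL.bin?format=pem'  # assumed URL with a query string
$crl_dest     = '/etc/pki/ca-trust/source/anchors/ipa-crl.pem'              # assumed destination
$crl_services = ['haproxy', 'httpd']                                         # assumed consumers of the CRL

# A file resource cannot fetch a URL that carries query parameters, so the
# download is an exec running curl. shellquote() escapes every argument, and
# -g disables URL globbing so a literal IPv6 address such as
# http://[fd00::1]/... is not parsed as a character range. The exec is
# unconditional: the CRL is short lived and re-downloading it is cheap.
$fetch_crl = shellquote('curl', '-g', '-s', '-L', '-o', $crl_dest, $crl_source)

exec { 'fetch-crl':
  command => $fetch_crl,
  path    => ['/bin', '/usr/bin'],
  notify  => Service[$crl_services],
}

# cron runs commands with a minimal environment, so curl in /bin or /usr/bin
# is only found if PATH is set explicitly. Refreshing every 2 hours keeps the
# local copy well inside a 4 hour CRL validity window even though the CRL's
# nextUpdate is not aligned with the job; the consumers are reloaded so they
# pick up the new file.
cron { 'refresh-crl':
  command     => "${fetch_crl} && systemctl reload ${join($crl_services, ' ')}",
  environment => ['PATH=/bin:/usr/bin'],
  user        => 'root',
  minute      => '0',
  hour        => '*/2',
}
```

The point of keeping the same `$fetch_crl` string in both resources is that the cron job and the Puppet run cannot drift apart: whatever escaping or curl flags are fixed in one place apply to the other.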
This merely requests the certificates that will be used for libvirt's
live migration if TLS-everywhere is enabled.
bp tls-via-certmonger
Change-Id: If18206d89460f6660a81aabc4ff8b97f1f99bba7
The extract-and-trust-ca actually needs /var/lib/certmonger/local/creds
file to be created, which is created when certmonger is started, not
when package is installed.
This patch changes the exec dependency to run it only when the service is
started.
Also, since the service creates the file, let's relax the Exec a little
bit by allowing it to retry 5 times after a 1s break in case the Exec fails,
for example if the service takes more than 5 seconds to create this file.
It will avoid some race conditions in the deployment.
Change-Id: I4cf4a04bddb8f042e8e8f7e1d1b69f846c533e3b
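Three of the commits above concern the same exec: the first (extract the certmonger local CA so the trusted PEM always matches the store instead of only replacing it after expiry), the one setting explicit 0644 permissions on the extracted certificate, and this last one (depend on the certmonger service rather than the package, and retry while the creds file is still being created). The following is an added example that combines those three points; it is not puppet-tripleo's own manifest. The PEM path and resource names are assumptions, and so is the assumption that `/var/lib/certmonger/local/creds` is a PKCS#12 bundle readable without a passphrase.

```puppet
# Added example (not puppet-tripleo's own code). Paths other than the creds
# file, resource names and the creds file format are assumptions.
$creds  = '/var/lib/certmonger/local/creds'
$ca_pem = '/etc/pki/ca-trust/source/anchors/cm-local-ca.pem'   # assumed path

# SHA-256 fingerprint of the CA currently inside certmonger's store, obtained
# by piping the extracted certificate straight into `openssl x509`.
$store_fp = "openssl pkcs12 -in ${creds} -nokeys -passin pass: | openssl x509 -noout -fingerprint -sha256"
# Fingerprint of the copy we currently trust. This fails if the file is
# missing, which makes the exec run.
$pem_fp   = "openssl x509 -noout -fingerprint -sha256 -in ${ca_pem}"

exec { 'extract-and-trust-ca':
  command   => "openssl pkcs12 -in ${creds} -nokeys -passin pass: -out ${ca_pem} && update-ca-trust extract",
  # Skip only when the trusted PEM holds exactly the certificate in the store.
  # Gating this on expiry alone, e.g. `openssl x509 -checkend 0 -noout -in
  # ${ca_pem}`, leaves a renewed CA untrusted until the old copy expires.
  # `\$(` is an escaped shell substitution, not Puppet interpolation.
  unless    => "test \"\$(${store_fp})\" = \"\$(${pem_fp})\"",
  provider  => 'shell',
  path      => ['/bin', '/usr/bin'],
  # The creds file only exists once certmonger has started, so depend on the
  # service, not the package, and retry briefly if it is still starting.
  require   => Service['certmonger'],
  tries     => 5,
  try_sleep => 1,
}

# The extracted file is a certificate with no private key, so an explicit
# world-readable mode is appropriate; relying on the tool's default umask
# can produce a file other services cannot read.
file { $ca_pem:
  ensure  => file,
  owner   => 'root',
  group   => 'root',
  mode    => '0644',
  require => Exec['extract-and-trust-ca'],
}
```

Comparing fingerprints rather than expiry dates is what makes the "PEM always matches the store" property hold: a certificate renewed at the half-life point has a different fingerprint, so the next Puppet run re-extracts and re-trusts it without waiting for the old copy to expire.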