17 Commits

Author SHA1 Message Date
Ade Lee
017ced4d97 Always update the local certmonger ca cert
The local certmonger cert will renew after half its lifetime, which will
be after 6 months by default.  The current code would extract the CA cert
to a PEM file (and trust it), only if the cert in the existing PEM file
was expired.

But this means that the certmonger local cert could be renewed after six
months and not be replaced in the PEM file until the existing cert
expired at the end of the year.  If certs are issued in this time, they
will not be trusted and the update will fail.

This patch removes this condition, so that the extracted and trusted cert
always matches what is in the PEM file, and what is trusted.

Note, the only place this occurs is on the undercloud - because this is
where we could use the certmonger local cert.  We assume that the haproxy
cert will be re-issued in an update.

Change-Id: If804dc369c5883eeb51f7e6dcd01ee0e5967c7cf
2021-04-06 15:33:19 +00:00
Juan Antonio Osorio Robles
e177129e59 Stop creating symlinks for libvirt's CA files
These were used in baremetal deployments, but are unused in
containerized deployments. We bind-mount the CA files instead of
creating symlinks nowadays.

Change-Id: Ib05f2bc4be9987b222cef78541fe05988cd8c0a4
Related-Bug: #1821139
2019-03-21 15:27:25 +01:00
Juan Antonio Osorio Robles
5d6201f9fc Explicitly set certmonger's CA cert's permissions
We were relying on the default permissions that were being set by the
command that extracts the certificate into a PEM file. This wasn't the
right approach, as it could be too restrictive in some setups.

Here, we explicitly tell puppet to set the appropriate permissions
instead.

Given this is a certificate file, and there's no private key involved,
we can set it as world readable (0644), as folks in the system need to
access the file.

Change-Id: I4b2cb1071e3fd5a1277d54b86822e8fef2df0d78
Closes-bug: #1788257
2019-01-17 08:10:38 +02:00
Alex Schultz
daa4710a0a Fix linting issues
https://review.openstack.org/624989 fixed the lint job and since it's
been broken for a while, we've got some linting issues.

Closes-Bug: #1808883
Change-Id: I3d5df4479cf05f4c4a81d37184e8225ea1478e26
2018-12-17 17:08:05 -07:00
Martin Schuppert
62861db22d Add support for native TLS encryption on NBD for disk migration
The NBD protocol previously ran in clear text, offering no security
protection for the data transferred, unless it is tunnelled over some
external transport like SSH. Such tunnelling is inefficient and
inconvenient to manage. Support for TLS to the NBD clients & servers
provided by QEMU was added. In the tls-everywhere use case we want to
take advantage of this feature to create the certificates and configure
qemu to use nbd tls.

Related-bug: 1793093
Depends-On: Ifa5cf08d5104a62c9c094e3585de33e19e265110
Change-Id: I1db1b60be4907511f0ec0f5aa0f0a45e1c5d9b45
2018-12-05 11:31:43 +01:00
Juan Antonio Osorio Robles
5d60472d78 Use exec for CA CRL instead of file resource
This is because the file resource doesn't properly handle query
parameters in URLs. So we are forced to use an exec resource here. It's
fine if we always trigger the CRL downloading, as that's a file that
gets updated often.

Also ensure we get properly escaped source/destination for the download.

Co-Authored-By: Cédric Jeanneret <cjeanner@redhat.com>
Change-Id: I15ad3ab0cd129a8e1b9261341c0510265bda8016
Closes-Bug: #1787878
2018-08-21 11:33:52 +00:00
Derek Higgins
8187a83259 Disable curl globbing
Disable curl globbing to allow Swift ringbuilder to upload to IPv6
upload addresses. Also disable globbing in the other places curl
is used.

Change-Id: Iba51cc75bea26b775f790849f0b466a6528ee627
Closes-Bug: #1757118
2018-03-20 11:43:24 +00:00
Juan Antonio Osorio Robles
a4ae09d169 Extract local CA if it expired
This adds a conditional that extracts certmonger's local CA if the
certificate doesn't exist or if it has expired already. This adds the
ability for the deployer to fix the undercloud installation with the
undercloud install command itself if expiration of the CA cert happens.

Change-Id: I61577be2434d7321dd462902d386c6911c2c4f57
Closes-Bug: #1753948
2018-03-14 06:07:26 +00:00
Oliver Walsh
ceb4faebe1 Add support for libvirt VNC TLS with option of a dedicated CA
Configures ca/certs/key for nova-novnc vencrypt.

A dedicated IPA sub-CA can optionally be used to restrict access.
A custom certmonger helper is used to support this as certmonger currently
has limited support for IPA sub-CAs.

Depends-On: I24a9841ba04c95df27599b4d7ac2da8416e751e5
Change-Id: Ic73bcbdbecc1bc05f43acdd5480370f37ead3fb8
2018-02-14 10:23:26 +00:00
Juan Antonio Osorio Robles
139ac85028 Add /bin to PATH for CRL cronjob
Checking the root's mail (/var/mail/root) I finally saw the root cause
of the CRL cronjob not working.

/bin/sh: curl: command not found

Now, curl (and most commands used by that cronjob) is in the /bin bash,
so we need to add it to the environment's PATH for the cronjob.

Change-Id: If10855b801782eeaf2006cd57071d74d13daf8c2
Closes-Bug: #1712404
2017-08-24 09:25:33 +03:00
Juan Antonio Osorio Robles
ab48d3a438 Add -s (silent) to curl command for CRL refresh
Without it, it doesn't reload the services it should.

Change-Id: I43e6188700deb585f905ca700e69b6875f0ded45
Closes-Bug: #1712404
2017-08-22 21:07:38 +03:00
Emilien Macchi
3ee568800d Update resource references for dependencies
The latest version of puppet now reports these as catalog failures so
this change removes the unnecessary references and the references
should be updated.

Closes-Bug: #1702964
Change-Id: Iebc547aa92f9f40e4a633c57d79e6c9cddb5dd28
2017-07-15 22:21:18 -07:00
Juan Antonio Osorio Robles
fabb0b236e Change CRL refresh to run every 2 hours
The default CA issues CRLs for 4 hours by default. So we need to change
these values to reflect this, else we'll get verification issues due to
the CRL having expired before it's refreshed.

However, the nextupdate value for the CRLs might not be aligned with the
cron job. And getting this alignment is not entirely trivial. So I opted
for updating every 2 hours to address this.

Change-Id: I732b400462c5cabd7c6c18c007fc9e8c87b700d3
2017-06-26 14:24:26 +00:00
Juan Antonio Osorio Robles
2bb37b6189 Add resource to fetch CRL
This will fetch the CRL file from the specified file or URL. Furthermore,
it will set up a cron job to refresh the crl file once a week and notify
the needed services.

bp tls-via-certmonger

Change-Id: I38e163e8ebb80ea5f79cfb8df44a71fdcd284e04
2017-06-08 16:57:15 +03:00
Juan Antonio Osorio Robles
8b40d4670d TLS-everywhere: Add resources for libvirt's cert for live migration
This merely requests the certificates that will be used for libvirt's
live migration if TLS-everywhere is enabled.

bp tls-via-certmonger

Change-Id: If18206d89460f6660a81aabc4ff8b97f1f99bba7
2017-04-07 11:31:40 +03:00
Emilien Macchi
9b974df7a2 certmonger: improve orchestration for puppet4
The extract-and-trust-ca actually needs the /var/lib/certmonger/local/creds
file to be created, which is created when certmonger is started, not
when the package is installed.
This patch changes the exec dependency to run it only when the service is
started.
Also, since the service creates the file, let's relax the Exec a little
bit by allowing it to retry 5 times after a 1s break in case the Exec fails,
for example if the service takes more than 5 seconds to create this file.
It will avoid us some race conditions in the deployment.

Change-Id: I4cf4a04bddb8f042e8e8f7e1d1b69f846c533e3b
2016-09-20 16:17:43 -04:00
Juan Antonio Osorio Robles
59166f799b Add class to use certmonger's local CA
This class extracts the certificate and adds it to the trusted certs.

bp tls-via-certmonger

Change-Id: I6dc1e0469cd7dbbb51659c8f29975d25b2941ec3
2016-07-21 10:43:52 +03:00