18 Commits

Author SHA1 Message Date
Alan Bishop
37b8666f64 Add certmonger-etcd-refresh.sh script
Add a script that refreshes the etcd cert and key files in all
containers that reference them. This includes etcd itself, plus any
cinder services that access etcd.

Change-Id: I0ea26253355a57b3721bfa6ceef3972eaabc5b1d
(cherry picked from commit 95db8b4947f0a80a0109131eda8f66ed4acb90d6)
2020-08-04 10:41:17 -07:00
Damien Ciabrini
e0fa5abdf6 Ensure post-save certmonger scripts target the right HA container
HAProxy and RabbitMQ can reload their TLS certificate on change,
without being restarted. To do that, a post-save script scans the
list of running containers, copies the new certs and triggers a reload
action in the service.

Make sure that those post-save scripts only get the right container
out of the "$container_cli ps" command, i.e. that the scripts work
both with HA and non-HA deployments.

Change-Id: Iaba8da504f9c7a54656cf1abe259dff779ea7125
Closes-Bug: #1885284
(cherry picked from commit 3e942b7ff5cc91bfee7cc19d31b502548dcf3f57)
2020-07-21 07:52:35 +00:00
Dave Wilde (d34dh0r53)
146674dcea Ensure that the HAProxy certificate is updated
While doing research for this bugzilla[1] I found that since the
actual certificate PEM file is being bind mounted the mount is acting
as a hard link to the inode of the PEM rather than just a pointer to
its location in the directory. When the new file is copied over the
inode is updated but the container still maintains a link to the stale
inode. This patch copies the contents of the certificate into the
container so that the HUP of HAProxy will reload the certificate.

[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1765839

Change-Id: Idf106c9ffa23ed00c497e1e5014e1b5718254320
Closes-Bug: 1871663
(cherry picked from commit c1e09672a52fea82d853d17145901109291ac1f1)
2020-07-06 16:17:02 +00:00
Damien Ciabrini
00a06edc5c Support for mariadb's ed25519 authentication
Add the ability to configure all mysql users to require authenticating
to the server via mariadb's ed25519 auth plugin [1], rather than the
default native authentication [2].

[1] https://mariadb.com/kb/en/authentication-plugin-ed25519/
[2] https://mariadb.com/kb/en/authentication-plugin-mysql_native_password/

Change-Id: I430ea8e1fa15fb263d1d4ef8c39615021d907f8a
Partial-Bug: #1866093
2020-03-25 17:45:43 +01:00
Francesco Pantano
165ed10dc1 Fix restart unit condition on radosgw
This change just fixes the restart condition
for the radosgw file used when the certificate
is renewed.

Change-Id: Id3f76cd03c993d013090c7c764d6963a64a1c74f
2020-03-09 14:46:06 +01:00
Francesco Pantano
7013cd94ee Add Certmonger ceph_rgw class to config tls
This patch adds the ceph_rgw class required by certmonger to
create the cert/key.
This patch also creates the service_pem file since the rgw
container private key, public certificate and any other CA or
intermediate certificates should be in one file, in PEM format.

Change-Id: I960f7c48866ef11e58e63d80217f7df660455fe1
2020-03-03 13:01:22 +01:00
Francesco Pantano
eec31fd149 Add ceph dashboard frontend endpoint and tls-e integration
This change exposes to the end-user the new ceph dashboard
frontend which is fully integrated with grafana service.
This review also adds all the info/classes to integrate the
service with tls-everywhere framework, providing the cert
request and generation that will be passed to ceph dashboard
via ceph-ansible.

Depends-On: https://review.opendev.org/#/c/704308
Change-Id: Id6d2e4b00355cd84baccc2b493f3205c2b32a44b
2020-01-30 12:37:52 +01:00
Cédric Jeanneret
86eab6ce8c Corrected default value for container_cli
Since Stein (OSP-15), we're using podman by default. We therefore must
reflect this in certmonger refresh scripts.

Change-Id: I377511aa0be7efbf58cd2a70e8b9a774bb679f61
2019-11-28 09:12:51 +01:00
fpantano
13d0dc504e Add certmonger-grafana-refresh script
Following the pattern of the other openstack components,
we need the refresh script that triggers a restart of the
ceph grafana container when the certificate gets renewed.
This commit also adds the postsave_cmd in the ceph_grafana
puppet file to reflect the change.

Change-Id: I91df82eec1715bd7a9d0b1ac44f72dd76f9e54cd
2019-08-20 08:23:58 +02:00
Nagasai Vinaykumar Kapalavai
be82c86906 Qdr: InternalTLS support.
Configuration changes to provide Internal TLS support
for Qdr.

Change-Id: I30142db8bfa55412b8c8224aeb05916184117a86
2019-03-28 16:28:05 -04:00
Juan Antonio Osorio Robles
c5d8ed538a haproxy/certmonger: use container_cli to trigger HUP signal
We were using pkill, which would fail due to SELinux. Using the
container cli would be a better option. It's also more portable.

Change-Id: I6bf92bc1e74797d9132ae595af8929e67d439f43
Closes-Bug: #1821149
2019-03-21 10:13:07 +00:00
Grzegorz Grasza
7cc4a3da6f neutron dhcpd: Add script for certmonger postsave_cmd
The default update procedure didn't work, so we are fixing that.

Related-Bug: #1811401
Needed-By: I449df13ea2c49a8cf6d2e8e632b2b39707071c52
Change-Id: I9954cf33efedf2ec3dfb03109595cd4431feff60
2019-02-04 11:28:29 +01:00
Grzegorz Grasza
e6306badac novnc-proxy: Remove default post-save command for certmonger
The default command didn't work, so we need to fix that.

Related-Bug: #1811401
Needed-By: Idc0844c8726aa53bc4cbd55f902248f854d2464f
Change-Id: Ifacbee9e31d84be1008ab7545defac71cf65793f
2019-02-01 16:45:41 +01:00
Grzegorz Grasza
4deea3a46b redis: Remove default post-save command for certmonger
The default command didn't work, so we need to fix that.

The script additionally copies the certificates in the right place
and instead of restarting stunnel, triggers a configuration reload.

Related-Bug: #1811401
Needed-By: I49811a6cab5416d965ce1da93a71728ad5b1d27c
Change-Id: I437d69fef45d1662e8908c5ca0f7063be6cb9b32
2019-01-25 17:28:26 +01:00
Grzegorz Grasza
801391a13e rabbitmq: Remove default post-save command for certmonger
The default command didn't work, so we need to fix that.

The script additionally copies the certificates in the right place
and instead of restarting RabbitMQ, it triggers a pem cache reload.

Related-Bug: #1811401
Needed-By: I3e564f9a5abdbf11d0580c4ff801092f32bcc678
Change-Id: Id06633a1adaafe1fef1d3d7f6b2af3ef5ffc9d4a
2019-01-25 15:47:32 +01:00
Juan Antonio Osorio Robles
bd9846062c Reload HAProxy when certificate is renewed
This is meant to fix the issue of the certificate renewal not
automatically restarting/reloading the haproxy service.

It's all done by a script that's installed by puppet.

Preferably this patch and the one pointed by this should merge at the
same time.

Co-Authored-By: Grzegorz Grasza <xek@redhat.com>
Needed-By: Id409899bf04e7f9f2653e6c48cfebd0a92ca2d08
Change-Id: I5d91f8d9b5cd4f86ae0511a69e58858c5dccd35d
2019-01-25 10:40:44 +01:00
Oliver Walsh
ceb4faebe1 Add support for libvirt VNC TLS with option of a dedicated CA
Configures ca/certs/key for nova-novnc vencrypt.

A dedicated IPA sub-CA can optionally be used to restrict access.
A custom certmonger helper is used to support this as certmonger currently
has limited support for IPA sub-CAs.

Depends-On: I24a9841ba04c95df27599b4d7ac2da8416e751e5
Change-Id: Ic73bcbdbecc1bc05f43acdd5480370f37ead3fb8
2018-02-14 10:23:26 +00:00
Juan Antonio Osorio Robles
f85199c778 Add manifests to install and configure stunnel
Some services (such as Redis) can't use mod_proxy as a TLS proxy,
since they're not HTTP services. So stunnel is necessary for these.

Thus, we add manifests to configure it as such.

bp tls-via-certmonger

Change-Id: Ic4a2dac7b3831e4780105e3b05e9c5afcf15c79c
2017-08-25 10:11:08 +00:00