Enable trust anchor injection

This commit enables the injection of a trust anchor or root
certificate into every node in the overcloud. This covers the case where the
TLS certificates for the controllers are signed with a self-signed CA,
or where the deployer would like to inject a relevant root certificate
for other purposes. In either case the other nodes might need to have
the root certificate in their trust chain in order to perform proper
validation.

Change-Id: Ia45180fe0bb979cf12d19f039dbfd22e26fb4856
Juan Antonio Osorio Robles 2015-11-03 15:27:28 +02:00
parent 97b12afbad
commit 14c4417e42
9 changed files with 136 additions and 6 deletions


@ -0,0 +1,6 @@
parameter_defaults:
SSLRootCertificate: |
The contents of your root CA certificate go here
resource_registry:
OS::TripleO::NodeTLSCAData: ../puppet/extraconfig/tls/ca-inject.yaml
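Review bot: The placeholder under `SSLRootCertificate: |` is a literal block scalar, so if this environment is applied without editing, that sentence itself is written to the anchors path and handed to the trust-update command by ca-inject.yaml. A comment above the key would make the contract explicit: `# Replace with the full PEM block of your root CA, including the BEGIN/END CERTIFICATE lines.` The `|` style is the right choice here since it preserves the PEM line breaks.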


@ -33,6 +33,7 @@ resource_registry:
# NodeExtraConfig == All nodes configuration pre service deployment
# NodeExtraConfigPost == All nodes configuration post service deployment
OS::TripleO::NodeUserData: firstboot/userdata_default.yaml
OS::TripleO::NodeTLSCAData: puppet/extraconfig/tls/no-ca.yaml
OS::TripleO::NodeTLSData: puppet/extraconfig/tls/no-tls.yaml
OS::TripleO::ControllerExtraConfigPre: puppet/extraconfig/pre_deploy/default.yaml
OS::TripleO::ComputeExtraConfigPre: puppet/extraconfig/pre_deploy/default.yaml
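Review bot: The new `OS::TripleO::NodeTLSCAData` entry is the only hook in this block without a line in the comment list above it, which documents the other per-node hooks. Adding `# NodeTLSCAData == All nodes injection of a root CA certificate into the trust store` in the same style would tell a deployer what the no-ca.yaml default is opting out of.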


@ -176,6 +176,13 @@ resources:
ceph::profile::params::cluster_network: {get_input: ceph_cluster_network}
ceph::profile::params::public_network: {get_input: ceph_public_network}
# Resource for site-specific injection of root certificate
NodeTLSCAData:
depends_on: CephStorageDeployment
type: OS::TripleO::NodeTLSCAData
properties:
server: {get_resource: CephStorage}
# Hook for site-specific additional pre-deployment config, e.g extra hieradata
CephStorageExtraConfigPre:
depends_on: CephStorageDeployment
@ -186,7 +193,7 @@ resources:
# Hook for site-specific additional pre-deployment config,
# applying to all nodes, e.g node registration/unregistration
NodeExtraConfig:
depends_on: CephStorageExtraConfigPre
depends_on: [CephStorageExtraConfigPre, NodeTLSCAData]
type: OS::TripleO::NodeExtraConfig
properties:
server: {get_resource: CephStorage}
@ -227,5 +234,6 @@ outputs:
list_join:
- ','
- - {get_attr: [CephStorageDeployment, deploy_stdout]}
- {get_attr: [NodeTLSCAData, deploy_stdout]}
- {get_attr: [CephStorageExtraConfigPre, deploy_stdout]}
- {get_param: UpdateIdentifier}
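Review bot: `CephStorageExtraConfigPre` keeps `depends_on: CephStorageDeployment`, so it is not ordered after `NodeTLSCAData`; only `NodeExtraConfig` waits for both. If a site's pre-deploy config reaches TLS endpoints that chain to the injected CA, it may run before the anchor is installed, which seems to defeat the purpose of the ordering. If that ordering is intended, `depends_on: [CephStorageDeployment, NodeTLSCAData]` on the ExtraConfigPre resource would guarantee it; the same applies to `ComputeExtraConfigPre` in the compute template below. The rest of the CephStorageExtraConfigPre definition is outside the hunk.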


@ -257,10 +257,17 @@ resources:
snmpd_readonly_user_name: {get_input: snmpd_readonly_user_name}
snmpd_readonly_user_password: {get_input: snmpd_readonly_user_password}
# Resource for site-specific injection of root certificate
NodeTLSCAData:
depends_on: BlockStorageDeployment
type: OS::TripleO::NodeTLSCAData
properties:
server: {get_resource: BlockStorage}
# Hook for site-specific additional pre-deployment config,
# applying to all nodes, e.g node registration/unregistration
NodeExtraConfig:
depends_on: BlockStorageDeployment
depends_on: NodeTLSCAData
type: OS::TripleO::NodeExtraConfig
properties:
server: {get_resource: BlockStorage}
@ -304,4 +311,5 @@ outputs:
list_join:
- ''
- - {get_attr: [BlockStorageDeployment, deploy_stdout]}
- {get_attr: [NodeTLSCAData, deploy_stdout]}
- {get_param: UpdateIdentifier}


@ -540,6 +540,13 @@ resources:
enable_package_install: {get_param: EnablePackageInstall}
enable_package_upgrade: {get_attr: [UpdateDeployment, update_managed_packages]}
# Resource for site-specific injection of root certificate
NodeTLSCAData:
depends_on: NovaComputeDeployment
type: OS::TripleO::NodeTLSCAData
properties:
server: {get_resource: NovaCompute}
# Hook for site-specific additional pre-deployment config, e.g extra hieradata
ComputeExtraConfigPre:
depends_on: NovaComputeDeployment
@ -550,7 +557,7 @@ resources:
# Hook for site-specific additional pre-deployment config,
# applying to all nodes, e.g node registration/unregistration
NodeExtraConfig:
depends_on: ComputeExtraConfigPre
depends_on: [ComputeExtraConfigPre, NodeTLSCAData]
type: OS::TripleO::NodeExtraConfig
properties:
server: {get_resource: NovaCompute}
@ -602,5 +609,6 @@ outputs:
list_join:
- ','
- - {get_attr: [NovaComputeDeployment, deploy_stdout]}
- {get_attr: [NodeTLSCAData, deploy_stdout]}
- {get_attr: [ComputeExtraConfigPre, deploy_stdout]}
- {get_param: UpdateIdentifier}


@ -701,9 +701,16 @@ resources:
bridge_name: br-ex
interface_name: {get_param: NeutronPublicInterface}
# Resource for site-specific injection of root certificate
NodeTLSCAData:
depends_on: NetworkDeployment
type: OS::TripleO::NodeTLSCAData
properties:
server: {get_resource: Controller}
# Hook for site-specific passing of private keys/certificates
NodeTLSData:
depends_on: NetworkDeployment
depends_on: NodeTLSCAData
type: OS::TripleO::NodeTLSData
properties:
server: {get_resource: Controller}
@ -1305,7 +1312,7 @@ resources:
# Hook for site-specific additional pre-deployment config,
# applying to all nodes, e.g node registration/unregistration
NodeExtraConfig:
depends_on: ControllerExtraConfigPre
depends_on: [ControllerExtraConfigPre, NodeTLSData]
type: OS::TripleO::NodeExtraConfig
properties:
server: {get_resource: Controller}
@ -1385,6 +1392,7 @@ outputs:
list_join:
- ','
- - {get_attr: [ControllerDeployment, deploy_stdout]}
- {get_attr: [NodeTLSCAData, deploy_stdout]}
- {get_attr: [NodeTLSData, deploy_stdout]}
- {get_attr: [ControllerExtraConfigPre, deploy_stdout]}
- {get_param: UpdateIdentifier}


@ -0,0 +1,66 @@
heat_template_version: 2015-04-30
description: >
This is a template which will inject the trusted anchor.
parameters:
# Can be overriden via parameter_defaults in the environment
SSLRootCertificate:
description: >
The content of a CA's SSL certificate file in PEM format.
This is evaluated on the client side.
type: string
SSLRootCertificatePath:
default: '/etc/pki/ca-trust/source/anchors/ca.crt.pem'
description: >
The filepath of the root certificate as it will be stored in the nodes.
Note that the path has to be one that can be picked up by the update
trust anchor command. e.g. in RHEL it would be
/etc/pki/ca-trust/source/anchors/ca.crt.pem
type: string
UpdateTrustAnchorsCommand:
default: update-ca-trust extract
description: >
command that will be executed to update the trust anchors.
type: string
# Passed in by controller.yaml
server:
description: ID of the node to apply this config to
type: string
resources:
CAConfig:
type: OS::Heat::SoftwareConfig
properties:
group: script
inputs:
- name: cacert_path
- name: cacert_content
- name: update_anchor_command
outputs:
- name: root_cert_md5sum
config: |
#!/bin/sh
cat > ${cacert_path} << EOF
${cacert_content}
EOF
chmod 0440 ${cacert_path}
chown root:root ${cacert_path}
${update_anchor_command}
md5sum ${cacert_path} > ${heat_outputs_path}.root_cert_md5sum
CADeployment:
type: OS::Heat::SoftwareDeployment
properties:
config: {get_resource: CAConfig}
server: {get_param: server}
input_values:
cacert_path: {get_param: SSLRootCertificatePath}
cacert_content: {get_param: SSLRootCertificate}
update_anchor_command: {get_param: UpdateTrustAnchorsCommand}
outputs:
deploy_stdout:
description: Deployment reference
value: {get_attr: [CADeployment, root_cert_md5sum]}
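Review bot: The script under `config: |` has no error handling, so if writing `${cacert_path}` or running `${update_anchor_command}` fails, the script still exits 0 and records an md5sum as if the anchor had been installed; add `set -e` directly after the `#!/bin/sh` line so a failed step fails CADeployment instead of reporting success. The path variable is unquoted in the `cat`, `chmod`, `chown` and `md5sum` lines; writing it as `"${cacert_path}"` avoids word splitting for a deployer-supplied `SSLRootCertificatePath`. The `root_cert_md5sum` output appears to serve only as a change trigger through deploy_stdout, so its `description: Deployment reference` would be clearer as `Deployment reference (md5sum of the installed CA file, used to trigger re-apply on change)`.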


@ -0,0 +1,17 @@
heat_template_version: 2015-04-30
description: >
This is a default no-op template which can be passed to the
OS::Nova::Server resources. This template can be replaced with
a different implementation via the resource registry, such that
deployers may customize their configuration.
parameters:
server: # Here for compatibility with controller.yaml
description: ID of the controller node to apply this config to
type: string
outputs:
deploy_stdout:
description: Deployment reference, used to trigger puppet apply on changes
value: 'Root CA cert injection not enabled.'
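Review bot: The `server` parameter is described as `ID of the controller node to apply this config to` with a comment about compatibility with controller.yaml, but this commit registers `OS::TripleO::NodeTLSCAData` from the ceph, block-storage, compute, swift and controller templates alike. Matching ca-inject.yaml with `description: ID of the node to apply this config to` and dropping the controller-only comment would keep the two templates consistent. The description's mention of `OS::Nova::Server resources` also reads as carried over from the no-tls template; `passed as OS::TripleO::NodeTLSCAData for every node role` would describe how it is actually used.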


@ -218,10 +218,17 @@ resources:
enable_package_upgrade: {get_attr: [UpdateDeployment, update_managed_packages]}
swift_management_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, SwiftMgmtNetwork]}]}
# Resource for site-specific injection of root certificate
NodeTLSCAData:
depends_on: SwiftStorageHieraDeploy
type: OS::TripleO::NodeTLSCAData
properties:
server: {get_resource: SwiftStorage}
# Hook for site-specific additional pre-deployment config,
# applying to all nodes, e.g node registration/unregistration
NodeExtraConfig:
depends_on: SwiftStorageHieraDeploy
depends_on: NodeTLSCAData
type: OS::TripleO::NodeExtraConfig
properties:
server: {get_resource: SwiftStorage}
@ -272,4 +279,5 @@ outputs:
list_join:
- ','
- - {get_attr: [SwiftStorageHieraDeploy, deploy_stdout]}
- {get_attr: [NodeTLSCAData, deploy_stdout]}
- {get_param: UpdateIdentifier}