Enable docker registry and HTTPS cert by default

Remove the feature flag that controlled the creation of the Docker Registry and
Rest API/GUI (HTTPS) certificates. This enables creation of these certs during
bootstrap by default; they are then used after the first controller's
unlock.

Certs will be anchored using the system-local-ca issuer CA
certificates, that can be provided by user using bootstrap overrides.
If not provided, they will be anchored using the k8s RCA.

Test plan:
PASS: Bootstrap AIO-SX w/ system-local-ca overrides.
      - Verify certificates w/ sudo show-certs.sh;
      - Login into registry.local;
      - Access horizon - Verify that the certificate provided to the
        browser is correct.
      Bootstrap DC + SX subcloud w/ system-local-ca overrides.
      - Verify certificates w/ sudo show-certs.sh;
      - Login into registry.local and registry.central;
      - Access horizon - Verify that the certificate provided to the
        browser is correct.

Story: 2009811
Task: 49704

Change-Id: Iccbf53ecd7ef5d8cc64092bbf0da77c13787008b
Signed-off-by: Marcelo Loebens <Marcelo.DeCastroLoebens@windriver.com>
This commit is contained in:
Marcelo Loebens 2024-03-11 17:03:38 -04:00 committed by Marcelo de Castro Loebens
parent 83a8421dc4
commit 0d9051a469
4 changed files with 11 additions and 21 deletions


@ -1,6 +1,6 @@
---
#
# Copyright (c) 2022-2023 Wind River Systems, Inc.
# Copyright (c) 2022-2024 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
@ -18,7 +18,6 @@
mode: ''
upgrade_in_progress: true
system_local_ca_overrides: false
create_platform_certificates: true
roles:
- common/install-platform-certificates


@ -1,6 +1,6 @@
---
#
# Copyright (c) 2023 Wind River Systems, Inc.
# Copyright (c) 2023-2024 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
@ -17,8 +17,8 @@
- name: If first bootstrap, mark the creation flags for the required certificates
set_fact:
install_system_open_ldap_certificate: "{{ distributed_cloud_role != 'subcloud' }}"
install_system_registry_local_certificate: "{{ create_platform_certificates }}"
install_system_restapi_gui_certificate: "{{ create_platform_certificates }}"
install_system_registry_local_certificate: true
install_system_restapi_gui_certificate: true
when: mode == 'bootstrap'
- name: If upgrading, generate required certificates only if they don't exist
@ -40,8 +40,6 @@
set_fact:
install_system_open_ldap_certificate: "{{ not (cert_exists.results[0].stdout | bool)
and distributed_cloud_role != 'subcloud' }}"
install_system_registry_local_certificate: "{{ not (cert_exists.results[1].stdout | bool)
and create_platform_certificates }}"
install_system_restapi_gui_certificate: "{{ not (cert_exists.results[2].stdout | bool)
and create_platform_certificates }}"
install_system_registry_local_certificate: "{{ not (cert_exists.results[1].stdout | bool) }}"
install_system_restapi_gui_certificate: "{{ not (cert_exists.results[2].stdout | bool) }}"
when: upgrade_in_progress
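Review bot: The rewritten `install_system_registry_local_certificate` and `install_system_restapi_gui_certificate` facts (last two set_fact lines of the third hunk) still pick the existence result by position, `cert_exists.results[1]` and `cert_exists.results[2]`, so the index-to-certificate mapping silently depends on the item order of the task that registers `cert_exists`, which lies outside this hunk. A comment above the `set_fact` would make that coupling visible to the next person who reorders the check, e.g. `# cert_exists.results[] follows the loop order of the existence-check task: [0] open-ldap, [1] registry.local, [2] RestAPI/GUI`. That mapping is inferred here from the fact names; confirm it against the registering task before adding the comment.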


@ -1,6 +1,6 @@
---
#
# Copyright (c) 2022-2023 Wind River Systems, Inc.
# Copyright (c) 2022-2024 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
@ -9,10 +9,6 @@
# kubernetes at a later step
#
- name: Set create_platform_certificates if not defined
set_fact:
create_platform_certificates: "{{ create_platform_certificates | default(false) }}"
- name: Get distributed_cloud_role if not defined
shell: |
source /etc/platform/openrc
@ -80,10 +76,10 @@
include_tasks: install-docker-registry-certificate.yml
- name: Signal that creation of RestAPI/GUI and Docker Registry at bootstrap is enabled
copy:
dest: "{{ platform_config_dir }}/{{ create_platform_certificates_flag_filename }}"
content: ""
file:
path: "{{ platform_config_dir }}/{{ create_platform_certificates_flag_filename }}"
mode: 0644
state: touch
become: yes
when: create_platform_certificates
when: distributed_cloud_role != 'subcloud' or subcloud_local_ca_should_be_altered
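Review bot: In the new `file:` task of the last hunk, `mode: 0644` is an unquoted leading-zero literal; PyYAML reads it as octal 420 so it works today, but ansible-lint's risky-octal rule flags it and a YAML 1.2 parser would read decimal 644, so write `mode: "0644"`. `state: touch` also reports changed on every run because it updates the timestamps of an existing file, unlike the `copy` with `content: ""` it replaces; adding `modification_time: preserve` and `access_time: preserve` keeps the task idempotent on re-runs. `become: yes` should be `become: true` for the same truthy-literal reason. The new `when:` evaluates `subcloud_local_ca_should_be_altered` whenever the host is a subcloud, so that fact must be defined before this task on subclouds — presumably set earlier in this file, which the hunk does not show.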


@ -1,5 +1,2 @@
---
system_local_ca_overrides: false
# Temporary feature flag https://storyboard.openstack.org/#!/story/2009811
create_platform_certificates: false