starlingx/ansible-playbooks
Code Issues Proposed changes

Enable docker registry and HTTPS cert by default

Browse Source 
Remove feature flag that controlled the creation of Docker Registry and
Rest API/GUI (HTTPS). This will enable by default creation of these
certs during bootstrap, which then will be used after first
controller's unlock.

Certs will be anchored using the system-local-ca issuer CA
certificates, that can be provided by user using bootstrap overrides.
If not provided, they will be anchored using the k8s RCA.

Test plan:
PASS: Bootstrap AIO-SX w/ system-local-ca overrides.
      - Verify certificates w/ sudo show-certs.sh;
      - Login into registry.local;
      - Access horizon - Verify that the certificate provided to the
        browser is correct.
      Bootstrap DC + SX subcloud w/ system-local-ca overrides.
      - Verify certificates w/ sudo show-certs.sh;
      - Login into registry.local and registry.central;
      - Access horizon - Verify that the certificate provided to the
        browser is correct.

Story: 2009811
Task: 49704

Change-Id: Iccbf53ecd7ef5d8cc64092bbf0da77c13787008b
Signed-off-by: Marcelo Loebens <Marcelo.DeCastroLoebens@windriver.com>
This commit is contained in:
Marcelo Loebens 2024-03-11 17:03:38 -04:00 committed by Marcelo de Castro Loebens
parent 83a8421dc4
commit 0d9051a469
4 changed files with 11 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
playbookconfig/src/playbooks/create-platform-certificates-in-upgrade.yml
View File

@ -1,6 +1,6 @@
--- ---
# #
# Copyright (c) 2022-2023 Wind River Systems, Inc. # Copyright (c) 2022-2024 Wind River Systems, Inc.
# #
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
# #
@ -18,7 +18,6 @@
mode: '' mode: ''
upgrade_in_progress: true upgrade_in_progress: true
system_local_ca_overrides: false system_local_ca_overrides: false
create_platform_certificates: true
roles: roles:
- common/install-platform-certificates - common/install-platform-certificates

12
playbookconfig/src/playbooks/roles/common/install-platform-certificates/tasks/define-certs-to-create.yml
View File

@ -1,6 +1,6 @@
--- ---
# #
# Copyright (c) 2023 Wind River Systems, Inc. # Copyright (c) 2023-2024 Wind River Systems, Inc.
# #
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
# #
@ -17,8 +17,8 @@
- name: If first bootstrap, mark the creation flags for the required certificates - name: If first bootstrap, mark the creation flags for the required certificates
set_fact: set_fact:
install_system_open_ldap_certificate: "{{ distributed_cloud_role != 'subcloud' }}" install_system_open_ldap_certificate: "{{ distributed_cloud_role != 'subcloud' }}"
install_system_registry_local_certificate: "{{ create_platform_certificates }}" install_system_registry_local_certificate: true
install_system_restapi_gui_certificate: "{{ create_platform_certificates }}" install_system_restapi_gui_certificate: true
when: mode == 'bootstrap' when: mode == 'bootstrap'
- name: If upgrading, generate required certificates only if they don't exist - name: If upgrading, generate required certificates only if they don't exist
@ -40,8 +40,6 @@
set_fact: set_fact:
install_system_open_ldap_certificate: "{{ not (cert_exists.results[0].stdout | bool) install_system_open_ldap_certificate: "{{ not (cert_exists.results[0].stdout | bool)
and distributed_cloud_role != 'subcloud' }}" and distributed_cloud_role != 'subcloud' }}"
install_system_registry_local_certificate: "{{ not (cert_exists.results[1].stdout | bool) install_system_registry_local_certificate: "{{ not (cert_exists.results[1].stdout | bool) }}"
and create_platform_certificates }}" install_system_restapi_gui_certificate: "{{ not (cert_exists.results[2].stdout | bool) }}"
install_system_restapi_gui_certificate: "{{ not (cert_exists.results[2].stdout | bool)
and create_platform_certificates }}"
when: upgrade_in_progress when: upgrade_in_progress

14
playbookconfig/src/playbooks/roles/common/install-platform-certificates/tasks/main.yml
View File

@ -1,6 +1,6 @@
--- ---
# #
# Copyright (c) 2022-2023 Wind River Systems, Inc. # Copyright (c) 2022-2024 Wind River Systems, Inc.
# #
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
# #
@ -9,10 +9,6 @@
# kubernetes at a later step # kubernetes at a later step
# #
- name: Set create_platform_certificates if not defined
set_fact:
create_platform_certificates: "{{ create_platform_certificates | default(false) }}"
- name: Get distributed_cloud_role if not defined - name: Get distributed_cloud_role if not defined
shell: | shell: |
source /etc/platform/openrc source /etc/platform/openrc
@ -80,10 +76,10 @@
include_tasks: install-docker-registry-certificate.yml include_tasks: install-docker-registry-certificate.yml
- name: Signal that creation of RestAPI/GUI and Docker Registry at bootstrap is enabled - name: Signal that creation of RestAPI/GUI and Docker Registry at bootstrap is enabled
copy: file:
dest: "{{ platform_config_dir }}/{{ create_platform_certificates_flag_filename }}" path: "{{ platform_config_dir }}/{{ create_platform_certificates_flag_filename }}"
content: "" mode: 0644
state: touch
become: yes become: yes
when: create_platform_certificates
when: distributed_cloud_role != 'subcloud' or subcloud_local_ca_should_be_altered when: distributed_cloud_role != 'subcloud' or subcloud_local_ca_should_be_altered

3
playbookconfig/src/playbooks/vars/bootstrap/main.yml
View File

@ -1,5 +1,2 @@
--- ---
system_local_ca_overrides: false system_local_ca_overrides: false
# Temporary feature flag https://storyboard.openstack.org/#!/story/2009811
create_platform_certificates: false