Setup https admin endpoint certificates for subcloud

This commit updated ansible bootstrap to generate, install and
configure certificates for https enabled admin endpoints. This change
applies to subcloud of a DC system only.

The subcloud admin endpoint certificate has a valid duration of 180 days
and a renew-before of 30 days.

Tests:
  - Successfully deploy subcloud by "dcmanager subcloud add"
  - Verify haproxy admin endpoint certificate is generated and
    installed properly in subcloud.
  - Verify DC admin endpoint root CA certificate is installed in
    subcloud's trusted CA cert list in subcloud.
  - Verify the haproxy admin endpoint certificate can be validated by
    the DC endpoint root CA certificate successfully in subcloud.

Change-Id: Ib24d27ac4cafe345fb57ba906ea5baf0930af892
Story: 2007347
Task: 39465
Depends-On: https://review.opendev.org/#/c/720224/
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Andy Ning
2020-04-08 09:42:10 -04:00
parent 4c3d97c18e
commit 3bb26d81d5
4 changed files with 145 additions and 0 deletions

@@ -0,0 +1,43 @@
apiVersion: v1
kind: Namespace
metadata:
creationTimestamp: null
name: {{ sc_adminep_ca_cert_ns }}
spec: {}
status: {}
---
apiVersion: v1
data:
tls.crt: {{ sc_ca_cert }}
tls.key: {{ sc_ca_key }}
kind: Secret
metadata:
name: {{ sc_adminep_ca_cert_secret }}
namespace: {{ sc_adminep_ca_cert_ns }}
type: kubernetes.io/tls
---
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
name: sc-intermediate-ca-adminep-issuer
namespace: {{ sc_adminep_ca_cert_ns }}
spec:
ca:
secretName: {{ sc_adminep_ca_cert_secret }}
---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
name: {{ sc_adminep_cert_secret }}
namespace: {{ sc_adminep_ca_cert_ns }}
spec:
secretName: {{ sc_adminep_cert_secret }}
duration: {{ sc_adminep_cert_duration }}
renewBefore: {{ sc_adminep_cert_renew_before }}
issuerRef:
name: sc-intermediate-ca-adminep-issuer
kind: Issuer
commonName: {{ controller_floating_address }}
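
Review bot: In the Certificate spec at the end of this file, the only subject identity is `commonName: {{ controller_floating_address }}`, with no `dnsNames` or `ipAddresses` entry. If that variable holds an IP address, TLS clients that match on subjectAltName rather than the CN will not validate the admin endpoint certificate, so I would list the address under `ipAddresses` (or a hostname under `dnsNames`) as well. Separately, the Secret places `{{ sc_ca_cert }}` and `{{ sc_ca_key }}` under `data:`, which expects base64-encoded values; a comment stating that both variables must arrive already encoded would prevent a silent apply failure. Because the rendered manifest then contains the private key for the CA behind `sc-intermediate-ca-adminep-issuer`, the rendered file should be written with restrictive permissions and removed once applied. Minor style point: the issuer name is hard-coded in both the Issuer and the `issuerRef`, while every other name in the file is a variable.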