Change default subject for platform certificates
Included a default entries for the fields:
- 'commonName' - default now is <cert_short_name>
- 'localities' - default now is <region>
- 'organization' - default now is 'starlingx'
Where:
<region> is the region name
<cert_short_name> is an internal proper name used for each of the
platform certs.
These fields can still be overridden by the user during bootstrap / CA
update. The override 'subject_prefix' is now removed.
Modified update_platform_certificates.yml playbook to delete/recreate
the leaf certificates instead of re-configuring it. In some cases,
just re-configuring would not change nested values in the Certificate
spec entries. Also, waited for the local OpenLDAP cert to be ready
before progressing, avoiding issues with remaining tasks caused by
delays in cert-manager.
Test plan:
PASS: Bootstrap system without overriding 'subject_L', 'subject_O'
or 'subject_CN'.
Verify that the default fields are included.
PASS: W/ default values, test Horizon access.
PASS: W/ default values, test access through remote CLI.
PASS: W/ default values, test pulling images from the local
registry externally (outside the system).
PASS: Update platform certificates overriding all 'subject_*' fields.
Verify that the overridden values are included in the
respective fields.
Story: 2009811
Task: 49831
Change-Id: I208c30a6eb2c60397d50e6ea411ee5994fa27f9a
Signed-off-by: Marcelo Loebens <Marcelo.DeCastroLoebens@windriver.com>
This commit is contained in:
Marcelo Loebens
parent
351aa195f9
commit
85712e2fb9
@ -83,7 +83,6 @@ all:
|
||||
subject_O: myorganization
|
||||
subject_OU: engineering
|
||||
subject_CN: myorganization.com
|
||||
subject_prefix: starlingx
|
||||
# SSH password to connect to all subclouds
|
||||
ansible_ssh_user: sysadmin
|
||||
ansible_ssh_pass: <sysadmin-pwd>
|
||||
|
||||
@ -32,7 +32,6 @@ items:
|
||||
name: system-restapi-gui-certificate
|
||||
namespace: deployment
|
||||
spec:
|
||||
commonName: "{{ system_platform_certificate.subject_CN | default(oam_ip.stdout, true) }}"
|
||||
dnsNames:
|
||||
- "{{ clean_region_name }}.{{ system_platform_certificate.dns_domain | default(default.dns_domain, true) }}"
|
||||
duration: "{{ system_platform_certificate.duration | default(default.duration, true) }}"
|
||||
@ -55,7 +54,6 @@ items:
|
||||
name: system-registry-local-certificate
|
||||
namespace: deployment
|
||||
spec:
|
||||
commonName: "{{ system_platform_certificate.subject_CN | default(oam_ip.stdout, true) }}"
|
||||
dnsNames:
|
||||
- "{{ clean_region_name }}.{{ system_platform_certificate.dns_domain | default(default.dns_domain, true) }}"
|
||||
- registry.local
|
||||
@ -83,7 +81,6 @@ items:
|
||||
name: oidc-auth-apps-certificate
|
||||
namespace: kube-system
|
||||
spec:
|
||||
commonName: "{{ system_platform_certificate.subject_CN | default(oam_ip.stdout, true) }}"
|
||||
dnsNames:
|
||||
- "{{ clean_region_name }}.{{ system_platform_certificate.dns_domain | default(default.dns_domain, true) }}"
|
||||
duration: "{{ system_platform_certificate.duration | default(default.duration, true) }}"
|
||||
@ -111,7 +108,6 @@ items:
|
||||
name: system-openldap-local-certificate
|
||||
namespace: deployment
|
||||
spec:
|
||||
commonName: "{{ system_platform_certificate.subject_CN | default(short_certificate_name, true) }}"
|
||||
dnsNames:
|
||||
- "{{ clean_region_name }}.{{ system_platform_certificate.dns_domain | default(default.dns_domain, true) }}"
|
||||
- controller
|
||||
|
||||
@ -1,24 +1,37 @@
|
||||
{% if system_platform_certificate is defined %}
|
||||
commonName: "{{ system_platform_certificate.subject_CN | default(short_certificate_name) }}"
|
||||
subject:
|
||||
{% if system_platform_certificate.subject_C is defined %}
|
||||
{% if system_platform_certificate.subject_C is defined and system_platform_certificate.subject_C != '' %}
|
||||
countries:
|
||||
- "{{ system_platform_certificate.subject_C }}"
|
||||
{% endif %}
|
||||
{% if system_platform_certificate.subject_ST is defined %}
|
||||
{% if system_platform_certificate.subject_ST is defined and system_platform_certificate.subject_ST != '' %}
|
||||
provinces:
|
||||
- "{{ system_platform_certificate.subject_ST }}"
|
||||
{% endif %}
|
||||
{% if system_platform_certificate.subject_L is defined %}
|
||||
{% if system_platform_certificate.subject_L is defined and system_platform_certificate.subject_L != '' %}
|
||||
localities:
|
||||
- "{{ system_platform_certificate.subject_L }}"
|
||||
- "{{ system_platform_certificate.subject_prefix + ':' if system_platform_certificate.subject_prefix is defined else '' }}{{ clean_region_name }}:{{ short_certificate_name }}"
|
||||
{% elif system_platform_certificate.subject_L is not defined %}
|
||||
localities:
|
||||
- "{{ clean_region_name }}"
|
||||
{% endif %}
|
||||
{% if system_platform_certificate.subject_O is defined %}
|
||||
{% if system_platform_certificate.subject_O is defined and system_platform_certificate.subject_O != '' %}
|
||||
organizations:
|
||||
- "{{ system_platform_certificate.subject_O }}"
|
||||
{% elif system_platform_certificate.subject_O is not defined %}
|
||||
organizations:
|
||||
- "{{ default.subject_O }}"
|
||||
{% endif %}
|
||||
{% if system_platform_certificate.subject_OU is defined %}
|
||||
{% if system_platform_certificate.subject_OU is defined and system_platform_certificate.subject_OU != '' %}
|
||||
organizationalUnits:
|
||||
- "{{ system_platform_certificate.subject_OU }}"
|
||||
{% endif %}
|
||||
{% else %}
|
||||
commonName: "{{ short_certificate_name }}"
|
||||
subject:
|
||||
localities:
|
||||
- "{{ clean_region_name }}"
|
||||
organizations:
|
||||
- "{{ default.subject_O }}"
|
||||
{% endif %}
|
||||
|
||||
@ -10,3 +10,4 @@ default:
|
||||
dns_domain: 'starlingx.local'
|
||||
duration: '2160h' # 90d
|
||||
renewBefore: '360h' # 15d
|
||||
subject_O: 'starlingx'
|
||||
|
||||
@ -9,4 +9,3 @@ valid_subject_fieds:
|
||||
- subject_O
|
||||
- subject_OU
|
||||
- subject_CN
|
||||
- subject_prefix
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
#
|
||||
# Copyright (c) 2021-2023 Wind River Systems, Inc.
|
||||
# Copyright (c) 2021-2024 Wind River Systems, Inc.
|
||||
#
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
#
|
||||
@ -95,9 +95,18 @@
|
||||
vars:
|
||||
destination: "{{ cert_manager_spec_file }}"
|
||||
|
||||
# This list is composed of all certificates issued by the cluster issuer
|
||||
# plus the four platform ones we will always renew
|
||||
- name: Create a list of certificates that should be migrated to the new 'system-local-ca' issuer
|
||||
- name: Remove default leaf certificates (plus OIDC)
|
||||
include_role:
|
||||
name: common/delete-kubernetes-resources
|
||||
with_items:
|
||||
- { name: system-openldap-local-certificate, namespace: deployment, type: certificate }
|
||||
- { name: system-registry-local-certificate, namespace: deployment, type: certificate }
|
||||
- { name: system-restapi-gui-certificate, namespace: deployment, type: certificate }
|
||||
- { name: oidc-auth-apps-certificate, namespace: kube-system, type: certificate }
|
||||
|
||||
# This list is composed of other certificates issued by the cluster issuer
|
||||
# (i.e. not local REST API/GUI, OpenLDAP, Docker Registry or OIDC)
|
||||
- name: List other certificates that should be migrated to the new 'system-local-ca' issuer
|
||||
shell: |
|
||||
#Collecting certs previously issued by 'system-local-ca'
|
||||
{(kubectl get certificates -A \
|
||||
@ -105,31 +114,11 @@
|
||||
--no-headers=true |
|
||||
awk '$3 == "system-local-ca"' |
|
||||
awk '{ print "{name: "$1", namespace: "$2", type: secret}" }' |
|
||||
awk NF);
|
||||
|
||||
#Adding certs we will renew by default (if repeated, they will be filtered in renewal task)
|
||||
(printf "{name: system-openldap-local-certificate, namespace: deployment, type: secret}
|
||||
{name: system-registry-local-certificate, namespace: deployment, type: secret}
|
||||
{name: system-restapi-gui-certificate, namespace: deployment, type: secret}
|
||||
{name: oidc-auth-apps-certificate, namespace: kube-system, type: secret}\n")}
|
||||
awk NF)}
|
||||
environment:
|
||||
KUBECONFIG: /etc/kubernetes/admin.conf
|
||||
register: certs_to_renew
|
||||
|
||||
# This is a workaround for a problem found in upgrades (not really ideal)
|
||||
# It will cause warnings uppon applying the file
|
||||
- name: Remove 'last-applied-configuration' annotation from certs to avoid version problems after upgrades
|
||||
shell: |
|
||||
kubectl annotate certificate "{{ item.certificate }}" -n "{{ item.namespace }}" \
|
||||
kubectl.kubernetes.io/last-applied-configuration- || true
|
||||
environment:
|
||||
KUBECONFIG: /etc/kubernetes/admin.conf
|
||||
with_items:
|
||||
- { certificate: system-openldap-local-certificate, namespace: deployment }
|
||||
- { certificate: system-registry-local-certificate, namespace: deployment }
|
||||
- { certificate: system-restapi-gui-certificate, namespace: deployment }
|
||||
- { certificate: oidc-auth-apps-certificate, namespace: kube-system }
|
||||
|
||||
- name: Apply kubernetes yaml to create cert-manager clusterissuer and certificates
|
||||
command: kubectl apply -f "{{ cert_manager_spec_file }}"
|
||||
environment:
|
||||
@ -150,6 +139,13 @@
|
||||
name: common/delete-kubernetes-resources
|
||||
loop: "{{ certs_to_renew.stdout_lines | map('from_yaml') | unique | list }}"
|
||||
|
||||
- name: Wait for local OpenLDAP certificate to be Ready
|
||||
command: >-
|
||||
kubectl wait certificate -n deployment system-openldap-local-certificate
|
||||
--for=condition=Ready --timeout=90s
|
||||
environment:
|
||||
KUBECONFIG: /etc/kubernetes/admin.conf
|
||||
|
||||
- name: Update oidc-auth-apps in order to use new certificate
|
||||
include_tasks: reapply-oidc-auth-app.yml
|
||||
when: oidc_applied.stdout | bool
|
||||
|
||||
Loading…
Reference in New Issue
Block a user