From 85712e2fb920577bc49eb3eb13e60d5beff6045d Mon Sep 17 00:00:00 2001
From: Marcelo Loebens
Date: Mon, 8 Apr 2024 17:02:32 -0400
Subject: [PATCH] Change default subject for platform certificates

Included default entries for the fields:
- 'commonName' - default now is [certificate_name]
- 'localities' - default now is [region_name]
- 'organization' - default now is 'starlingx'

Where:
[region_name] is the region name
[certificate_name] is an internal proper name used for each of the platform certs.

These fields can still be overridden by the user during bootstrap / CA update.
The override 'subject_prefix' is now removed.

Modified update_platform_certificates.yml playbook to delete/recreate the leaf certificates instead of re-configuring them. In some cases, just re-configuring would not change nested values in the Certificate spec entries.

Also, waited for the local OpenLDAP cert to be ready before progressing, avoiding issues with remaining tasks caused by delays in cert-manager.

Test plan:
PASS: Bootstrap system without overriding 'subject_L', 'subject_O' or 'subject_CN'. Verify that the default fields are included.
PASS: W/ default values, test Horizon access.
PASS: W/ default values, test access through remote CLI.
PASS: W/ default values, test pulling images from the local registry externally (outside the system).
PASS: Update platform certificates overriding all 'subject_*' fields. Verify that the overridden values are included in the respective fields.

Story: 2009811
Task: 49831
Change-Id: I208c30a6eb2c60397d50e6ea411ee5994fa27f9a
Signed-off-by: Marcelo Loebens
---
 ...latform-certificates-inventory-EXAMPLE.yml |  1 -
 .../templates/platform_certificates.yml.j2    |  4 --
 .../templates/subject_snippet.j2              | 25 +++++++---
 .../vars/main.yaml                            |  1 +
 .../vars/main.yml                             |  1 -
 .../tasks/main.yml                            | 46 +++++++++----------
 6 files changed, 41 insertions(+), 37 deletions(-)
diff --git a/examples/update-platform-certificates/update-platform-certificates-inventory-EXAMPLE.yml b/examples/update-platform-certificates/update-platform-certificates-inventory-EXAMPLE.yml
index b52937ccb..07fd3c62f 100644
--- a/examples/update-platform-certificates/update-platform-certificates-inventory-EXAMPLE.yml
+++ b/examples/update-platform-certificates/update-platform-certificates-inventory-EXAMPLE.yml
@@ -83,7 +83,6 @@ all:
 subject_O: myorganization
 subject_OU: engineering
 subject_CN: myorganization.com
- subject_prefix: starlingx
 # SSH password to connect to all subclouds
 ansible_ssh_user: sysadmin
 ansible_ssh_pass:
diff --git a/playbookconfig/src/playbooks/roles/common/generate-platform-certificates-template/templates/platform_certificates.yml.j2 b/playbookconfig/src/playbooks/roles/common/generate-platform-certificates-template/templates/platform_certificates.yml.j2
index e73b3a7cb..ea5dfefcf 100644
--- a/playbookconfig/src/playbooks/roles/common/generate-platform-certificates-template/templates/platform_certificates.yml.j2
+++ b/playbookconfig/src/playbooks/roles/common/generate-platform-certificates-template/templates/platform_certificates.yml.j2
@@ -32,7 +32,6 @@ items:
 name: system-restapi-gui-certificate
 namespace: deployment
 spec:
- commonName: "{{ system_platform_certificate.subject_CN | default(oam_ip.stdout, true) }}"
 dnsNames:
 - "{{ clean_region_name }}.{{ system_platform_certificate.dns_domain | default(default.dns_domain, true) }}"
 duration: "{{ system_platform_certificate.duration | default(default.duration, true) }}"
@@ -55,7 +54,6 @@ items:
 name: system-registry-local-certificate
 namespace: deployment
 spec:
- commonName: "{{ system_platform_certificate.subject_CN | default(oam_ip.stdout, true) }}"
 dnsNames:
 - "{{ clean_region_name }}.{{ system_platform_certificate.dns_domain | default(default.dns_domain, true) }}"
 - registry.local
@@ -83,7 +81,6 @@ items:
 name: oidc-auth-apps-certificate
 namespace: kube-system
 spec:
- commonName: "{{ system_platform_certificate.subject_CN | default(oam_ip.stdout, true) }}"
 dnsNames:
 - "{{ clean_region_name }}.{{ system_platform_certificate.dns_domain | default(default.dns_domain, true) }}"
 duration: "{{ system_platform_certificate.duration | default(default.duration, true) }}"
@@ -111,7 +108,6 @@ items:
 name: system-openldap-local-certificate
 namespace: deployment
 spec:
- commonName: "{{ system_platform_certificate.subject_CN | default(short_certificate_name, true) }}"
 dnsNames:
 - "{{ clean_region_name }}.{{ system_platform_certificate.dns_domain | default(default.dns_domain, true) }}"
 - controller
diff --git a/playbookconfig/src/playbooks/roles/common/generate-platform-certificates-template/templates/subject_snippet.j2 b/playbookconfig/src/playbooks/roles/common/generate-platform-certificates-template/templates/subject_snippet.j2
index adee4a1dd..5e63622ec 100644
--- a/playbookconfig/src/playbooks/roles/common/generate-platform-certificates-template/templates/subject_snippet.j2
+++ b/playbookconfig/src/playbooks/roles/common/generate-platform-certificates-template/templates/subject_snippet.j2
@@ -1,24 +1,37 @@
 {% if system_platform_certificate is defined %}
+ commonName: "{{ system_platform_certificate.subject_CN | default(short_certificate_name) }}"
 subject:
-{% if system_platform_certificate.subject_C is defined %}
+{% if system_platform_certificate.subject_C is defined and system_platform_certificate.subject_C != '' %}
 countries:
 - "{{ system_platform_certificate.subject_C }}"
 {% endif %}
-{% if system_platform_certificate.subject_ST is defined %}
+{% if system_platform_certificate.subject_ST is defined and system_platform_certificate.subject_ST != '' %}
 provinces:
 - "{{ system_platform_certificate.subject_ST }}"
 {% endif %}
-{% if system_platform_certificate.subject_L is defined %}
+{% if system_platform_certificate.subject_L is defined and system_platform_certificate.subject_L != '' %}
 localities:
 - "{{ system_platform_certificate.subject_L }}"
- - "{{ system_platform_certificate.subject_prefix + ':' if system_platform_certificate.subject_prefix is defined else '' }}{{ clean_region_name }}:{{ short_certificate_name }}"
+{% elif system_platform_certificate.subject_L is not defined %}
+ localities:
+ - "{{ clean_region_name }}"
 {% endif %}
-{% if system_platform_certificate.subject_O is defined %}
+{% if system_platform_certificate.subject_O is defined and system_platform_certificate.subject_O != '' %}
 organizations:
 - "{{ system_platform_certificate.subject_O }}"
+{% elif system_platform_certificate.subject_O is not defined %}
+ organizations:
+ - "{{ default.subject_O }}"
 {% endif %}
-{% if system_platform_certificate.subject_OU is defined %}
+{% if system_platform_certificate.subject_OU is defined and system_platform_certificate.subject_OU != '' %}
 organizationalUnits:
 - "{{ system_platform_certificate.subject_OU }}"
 {% endif %}
+{% else %}
+ commonName: "{{ short_certificate_name }}"
+ subject:
+ localities:
+ - "{{ clean_region_name }}"
+ organizations:
+ - "{{ default.subject_O }}"
 {% endif %}
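Review bot: The added `commonName` line in the `if` branch uses `default(short_certificate_name)` without the boolean second argument, so a `subject_CN` that is defined but empty (`subject_CN: ''`) renders an empty commonName, whereas every sibling field in this hunk now explicitly tests `!= ''` and the removed per-certificate lines used `default(..., true)`; `commonName: "{{ system_platform_certificate.subject_CN | default(short_certificate_name, true) }}"` keeps the empty override from producing a certificate with no CN. The resulting three-way semantics for `subject_L` and `subject_O` (undefined → default value, `''` → field omitted, anything else → used verbatim) are easy to miss on a later read, so a template comment at the top of the snippet along the lines of `{# subject_L / subject_O: undefined -> default, '' -> omitted, other -> as given #}` would help. The `else` branch duplicates the default values of the `if` branch; that is fine as long as both are kept in step when `default.subject_O` or the region default changes.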
diff --git a/playbookconfig/src/playbooks/roles/common/generate-platform-certificates-template/vars/main.yaml b/playbookconfig/src/playbooks/roles/common/generate-platform-certificates-template/vars/main.yaml
index cfdc5e5a3..3627bdb36 100644
--- a/playbookconfig/src/playbooks/roles/common/generate-platform-certificates-template/vars/main.yaml
+++ b/playbookconfig/src/playbooks/roles/common/generate-platform-certificates-template/vars/main.yaml
@@ -10,3 +10,4 @@ default:
 dns_domain: 'starlingx.local'
 duration: '2160h' # 90d
 renewBefore: '360h' # 15d
+ subject_O: 'starlingx'
diff --git a/playbookconfig/src/playbooks/roles/common/validate-cert-subject-fields/vars/main.yml b/playbookconfig/src/playbooks/roles/common/validate-cert-subject-fields/vars/main.yml
index 96874dd98..7f3dc16b0 100644
--- a/playbookconfig/src/playbooks/roles/common/validate-cert-subject-fields/vars/main.yml
+++ b/playbookconfig/src/playbooks/roles/common/validate-cert-subject-fields/vars/main.yml
@@ -9,4 +9,3 @@ valid_subject_fieds:
 - subject_O
 - subject_OU
 - subject_CN
-- subject_prefix
diff --git a/playbookconfig/src/playbooks/roles/update-platform-certificates/tasks/main.yml b/playbookconfig/src/playbooks/roles/update-platform-certificates/tasks/main.yml
index 88beeeffd..dbc7793c2 100644
--- a/playbookconfig/src/playbooks/roles/update-platform-certificates/tasks/main.yml
+++ b/playbookconfig/src/playbooks/roles/update-platform-certificates/tasks/main.yml
@@ -1,6 +1,6 @@
 ---
 #
-# Copyright (c) 2021-2023 Wind River Systems, Inc.
+# Copyright (c) 2021-2024 Wind River Systems, Inc.
 #
 # SPDX-License-Identifier: Apache-2.0
 #
@@ -95,9 +95,18 @@
 vars:
 destination: "{{ cert_manager_spec_file }}"
- # This list is composed of all certificates issued by the cluster issuer
- # plus the four platform ones we will always renew
- - name: Create a list of certificates that should be migrated to the new 'system-local-ca' issuer
+ - name: Remove default leaf certificates (plus OIDC)
+ include_role:
+ name: common/delete-kubernetes-resources
+ with_items:
+ - { name: system-openldap-local-certificate, namespace: deployment, type: certificate }
+ - { name: system-registry-local-certificate, namespace: deployment, type: certificate }
+ - { name: system-restapi-gui-certificate, namespace: deployment, type: certificate }
+ - { name: oidc-auth-apps-certificate, namespace: kube-system, type: certificate }
+
+ # This list is composed of other certificates issued by the cluster issuer
+ # (i.e. not local REST API/GUI, OpenLDAP, Docker Registry or OIDC)
+ - name: List other certificates that should be migrated to the new 'system-local-ca' issuer
 shell: |
 #Collecting certs previously issued by 'system-local-ca'
 {(kubectl get certificates -A \
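Review bot: The new "Remove default leaf certificates" task deletes only the four Certificate objects (`type: certificate`), while the next hunk drops the same four from the `certs_to_renew` list, so their Secrets are no longer removed anywhere in this role; if `common/delete-kubernetes-resources` does not also remove the backing Secret, cert-manager may find a Secret that still matches the recreated spec and keep it instead of issuing a fresh leaf, which would matter on a run that rotates the CA without changing the subject or issuer name. This is inferred from the two hunks only — worth confirming against the delete role and the cert-manager behaviour in use, and either deleting the Secrets too or documenting why the recreate alone is sufficient. The task also deserves a comment on its motivation, e.g. `# Delete and recreate (via the apply below): patching the Certificate in place does not update nested spec fields such as subject`. The enclosing block starts before this hunk.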
@@ -105,31 +114,11 @@
 --no-headers=true |
 awk '$3 == "system-local-ca"' |
 awk '{ print "{name: "$1", namespace: "$2", type: secret}" }' |
- awk NF);
-
- #Adding certs we will renew by default (if repeated, they will be filtered in renewal task)
- (printf "{name: system-openldap-local-certificate, namespace: deployment, type: secret} {name: system-registry-local-certificate, namespace: deployment, type: secret} {name: system-restapi-gui-certificate, namespace: deployment, type: secret} {name: oidc-auth-apps-certificate, namespace: kube-system, type: secret}\n")}
+ awk NF)}
 environment:
 KUBECONFIG: /etc/kubernetes/admin.conf
 register: certs_to_renew
- # This is a workaround for a problem found in upgrades (not really ideal)
- # It will cause warnings uppon applying the file
- - name: Remove 'last-applied-configuration' annotation from certs to avoid version problems after upgrades
- shell: |
- kubectl annotate certificate "{{ item.certificate }}" -n "{{ item.namespace }}" \
- kubectl.kubernetes.io/last-applied-configuration- || true
- environment:
- KUBECONFIG: /etc/kubernetes/admin.conf
- with_items:
- - { certificate: system-openldap-local-certificate, namespace: deployment }
- - { certificate: system-registry-local-certificate, namespace: deployment }
- - { certificate: system-restapi-gui-certificate, namespace: deployment }
- - { certificate: oidc-auth-apps-certificate, namespace: kube-system }
-
 - name: Apply kubernetes yaml to create cert-manager clusterissuer and certificates
 command: kubectl apply -f "{{ cert_manager_spec_file }}"
 environment:
@@ -150,6 +139,13 @@
 name: common/delete-kubernetes-resources
 loop: "{{ certs_to_renew.stdout_lines | map('from_yaml') | unique | list }}"
+ - name: Wait for local OpenLDAP certificate to be Ready
+ command: >-
+ kubectl wait certificate -n deployment system-openldap-local-certificate
+ --for=condition=Ready --timeout=90s
+ environment:
+ KUBECONFIG: /etc/kubernetes/admin.conf
+
 - name: Update oidc-auth-apps in order to use new certificate
 include_tasks: reapply-oidc-auth-app.yml
 when: oidc_applied.stdout | bool
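Review bot: Only the OpenLDAP certificate is awaited, although the registry, REST API/GUI and OIDC certificates were deleted and recreated by the same apply; the OIDC reapply task immediately below consumes its certificate, so the race this wait closes for OpenLDAP presumably still exists for it. A `loop` over the four name/namespace pairs with the same `kubectl wait` command (`-n {{ item.namespace }} {{ item.name }}`) would cover all of them at little cost. The task should also say why it exists, e.g. `# cert-manager issues the recreated certificate asynchronously; later tasks read its secret, so block until it reports Ready`, and if `--timeout=90s` was chosen deliberately (a timeout fails the play with no retry), note that too. The enclosing block starts before this hunk.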