From b7c629b603d80c1f45abc647ca1246b54360e78b Mon Sep 17 00:00:00 2001 From: Marcelo Loebens Date: Tue, 14 Nov 2023 17:42:12 -0400 Subject: [PATCH] Rework platform certificates migration Renamed the playbook to 'update_platform_certificates.yml', to reflect the intention behind moving forward (not only to migrate the platform certificates to cert-manager, but to be an easy way to update the local issuer (system-local-ca) CA certificates as well as the leaf certificates data). Moved the install of the RCA to the beginning of the execution, as several validations are made in the role and it's useful to have them fail if a problem is detected before issuing the leaf certificates. Updated the conditions for creating the certificates to issue the Rest API / GUI certificate (default behavior from now onward). Fixed the condition for having the Local OpenLDAP certificate (host role is not subcloud). Test plan: PASS: Deploy a system with the feature flag enabled in the localhost file ('create_platform_certificates'). Apply oidc. Execute the playbook using the new name ('update_platform_certificates.yml') in 'update' and 'check' modes. Observe that it works as expected. Checked: - The provided RCA is installed as Trusted CA; - The resulting certificates are correct; - Login in Local Docker Registry is working; - OIDC is working as expected; - Horizon is working as expected; - OpenLDAP is working as expected. Story: 2009811 Task: 48908 Change-Id: I9b928b1080a28bebb0362ac8d68be387bd4a67da
Signed-off-by: Marcelo Loebens
---
 ...atform-certificates-inventory-EXAMPLE.yml} | 12 ++++---
 .../default.yml | 0
 ...date-restapi-and-registry-certificates.yml | 2 +-
 .../check-certificates-to-be-installed.yml | 34 -------------------
 .../files/merge_certificate_mounts.py | 2 +-
 .../check-certificates-to-be-installed.yml | 33 ++++++++++++++++++
 .../tasks/check-for-management-alarms.yml | 2 +-
 .../tasks/get-certificates-summary.yml | 2 +-
 .../tasks/main.yml | 32 ++++++++---------
 .../tasks/reapply-oidc-auth-app.yml | 0
 .../vars/main.yaml | 0
 ...r.yml => update_platform_certificates.yml} | 16 +++++----
 12 files changed, 69 insertions(+), 66 deletions(-)
 rename examples/{migrate/migrate-platform-certificates-to-certmanager-inventory-EXAMPLE.yml => update-platform-certificates/update-platform-certificates-inventory-EXAMPLE.yml} (89%)
 rename playbookconfig/src/playbooks/host_vars/{migrate_platform_certificates_to_certmanager => update-platform-certificates}/default.yml (100%)
 delete mode 100644 playbookconfig/src/playbooks/roles/migrate-platform-certificates-to-certmanager/migrate-certificates/tasks/check-certificates-to-be-installed.yml
 rename playbookconfig/src/playbooks/roles/{migrate-platform-certificates-to-certmanager/migrate-certificates => update-platform-certificates}/files/merge_certificate_mounts.py (97%)
 create mode 100644 playbookconfig/src/playbooks/roles/update-platform-certificates/tasks/check-certificates-to-be-installed.yml
 rename playbookconfig/src/playbooks/roles/{migrate-platform-certificates-to-certmanager/migrate-certificates => update-platform-certificates}/tasks/check-for-management-alarms.yml (95%)
 rename playbookconfig/src/playbooks/roles/{migrate-platform-certificates-to-certmanager/migrate-certificates => update-platform-certificates}/tasks/get-certificates-summary.yml (94%)
 rename playbookconfig/src/playbooks/roles/{migrate-platform-certificates-to-certmanager/migrate-certificates => update-platform-certificates}/tasks/main.yml (94%)
 rename playbookconfig/src/playbooks/roles/{migrate-platform-certificates-to-certmanager/migrate-certificates => update-platform-certificates}/tasks/reapply-oidc-auth-app.yml (100%)
 rename playbookconfig/src/playbooks/roles/{migrate-platform-certificates-to-certmanager/migrate-certificates => update-platform-certificates}/vars/main.yaml (100%)
 rename playbookconfig/src/playbooks/{migrate_platform_certificates_to_certmanager.yml => update_platform_certificates.yml} (86%)
diff --git a/examples/migrate/migrate-platform-certificates-to-certmanager-inventory-EXAMPLE.yml b/examples/update-platform-certificates/update-platform-certificates-inventory-EXAMPLE.yml
similarity index 89%
rename from examples/migrate/migrate-platform-certificates-to-certmanager-inventory-EXAMPLE.yml
rename to examples/update-platform-certificates/update-platform-certificates-inventory-EXAMPLE.yml
index d732f9043..b52937ccb 100644
--- a/examples/migrate/migrate-platform-certificates-to-certmanager-inventory-EXAMPLE.yml
+++ b/examples/update-platform-certificates/update-platform-certificates-inventory-EXAMPLE.yml
@@ -5,22 +5,24 @@ # SPDX-License-Identifier: Apache-2.0 # # This is an example inventory file to be used for -# usr/share/ansible/stx-ansible/playbooks/migrate_platform_certificates_to_certmanager.yml +# usr/share/ansible/stx-ansible/playbooks/update_platform_certificates.yml # playbook. # # To run the playbook, the user would define an overrides file (as exemplified here) # providing the required variable settings and pass it on the ansible command-line as a parameter. # # Example ansible command: -# ansible-playbook migrate_platform_certificates_to_certmanager.yml \ +# ansible-playbook update_platform_certificates.yml \ # -i @my-inventory-file.yml \ -# --extra-vars "target_list=subcloud1 mode=update" +# --extra-vars "target_list=localhost,subcloud1 mode=update" # Use target_list to target individual subclouds, or a comma-separated # list of subclouds such as 'subcloud1,subcloud2'. To target all online -# subclouds at once use target_list=all_online_subclouds +# subclouds at once use 'target_list=all_online_subclouds'. # -# To target the system controller or standalone systems use target_list=localhost +# To target the system controller or standalone systems use 'target_list=localhost'. +# It's recomended to have always at least localhost in the target_list, avoiding +# the loss of consistency of the certificates between the hosts in DC systems. # # Note on the example parameters below : # diff --git a/playbookconfig/src/playbooks/host_vars/migrate_platform_certificates_to_certmanager/default.yml b/playbookconfig/src/playbooks/host_vars/update-platform-certificates/default.yml similarity index 100% rename from playbookconfig/src/playbooks/host_vars/migrate_platform_certificates_to_certmanager/default.yml rename to playbookconfig/src/playbooks/host_vars/update-platform-certificates/default.yml 
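Review bot: The added line `# It's recomended to have always at least localhost in the target_list, avoiding` misspells "recommended" and reads awkwardly for a user-facing example; suggest `# It is recommended to always include localhost in target_list, so that the` followed by `# certificates stay consistent between the hosts of a DC system.`. The same two lines are added to the header comment of update_platform_certificates.yml in the last file of this patch, so both places should be fixed together.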
diff --git a/playbookconfig/src/playbooks/roles/common/recover-subcloud-certificates/tasks/validate-restapi-and-registry-certificates.yml b/playbookconfig/src/playbooks/roles/common/recover-subcloud-certificates/tasks/validate-restapi-and-registry-certificates.yml index 93c794a63..602a7535a 100644 --- a/playbookconfig/src/playbooks/roles/common/recover-subcloud-certificates/tasks/validate-restapi-and-registry-certificates.yml +++ b/playbookconfig/src/playbooks/roles/common/recover-subcloud-certificates/tasks/validate-restapi-and-registry-certificates.yml @@ -59,7 +59,7 @@ {% endif %} Manual action required! On the subcloud, please update the expired certificates with `system certificate-install` or run - /usr/share/ansible/stx-ansible/playbooks/migrate_platform_certificates_to_certmanager.yml + /usr/share/ansible/stx-ansible/playbooks/update_platform_certificates.yml playbook following the section Migrate Platform Certificates to Use Cert Manager of the docs. when: restapi_cert_expiration.rc is defined and diff --git a/playbookconfig/src/playbooks/roles/migrate-platform-certificates-to-certmanager/migrate-certificates/tasks/check-certificates-to-be-installed.yml b/playbookconfig/src/playbooks/roles/migrate-platform-certificates-to-certmanager/migrate-certificates/tasks/check-certificates-to-be-installed.yml deleted file mode 100644 index f2f2a0146..000000000 --- a/playbookconfig/src/playbooks/roles/migrate-platform-certificates-to-certmanager/migrate-certificates/tasks/check-certificates-to-be-installed.yml +++ /dev/null 
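Review bot: The operator-facing message still ends with "following the section Migrate Platform Certificates to Use Cert Manager of the docs" right after the path in it was switched to update_platform_certificates.yml; if the documentation section is renamed along with the playbook, this text will point users at a section that no longer exists. Either update the section title in the same change or make the reference generic, e.g. `playbook, as described in the platform certificates documentation.`. The task that carries this message starts and ends outside the hunk, so I could not check whether its `when` also references the old playbook name.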
@@ -1,34 +0,0 @@ ---- -# -# Copyright (c) 2021-2023 Wind River Systems, Inc. -# -# SPDX-License-Identifier: Apache-2.0 -# -# Check if https_enabled is enabled and if oidc-auth-apps is applied -# in order to determine which certificates need to be installed -# -- name: Check if system is https_enabled - shell: | - source /etc/platform/openrc - system show | grep https_enabled | awk '{ print $4 }' - register: https_enabled - -- name: Check if oidc-auth-apps is applied - shell: | - source /etc/platform/openrc - system application-show oidc-auth-apps --column status --format value | \ - awk '{ if ($0 == "applied") print "true"; else print "false"; }' - register: oidc_applied - -- name: Check if openldap certificate exists - shell: | - source /etc/platform/openrc - system certificate-list | grep openldap | \ - awk '{ if ($0 != "") print "true"; exit}' - register: openldap_certificate_exists - -- set_fact: - install_oidc_auth_apps_certificate: "{{ true if oidc_applied.stdout | bool else false }}" - install_system_open_ldap_certificate: "{{ true if openldap_certificate_exists.stdout | bool else false }}" - install_system_registry_local_certificate: true - install_system_restapi_gui_certificate: "{{ true if https_enabled.stdout | bool else false }}" diff --git a/playbookconfig/src/playbooks/roles/migrate-platform-certificates-to-certmanager/migrate-certificates/files/merge_certificate_mounts.py b/playbookconfig/src/playbooks/roles/update-platform-certificates/files/merge_certificate_mounts.py similarity index 97% rename from playbookconfig/src/playbooks/roles/migrate-platform-certificates-to-certmanager/migrate-certificates/files/merge_certificate_mounts.py rename to playbookconfig/src/playbooks/roles/update-platform-certificates/files/merge_certificate_mounts.py index 087777658..4bb4da59b 100644 --- a/playbookconfig/src/playbooks/roles/migrate-platform-certificates-to-certmanager/migrate-certificates/files/merge_certificate_mounts.py 
+++ b/playbookconfig/src/playbooks/roles/update-platform-certificates/files/merge_certificate_mounts.py @@ -1,6 +1,6 @@ #!/usr/bin/python # -# Copyright (c) 2022 Wind River Systems, Inc. +# Copyright (c) 2022-2023 Wind River Systems, Inc. # # SPDX-License-Identifier: Apache-2.0 # diff --git a/playbookconfig/src/playbooks/roles/update-platform-certificates/tasks/check-certificates-to-be-installed.yml b/playbookconfig/src/playbooks/roles/update-platform-certificates/tasks/check-certificates-to-be-installed.yml new file mode 100644 index 000000000..b4639f3cb --- /dev/null +++ b/playbookconfig/src/playbooks/roles/update-platform-certificates/tasks/check-certificates-to-be-installed.yml @@ -0,0 +1,33 @@ +--- +# +# Copyright (c) 2021-2023 Wind River Systems, Inc. +# +# SPDX-License-Identifier: Apache-2.0 +# +# Define variables (flags) that will be used in certificate creation. +# Depending on the boolean value of the flags, the certificates will be +# issued by local cluster issuer using 'system-local-ca' secret. +# The platform certificates are: +# - OIDC-Auth-Apps (not required) +# - Local OpenLDAP (required for standalone and DC SystemController) +# - Docker Registry (required) +# - REST API / Web Server GUI (required) +# +- name: Check if oidc-auth-apps is applied + shell: | + source /etc/platform/openrc + system application-show oidc-auth-apps --column status --format value | \ + awk '{ if ($0 == "applied") print "true"; else print "false"; }' + register: oidc_applied + +- name: Get distributed_cloud role + shell: | + source /etc/platform/openrc + system show | grep distributed_cloud_role | awk '{ print $4 }' + register: dc_role + +- set_fact: + install_oidc_auth_apps_certificate: "{{ true if oidc_applied.stdout | bool else false }}" + install_system_open_ldap_certificate: "{{ true if dc_role.stdout != 'subcloud' else false }}" + install_system_registry_local_certificate: true + install_system_restapi_gui_certificate: true 
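Review bot: In the new `Get distributed_cloud role` task an empty result is indistinguishable from a non-subcloud host: the pipeline's exit status is awk's, so a failed `system show` (or a `grep` with no match) leaves `dc_role.stdout` empty, `dc_role.stdout != 'subcloud'` evaluates to true and the OpenLDAP certificate is issued on a host whose role was never established. As far as I can tell a non-DC system still prints the field with a None value, so an empty string only arises when the lookup itself failed; adding `failed_when: dc_role.stdout | length == 0` to that task makes the role lookup a hard requirement before the flags are set. Two smaller points on the same hunk: the `set_fact` task has no `name:` unlike its siblings, and `"{{ true if oidc_applied.stdout | bool else false }}"` can simply be `"{{ oidc_applied.stdout | bool }}"` (likewise `"{{ dc_role.stdout != 'subcloud' }}"`).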
diff --git a/playbookconfig/src/playbooks/roles/migrate-platform-certificates-to-certmanager/migrate-certificates/tasks/check-for-management-alarms.yml b/playbookconfig/src/playbooks/roles/update-platform-certificates/tasks/check-for-management-alarms.yml
similarity index 95%
rename from playbookconfig/src/playbooks/roles/migrate-platform-certificates-to-certmanager/migrate-certificates/tasks/check-for-management-alarms.yml
rename to playbookconfig/src/playbooks/roles/update-platform-certificates/tasks/check-for-management-alarms.yml
index dc87f28a5..84d4aa3b2 100644
--- a/playbookconfig/src/playbooks/roles/migrate-platform-certificates-to-certmanager/migrate-certificates/tasks/check-for-management-alarms.yml
+++ b/playbookconfig/src/playbooks/roles/update-platform-certificates/tasks/check-for-management-alarms.yml
@@ -1,6 +1,6 @@
 ---
 #
-# Copyright (c) 2021-2022 Wind River Systems, Inc.
+# Copyright (c) 2021-2023 Wind River Systems, Inc.
 #
 # SPDX-License-Identifier: Apache-2.0
 #
diff --git a/playbookconfig/src/playbooks/roles/migrate-platform-certificates-to-certmanager/migrate-certificates/tasks/get-certificates-summary.yml b/playbookconfig/src/playbooks/roles/update-platform-certificates/tasks/get-certificates-summary.yml
similarity index 94%
rename from playbookconfig/src/playbooks/roles/migrate-platform-certificates-to-certmanager/migrate-certificates/tasks/get-certificates-summary.yml
rename to playbookconfig/src/playbooks/roles/update-platform-certificates/tasks/get-certificates-summary.yml
index 47dc8e38e..12b62d89b 100644
--- a/playbookconfig/src/playbooks/roles/migrate-platform-certificates-to-certmanager/migrate-certificates/tasks/get-certificates-summary.yml
+++ b/playbookconfig/src/playbooks/roles/update-platform-certificates/tasks/get-certificates-summary.yml
@@ -1,6 +1,6 @@
 ---
 #
-# Copyright (c) 2021-2022 Wind River Systems, Inc.
+# Copyright (c) 2021-2023 Wind River Systems, Inc.
 #
 # SPDX-License-Identifier: Apache-2.0
 #
diff --git a/playbookconfig/src/playbooks/roles/migrate-platform-certificates-to-certmanager/migrate-certificates/tasks/main.yml b/playbookconfig/src/playbooks/roles/update-platform-certificates/tasks/main.yml similarity index 94% rename from playbookconfig/src/playbooks/roles/migrate-platform-certificates-to-certmanager/migrate-certificates/tasks/main.yml rename to playbookconfig/src/playbooks/roles/update-platform-certificates/tasks/main.yml index 22664ddd3..88beeeffd 100644 --- a/playbookconfig/src/playbooks/roles/migrate-platform-certificates-to-certmanager/migrate-certificates/tasks/main.yml +++ b/playbookconfig/src/playbooks/roles/update-platform-certificates/tasks/main.yml @@ -10,8 +10,8 @@ # Before installing new certificates, a backup of old ones is saved to # /home/sysadmin/certificates_backup/ in case they are needed # -# The ICA used as issuer of the certificates created, is also installed -# to the platform as a Trusted CA +# The RCA that signs the ICA that is used to issue the certificates created +# is also installed to the platform as a Trusted CA # # For oidc-auth-app certificate an application-apply is also performed # in order to restart the application with the new certificate @@ -22,6 +22,16 @@ include_tasks: check-for-management-alarms.yml when: ignore_alarms is undefined or ignore_alarms | bool == False + - name: Install Root CA certificate as trusted by the platform + include_role: + name: common/verify-and-install-system-local-ca-certs + vars: + - install_rca: true + + - name: Restart kube-apiserver to pick the new certificate + include_role: + name: common/restart-kube-apiserver + - name: Check certificates to be installed include_tasks: check-certificates-to-be-installed.yml 
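Review bot: The relocated `include_role` for common/verify-and-install-system-local-ca-certs passes its variable as a one-element list (`vars:` then `- install_rca: true`); recent ansible-core versions warn that a list of dictionaries for `vars` is deprecated in favour of a mapping, so while the block is being moved it should become `vars:` with `install_rca: true` nested as a plain key (the removed copy in the next hunk and the playbook's last hunk use the same list form). Because the Trusted CA install and the kube-apiserver restart now run before `check-certificates-to-be-installed.yml`, they happen on every invocation regardless of whether any leaf certificate changes; if the enclosing block is not already limited to `mode == 'update'` (its `when` is outside the hunk), a check run would now modify the platform trust store and bounce the apiserver, which is worth confirming. The enclosing block starts and ends outside the hunk.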
@@ -140,16 +150,6 @@ name: common/delete-kubernetes-resources loop: "{{ certs_to_renew.stdout_lines | map('from_yaml') | unique | list }}" - - name: Install certificates as system Trusted CA certificates - include_role: - name: common/verify-and-install-system-local-ca-certs - vars: - - install_rca: true - - - name: Restart kube-apiserver to pick the new certificates - include_role: - name: common/restart-kube-apiserver - - name: Update oidc-auth-apps in order to use new certificate include_tasks: reapply-oidc-auth-app.yml when: oidc_applied.stdout | bool @@ -227,22 +227,22 @@ - { secret: system-registry-local-certificate, namespace: deployment, - should_run: 'true' + should_run: "{{ install_system_registry_local_certificate }}" } - { secret: system-restapi-gui-certificate, namespace: deployment, - should_run: "{{https_enabled.stdout}}" + should_run: "{{ install_system_restapi_gui_certificate }}" } - { secret: oidc-auth-apps-certificate, namespace: kube-system, - should_run: "{{oidc_applied.stdout}}" + should_run: "{{ install_oidc_auth_apps_certificate }}" } - { secret: system-openldap-local-certificate, namespace: deployment, - should_run: "{{ true if openldap_certificate_exists.stdout | int == 0 else false }}" + should_run: "{{ install_system_open_ldap_certificate }}" } when: mode == 'check' diff --git a/playbookconfig/src/playbooks/roles/migrate-platform-certificates-to-certmanager/migrate-certificates/tasks/reapply-oidc-auth-app.yml b/playbookconfig/src/playbooks/roles/update-platform-certificates/tasks/reapply-oidc-auth-app.yml similarity index 100% rename from playbookconfig/src/playbooks/roles/migrate-platform-certificates-to-certmanager/migrate-certificates/tasks/reapply-oidc-auth-app.yml rename to playbookconfig/src/playbooks/roles/update-platform-certificates/tasks/reapply-oidc-auth-app.yml 
diff --git a/playbookconfig/src/playbooks/roles/migrate-platform-certificates-to-certmanager/migrate-certificates/vars/main.yaml b/playbookconfig/src/playbooks/roles/update-platform-certificates/vars/main.yaml
similarity index 100%
rename from playbookconfig/src/playbooks/roles/migrate-platform-certificates-to-certmanager/migrate-certificates/vars/main.yaml
rename to playbookconfig/src/playbooks/roles/update-platform-certificates/vars/main.yaml
diff --git a/playbookconfig/src/playbooks/migrate_platform_certificates_to_certmanager.yml b/playbookconfig/src/playbooks/update_platform_certificates.yml
similarity index 86%
rename from playbookconfig/src/playbooks/migrate_platform_certificates_to_certmanager.yml
rename to playbookconfig/src/playbooks/update_platform_certificates.yml
index dbd2cf523..7bbbb2209 100644
--- a/playbookconfig/src/playbooks/migrate_platform_certificates_to_certmanager.yml
+++ b/playbookconfig/src/playbooks/update_platform_certificates.yml
@@ -13,18 +13,20 @@ # To run the playbook, the user would define an overrides file that # provides the required variable settings, passing this on the ansible # command-line as a parameter. -# (see migrate-platform-certificates-to-certmanager-inventory-EXAMPLE.yml) +# (see update-platform-certificates-inventory-EXAMPLE.yml) # # Example command: -# ansible-playbook migrate_platform_certificates_to_certmanager.yml \ -# -i @migrate-platform-certificates-to-certmanager-inventory.yml \ +# ansible-playbook update_platform_certificates.yml \ +# -i @update-platform-certificates-inventory.yml \ # --extra-vars "target_list=subcloud1 mode=update" # # Use target_list to target individual subclouds, or a comma-separated # list of subclouds such as 'subcloud1,subcloud2'. To target all online # subclouds at once use target_list=all_online_subclouds # -# To target the system controller or standalone systems use target_list=localhost +# To target the system controller or standalone systems use target_list=localhost. +# It's recomended to have always at least localhost in the target_list, avoiding +# the loss of consistency of the certificates between the hosts in DC systems. # - hosts: localhost @@ -65,12 +67,12 @@ - hosts: target_group gather_facts: no vars_files: - - host_vars/migrate_platform_certificates_to_certmanager/default.yml + - host_vars/update_platform_certificates/default.yml # for mode=check the output is too messy with free strategy strategy: "{{ 'linear' if mode == 'check' else 'free' }}" roles: - - migrate-platform-certificates-to-certmanager/migrate-certificates + - update-platform-certificates # Ensures ICA is also installed in system controller # even when target_list contains only subclouds @@ -81,7 +83,7 @@ gather_facts: no tasks: - block: - - name: Install certificates as system Trusted CA certificates + - name: Install Root CA certificate as trusted by the platform include_role: name: common/verify-and-install-system-local-ca-certs vars:
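Review bot: The example command in this header still shows `# --extra-vars "target_list=subcloud1 mode=update"` while the two lines added directly below recommend always including localhost, and the inventory example in this same patch was changed to `target_list=localhost,subcloud1`; the two examples now contradict each other. Update the command here to `# --extra-vars "target_list=localhost,subcloud1 mode=update"` so the header demonstrates the recommendation it states. The `all_online_subclouds` line was also quoted in the inventory example but left unquoted here, which is a minor consistency nit.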
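Review bot: `vars_files` now points at `host_vars/update_platform_certificates/default.yml`, but the rename recorded by this patch moves that file to `host_vars/update-platform-certificates/default.yml` (hyphens, per the diffstat and the `rename to` header), so the `target_group` play will fail at startup because the vars file does not exist. Change the entry to `- host_vars/update-platform-certificates/default.yml`, or rename the directory to the underscore form if matching the playbook name is the intended convention; either way the two must agree. The `roles:` entry on the next lines already uses the hyphenated `update-platform-certificates` name, which suggests the hyphenated path is the intended one.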