Rework platform certificates migration

Renamed the playbook to 'update_platform_certificates.yml', to reflect
the intention behind moving forward (not only to migrate the platform
certificates to cert-manager, but to be an easy way to update the local
issuer (system-local-ca) CA certificates as well as the leaf
certificates data).

Moved the install of the RCA to the beginning of the execution, as
several validations are made in the role and it's useful to have
them fail if a problem is detected before issuing the leaf
certificates.

Updated the conditions for creating the certificates to issue the
Rest API / GUI certificate (default behavior from now onward). Fixed
the condition for having the Local OpenLDAP certificate (host role is
not subcloud).

Test plan:
PASS: Deploy a system with the feature flag enabled in the localhost
      file ('create_platform_certificates'). Apply oidc. Execute the
      playbook using the new name ('update_platform_certificates.yml')
      in 'update' and 'check' modes. Observe that it works as expected.
      Checked:
      - The provided RCA is installed as Trusted CA;
      - The resulting certificates are correct;
      - Login to the Local Docker Registry is working;
      - OIDC is working as expected;
      - Horizon is working as expected;
      - OpenLDAP is working as expected.

Story: 2009811
Task: 48908

Change-Id: I9b928b1080a28bebb0362ac8d68be387bd4a67da
Signed-off-by: Marcelo Loebens <Marcelo.DeCastroLoebens@windriver.com>
Marcelo Loebens 2023-11-14 17:42:12 -04:00 committed by Marcelo de Castro Loebens
parent 9e98dc1260
commit b7c629b603
12 changed files with 69 additions and 66 deletions


@ -5,22 +5,24 @@
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
# #
# This is an example inventory file to be used for # This is an example inventory file to be used for
# usr/share/ansible/stx-ansible/playbooks/migrate_platform_certificates_to_certmanager.yml # usr/share/ansible/stx-ansible/playbooks/update_platform_certificates.yml
# playbook. # playbook.
# #
# To run the playbook, the user would define an overrides file (as exemplified here) # To run the playbook, the user would define an overrides file (as exemplified here)
# providing the required variable settings and pass it on the ansible command-line as a parameter. # providing the required variable settings and pass it on the ansible command-line as a parameter.
# #
# Example ansible command: # Example ansible command:
# ansible-playbook migrate_platform_certificates_to_certmanager.yml \ # ansible-playbook update_platform_certificates.yml \
# -i @my-inventory-file.yml \ # -i @my-inventory-file.yml \
# --extra-vars "target_list=subcloud1 mode=update" # --extra-vars "target_list=localhost,subcloud1 mode=update"
# Use target_list to target individual subclouds, or a comma-separated # Use target_list to target individual subclouds, or a comma-separated
# list of subclouds such as 'subcloud1,subcloud2'. To target all online # list of subclouds such as 'subcloud1,subcloud2'. To target all online
# subclouds at once use target_list=all_online_subclouds # subclouds at once use 'target_list=all_online_subclouds'.
# #
# To target the system controller or standalone systems use target_list=localhost # To target the system controller or standalone systems use 'target_list=localhost'.
# It's recomended to have always at least localhost in the target_list, avoiding
# the loss of consistency of the certificates between the hosts in DC systems.
# #
# Note on the example parameters below : # Note on the example parameters below :
# #
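Review bot: the added comment on the two new lines ("It's recomended to have always at least localhost in the target_list") has a typo and awkward word order; suggest "It's recommended to always have at least localhost in target_list, to avoid the certificates becoming inconsistent between the hosts in DC systems." The updated example command (target_list=localhost,subcloud1) already follows that advice, which is good, since a subcloud-only run would leave the system controller's trust store out of step with the subclouds it manages.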


@ -59,7 +59,7 @@
{% endif %} {% endif %}
Manual action required! On the subcloud, please update the expired certificates with Manual action required! On the subcloud, please update the expired certificates with
`system certificate-install` or run `system certificate-install` or run
/usr/share/ansible/stx-ansible/playbooks/migrate_platform_certificates_to_certmanager.yml /usr/share/ansible/stx-ansible/playbooks/update_platform_certificates.yml
playbook following the section Migrate Platform Certificates to Use Cert Manager of the playbook following the section Migrate Platform Certificates to Use Cert Manager of the
docs. docs.
when: restapi_cert_expiration.rc is defined and when: restapi_cert_expiration.rc is defined and
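Review bot: the playbook path in this operator-facing alarm text is updated, but the sentence still tells the operator to follow "the section Migrate Platform Certificates to Use Cert Manager of the docs"; since the commit message says the playbook is now meant for routine updates and not only migration, check that the referenced doc section (or its title) is updated in the same cycle, otherwise the message points to a section that no longer matches the procedure.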


@ -1,34 +0,0 @@
---
#
# Copyright (c) 2021-2023 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# Check if https_enabled is enabled and if oidc-auth-apps is applied
# in order to determine which certificates need to be installed
#
- name: Check if system is https_enabled
shell: |
source /etc/platform/openrc
system show | grep https_enabled | awk '{ print $4 }'
register: https_enabled
- name: Check if oidc-auth-apps is applied
shell: |
source /etc/platform/openrc
system application-show oidc-auth-apps --column status --format value | \
awk '{ if ($0 == "applied") print "true"; else print "false"; }'
register: oidc_applied
- name: Check if openldap certificate exists
shell: |
source /etc/platform/openrc
system certificate-list | grep openldap | \
awk '{ if ($0 != "") print "true"; exit}'
register: openldap_certificate_exists
- set_fact:
install_oidc_auth_apps_certificate: "{{ true if oidc_applied.stdout | bool else false }}"
install_system_open_ldap_certificate: "{{ true if openldap_certificate_exists.stdout | bool else false }}"
install_system_registry_local_certificate: true
install_system_restapi_gui_certificate: "{{ true if https_enabled.stdout | bool else false }}"
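Review bot: deleting this file removes the only place where `https_enabled` and `openldap_certificate_exists` are registered, so any remaining task or template in the role that still reads `https_enabled.stdout` or `openldap_certificate_exists.stdout` will fail with an undefined variable at runtime. The check-mode list is updated in this change, but grep the rest of the role (and any task file that used to include this one) for leftover references before merging.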


@ -1,6 +1,6 @@
#!/usr/bin/python #!/usr/bin/python
# #
# Copyright (c) 2022 Wind River Systems, Inc. # Copyright (c) 2022-2023 Wind River Systems, Inc.
# #
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
# #


@ -0,0 +1,33 @@
---
#
# Copyright (c) 2021-2023 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# Define variables (flags) that will be used in certificate creation.
# Depending on the boolean value of the flags, the certificates will be
# issued by local cluster issuer using 'system-local-ca' secret.
# The platform certificates are:
# - OIDC-Auth-Apps (not required)
# - Local OpenLDAP (required for standalone and DC SystemController)
# - Docker Registry (required)
# - REST API / Web Server GUI (required)
#
- name: Check if oidc-auth-apps is applied
shell: |
source /etc/platform/openrc
system application-show oidc-auth-apps --column status --format value | \
awk '{ if ($0 == "applied") print "true"; else print "false"; }'
register: oidc_applied
- name: Get distributed_cloud role
shell: |
source /etc/platform/openrc
system show | grep distributed_cloud_role | awk '{ print $4 }'
register: dc_role
- set_fact:
install_oidc_auth_apps_certificate: "{{ true if oidc_applied.stdout | bool else false }}"
install_system_open_ldap_certificate: "{{ true if dc_role.stdout != 'subcloud' else false }}"
install_system_registry_local_certificate: true
install_system_restapi_gui_certificate: true
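Review bot: the `dc_role` lookup has no failure handling, and its result decides whether the OpenLDAP certificate is issued. The exit status of `system show | grep ... | awk ...` is awk's, so if `system show` fails (keystone down, openrc not sourced) the task succeeds with an empty stdout, and `dc_role.stdout != 'subcloud'` then evaluates to true, silently treating a subcloud as a standalone/system controller. Suggest adding `set -o pipefail` at the top of the script and `failed_when: dc_role.stdout == ""` so a broken lookup aborts the run instead of picking a default. The same applies to the `oidc_applied` task; there the awk branch masks the failure as "false". Minor: `"{{ true if oidc_applied.stdout | bool else false }}"` is equivalent to `"{{ oidc_applied.stdout | bool }}"`.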


@ -1,6 +1,6 @@
--- ---
# #
# Copyright (c) 2021-2022 Wind River Systems, Inc. # Copyright (c) 2021-2023 Wind River Systems, Inc.
# #
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
# #


@ -1,6 +1,6 @@
--- ---
# #
# Copyright (c) 2021-2022 Wind River Systems, Inc. # Copyright (c) 2021-2023 Wind River Systems, Inc.
# #
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
# #


@ -10,8 +10,8 @@
# Before installing new certificates, a backup of old ones is saved to # Before installing new certificates, a backup of old ones is saved to
# /home/sysadmin/certificates_backup/ in case they are needed # /home/sysadmin/certificates_backup/ in case they are needed
# #
# The ICA used as issuer of the certificates created, is also installed # The RCA that signs the ICA that is used to issue the certificates created
# to the platform as a Trusted CA # is also installed to the platform as a Trusted CA
# #
# For oidc-auth-app certificate an application-apply is also performed # For oidc-auth-app certificate an application-apply is also performed
# in order to restart the application with the new certificate # in order to restart the application with the new certificate
@ -22,6 +22,16 @@
include_tasks: check-for-management-alarms.yml include_tasks: check-for-management-alarms.yml
when: ignore_alarms is undefined or ignore_alarms | bool == False when: ignore_alarms is undefined or ignore_alarms | bool == False
- name: Install Root CA certificate as trusted by the platform
include_role:
name: common/verify-and-install-system-local-ca-certs
vars:
- install_rca: true
- name: Restart kube-apiserver to pick the new certificate
include_role:
name: common/restart-kube-apiserver
- name: Check certificates to be installed - name: Check certificates to be installed
include_tasks: check-certificates-to-be-installed.yml include_tasks: check-certificates-to-be-installed.yml
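Review bot: the RCA install and the kube-apiserver restart now run before the leaf certificates are even checked, and nothing visible in this hunk gates them on `mode`. Since the same role is run with `mode=check` (the check-mode list further down is guarded by `when: mode == 'check'`), confirm that a check run does not modify the platform trust store or restart kube-apiserver; if it does, add `when: mode == 'update'` to both tasks, or make the restart conditional on the role reporting that the RCA actually changed. Moving the RCA validation ahead of leaf issuance is otherwise the right order, since a bad CA is then caught before any leaf certificate is replaced.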
@ -140,16 +150,6 @@
name: common/delete-kubernetes-resources name: common/delete-kubernetes-resources
loop: "{{ certs_to_renew.stdout_lines | map('from_yaml') | unique | list }}" loop: "{{ certs_to_renew.stdout_lines | map('from_yaml') | unique | list }}"
- name: Install certificates as system Trusted CA certificates
include_role:
name: common/verify-and-install-system-local-ca-certs
vars:
- install_rca: true
- name: Restart kube-apiserver to pick the new certificates
include_role:
name: common/restart-kube-apiserver
- name: Update oidc-auth-apps in order to use new certificate - name: Update oidc-auth-apps in order to use new certificate
include_tasks: reapply-oidc-auth-app.yml include_tasks: reapply-oidc-auth-app.yml
when: oidc_applied.stdout | bool when: oidc_applied.stdout | bool
@ -227,22 +227,22 @@
- { - {
secret: system-registry-local-certificate, secret: system-registry-local-certificate,
namespace: deployment, namespace: deployment,
should_run: 'true' should_run: "{{ install_system_registry_local_certificate }}"
} }
- { - {
secret: system-restapi-gui-certificate, secret: system-restapi-gui-certificate,
namespace: deployment, namespace: deployment,
should_run: "{{https_enabled.stdout}}" should_run: "{{ install_system_restapi_gui_certificate }}"
} }
- { - {
secret: oidc-auth-apps-certificate, secret: oidc-auth-apps-certificate,
namespace: kube-system, namespace: kube-system,
should_run: "{{oidc_applied.stdout}}" should_run: "{{ install_oidc_auth_apps_certificate }}"
} }
- { - {
secret: system-openldap-local-certificate, secret: system-openldap-local-certificate,
namespace: deployment, namespace: deployment,
should_run: "{{ true if openldap_certificate_exists.stdout | int == 0 else false }}" should_run: "{{ install_system_open_ldap_certificate }}"
} }
when: mode == 'check' when: mode == 'check'
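Review bot: `should_run` changes from the string `'true'` (and raw `stdout` strings) to Jinja booleans produced by the new flags. Verify that whatever consumes this list (the check task using `item.should_run`) evaluates it with `| bool` rather than comparing against the string `'true'`, otherwise every entry would now be skipped or always run. The replaced OpenLDAP condition, `openldap_certificate_exists.stdout | int == 0`, was comparing a "true"/"false" string to an integer, so dropping it in favour of `install_system_open_ldap_certificate` also fixes a latent bug.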


@ -13,18 +13,20 @@
# To run the playbook, the user would define an overrides file that # To run the playbook, the user would define an overrides file that
# provides the required variable settings, passing this on the ansible # provides the required variable settings, passing this on the ansible
# command-line as a parameter. # command-line as a parameter.
# (see migrate-platform-certificates-to-certmanager-inventory-EXAMPLE.yml) # (see update-platform-certificates-inventory-EXAMPLE.yml)
# #
# Example command: # Example command:
# ansible-playbook migrate_platform_certificates_to_certmanager.yml \ # ansible-playbook update_platform_certificates.yml \
# -i @migrate-platform-certificates-to-certmanager-inventory.yml \ # -i @update-platform-certificates-inventory.yml \
# --extra-vars "target_list=subcloud1 mode=update" # --extra-vars "target_list=subcloud1 mode=update"
# #
# Use target_list to target individual subclouds, or a comma-separated # Use target_list to target individual subclouds, or a comma-separated
# list of subclouds such as 'subcloud1,subcloud2'. To target all online # list of subclouds such as 'subcloud1,subcloud2'. To target all online
# subclouds at once use target_list=all_online_subclouds # subclouds at once use target_list=all_online_subclouds
# #
# To target the system controller or standalone systems use target_list=localhost # To target the system controller or standalone systems use target_list=localhost.
# It's recomended to have always at least localhost in the target_list, avoiding
# the loss of consistency of the certificates between the hosts in DC systems.
# #
- hosts: localhost - hosts: localhost
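Review bot: the example command in this header still shows `target_list=subcloud1`, while the two new comment lines directly below recommend always including localhost; align the example with the inventory example file (`target_list=localhost,subcloud1 mode=update`) so the first thing an operator copies already follows the recommendation. Same typo as in the inventory file: "recomended" should be "recommended", and "have always at least localhost" reads better as "always have at least localhost".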
@ -65,12 +67,12 @@
- hosts: target_group - hosts: target_group
gather_facts: no gather_facts: no
vars_files: vars_files:
- host_vars/migrate_platform_certificates_to_certmanager/default.yml - host_vars/update_platform_certificates/default.yml
# for mode=check the output is too messy with free strategy # for mode=check the output is too messy with free strategy
strategy: "{{ 'linear' if mode == 'check' else 'free' }}" strategy: "{{ 'linear' if mode == 'check' else 'free' }}"
roles: roles:
- migrate-platform-certificates-to-certmanager/migrate-certificates - update-platform-certificates
# Ensures ICA is also installed in system controller # Ensures ICA is also installed in system controller
# even when target_list contains only subclouds # even when target_list contains only subclouds
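Review bot: the trailing comment "Ensures ICA is also installed in system controller" is now stale: the task it describes is renamed in the next hunk to "Install Root CA certificate as trusted by the platform", and the role header in this change says it is the RCA that gets installed as Trusted CA. Update the comment to say RCA so the play's intent matches the task and the documented behaviour.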
@ -81,7 +83,7 @@
gather_facts: no gather_facts: no
tasks: tasks:
- block: - block:
- name: Install certificates as system Trusted CA certificates - name: Install Root CA certificate as trusted by the platform
include_role: include_role:
name: common/verify-and-install-system-local-ca-certs name: common/verify-and-install-system-local-ca-certs
vars: vars: