Rework platform certificates migration
Renamed the playbook to 'update_platform_certificates.yml', to reflect the intention behind moving forward (not only to migrate the platform certificates to cert-manager, but to be an easy way to update the local issuer (system-local-ca) CA certificates as well as the leaf certificates data. Moved the install of the RCA to the beginning of the execution, as several validations are made in the role and it's useful to have them fail if a problem is detected before issuing the leaf certificates. Updated the conditions for creating the certificates to issue the Rest API / GUI certificate (default behavior from now onward). Fixed the condition for having the Local OpenLDAP certificate (host role is not subcloud). Test plan: PASS: Deploy a system with the feature flag enabled in the localhost file ('create_platform_certificates'). Apply oidc. Execute the playbook using the new name ('update_platform_certificates.yml') in 'update' and 'check' modes. Observe that it works as expected. Checked: - The provided RCA is installed as Trusted CA; - The resulting certificates are correct; - Login in Local Docker Registry is working; - OIDC is working as expected; - Horizon is working as expected; - OpenLDAP is working as expected. Story: 2009811 Task: 48908 Change-Id: I9b928b1080a28bebb0362ac8d68be387bd4a67da Signed-off-by: Marcelo Loebens <Marcelo.DeCastroLoebens@windriver.com>
parent
9e98dc1260
commit
b7c629b603
@ -5,22 +5,24 @@
|
|||||||
# SPDX-License-Identifier: Apache-2.0
|
# SPDX-License-Identifier: Apache-2.0
|
||||||
#
|
#
|
||||||
# This is an example inventory file to be used for
|
# This is an example inventory file to be used for
|
||||||
# usr/share/ansible/stx-ansible/playbooks/migrate_platform_certificates_to_certmanager.yml
|
# usr/share/ansible/stx-ansible/playbooks/update_platform_certificates.yml
|
||||||
# playbook.
|
# playbook.
|
||||||
#
|
#
|
||||||
# To run the playbook, the user would define an overrides file (as exemplified here)
|
# To run the playbook, the user would define an overrides file (as exemplified here)
|
||||||
# providing the required variable settings and pass it on the ansible command-line as a parameter.
|
# providing the required variable settings and pass it on the ansible command-line as a parameter.
|
||||||
#
|
#
|
||||||
# Example ansible command:
|
# Example ansible command:
|
||||||
# ansible-playbook migrate_platform_certificates_to_certmanager.yml \
|
# ansible-playbook update_platform_certificates.yml \
|
||||||
# -i @my-inventory-file.yml \
|
# -i @my-inventory-file.yml \
|
||||||
# --extra-vars "target_list=subcloud1 mode=update"
|
# --extra-vars "target_list=localhost,subcloud1 mode=update"
|
||||||
|
|
||||||
# Use target_list to target individual subclouds, or a comma-separated
|
# Use target_list to target individual subclouds, or a comma-separated
|
||||||
# list of subclouds such as 'subcloud1,subcloud2'. To target all online
|
# list of subclouds such as 'subcloud1,subcloud2'. To target all online
|
||||||
# subclouds at once use target_list=all_online_subclouds
|
# subclouds at once use 'target_list=all_online_subclouds'.
|
||||||
#
|
#
|
||||||
# To target the system controller or standalone systems use target_list=localhost
|
# To target the system controller or standalone systems use 'target_list=localhost'.
|
||||||
|
# It's recomended to have always at least localhost in the target_list, avoiding
|
||||||
|
# the loss of consistency of the certificates between the hosts in DC systems.
|
||||||
#
|
#
|
||||||
# Note on the example parameters below :
|
# Note on the example parameters below :
|
||||||
#
|
#
|
@ -59,7 +59,7 @@
|
|||||||
{% endif %}
|
{% endif %}
|
||||||
Manual action required! On the subcloud, please update the expired certificates with
|
Manual action required! On the subcloud, please update the expired certificates with
|
||||||
`system certificate-install` or run
|
`system certificate-install` or run
|
||||||
/usr/share/ansible/stx-ansible/playbooks/migrate_platform_certificates_to_certmanager.yml
|
/usr/share/ansible/stx-ansible/playbooks/update_platform_certificates.yml
|
||||||
playbook following the section Migrate Platform Certificates to Use Cert Manager of the
|
playbook following the section Migrate Platform Certificates to Use Cert Manager of the
|
||||||
docs.
|
docs.
|
||||||
when: restapi_cert_expiration.rc is defined and
|
when: restapi_cert_expiration.rc is defined and
|
||||||
|
@ -1,34 +0,0 @@
|
|||||||
---
|
|
||||||
#
|
|
||||||
# Copyright (c) 2021-2023 Wind River Systems, Inc.
|
|
||||||
#
|
|
||||||
# SPDX-License-Identifier: Apache-2.0
|
|
||||||
#
|
|
||||||
# Check if https_enabled is enabled and if oidc-auth-apps is applied
|
|
||||||
# in order to determine which certificates need to be installed
|
|
||||||
#
|
|
||||||
- name: Check if system is https_enabled
|
|
||||||
shell: |
|
|
||||||
source /etc/platform/openrc
|
|
||||||
system show | grep https_enabled | awk '{ print $4 }'
|
|
||||||
register: https_enabled
|
|
||||||
|
|
||||||
- name: Check if oidc-auth-apps is applied
|
|
||||||
shell: |
|
|
||||||
source /etc/platform/openrc
|
|
||||||
system application-show oidc-auth-apps --column status --format value | \
|
|
||||||
awk '{ if ($0 == "applied") print "true"; else print "false"; }'
|
|
||||||
register: oidc_applied
|
|
||||||
|
|
||||||
- name: Check if openldap certificate exists
|
|
||||||
shell: |
|
|
||||||
source /etc/platform/openrc
|
|
||||||
system certificate-list | grep openldap | \
|
|
||||||
awk '{ if ($0 != "") print "true"; exit}'
|
|
||||||
register: openldap_certificate_exists
|
|
||||||
|
|
||||||
- set_fact:
|
|
||||||
install_oidc_auth_apps_certificate: "{{ true if oidc_applied.stdout | bool else false }}"
|
|
||||||
install_system_open_ldap_certificate: "{{ true if openldap_certificate_exists.stdout | bool else false }}"
|
|
||||||
install_system_registry_local_certificate: true
|
|
||||||
install_system_restapi_gui_certificate: "{{ true if https_enabled.stdout | bool else false }}"
|
|
@ -1,6 +1,6 @@
|
|||||||
#!/usr/bin/python
|
#!/usr/bin/python
|
||||||
#
|
#
|
||||||
# Copyright (c) 2022 Wind River Systems, Inc.
|
# Copyright (c) 2022-2023 Wind River Systems, Inc.
|
||||||
#
|
#
|
||||||
# SPDX-License-Identifier: Apache-2.0
|
# SPDX-License-Identifier: Apache-2.0
|
||||||
#
|
#
|
@ -0,0 +1,33 @@
|
|||||||
|
---
|
||||||
|
#
|
||||||
|
# Copyright (c) 2021-2023 Wind River Systems, Inc.
|
||||||
|
#
|
||||||
|
# SPDX-License-Identifier: Apache-2.0
|
||||||
|
#
|
||||||
|
# Define variables (flags) that will be used in certificate creation.
|
||||||
|
# Depending on the boolean value of the flags, the certificates will be
|
||||||
|
# issued by local cluster issuer using 'system-local-ca' secret.
|
||||||
|
# The platform certificates are:
|
||||||
|
# - OIDC-Auth-Apps (not required)
|
||||||
|
# - Local OpenLDAP (required for standalone and DC SystemController)
|
||||||
|
# - Docker Registry (required)
|
||||||
|
# - REST API / Web Server GUI (required)
|
||||||
|
#
|
||||||
|
- name: Check if oidc-auth-apps is applied
|
||||||
|
shell: |
|
||||||
|
source /etc/platform/openrc
|
||||||
|
system application-show oidc-auth-apps --column status --format value | \
|
||||||
|
awk '{ if ($0 == "applied") print "true"; else print "false"; }'
|
||||||
|
register: oidc_applied
|
||||||
|
|
||||||
|
- name: Get distributed_cloud role
|
||||||
|
shell: |
|
||||||
|
source /etc/platform/openrc
|
||||||
|
system show | grep distributed_cloud_role | awk '{ print $4 }'
|
||||||
|
register: dc_role
|
||||||
|
|
||||||
|
- set_fact:
|
||||||
|
install_oidc_auth_apps_certificate: "{{ true if oidc_applied.stdout | bool else false }}"
|
||||||
|
install_system_open_ldap_certificate: "{{ true if dc_role.stdout != 'subcloud' else false }}"
|
||||||
|
install_system_registry_local_certificate: true
|
||||||
|
install_system_restapi_gui_certificate: true
|
@ -1,6 +1,6 @@
|
|||||||
---
|
---
|
||||||
#
|
#
|
||||||
# Copyright (c) 2021-2022 Wind River Systems, Inc.
|
# Copyright (c) 2021-2023 Wind River Systems, Inc.
|
||||||
#
|
#
|
||||||
# SPDX-License-Identifier: Apache-2.0
|
# SPDX-License-Identifier: Apache-2.0
|
||||||
#
|
#
|
@ -1,6 +1,6 @@
|
|||||||
---
|
---
|
||||||
#
|
#
|
||||||
# Copyright (c) 2021-2022 Wind River Systems, Inc.
|
# Copyright (c) 2021-2023 Wind River Systems, Inc.
|
||||||
#
|
#
|
||||||
# SPDX-License-Identifier: Apache-2.0
|
# SPDX-License-Identifier: Apache-2.0
|
||||||
#
|
#
|
@ -10,8 +10,8 @@
|
|||||||
# Before installing new certificates, a backup of old ones is saved to
|
# Before installing new certificates, a backup of old ones is saved to
|
||||||
# /home/sysadmin/certificates_backup/ in case they are needed
|
# /home/sysadmin/certificates_backup/ in case they are needed
|
||||||
#
|
#
|
||||||
# The ICA used as issuer of the certificates created, is also installed
|
# The RCA that signs the ICA that is used to issue the certificates created
|
||||||
# to the platform as a Trusted CA
|
# is also installed to the platform as a Trusted CA
|
||||||
#
|
#
|
||||||
# For oidc-auth-app certificate an application-apply is also performed
|
# For oidc-auth-app certificate an application-apply is also performed
|
||||||
# in order to restart the application with the new certificate
|
# in order to restart the application with the new certificate
|
||||||
@ -22,6 +22,16 @@
|
|||||||
include_tasks: check-for-management-alarms.yml
|
include_tasks: check-for-management-alarms.yml
|
||||||
when: ignore_alarms is undefined or ignore_alarms | bool == False
|
when: ignore_alarms is undefined or ignore_alarms | bool == False
|
||||||
|
|
||||||
|
- name: Install Root CA certificate as trusted by the platform
|
||||||
|
include_role:
|
||||||
|
name: common/verify-and-install-system-local-ca-certs
|
||||||
|
vars:
|
||||||
|
- install_rca: true
|
||||||
|
|
||||||
|
- name: Restart kube-apiserver to pick the new certificate
|
||||||
|
include_role:
|
||||||
|
name: common/restart-kube-apiserver
|
||||||
|
|
||||||
- name: Check certificates to be installed
|
- name: Check certificates to be installed
|
||||||
include_tasks: check-certificates-to-be-installed.yml
|
include_tasks: check-certificates-to-be-installed.yml
|
||||||
|
|
||||||
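Review bot: The relocated `Install Root CA certificate as trusted by the platform` task and the `Restart kube-apiserver to pick the new certificate` include carry no `when`, so unless the enclosing task list — which starts outside the hunk — is already restricted to `mode == 'update'`, a `mode=check` run now installs the RCA into the platform trust store and restarts kube-apiserver before any check result is printed; the old position of these tasks (removed in the `@ -140,16 +150,6 @@` hunk, after the certificate deletion loop) may have been covered by such a guard. If no guard exists above, add `when: mode == 'update'` to both tasks. Separately, `vars:` under `include_role` is written as a list (`- install_rca: true`); Ansible expects a mapping here and, as far as I recall, the list form is deprecated, so `vars:` followed by `  install_rca: true` is the portable spelling (the same form appears in the `@ -81,7 +83,7 @@` hunk of the playbook).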
@ -140,16 +150,6 @@
|
|||||||
name: common/delete-kubernetes-resources
|
name: common/delete-kubernetes-resources
|
||||||
loop: "{{ certs_to_renew.stdout_lines | map('from_yaml') | unique | list }}"
|
loop: "{{ certs_to_renew.stdout_lines | map('from_yaml') | unique | list }}"
|
||||||
|
|
||||||
- name: Install certificates as system Trusted CA certificates
|
|
||||||
include_role:
|
|
||||||
name: common/verify-and-install-system-local-ca-certs
|
|
||||||
vars:
|
|
||||||
- install_rca: true
|
|
||||||
|
|
||||||
- name: Restart kube-apiserver to pick the new certificates
|
|
||||||
include_role:
|
|
||||||
name: common/restart-kube-apiserver
|
|
||||||
|
|
||||||
- name: Update oidc-auth-apps in order to use new certificate
|
- name: Update oidc-auth-apps in order to use new certificate
|
||||||
include_tasks: reapply-oidc-auth-app.yml
|
include_tasks: reapply-oidc-auth-app.yml
|
||||||
when: oidc_applied.stdout | bool
|
when: oidc_applied.stdout | bool
|
||||||
@ -227,22 +227,22 @@
|
|||||||
- {
|
- {
|
||||||
secret: system-registry-local-certificate,
|
secret: system-registry-local-certificate,
|
||||||
namespace: deployment,
|
namespace: deployment,
|
||||||
should_run: 'true'
|
should_run: "{{ install_system_registry_local_certificate }}"
|
||||||
}
|
}
|
||||||
- {
|
- {
|
||||||
secret: system-restapi-gui-certificate,
|
secret: system-restapi-gui-certificate,
|
||||||
namespace: deployment,
|
namespace: deployment,
|
||||||
should_run: "{{https_enabled.stdout}}"
|
should_run: "{{ install_system_restapi_gui_certificate }}"
|
||||||
}
|
}
|
||||||
- {
|
- {
|
||||||
secret: oidc-auth-apps-certificate,
|
secret: oidc-auth-apps-certificate,
|
||||||
namespace: kube-system,
|
namespace: kube-system,
|
||||||
should_run: "{{oidc_applied.stdout}}"
|
should_run: "{{ install_oidc_auth_apps_certificate }}"
|
||||||
}
|
}
|
||||||
- {
|
- {
|
||||||
secret: system-openldap-local-certificate,
|
secret: system-openldap-local-certificate,
|
||||||
namespace: deployment,
|
namespace: deployment,
|
||||||
should_run: "{{ true if openldap_certificate_exists.stdout | int == 0 else false }}"
|
should_run: "{{ install_system_open_ldap_certificate }}"
|
||||||
}
|
}
|
||||||
|
|
||||||
when: mode == 'check'
|
when: mode == 'check'
|
@ -13,18 +13,20 @@
|
|||||||
# To run the playbook, the user would define an overrides file that
|
# To run the playbook, the user would define an overrides file that
|
||||||
# provides the required variable settings, passing this on the ansible
|
# provides the required variable settings, passing this on the ansible
|
||||||
# command-line as a parameter.
|
# command-line as a parameter.
|
||||||
# (see migrate-platform-certificates-to-certmanager-inventory-EXAMPLE.yml)
|
# (see update-platform-certificates-inventory-EXAMPLE.yml)
|
||||||
#
|
#
|
||||||
# Example command:
|
# Example command:
|
||||||
# ansible-playbook migrate_platform_certificates_to_certmanager.yml \
|
# ansible-playbook update_platform_certificates.yml \
|
||||||
# -i @migrate-platform-certificates-to-certmanager-inventory.yml \
|
# -i @update-platform-certificates-inventory.yml \
|
||||||
# --extra-vars "target_list=subcloud1 mode=update"
|
# --extra-vars "target_list=subcloud1 mode=update"
|
||||||
#
|
#
|
||||||
# Use target_list to target individual subclouds, or a comma-separated
|
# Use target_list to target individual subclouds, or a comma-separated
|
||||||
# list of subclouds such as 'subcloud1,subcloud2'. To target all online
|
# list of subclouds such as 'subcloud1,subcloud2'. To target all online
|
||||||
# subclouds at once use target_list=all_online_subclouds
|
# subclouds at once use target_list=all_online_subclouds
|
||||||
#
|
#
|
||||||
# To target the system controller or standalone systems use target_list=localhost
|
# To target the system controller or standalone systems use target_list=localhost.
|
||||||
|
# It's recomended to have always at least localhost in the target_list, avoiding
|
||||||
|
# the loss of consistency of the certificates between the hosts in DC systems.
|
||||||
#
|
#
|
||||||
|
|
||||||
- hosts: localhost
|
- hosts: localhost
|
||||||
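Review bot: The example command in this header keeps `# --extra-vars "target_list=subcloud1 mode=update"` while the two lines added just below recommend always including localhost in `target_list`, and the inventory example file in the first hunk was updated to `target_list=localhost,subcloud1` for the same reason; changing this line to `# --extra-vars "target_list=localhost,subcloud1 mode=update"` keeps the two examples consistent with the stated recommendation. The added line also carries the "recomended" typo noted on the inventory example hunk.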
@ -65,12 +67,12 @@
|
|||||||
- hosts: target_group
|
- hosts: target_group
|
||||||
gather_facts: no
|
gather_facts: no
|
||||||
vars_files:
|
vars_files:
|
||||||
- host_vars/migrate_platform_certificates_to_certmanager/default.yml
|
- host_vars/update_platform_certificates/default.yml
|
||||||
|
|
||||||
# for mode=check the output is too messy with free strategy
|
# for mode=check the output is too messy with free strategy
|
||||||
strategy: "{{ 'linear' if mode == 'check' else 'free' }}"
|
strategy: "{{ 'linear' if mode == 'check' else 'free' }}"
|
||||||
roles:
|
roles:
|
||||||
- migrate-platform-certificates-to-certmanager/migrate-certificates
|
- update-platform-certificates
|
||||||
|
|
||||||
# Ensures ICA is also installed in system controller
|
# Ensures ICA is also installed in system controller
|
||||||
# even when target_list contains only subclouds
|
# even when target_list contains only subclouds
|
||||||
@ -81,7 +83,7 @@
|
|||||||
gather_facts: no
|
gather_facts: no
|
||||||
tasks:
|
tasks:
|
||||||
- block:
|
- block:
|
||||||
- name: Install certificates as system Trusted CA certificates
|
- name: Install Root CA certificate as trusted by the platform
|
||||||
include_role:
|
include_role:
|
||||||
name: common/verify-and-install-system-local-ca-certs
|
name: common/verify-and-install-system-local-ca-certs
|
||||||
vars:
|
vars:
|