85712e2fb9
Included a default entries for the fields:
- 'commonName' - default now is <cert_short_name>
- 'localities' - default now is <region>
- 'organization' - default now is 'starlingx'
Where:
<region> is the region name
<cert_short_name> is an internal proper name used for each of the
platform certs.
These fields can still be overridden by the user during bootstrap / CA
update. The override 'subject_prefix' is now removed.
Modified update_platform_certificates.yml playbook to delete/recreate
the leaf certificates instead of re-configuring it. In some cases,
just re-configuring would not change nested values in the Certificate
spec entries. Also, waited for the local OpenLDAP cert to be ready
before progressing, avoiding issues with remaining tasks caused by
delays in cert-manager.
Test plan:
PASS: Bootstrap system without overriding 'subject_L', 'subject_O'
or 'subject_CN'.
Verify that the default fields are included.
PASS: W/ default values, test Horizon access.
PASS: W/ default values, test access through remote CLI.
PASS: W/ default values, test pulling images from the local
registry externally (outside the system).
PASS: Update platform certificates overriding all 'subject_*' fields.
Verify that the overridden values are included in the
respective fields.
Story: 2009811
Task: 49831
Change-Id: I208c30a6eb2c60397d50e6ea411ee5994fa27f9a
Signed-off-by: Marcelo Loebens <Marcelo.DeCastroLoebens@windriver.com>
108 lines
4.6 KiB
YAML
108 lines
4.6 KiB
YAML
---
|
|
#
|
|
# Copyright (c) 2021-2023 Wind River Systems, Inc.
|
|
#
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
#
|
|
# This is an example inventory file to be used for
|
|
# usr/share/ansible/stx-ansible/playbooks/update_platform_certificates.yml
|
|
# playbook.
|
|
#
|
|
# To run the playbook, the user would define an overrides file (as exemplified here)
|
|
# providing the required variable settings and pass it on the ansible command-line as a parameter.
|
|
#
|
|
# Example ansible command:
|
|
# ansible-playbook update_platform_certificates.yml \
|
|
# -i @my-inventory-file.yml \
|
|
# --extra-vars "target_list=localhost,subcloud1 mode=update"
|
|
|
|
# Use target_list to target individual subclouds, or a comma-separated
|
|
# list of subclouds such as 'subcloud1,subcloud2'. To target all online
|
|
# subclouds at once use 'target_list=all_online_subclouds'.
|
|
#
|
|
# To target the system controller or standalone systems use 'target_list=localhost'.
|
|
# It's recomended to have always at least localhost in the target_list, avoiding
|
|
# the loss of consistency of the certificates between the hosts in DC systems.
|
|
#
|
|
# Note on the example parameters below :
|
|
#
|
|
# Parameter system_local_ca_cert will be the certificate that will be used as the
|
|
# issuer for platform certificates (registry.local, https / rest-api, oidc)
|
|
#
|
|
# If system_local_ca_cert is an Intermediate CA (recommended), make sure that
|
|
# system_root_ca_cert is the Root CA which is its Issuer.
|
|
#
|
|
# Please make sure that you use a system_root_ca_cert and system_local_ca_cert certificate
|
|
# with a long duration. The playbook will fail if any of these CA certificates expire in
|
|
# less than the default expected values in min years:
|
|
# - For RCA, is 3 years;
|
|
# - For ICA, is 1 year.
|
|
#
|
|
# If you wish to use a different value for CA duration you can override
|
|
# it by setting a different value to validation parameters rca_duration/ica_duration.
|
|
# Example:
|
|
# 'rca_duration: 2' will result in the playbook only accepting RCAs expiring 2 or more
|
|
# years from now.
|
|
#
|
|
# Please also make sure that duration and renewBefore are sensible values
|
|
# considering the system_local_ca_cert remaining duration.
|
|
#
|
|
# See: https://docs.starlingx.io/security/kubernetes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.html
|
|
#
|
|
all:
|
|
vars:
|
|
# If using an Intermediate CA for system_local_ca_cert (recommended), the value
|
|
# for system_root_ca_cert needs to be the Root CA which is the Issuer of system_local_ca_cert
|
|
system_root_ca_cert: <base64_cert>
|
|
# It's strongly recommended using an Intermediate CA for system_local_ca_cert
|
|
# as that has the advantages of anchoring your certificates to your external Root CA.
|
|
# However, it is possible to simply specify a Root CA for system_local_ca_cert.
|
|
# For that, specify system_local_ca_cert and system_local_ca_key with values from your Root CA.
|
|
# Note: system_local_ca_cert and system_root_ca_cert must be the same for that configuration.
|
|
system_local_ca_cert: <base64_cert>
|
|
system_local_ca_key: <base64_key>
|
|
# the ica_duration/rca_duration parameters are optional. If not specified, it defaults to 3
|
|
# for RCA and 1 for ICA.
|
|
# It represents the number of years for the CA certificates expiration validity check.
|
|
# It is not recommended to use short values for this parameter.
|
|
# rca_duration: 3
|
|
# ica_duration: 1
|
|
|
|
children:
|
|
# This will be applied to all online subclouds
|
|
# Use the below example in hosts to override particulars for a subcloud such as passwords
|
|
target_group:
|
|
vars:
|
|
system_platform_certificate:
|
|
dns_domain: xyz.com
|
|
duration: 2160h # 90d
|
|
renewBefore: 360h # 15d
|
|
subject_C: CA
|
|
subject_ST: ontario
|
|
subject_L: ottawa
|
|
subject_O: myorganization
|
|
subject_OU: engineering
|
|
subject_CN: myorganization.com
|
|
# SSH password to connect to all subclouds
|
|
ansible_ssh_user: sysadmin
|
|
ansible_ssh_pass: <sysadmin-pwd>
|
|
# Sudo password
|
|
ansible_become_pass: <sysadmin-pwd>
|
|
# Add a child group, as exemplified below, if you need individual
|
|
# overrides for specific subcloud hosts
|
|
# Use the hosts section to add the list of hosts
|
|
# Use the vars section to override target_group variables
|
|
# such as the ssh password, for instance
|
|
# Note that you can also override multiple hosts at once or
|
|
# have multiple children groups if necessary
|
|
# Example:
|
|
# children:
|
|
# different_password_group:
|
|
# vars:
|
|
# ansible_ssh_user: sysadmin
|
|
# ansible_ssh_pass: <sysadmin-pwd>
|
|
# ansible_become_pass: <sysadmin-pwd>
|
|
# hosts:
|
|
# subcloud1:
|
|
# subcloud2:
|