ansible-playbooks/examples/migrate/migrate-platform-certificates-to-certmanager-inventory-EXAMPLE.yml
Marcelo Loebens 0e10763eb7 Improved system-local-ca check and install
Included support to check multiple ICAs bundled together (verifying
requirements for each one individually) and have override and default
variables for ICA or RCA expiration checks (default is 3 years for
both). Also, include check to verify if the ICA TLS cert/key match
each other.

Changed the behavior to only install the RCA as trusted (before we
installed both the ICA and the RCA). Also made the install optional
so the role can be used to verify the certificates in the first steps
of the bootstrap. With this, the user can fix the provided
certificates if a problem is detected without waiting until the end
of the bootstrap (where the installation of the RCA will be made).

Changed the naming to better reflect the intention of the role.

Test plan:
PASS: Perform cert-manager migration using:
      - RCA / single ICA;
      - RCA / multiple ICAs in files;
      - RCA / multiple ICAs with one with short expiration date
        (should fail with a message regarding the short expiration);
      - RCA / multiple ICAs with one with short expiration date but
        use override flag to allow short expiration date;
      - RCA with short expiration date / single ICA;
        (should fail with a message regarding the short expiration);
      - RCA with short expiration date but use override flag to allow
        short expiration date / single ICA;

PASS: Deploy AIO-SX providing the CA certs for 'system-local-ca' and
      enable feature flag. ICA file should contain multiple bundled
      ICAs. The CAs provided must be within the expected expiration
      date. Verify:
      - HTTPS is enabled and openstack public endpoints change into it
        after unlocking the controller.
      - The target certificates are issued by 'system-local-ca', and
        are managed by cert-manager;
      - The 'system-local-ca' has the provided certs data.
      - The certificates in /etc/ssl/private are correct.
      - It's possible to log into the local Docker Registry.
      - Horizon is working as expected.

PASS: Deploy AIO-SX w/o providing the CA certs for 'system-local-ca'
      and enable feature flag. Verify:
      - HTTPS is enabled and openstack public endpoints change into it
        after unlocking the controller.
      - The target certificates are issued by 'system-local-ca', and
        are managed by cert-manager;
      - 'system-local-ca' has the Kubernetes Root CA data.
      - The certificates in /etc/ssl/private are correct.
      - It's possible to log into the local Docker Registry.
      - Horizon is working as expected.

PASS: Deploy AIO-SX providing the CA certs for 'system-local-ca' and
      enable feature flag. ICA file should contain multiple bundled
      ICAs. One of the ICAs provided must have a short expiration
      date. Verify installation fails at the beginning of bootstrap,
      under 'bootstrap/validate-config'.

PASS: Deploy AIO-SX providing the CA certs for 'system-local-ca' and
      enable feature flag. ICA file should contain multiple bundled
      ICAs. One of the ICAs provided must have a short expiration
      date. Provide 'ica_duration' override as to make the
      expiration after the fail limit. Verify that the bootstrap is
      successful.

PASS: Deploy AIO-SX providing the CA certs for 'system-local-ca' and
      enable feature flag. ICA file should contain the same RCA cert
      as in the RCA file. Verify bootstrap fails with a message that
      the ICA must have an ICA.

PASS: Deploy AIO-SX providing the CA certs for 'system-local-ca' and
      enable feature flag. ICA key file should contain a key that
      doesn't match the ICA cert provided. Verify bootstrap fails with
      a message that the ICA TLS cert/key pair must match.

Story: 2009811
Task: 48907

Change-Id: I6a835990a6e3606f5d716dd8ed7225cf60d4bbb9
Signed-off-by: Marcelo Loebens <Marcelo.DeCastroLoebens@windriver.com>
2023-11-16 12:01:32 -04:00


---
#
# Copyright (c) 2021-2023 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# This is an example inventory file to be used for the
# usr/share/ansible/stx-ansible/playbooks/migrate_platform_certificates_to_certmanager.yml
# playbook.
#
# To run the playbook, the user defines an overrides file (as exemplified here)
# providing the required variable settings and passes it on the ansible command line as a parameter.
#
# Example ansible command:
# ansible-playbook migrate_platform_certificates_to_certmanager.yml \
#     -i @my-inventory-file.yml \
#     --extra-vars "target_list=subcloud1 mode=update"
#
# Use target_list to target individual subclouds, or a comma-separated
# list of subclouds such as 'subcloud1,subcloud2'. To target all online
# subclouds at once use target_list=all_online_subclouds
#
# To target the system controller or standalone systems use target_list=localhost
#
# Note on the example parameters below:
#
# Parameter system_local_ca_cert is the certificate that will be used as the
# issuer for platform certificates (registry.local, https / rest-api, oidc).
#
# If system_local_ca_cert is an Intermediate CA (recommended), make sure that
# system_root_ca_cert is the Root CA which is its Issuer.
#
# Please make sure that you use system_root_ca_cert and system_local_ca_cert certificates
# with a long duration. The playbook will fail if any of these CA certificates expires in
# less than the default minimum number of years:
# - For the RCA, 3 years;
# - For the ICA, 1 year.
#
# If you wish to use a different minimum CA duration you can override it by setting
# a different value for the validation parameters rca_duration/ica_duration.
# Example:
# 'rca_duration: 2' will result in the playbook only accepting RCAs expiring 2 or more
# years from now.
#
# Please also make sure that duration and renewBefore are sensible values
# considering the remaining validity of system_local_ca_cert.
#
# See: https://docs.starlingx.io/security/kubernetes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.html
#
all:
  vars:
    # If using an Intermediate CA for system_local_ca_cert (recommended), the value
    # for system_root_ca_cert needs to be the Root CA which is the Issuer of system_local_ca_cert
    system_root_ca_cert: <base64_cert>
    # It is strongly recommended to use an Intermediate CA for system_local_ca_cert,
    # as that has the advantage of anchoring your certificates to your external Root CA.
    # However, it is possible to simply specify a Root CA for system_local_ca_cert.
    # For that, specify system_local_ca_cert and system_local_ca_key with values from your Root CA.
    # Note: system_local_ca_cert and system_root_ca_cert must be the same for that configuration.
    system_local_ca_cert: <base64_cert>
    system_local_ca_key: <base64_key>
    # The ica_duration/rca_duration parameters are optional. If not specified, they default to 3
    # for the RCA and 1 for the ICA.
    # Each one is the minimum number of years of remaining validity required from the
    # corresponding CA certificate by the expiration check.
    # It is not recommended to use short values for these parameters.
    # rca_duration: 3
    # ica_duration: 1
  children:
    # This will be applied to all online subclouds
    # Use the example below in hosts to override particulars for a subcloud such as passwords
    target_group:
      vars:
        system_platform_certificate:
          dns_domain: xyz.com
          duration: 2160h # 90d
          renewBefore: 360h # 15d
          subject_C: CA
          subject_ST: ontario
          subject_L: ottawa
          subject_O: myorganization
          subject_OU: engineering
          subject_CN: myorganization.com
          subject_prefix: starlingx
        # SSH password to connect to all subclouds
        ansible_ssh_user: sysadmin
        ansible_ssh_pass: <sysadmin-pwd>
        # Sudo password
        ansible_become_pass: <sysadmin-pwd>
      # Add a child group, as exemplified below, if you need individual
      # overrides for specific subcloud hosts.
      # Use the hosts section to add the list of hosts.
      # Use the vars section to override target_group variables
      # such as the ssh password, for instance.
      # Note that you can also override multiple hosts at once or
      # have multiple children groups if necessary.
      # Example:
      # children:
      #   different_password_group:
      #     vars:
      #       ansible_ssh_user: sysadmin
      #       ansible_ssh_pass: <sysadmin-pwd>
      #       ansible_become_pass: <sysadmin-pwd>
      #     hosts:
      #       subcloud1:
      #       subcloud2:
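The inventory comments and the change's test plan describe a set of pre-flight checks on the CA material: the RCA must remain valid for at least rca_duration years (default 3), each ICA in a bundle for at least ica_duration years (default 1), the ICA file must not simply contain the RCA, each ICA must chain to the RCA, and the ICA TLS cert/key pair must match. The Go program below is an added example written for this page, not code from the StarlingX ansible-playbooks repository, and it does not reproduce how the playbook's role implements these checks. It assumes the PEM forms of the certificates and key (the inventory takes them base64-wrapped), a PKCS#8 private key, and uses the standard library only: `tls.X509KeyPair` for the cert/key match and `x509.Certificate.Verify` for the chain. The CA material it runs against is constructed in `newCA` (P-256 keys, arbitrary names and serials) and is not real CA data; `Scenarios` reproduces four cases from the test plan, with the RCA expiring in just over two years so that the `rca_duration: 2` override from the comments above is exercised.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Defaults from the inventory comments: the RCA must stay valid >= 3 years, the ICA >= 1 year.
const DefaultRCAYears, DefaultICAYears = 3, 1

// CheckCAs applies the checks the inventory comments describe: the RCA is valid for at least rcaYears; the key
// matches the first (leaf) ICA; every bundled ICA is not the RCA, is valid >= icaYears and chains to the RCA.
func CheckCAs(rcaPEM, icaBundlePEM, icaKeyPEM []byte, rcaYears, icaYears int, now time.Time) error {
	b, _ := pem.Decode(rcaPEM)
	if b == nil {
		return fmt.Errorf("system_root_ca_cert: no PEM block found")
	}
	rca, err := x509.ParseCertificate(b.Bytes)
	if err != nil {
		return fmt.Errorf("system_root_ca_cert: %w", err)
	}
	if rca.NotAfter.Before(now.AddDate(rcaYears, 0, 0)) {
		return fmt.Errorf("system_root_ca_cert: expires %s, less than %d year(s) from now (see rca_duration)", rca.NotAfter.Format("2006-01-02"), rcaYears)
	}
	// tls.X509KeyPair parses every certificate of the bundle and checks the key against the first one.
	pair, err := tls.X509KeyPair(icaBundlePEM, icaKeyPEM)
	if err != nil {
		return fmt.Errorf("system_local_ca_cert/system_local_ca_key: %w (ICA TLS cert/key pair must match)", err)
	}
	icas, err := x509.ParseCertificates(bytes.Join(pair.Certificate, nil))
	if err != nil {
		return fmt.Errorf("system_local_ca_cert: %w", err)
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(rca)
	inters.AppendCertsFromPEM(icaBundlePEM) // lets an ICA chain to the RCA through another bundled ICA
	for i, ica := range icas {
		if ica.Equal(rca) {
			return fmt.Errorf("system_local_ca_cert[%d]: is the Root CA; an Intermediate CA is required", i)
		}
		if ica.NotAfter.Before(now.AddDate(icaYears, 0, 0)) {
			return fmt.Errorf("system_local_ca_cert[%d]: expires %s, less than %d year(s) from now (see ica_duration)", i, ica.NotAfter.Format("2006-01-02"), icaYears)
		}
		opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
		if _, err := ica.Verify(opts); err != nil {
			return fmt.Errorf("system_local_ca_cert[%d]: does not chain to system_root_ca_cert: %w", i, err)
		}
	}
	return nil
}

type ca struct { // constructed test material (not real CA data), with the PEM forms the inventory takes before base64
	tmpl            *x509.Certificate
	key             *ecdsa.PrivateKey
	CertPEM, KeyPEM []byte
}

// newCA builds a P-256 CA certificate, self-signed when parent is nil, otherwise signed by parent.
func newCA(cn string, serial int64, notAfter time.Time, parent *ca) *ca {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	c := &ca{key: key, tmpl: &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: notAfter.AddDate(-20, 0, 0), NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true}}
	if parent == nil {
		parent = c // self-signed
	}
	der, _ := x509.CreateCertificate(rand.Reader, c.tmpl, parent.tmpl, &key.PublicKey, parent.key)
	keyDER, _ := x509.MarshalPKCS8PrivateKey(key)
	c.CertPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	c.KeyPEM = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
	return c
}

// Scenarios runs CheckCAs over constructed material for cases from the test plan; nil means accepted.
func Scenarios(now time.Time) map[string]error {
	rca := newCA("Example Root CA", 1, now.AddDate(2, 0, 1), nil) // expires in just over 2 years
	ica1 := newCA("Example ICA 1", 2, now.AddDate(2, 0, 0), rca)
	ica2 := newCA("Example ICA 2", 3, now.AddDate(1, 0, 1), ica1) // leaf ICA, issued by ICA 1
	bundle := append(append([]byte{}, ica2.CertPEM...), ica1.CertPEM...) // leaf first, then its issuer
	return map[string]error{
		"bundled ICAs, matching key, rca_duration=2": CheckCAs(rca.CertPEM, bundle, ica2.KeyPEM, 2, DefaultICAYears, now),
		"same, default rca_duration (3)":             CheckCAs(rca.CertPEM, bundle, ica2.KeyPEM, DefaultRCAYears, DefaultICAYears, now),
		"key belongs to the other ICA":               CheckCAs(rca.CertPEM, bundle, ica1.KeyPEM, 2, DefaultICAYears, now),
		"ICA file contains the RCA":                  CheckCAs(rca.CertPEM, rca.CertPEM, rca.KeyPEM, 2, DefaultICAYears, now),
	}
}

func main() {
	for name, err := range Scenarios(time.Now()) {
		fmt.Printf("%-44s -> %v\n", name, err)
	}
}
```

Running it prints one line per scenario; only the first returns `<nil>`, the others report the short RCA, the mismatched key and the RCA-in-the-ICA-file respectively. The order of the checks matters for the operator: the cheap expiry checks run before the chain verification so that the message names the parameter (rca_duration / ica_duration) to override when the value is intentional, which is the same flow the test plan exercises at the start of bootstrap.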