Support Let's Encrypt for Open OnDemand

Author: priteau

README.md

@@ -33,7 +33,7 @@ Before starting ensure that:
 - You have an SSH keypair defined in OpenStack, with the private key available on the deploy host.
 - Created instances have access to internet (note proxies can be setup through the appliance if necessary).
 - Created instances have accurate/synchronised time (for VM instances this is usually provided by the hypervisor; if not or for bare metal instances it may be necessary to configure a time service via the appliance).
-- Three security groups are present: ``default`` allowing intra-cluster communication, ``SSH`` allowing external access via SSH and ``HTTPS`` allowing access for Open OnDemand.
+- Four security groups are present: ``default`` allowing intra-cluster communication, ``SSH`` allowing external access via SSH, and ``HTTP`` and ``HTTPS`` allowing access for Open OnDemand.
 
 ### Setup deploy host
 

ansible/fatimage.yml

@@ -130,6 +130,12 @@
         vars_from: "Rocky/{{ ansible_distribution_major_version }}.yml"
       when: "'openondemand' in group_names"
 
+    - name: Open OnDemand certbot
+      import_role:
+        name: openondemand
+        tasks_from: certbot.yml
+      when: "'openondemand' in group_names"
+
     - name: Open OnDemand remote desktop
       import_role:
         name: openondemand

ansible/roles/openondemand/README.md

@@ -46,8 +46,14 @@ No other authentication options are required for this method.
 
 ### SSL Certificates
 This role enables SSL on the Open Ondemand server, using the following self-signed certificate & key which are autogenerated by the `mod_ssl` package installed as part of the `ondemand-apache` package. Replace with your own keys if required.
-- `openondemand_ssl_cert`: Optional. Default `/etc/pki/tls/certs/localhost.crt`.
-- `openondemand_ssl_cert_key`: Optional. Default `/etc/pki/tls/private/localhost.key`
+- `openondemand_ssl_cert`: Optional. Default `/etc/pki/tls/certs/localhost.crt` (unless `openondemand_certbot` is true).
+- `openondemand_ssl_cert_key`: Optional. Default `/etc/pki/tls/private/localhost.key` (unless `openondemand_certbot` is true).
+
+Alternatively, you can generate a certificate from Let's Encrypt automatically by configuring the following variables:
+- `openondemand_certbot`: Optional. Default is false. Set to true to request a certificate from Let's Encrypt.
+- `openondemand_certbot_email`: Optional. Default is empty. Set to the admin email address if using Let's Encrypt.
+
+If using Let's Encrypt, leave `openondemand_ssl_cert` and `openondemand_ssl_cert_key` set to their default values.
 
 ### Dashboard and application configuration
 - `openondemand_dashboard_docs_url`: Optional. URL of docs to show under Help in dashboard. Default `(undefined)`.

ansible/roles/openondemand/defaults/main.yml

@@ -13,8 +13,10 @@ openondemand_oidc_remote_user_claim: preferred_username
 openondemand_oidc_scope: openid profile preferred_username
 
 # SSL Certificates
-openondemand_ssl_cert: /etc/pki/tls/certs/localhost.crt
-openondemand_ssl_cert_key: /etc/pki/tls/private/localhost.key
+openondemand_certbot: false
+openondemand_certbot_email:
+openondemand_ssl_cert: "{{ '/etc/letsencrypt/live/' + openondemand_servername + '/fullchain.pem' if openondemand_certbot | bool else '/etc/pki/tls/certs/localhost.crt' }}"
+openondemand_ssl_cert_key: "{{ '/etc/letsencrypt/live/' + openondemand_servername + '/privkey.pem' if openondemand_certbot | bool else '/etc/pki/tls/private/localhost.key' }}"
 
 # Dashboard and application config:
 openondemand_dashboard_docs_url: (undefined)

ansible/roles/openondemand/tasks/certbot.yml

@@ -0,0 +1,29 @@
+---
+- name: Install EPEL
+  tags: install
+  dnf:
+    name: epel-release
+
+- name: Install certbot
+  tags: install
+  dnf:
+    name:
+      - certbot
+      - python3-certbot-apache
+
+- block:
+    - name: Validate that server name is set
+      assert:
+        that:
+          - openondemand_servername | length > 0
+        fail_msg: openondemand_servername must be set
+
+    - name: Validate that email address is set
+      assert:
+        that:
+          - openondemand_certbot_email | length > 0
+        fail_msg: openondemand_certbot_email must be set
+
+    - name: Generate Let's Encrypt certificate
+      command: sudo certbot certonly --standalone -d {{ openondemand_servername }} -n -m {{ openondemand_certbot_email }} --agree-tos
+  when: appliances_mode == 'configure'

ansible/roles/openondemand/tasks/main.yml

@@ -21,6 +21,10 @@
   when: appliances_mode != 'configure'
   # can't set vars: from a dict hence the workaround above
 
+- include_tasks:
+    file: certbot.yml
+  when: openondemand_certbot | bool
+
 - include_tasks:
     file: pam_auth.yml
   when: openondemand_auth | lower == 'basic_pam'

docs/openondemand.md

@@ -47,3 +47,7 @@ The appliance automatically configures Open OnDemand to proxy Grafana and adds a
 
 # Access
 By default the appliance authenticates against OOD with basic auth through PAM. When creating a new environment, a new user with username `demo_user` will be created. Its password is found under `vault_openondemand_default_user` in the appliance secrets store in `environments/{ENV}/inventory/group_vars/all/secrets.yml`. Other users can be defined by overriding the `basic_users_users` variable in your environment (templated into `environments/{ENV}/inventory/group_vars/all/basic_users.yml` by default).
+
+# Certificates
+
+The default configuration uses using a self-signed certificate. Instead, you can bring your own certificate and key, or use Let's Encrypt. See [../ansible/roles/openondemand/README.md](../ansible/roles/openondemand/README.md) for more details.

environments/skeleton/{{cookiecutter.environment}}/tofu/variables.tf

@@ -259,6 +259,7 @@ variable "login_security_groups" {
     default = [
         "default",  # allow all in-cluster services
         "SSH",      # access via ssh
+        "HTTP",     # HTTP-01 challenge and redirect to HTTPS
         "HTTPS",    # access OpenOndemand
     ]
 }