diff --git a/etc/kayobe/ansible/copy-ca-to-hosts.yml b/etc/kayobe/ansible/copy-ca-to-hosts.yml
index ab0f3eaed..e0a03c95e 100644
--- a/etc/kayobe/ansible/copy-ca-to-hosts.yml
+++ b/etc/kayobe/ansible/copy-ca-to-hosts.yml
@@ -1,29 +1,47 @@ --- -- name: Copy CA certificate and update trust +- name: Install certificate authorities and update trust hosts: overcloud:seed:seed-hypervisor - become: true + # Avoid using facts because this may be used as a pre overcloud host + # configure hook, and we don't want to populate the fact cache (if one is in + # use) with the bootstrap user's context. + gather_facts: false + tags: + - install-ca vars: - cert_path: "{{ kayobe_env_config_path }}/vault/OS-TLS-ROOT.pem" - + ansible_user: "{{ bootstrap_user }}" + # We can't assume that a virtualenv exists at this point, so use the system + # python interpreter. + ansible_python_interpreter: /usr/bin/python3 + # Work around no known_hosts entry on first boot. + ansible_ssh_common_args: -o StrictHostKeyChecking=no + # Don't assume facts are present. + os_family: "{{ ansible_facts.os_family | default('Debian' if os_distribution == 'ubuntu' else 'RedHat') }}" + become: true tasks: - - name: Copy certificate on RedHat family systems (Rocky, RHEL, CentOS) - ansible.builtin.copy: - src: "{{ cert_path }}" - dest: "/etc/pki/ca-trust/source/anchors/OS-TLS-ROOT.pem" - mode: "0644" - when: ansible_facts.os_family == 'RedHat' + - name: Install certificate authorities on RedHat based distributions + when: os_family == 'RedHat' + block: + - name: Copy certificate authorities on RedHat family systems (Rocky, RHEL, CentOS) + ansible.builtin.copy: + src: "{{ kayobe_env_config_path }}/openbao/{{ item }}.pem" + dest: "/etc/pki/ca-trust/source/anchors/{{ item }}.crt" + mode: "0644" + loop: + - "OS-TLS-ROOT" - - name: Update CA trust on RedHat family systems - ansible.builtin.command: "update-ca-trust" - when: ansible_facts.os_family == 'RedHat' + - name: Update CA trust on RedHat family systems + ansible.builtin.command: "update-ca-trust" - - name: Copy certificate on Debian family systems (Ubuntu, Debian) - ansible.builtin.copy: - src: "{{ cert_path }}" - dest: "/usr/local/share/ca-certificates/OS-TLS-ROOT.crt" - mode: 
"0644" - when: ansible_facts.os_family == 'Debian' + - name: Install certificate authorities on Debian based distributions + when: os_family == 'Debian' + block: + - name: Copy certificate authorities on Debian family systems (Ubuntu, Debian) + ansible.builtin.copy: + src: "{{ kayobe_env_config_path }}/openbao/{{ item }}.pem" + dest: "/usr/local/share/ca-certificates/{{ item }}.crt" + mode: "0644" + loop: + - "OS-TLS-ROOT" - - name: Update CA trust on Debian family systems - ansible.builtin.command: "update-ca-certificates" - when: ansible_facts.os_family == 'Debian' + - name: Update CA trust on Debian family systems + ansible.builtin.command: "update-ca-certificates" diff --git a/etc/kayobe/ansible/openbao-generate-pulp-certificate.yml b/etc/kayobe/ansible/openbao-generate-pulp-certificate.yml new file mode 100644 index 000000000..ba7fecb9f --- /dev/null +++ b/etc/kayobe/ansible/openbao-generate-pulp-certificate.yml 
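Review bot: `ansible_ssh_common_args: -o StrictHostKeyChecking=no` in the new play vars turns off host key verification for a play that runs with `become: true` as the bootstrap user and installs a new trust anchor into the system CA store, so a host impersonated on the network during first boot is accepted silently, and a changed key on an already-known host is ignored as well. The comment only needs the first-boot case, which `accept-new` covers while still rejecting a changed key: `ansible_ssh_common_args: -o StrictHostKeyChecking=accept-new` (OpenSSH 7.6+), with the comment updated to `# Work around no known_hosts entry on first boot; accept-new still fails on a changed key.` If older clients must be supported, at least note in the comment that `no` also suppresses key-change detection. Separately, the RedHat anchor path changes from `OS-TLS-ROOT.pem` to `OS-TLS-ROOT.crt`, so hosts configured by the previous version keep the old `.pem` anchor alongside the new one unless it is removed.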
@@ -0,0 +1,49 @@ +--- +- name: Generate certificates + hosts: seed + run_once: true + vars: + openbao_api_addr: http://127.0.0.1:8200 + openbao_intermediate_ca_name: OS-TLS-INT + tasks: + - name: Include OpenBao keys + ansible.builtin.include_vars: + file: "{{ kayobe_env_config_path }}/openbao/seed-openbao-keys.json" + name: openbao_keys + + - name: Issue a certificate Pulp + hashivault_pki_cert_issue: # noqa: fqcn + url: "{{ openbao_api_addr }}" + ca_cert: "{{ '/etc/pki/tls/certs/ca-bundle.crt' if ansible_facts.os_family == 'RedHat' else '/usr/local/share/ca-certificates/OS-TLS-ROOT.crt' }}" + token: "{{ openbao_keys.root_token }}" + mount_point: "{{ openbao_intermediate_ca_name }}" + role: "{{ overcloud_openbao_pki_default_role_name }}" + common_name: "{{ inventory_hostname }}" + extra_params: + ip_sans: "{{ admin_oc_net_name | net_ip(inventory_hostname=groups['seed'][0]) }}" + register: pulp_certificate + + - name: Ensure pulp certificates directory exists + ansible.builtin.file: + path: "{{ kayobe_env_config_path }}/pulp/certificates" + state: directory + delegate_to: localhost + + - name: Write certificate to file + no_log: true + ansible.builtin.copy: + dest: "{{ kayobe_env_config_path }}/pulp/certificates/pulp.crt" + content: | + {{ pulp_certificate.data.certificate }} + {{ pulp_certificate.data.issuing_ca }} + mode: "0600" + delegate_to: localhost + + - name: Write key to file + no_log: true + ansible.builtin.copy: + dest: "{{ kayobe_env_config_path }}/pulp/certificates/pulp.key" + content: | + {{ pulp_certificate.data.private_key }} + mode: "0600" + delegate_to: localhost diff --git a/etc/kayobe/docker.yml b/etc/kayobe/docker.yml index 26fac1346..008754201 100644 --- a/etc/kayobe/docker.yml +++ b/etc/kayobe/docker.yml 
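Review bot: The `Issue a certificate Pulp` task registers a result whose `data.private_key` is written out as the Pulp key further down, but the task itself carries no `no_log`, so a run with `-v` prints the module's return value, private key included, to the console and to any configured log path; only the two `copy` tasks that write the files are marked `no_log: true`. Add `no_log: true` to the `hashivault_pki_cert_issue` task (and the name reads better as `Issue a certificate for Pulp`). The task also authenticates with `openbao_keys.root_token` to issue a single leaf certificate; if a scoped token or policy for the `OS-TLS-INT` mount exists in this deployment it would be preferable to the root token, though I cannot tell from this file whether one does. Note too that `ca_cert` has no effect while `openbao_api_addr` is plain `http://127.0.0.1:8200`; if loopback-only HTTP is intentional, a one-line comment saying so would save the next reader the question.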
@@ -30,7 +30,7 @@ docker_registry: "{{ stackhpc_docker_registry }}" docker_registry_insecure: "{{ 'https' not in stackhpc_repo_mirror_url }}" # CA of docker registry -#docker_registry_ca: +docker_registry_ca: "{{ kayobe_env_config_path ~ '/openbao/OS-TLS-INT.crt' if pulp_enable_tls | bool else '' }}" # List of Docker registry mirrors. #docker_registry_mirrors:
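Review bot: `docker_registry_ca` now resolves to the empty string `''` when `pulp_enable_tls` is false, whereas before the key was commented out and therefore undefined; whether the consumer of `docker_registry_ca` treats `''` as "no CA" rather than as a path to read is not visible here and is worth confirming before merging. The value also pins the registry CA to the intermediate `OS-TLS-INT.crt`, while the host trust store in the same change receives `OS-TLS-ROOT`; pinning to the intermediate is the stricter choice, but an intermediate rotation then breaks registry pulls until this file is updated, so a short comment recording why the intermediate rather than the root is used here would help, and the `.crt` extension should be checked against the `.pem` file the CA-install play copies from the same `openbao/` directory.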