From 27410af43195622060235acf9c40bfc166db09c6 Mon Sep 17 00:00:00 2001 From: Jack Hodgkiss Date: Mon, 7 Jul 2025 14:57:03 +0100 Subject: [PATCH 1/6] feat: add playbook for generating `pulp` cert with `OpenBao` --- .../openbao-generate-pulp-certificate.yml | 49 +++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 etc/kayobe/ansible/openbao-generate-pulp-certificate.yml diff --git a/etc/kayobe/ansible/openbao-generate-pulp-certificate.yml b/etc/kayobe/ansible/openbao-generate-pulp-certificate.yml new file mode 100644 index 000000000..ba7fecb9f --- /dev/null +++ b/etc/kayobe/ansible/openbao-generate-pulp-certificate.yml 
@@ -0,0 +1,49 @@
+---
+- name: Generate certificates
+ hosts: seed
+ run_once: true
+ vars:
+ openbao_api_addr: http://127.0.0.1:8200
+ openbao_intermediate_ca_name: OS-TLS-INT
+ tasks:
+ - name: Include OpenBao keys
+ ansible.builtin.include_vars:
+ file: "{{ kayobe_env_config_path }}/openbao/seed-openbao-keys.json"
+ name: openbao_keys
+
+ - name: Issue a certificate Pulp
+ hashivault_pki_cert_issue: # noqa: fqcn
+ url: "{{ openbao_api_addr }}"
+ ca_cert: "{{ '/etc/pki/tls/certs/ca-bundle.crt' if ansible_facts.os_family == 'RedHat' else '/usr/local/share/ca-certificates/OS-TLS-ROOT.crt' }}"
+ token: "{{ openbao_keys.root_token }}"
+ mount_point: "{{ openbao_intermediate_ca_name }}"
+ role: "{{ overcloud_openbao_pki_default_role_name }}"
+ common_name: "{{ inventory_hostname }}"
+ extra_params:
+ ip_sans: "{{ admin_oc_net_name | net_ip(inventory_hostname=groups['seed'][0]) }}"
+ register: pulp_certificate
+
+ - name: Ensure pulp certificates directory exists
+ ansible.builtin.file:
+ path: "{{ kayobe_env_config_path }}/pulp/certificates"
+ state: directory
+ delegate_to: localhost
+
+ - name: Write certificate to file
+ no_log: true
+ ansible.builtin.copy:
+ dest: "{{ kayobe_env_config_path }}/pulp/certificates/pulp.crt"
+ content: |
+ {{ pulp_certificate.data.certificate }}
+ {{ pulp_certificate.data.issuing_ca }}
+ mode: "0600"
+ delegate_to: localhost
+
+ - name: Write key to file
+ no_log: true
+ ansible.builtin.copy:
+ dest: "{{ kayobe_env_config_path }}/pulp/certificates/pulp.key"
+ content: |
+ {{ pulp_certificate.data.private_key }}
+ mode: "0600"
+ delegate_to: localhost
From 464cca2dfd27ca47e8311b6dfb8af126f2f7a3ca Mon Sep 17 00:00:00 2001
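Review bot: The `Issue a certificate Pulp` task has no `no_log: true`, yet the result it registers as `pulp_certificate` carries `data.private_key` (the last task writes exactly that field), so any verbose run prints the Pulp private key to the controller's output and log; add `no_log: true` to that task alongside the two copy tasks that already have it. `Ensure pulp certificates directory exists` sets no `mode`, so the directory's permissions come from the controller's umask while the files inside are `0600`; `mode: "0700"` keeps the two consistent. The key is written under `kayobe_env_config_path`, which is usually a version-controlled tree — whether `pulp/certificates/` is excluded from it is not visible in this patch.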
From: Jack Hodgkiss Date: Mon, 7 Jul 2025 14:57:39 +0100 Subject: [PATCH 2/6] feat: refactor `copy-ca-to-hosts` playbook The playbook `copy-ca-to-hosts` has been refactored in a couple ways. Firstly, the tasks for installing in either `RHEL` or `Debian` based systems are placed in `blocks`. Secondly both the root and intermediate certificate authority have added here to ensure the full chain is available if required. --- etc/kayobe/ansible/copy-ca-to-hosts.yml | 45 ++++++++++++++----------- 1 file changed, 25 insertions(+), 20 deletions(-) diff --git a/etc/kayobe/ansible/copy-ca-to-hosts.yml b/etc/kayobe/ansible/copy-ca-to-hosts.yml index ab0f3eaed..e7135486a 100644 --- a/etc/kayobe/ansible/copy-ca-to-hosts.yml +++ b/etc/kayobe/ansible/copy-ca-to-hosts.yml 
@@ -1,29 +1,34 @@ --- -- name: Copy CA certificate and update trust +- name: Install certificate authorities and update trust hosts: overcloud:seed:seed-hypervisor become: true - vars: - cert_path: "{{ kayobe_env_config_path }}/vault/OS-TLS-ROOT.pem" - tasks: - - name: Copy certificate on RedHat family systems (Rocky, RHEL, CentOS) - ansible.builtin.copy: - src: "{{ cert_path }}" - dest: "/etc/pki/ca-trust/source/anchors/OS-TLS-ROOT.pem" - mode: "0644" + - name: Install certificate authorities on RedHat based distributions when: ansible_facts.os_family == 'RedHat' + block: + - name: Copy certificate authorities on RedHat family systems (Rocky, RHEL, CentOS) + ansible.builtin.copy: + src: "{{ kayobe_env_config_path }}/openbao/{{ item }}.pem" + dest: "/etc/pki/ca-trust/source/anchors/{{ item }}.crt" + mode: "0644" + loop: + - "OS-TLS-ROOT" + - "OS-TLS-INT" - - name: Update CA trust on RedHat family systems - ansible.builtin.command: "update-ca-trust" - when: ansible_facts.os_family == 'RedHat' + - name: Update CA trust on RedHat family systems + ansible.builtin.command: "update-ca-trust" - - name: Copy certificate on Debian family systems (Ubuntu, Debian) - ansible.builtin.copy: - src: "{{ cert_path }}" - dest: "/usr/local/share/ca-certificates/OS-TLS-ROOT.crt" - mode: "0644" + - name: Install certificate authorities on Debian based distributions when: ansible_facts.os_family == 'Debian' + block: + - name: Copy certificate authorities on Debian family systems (Ubuntu, Debian) + ansible.builtin.copy: + src: "{{ kayobe_env_config_path }}/openbao/{{ item }}.pem" + dest: "/usr/local/share/ca-certificates/{{ item }}.crt" + mode: "0644" + loop: + - "OS-TLS-ROOT" + - "OS-TLS-INT" - - name: Update CA trust on Debian family systems - ansible.builtin.command: "update-ca-certificates" - when: ansible_facts.os_family == 'Debian' + - name: Update CA trust on Debian family systems + ansible.builtin.command: "update-ca-certificates" 
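Review bot: The `loop` installs `OS-TLS-INT.pem` as a system trust anchor with `mode: "0644"` on every overcloud, seed and seed-hypervisor host, and the 4/6 message in this series states that this file also contains the private key, so between this commit and 4/6 the intermediate CA key sits world-readable under `/etc/pki/ca-trust/source/anchors/` and `/usr/local/share/ca-certificates/`. Dropping the `OS-TLS-INT` item here (or squashing 4/6 into this commit) keeps that state out of the history. Separately, `update-ca-trust` and `update-ca-certificates` now run on every play with no `changed_when`, so the play always reports a change; registering each copy (`register: ca_copy`) and guarding the command with `when: ca_copy is changed` runs the trust refresh only when an anchor actually changed.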
From e42ad318e9cbe15b6e31157c0df3b104110aa411 Mon Sep 17 00:00:00 2001 From: Jack Hodgkiss Date: Mon, 7 Jul 2025 15:16:59 +0100 Subject: [PATCH 3/6] fix: add missing `EOL` --- etc/kayobe/ansible/copy-ca-to-hosts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/kayobe/ansible/copy-ca-to-hosts.yml b/etc/kayobe/ansible/copy-ca-to-hosts.yml index 91fd635ba..e7135486a 100644 --- a/etc/kayobe/ansible/copy-ca-to-hosts.yml +++ b/etc/kayobe/ansible/copy-ca-to-hosts.yml @@ -31,4 +31,4 @@ - "OS-TLS-INT" - name: Update CA trust on Debian family systems - ansible.builtin.command: "update-ca-certificates" \ No newline at end of file + ansible.builtin.command: "update-ca-certificates" From 3d1c0a352ef69d3308e00fcbfdda38188ea5076b Mon Sep 17 00:00:00 2001 From: Jack Hodgkiss Date: Mon, 7 Jul 2025 16:29:53 +0100 Subject: [PATCH 4/6] feat: do not copy `OS-TLS-INT` This is not required as the pulp certificate can be verified with just `OS-TLS-INT` as the intermediate is provided by the `Pulp` server. Also the `OS-TLS-INT.pem` includes the private key. --- etc/kayobe/ansible/copy-ca-to-hosts.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/etc/kayobe/ansible/copy-ca-to-hosts.yml b/etc/kayobe/ansible/copy-ca-to-hosts.yml index e7135486a..9e3958c33 100644 --- a/etc/kayobe/ansible/copy-ca-to-hosts.yml +++ b/etc/kayobe/ansible/copy-ca-to-hosts.yml @@ -13,7 +13,6 @@ mode: "0644" loop: - "OS-TLS-ROOT" - - "OS-TLS-INT" - name: Update CA trust on RedHat family systems ansible.builtin.command: "update-ca-trust" @@ -28,7 +27,6 @@ mode: "0644" loop: - "OS-TLS-ROOT" - - "OS-TLS-INT" - name: Update CA trust on Debian family systems ansible.builtin.command: "update-ca-certificates" From 9c234ad28792eccd607e0ef9708e82bf79ad9472 Mon Sep 17 00:00:00 2001 From: Jack Hodgkiss Date: Mon, 7 Jul 2025 16:37:57 +0100 Subject: [PATCH 5/6] feat: set docker `CA` if `Pulp` TLS is enabled --- etc/kayobe/docker.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/etc/kayobe/docker.yml b/etc/kayobe/docker.yml index 26fac1346..008754201 100644 --- a/etc/kayobe/docker.yml +++ b/etc/kayobe/docker.yml @@ -30,7 +30,7 @@ docker_registry: "{{ stackhpc_docker_registry }}" docker_registry_insecure: "{{ 'https' not in stackhpc_repo_mirror_url }}" # CA of docker registry -#docker_registry_ca: +docker_registry_ca: "{{ kayobe_env_config_path ~ '/openbao/OS-TLS-INT.crt' if pulp_enable_tls | bool else '' }}" # List of Docker registry mirrors. #docker_registry_mirrors: From 854d6ff3353f036b73658b99697937554799a3cf Mon Sep 17 00:00:00 2001 From: Jack Hodgkiss Date: Mon, 7 Jul 2025 21:06:49 +0100 Subject: [PATCH 6/6] feat: support using `copy-ca-to-hosts` as hook --- etc/kayobe/ansible/copy-ca-to-hosts.yml | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/etc/kayobe/ansible/copy-ca-to-hosts.yml b/etc/kayobe/ansible/copy-ca-to-hosts.yml index 9e3958c33..e0a03c95e 100644 --- a/etc/kayobe/ansible/copy-ca-to-hosts.yml +++ b/etc/kayobe/ansible/copy-ca-to-hosts.yml 
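Review bot: `docker_registry_ca` now reads `openbao/OS-TLS-INT.crt` from the kayobe environment, while `copy-ca-to-hosts.yml` reads the CA material from `openbao/<name>.pem` and the 4/6 message states the intermediate's `.pem` includes the private key; whether a key-free `.crt` is generated next to that `.pem` is not visible here and should be confirmed before this default ships. After 4/6 the hosts' own trust is anchored on `OS-TLS-ROOT` only, so anchoring the registry on the intermediate means a rotation of `OS-TLS-INT` breaks registry pulls while system trust keeps working; the root certificate is the more durable choice if it is available without its key. `pulp_enable_tls | bool` fails with an undefined-variable error wherever `pulp_enable_tls` is not set, so `pulp_enable_tls | default(false) | bool` is safer.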
@@ -1,10 +1,25 @@ --- - name: Install certificate authorities and update trust hosts: overcloud:seed:seed-hypervisor + # Avoid using facts because this may be used as a pre overcloud host + # configure hook, and we don't want to populate the fact cache (if one is in + # use) with the bootstrap user's context. + gather_facts: false + tags: + - install-ca + vars: + ansible_user: "{{ bootstrap_user }}" + # We can't assume that a virtualenv exists at this point, so use the system + # python interpreter. + ansible_python_interpreter: /usr/bin/python3 + # Work around no known_hosts entry on first boot. + ansible_ssh_common_args: -o StrictHostKeyChecking=no + # Don't assume facts are present. + os_family: "{{ ansible_facts.os_family | default('Debian' if os_distribution == 'ubuntu' else 'RedHat') }}" become: true tasks: - name: Install certificate authorities on RedHat based distributions - when: ansible_facts.os_family == 'RedHat' + when: os_family == 'RedHat' block: - name: Copy certificate authorities on RedHat family systems (Rocky, RHEL, CentOS) ansible.builtin.copy: @@ -18,7 +33,7 @@ ansible.builtin.command: "update-ca-trust" - name: Install certificate authorities on Debian based distributions - when: ansible_facts.os_family == 'Debian' + when: os_family == 'Debian' block: - name: Copy certificate authorities on Debian family systems (Ubuntu, Debian) ansible.builtin.copy:
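Review bot: `ansible_ssh_common_args: -o StrictHostKeyChecking=no` disables host key verification for a play whose job is to install a trust anchor on every host, so a host presenting a changed key is accepted silently and the CA is delivered over a session whose peer was never checked; the comment says the problem is only a missing `known_hosts` entry on first boot, which `-o StrictHostKeyChecking=accept-new` handles while still rejecting a changed key. The `vars` block also forces `ansible_user: "{{ bootstrap_user }}"` and `ansible_python_interpreter: /usr/bin/python3` unconditionally, although the comments describe hook use as only one way the play runs; play-level `vars` take precedence over inventory, so a run after host configure will still connect as the bootstrap user, and a comment stating that this is intended would make it explicit. The play continues past the end of this hunk.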