From d4af96685e7bfd10b061ae74f181ff30d045e07f Mon Sep 17 00:00:00 2001
From: Mohammed Naser
Date: Thu, 30 May 2024 18:44:05 -0400
Subject: [PATCH] Enable setting CA for Venafi (#1254)
---
 doc/source/deploy/certificates.rst | 12 ++++++++++++
 roles/cluster_issuer/defaults/main.yml | 1 +
 roles/cluster_issuer/tasks/type/venafi/main.yml | 8 ++++++++
 roles/openstack_cli/templates/atmosphere.sh.j2 | 2 +-
 roles/openstack_cli/templates/openrc.j2 | 2 +-
 roles/openstacksdk/templates/clouds.yaml.j2 | 2 +-
 6 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/doc/source/deploy/certificates.rst b/doc/source/deploy/certificates.rst
index f99d4f021..8c351c6b4 100644
--- a/doc/source/deploy/certificates.rst
+++ b/doc/source/deploy/certificates.rst
@@ -216,6 +216,12 @@ you will need to configure the issuer.
 .. code-block:: yaml
 cluster_issuer_type: venafi
+ cluster_issuer_venafi_ca: |
+ -----BEGIN CERTIFICATE-----
+ MIIDBjCCAe4CCQDQ3Z0Z2Z0Z0jANBgkqhkiG9w0BAQsFADCBhTELMAkGA1UEBhMC
+ VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28x
+ ...
+ -----END CERTIFICATE-----
 cluster_issuer_venafi_zone:
 cluster_issuer_venafi_tpp_url:
 cluster_issuer_venafi_tpp_ca_bundle: |
@@ -225,6 +231,12 @@ you will need to configure the issuer.
 ...
 -----END CERTIFICATE-----
+.. note::
+ If your issuer is an intermediate certificate, you will need to ensure that
+ the ``certificate`` key includes the full chain in the correct order of issuer,
+ intermediate(s), then root.
+
 Authentication
 ~~~~~~~~~~~~~~
diff --git a/roles/cluster_issuer/defaults/main.yml b/roles/cluster_issuer/defaults/main.yml
index 28ff0246e..1c6f4b58b 100644
--- a/roles/cluster_issuer/defaults/main.yml
+++ b/roles/cluster_issuer/defaults/main.yml
@@ -30,6 +30,7 @@ cluster_issuer_acme_cloudflare_email: "{{ cluster_issuer_acme_email }}"
 #cluster_issuer_acme_cloudflare_api_token:
 cluster_issuer_venafi_secret_name: cert-manager-venafi-credentials
+# cluster_issuer_venafi_ca:
 # cluster_issuer_venafi_access_token:
 # cluster_issuer_venafi_username:
 # cluster_issuer_venafi_password:
diff --git a/roles/cluster_issuer/tasks/type/venafi/main.yml b/roles/cluster_issuer/tasks/type/venafi/main.yml
index 47f60d838..f05495195 100644
--- a/roles/cluster_issuer/tasks/type/venafi/main.yml
+++ b/roles/cluster_issuer/tasks/type/venafi/main.yml
@@ -64,3 +64,11 @@
 caBundle: "{{ cluster_issuer_venafi_tpp_ca_bundle }}"
 credentialsRef:
 name: "{{ cluster_issuer_venafi_secret_name }}"
+
+- name: Copy CA certificate on host
+ ansible.builtin.copy:
+ content: "{{ cluster_issuer_venafi_ca }}"
+ dest: "{{ '/usr/local/share/ca-certificates' if ansible_facts['os_family'] in ['Debian'] else '/etc/pki/ca-trust/source/anchors' }}/atmosphere.crt"
+ mode: "0644"
+ notify:
+ - Update CA certificates on host
diff --git a/roles/openstack_cli/templates/atmosphere.sh.j2 b/roles/openstack_cli/templates/atmosphere.sh.j2
index 00635a1ef..97176774c 100644
--- a/roles/openstack_cli/templates/atmosphere.sh.j2
+++ b/roles/openstack_cli/templates/atmosphere.sh.j2
@@ -1,7 +1,7 @@
 alias osc='nerdctl run --rm --network host \
 --volume $PWD:/opt --volume /tmp:/tmp \
 --volume /etc/openstack:/etc/openstack:ro \
-{% if cluster_issuer_type is defined and cluster_issuer_type in ('self-signed', 'ca') %}
+{% if cluster_issuer_type is defined and cluster_issuer_type in ('self-signed', 'ca', 'venafi') %}
 --volume {{ '/usr/local/share/ca-certificates/atmosphere.crt:/usr/local/share/ca-certificates/atmosphere.crt:ro' if ansible_facts['os_family'] in ['Debian'] else '/etc/pki/ca-trust/source/anchors/atmosphere.crt:/usr/local/share/ca-certificates/atmosphere.crt:ro' }} \
 {% elif cluster_issuer_acme_private_ca is defined and cluster_issuer_acme_private_ca | bool %}
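Review bot: `cluster_issuer_venafi_ca` is added here only as a commented-out, optional default, yet the new copy task in roles/cluster_issuer/tasks/type/venafi/main.yml templates `{{ cluster_issuer_venafi_ca }}` with no guard, so a Venafi deployment that does not set it (a zone issuing from a publicly trusted CA needs no extra trust anchor) fails on an undefined variable or, depending on the undefined-variable setting, writes an empty file into the host trust store. Either give it an explicit empty default, `cluster_issuer_venafi_ca: ""`, and skip the copy task when it is empty, or state in this file that it is required for the venafi issuer type. The new line also deserves a comment explaining what the value is, e.g. `# PEM-encoded CA chain that signs Venafi-issued certificates; installed into the host trust store`, matching how the neighbouring credential variables are listed.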
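Review bot: The new "Copy CA certificate on host" task writes whatever `cluster_issuer_venafi_ca` holds straight into the host-wide trust store (`/usr/local/share/ca-certificates` or `/etc/pki/ca-trust/source/anchors`) without any check on the value, so an empty value, a stray leaf certificate or a paste error becomes a trust anchor for every TLS client on the node, and the task runs even when the variable was never set. Guard the copy with `when: cluster_issuer_venafi_ca is defined and cluster_issuer_venafi_ca | length > 0` and precede it with an `ansible.builtin.assert` that the value contains a PEM certificate header, so a malformed bundle fails the play loudly instead of silently changing the host's trust. The destination `atmosphere.crt` is the same file the self-signed and ca issuer types use, which is acceptable since only one issuer type is active per deployment, but a short comment on the task saying so would help the next reader. I cannot see the `Update CA certificates on host` handler from this hunk; confirm it is defined in the cluster_issuer role's handlers rather than only in the path used by the other issuer types.
```yaml
- name: Validate Venafi CA certificate bundle
  ansible.builtin.assert:
    that:
      - "'-----BEGIN CERTIFICATE-----' in cluster_issuer_venafi_ca"
    fail_msg: cluster_issuer_venafi_ca must be a PEM-encoded CA certificate bundle
  when: cluster_issuer_venafi_ca is defined and cluster_issuer_venafi_ca | length > 0

- name: Copy CA certificate on host
  ansible.builtin.copy:
    content: "{{ cluster_issuer_venafi_ca }}"
    # … unchanged: dest, mode, notify …
  when: cluster_issuer_venafi_ca is defined and cluster_issuer_venafi_ca | length > 0
```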
diff --git a/roles/openstack_cli/templates/openrc.j2 b/roles/openstack_cli/templates/openrc.j2
index a5d7acb3e..d8bed160e 100644
--- a/roles/openstack_cli/templates/openrc.j2
+++ b/roles/openstack_cli/templates/openrc.j2
@@ -11,7 +11,7 @@ export OS_PASSWORD="{{ openstack_helm_endpoints['identity']['auth']['admin']['pa
 export OS_PROJECT_DOMAIN_NAME=Default
 export OS_PROJECT_NAME=admin
-{% if cluster_issuer_type is defined and cluster_issuer_type in ('self-signed', 'ca') %}
+{% if cluster_issuer_type is defined and cluster_issuer_type in ('self-signed', 'ca', 'venafi') %}
 export OS_CACERT=/usr/local/share/ca-certificates/atmosphere.crt
 {% elif cluster_issuer_acme_private_ca is defined and cluster_issuer_acme_private_ca | bool %}
 export OS_CACERT=/etc/ssl/certs/ca-certificates.crt
diff --git a/roles/openstacksdk/templates/clouds.yaml.j2 b/roles/openstacksdk/templates/clouds.yaml.j2
index 5b4787902..4de4d2290 100644
--- a/roles/openstacksdk/templates/clouds.yaml.j2
+++ b/roles/openstacksdk/templates/clouds.yaml.j2
@@ -8,7 +8,7 @@ clouds:
 user_domain_name: Default
 project_domain_name: Default
 region_name: "{{ openstack_helm_endpoints_keystone_region_name }}"
-{% if cluster_issuer_type is defined and cluster_issuer_type in ('self-signed', 'ca') %}
+{% if cluster_issuer_type is defined and cluster_issuer_type in ('self-signed', 'ca', 'venafi') %}
 cacert: "/usr/local/share/ca-certificates/atmosphere.crt"
 {% elif cluster_issuer_acme_private_ca is defined and cluster_issuer_acme_private_ca | bool %}
 cacert: "/etc/ssl/certs/ca-certificates.crt"
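Review bot: The changed condition makes every `venafi` deployment export `OS_CACERT=/usr/local/share/ca-certificates/atmosphere.crt`, but `cluster_issuer_venafi_ca` is only a commented-out optional in roles/cluster_issuer/defaults/main.yml, so a Venafi zone backed by a publicly trusted CA ends up with an `OS_CACERT` naming a file nothing wrote and every CLI TLS connection fails verification. Tie the branch to the variable as well, e.g. `{% if cluster_issuer_type is defined and (cluster_issuer_type in ('self-signed', 'ca') or (cluster_issuer_type == 'venafi' and cluster_issuer_venafi_ca is defined)) %}`, so the public-CA case falls through to the system bundle. The identical condition is changed the same way in roles/openstacksdk/templates/clouds.yaml.j2 and roles/openstack_cli/templates/atmosphere.sh.j2 in this patch and needs the same treatment; the surrounding `if`/`elif` chain continues past this hunk in all three files.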