[patch] Improvements to handling of files with multiple certificates #1097

Merged, 15 commits, Nov 27, 2023
10 changes: 8 additions & 2 deletions ibm/mas_devops/common_tasks/get_ingress_cert.yml
@@ -4,6 +4,7 @@
- name: Clear private_root_ca_name fact
ansible.builtin.set_fact:
private_root_ca_name: ""
include_cluster_ingress_cert_chain: "{{ lookup('env', 'INCLUDE_CLUSTER_INGRESS_CERT_CHAIN') | default('false', True) | bool }}"

- name: "Lookup Proxy: cluster"
kubernetes.core.k8s_info:
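Review bot: the new `include_cluster_ingress_cert_chain` fact is set inside the task named "Clear private_root_ca_name fact", so anyone searching the playbook output or the source for where the chain option is read will not find it by task name; give it its own task (for example `- name: "Read include_cluster_ingress_cert_chain option"`) or rename this task to cover both facts. The lookup itself is fine: `default('false', True) | bool` yields a real boolean for an unset or empty environment variable.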
@@ -55,7 +56,12 @@
ansible.builtin.set_fact:
cluster_ingress_tls_crt_full: "{{ private_root_ca_bundle_crt | regex_findall('(?s)(-----BEGIN .+?-----.+?-----END .+?-----)', multiline=True, ignorecase=True) }}"

# We only want the first part of this certificate, I don't know why, but this is what works
# We only want the first part of this certificate, I don't know why, but this is what works - if needed, set include_cluster_ingress_cert_chain == true to have entire cert chain
- name: "Get private ingress certificate"
ansible.builtin.set_fact:
cluster_ingress_tls_crt: "{{ cluster_ingress_tls_crt_full[0] }}"
cluster_ingress_tls_crt: "{{ cluster_ingress_tls_crt_full if (include_cluster_ingress_cert_chain) else cluster_ingress_tls_crt_full[0] }}"

- name: "Format to list all certificates in the chain"
ansible.builtin.set_fact:
cluster_ingress_tls_crt: "{{ cluster_ingress_tls_crt | join('') }}"
when: cluster_ingress_tls_crt | type_debug == 'list' and cluster_ingress_tls_crt | length > 0
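Review bot: `join('')` in the "Format to list all certificates in the chain" task concatenates the PEM blocks with no separator, so the joined value contains `-----END CERTIFICATE----------BEGIN CERTIFICATE-----` on a single line. The `regex_findall` calls downstream still split it because they match on the marker text, but anything that consumes `cluster_ingress_tls_crt` as a plain PEM bundle (openssl, a truststore import) will reject it; `join('\n')` produces a valid bundle at no extra cost. Separately, the comment on the single-certificate path still says "I don't know why, but this is what works"; now that the full chain is an option, that comment should state the actual reason only the leaf is used by default, otherwise the next maintainer cannot tell whether the new flag is a workaround or the intended future default.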
6 changes: 6 additions & 0 deletions ibm/mas_devops/roles/cos/README.md
@@ -94,6 +94,12 @@ List of comma separated key=value pairs for setting custom labels on instance sp
- Environment Variable: `CUSTOM_LABELS`
- Default Value: None

### include_cluster_ingress_cert_chain
Optional. When set to `True`, includes the complete certificates chain in the generated MAS configuration, when a trusted certificate authority is found in your cluster's ingress.

- Optional
- Environment Variable: `INCLUDE_CLUSTER_INGRESS_CERT_CHAIN`
- Default: `False`

Example Playbook
----------------
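Review bot: "complete certificates chain" should read "complete certificate chain", and the entry should say where the option takes effect: it is read in `common_tasks/get_ingress_cert.yml`, so a single `INCLUDE_CLUSTER_INGRESS_CERT_CHAIN` setting applies to every role that uses that task (the dro and uds README hunks in this PR add the identical entry). One sentence pointing the three entries at the common task would keep them from drifting apart.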
3 changes: 1 addition & 2 deletions ibm/mas_devops/roles/cos/defaults/main.yml
@@ -9,13 +9,12 @@ cos_service: "cloud-object-storage"
mas_instance_id: "{{ lookup('env', 'MAS_INSTANCE_ID') }}"
mas_config_dir: "{{ lookup('env', 'MAS_CONFIG_DIR') }}"


# OpenShift Container Storage Object Storage (ocs)
# ---------------------------------------------------------------------------------------------------------------------


# IBM Cloud Object Storage (ibm)
# ---------------------------------------------------------------------------------------------------------------------
ibmcos_include_isrg_root_cert: "{{ lookup('env', 'IBMCOS_INCLUDE_ISRG_ROOT_CERT') | default('true', true) | bool }}" # mainly needed for IBM Cloud hosted services
ibmcloud_apikey: "{{ lookup('env', 'IBMCLOUD_APIKEY') }}"
ibmcloud_resourcegroup: "{{ lookup('env', 'IBMCLOUD_RESOURCEGROUP') | default('Default', true) }}"
ibmcos_resourcegroup: "{{ lookup('env', 'IBMCOS_RESOURCEGROUP') | default(ibmcloud_resourcegroup, true) }}"
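Review bot: `ibmcos_include_isrg_root_cert` / `IBMCOS_INCLUDE_ISRG_ROOT_CERT` is added here but the cos README hunk above documents only `include_cluster_ingress_cert_chain`; the same gap exists for `DRO_INCLUDE_ISRG_ROOT_CERT` and `UDS_INCLUDE_ISRG_ROOT_CERT` in the dro and uds defaults hunks further down. Each README should get an entry stating that the default of `true` keeps the previous behaviour (the Let's Encrypt ISRG Root X1 certificate was always appended) and that `false` stops a public root being added to the generated configuration's trust list on clusters that do not need it; a trust list should carry only the roots the deployment actually relies on.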
25 changes: 11 additions & 14 deletions ibm/mas_devops/roles/cos/tasks/providers/ocs/provision.yml
@@ -23,7 +23,6 @@
msg:
- "OCS Cluster is available .... {{ ocsavailable }}"


# 2. Create the object store
# -----------------------------------------------------------------------------
- name: "ocs/objectstorage : Create objectstore in OSC Cluster"
@@ -32,7 +31,6 @@
apply: yes
definition: "{{ lookup('template', 'templates/ocs/object.yaml') }}"


# 3. Create the object User
# -----------------------------------------------------------------------------
- name: "ocs/objectstorage : Create objectstore User"
@@ -52,23 +50,21 @@
retries: 10 # Approximately 10 minutes before we give up
delay: 60 # 1 minute


# 4. Set up the domain name for object storage route
# -----------------------------------------------------------------------------
- name: "ocs/objectstorage :Get cluster subdomain"
- name: "ocs/objectstorage : Get cluster subdomain"
when: ocsavailable is defined and ocsavailable
kubernetes.core.k8s_info:
api_version: config.openshift.io/v1
kind: Ingress
name: cluster
register: _cluster_subdomain

- name: "ocs/objectstorage :Configure domain"
- name: "ocs/objectstorage : Configure domain"
when: ocsavailable is defined and ocsavailable
set_fact:
cos_domain: "rgw-openshift-storage.{{ _cluster_subdomain.resources[0].spec.domain }}"


# 5. Create route for cos
# -----------------------------------------------------------------------------
- name: "ocs/objectstorage : Create objectstore route"
@@ -77,10 +73,9 @@
apply: yes
definition: "{{ lookup('template', 'templates/ocs/rgw.yaml') }}"


# 6. Query the object User crdential
# -----------------------------------------------------------------------------
- name: "ocs/objectstorage :Lookup if cos user secret is there"
- name: "ocs/objectstorage : Lookup if cos user secret is there"
when: ocsavailable is defined and ocsavailable
kubernetes.core.k8s_info:
api_version: v1
@@ -89,7 +84,6 @@
namespace: "openshift-storage"
register: objectuserSecret


# 7. Query the tls for object route
# -----------------------------------------------------------------------------
- name: "ocs/objectstorage : Lookup the default cluster ingress secret"
@@ -100,9 +94,14 @@
# is necessary :)
- name: "ocs/objectstorage : Set COS cert variable"
set_fact:
ocscos_certs: "{{ cluster_ingress_tls_crt | regex_findall('(-----BEGIN .+?-----(?s).+?-----END .+?-----)', multiline=True, ignorecase=True) }}"
ocscos_tls_crt: "{{ cluster_ingress_tls_crt | regex_findall('(-----BEGIN .+?-----(?s).+?-----END .+?-----)', multiline=True, ignorecase=True) }}"

# Load uds_certs template to dynamically set as many uds certificates as identified
- set_fact:
ocscos_certs: "{{ lookup('ansible.builtin.template', 'templates/ocs/ocs-certs.yml.j2') }}"
when: ocscos_tls_crt | length > 0

- name: "ocs/objectstorage :Query cos secret based on existing secret/cm"
- name: "ocs/objectstorage : Query cos secret based on existing secret/cm"
when:
- ocsavailable is defined and ocsavailable
- objectuserSecret.resources| length != 0
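Review bot: the `regex_findall` pattern on the `ocscos_tls_crt` line places `(?s)` in the middle of the expression (`-----BEGIN .+?-----(?s).+?-----END ...`). Python 3.11 rejects a global inline flag that is not at the start of the pattern (`re.error: global flags not at the start of the expression`), so this task fails on a controller whose Ansible runs under Python 3.11 or newer. The `get_ingress_cert.yml` and dro hunks in this same PR already use the working form, `(?s)(-----BEGIN .+?-----.+?-----END .+?-----)`; use that form here and in the jdbc and mongo task hunks as well. Also, the template-loading `set_fact` has no `name:`, unlike every other task in this file, and its comment refers to `uds_certs` inside an ocs task; name the task and fix the comment.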
@@ -111,7 +110,6 @@
ocscos_username: "{{ objectuserSecret.resources[0]['data']['AccessKey']| b64decode }}"
ocscos_password: "{{ objectuserSecret.resources[0]['data']['SecretKey']| b64decode }}"


# 8. Provide debug information and create coscfg.yml
# -----------------------------------------------------------------------------
- name: "ocs/objectstorage : Debug information"
@@ -127,7 +125,6 @@
fail:
msg: "we didn't get the cos info here in ocs cluster."


# 9. Write ObjectStorageCfg to disk
# -----------------------------------------------------------------------------
- name: "ocs/objectstorage : Copy objectstorageCfg to filesytem"
@@ -139,4 +136,4 @@
ansible.builtin.template:
src: ocs/objectstoragecfg.yml.j2
dest: "{{ mas_config_dir }}/cos-ocs-system.yml"
mode: '664'
mode: "664"
15 changes: 7 additions & 8 deletions ibm/mas_devops/roles/cos/templates/ocs/objectstoragecfg.yml.j2
@@ -34,14 +34,12 @@ spec:
url: "{{ ocscos_url }}"
credentials:
secretName: ocscos-credentials-system
certificates:
- alias: cospart1
crt: |
{{ ocscos_certs[0] | indent(8) }}
- alias: cospart2
crt: |
{{ ocscos_certs[1] | indent(8) }}
- alias: isrg-root-x1 # default root certificate used by Let's Encrypt
{% if ocscos_certs is defined and ocscos_certs | length > 0 %}
certificates:
{{ ocscos_certs | indent(width=4, first=False) }}
{%- endif %}
{% if ocscos_certs is defined and ocscos_certs | length > 0 and ibmcos_include_isrg_root_cert == true %}
- alias: isrgrootx1 # default root certificate used by Let's Encrypt
crt: |
-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
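Review bot: the `isrgrootx1` entry is now emitted only when `ocscos_certs | length > 0`, whereas before this change `isrg-root-x1` was appended unconditionally. On a cluster whose ingress yields no certificate (an empty `ocscos_certs`) the generated config therefore loses the Let's Encrypt root entirely, even with `ibmcos_include_isrg_root_cert` left at its default of `true`. If that is intended, say so in the README; otherwise emit the `certificates:` key whenever either source is non-empty and gate the root entry on the flag alone. Note also that the alias changes from `isrg-root-x1` to `isrgrootx1` and the per-part aliases from `cospart1`/`cospart2` to `part1`, `part2`, ...; anything that references the old alias names needs updating, and the rename belongs in the PR description.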
@@ -74,3 +72,4 @@ spec:
mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
-----END CERTIFICATE-----
{%- endif %}
5 changes: 5 additions & 0 deletions ibm/mas_devops/roles/cos/templates/ocs/ocs-certs.yml.j2
@@ -0,0 +1,5 @@
{% for crt in ocscos_tls_crt %}
- alias: "part{{ loop.index }}"
crt: |
{{ crt | indent(width=4, first=False) }}
{% endfor %}
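Review bot: this template is duplicated verbatim as `dro-certs.yml.j2`, `jdbc-certs.yml.j2` and `mongo-certs.yml.j2` further down, with only the loop variable changing; a single shared template that iterates over a caller-supplied list (passed through the template lookup's `template_vars` option) would keep the alias scheme and indentation in one place. The `indent(width=4, first=False)` here has to agree with the `indent(width=4 ...)` or `indent(width=6 ...)` applied again in each parent template, which is exactly the kind of coupling that breaks silently once four copies start to drift.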
7 changes: 7 additions & 0 deletions ibm/mas_devops/roles/dro/README.md
@@ -96,6 +96,13 @@ For examples refer to the [BestEfforts reference configuration in the MAS CLI](h
- Environment Variable: `MAS_POD_TEMPLATES_DIR`
- Default: None

### include_cluster_ingress_cert_chain
Optional. When set to `True`, includes the complete certificates chain in the generated MAS configuration, when a trusted certificate authority is found in your cluster's ingress.

- Optional
- Environment Variable: `INCLUDE_CLUSTER_INGRESS_CERT_CHAIN`
- Default: `False`

Example Playbook
-------------------------------------------------------------------------------

1 change: 1 addition & 0 deletions ibm/mas_devops/roles/dro/defaults/main.yml
@@ -15,6 +15,7 @@ dro_contact:
last_name: "{{ lookup('env', 'DRO_CONTACT_LASTNAME') }}"

ibm_entitlement_key: "{{ lookup('env', 'IBM_ENTITLEMENT_KEY') }}"
dro_include_isrg_root_cert: "{{ lookup('env', 'DRO_INCLUDE_ISRG_ROOT_CERT') | default('true', true) | bool }}" # mainly needed for IBM Cloud hosted services

# Custom Labels
# -----------------------------------------------------------------------------
6 changes: 6 additions & 0 deletions ibm/mas_devops/roles/dro/tasks/gencfg/main.yml
@@ -74,6 +74,12 @@
- name: "udscfg : Set UDS cert variable"
set_fact:
dro_tls_crt: "{{ cluster_ingress_tls_crt | regex_findall('(?s)(-----BEGIN .+?-----.+?-----END .+?-----)', multiline=True, ignorecase=True) }}"
no_log: true

# Load uds_certs template to dynamically set as many uds certificates as identified
- set_fact:
dro_certs: "{{ lookup('ansible.builtin.template', 'templates/dro-certs.yml.j2') }}"
when: dro_tls_crt | length > 0

- name: "gencfg : Fail if dro_tls_crt has not been provided"
assert:
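Review bot: `no_log: true` on the `dro_tls_crt` set_fact hides the parsed certificate list from verbose output, but the value is the cluster's public ingress certificate chain, not a secret; with it suppressed, the "Fail if dro_tls_crt has not been provided" assert that follows fires with nothing useful logged when the regex matches nothing. Drop `no_log` here (and on the corresponding jdbc and mongo `set_fact` hunks, which also only hold certificates), or keep it and add a debug task that reports `dro_tls_crt | length` so the failure is diagnosable. The unnamed template-loading `set_fact` should get a `name:` like the tasks around it.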
17 changes: 7 additions & 10 deletions ibm/mas_devops/roles/dro/templates/bascfg.yml.j2
@@ -37,16 +37,12 @@ spec:
lastName: "{{ dro_contact.last_name }}"
credentials:
secretName: dro-apikey
certificates:
- alias: part1
crt: |
{{ dro_tls_crt[0] | indent(8) }}
{% if dro_tls_crt | length > 1 %}
- alias: part2
crt: |
{{ dro_tls_crt[1] | indent(8) }}
{% endif %}
- alias: isrg-root-x1 # default root certificate used by Let's Encrypt
{% if dro_certs is defined and dro_certs | length > 0 %}
certificates:
{{ dro_certs | indent(width=4, first=False) }}
{%- endif %}
{% if dro_certs is defined and dro_certs | length > 0 and dro_include_isrg_root_cert == true %}
- alias: isrgrootx1 # default root certificate used by Let's Encrypt
crt: |
-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
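Review bot: same gating concern as in the cos template: the `isrgrootx1` block now depends on `dro_certs | length > 0` as well as on `dro_include_isrg_root_cert`, so a run with an empty `dro_certs` drops the Let's Encrypt root that was previously always present, and the alias changes from `isrg-root-x1` to `isrgrootx1`. If both are deliberate, record them in the PR description so operators comparing generated BasCfg resources before and after the upgrade know why the alias moved and why the root may be absent.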
@@ -79,6 +75,7 @@ spec:
mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
-----END CERTIFICATE-----
{%- endif %}
{% if ibm_mas_bascfg_pod_templates is defined %}
podTemplates: {{ ibm_mas_bascfg_pod_templates }}
{% endif %}
5 changes: 5 additions & 0 deletions ibm/mas_devops/roles/dro/templates/dro-certs.yml.j2
@@ -0,0 +1,5 @@
{% for crt in dro_tls_crt %}
- alias: "part{{ loop.index }}"
crt: |
{{ crt | indent(width=4, first=False) }}
{% endfor %}
16 changes: 10 additions & 6 deletions ibm/mas_devops/roles/gencfg_jdbc/tasks/main.yml
@@ -1,5 +1,4 @@
---

# 1. Check for undefined properties that do not have a default
# -----------------------------------------------------------------------------
- name: "Fail if mas_instance_id is not provided"
@@ -39,7 +38,6 @@
fail_msg: "db_pem_file property is required"
when: ssl_enabled == true


# 2. Provide debug information
# -----------------------------------------------------------------------------
- name: "Configure namespace"
@@ -68,7 +66,7 @@
- mas_config_dir is defined
- mas_config_dir != ""
template: src=vars/jdbccfg/{{ mas_config_scope }}.yml.j2
dest=/tmp/{{ mas_config_scope }}.yml
dest=/tmp/{{ mas_config_scope }}.yml

# 4. Load JDBCCfg yml definition
# -----------------------------------------------------------------------------
@@ -83,11 +81,17 @@
# 5. Read file information
# -----------------------------------------------------------------------------
- name: Read DB Certificate file
set_fact:
db_pem: "{{ lookup('file', db_pem_file) }}"
when:
- db_pem_file is defined
- ssl_enabled == true
set_fact:
jdbc_tls_crt: "{{ lookup('file', db_pem_file) | regex_findall('(-----BEGIN .+?-----(?s).+?-----END .+?-----)', multiline=True, ignorecase=True) }}"
no_log: true

# Load jdbc_certs template to dynamically set as many jdbc certificates as identified
- set_fact:
jdbc_certs: "{{ lookup('ansible.builtin.template', 'templates/jdbc-certs.yml.j2') }}"
when: jdbc_tls_crt | length > 0

# 6. Generate JDBCcfg for MAS configuration
# -----------------------------------------------------------------------------
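Review bot: when `ssl_enabled` is false the "Read DB Certificate file" task is skipped and `jdbc_tls_crt` is never set, so the following `when: jdbc_tls_crt | length > 0` fails with `'jdbc_tls_crt' is undefined` instead of being skipped. Guard it with `when: jdbc_tls_crt is defined and jdbc_tls_crt | length > 0`, or give the fact a default of `[]`. The `regex_findall` pattern also has `(?s)` mid-expression, which Python 3.11 rejects; move it to the start as the dro hunk does. Finally, `-----BEGIN .+?-----` matches any PEM block type, so a `db_pem_file` that also carries a private key would have that key copied into `jdbc.yml` as a `partN` certificate; matching `-----BEGIN CERTIFICATE-----` explicitly keeps key material out of the generated configuration.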
@@ -98,4 +102,4 @@
ansible.builtin.template:
src: jdbccfg.yml.j2
dest: "{{ mas_config_dir }}/jdbc.yml"
mode: '664'
mode: "664"
@@ -0,0 +1,5 @@
{% for crt in jdbc_tls_crt %}
- alias: "part{{ loop.index }}"
crt: |
{{ crt | indent(width=4, first=False) }}
{% endfor %}
9 changes: 3 additions & 6 deletions ibm/mas_devops/roles/gencfg_jdbc/templates/jdbccfg.yml.j2
@@ -32,10 +32,7 @@ spec:
{% endif %}
credentials:
secretName: "jdbc-{{ db_instance_id | lower }}-credentials"
{% if ssl_enabled | bool %}
{% if ssl_enabled | bool and jdbc_certs is defined and jdbc_certs | length > 0 %}
certificates:
- alias: "{{ db_instance_id | lower }}"
crt: |
{{ db_pem | indent(8) }}
{% endif %}

{{ jdbc_certs | indent(width=4, first=False) }}
{%- endif %}
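Review bot: with the `certificates:` block now conditional on `jdbc_certs | length > 0`, an `ssl_enabled` run whose PEM file yields no parsable block silently produces a JDBCCfg with no certificates rather than an error. Add an assert in the tasks file that `jdbc_tls_crt | length > 0` when `ssl_enabled` is true, so a bad certificate file is caught at generation time instead of at the first TLS handshake. The alias also changes from `{{ db_instance_id | lower }}` to `partN`; worth a line in the PR description for anyone who keys off the old alias.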
13 changes: 9 additions & 4 deletions ibm/mas_devops/roles/gencfg_mongo/tasks/main.yml
@@ -66,11 +66,16 @@

# 5. Read file information
# -----------------------------------------------------------------------------
- name: Read Mongo CA PEM file
- name: Read Mongo Certificate file
when: mongodb_ca_pem_local_file
set_fact:
mongo_ca_pem: "{{ lookup('file', mongodb_ca_pem_local_file) }}"
when:
- mongodb_ca_pem_local_file is defined
mongo_tls_crt: "{{ lookup('file', mongodb_ca_pem_local_file) | regex_findall('(-----BEGIN .+?-----(?s).+?-----END .+?-----)', multiline=True, ignorecase=True) }}"
no_log: true

# Load mongo_certs template to dynamically set as many mongo certificates as identified
- set_fact:
mongo_certs: "{{ lookup('ansible.builtin.template', 'templates/mongo-certs.yml.j2') }}"
when: mongo_tls_crt | length > 0

- name: "Create MAS MongoCfg"
when:
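Review bot: the `when:` on "Read Mongo Certificate file" now skips the task when `mongodb_ca_pem_local_file` is empty, which is a reasonable tightening, but `mongo_tls_crt` is then undefined and the next task's `when: mongo_tls_crt | length > 0` errors with `'mongo_tls_crt' is undefined` rather than skipping. Use `when: mongo_tls_crt is defined and mongo_tls_crt | length > 0`. The `(?s)` flag sits mid-pattern here as well and is rejected by Python 3.11; move it to the start of the expression as the dro hunk does.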
@@ -0,0 +1,5 @@
{% for crt in mongo_tls_crt %}
- alias: "part{{ loop.index }}"
crt: |
{{ crt | indent(width=4, first=False) }}
{% endfor %}
@@ -41,7 +41,7 @@ spec:
secretName: mongodb-{{mas_instance_id|lower}}-admin
hosts:
{{ mongodb_hosts | indent(6) }}
certificates:
- alias: ca
crt: |
{{ mongo_ca_pem | indent(8) }}
{%- if mongo_certs is defined and mongo_certs | length > 0 %}
certificates:
{{ mongo_certs | indent(width=6, first=False) }}
{%- endif %}
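Review bot: the leading `-` in `{%- if mongo_certs is defined ... %}` strips the newline that ends the `{{ mongodb_hosts | indent(6) }}` line; because whitespace control acts on the template text, not on the rendered value, `certificates:` ends up on the same line as the last host entry unless `mongodb_hosts` itself ends with a newline, and the resulting MongoCfg is then not valid YAML. Render the template once with a two-host list and inspect the output, or drop the `-` on the opening tag (the `{%- endif %}` at the end is harmless) so the line break is always preserved.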
@@ -51,7 +51,7 @@
- "Catalog source ....................... {{ kafka_source }}"
- "Catalog source namespace .............. {{ kafka_source_namespace }}"
- "Current Kafka Version ................. {{ kafka_current_version }}"
- "Target Kafka Version .................. {{ kafka_version }} "
- "Target Kafka Version .................. {{ kafka_version }}"

# 4. Determine if upgrade is needed and perform it
# -----------------------------------------------------------------------------
7 changes: 7 additions & 0 deletions ibm/mas_devops/roles/uds/README.md
@@ -127,6 +127,13 @@ For examples refer to the [BestEfforts reference configuration in the MAS CLI](h
- Environment Variable: `MAS_POD_TEMPLATES_DIR`
- Default: None

### include_cluster_ingress_cert_chain
Optional. When set to `True`, includes the complete certificates chain in the generated MAS configuration, when a trusted certificate authority is found in your cluster's ingress.

- Optional
- Environment Variable: `INCLUDE_CLUSTER_INGRESS_CERT_CHAIN`
- Default: `False`

Example Playbook
-------------------------------------------------------------------------------

1 change: 1 addition & 0 deletions ibm/mas_devops/roles/uds/defaults/main.yml
@@ -26,6 +26,7 @@ cluster_name: "{{ lookup('env', 'CLUSTER_NAME')}}"
uds_endpoint_url: "{{ lookup('env', 'UDS_ENDPOINT_URL') }}"
uds_tls_crt: "{{ lookup('env', 'UDS_TLS_CERT') }}"
uds_tls_crt_local_file_path: "{{ lookup('env', 'UDS_TLS_CERT_LOCAL_FILE_PATH') }}"
uds_include_isrg_root_cert: "{{ lookup('env', 'UDS_INCLUDE_ISRG_ROOT_CERT') | default('true', true) | bool }}" # mainly needed for IBM Cloud hosted services
uds_api_key: "{{ lookup('env', 'UDS_API_KEY') }}"

# Custom Labels