diff --git a/examples/update-platform-certificates/update-platform-certificates-inventory-EXAMPLE.yml b/examples/update-platform-certificates/update-platform-certificates-inventory-EXAMPLE.yml
index b52937ccb..07fd3c62f 100644
--- a/examples/update-platform-certificates/update-platform-certificates-inventory-EXAMPLE.yml
+++ b/examples/update-platform-certificates/update-platform-certificates-inventory-EXAMPLE.yml
@@ -83,7 +83,6 @@ all:
 subject_O: myorganization
 subject_OU: engineering
 subject_CN: myorganization.com
- subject_prefix: starlingx
 # SSH password to connect to all subclouds
 ansible_ssh_user: sysadmin
 ansible_ssh_pass:
diff --git a/playbookconfig/src/playbooks/roles/common/generate-platform-certificates-template/templates/platform_certificates.yml.j2 b/playbookconfig/src/playbooks/roles/common/generate-platform-certificates-template/templates/platform_certificates.yml.j2
index e73b3a7cb..ea5dfefcf 100644
--- a/playbookconfig/src/playbooks/roles/common/generate-platform-certificates-template/templates/platform_certificates.yml.j2
+++ b/playbookconfig/src/playbooks/roles/common/generate-platform-certificates-template/templates/platform_certificates.yml.j2
@@ -32,7 +32,6 @@ items:
 name: system-restapi-gui-certificate
 namespace: deployment
 spec:
- commonName: "{{ system_platform_certificate.subject_CN | default(oam_ip.stdout, true) }}"
 dnsNames:
 - "{{ clean_region_name }}.{{ system_platform_certificate.dns_domain | default(default.dns_domain, true) }}"
 duration: "{{ system_platform_certificate.duration | default(default.duration, true) }}"
@@ -55,7 +54,6 @@ items:
 name: system-registry-local-certificate
 namespace: deployment
 spec:
- commonName: "{{ system_platform_certificate.subject_CN | default(oam_ip.stdout, true) }}"
 dnsNames:
 - "{{ clean_region_name }}.{{ system_platform_certificate.dns_domain | default(default.dns_domain, true) }}"
 - registry.local
@@ -83,7 +81,6 @@ items:
 name: oidc-auth-apps-certificate
 namespace: kube-system
 spec:
- commonName: "{{ system_platform_certificate.subject_CN | default(oam_ip.stdout, true) }}"
 dnsNames:
 - "{{ clean_region_name }}.{{ system_platform_certificate.dns_domain | default(default.dns_domain, true) }}"
 duration: "{{ system_platform_certificate.duration | default(default.duration, true) }}"
@@ -111,7 +108,6 @@ items:
 name: system-openldap-local-certificate
 namespace: deployment
 spec:
- commonName: "{{ system_platform_certificate.subject_CN | default(short_certificate_name, true) }}"
 dnsNames:
 - "{{ clean_region_name }}.{{ system_platform_certificate.dns_domain | default(default.dns_domain, true) }}"
 - controller
diff --git a/playbookconfig/src/playbooks/roles/common/generate-platform-certificates-template/templates/subject_snippet.j2 b/playbookconfig/src/playbooks/roles/common/generate-platform-certificates-template/templates/subject_snippet.j2
index adee4a1dd..5e63622ec 100644
--- a/playbookconfig/src/playbooks/roles/common/generate-platform-certificates-template/templates/subject_snippet.j2
+++ b/playbookconfig/src/playbooks/roles/common/generate-platform-certificates-template/templates/subject_snippet.j2
@@ -1,24 +1,37 @@
 {% if system_platform_certificate is defined %}
+ commonName: "{{ system_platform_certificate.subject_CN | default(short_certificate_name) }}"
 subject:
-{% if system_platform_certificate.subject_C is defined %}
+{% if system_platform_certificate.subject_C is defined and system_platform_certificate.subject_C != '' %}
 countries:
 - "{{ system_platform_certificate.subject_C }}"
 {% endif %}
-{% if system_platform_certificate.subject_ST is defined %}
+{% if system_platform_certificate.subject_ST is defined and system_platform_certificate.subject_ST != '' %}
 provinces:
 - "{{ system_platform_certificate.subject_ST }}"
 {% endif %}
-{% if system_platform_certificate.subject_L is defined %}
+{% if system_platform_certificate.subject_L is defined and system_platform_certificate.subject_L != '' %}
 localities:
 - "{{ system_platform_certificate.subject_L }}"
- - "{{ system_platform_certificate.subject_prefix + ':' if system_platform_certificate.subject_prefix is defined else '' }}{{ clean_region_name }}:{{ short_certificate_name }}"
+{% elif system_platform_certificate.subject_L is not defined %}
+ localities:
+ - "{{ clean_region_name }}"
 {% endif %}
-{% if system_platform_certificate.subject_O is defined %}
+{% if system_platform_certificate.subject_O is defined and system_platform_certificate.subject_O != '' %}
 organizations:
 - "{{ system_platform_certificate.subject_O }}"
+{% elif system_platform_certificate.subject_O is not defined %}
+ organizations:
+ - "{{ default.subject_O }}"
 {% endif %}
-{% if system_platform_certificate.subject_OU is defined %}
+{% if system_platform_certificate.subject_OU is defined and system_platform_certificate.subject_OU != '' %}
 organizationalUnits:
 - "{{ system_platform_certificate.subject_OU }}"
 {% endif %}
+{% else %}
+ commonName: "{{ short_certificate_name }}"
+ subject:
+ localities:
+ - "{{ clean_region_name }}"
+ organizations:
+ - "{{ default.subject_O }}"
 {% endif %}
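Review bot: The new `commonName` line uses `default(short_certificate_name)` without the boolean second argument, so an inventory that sets `subject_CN: ''` (the exact case the other fields now guard against with `!= ''`) renders `commonName: ""` instead of falling back; the lines removed from platform_certificates.yml.j2 used `default(..., true)` for precisely this reason. Change it to `commonName: "{{ system_platform_certificate.subject_CN | default(short_certificate_name, true) }}"`. Separately, `subject_L` and `subject_O` now behave three ways — unset gets the default, empty omits the field, non-empty is used verbatim — which is a reasonable opt-out but is not stated in the snippet; a header comment such as `{# empty subject_L/subject_O omits the field; leave it unset to get the default #}` would make that intent explicit to whoever edits the inventory.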
diff --git a/playbookconfig/src/playbooks/roles/common/generate-platform-certificates-template/vars/main.yaml b/playbookconfig/src/playbooks/roles/common/generate-platform-certificates-template/vars/main.yaml
index cfdc5e5a3..3627bdb36 100644
--- a/playbookconfig/src/playbooks/roles/common/generate-platform-certificates-template/vars/main.yaml
+++ b/playbookconfig/src/playbooks/roles/common/generate-platform-certificates-template/vars/main.yaml
@@ -10,3 +10,4 @@ default:
 dns_domain: 'starlingx.local'
 duration: '2160h' # 90d
 renewBefore: '360h' # 15d
+ subject_O: 'starlingx'
diff --git a/playbookconfig/src/playbooks/roles/common/validate-cert-subject-fields/vars/main.yml b/playbookconfig/src/playbooks/roles/common/validate-cert-subject-fields/vars/main.yml
index 96874dd98..7f3dc16b0 100644
--- a/playbookconfig/src/playbooks/roles/common/validate-cert-subject-fields/vars/main.yml
+++ b/playbookconfig/src/playbooks/roles/common/validate-cert-subject-fields/vars/main.yml
@@ -9,4 +9,3 @@ valid_subject_fieds:
 - subject_O
 - subject_OU
 - subject_CN
-- subject_prefix
diff --git a/playbookconfig/src/playbooks/roles/update-platform-certificates/tasks/main.yml b/playbookconfig/src/playbooks/roles/update-platform-certificates/tasks/main.yml
index 88beeeffd..dbc7793c2 100644
--- a/playbookconfig/src/playbooks/roles/update-platform-certificates/tasks/main.yml
+++ b/playbookconfig/src/playbooks/roles/update-platform-certificates/tasks/main.yml
@@ -1,6 +1,6 @@
 ---
 #
- # Copyright (c) 2021-2023 Wind River Systems, Inc.
+ # Copyright (c) 2021-2024 Wind River Systems, Inc.
 #
 # SPDX-License-Identifier: Apache-2.0
 #
@@ -95,9 +95,18 @@ vars: destination: "{{ cert_manager_spec_file }}" - # This list is composed of all certificates issued by the cluster issuer - # plus the four platform ones we will always renew - - name: Create a list of certificates that should be migrated to the new 'system-local-ca' issuer + - name: Remove default leaf certificates (plus OIDC) + include_role: + name: common/delete-kubernetes-resources + with_items: + - { name: system-openldap-local-certificate, namespace: deployment, type: certificate } + - { name: system-registry-local-certificate, namespace: deployment, type: certificate } + - { name: system-restapi-gui-certificate, namespace: deployment, type: certificate } + - { name: oidc-auth-apps-certificate, namespace: kube-system, type: certificate } + + # This list is composed of other certificates issued by the cluster issuer + # (i.e. not local REST API/GUI, OpenLDAP, Docker Registry or OIDC) + - name: List other certificates that should be migrated to the new 'system-local-ca' issuer shell: | #Collecting certs previously issued by 'system-local-ca' {(kubectl get certificates -A \ 
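Review bot: The four default Certificate objects are deleted here before the new manifest is applied by the later "Apply kubernetes yaml" task, so if that apply fails (template render error, API server unavailable) the system is left with no Certificate objects for the REST API/GUI, registry, OpenLDAP and OIDC secrets and cert-manager stops renewing them until someone notices. Consider applying the new spec first and deleting only what must be recreated, or wrapping the delete/apply pair in a `block:`/`rescue:` that re-applies the previous spec, so a mid-run failure cannot silently disable renewal; I cannot see from this hunk whether a later task already guards against it. The `include_role` call carries no `environment: KUBECONFIG`, unlike the shell task that follows, so the delete role presumably sets its own — worth confirming. The enclosing task list starts before this hunk.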
@@ -105,31 +114,11 @@ --no-headers=true | awk '$3 == "system-local-ca"' | awk '{ print "{name: "$1", namespace: "$2", type: secret}" }' | - awk NF); - - #Adding certs we will renew by default (if repeated, they will be filtered in renewal task) - (printf "{name: system-openldap-local-certificate, namespace: deployment, type: secret} - {name: system-registry-local-certificate, namespace: deployment, type: secret} - {name: system-restapi-gui-certificate, namespace: deployment, type: secret} - {name: oidc-auth-apps-certificate, namespace: kube-system, type: secret}\n")} + awk NF)} environment: KUBECONFIG: /etc/kubernetes/admin.conf register: certs_to_renew - # This is a workaround for a problem found in upgrades (not really ideal) - # It will cause warnings uppon applying the file - - name: Remove 'last-applied-configuration' annotation from certs to avoid version problems after upgrades - shell: | - kubectl annotate certificate "{{ item.certificate }}" -n "{{ item.namespace }}" \ - kubectl.kubernetes.io/last-applied-configuration- || true - environment: - KUBECONFIG: /etc/kubernetes/admin.conf - with_items: - - { certificate: system-openldap-local-certificate, namespace: deployment } - - { certificate: system-registry-local-certificate, namespace: deployment } - - { certificate: system-restapi-gui-certificate, namespace: deployment } - - { certificate: oidc-auth-apps-certificate, namespace: kube-system } - - name: Apply kubernetes yaml to create cert-manager clusterissuer and certificates command: kubectl apply -f "{{ cert_manager_spec_file }}" environment: 
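Review bot: The removed lines forced reissuance of the four default certificates by deleting their Secrets; the new list contains only the other `system-local-ca` certificates, so the defaults now depend on the earlier Certificate delete/recreate to pick up the new subject (CN, L, O). Whether cert-manager reissues when the existing Secret already holds a valid certificate that differs only in subject fields depends on its trigger policy for the deployed version — if it does not, the old CN/O remains in place until the next scheduled renewal and the whole point of the change is deferred by up to 90 days. If that has not been verified against the installed cert-manager, the cheap guarantee is to keep the four `type: secret` entries in this list (or add a dedicated delete step) so the Secret is absent when the recreated Certificate is reconciled.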
@@ -150,6 +139,13 @@ name: common/delete-kubernetes-resources loop: "{{ certs_to_renew.stdout_lines | map('from_yaml') | unique | list }}" + - name: Wait for local OpenLDAP certificate to be Ready + command: >- + kubectl wait certificate -n deployment system-openldap-local-certificate + --for=condition=Ready --timeout=90s + environment: + KUBECONFIG: /etc/kubernetes/admin.conf + - name: Update oidc-auth-apps in order to use new certificate include_tasks: reapply-oidc-auth-app.yml when: oidc_applied.stdout | bool
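Review bot: The wait covers only `system-openldap-local-certificate`; the next task re-applies oidc-auth-apps so it uses its new certificate, but nothing here waits for `oidc-auth-apps-certificate` in kube-system to be Ready, so the reapply can start the app while its Secret still holds the previous certificate. Add a matching wait before the OIDC reapply, e.g. `kubectl wait certificate -n kube-system oidc-auth-apps-certificate --for=condition=Ready --timeout=90s`, guarded with the same `when: oidc_applied.stdout | bool` so it is skipped when OIDC is not deployed. `kubectl wait` failing the play on timeout is the right default, but 90s is tight if the issuer itself was just replaced; a larger timeout is worth considering only if timeouts are observed in practice. The REST API/GUI and registry certificates get no wait either, which is fine only if nothing after this point depends on them.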