Merge "Use TLS for virtual media when TLS is enabled"

2021-09-16 19:06:55 +00:00 · 2021-09-16 19:06:55 +00:00 · 28e1a96b40
commit 28e1a96b40
parent d6a11691f8 4f2fd6df32
7 changed files with 59 additions and 1 deletions
--- a/playbooks/roles/bifrost-create-vm-nodes/templates/redfish-emulator.conf.j2
+++ b/playbooks/roles/bifrost-create-vm-nodes/templates/redfish-emulator.conf.j2
@ -12,3 +12,5 @@ SUSHY_EMULATOR_BOOT_LOADER_MAP = {
 SUSHY_EMULATOR_LISTEN_IP = '{{ redfish_emulator_host }}'
 SUSHY_EMULATOR_LISTEN_PORT = {{ redfish_emulator_port }}
 SUSHY_EMULATOR_STATE_DIR = '{{ redfish_emulator_state_dir }}'
+# Sadly this is how real hardware works:
+SUSHY_EMULATOR_VMEDIA_VERIFY_SSL = False
--- a/playbooks/roles/bifrost-ironic-install/defaults/main.yml
+++ b/playbooks/roles/bifrost-ironic-install/defaults/main.yml
@ -14,6 +14,7 @@ http_boot_folder: /httpboot
 ironic_tftp_master_path: /var/lib/ironic/master_images
 staging_drivers_include: false
 file_url_port: "8080"
+file_url_port_tls: "8083"
 ironicclient_source_install: false
 openstacksdk_source_install: false
 ironicinspector_source_install: true
@ -371,10 +372,12 @@ fact_gather_timeout: "{{ lookup('config', 'DEFAULT_GATHER_TIMEOUT', on_missing='

 # Enable TLS support.
 enable_tls: false
+vmedia_enable_tls: "{{ enable_tls }}"
 tls_root: /etc/bifrost
 tls_certificate_path: "{{ tls_root }}/bifrost.crt"
 ironic_private_key_path: /etc/ironic/ironic.pem
 ironic_inspector_private_key_path: /etc/ironic-inspector/inspector.pem
+httpboot_private_key_path: /etc/nginx/httpboot.pem

 # Enable Ironic Prometheus Exporter
 enable_prometheus_exporter: false
--- a/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
+++ b/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
@ -33,6 +33,13 @@
    - noauth_mode | bool
    - enable_keystone | bool

+- name: "Fail if TLS is inconsistently configured"
+  fail:
+    msg: Setting vmedia_enable_tls to true requires also enable_tls.
+  when:
+    - not enable_tls | bool
+    - vmedia_enable_tls | bool
+
 - name: "Setup firewalld"
  include_tasks: setup_firewalld.yml
  when: use_firewalld | bool
@ -163,6 +170,15 @@
    dest_private_key_group: ironic
  when: enable_tls | bool

+- name: "Generate vmedia TLS parameters"
+  include_role:
+    name: bifrost-tls
+  vars:
+    dest_private_key_path: "{{ httpboot_private_key_path }}"
+    dest_private_key_owner: "{{ nginx_user }}"
+    dest_private_key_group: "{{ nginx_user }}"
+  when: vmedia_enable_tls | bool
+
 - name: "Populate keystone for Bifrost"
  include: keystone_setup.yml
  when: enable_keystone | bool
@ -396,6 +412,7 @@
    - 68
    - 69
    - "{{ file_url_port }}"
+    - "{{ file_url_port_tls }}"
    - 6385
  when: not use_firewalld | bool

@ -421,13 +438,14 @@
    immediate: yes
  loop:
    - "{{ file_url_port }}"
+    - "{{ file_url_port_tls }}"
    - 6385
  when: use_firewalld | bool

 - block:
    - name: "Allow nginx, ironic, inspector and IPA ports on SELinux"
      seport:
-        ports: "{{ file_url_port }},6385,5050,9999"
+        ports: "{{ file_url_port }},{{ file_url_port_tls }},6385,5050,9999"
        proto: tcp
        setype: http_port_t
        state: present
--- a/playbooks/roles/bifrost-ironic-install/templates/ironic.conf.j2
+++ b/playbooks/roles/bifrost-ironic-install/templates/ironic.conf.j2
@ -89,6 +89,9 @@ erase_devices_metadata_priority = 0
 erase_devices_priority = 0
 erase_devices_metadata_priority = 10
 {% endif %}
+{% if vmedia_enable_tls | bool %}
+external_http_url = https://{{ internal_ip }}:{{ file_url_port_tls }}/
+{% endif %}

 [conductor]
 automated_clean = {{ cleaning | lower }}
--- a/playbooks/roles/bifrost-ironic-install/templates/nginx_conf.d_bifrost-httpboot.conf.j2
+++ b/playbooks/roles/bifrost-ironic-install/templates/nginx_conf.d_bifrost-httpboot.conf.j2
@ -2,7 +2,25 @@ server {
        listen {{ file_url_port }};
        server_name {{ ansible_hostname }};
        root {{ http_boot_folder }};
+
        location {{ http_boot_folder }}/ {
                alias {{ http_boot_folder }}/;
        }
+        {% if vmedia_enable_tls | bool %}
+        # Served only through TLS
+        location ~ ^/(redfish|ilo)/ {
+                deny all;
+                return 404;
+        }
+        {% endif %}
 }
+{% if vmedia_enable_tls | bool %}
+server {
+        listen {{ file_url_port_tls }} ssl http2;
+        server_name {{ ansible_hostname }};
+        root {{ http_boot_folder }};
+
+        ssl_certificate     {{ tls_certificate_path }};
+        ssl_certificate_key {{ httpboot_private_key_path }};
+}
+{% endif %}
--- a/releasenotes/notes/vmedia-tls-ffa56b7c0466b663.yaml
+++ b/releasenotes/notes/vmedia-tls-ffa56b7c0466b663.yaml
@ -0,0 +1,13 @@
+---
+features:
+  - |
+    Virtual media images are now protected by TLS when TLS support is enabled.
+upgrade:
+  - |
+    If ``enable_tls`` is ``true``, virtual media images for Redfish,
+    iDRAC-Redfish and iLO are now served via TLS using the Ironic's
+    TLS certificate. If this is not desired, set the new option
+    ``vmedia_enable_tls`` to ``false``.
+
+    The new server's port can be configured via the new ``file_url_port_tls``
+    option.
--- a/zuul.d/bifrost-jobs.yaml
+++ b/zuul.d/bifrost-jobs.yaml
@ -118,6 +118,7 @@
    parent: bifrost-integration-tinyipa-ubuntu-focal
    vars:
      boot_mode: uefi
+      enable_tls: true
      test_driver: redfish
      use_vmedia: true