From 4f2fd6df32cc22e7d15e31c18b6cd304f718ccc9 Mon Sep 17 00:00:00 2001
From: Dmitry Tantsur
Date: Tue, 24 Aug 2021 19:43:19 +0200
Subject: [PATCH] Use TLS for virtual media when TLS is enabled

Virtual media images can potentially contain sensitive data, such as password hashes or private keys. This change adds TLS to this traffic.

A new HTTP server is now started with Nginx, serving the same /httpboot directory as the old one. If vmedia_enable_tls is true, the /redfish and /ilo directories are only accessible through it.

One of the redfish-vmedia CI jobs has been switched to using TLS.

Change-Id: I024b81efdbebe08ddb5a20cd0d5e7ae61a180f1b
---
 .../templates/redfish-emulator.conf.j2 | 2 ++
 .../bifrost-ironic-install/defaults/main.yml | 3 +++
 .../tasks/bootstrap.yml | 20 ++++++++++++++++++-
 .../templates/ironic.conf.j2 | 3 +++
 .../nginx_conf.d_bifrost-httpboot.conf.j2 | 18 +++++++++++++++++
 .../notes/vmedia-tls-ffa56b7c0466b663.yaml | 13 ++++++++++++
 zuul.d/bifrost-jobs.yaml | 1 +
 7 files changed, 59 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/vmedia-tls-ffa56b7c0466b663.yaml

diff --git a/playbooks/roles/bifrost-create-vm-nodes/templates/redfish-emulator.conf.j2 b/playbooks/roles/bifrost-create-vm-nodes/templates/redfish-emulator.conf.j2
index 901ef4ecd..32cd4195f 100644
--- a/playbooks/roles/bifrost-create-vm-nodes/templates/redfish-emulator.conf.j2
+++ b/playbooks/roles/bifrost-create-vm-nodes/templates/redfish-emulator.conf.j2
@@ -12,3 +12,5 @@ SUSHY_EMULATOR_BOOT_LOADER_MAP = {
 SUSHY_EMULATOR_LISTEN_IP = '{{ redfish_emulator_host }}'
 SUSHY_EMULATOR_LISTEN_PORT = {{ redfish_emulator_port }}
 SUSHY_EMULATOR_STATE_DIR = '{{ redfish_emulator_state_dir }}'
+# Sadly this is how real hardware works:
+SUSHY_EMULATOR_VMEDIA_VERIFY_SSL = False
diff --git a/playbooks/roles/bifrost-ironic-install/defaults/main.yml b/playbooks/roles/bifrost-ironic-install/defaults/main.yml
index abd6a7c66..bdd3d69d1 100644
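Review bot: The comment on the added `SUSHY_EMULATOR_VMEDIA_VERIFY_SSL = False` should state why verification is off for this deployment, not only that hardware behaves that way: the vmedia server presents `tls_certificate_path`, which the bifrost-tls role appears to generate locally, so the emulator has no trust anchor for it, and with verification disabled the TLS added by this change protects image contents from passive capture but does not authenticate the server to the (emulated) BMC. Suggested wording: `# Real BMCs generally do not verify the vmedia server's certificate, and the Bifrost one is locally generated: TLS here gives confidentiality, not server authentication.`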
--- a/playbooks/roles/bifrost-ironic-install/defaults/main.yml
+++ b/playbooks/roles/bifrost-ironic-install/defaults/main.yml
@@ -14,6 +14,7 @@ http_boot_folder: /httpboot
 ironic_tftp_master_path: /var/lib/ironic/master_images
 staging_drivers_include: false
 file_url_port: "8080"
+file_url_port_tls: "8083"
 ironicclient_source_install: false
 openstacksdk_source_install: false
 ironicinspector_source_install: true
@@ -370,10 +371,12 @@ fact_gather_timeout: "{{ lookup('config', 'DEFAULT_GATHER_TIMEOUT', on_missing='

 # Enable TLS support.
 enable_tls: false
+vmedia_enable_tls: "{{ enable_tls }}"
 tls_root: /etc/bifrost
 tls_certificate_path: "{{ tls_root }}/bifrost.crt"
 ironic_private_key_path: /etc/ironic/ironic.pem
 ironic_inspector_private_key_path: /etc/ironic-inspector/inspector.pem
+httpboot_private_key_path: /etc/nginx/httpboot.pem

 # Enable Ironic Prometheus Exporter
 enable_prometheus_exporter: false
diff --git a/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml b/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
index 76157022c..cbbf587b3 100644
--- a/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
+++ b/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
@@ -33,6 +33,13 @@
 - noauth_mode | bool
 - enable_keystone | bool

+- name: "Fail if TLS is inconsistently configured"
+ fail:
+ msg: Setting vmedia_enable_tls to true requires also enable_tls.
+ when:
+ - not enable_tls | bool
+ - vmedia_enable_tls | bool
+
 - name: "Setup firewalld"
 include_tasks: setup_firewalld.yml
 when: use_firewalld | bool
@@ -163,6 +170,15 @@
 dest_private_key_group: ironic
 when: enable_tls | bool

+- name: "Generate vmedia TLS parameters"
+ include_role:
+ name: bifrost-tls
+ vars:
+ dest_private_key_path: "{{ httpboot_private_key_path }}"
+ dest_private_key_owner: "{{ nginx_user }}"
+ dest_private_key_group: "{{ nginx_user }}"
+ when: vmedia_enable_tls | bool
+
 - name: "Populate keystone for Bifrost"
 include: keystone_setup.yml
 when: enable_keystone | bool
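Review bot: Pointing the new "Generate vmedia TLS parameters" include at `httpboot_private_key_path` while nginx is configured with the shared `tls_certificate_path` (see the nginx template in this commit) means one of two things, and the task should document which: either bifrost-tls copies the same key material it already installed at `ironic_private_key_path`, so the nginx worker now holds the Ironic API's private key under `nginx_user`, or the role regenerates the certificate and the earlier key no longer matches it. The first is a least-privilege concern for a static file server exposed to the BMC network, the second an outage; a separate certificate for the httpboot server would avoid both. At minimum add above the task: `# Reuses the Bifrost certificate; the key is copied for nginx_user -- TODO confirm bifrost-tls does not regenerate it`. The surrounding task list continues outside the hunk.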
@@ -396,6 +412,7 @@
 - 68
 - 69
 - "{{ file_url_port }}"
+ - "{{ file_url_port_tls }}"
 - 6385
 when: not use_firewalld | bool

@@ -421,13 +438,14 @@
 immediate: yes
 loop:
 - "{{ file_url_port }}"
+ - "{{ file_url_port_tls }}"
 - 6385
 when: use_firewalld | bool

 - block:
 - name: "Allow nginx, ironic, inspector and IPA ports on SELinux"
 seport:
- ports: "{{ file_url_port }},6385,5050,9999"
+ ports: "{{ file_url_port }},{{ file_url_port_tls }},6385,5050,9999"
 proto: tcp
 setype: http_port_t
 state: present
diff --git a/playbooks/roles/bifrost-ironic-install/templates/ironic.conf.j2 b/playbooks/roles/bifrost-ironic-install/templates/ironic.conf.j2
index 0174bd6bb..498c4be08 100644
--- a/playbooks/roles/bifrost-ironic-install/templates/ironic.conf.j2
+++ b/playbooks/roles/bifrost-ironic-install/templates/ironic.conf.j2
@@ -88,6 +88,9 @@ erase_devices_metadata_priority = 0
 erase_devices_priority = 0
 erase_devices_metadata_priority = 10
 {% endif %}
+{% if vmedia_enable_tls | bool %}
+external_http_url = https://{{ internal_ip }}:{{ file_url_port_tls }}/
+{% endif %}

 [conductor]
 automated_clean = {{ cleaning | lower }}
diff --git a/playbooks/roles/bifrost-ironic-install/templates/nginx_conf.d_bifrost-httpboot.conf.j2 b/playbooks/roles/bifrost-ironic-install/templates/nginx_conf.d_bifrost-httpboot.conf.j2
index e88749289..00d4cfe3d 100644
--- a/playbooks/roles/bifrost-ironic-install/templates/nginx_conf.d_bifrost-httpboot.conf.j2
+++ b/playbooks/roles/bifrost-ironic-install/templates/nginx_conf.d_bifrost-httpboot.conf.j2
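Review bot: `file_url_port_tls` is added to the iptables port list here, and to the firewalld loop and the SELinux `ports` string in the next hunk, without any `vmedia_enable_tls` condition, while the nginx listener on that port is only rendered when the flag is true. An open port with no listener is not exploitable by itself, but the firewall state then no longer reflects the configured surface, and nothing stops an unrelated service from later binding it. If the list in the enclosing task (which starts outside the hunk) can be built as an expression, gate the item on the flag; otherwise add `# Opened unconditionally; the TLS listener itself exists only when vmedia_enable_tls is true` next to the new item.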
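Review bot: `external_http_url = https://{{ internal_ip }}:{{ file_url_port_tls }}/` renders the address unbracketed, so if `internal_ip` can be an IPv6 literal the URL is malformed; if the ipaddr filters are available to this role, `https://{{ internal_ip | ipwrap }}:{{ file_url_port_tls }}/` handles both families. A short comment would also help, since the option name does not say which server it points at: `{# BMCs fetch virtual media images from the TLS-only nginx server that vmedia_enable_tls adds #}`. The configuration section this option lands in begins outside the hunk.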
@@ -2,7 +2,25 @@ server {
 listen {{ file_url_port }};
 server_name {{ ansible_hostname }};
 root {{ http_boot_folder }};
+
 location {{ http_boot_folder }}/ {
 alias {{ http_boot_folder }}/;
 }
+ {% if vmedia_enable_tls | bool %}
+ # Served only through TLS
+ location ~ ^/(redfish|ilo)/ {
+ deny all;
+ return 404;
+ }
+ {% endif %}
 }
+{% if vmedia_enable_tls | bool %}
+server {
+ listen {{ file_url_port_tls }} ssl http2;
+ server_name {{ ansible_hostname }};
+ root {{ http_boot_folder }};
+
+ ssl_certificate {{ tls_certificate_path }};
+ ssl_certificate_key {{ httpboot_private_key_path }};
+}
+{% endif %}
diff --git a/releasenotes/notes/vmedia-tls-ffa56b7c0466b663.yaml b/releasenotes/notes/vmedia-tls-ffa56b7c0466b663.yaml
new file mode 100644
index 000000000..b9f406b93
--- /dev/null
+++ b/releasenotes/notes/vmedia-tls-ffa56b7c0466b663.yaml
@@ -0,0 +1,13 @@
+---
+features:
+ - |
+ Virtual media images are now protected by TLS when TLS support is enabled.
+upgrade:
+ - |
+ If ``enable_tls`` is ``true``, virtual media images for Redfish,
+ iDRAC-Redfish and iLO are now served via TLS using the Ironic's
+ TLS certificate. If this is not desired, set the new option
+ ``vmedia_enable_tls`` to ``false``.
+
+ The new server's port can be configured via the new ``file_url_port_tls``
+ option.
diff --git a/zuul.d/bifrost-jobs.yaml b/zuul.d/bifrost-jobs.yaml
index 0e1d9353e..4727883c1 100644
--- a/zuul.d/bifrost-jobs.yaml
+++ b/zuul.d/bifrost-jobs.yaml
@@ -118,6 +118,7 @@
 parent: bifrost-integration-tinyipa-ubuntu-focal
 vars:
 boot_mode: uefi
+ enable_tls: true
 test_driver: redfish
 use_vmedia: true
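Review bot: In the added `location ~ ^/(redfish|ilo)/` block, `deny all;` never takes effect: `return 404;` is handled in nginx's rewrite phase, which runs before the access phase, so every request ends with the 404 regardless. Keep just `return 404;` (or just `deny all;` if a 403 is the intended signal) and say so in the comment, e.g. `# Served only through TLS; the plain listener answers 404 rather than 403`. Separately, the new `listen {{ file_url_port_tls }} ssl http2;` server sets no `ssl_protocols`, so it takes nginx's default, which on older releases still includes TLSv1 and TLSv1.1; `ssl_protocols TLSv1.2 TLSv1.3;` is the usual floor unless a supported BMC is known to need older versions. The plain-HTTP `server` block begins outside the hunk.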