Use TLS for virtual media when TLS is enabled

Virtual media images can potentially contain sensitive data, such as
password hashes or private keys. This change adds TLS to this traffic.

A new HTTP server is now started with Nginx, serving the same /httpboot
directory as the old one. If vmedia_enable_tls is true, the /redfish
and /ilo directories are only accessible through it.

One of the redfish-vmedia CI jobs has been switched to using TLS.

Change-Id: I024b81efdbebe08ddb5a20cd0d5e7ae61a180f1b

playbooks/roles/bifrost-create-vm-nodes/templates/redfish-emulator.conf.j2

@@ -12,3 +12,5 @@ SUSHY_EMULATOR_BOOT_LOADER_MAP = {
 SUSHY_EMULATOR_LISTEN_IP = '{{ redfish_emulator_host }}'
 SUSHY_EMULATOR_LISTEN_PORT = {{ redfish_emulator_port }}
 SUSHY_EMULATOR_STATE_DIR = '{{ redfish_emulator_state_dir }}'
+# Sadly this is how real hardware works:
+SUSHY_EMULATOR_VMEDIA_VERIFY_SSL = False

playbooks/roles/bifrost-ironic-install/defaults/main.yml

@@ -14,6 +14,7 @@ http_boot_folder: /httpboot
 ironic_tftp_master_path: /var/lib/ironic/master_images
 staging_drivers_include: false
 file_url_port: "8080"
+file_url_port_tls: "8083"
 ironicclient_source_install: false
 openstacksdk_source_install: false
 ironicinspector_source_install: true
@@ -370,10 +371,12 @@ fact_gather_timeout: "{{ lookup('config', 'DEFAULT_GATHER_TIMEOUT', on_missing='
 
 # Enable TLS support.
 enable_tls: false
+vmedia_enable_tls: "{{ enable_tls }}"
 tls_root: /etc/bifrost
 tls_certificate_path: "{{ tls_root }}/bifrost.crt"
 ironic_private_key_path: /etc/ironic/ironic.pem
 ironic_inspector_private_key_path: /etc/ironic-inspector/inspector.pem
+httpboot_private_key_path: /etc/nginx/httpboot.pem
 
 # Enable Ironic Prometheus Exporter
 enable_prometheus_exporter: false

playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml

@@ -33,6 +33,13 @@
     - noauth_mode | bool
     - enable_keystone | bool
 
+- name: "Fail if TLS is inconsistently configured"
+  fail:
+    msg: Setting vmedia_enable_tls to true requires also enable_tls.
+  when:
+    - not enable_tls | bool
+    - vmedia_enable_tls | bool
+
 - name: "Setup firewalld"
   include_tasks: setup_firewalld.yml
   when: use_firewalld | bool
@@ -163,6 +170,15 @@
     dest_private_key_group: ironic
   when: enable_tls | bool
 
+- name: "Generate vmedia TLS parameters"
+  include_role:
+    name: bifrost-tls
+  vars:
+    dest_private_key_path: "{{ httpboot_private_key_path }}"
+    dest_private_key_owner: "{{ nginx_user }}"
+    dest_private_key_group: "{{ nginx_user }}"
+  when: vmedia_enable_tls | bool
+
 - name: "Populate keystone for Bifrost"
   include: keystone_setup.yml
   when: enable_keystone | bool
@@ -396,6 +412,7 @@
     - 68
     - 69
     - "{{ file_url_port }}"
+    - "{{ file_url_port_tls }}"
     - 6385
   when: not use_firewalld | bool
 
@@ -421,13 +438,14 @@
     immediate: yes
   loop:
     - "{{ file_url_port }}"
+    - "{{ file_url_port_tls }}"
     - 6385
   when: use_firewalld | bool
 
 - block:
     - name: "Allow nginx, ironic, inspector and IPA ports on SELinux"
       seport:
-        ports: "{{ file_url_port }},6385,5050,9999"
+        ports: "{{ file_url_port }},{{ file_url_port_tls }},6385,5050,9999"
         proto: tcp
         setype: http_port_t
         state: present

playbooks/roles/bifrost-ironic-install/templates/ironic.conf.j2

@@ -88,6 +88,9 @@ erase_devices_metadata_priority = 0
 erase_devices_priority = 0
 erase_devices_metadata_priority = 10
 {% endif %}
+{% if vmedia_enable_tls | bool %}
+external_http_url = https://{{ internal_ip }}:{{ file_url_port_tls }}/
+{% endif %}
 
 [conductor]
 automated_clean = {{ cleaning | lower }}

playbooks/roles/bifrost-ironic-install/templates/nginx_conf.d_bifrost-httpboot.conf.j2

@@ -2,7 +2,25 @@ server {
         listen {{ file_url_port }};
         server_name {{ ansible_hostname }};
         root {{ http_boot_folder }};
+
         location {{ http_boot_folder }}/ {
                 alias {{ http_boot_folder }}/;
         }
+        {% if vmedia_enable_tls | bool %}
+        # Served only through TLS
+        location ~ ^/(redfish|ilo)/ {
+                deny all;
+                return 404;
+        }
+        {% endif %}
 }
+{% if vmedia_enable_tls | bool %}
+server {
+        listen {{ file_url_port_tls }} ssl http2;
+        server_name {{ ansible_hostname }};
+        root {{ http_boot_folder }};
+
+        ssl_certificate     {{ tls_certificate_path }};
+        ssl_certificate_key {{ httpboot_private_key_path }};
+}
+{% endif %}

releasenotes/notes/vmedia-tls-ffa56b7c0466b663.yaml

@@ -0,0 +1,13 @@
+---
+features:
+  - |
+    Virtual media images are now protected by TLS when TLS support is enabled.
+upgrade:
+  - |
+    If ``enable_tls`` is ``true``, virtual media images for Redfish,
+    iDRAC-Redfish and iLO are now served via TLS using the Ironic's
+    TLS certificate. If this is not desired, set the new option
+    ``vmedia_enable_tls`` to ``false``.
+
+    The new server's port can be configured via the new ``file_url_port_tls``
+    option.

zuul.d/bifrost-jobs.yaml

@@ -118,6 +118,7 @@
     parent: bifrost-integration-tinyipa-ubuntu-focal
     vars:
       boot_mode: uefi
+      enable_tls: true
       test_driver: redfish
       use_vmedia: true