Use TLS for virtual media when TLS is enabled

Virtual media images can potentially contain sensitive data, such as password hashes or private keys. This change adds TLS to this traffic. A new HTTP server is now started with Nginx, serving the same /httpboot directory as the old one. If vmedia_enable_tls is true, the /redfish and /ilo directories are only accessible through it. One of the redfish-vmedia CI jobs has been switched to using TLS. Change-Id: I024b81efdbebe08ddb5a20cd0d5e7ae61a180f1b
2021-08-24 19:43:19 +02:00 · 2021-08-24 19:43:19 +02:00 · 4f2fd6df32
commit 4f2fd6df32
parent 6cf3c7beb6
7 changed files with 59 additions and 1 deletions
--- a/playbooks/roles/bifrost-create-vm-nodes/templates/redfish-emulator.conf.j2
+++ b/playbooks/roles/bifrost-create-vm-nodes/templates/redfish-emulator.conf.j2
@ -12,3 +12,5 @@ SUSHY_EMULATOR_BOOT_LOADER_MAP = {
 SUSHY_EMULATOR_LISTEN_IP = '{{ redfish_emulator_host }}'
 SUSHY_EMULATOR_LISTEN_PORT = {{ redfish_emulator_port }}
 SUSHY_EMULATOR_STATE_DIR = '{{ redfish_emulator_state_dir }}'
+# Sadly this is how real hardware works:
+SUSHY_EMULATOR_VMEDIA_VERIFY_SSL = False
--- a/playbooks/roles/bifrost-ironic-install/defaults/main.yml
+++ b/playbooks/roles/bifrost-ironic-install/defaults/main.yml
@ -14,6 +14,7 @@ http_boot_folder: /httpboot
 ironic_tftp_master_path: /var/lib/ironic/master_images
 staging_drivers_include: false
 file_url_port: "8080"
+file_url_port_tls: "8083"
 ironicclient_source_install: false
 openstacksdk_source_install: false
 ironicinspector_source_install: true
@ -370,10 +371,12 @@ fact_gather_timeout: "{{ lookup('config', 'DEFAULT_GATHER_TIMEOUT', on_missing='

 # Enable TLS support.
 enable_tls: false
+vmedia_enable_tls: "{{ enable_tls }}"
 tls_root: /etc/bifrost
 tls_certificate_path: "{{ tls_root }}/bifrost.crt"
 ironic_private_key_path: /etc/ironic/ironic.pem
 ironic_inspector_private_key_path: /etc/ironic-inspector/inspector.pem
+httpboot_private_key_path: /etc/nginx/httpboot.pem

 # Enable Ironic Prometheus Exporter
 enable_prometheus_exporter: false
--- a/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
+++ b/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
@ -33,6 +33,13 @@
    - noauth_mode | bool
    - enable_keystone | bool

+- name: "Fail if TLS is inconsistently configured"
+  fail:
+    msg: Setting vmedia_enable_tls to true requires also enable_tls.
+  when:
+    - not enable_tls | bool
+    - vmedia_enable_tls | bool
+
 - name: "Setup firewalld"
  include_tasks: setup_firewalld.yml
  when: use_firewalld | bool
@ -163,6 +170,15 @@
    dest_private_key_group: ironic
  when: enable_tls | bool

+- name: "Generate vmedia TLS parameters"
+  include_role:
+    name: bifrost-tls
+  vars:
+    dest_private_key_path: "{{ httpboot_private_key_path }}"
+    dest_private_key_owner: "{{ nginx_user }}"
+    dest_private_key_group: "{{ nginx_user }}"
+  when: vmedia_enable_tls | bool
+
 - name: "Populate keystone for Bifrost"
  include: keystone_setup.yml
  when: enable_keystone | bool
@ -396,6 +412,7 @@
    - 68
    - 69
    - "{{ file_url_port }}"
+    - "{{ file_url_port_tls }}"
    - 6385
  when: not use_firewalld | bool

@ -421,13 +438,14 @@
    immediate: yes
  loop:
    - "{{ file_url_port }}"
+    - "{{ file_url_port_tls }}"
    - 6385
  when: use_firewalld | bool

 - block:
    - name: "Allow nginx, ironic, inspector and IPA ports on SELinux"
      seport:
-        ports: "{{ file_url_port }},6385,5050,9999"
+        ports: "{{ file_url_port }},{{ file_url_port_tls }},6385,5050,9999"
        proto: tcp
        setype: http_port_t
        state: present
--- a/playbooks/roles/bifrost-ironic-install/templates/ironic.conf.j2
+++ b/playbooks/roles/bifrost-ironic-install/templates/ironic.conf.j2
@ -88,6 +88,9 @@ erase_devices_metadata_priority = 0
 erase_devices_priority = 0
 erase_devices_metadata_priority = 10
 {% endif %}
+{% if vmedia_enable_tls | bool %}
+external_http_url = https://{{ internal_ip }}:{{ file_url_port_tls }}/
+{% endif %}

 [conductor]
 automated_clean = {{ cleaning | lower }}
--- a/playbooks/roles/bifrost-ironic-install/templates/nginx_conf.d_bifrost-httpboot.conf.j2
+++ b/playbooks/roles/bifrost-ironic-install/templates/nginx_conf.d_bifrost-httpboot.conf.j2
@ -2,7 +2,25 @@ server {
        listen {{ file_url_port }};
        server_name {{ ansible_hostname }};
        root {{ http_boot_folder }};
+
        location {{ http_boot_folder }}/ {
                alias {{ http_boot_folder }}/;
        }
+        {% if vmedia_enable_tls | bool %}
+        # Served only through TLS
+        location ~ ^/(redfish|ilo)/ {
+                deny all;
+                return 404;
+        }
+        {% endif %}
 }
+{% if vmedia_enable_tls | bool %}
+server {
+        listen {{ file_url_port_tls }} ssl http2;
+        server_name {{ ansible_hostname }};
+        root {{ http_boot_folder }};
+
+        ssl_certificate     {{ tls_certificate_path }};
+        ssl_certificate_key {{ httpboot_private_key_path }};
+}
+{% endif %}
--- a/releasenotes/notes/vmedia-tls-ffa56b7c0466b663.yaml
+++ b/releasenotes/notes/vmedia-tls-ffa56b7c0466b663.yaml
@ -0,0 +1,13 @@
+---
+features:
+  - |
+    Virtual media images are now protected by TLS when TLS support is enabled.
+upgrade:
+  - |
+    If ``enable_tls`` is ``true``, virtual media images for Redfish,
+    iDRAC-Redfish and iLO are now served via TLS using the Ironic's
+    TLS certificate. If this is not desired, set the new option
+    ``vmedia_enable_tls`` to ``false``.
+
+    The new server's port can be configured via the new ``file_url_port_tls``
+    option.
--- a/zuul.d/bifrost-jobs.yaml
+++ b/zuul.d/bifrost-jobs.yaml
@ -118,6 +118,7 @@
    parent: bifrost-integration-tinyipa-ubuntu-focal
    vars:
      boot_mode: uefi
+      enable_tls: true
      test_driver: redfish
      use_vmedia: true