This repository has been archived by the owner on Jan 30, 2024. It is now read-only.
pulp_webserver: Add support for TLS configuration
Enable HTTPS by default when deploying a new pulp server. One can either specify the value of the certificate and the key or, if none are available, have the installer generate them. Support has been added for both nginx and apache.

fixes #6845 https://pulp.plan.io/issues/6845
fixes #6847 https://pulp.plan.io/issues/6847

Co-Authored-By: Matthias Dellweg <mdellweg@redhat.com>
Showing 32 changed files with 329 additions and 29 deletions.
@@ -0,0 +1,2 @@ | ||
Allow an installer user to configure Pulp to run with TLS enabled using custom provided | ||
certificates. |
Installations will have https enabled by default. Users need to configure their CONTENT_ORIGIN accordingly. |
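Review bot: the note tells users to adjust CONTENT_ORIGIN but not how clients are expected to trust the certificate the installer generates; when no certificate is supplied the CA lands at `{{ pulp_webserver_tls_folder }}/root.crt` (see the certificate generation task in this commit), so say that it must be distributed to clients, and that the new `https://` CONTENT_ORIGIN has to use the same host as `pulp_webserver_httpd_servername`, which is the only CN/SAN in the generated leaf, or clients will fail hostname verification.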
Allow an installer user to configure Pulp to run with TLS enabled using self-signed certificates. |
@@ -0,0 +1,87 @@ | ||
--- | ||
- name: Ensure python-cryptography is installed | ||
package: | ||
name: '{{ pulp_webserver_python_cryptography }}' | ||
become: true | ||
|
||
- name: Look for CA certificate | ||
stat: | ||
path: '{{ pulp_webserver_tls_folder }}/root.crt' | ||
get_attributes: false | ||
get_checksum: false | ||
get_mime: false | ||
register: __pulp_webserver_ca_cert | ||
|
||
- name: Generate CA | ||
block: | ||
- name: Generate CA key | ||
openssl_privatekey: | ||
path: '{{ pulp_webserver_tls_folder }}/root.key' | ||
|
||
- name: Generate CA CSR | ||
openssl_csr: | ||
path: '{{ pulp_webserver_tls_folder }}/root.csr' | ||
privatekey_path: '{{ pulp_webserver_tls_folder }}/root.key' | ||
common_name: '{{ pulp_webserver_httpd_servername }}' | ||
organization_name: Pulp | ||
country_name: US | ||
basic_constraints: 'CA:TRUE' | ||
|
||
- name: Generate CA certificate | ||
openssl_certificate: | ||
path: '{{ pulp_webserver_tls_folder }}/root.crt' | ||
csr_path: '{{ pulp_webserver_tls_folder }}/root.csr' | ||
privatekey_path: '{{ pulp_webserver_tls_folder }}/root.key' | ||
provider: selfsigned | ||
when: not __pulp_webserver_ca_cert.stat.exists | ||
|
||
- name: Look for webserver certificate | ||
stat: | ||
path: '{{ pulp_webserver_tls_folder }}/pulp_webserver.crt' | ||
get_attributes: false | ||
get_checksum: false | ||
get_mime: false | ||
register: __pulp_webserver_cert | ||
|
||
- name: Generate webserver certificate | ||
block: | ||
- name: Generate private keys | ||
openssl_privatekey: | ||
path: '{{ pulp_webserver_tls_folder }}/pulp_webserver.key' | ||
owner: root | ||
group: "{{ pulp_group }}" | ||
|
||
- name: Generate CSRs standalone | ||
openssl_csr: | ||
path: '{{ pulp_webserver_tls_folder }}/pulp_webserver.csr' | ||
privatekey_path: '{{ pulp_webserver_tls_folder }}/pulp_webserver.key' | ||
common_name: '{{ pulp_webserver_httpd_servername }}' | ||
subject_alt_name: 'DNS:{{ pulp_webserver_httpd_servername }}' | ||
key_usage: | ||
- keyEncipherment | ||
- dataEncipherment | ||
extended_key_usage: | ||
- serverAuth | ||
owner: root | ||
group: "{{ pulp_group }}" | ||
|
||
- name: Generate certificates | ||
openssl_certificate: | ||
path: '{{ pulp_webserver_tls_folder }}/pulp_webserver.crt' | ||
csr_path: '{{ pulp_webserver_tls_folder }}/pulp_webserver.csr' | ||
privatekey_path: '{{ pulp_webserver_tls_folder }}/pulp_webserver.key' | ||
provider: ownca | ||
ownca_path: '{{ pulp_webserver_tls_folder }}/root.crt' | ||
ownca_privatekey_path: '{{ pulp_webserver_tls_folder }}/root.key' | ||
ownca_not_after: '+824d' | ||
owner: root | ||
group: "{{ pulp_group }}" | ||
when: not __pulp_webserver_cert.stat.exists | ||
|
||
- name: Cleanup CSR files | ||
file: | ||
path: '{{ pulp_webserver_tls_folder }}/{{ item }}' | ||
state: absent | ||
loop: | ||
- root.csr | ||
- pulp_webserver.csr |
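Review bot: the leaf CSR's `key_usage` (keyEncipherment, dataEncipherment) omits digitalSignature, which an RSA server certificate needs for ECDHE cipher suites and for TLS 1.3, where the server authenticates by signing the handshake; strict clients will reject the certificate or negotiate non-forward-secret RSA key exchange. Add `- digitalSignature` to that list (and consider `key_usage_critical: true`). Three smaller points in the same file: both `when: not __pulp_webserver_*.stat.exists` guards test existence only, so an expired leaf is never renewed, and a missing root.crt is regenerated without re-signing an existing pulp_webserver.crt, leaving a leaf that no longer chains to the CA next to it; regenerate the leaf whenever the CA was (re)created. The CA CSR reuses `pulp_webserver_httpd_servername` as its common_name, so the leaf's issuer and subject are the same string; a distinct CN such as "Pulp CA" avoids confusing chain building and debugging. And the keys are created with owner root and group `{{ pulp_group }}` but no explicit mode, so make the intended permission explicit (0640 if the group has to read the key, otherwise drop the group).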
--- | ||
- name: Import specified TLS certificate | ||
copy: | ||
src: "{{ pulp_webserver_ssl_cert }}" | ||
dest: "{{ pulp_webserver_tls_folder }}/pulp_webserver.crt" | ||
owner: root | ||
group: "{{ pulp_group }}" | ||
mode: 0600 | ||
notify: reload {{ pulp_webserver_server }} | ||
|
||
- name: Import specified TLS private key | ||
copy: | ||
src: "{{ pulp_webserver_ssl_key }}" | ||
dest: "{{ pulp_webserver_tls_folder }}/pulp_webserver.key" | ||
owner: root | ||
group: "{{ pulp_group }}" | ||
mode: 0600 | ||
notify: reload {{ pulp_webserver_server }} |
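Review bot: both tasks combine `group: "{{ pulp_group }}"` with `mode: 0600`, which gives the group no access, so either the group is redundant or the key should be 0640 for a webserver that reads it as a non-root user; pick one, and let the certificate (which is public) differ deliberately, e.g. 0644. Also, `copy` with `src:` means `pulp_webserver_ssl_cert` and `pulp_webserver_ssl_key` must be file paths on the controller, not the PEM text that "specify the value of the certificate and the key" in the commit message suggests; document which, or accept inline PEM via `content:`. Lastly, nothing checks that the supplied key matches the certificate before `notify: reload {{ pulp_webserver_server }}` fires, so a mismatch surfaces only as a failed reload of the running webserver; compare the two (for instance the public key reported by openssl_certificate_info against openssl_privatekey_info) before notifying.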