pulp_webserver: Add support for TLS configuration

Enable HTTPS by default when deploying a new pulp server. One can either specify the value of the certificate and the key. Or, if none available, can have the installer generating them. Support has been added for both nginx and apache. fixes #6845 https://pulp.plan.io/issues/6845 fixes #6847 https://pulp.plan.io/issues/6847 Co-Authored-By: Matthias Dellweg <mdellweg@redhat.com>
pulp · Jul 24, 2020 · 83e9b68 · 83e9b68
1 parent 4425208
commit 83e9b68
Show file tree

Hide file tree

Showing 32 changed files with 329 additions and 29 deletions.
diff --git a/CHANGES/6845.feature b/CHANGES/6845.feature
@@ -0,0 +1,2 @@
+Allow an installer user to configure Pulp to run with TLS enabled using custom provided
+certificates.
diff --git a/CHANGES/6845.removal b/CHANGES/6845.removal
@@ -0,0 +1 @@
+Installations will have https enabled by default. Users need to configure their CONTENT_ORIGIN accordingly.
diff --git a/CHANGES/6847.feature b/CHANGES/6847.feature
@@ -0,0 +1 @@
+Allow an installer user to configure Pulp to run with TLS enabled using self-signed certificates.
diff --git a/docs/quickstart.md b/docs/quickstart.md
@@ -59,7 +59,7 @@ vim install.yml
   vars:
     pulp_settings:
       secret_key: << YOUR SECRET HERE >>
-      content_origin: "http://{{ ansible_fqdn }}"
+      content_origin: "https://{{ ansible_fqdn }}"
     pulp_default_admin_password: << YOUR PASSWORD HERE >>
     pulp_install_plugins:
       # galaxy-ng: {}

diff --git a/molecule/packages-static/group_vars/all b/molecule/packages-static/group_vars/all
@@ -6,5 +6,5 @@ pulp_install_plugins:
   pulp-file:
 pulp_settings:
   secret_key: secret
-  content_origin: "http://{{ ansible_fqdn }}"
+  content_origin: "https://{{ ansible_fqdn }}"
 pulp_pkg_repo: "https://fedorapeople.org/groups/katello/releases/yum/nightly/pulpcore/el{{ ansible_distribution_major_version }}/x86_64/"
diff --git a/molecule/packages-upgrade/group_vars/all b/molecule/packages-upgrade/group_vars/all
@@ -6,6 +6,6 @@ pulp_install_plugins:
   pulp-file:
 pulp_settings:
   secret_key: secret
-  content_origin: "http://{{ ansible_fqdn }}"
+  content_origin: "https://{{ ansible_fqdn }}"
 pulp_pkg_repo: "https://fedorapeople.org/groups/katello/releases/yum/nightly/pulpcore/el{{ ansible_distribution_major_version }}/x86_64/"
 pulp_pkg_upgrade_all: true
diff --git a/molecule/release-static/group_vars/all b/molecule/release-static/group_vars/all
@@ -15,4 +15,4 @@ pulp_install_plugins:
   pulp-rpm: {}
 pulp_settings:
   secret_key: secret
-  content_origin: "http://{{ ansible_fqdn }}"
+  content_origin: "https://{{ ansible_fqdn }}"
diff --git a/molecule/release-upgrade/group_vars/all b/molecule/release-upgrade/group_vars/all
@@ -8,4 +8,4 @@ pulp_install_plugins:
     upgrade: true
 pulp_settings:
   secret_key: secret
-  content_origin: "http://{{ ansible_fqdn }}"
+  content_origin: "https://{{ ansible_fqdn }}"
diff --git a/molecule/scenario_resources/Dockerfile.j2 b/molecule/scenario_resources/Dockerfile.j2
@@ -12,9 +12,9 @@ ENV container docker
 
 {% if item.name.startswith('centos-7') -%}
 
-RUN yum install -y epel-release ;\
-yum makecache fast ;\
-yum update -y ;\
+RUN yum install -y epel-release &&\
+yum makecache fast &&\
+yum update -y &&\
 yum install -y \
   bash \
   firewalld \
@@ -26,8 +26,8 @@ yum install -y \
   sudo \
   which \
   yum-plugin-ovl \
-  ;\
-sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf ;\
+  &&\
+sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf &&\
 yum clean all
 {% elif item.name.startswith('debian') -%}
 
@@ -58,11 +58,11 @@ systemctl enable firewalld
 # fedora or centos-8
 
 # Pulp requires CentOS 8.2 or later. 8.2 is currently CentOS Stream.
-RUN grep -v "CentOS" /etc/redhat-release || dnf install -y centos-release-stream epel-release ;\
-dnf makecache ;\
-grep -v "CentOS Linux release 8.1." /etc/redhat-release || dnf update -y ;\
-grep -v "CentOS Linux release 8.1." /etc/redhat-release || dnf install -y centos-release-stream ;\
-dnf update -y ;\
+RUN grep -v "CentOS" /etc/redhat-release || dnf install -y centos-release-stream epel-release &&\
+dnf makecache &&\
+grep -v "CentOS Linux release 8.1." /etc/redhat-release || dnf update -y &&\
+grep -v "CentOS Linux release 8.1." /etc/redhat-release || dnf install -y centos-release-stream &&\
+dnf update -y &&\
 dnf --assumeyes install \
   bash \
   firewalld \
@@ -77,7 +77,7 @@ dnf --assumeyes install \
   selinux-policy-targeted \
   sudo \
   which \
-  ;\
+  &&\
 dnf clean all
 {%- endif %}
 

diff --git a/molecule/scenario_resources/tests/test_default.rb b/molecule/scenario_resources/tests/test_default.rb
@@ -8,3 +8,34 @@
     it { should be_enabled }
   end
 end
+
+'pulpcore-webserver' do |webserver|
+  describe port(80) do
+    it { should be_listening }
+  end
+
+  describe port(443) do
+    it { should be_listening }
+  end
+
+  describe http('http://localhost/pulp/api/v3/status',
+                 ssl_verify: false) do
+      its('status') { should eq 301 }
+    end
+  end
+
+  describe http('http://localhost/pulp/api/v3/status',
+                 ssl_verify: false, max_redirects: 1) do
+      its('status') { should eq 200 }
+      its('body') { should match /database_connection/ }
+    end
+  end
+
+  describe http('https://localhost/pulp/api/v3/status',
+                 ssl_verify: false) do
+      its('status') { should eq 200 }
+      its('body') { should match /database_connection/ }
+    end
+  end
+
+end
diff --git a/molecule/source-static/group_vars/all b/molecule/source-static/group_vars/all
@@ -30,4 +30,4 @@ developer_user_home: /var/lib/pulp
 developer_user: pulp
 pulp_settings:
   secret_key: secret
-  content_origin: "http://{{ ansible_fqdn }}"
+  content_origin: "https://{{ ansible_fqdn }}"
diff --git a/molecule/source-upgrade/group_vars/all b/molecule/source-upgrade/group_vars/all
@@ -16,4 +16,4 @@ developer_user_home: /var/lib/pulp
 developer_user: pulp
 pulp_settings:
   secret_key: secret
-  content_origin: "http://{{ ansible_fqdn }}"
+  content_origin: "https://{{ ansible_fqdn }}"
diff --git a/playbooks/example-source/group_vars/all b/playbooks/example-source/group_vars/all
@@ -30,4 +30,4 @@ developer_user_home: /var/lib/pulp
 developer_user: pulp
 pulp_settings:
   secret_key: secret
-  content_origin: "http://{{ ansible_fqdn }}"
+  content_origin: "https://{{ ansible_fqdn }}"
diff --git a/playbooks/example-use/group_vars/all b/playbooks/example-use/group_vars/all
@@ -15,4 +15,4 @@ pulp_install_plugins:
   # pulp-rpm: {}
 pulp_settings:
   secret_key: secret
-  content_origin: "http://{{ ansible_fqdn }}"
+  content_origin: "https://{{ ansible_fqdn }}"
diff --git a/roles/pulp_rpm_prerequisites/README.md b/roles/pulp_rpm_prerequisites/README.md
@@ -21,7 +21,7 @@ Here's an example playbook for using pulp_rpm_prerequisites as part of pulp_inst
         pulp_default_admin_password: << YOUR PASSWORD HERE >>
         pulp_settings:
           secret_key: << YOUR SECRET HERE >>
-          content_origin: "http://{{ ansible_fqdn }}"
+          content_origin: "https://{{ ansible_fqdn }}"
         pulp_install_plugins:
           pulp-rpm: {} #no need to set subvar prereq_role for pulp_rpm specifically
       roles:

diff --git a/roles/pulp_services/README.md b/roles/pulp_services/README.md
@@ -49,7 +49,7 @@ Here's an example playbook for using pulp_services in pulp_installer. It assumes
         pulp_default_admin_password: << YOUR PASSWORD FOR THE PULP APPLICATION HERE >>
         pulp_settings:
           secret_key: << YOUR SECRET HERE >>
-          content_origin: "http://webserver1.fqdn"
+          content_origin: "https://webserver1.fqdn"
           redis_host: redis1
           redis_port: 6380
           redis_password: << YOUR REDIS PASSWORD HERE >>

diff --git a/roles/pulp_webserver/README.md b/roles/pulp_webserver/README.md
@@ -6,6 +6,9 @@ Install, configure, start, and enable a web server.
 Currently, Nginx and Apache are supported. They are configured as a reverse proxy to the pulpcore-api
 and pulpcore-content Gunicorn processes.
 
+By default TLS will be enabled (with self-signed certificates if none are provided). An automatic
+redirect from http to https will take place.
+
 
 Variables
 ---------
@@ -14,6 +17,15 @@ Variables
   'nginx'.
 * `pulp_configure_firewall` Install and configure a firewall. Valid values are 'auto', 'firewalld',
   and 'none'. Defaults to 'auto' (which is the same as 'firewalld', but may change in the future).
+* `pulp_webserver_disable_https`: Whether or not HTTPS should be disabled. Defaults to `false`.
+* `pulp_webserver_tls_folder`: Path where to generate or drop the certificates. Defaults to
+  `pulp_config_dir`.
+* `pulp_webserver_httpd_servername`: Servername to use when deploying httpd. Defaults to
+  `ansible_fqdn`.
+* `pulp_webserver_ssl_cert`: Relative or absolute path to the TLS certificate one wants to
+   import.
+* `pulp_webserver_ssl_key`: Relative or absolute path to the TLS key one wants to
+   import.
 
 Plugin Webserver Configs
 ------------------------

diff --git a/roles/pulp_webserver/defaults/main.yml b/roles/pulp_webserver/defaults/main.yml
@@ -4,3 +4,7 @@ pulp_content_bind: '127.0.0.1:24816'
 pulp_api_bind: '127.0.0.1:24817'
 pulp_configure_firewall: auto
 pulp_user_home: '/var/lib/pulp'
+
+pulp_webserver_disable_https: false
+pulp_webserver_tls_folder: '{{ pulp_config_dir }}'
+pulp_webserver_httpd_servername: '{{ ansible_fqdn }}'
diff --git a/roles/pulp_webserver/handlers/main.yml b/roles/pulp_webserver/handlers/main.yml
@@ -6,9 +6,13 @@
     daemon_reload: true
   become: true
 
-- name: reload Apache
+- name: reload apache
   systemd:
     name: "{{ pulp_webserver_apache_service }}"
     state: reloaded
     daemon_reload: true
   become: true
+
+- name: update ca trust
+  command: "{{ pulp_webserver_trusted_root_certificates_update_bin }}"
+  become: true
diff --git a/roles/pulp_webserver/tasks/apache.yml b/roles/pulp_webserver/tasks/apache.yml
@@ -10,7 +10,7 @@
       template:
         src: pulp-vhost.conf.j2
         dest: "{{ pulp_webserver_apache_vhost_dir }}/pulp-vhost.conf"
-      notify: reload Apache
+      notify: reload apache
 
     - name: Enable Apache vhost files and mod files
       file:
@@ -23,7 +23,7 @@
         - src: ../mods-available/proxy.load
           dest: /etc/apache2/mods-enabled/proxy.load
       when: ansible_os_family == "Debian"
-      notify: reload Apache
+      notify: reload apache
 
     - name: Create directory for Pulp Apache snippets
       file:
@@ -41,7 +41,7 @@
         state: link
       loop: '{{ snippets.results }}'
       when: item.rc == 0
-      notify: reload Apache
+      notify: reload apache
 
     - name: Start and enable Apache
       systemd:

diff --git a/roles/pulp_webserver/tasks/firewalld.yml b/roles/pulp_webserver/tasks/firewalld.yml
@@ -19,4 +19,12 @@
         immediate: true
         state: enabled
 
+    - name: Accept connections on port 443
+      firewalld:
+        service: https
+        permanent: true
+        immediate: true
+        state: enabled
+      when: not pulp_webserver_disable_https | bool
+
   become: true
diff --git a/roles/pulp_webserver/tasks/generate_tls_certificates.yml b/roles/pulp_webserver/tasks/generate_tls_certificates.yml
@@ -0,0 +1,87 @@
+---
+- name: Ensure python-cryptography is installed
+  package:
+    name: '{{ pulp_webserver_python_cryptography }}'
+  become: true
+
+- name: Look for CA certificate
+  stat:
+    path: '{{ pulp_webserver_tls_folder }}/root.crt'
+    get_attributes: false
+    get_checksum: false
+    get_mime: false
+  register: __pulp_webserver_ca_cert
+
+- name: Generate CA
+  block:
+    - name: Generate CA key
+      openssl_privatekey:
+        path: '{{ pulp_webserver_tls_folder }}/root.key'
+
+    - name: Generate CA CSR
+      openssl_csr:
+        path: '{{ pulp_webserver_tls_folder }}/root.csr'
+        privatekey_path: '{{ pulp_webserver_tls_folder }}/root.key'
+        common_name: '{{ pulp_webserver_httpd_servername }}'
+        organization_name: Pulp
+        country_name: US
+        basic_constraints: 'CA:TRUE'
+
+    - name: Generate CA certificate
+      openssl_certificate:
+        path: '{{ pulp_webserver_tls_folder }}/root.crt'
+        csr_path: '{{ pulp_webserver_tls_folder }}/root.csr'
+        privatekey_path: '{{ pulp_webserver_tls_folder }}/root.key'
+        provider: selfsigned
+  when: not __pulp_webserver_ca_cert.stat.exists
+
+- name: Look for webserver certificate
+  stat:
+    path: '{{ pulp_webserver_tls_folder }}/pulp_webserver.crt'
+    get_attributes: false
+    get_checksum: false
+    get_mime: false
+  register: __pulp_webserver_cert
+
+- name: Generate webserver certificate
+  block:
+    - name: Generate private keys
+      openssl_privatekey:
+        path: '{{ pulp_webserver_tls_folder }}/pulp_webserver.key'
+        owner: root
+        group: "{{ pulp_group }}"
+
+    - name: Generate CSRs standalone
+      openssl_csr:
+        path: '{{ pulp_webserver_tls_folder }}/pulp_webserver.csr'
+        privatekey_path: '{{ pulp_webserver_tls_folder }}/pulp_webserver.key'
+        common_name: '{{ pulp_webserver_httpd_servername }}'
+        subject_alt_name: 'DNS:{{ pulp_webserver_httpd_servername }}'
+        key_usage:
+          - keyEncipherment
+          - dataEncipherment
+        extended_key_usage:
+          - serverAuth
+        owner: root
+        group: "{{ pulp_group }}"
+
+    - name: Generate certificates
+      openssl_certificate:
+        path: '{{ pulp_webserver_tls_folder }}/pulp_webserver.crt'
+        csr_path: '{{ pulp_webserver_tls_folder }}/pulp_webserver.csr'
+        privatekey_path: '{{ pulp_webserver_tls_folder }}/pulp_webserver.key'
+        provider: ownca
+        ownca_path: '{{ pulp_webserver_tls_folder }}/root.crt'
+        ownca_privatekey_path: '{{ pulp_webserver_tls_folder }}/root.key'
+        ownca_not_after: '+824d'
+        owner: root
+        group: "{{ pulp_group }}"
+  when: not __pulp_webserver_cert.stat.exists
+
+- name: Cleanup CSR files
+  file:
+    path: '{{ pulp_webserver_tls_folder }}/{{ item }}'
+    state: absent
+  loop:
+    - root.csr
+    - pulp_webserver.csr
diff --git a/roles/pulp_webserver/tasks/import_certificates.yml b/roles/pulp_webserver/tasks/import_certificates.yml
@@ -0,0 +1,18 @@
+---
+- name: Import specified TLS certificate
+  copy:
+    src: "{{ pulp_webserver_ssl_cert }}"
+    dest: "{{ pulp_webserver_tls_folder }}/pulp_webserver.crt"
+    owner: root
+    group: "{{ pulp_group }}"
+    mode: 0600
+  notify: reload {{ pulp_webserver_server }}
+
+- name: Import specified TLS private key
+  copy:
+    src: "{{ pulp_webserver_ssl_key }}"
+    dest: "{{ pulp_webserver_tls_folder }}/pulp_webserver.key"
+    owner: root
+    group: "{{ pulp_group }}"
+    mode: 0600
+  notify: reload {{ pulp_webserver_server }}