From 61c757578f73760211f3d9f5092fc2f94e7b769d Mon Sep 17 00:00:00 2001 From: Alex-Welsh Date: Tue, 29 Nov 2022 15:09:11 +0000 Subject: [PATCH 1/6] Swapping cert/key for rbac username/password --- etc/kayobe/pulp.yml | 65 +++++++++++++++++++++------------------------ 1 file changed, 30 insertions(+), 35 deletions(-) diff --git a/etc/kayobe/pulp.yml b/etc/kayobe/pulp.yml index 41cd600d4..55d0e0384 100644 --- a/etc/kayobe/pulp.yml +++ b/etc/kayobe/pulp.yml @@ -23,11 +23,6 @@ stackhpc_release_pulp_url: "https://ark.stackhpc.com" stackhpc_release_pulp_username: stackhpc_release_pulp_password: -# Client certificates used to access StackHPC Ark repositories. -# They are trusted by the 'release' cert guard's CA. -stackhpc_release_pulp_client_cert: "{{ lookup('file', kayobe_config_path ~ '/ansible/certs/ark.stackhpc.com/client-cert.pem') | trim }}" -stackhpc_release_pulp_client_key: "{{ lookup('file', kayobe_config_path ~ '/ansible/certs/ark.stackhpc.com/client-key.pem') | trim }}" - # Content URL of the StackHPC Pulp service. stackhpc_release_pulp_content_url: "{{ stackhpc_release_pulp_url }}/pulp/content" @@ -44,8 +39,8 @@ stackhpc_pulp_repository_deb_repos: # Base Ubuntu Focal repositories - name: Ubuntu focal url: "{{ stackhpc_release_pulp_content_url }}/ubuntu/focal/{{ stackhpc_pulp_repo_ubuntu_focal_version }}" - client_cert: "{{ stackhpc_release_pulp_client_cert }}" - client_key: "{{ stackhpc_release_pulp_client_key }}" + remote_username: "{{ stackhpc_release_pulp_username }}" + remote_password: "{{ stackhpc_release_pulp_password }}" policy: on_demand proxy_url: "{{ pulp_proxy_url }}" architectures: amd64 @@ -57,8 +52,8 @@ stackhpc_pulp_repository_deb_repos: - name: Ubuntu focal security url: "{{ stackhpc_release_pulp_content_url }}/ubuntu/focal-security/{{ stackhpc_pulp_repo_ubuntu_focal_security_version }}" - client_cert: "{{ stackhpc_release_pulp_client_cert }}" - client_key: "{{ stackhpc_release_pulp_client_key }}" + remote_username: "{{ stackhpc_release_pulp_username }}" + remote_password: "{{ stackhpc_release_pulp_password }}" policy: on_demand proxy_url: "{{ pulp_proxy_url }}" architectures: amd64 @@ -71,8 +66,8 @@ stackhpc_pulp_repository_deb_repos: # Ubuntu Cloud Archive (UCA) repositories - name: Ubuntu Cloud Archive url: "{{ stackhpc_release_pulp_content_url }}/ubuntu-cloud-archive/{{ stackhpc_pulp_repo_ubuntu_cloud_archive_version }}" - client_cert: "{{ stackhpc_release_pulp_client_cert }}" - client_key: "{{ stackhpc_release_pulp_client_key }}" + remote_username: "{{ stackhpc_release_pulp_username }}" + remote_password: "{{ stackhpc_release_pulp_password }}" policy: on_demand proxy_url: "{{ pulp_proxy_url }}" architectures: amd64 @@ -85,8 +80,8 @@ stackhpc_pulp_repository_deb_repos: # Third-party repositories - name: Docker CE for Ubuntu url: "{{ stackhpc_release_pulp_content_url }}/docker-ce/ubuntu/{{ stackhpc_pulp_repo_docker_ce_ubuntu_version }}" - client_cert: "{{ stackhpc_release_pulp_client_cert }}" - client_key: "{{ stackhpc_release_pulp_client_key }}" + remote_username: "{{ stackhpc_release_pulp_username }}" + remote_password: "{{ stackhpc_release_pulp_password }}" policy: on_demand proxy_url: "{{ pulp_proxy_url }}" architectures: amd64 @@ -193,8 +188,8 @@ stackhpc_pulp_repository_rpm_repos: # Base CentOS 8 Stream repositories - name: CentOS Stream 8 - AppStream url: "{{ stackhpc_release_pulp_content_url }}/centos/8-stream/AppStream/x86_64/os/{{ stackhpc_pulp_repo_centos_stream_8_appstream_version }}" - client_cert: "{{ stackhpc_release_pulp_client_cert }}" - client_key: "{{ stackhpc_release_pulp_client_key }}" + remote_username: "{{ stackhpc_release_pulp_username }}" + remote_password: "{{ stackhpc_release_pulp_password }}" policy: on_demand proxy_url: "{{ pulp_proxy_url }}" sync_policy: mirror_complete @@ -202,8 +197,8 @@ stackhpc_pulp_repository_rpm_repos: required: "{{ stackhpc_pulp_sync_centos_stream8 | bool }}" - name: CentOS Stream 8 - BaseOS url: "{{ stackhpc_release_pulp_content_url }}/centos/8-stream/BaseOS/x86_64/os/{{ stackhpc_pulp_repo_centos_stream_8_baseos_version }}" - client_cert: "{{ stackhpc_release_pulp_client_cert }}" - client_key: "{{ stackhpc_release_pulp_client_key }}" + remote_username: "{{ stackhpc_release_pulp_username }}" + remote_password: "{{ stackhpc_release_pulp_password }}" policy: on_demand proxy_url: "{{ pulp_proxy_url }}" sync_policy: mirror_complete @@ -211,8 +206,8 @@ stackhpc_pulp_repository_rpm_repos: required: "{{ stackhpc_pulp_sync_centos_stream8 | bool }}" - name: CentOS Stream 8 - Extras url: "{{ stackhpc_release_pulp_content_url }}/centos/8-stream/extras/x86_64/os/{{ stackhpc_pulp_repo_centos_stream_8_extras_version }}" - client_cert: "{{ stackhpc_release_pulp_client_cert }}" - client_key: "{{ stackhpc_release_pulp_client_key }}" + remote_username: "{{ stackhpc_release_pulp_username }}" + remote_password: "{{ stackhpc_release_pulp_password }}" policy: on_demand proxy_url: "{{ pulp_proxy_url }}" sync_policy: mirror_complete @@ -222,40 +217,40 @@ stackhpc_pulp_repository_rpm_repos: # Base Rocky 8 repositories - name: Rocky Linux 8 - AppStream url: "{{ stackhpc_release_pulp_content_url }}/rocky/8.{{ stackhpc_pulp_repo_rocky_8_minor_version }}/AppStream/x86_64/os/{{ stackhpc_pulp_repo_rocky_8_appstream_version }}" - client_cert: "{{ stackhpc_release_pulp_client_cert }}" - client_key: "{{ stackhpc_release_pulp_client_key }}" + remote_username: "{{ stackhpc_release_pulp_username }}" + remote_password: "{{ stackhpc_release_pulp_password }}" policy: on_demand sync_policy: mirror_complete state: present required: "{{ stackhpc_pulp_sync_rocky_8 | bool }}" - name: Rocky Linux 8 - BaseOS url: "{{ stackhpc_release_pulp_content_url }}/rocky/8.{{ stackhpc_pulp_repo_rocky_8_minor_version }}/BaseOS/x86_64/os/{{ stackhpc_pulp_repo_rocky_8_baseos_version }}" - client_cert: "{{ stackhpc_release_pulp_client_cert }}" - client_key: "{{ stackhpc_release_pulp_client_key }}" + remote_username: "{{ stackhpc_release_pulp_username }}" + remote_password: "{{ stackhpc_release_pulp_password }}" policy: on_demand sync_policy: mirror_complete state: present required: "{{ stackhpc_pulp_sync_rocky_8 | bool }}" - name: Rocky Linux 8 - Extras url: "{{ stackhpc_release_pulp_content_url }}/rocky/8.{{ stackhpc_pulp_repo_rocky_8_minor_version }}/extras/x86_64/os/{{ stackhpc_pulp_repo_rocky_8_extras_version }}" - client_cert: "{{ stackhpc_release_pulp_client_cert }}" - client_key: "{{ stackhpc_release_pulp_client_key }}" + remote_username: "{{ stackhpc_release_pulp_username }}" + remote_password: "{{ stackhpc_release_pulp_password }}" policy: on_demand sync_policy: mirror_complete state: present required: "{{ stackhpc_pulp_sync_rocky_8 | bool }}" - name: Rocky Linux 8 - NFV url: "{{ stackhpc_release_pulp_content_url }}/rocky/8.{{ stackhpc_pulp_repo_rocky_8_minor_version }}/nfv/x86_64/os/{{ stackhpc_pulp_repo_rocky_8_nfv_version }}" - client_cert: "{{ stackhpc_release_pulp_client_cert }}" - client_key: "{{ stackhpc_release_pulp_client_key }}" + remote_username: "{{ stackhpc_release_pulp_username }}" + remote_password: "{{ stackhpc_release_pulp_password }}" policy: on_demand sync_policy: mirror_complete state: present required: "{{ stackhpc_pulp_sync_rocky_8 | bool }}" - name: Rocky Linux 8 - PowerTools url: "{{ stackhpc_release_pulp_content_url }}/rocky/8.{{ stackhpc_pulp_repo_rocky_8_minor_version }}/PowerTools/x86_64/os/{{ stackhpc_pulp_repo_rocky_8_6_powertools_version }}" - client_cert: "{{ stackhpc_release_pulp_client_cert }}" - client_key: "{{ stackhpc_release_pulp_client_key }}" + remote_username: "{{ stackhpc_release_pulp_username }}" + remote_password: "{{ stackhpc_release_pulp_password }}" policy: on_demand sync_policy: mirror_complete state: present @@ -264,8 +259,8 @@ stackhpc_pulp_repository_rpm_repos: # EPEL repositories - name: Extra Packages for Enterprise Linux 8 - x86_64 url: "{{ stackhpc_release_pulp_content_url }}/epel/8/Everything/x86_64/{{ stackhpc_pulp_repo_epel_version }}" - client_cert: "{{ stackhpc_release_pulp_client_cert }}" - client_key: "{{ stackhpc_release_pulp_client_key }}" + remote_username: "{{ stackhpc_release_pulp_username }}" + remote_password: "{{ stackhpc_release_pulp_password }}" policy: on_demand proxy_url: "{{ pulp_proxy_url }}" sync_policy: mirror_content_only @@ -273,8 +268,8 @@ stackhpc_pulp_repository_rpm_repos: required: "{{ stackhpc_pulp_sync_el_8 | bool }}" - name: Extra Packages for Enterprise Linux Modular 8 - x86_64 url: "{{ stackhpc_release_pulp_content_url }}/epel/8/Modular/x86_64/{{ stackhpc_pulp_repo_epel_modular_version }}" - client_cert: "{{ stackhpc_release_pulp_client_cert }}" - client_key: "{{ stackhpc_release_pulp_client_key }}" + remote_username: "{{ stackhpc_release_pulp_username }}" + remote_password: "{{ stackhpc_release_pulp_password }}" policy: on_demand proxy_url: "{{ pulp_proxy_url }}" sync_policy: mirror_complete @@ -284,8 +279,8 @@ stackhpc_pulp_repository_rpm_repos: # Third-party repositories - name: Docker CE for CentOS 8 url: "{{ stackhpc_release_pulp_content_url }}/docker-ce/centos/8/x86_64/stable/{{ stackhpc_pulp_repo_docker_version }}" - client_cert: "{{ stackhpc_release_pulp_client_cert }}" - client_key: "{{ stackhpc_release_pulp_client_key }}" + remote_username: "{{ stackhpc_release_pulp_username }}" + remote_password: "{{ stackhpc_release_pulp_password }}" policy: on_demand proxy_url: "{{ pulp_proxy_url }}" sync_policy: mirror_complete From db726a291614fc45021aed443abae6ee76628913 Mon Sep 17 00:00:00 2001 From: Alex-Welsh Date: Tue, 29 Nov 2022 15:09:11 +0000 Subject: [PATCH 2/6] Updating requirements --- etc/kayobe/ansible/requirements.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/etc/kayobe/ansible/requirements.yml b/etc/kayobe/ansible/requirements.yml index bd4d27e3f..c123d02f2 100644 --- a/etc/kayobe/ansible/requirements.yml +++ b/etc/kayobe/ansible/requirements.yml @@ -2,7 +2,13 @@ collections: - name: stackhpc.cephadm version: 1.10.0 - - name: stackhpc.pulp - version: 0.3.0 + - name: https://github.com/stackhpc/ansible-collection-pulp + version: api-update + type: git + - name: https://github.com/stackhpc/squeezer + type: git + version: rbac-utils + - name: community.crypto + version: 2.0.2 roles: - src: stackhpc.vxlan From 8ffde15b301aa4401b3e01ce061288b99d48401d Mon Sep 17 00:00:00 2001 From: Alex-Welsh Date: Tue, 29 Nov 2022 15:27:14 +0000 Subject: [PATCH 3/6] Removing certificate references from docs --- doc/source/configuration/release-train.rst | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/doc/source/configuration/release-train.rst b/doc/source/configuration/release-train.rst index 9df55e232..599db3fbd 100644 --- a/doc/source/configuration/release-train.rst +++ b/doc/source/configuration/release-train.rst @@ -7,7 +7,7 @@ StackHPC provides packages and container images for OpenStack via `Ark Deployments should use a local `Pulp `__ repository server to synchronise content from Ark and serve it locally. Access to the -repositories on Ark is controlled via X.509 certificates issued by StackHPC. +repositories on Ark is controlled via user accounts issued by StackHPC. This configuration is a base, and should be merged with any existing Kayobe configuration. It currently provides the following: @@ -50,11 +50,6 @@ password: stackhpc_release_pulp_username: stackhpc_release_pulp_password: -The client certificate and private key issued by StackHPC should be stored in -``etc/kayobe/ansible/certs/ark.stackhpc.com/client-cert.pem`` and -``etc/kayobe/ansible/certs/ark.stackhpc.com/client-key.pem``, respectively, -with the private key encrypted via Ansible Vault. - The distribution name for the environment should be configured as either ``development`` or ``production`` via ``stackhpc_repo_distribution`` in ``etc/kayobe/stackhpc.yml``. From a8b6c08176a1d10e480f12d37768ae6abf34ea47 Mon Sep 17 00:00:00 2001 From: Alex-Welsh Date: Thu, 1 Dec 2022 10:52:11 +0000 Subject: [PATCH 4/6] Updating requirements --- etc/kayobe/ansible/requirements.yml | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/etc/kayobe/ansible/requirements.yml b/etc/kayobe/ansible/requirements.yml index c123d02f2..2719979b3 100644 --- a/etc/kayobe/ansible/requirements.yml +++ b/etc/kayobe/ansible/requirements.yml @@ -2,12 +2,8 @@ collections: - name: stackhpc.cephadm version: 1.10.0 - - name: https://github.com/stackhpc/ansible-collection-pulp - version: api-update - type: git - - name: https://github.com/stackhpc/squeezer - type: git - version: rbac-utils + - name: stackhpc.pulp + version: 0.4.0 - name: community.crypto version: 2.0.2 roles: From 676d612424f83c867595317442769a3e0f264a20 Mon Sep 17 00:00:00 2001 From: Alex-Welsh Date: Thu, 1 Dec 2022 15:08:09 +0000 Subject: [PATCH 5/6] Updating release train docs and deleting certs --- doc/source/configuration/release-train.rst | 27 +++++++++++++++++++ .../certs/ark.stackhpc.com/client-cert.pem | 0 .../certs/ark.stackhpc.com/client-key.pem | 0 etc/kayobe/ansible/requirements.yml | 2 -- 4 files changed, 27 insertions(+), 2 deletions(-) delete mode 100644 etc/kayobe/ansible/certs/ark.stackhpc.com/client-cert.pem delete mode 100644 etc/kayobe/ansible/certs/ark.stackhpc.com/client-key.pem diff --git a/doc/source/configuration/release-train.rst b/doc/source/configuration/release-train.rst index 599db3fbd..cf82e2689 100644 --- a/doc/source/configuration/release-train.rst +++ b/doc/source/configuration/release-train.rst @@ -148,3 +148,30 @@ with the push repository using the pulp CLI: (venv-pulp) [stack@seed ~]$ pulp --base-url http://:8080--username admin --password container distribution destroy --name stackhpc/centos-source-prometheus-jiralert Started background task /pulp/api/v3/tasks/1f0a474a-b7c0-44b4-9ef4-ed633077f4d8/ .Done. + +HTTP Error 404: Not Found +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +If your login credentials are incorrect, or lack the required permissions, +you will see a 404 error during ``pulp-repo-sync.yml``: + +.. code-block:: console + + TASK [stackhpc.pulp.pulp_repository : Sync RPM remotes into repositories] **************************************************************************************************************************************** + An exception occurred during task execution. To see the full traceback, use -vvv. The error was: Exception: Task failed to complete. (failed; 404, message='Not Found', url=URL('https://ark.stackhpc.com/pulp/content/centos/8-stream/BaseOS/x86_64/os/20211122T102435')) + failed: [localhost] (item=centos-stream-8-baseos-development) => changed=false + ansible_loop_var: item + item: + name: centos-stream-8-baseos-development + policy: on_demand + proxy_url: __omit_place_holder__d35452c39719f081229941a64fd2cdce1188a287 + remote_password: + remote_username: + required: true + state: present + sync_policy: mirror_complete + url: https://ark.stackhpc.com/pulp/content/centos/8-stream/BaseOS/x86_64/os/20211122T102435 + msg: Task failed to complete. (failed; 404, message='Not Found', url=URL('https://ark.stackhpc.com/pulp/content/centos/8-stream/BaseOS/x86_64/os/20211122T102435')) ''' + +The issue can be rectified by updating the ``stackhpc_release_pulp_username`` +and ``stackhpc_release_pulp_password`` variables diff --git a/etc/kayobe/ansible/certs/ark.stackhpc.com/client-cert.pem b/etc/kayobe/ansible/certs/ark.stackhpc.com/client-cert.pem deleted file mode 100644 index e69de29bb..000000000 diff --git a/etc/kayobe/ansible/certs/ark.stackhpc.com/client-key.pem b/etc/kayobe/ansible/certs/ark.stackhpc.com/client-key.pem deleted file mode 100644 index e69de29bb..000000000 diff --git a/etc/kayobe/ansible/requirements.yml b/etc/kayobe/ansible/requirements.yml index 2719979b3..7f14e1e6d 100644 --- a/etc/kayobe/ansible/requirements.yml +++ b/etc/kayobe/ansible/requirements.yml @@ -4,7 +4,5 @@ collections: version: 1.10.0 - name: stackhpc.pulp version: 0.4.0 - - name: community.crypto - version: 2.0.2 roles: - src: stackhpc.vxlan From bbf7493b7bb6c8a7a00c9a58649da57f8f60738e Mon Sep 17 00:00:00 2001 From: Alex-Welsh Date: Mon, 5 Dec 2022 13:27:16 +0000 Subject: [PATCH 6/6] Updating requirements, adjusting docs --- doc/source/configuration/release-train.rst | 5 ++--- etc/kayobe/ansible/requirements.yml | 2 +- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/doc/source/configuration/release-train.rst b/doc/source/configuration/release-train.rst index cf82e2689..20b43d674 100644 --- a/doc/source/configuration/release-train.rst +++ b/doc/source/configuration/release-train.rst @@ -41,9 +41,8 @@ Pulp startup. StackHPC Ark ------------ -The container image registry credentials issued by StackHPC should be -configured in ``etc/kayobe/pulp.yml``, using Ansible Vault to encrypt the -password: +The Ark pulp credentials issued by StackHPC should be configured in +``etc/kayobe/pulp.yml``, using Ansible Vault to encrypt the password: .. code-block:: yaml diff --git a/etc/kayobe/ansible/requirements.yml b/etc/kayobe/ansible/requirements.yml index 7f14e1e6d..77aaa9f99 100644 --- a/etc/kayobe/ansible/requirements.yml +++ b/etc/kayobe/ansible/requirements.yml @@ -3,6 +3,6 @@ collections: - name: stackhpc.cephadm version: 1.10.0 - name: stackhpc.pulp - version: 0.4.0 + version: 0.4.1 roles: - src: stackhpc.vxlan