Skip to content

Switch from certificates to RBAC #262

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 6 commits into from
Dec 7, 2022
Merged

Switch from certificates to RBAC #262

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
61c7575
Swapping cert/key for rbac username/password
Alex-Welsh Nov 29, 2022
db726a2
Updating requirements
Alex-Welsh Nov 29, 2022
8ffde15
Removing certificate references from docs
Alex-Welsh Nov 29, 2022
a8b6c08
Updating requirements
Alex-Welsh Dec 1, 2022
676d612
Updating release train docs and deleting certs
Alex-Welsh Dec 1, 2022
bbf7493
Updating requirements, adjusting docs
Alex-Welsh Dec 5, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
39 changes: 30 additions & 9 deletions doc/source/configuration/release-train.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ StackHPC provides packages and container images for OpenStack via `Ark

Deployments should use a local `Pulp <https://pulpproject.org/>`__ repository
server to synchronise content from Ark and serve it locally. Access to the
repositories on Ark is controlled via X.509 certificates issued by StackHPC.
repositories on Ark is controlled via user accounts issued by StackHPC.

This configuration is a base, and should be merged with any existing Kayobe
configuration. It currently provides the following:
Expand Down Expand Up @@ -41,20 +41,14 @@ Pulp startup.
StackHPC Ark
------------

The container image registry credentials issued by StackHPC should be
configured in ``etc/kayobe/pulp.yml``, using Ansible Vault to encrypt the
password:
The Ark pulp credentials issued by StackHPC should be configured in
``etc/kayobe/pulp.yml``, using Ansible Vault to encrypt the password:

.. code-block:: yaml

stackhpc_release_pulp_username: <username>
stackhpc_release_pulp_password: <password>

The client certificate and private key issued by StackHPC should be stored in
``etc/kayobe/ansible/certs/ark.stackhpc.com/client-cert.pem`` and
``etc/kayobe/ansible/certs/ark.stackhpc.com/client-key.pem``, respectively,
with the private key encrypted via Ansible Vault.

The distribution name for the environment should be configured as either
``development`` or ``production`` via ``stackhpc_repo_distribution`` in
``etc/kayobe/stackhpc.yml``.
Expand Down Expand Up @@ -153,3 +147,30 @@ with the push repository using the pulp CLI:
(venv-pulp) [stack@seed ~]$ pulp --base-url http://<pulp server>:8080--username admin --password <password> container distribution destroy --name stackhpc/centos-source-prometheus-jiralert
Started background task /pulp/api/v3/tasks/1f0a474a-b7c0-44b4-9ef4-ed633077f4d8/
.Done.

HTTP Error 404: Not Found
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If your login credentials are incorrect, or lack the required permissions,
you will see a 404 error during ``pulp-repo-sync.yml``:

.. code-block:: console

TASK [stackhpc.pulp.pulp_repository : Sync RPM remotes into repositories] ****************************************************************************************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: Exception: Task failed to complete. (failed; 404, message='Not Found', url=URL('https://ark.stackhpc.com/pulp/content/centos/8-stream/BaseOS/x86_64/os/20211122T102435'))
failed: [localhost] (item=centos-stream-8-baseos-development) => changed=false
ansible_loop_var: item
item:
name: centos-stream-8-baseos-development
policy: on_demand
proxy_url: __omit_place_holder__d35452c39719f081229941a64fd2cdce1188a287
remote_password: <password>
remote_username: <username>
required: true
state: present
sync_policy: mirror_complete
url: https://ark.stackhpc.com/pulp/content/centos/8-stream/BaseOS/x86_64/os/20211122T102435
msg: Task failed to complete. (failed; 404, message='Not Found', url=URL('https://ark.stackhpc.com/pulp/content/centos/8-stream/BaseOS/x86_64/os/20211122T102435')) '''

The issue can be rectified by updating the ``stackhpc_release_pulp_username``
and ``stackhpc_release_pulp_password`` variables
Empty file removed etc/kayobe/ansible/certs/ark.stackhpc.com/client-cert.pem
View file
Open in desktop
Empty file.
Empty file removed etc/kayobe/ansible/certs/ark.stackhpc.com/client-key.pem
View file
Open in desktop
Empty file.
2 changes: 1 addition & 1 deletion etc/kayobe/ansible/requirements.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,6 @@ collections:
- name: stackhpc.cephadm
version: 1.10.0
- name: stackhpc.pulp
version: 0.3.0
version: 0.4.1
roles:
- src: stackhpc.vxlan
65 changes: 30 additions & 35 deletions etc/kayobe/pulp.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,11 +23,6 @@ stackhpc_release_pulp_url: "https://ark.stackhpc.com"
stackhpc_release_pulp_username:
stackhpc_release_pulp_password:

# Client certificates used to access StackHPC Ark repositories.
# They are trusted by the 'release' cert guard's CA.
stackhpc_release_pulp_client_cert: "{{ lookup('file', kayobe_config_path ~ '/ansible/certs/ark.stackhpc.com/client-cert.pem') | trim }}"
stackhpc_release_pulp_client_key: "{{ lookup('file', kayobe_config_path ~ '/ansible/certs/ark.stackhpc.com/client-key.pem') | trim }}"

# Content URL of the StackHPC Pulp service.
stackhpc_release_pulp_content_url: "{{ stackhpc_release_pulp_url }}/pulp/content"

Expand All @@ -44,8 +39,8 @@ stackhpc_pulp_repository_deb_repos:
# Base Ubuntu Focal repositories
- name: Ubuntu focal
url: "{{ stackhpc_release_pulp_content_url }}/ubuntu/focal/{{ stackhpc_pulp_repo_ubuntu_focal_version }}"
client_cert: "{{ stackhpc_release_pulp_client_cert }}"
client_key: "{{ stackhpc_release_pulp_client_key }}"
remote_username: "{{ stackhpc_release_pulp_username }}"
remote_password: "{{ stackhpc_release_pulp_password }}"
policy: on_demand
proxy_url: "{{ pulp_proxy_url }}"
architectures: amd64
Expand All @@ -57,8 +52,8 @@ stackhpc_pulp_repository_deb_repos:

- name: Ubuntu focal security
url: "{{ stackhpc_release_pulp_content_url }}/ubuntu/focal-security/{{ stackhpc_pulp_repo_ubuntu_focal_security_version }}"
client_cert: "{{ stackhpc_release_pulp_client_cert }}"
client_key: "{{ stackhpc_release_pulp_client_key }}"
remote_username: "{{ stackhpc_release_pulp_username }}"
remote_password: "{{ stackhpc_release_pulp_password }}"
policy: on_demand
proxy_url: "{{ pulp_proxy_url }}"
architectures: amd64
Expand All @@ -71,8 +66,8 @@ stackhpc_pulp_repository_deb_repos:
# Ubuntu Cloud Archive (UCA) repositories
- name: Ubuntu Cloud Archive
url: "{{ stackhpc_release_pulp_content_url }}/ubuntu-cloud-archive/{{ stackhpc_pulp_repo_ubuntu_cloud_archive_version }}"
client_cert: "{{ stackhpc_release_pulp_client_cert }}"
client_key: "{{ stackhpc_release_pulp_client_key }}"
remote_username: "{{ stackhpc_release_pulp_username }}"
remote_password: "{{ stackhpc_release_pulp_password }}"
policy: on_demand
proxy_url: "{{ pulp_proxy_url }}"
architectures: amd64
Expand All @@ -85,8 +80,8 @@ stackhpc_pulp_repository_deb_repos:
# Third-party repositories
- name: Docker CE for Ubuntu
url: "{{ stackhpc_release_pulp_content_url }}/docker-ce/ubuntu/{{ stackhpc_pulp_repo_docker_ce_ubuntu_version }}"
client_cert: "{{ stackhpc_release_pulp_client_cert }}"
client_key: "{{ stackhpc_release_pulp_client_key }}"
remote_username: "{{ stackhpc_release_pulp_username }}"
remote_password: "{{ stackhpc_release_pulp_password }}"
policy: on_demand
proxy_url: "{{ pulp_proxy_url }}"
architectures: amd64
Expand Down Expand Up @@ -193,26 +188,26 @@ stackhpc_pulp_repository_rpm_repos:
# Base CentOS 8 Stream repositories
- name: CentOS Stream 8 - AppStream
url: "{{ stackhpc_release_pulp_content_url }}/centos/8-stream/AppStream/x86_64/os/{{ stackhpc_pulp_repo_centos_stream_8_appstream_version }}"
client_cert: "{{ stackhpc_release_pulp_client_cert }}"
client_key: "{{ stackhpc_release_pulp_client_key }}"
remote_username: "{{ stackhpc_release_pulp_username }}"
remote_password: "{{ stackhpc_release_pulp_password }}"
policy: on_demand
proxy_url: "{{ pulp_proxy_url }}"
sync_policy: mirror_complete
state: present
required: "{{ stackhpc_pulp_sync_centos_stream8 | bool }}"
- name: CentOS Stream 8 - BaseOS
url: "{{ stackhpc_release_pulp_content_url }}/centos/8-stream/BaseOS/x86_64/os/{{ stackhpc_pulp_repo_centos_stream_8_baseos_version }}"
client_cert: "{{ stackhpc_release_pulp_client_cert }}"
client_key: "{{ stackhpc_release_pulp_client_key }}"
remote_username: "{{ stackhpc_release_pulp_username }}"
remote_password: "{{ stackhpc_release_pulp_password }}"
policy: on_demand
proxy_url: "{{ pulp_proxy_url }}"
sync_policy: mirror_complete
state: present
required: "{{ stackhpc_pulp_sync_centos_stream8 | bool }}"
- name: CentOS Stream 8 - Extras
url: "{{ stackhpc_release_pulp_content_url }}/centos/8-stream/extras/x86_64/os/{{ stackhpc_pulp_repo_centos_stream_8_extras_version }}"
client_cert: "{{ stackhpc_release_pulp_client_cert }}"
client_key: "{{ stackhpc_release_pulp_client_key }}"
remote_username: "{{ stackhpc_release_pulp_username }}"
remote_password: "{{ stackhpc_release_pulp_password }}"
policy: on_demand
proxy_url: "{{ pulp_proxy_url }}"
sync_policy: mirror_complete
Expand All @@ -222,40 +217,40 @@ stackhpc_pulp_repository_rpm_repos:
# Base Rocky 8 repositories
- name: Rocky Linux 8 - AppStream
url: "{{ stackhpc_release_pulp_content_url }}/rocky/8.{{ stackhpc_pulp_repo_rocky_8_minor_version }}/AppStream/x86_64/os/{{ stackhpc_pulp_repo_rocky_8_appstream_version }}"
client_cert: "{{ stackhpc_release_pulp_client_cert }}"
client_key: "{{ stackhpc_release_pulp_client_key }}"
remote_username: "{{ stackhpc_release_pulp_username }}"
remote_password: "{{ stackhpc_release_pulp_password }}"
policy: on_demand
sync_policy: mirror_complete
state: present
required: "{{ stackhpc_pulp_sync_rocky_8 | bool }}"
- name: Rocky Linux 8 - BaseOS
url: "{{ stackhpc_release_pulp_content_url }}/rocky/8.{{ stackhpc_pulp_repo_rocky_8_minor_version }}/BaseOS/x86_64/os/{{ stackhpc_pulp_repo_rocky_8_baseos_version }}"
client_cert: "{{ stackhpc_release_pulp_client_cert }}"
client_key: "{{ stackhpc_release_pulp_client_key }}"
remote_username: "{{ stackhpc_release_pulp_username }}"
remote_password: "{{ stackhpc_release_pulp_password }}"
policy: on_demand
sync_policy: mirror_complete
state: present
required: "{{ stackhpc_pulp_sync_rocky_8 | bool }}"
- name: Rocky Linux 8 - Extras
url: "{{ stackhpc_release_pulp_content_url }}/rocky/8.{{ stackhpc_pulp_repo_rocky_8_minor_version }}/extras/x86_64/os/{{ stackhpc_pulp_repo_rocky_8_extras_version }}"
client_cert: "{{ stackhpc_release_pulp_client_cert }}"
client_key: "{{ stackhpc_release_pulp_client_key }}"
remote_username: "{{ stackhpc_release_pulp_username }}"
remote_password: "{{ stackhpc_release_pulp_password }}"
policy: on_demand
sync_policy: mirror_complete
state: present
required: "{{ stackhpc_pulp_sync_rocky_8 | bool }}"
- name: Rocky Linux 8 - NFV
url: "{{ stackhpc_release_pulp_content_url }}/rocky/8.{{ stackhpc_pulp_repo_rocky_8_minor_version }}/nfv/x86_64/os/{{ stackhpc_pulp_repo_rocky_8_nfv_version }}"
client_cert: "{{ stackhpc_release_pulp_client_cert }}"
client_key: "{{ stackhpc_release_pulp_client_key }}"
remote_username: "{{ stackhpc_release_pulp_username }}"
remote_password: "{{ stackhpc_release_pulp_password }}"
policy: on_demand
sync_policy: mirror_complete
state: present
required: "{{ stackhpc_pulp_sync_rocky_8 | bool }}"
- name: Rocky Linux 8 - PowerTools
url: "{{ stackhpc_release_pulp_content_url }}/rocky/8.{{ stackhpc_pulp_repo_rocky_8_minor_version }}/PowerTools/x86_64/os/{{ stackhpc_pulp_repo_rocky_8_6_powertools_version }}"
client_cert: "{{ stackhpc_release_pulp_client_cert }}"
client_key: "{{ stackhpc_release_pulp_client_key }}"
remote_username: "{{ stackhpc_release_pulp_username }}"
remote_password: "{{ stackhpc_release_pulp_password }}"
policy: on_demand
sync_policy: mirror_complete
state: present
Expand All @@ -264,17 +259,17 @@ stackhpc_pulp_repository_rpm_repos:
# EPEL repositories
- name: Extra Packages for Enterprise Linux 8 - x86_64
url: "{{ stackhpc_release_pulp_content_url }}/epel/8/Everything/x86_64/{{ stackhpc_pulp_repo_epel_version }}"
client_cert: "{{ stackhpc_release_pulp_client_cert }}"
client_key: "{{ stackhpc_release_pulp_client_key }}"
remote_username: "{{ stackhpc_release_pulp_username }}"
remote_password: "{{ stackhpc_release_pulp_password }}"
policy: on_demand
proxy_url: "{{ pulp_proxy_url }}"
sync_policy: mirror_content_only
state: present
required: "{{ stackhpc_pulp_sync_el_8 | bool }}"
- name: Extra Packages for Enterprise Linux Modular 8 - x86_64
url: "{{ stackhpc_release_pulp_content_url }}/epel/8/Modular/x86_64/{{ stackhpc_pulp_repo_epel_modular_version }}"
client_cert: "{{ stackhpc_release_pulp_client_cert }}"
client_key: "{{ stackhpc_release_pulp_client_key }}"
remote_username: "{{ stackhpc_release_pulp_username }}"
remote_password: "{{ stackhpc_release_pulp_password }}"
policy: on_demand
proxy_url: "{{ pulp_proxy_url }}"
sync_policy: mirror_complete
Expand All @@ -284,8 +279,8 @@ stackhpc_pulp_repository_rpm_repos:
# Third-party repositories
- name: Docker CE for CentOS 8
url: "{{ stackhpc_release_pulp_content_url }}/docker-ce/centos/8/x86_64/stable/{{ stackhpc_pulp_repo_docker_version }}"
client_cert: "{{ stackhpc_release_pulp_client_cert }}"
client_key: "{{ stackhpc_release_pulp_client_key }}"
remote_username: "{{ stackhpc_release_pulp_username }}"
remote_password: "{{ stackhpc_release_pulp_password }}"
policy: on_demand
proxy_url: "{{ pulp_proxy_url }}"
sync_policy: mirror_complete
Expand Down