Support custom CAs by distributing a trust bundle (#618)

* Support custom CAs by distributing a trust bundle

* Disable TLS verification for 'zenith-client init' when custom CAs are specified

Author: Matt Pryor

playbooks/deploy.yml

@@ -20,8 +20,6 @@
       when: cloud_metrics_enabled
     - role: azimuth_cloud.azimuth_ops.clusterapi
       when: azimuth_kubernetes_enabled
-    - role: azimuth_cloud.azimuth_ops.awx
-      when: azimuth_clusters_enabled
     - role: azimuth_cloud.azimuth_ops.consul
       when: azimuth_apps_enabled or azimuth_clusters_enabled
     - role: azimuth_cloud.azimuth_ops.azimuth_caas_operator

playbooks/provision_cluster.yml

@@ -14,6 +14,9 @@
 - hosts: k3s
   tasks:
     - block:
+        - include_role:
+            name: azimuth_cloud.azimuth_ops.system_trust
+
         - include_role:
             name: azimuth_cloud.azimuth_ops.sysctl_inotify
 

roles/awx/defaults/main.yml

@@ -46,14 +46,7 @@ azimuth_ingress_tls_key: >-
   }}
 
 # Custom trust bundle for SSL verification
-azimuth_trust_bundle: |-
-  {%- if trust_bundle is defined %}
-  {%- for certificate in trust_bundle.values() %}
-  {{ certificate }}
-  {%- endfor %}
-  {%- endif %}
-# The name of the configmap into which the trust bundle should be placed
-azimuth_trust_bundle_configmap_name: "{{ trust_bundle_configmap_name | default('azimuth-trust-bundle') }}"
+azimuth_trust_bundle: "{{ system_trust_ca_bundle | default('') }}"
 
 # The Django secret key, used mainly for ensuring session cookies are not tampered with
 azimuth_secret_key: "{{ undef(hint = 'azimuth_secret_key is required') }}"
@@ -279,7 +272,17 @@ azimuth_apps_base_domain: >-
 azimuth_apps_verify_ssl: true
 #   Indicates whether SSL should be verified by clients when associating keys with the
 #   registrar using the external endpoint
-azimuth_apps_verify_ssl_clients: "{{ azimuth_apps_verify_ssl }}"
+#   By default, clients will verify SSL when Azimuth itself does
+#   The exception to this is when custom CAs are specified, as there is currently no mechanism
+#   for propagating the custom CAs into the trust store of the appliance
+azimuth_apps_verify_ssl_clients: >-
+  {{-
+    azimuth_apps_verify_ssl and
+    not (
+      (system_trust_extra_root_cas is defined and system_trust_extra_root_cas) or
+      (trust_bundle is defined and trust_bundle)
+    )
+  }}
 #   The external URL for the Zenith registrar
 azimuth_apps_registrar_external_url: >-
   {{-
@@ -347,12 +350,7 @@ azimuth_release_defaults:
       enabled: "{{ azimuth_ingress_tls_enabled }}"
       secretName: "{{ azimuth_ingress_tls_secret_name }}"
       annotations: "{{ azimuth_ingress_tls_annotations }}"
-  trustBundleConfigMapName: >-
-    {{-
-      azimuth_trust_bundle_configmap_name
-      if azimuth_trust_bundle
-      else None
-    }}
+  trustBundle: "{{ azimuth_trust_bundle }}"
   settings:
     secretKey: "{{ azimuth_secret_key }}"
     availableClouds: "{{ azimuth_linked_clouds }}"

roles/awx/tasks/main.yml

@@ -25,21 +25,6 @@
         tls.key: "{{ azimuth_ingress_tls_key }}"
   when: azimuth_ingress_tls_certificate
 
-- name: Install trust bundle
-  command: kubectl apply -f -
-  args:
-    stdin: "{{ azimuth_trust_bundle_configmap_definition | to_nice_yaml }}"
-  vars:
-    azimuth_trust_bundle_configmap_definition:
-      apiVersion: v1
-      kind: ConfigMap
-      metadata:
-        name: "{{ azimuth_trust_bundle_configmap_name }}"
-        namespace: "{{ azimuth_release_namespace }}"
-      data:
-        ca-certificates.crt: "{{ azimuth_trust_bundle }}"
-  when: azimuth_trust_bundle
-
 - name: Install Azimuth on target Kubernetes cluster
   kubernetes.core.helm:
     chart_ref: "{{ azimuth_chart_name }}"

roles/awx/templates/kustomization.yaml

@@ -12,6 +12,9 @@ azimuth_caas_operator_release_name: azimuth-caas-operator
 # The timeout to wait for operator to become ready
 azimuth_caas_operator_wait_timeout: 10m
 
+# Custom trust bundle for SSL verification
+azimuth_caas_operator_trust_bundle: "{{ system_trust_ca_bundle | default('') }}"
+
 # The ansible-runner image and tag to use
 # Leave blank to use the defaults
 azimuth_caas_operator_ansible_runner_image_repository:
@@ -63,6 +66,7 @@ azimuth_caas_operator_release_defaults:
           )
       }}
     globalExtraVars: "{{ azimuth_caas_operator_global_extravars }}"
+  trustBundle: "{{ azimuth_caas_operator_trust_bundle }}"
 azimuth_caas_operator_release_overrides: {}
 azimuth_caas_operator_release_values: >-
   {{-

roles/awx/templates/patch-delete-ns.yaml

@@ -13,6 +13,9 @@ azimuth_capi_operator_release_name: azimuth-capi-operator
 # The timeout to wait for CAPI operator to become ready
 azimuth_capi_operator_wait_timeout: 10m
 
+# Custom trust bundle for SSL verification
+azimuth_capi_operator_trust_bundle: "{{ system_trust_ca_bundle | default('') }}"
+
 # The timer interval to use for the CAPI operator
 azimuth_capi_operator_timer_interval: 60
 
@@ -39,7 +42,8 @@ azimuth_capi_operator_capi_helm_dns_nameservers:
 
 # Bundle of certificates that should be added to the system trustroots for provisioned clusters
 # E.g. for pulling containers from a registry with a custom CA chain
-azimuth_capi_operator_capi_helm_trust_bundle: "{{ trust_bundle | default({}) }}"
+azimuth_capi_operator_capi_helm_trust_bundle: >-
+  {{ system_trust_extra_root_cas | default(trust_bundle) | default({}) }}
 # The registry mirrors for provisioned clusters
 azimuth_capi_operator_capi_helm_registry_mirrors: >-
   {{-
@@ -494,6 +498,7 @@ azimuth_capi_operator_release_defaults:
   # Enable the metrics with the service monitor by default
   metrics:
     enabled: true
+  trustBundle: "{{ azimuth_capi_operator_trust_bundle }}"
 azimuth_capi_operator_release_overrides: {}
 azimuth_capi_operator_release_values: >-
   {{-