stackhpc · technowhizz · Dec 12, 2024 · Dec 13, 2024 · Feb 21, 2025 · Feb 24, 2025
@@ -375,6 +375,47 @@ Enable the required TLS variables in kayobe and kolla
 
       kayobe overcloud host command run --command "systemctl restart kolla-nova_compute-container.service" --become --show-output -l compute
 
+Pulp TLS with Vault
+===================
+.. warning::
+
+   These steps are intended for enabling TLS for pulp on an existing deployment as on a new deployment the overcloud vaults may not be up at this point.
+
+To enable TLS for pulp using vault generated certificates, we first need to generate the certificates using vault and then configure the seed + seed-hypervisor + overcloud nodes to add the root CA to their trust.
+
+1. Run the playbook which will generate the certificates and add the root CA to the seed + seed-hypervisor + overcloud nodes
+
+   .. code-block::
+
+      kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/vault-generate-pulp-tls.yml
+
+2. Encrypt the generated private key with ansible-vault (use the correct path to your vault password file).
+
+   .. code-block::
+
+      ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/pulp/certificates/pulp.key
+
+   Or if environments are being used
+
+   .. code-block::
+
+      ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/pulp/certificates/pulp.key
+
+3. Next, enable TLS for pulp in pulp.yml
+
+   .. code-block::
+
+      # Whether to enable TLS for Pulp.
+      pulp_enable_tls: true
+
+4. Redeploy pulp
+
+   .. code-block::
+
+      kayobe seed service reconfigure -t seed-deploy-containers -kt none
+
+You should now have pulp running with TLS enabled using the certificates generated by vault.
+
 Barbican integration
 ====================
 

@@ -0,0 +1,29 @@
+---
+- name: Copy CA certificate and update trust
+  hosts: overcloud:seed:seed-hypervisor
+  become: true
+  vars:
+    cert_path: "{{ kayobe_env_config_path }}/vault/OS-TLS-ROOT.pem"
+
+  tasks:
+    - name: Copy certificate on RedHat family systems (Rocky, RHEL, CentOS)
+      ansible.builtin.copy:
+        src: "{{ cert_path }}"
+        dest: "/etc/pki/ca-trust/source/anchors/OS-TLS-ROOT.pem"
+        mode: "0644"
+      when: ansible_facts.os_family == 'RedHat'
+
+    - name: Update CA trust on RedHat family systems
+      ansible.builtin.command: "update-ca-trust"
+      when: ansible_facts.os_family == 'RedHat'
+
+    - name: Copy certificate on Debian family systems (Ubuntu, Debian)
+      ansible.builtin.copy:
+        src: "{{ cert_path }}"
+        dest: "/usr/local/share/ca-certificates/OS-TLS-ROOT.crt"
+        mode: "0644"
+      when: ansible_facts.os_family == 'Debian'
+
+    - name: Update CA trust on Debian family systems
+      ansible.builtin.command: "update-ca-certificates"
+      when: ansible_facts.os_family == 'Debian'
@@ -0,0 +1,54 @@
+---
+- name: Generate TLS certificate for pulp
+  hosts: controllers
+  run_once: true
+  vars:
+    vault_api_addr: "https://{{ internal_net_name | net_ip(groups['controllers'][0]) }}:8200"
+    vault_intermediate_ca_name: "OS-TLS-INT"
+  tasks:
+    - name: Include Vault keys
+      ansible.builtin.include_vars:
+        file: "{{ kayobe_env_config_path }}/vault/overcloud-vault-keys.json"
+        name: vault_keys
+
+    - name: Issue a certificate for pulp TLS  # noqa: fqcn
+      hashivault_pki_cert_issue:
+        url: "{{ vault_api_addr }}"
+        ca_cert: "{{ '/etc/pki/tls/certs/ca-bundle.crt' if ansible_facts.os_family == 'RedHat' else '/usr/local/share/ca-certificates/OS-TLS-ROOT.crt' }}"
+        token: "{{ vault_keys.root_token }}"
+        mount_point: "{{ vault_intermediate_ca_name }}"
+        role: "{{ overcloud_vault_pki_internal_tls_role_name }}"
+        common_name: ""
+        verify: false
+        extra_params:
+          ip_sans: "{{ lookup('vars', admin_oc_net_name ~ '_ips')[groups.seed.0] }}"
+      register: pulp_cert
+      environment:
+        https_proxy: ''
+
+    - name: Ensure pulp certificates directory exists
+      ansible.builtin.file:
+        path: "{{ kayobe_env_config_path }}/pulp/certificates"
+        state: directory
+      delegate_to: localhost
+
+    - name: Copy pulp TLS certificate (including intermediate)
+      no_log: true
+      ansible.builtin.copy:
+        dest: "{{ kayobe_env_config_path }}/pulp/certificates/pulp.crt"
+        content: |
+          {{ pulp_cert.data.certificate }}
+          {{ pulp_cert.data.issuing_ca }}
+        mode: 0600
+      delegate_to: localhost
+
+    - name: Copy pulp private key
+      no_log: true
+      ansible.builtin.copy:
+        dest: "{{ kayobe_env_config_path }}/pulp/certificates/pulp.key"
+        content: "{{ pulp_cert.data.private_key }}"
+        mode: 0600
+      delegate_to: localhost
+
+- name: Copy CA to hosts playbook
+  import_playbook: copy-ca-to-hosts.yml
@@ -14,10 +14,10 @@ pulp_port: "{{ '443' if pulp_enable_tls | bool else '80' }}"
 pulp_enable_tls: false
 
 # Path to a TLS certificate to use when TLS is enabled.
-#pulp_cert_path:
+pulp_cert_path: "{{ kayobe_env_config_path ~ '/pulp/certificates/pulp.crt' if pulp_enable_tls | bool else '' }}"
 
 # Path to a TLS key to use when TLS is enabled.
-#pulp_key_path:
+pulp_key_path: "{{ kayobe_env_config_path ~ '/pulp/certificates/pulp.key' if pulp_enable_tls | bool else '' }}"
 
 ###############################################################################
 # Local Pulp access credentials

@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Playbooks have been added to allow for the configuration of Pulp with TLS
+    using certificates generated from vault. Instructions have been added to
+    the docs.