36 changes: 36 additions & 0 deletions doc/source/configuration/openbao.rst
Expand Up @@ -460,6 +460,42 @@ Enable the required TLS variables in kayobe and kolla

kayobe overcloud host command run --command "systemctl restart kolla-nova_compute-container.service" --become --show-output -l compute

Pulp TLS
========

.. warning::

For clouds in production consider the impact of enabling TLS on specific hosts as Docker daemon will be restarted and this will disrupt deployments of Ceph Reef and older.
As Vault is deprecated and will be removed in future releases this process only works for OpenBao

To enable TLS for Pulp we first need to generate the certificates and the proceed to configure all hosts that use Pulp to add the root CA to their truststore.

1. Generate the certificate

.. code-block::

kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/pulp/pulp-generate-certificate.yml

2. Copy CA to truststore

.. code-block::

kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/deployment/copy-ca-to-hosts.yml

3. Enable TLS for Pulp

.. code-block::
:caption: $KAYOBE_CONFIG_PATH/pulp.yml

# Whether to enable TLS for Pulp.
pulp_enable_tls: true

4. Redeploy Pulp

.. code-block::

kayobe seed service reconfigure -t seed-deploy-containers -kt none

Barbican integration
====================

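--- a/etc/kayobe/ansible/deployment/copy-ca-to-hosts.yml
+++ b/etc/kayobe/ansible/deployment/copy-ca-to-hosts.yml
@@ -0,0 +1,47 @@
+---
+- name: Install certificate authorities and update trust
+  hosts: overcloud:seed:seed-hypervisor
+  # Avoid using facts because this may be used as a pre overcloud host
+  # configure hook, and we don't want to populate the fact cache (if one is in
+  # use) with the bootstrap user's context.
+  gather_facts: false
+  tags:
+    - install-ca
+  vars:
+    ansible_user: "{{ bootstrap_user }}"
+    # We can't assume that a virtualenv exists at this point, so use the system
+    # python interpreter.
+    ansible_python_interpreter: /usr/bin/python3
+    # Work around no known_hosts entry on first boot.
+    ansible_ssh_common_args: -o StrictHostKeyChecking=no
+    # Don't assume facts are present.
+    os_family: "{{ ansible_facts.os_family | default('Debian' if os_distribution == 'ubuntu' else 'RedHat') }}"
+  become: true
+  tasks:
+    - name: Install certificate authorities on RedHat based distributions
+      when: os_family == 'RedHat'
+      block:
+        - name: Copy certificate authorities on RedHat family systems (Rocky, RHEL, CentOS)
+          ansible.builtin.copy:
+            src: "{{ kayobe_env_config_path }}/openbao/{{ item }}.pem"
+            dest: "/etc/pki/ca-trust/source/anchors/{{ item }}.crt"
+            mode: "0644"
+          loop:
+            - "OS-TLS-ROOT"
+
+        - name: Update CA trust on RedHat family systems
+          ansible.builtin.command: "update-ca-trust"
+
+    - name: Install certificate authorities on Debian based distributions
+      when: os_family == 'Debian'
+      block:
+        - name: Copy certificate authorities on Debian family systems (Ubuntu, Debian)
+          ansible.builtin.copy:
+            src: "{{ kayobe_env_config_path }}/openbao/{{ item }}.pem"
+            dest: "/usr/local/share/ca-certificates/{{ item }}.crt"
+            mode: "0644"
+          loop:
+            - "OS-TLS-ROOT"
+
+        - name: Update CA trust on Debian family systems
+          ansible.builtin.command: "update-ca-certificates"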
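Review bot: `ansible_ssh_common_args: -o StrictHostKeyChecking=no` in the play vars disables SSH host-key verification for every host in overcloud, seed and seed-hypervisor, yet this playbook appears to run only after the hosts are already deployed (step 2 of the Pulp TLS procedure in the docs of this same change), so the first-boot rationale in the comment above it does not apply here. A play that authenticates as the bootstrap user and escalates with `become: true` is exactly where an impersonated host would matter most, so prefer `ansible_ssh_common_args: -o StrictHostKeyChecking=accept-new` or drop the override and rely on the known_hosts entries created during host configure. Separately, the `update-ca-trust` and `update-ca-certificates` command tasks run unconditionally and always report changed; registering the copy result and gating each command with `when: ca_copy is changed` would make the play idempotent.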
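--- a/etc/kayobe/ansible/pulp/pulp-generate-certificate.yml
+++ b/etc/kayobe/ansible/pulp/pulp-generate-certificate.yml
@@ -0,0 +1,55 @@
+---
+- name: Generate certificates
+  hosts: seed
+  run_once: true
+  vars:
+    openbao_api_addr: http://127.0.0.1:8200
+    openbao_intermediate_ca_name: OS-TLS-INT
+  tasks:
+    - name: Assert that stackhpc_ca_secret_store is 'openbao'
+      ansible.builtin.assert:
+        that:
+          - stackhpc_ca_secret_store == "openbao"
+        fail_msg: "stackhpc_ca_secret_store must be 'openbao'"
+
+    - name: Include OpenBao keys
+      ansible.builtin.include_vars:
+        file: "{{ kayobe_env_config_path }}/openbao/seed-openbao-keys.json"
+        name: openbao_keys
+
+    - name: Issue Pulp certificate
+      hashivault_pki_cert_issue: # noqa: fqcn
+        url: "{{ openbao_api_addr }}"
+        ca_cert: "{{ '/etc/pki/tls/certs/ca-bundle.crt' if ansible_facts.os_family == 'RedHat' else '/usr/local/share/ca-certificates/OS-TLS-ROOT.crt' }}"
+        token: "{{ openbao_keys.root_token }}"
+        mount_point: "{{ openbao_intermediate_ca_name }}"
+        role: "{{ overcloud_openbao_pki_default_role_name }}"
+        common_name: "{{ inventory_hostname }}"
+        extra_params:
+          ip_sans: "{{ admin_oc_net_name | net_ip(inventory_hostname=groups['seed'][0]) }}"
+      register: pulp_certificate
+
+    - name: Ensure Pulp certificates directory exists
+      ansible.builtin.file:
+        path: "{{ kayobe_env_config_path }}/pulp/certificates"
+        state: directory
+      delegate_to: localhost
+
+    - name: Write certificate to file
+      no_log: true
+      ansible.builtin.copy:
+        dest: "{{ kayobe_env_config_path }}/pulp/certificates/pulp.crt"
+        content: |
+          {{ pulp_certificate.data.certificate }}
+          {{ pulp_certificate.data.issuing_ca }}
+        mode: "0600"
+      delegate_to: localhost
+
+    - name: Write key to file
+      no_log: true
+      ansible.builtin.copy:
+        dest: "{{ kayobe_env_config_path }}/pulp/certificates/pulp.key"
+        content: |
+          {{ pulp_certificate.data.private_key }}
+        mode: "0600"
+      delegate_to: localhost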
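Review bot: The `Issue Pulp certificate` task passes the OpenBao root token as a module argument and registers a result whose `data.private_key` is later written to disk, but it carries no `no_log: true`; a task failure or a verbose run will print the token and the key to the console and to any collected logs, which makes the `no_log: true` on the two copy tasks below only partially effective. Add `no_log: true` to that task, and consider the same on `Include OpenBao keys`, which loads the root token into a play-scoped variable. `openbao_api_addr` is also plain `http://127.0.0.1:8200` while a `ca_cert` bundle is supplied, which is contradictory: either the API address should be https and be verified against that bundle, or `ca_cert` is dead configuration, and if loopback-only HTTP is the intent a comment should say so. Finally, the certificates directory created on localhost has no `mode` while the key inside it is `0600`; `mode: "0700"` on the `ansible.builtin.file` task would keep the directory consistent with its contents.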
2 changes: 1 addition & 1 deletion etc/kayobe/container-engine.yml
Expand Up @@ -40,7 +40,7 @@ docker_registry: "{{ stackhpc_docker_registry }}"
docker_registry_insecure: "{{ 'https' not in stackhpc_repo_mirror_url }}"

# CA of docker registry
#docker_registry_ca:
docker_registry_ca: "{{ kayobe_env_config_path ~ '/openbao/OS-TLS-INT.crt' if pulp_enable_tls | bool else none }}"

# List of Docker registry mirrors.
#docker_registry_mirrors:
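Review bot: `docker_registry_ca` now falls back to `else none` when `pulp_enable_tls` is false, which only yields a real null if the templar returns native types; on ansible-core versions without native Jinja types a lone `{{ ... }}` expression may render as the string `None`, which a consumer would then treat as a file path. The sibling defaults added to `pulp.yml` in this same change use `else ''`, so unless the kayobe role specifically tests `is none`, mirroring that form (`... if pulp_enable_tls | bool else '' }}`) is both safer and consistent; please confirm which test the role performs. It may also be worth noting in the comment above that `docker_registry_insecure` on the line above is keyed off `stackhpc_repo_mirror_url` rather than `pulp_enable_tls`, so the two settings can diverge if one is overridden without the other.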
4 changes: 2 additions & 2 deletions etc/kayobe/pulp.yml
Expand Up @@ -14,10 +14,10 @@ pulp_port: "{{ '443' if pulp_enable_tls | bool else '80' }}"
pulp_enable_tls: false

# Path to a TLS certificate to use when TLS is enabled.
#pulp_cert_path:
pulp_cert_path: "{{ kayobe_env_config_path ~ '/pulp/certificates/pulp.crt' if pulp_enable_tls | bool else '' }}"

# Path to a TLS key to use when TLS is enabled.
#pulp_key_path:
pulp_key_path: "{{ kayobe_env_config_path ~ '/pulp/certificates/pulp.key' if pulp_enable_tls | bool else '' }}"

###############################################################################
# Local Pulp access credentials
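Review bot: The new default `pulp_key_path` points at `{{ kayobe_env_config_path }}/pulp/certificates/pulp.key`, a location inside the kayobe configuration tree that operators typically keep in version control, and `pulp-generate-certificate.yml` in this change writes the private key there in clear text (mode 0600, but unencrypted). Unless that directory is excluded from the repository or the key is `ansible-vault`-encrypted before commit, the Pulp TLS private key will end up in git history. Suggest extending the comment above it with `# Written in clear text by pulp-generate-certificate.yml; keep it out of version control or vault-encrypt it.` and covering the same point in the Pulp TLS documentation added by this change.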
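--- a/releasenotes/notes/pulp-tls-105e47f0da602a25.yaml
+++ b/releasenotes/notes/pulp-tls-105e47f0da602a25.yaml
@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Add playbooks and configuration to enable the easy deployment of Pulp with
+    TLS support in combination with certificates generated via OpenBao.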