Avoid self-signed cert creation for HTTPS
REST API & Web Server TLS certificate (system-restapi-gui-certificate) is now being installed at bootstrap in fs to be used for HTTPS. This guarantees that the server-cert.pem is already present upon the first unlock of the system, removing the need to create a self-signed cert. The self-signed cert will only be created if the system-restapi-gui-certificate does not exist (test scenarios), to avoid hard failures when switching to HTTPS. Test plan: PASS: Deploy an AIO-SX. Verify: - system-restapi-gui-certificate TLS cert is correctly installed in /etc/ssl/private/server-cert.pem before unlocking the controller. - HTTPS is enabled and openstack public endpoints change into it after unlocking the controller. - The target certificates are issued by 'system-local-ca', and are managed by cert-manager. - The certificates in /etc/ssl/private are correct. - It's possible to log into the local Docker Registry. - Horizon is working as expected. PASS: Deploy an AIO-DX. After unlocking controller-1, SSH to it and verify that the Rest API / GUI certificate created during bootstrap is installed as the file '/etc/ssl/private/server-cert.pem'. Story: 2009811 Task: 48976 Depends-on: https://review.opendev.org/c/starlingx/ansible-playbooks/+/902088 Change-Id: If9aa644898b179fbae2b5248c84c764199bb9b7c Signed-off-by: Marcelo Loebens <Marcelo.DeCastroLoebens@windriver.com>
parent
01e8b85cf9
commit
f23b3f1a89
@ -2319,6 +2319,10 @@ CERT_MODE_TO_SECRET_NAME = {
|
|||
CERT_MODE_OPENLDAP: OPENLDAP_CERT_SECRET_NAME
|
||||
}
|
||||
|
||||
# Create RestAPI/GUI and Docker Registry certificates from bootstrap
|
||||
CREATE_PLATFORM_CERTIFICATES_IN_BOOTSTRAP = os.path.join(tsc.CONFIG_PATH,
|
||||
".create_platform_certificates")
|
||||
|
||||
# Storage associated networks
|
||||
SB_SUPPORTED_NETWORKS = {
|
||||
SB_TYPE_CEPH: [NETWORK_TYPE_MGMT, NETWORK_TYPE_CLUSTER_HOST]
|
||||
|
|
|
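Review bot: The comment above the new constant reads as if the constant itself creates the RestAPI/GUI and Docker Registry certificates, but it is only the path of a marker file whose presence is tested elsewhere in this change. A comment describing what the file means would help the next reader, e.g. `# Marker file (presumably written by bootstrap) whose presence means the RestAPI/GUI and Docker Registry certificates were already installed there; it suppresses self-signed certificate creation`. The surrounding dict and the `SB_SUPPORTED_NETWORKS` literal begin and end outside this hunk.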
@ -2386,6 +2386,12 @@ def is_fqdn_ready_to_use():
|
|||
return False
|
||||
|
||||
|
||||
def is_platform_certificates_creation_enabled():
|
||||
"""Check if RestAPI/GUI and Docker Registry are to be created by bootstrap
|
||||
"""
|
||||
return os.path.isfile(constants.CREATE_PLATFORM_CERTIFICATES_IN_BOOTSTRAP)
|
||||
|
||||
|
||||
def is_std_system(dbapi):
|
||||
system = dbapi.isystem_get_one()
|
||||
return system.system_type == constants.TIS_STD_BUILD
|
||||
|
|
|
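Review bot: The docstring of `is_platform_certificates_creation_enabled` drops the word "certificates" and describes an intent rather than what the function actually checks, which is only the existence of a marker file. Suggest `"""Return True if the bootstrap marker file exists, meaning the RestAPI/GUI and Docker Registry certificates were created at bootstrap."""`. Since callers use this to skip self-signed certificate creation, it is worth stating in the docstring that the marker does not prove the certificate files themselves are present on disk.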
@ -8728,15 +8728,16 @@ class ConductorManager(service.PeriodicService):
|
|||
:param context: an admin context.
|
||||
"""
|
||||
personalities = [constants.CONTROLLER]
|
||||
system = self.dbapi.isystem_get_one()
|
||||
|
||||
if system.capabilities.get('https_enabled', False):
|
||||
certificates = self.dbapi.certificate_get_list()
|
||||
for certificate in certificates:
|
||||
if certificate.certtype == constants.CERT_MODE_SSL:
|
||||
break
|
||||
else:
|
||||
self._config_selfsigned_certificate(context)
|
||||
if not cutils.is_platform_certificates_creation_enabled():
|
||||
system = self.dbapi.isystem_get_one()
|
||||
if system.capabilities.get('https_enabled', False):
|
||||
certificates = self.dbapi.certificate_get_list()
|
||||
for certificate in certificates:
|
||||
if certificate.certtype == constants.CERT_MODE_SSL:
|
||||
break
|
||||
else:
|
||||
self._config_selfsigned_certificate(context)
|
||||
|
||||
config_dict = {
|
||||
"personalities": personalities,
|
||||
|
|
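Review bot: The added `system = self.dbapi.isystem_get_one()` inside the new `if not cutils.is_platform_certificates_creation_enabled():` branch re-queries the database although the unchanged line a few lines above already bound `system` for this method; drop the re-fetch and reuse the existing value. A second point: when the marker file is present nothing here verifies that the server certificate was actually installed, so a bootstrap where certificate creation partially failed would leave HTTPS enabled with neither the bootstrap cert nor a self-signed fallback, which is the hard failure the commit message says it wants to avoid; consider guarding the skip with an `os.path.isfile(<server cert path>)` check (placeholder, use the project's constant for the path) and logging a warning when the marker exists but the file does not. The enclosing method starts before this hunk and its `config_dict` construction continues after it.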