From 7492c9553253a9c0cc163e95a7de681b6e270fdf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Bukatovi=C4=8D?=
Date: Wed, 5 Dec 2018 20:37:46 +0100
Subject: [PATCH 01/16] initial test setup and teardown for ssl based on https://github.com/Tendrl/documentation/wiki/Enabling-Https-on-tendrl-server
---
test_setup.minimal_default_ssl.yml | 83 +++++++++++++++++++++++++++
test_teardown.minimal_default_ssl.yml | 46 +++++++++++++++
2 files changed, 129 insertions(+)
create mode 100644 test_setup.minimal_default_ssl.yml
create mode 100644 test_teardown.minimal_default_ssl.yml
diff --git a/test_setup.minimal_default_ssl.yml b/test_setup.minimal_default_ssl.yml
new file mode 100644
index 00000000..1ec2ceac
--- /dev/null
+++ b/test_setup.minimal_default_ssl.yml
@@ -0,0 +1,83 @@ +--- +# =============================================== +# Setup of HTTPS for Tendrl UI, API and Grafana +# =============================================== +# +# Based on upstream wiki: +# https://github.com/Tendrl/documentation/wiki/Enabling-Https-on-tendrl-server +# Some code reused from: +# https://github.com/Tendrl/tendrl-ansible/pull/46/files + +# TODO: move something into a role, so that we can have multiple ssl playbooks +# such as with redirect, with QE CA certs ... + +- hosts: usm_server + remote_user: root + vars: + httpd_server_name: "{{ inventory_hostname }}" + httpd_ip_address: "{{ ansible_default_ipv4.address }}" + handlers: + - name: restart httpd + service: name=httpd state=restarted + tasks: + + - debug: + var: httpd_server_name + + - debug: + var: httpd_ip_address + + - name: Install mod_ssl package + yum: + name: mod_ssl + state: latest + + - name: Initialize new tendrl-ssl.conf file based on sample conf file + copy: + src: /etc/httpd/conf.d/tendrl-ssl.conf.sample + remote_src: True + dest: /etc/httpd/conf.d/tendrl-ssl.conf + + - name: Replace ssl_virtualhost_ip with the correct ip address + lineinfile: + path: /etc/httpd/conf.d/tendrl-ssl.conf + regexp: '^' + line: "" + notify: + - restart httpd + + - name: Adjust ServerName + lineinfile: + path: /etc/httpd/conf.d/tendrl-ssl.conf + insertafter: '' + regexp: '^ *ServerName .*' + line: " ServerName {{ httpd_server_name }}" + state: present + notify: + - restart httpd + + - name: Run apachectl configtest to validate new configuration + command: apachectl -t + changed_when: False + register: apachectl_configtest + + - name: Recheck result of config validation (based on previous task) + assert: + that: + - apachectl_configtest.stderr == 'Syntax OK' + - apachectl_configtest.stdout == '' + + - name: Open port for https in firewalld + firewalld: + service=https + zone=public permanent=true state=enabled immediate=true + + - name: Disable http service in firewalld (for better testing) + 
firewalld: + service=http + zone=public permanent=true state=disabled immediate=true + + - name: Close port 80 in firewalld (for better testing) + firewalld: + port="80/tcp" + zone=public permanent=true state=disabled immediate=true diff --git a/test_teardown.minimal_default_ssl.yml b/test_teardown.minimal_default_ssl.yml new file mode 100644 index 00000000..ad7b7435 --- /dev/null +++ b/test_teardown.minimal_default_ssl.yml @@ -0,0 +1,46 @@ +--- +# ================================================== +# Teardown of HTTPS for Tendrl UI, API and Grafana +# ================================================== +# +# Based on upstream wiki: +# https://github.com/Tendrl/documentation/wiki/Enabling-Https-on-tendrl-server + +- hosts: usm_server + remote_user: root + handlers: + - name: restart httpd + service: name=httpd state=restarted + tasks: + + - name: Remove tendrl-ssl.conf file + file: + path: /etc/httpd/conf.d/tendrl-ssl.conf + state: absent + notify: restart httpd + + - name: Remove mod_ssl package + yum: + name: mod_ssl + state: absent + + - name: Run apachectl configtest to validate new configuration + command: apachectl -t + changed_when: False + register: apachectl_configtest + + - name: Recheck result of config validation (based on previous task) + assert: + that: + - apachectl_configtest.stderr == 'Syntax OK' + - apachectl_configtest.stdout == '' + + - name: Disable https service in firewalld + firewalld: + service=https + zone=public permanent=true state=disabled immediate=true + + - name: Enable http service in firewalld + firewalld: + service=http + zone=public permanent=true state=enabled immediate=true From 96577fa0f41b252c56579cacb9c0f1cfd5c56cd7 Mon Sep 17 00:00:00 2001 
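Review bot: In the `Replace ssl_virtualhost_ip` task of test_setup.minimal_default_ssl.yml the pattern and replacement appear as `regexp: '^'` and `line: ""`; taken literally, `'^'` matches every line and lineinfile replaces the last match, so the file's final line would be blanked instead of the VirtualHost address being set, and the `insertafter: ''` of `Adjust ServerName` has the same shape — most likely the `<VirtualHost …:443>` text was lost in this rendering, but the committed values deserve a look. `state: latest` on the mod_ssl install is non-idempotent and can drag an unplanned httpd upgrade into the test box; `state: present` is sufficient. The firewalld tasks mix key=value argument strings into block YAML (`service=https zone=public permanent=true …`); the mapping form (`service: https`, `zone: public`, `permanent: true`, `state: enabled`, `immediate: true`) is what ansible-lint expects and keeps the booleans typed. The same task list is copied into roles/tendrl-httpd-ssl/tasks/main.yml by PATCH 02/16, where all of this applies too.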
From: =?UTF-8?q?Martin=20Bukatovi=C4=8D?= Date: Thu, 6 Dec 2018 15:52:46 +0100 Subject: [PATCH 02/16] create tendrl-httpd-ssl role --- roles/tendrl-httpd-ssl/README.rst | 21 +++++ roles/tendrl-httpd-ssl/handlers/main.yml | 6 ++ roles/tendrl-httpd-ssl/tasks/main.yml | 62 ++++++++++++++ test_setup.minimal_default_ssl.yml | 83 ------------------- test_setup.tendrl_httpd_ssl_selfsigned.yml | 17 ++++ ....yml => test_teardown.tendrl_httpd_ssl.yml | 5 +- 6 files changed, 109 insertions(+), 85 deletions(-) create mode 100644 roles/tendrl-httpd-ssl/README.rst create mode 100644 roles/tendrl-httpd-ssl/handlers/main.yml create mode 100644 roles/tendrl-httpd-ssl/tasks/main.yml delete mode 100644 test_setup.minimal_default_ssl.yml create mode 100644 test_setup.tendrl_httpd_ssl_selfsigned.yml rename test_teardown.minimal_default_ssl.yml => test_teardown.tendrl_httpd_ssl.yml (87%) diff --git a/roles/tendrl-httpd-ssl/README.rst b/roles/tendrl-httpd-ssl/README.rst new file mode 100644 index 00000000..214a7ce8 --- /dev/null +++ b/roles/tendrl-httpd-ssl/README.rst @@ -0,0 +1,21 @@ +=============================================== + Setup of HTTPS for Tendrl UI, API and Grafana +=============================================== + +This role configures apache to use ssl for Tendrl Web, API and Grafana. + +Based on upstream wiki: `Enabling Https on tendrl server +`_ + +See also overview of tendrl ssl related upstream work: `SSL Configuration for +Tendrl +`_ + +Some code was reused from: +https://github.com/Tendrl/tendrl-ansible/pull/46/files + +Variables +========= + +* ``httpd_ip_address``: public ip address of WA server, where the web is hosted +* ``httpd_server_name``: ``ServerName`` of the Tendrl Web diff --git a/roles/tendrl-httpd-ssl/handlers/main.yml b/roles/tendrl-httpd-ssl/handlers/main.yml new file mode 100644 index 00000000..14fb9e36 --- /dev/null +++ b/roles/tendrl-httpd-ssl/handlers/main.yml 
@@ -0,0 +1,6 @@ +--- + +- name: restart httpd + service: + name=httpd + state=restarted diff --git a/roles/tendrl-httpd-ssl/tasks/main.yml b/roles/tendrl-httpd-ssl/tasks/main.yml new file mode 100644 index 00000000..3d3f202c --- /dev/null +++ b/roles/tendrl-httpd-ssl/tasks/main.yml @@ -0,0 +1,62 @@ +--- + +- debug: + var: httpd_server_name + +- debug: + var: httpd_ip_address + +- name: Install mod_ssl package + yum: + name: mod_ssl + state: latest + +- name: Initialize new tendrl-ssl.conf file based on sample conf file + copy: + src: /etc/httpd/conf.d/tendrl-ssl.conf.sample + remote_src: True + dest: /etc/httpd/conf.d/tendrl-ssl.conf + +- name: Replace ssl_virtualhost_ip with the correct ip address + lineinfile: + path: /etc/httpd/conf.d/tendrl-ssl.conf + regexp: '^' + line: "" + notify: + - restart httpd + +- name: Adjust ServerName + lineinfile: + path: /etc/httpd/conf.d/tendrl-ssl.conf + insertafter: '' + regexp: '^ *ServerName .*' + line: " ServerName {{ httpd_server_name }}" + state: present + notify: + - restart httpd + +- name: Run apachectl configtest to validate new configuration + command: apachectl -t + changed_when: False + register: apachectl_configtest + +- name: Recheck result of config validation (based on previous task) + assert: + that: + - apachectl_configtest.stderr == 'Syntax OK' + - apachectl_configtest.stdout == '' + +- name: Open port for https in firewalld + firewalld: + service=https + zone=public permanent=true state=enabled immediate=true + +- name: Disable http service in firewalld (for proper testing) + firewalld: + service=http + zone=public permanent=true state=disabled immediate=true + +- name: Close port 80 in firewalld (for proper testing) + firewalld: + port="80/tcp" + zone=public permanent=true state=disabled immediate=true diff --git a/test_setup.minimal_default_ssl.yml b/test_setup.minimal_default_ssl.yml deleted file mode 100644 index 1ec2ceac..00000000 --- a/test_setup.minimal_default_ssl.yml +++ /dev/null 
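Review bot: The three firewalld tasks in roles/tendrl-httpd-ssl/tasks/main.yml hardcode `zone=public`, so on a host whose interface lives in another zone the https opening is a no-op and the http/port-80 closing does not actually cut plain-http access; a role variable such as `httpd_firewalld_zone` defaulting to `public`, or at least a comment stating the assumption, would make this explicit. The two bare `debug:` tasks at the top print the variables on every run; `verbosity: 1` on each keeps routine output clean. Nothing after the handler runs verifies that httpd is again answering on 443 — a `meta: flush_handlers` followed by a `wait_for` on port 443 at the end of the role would surface a reload failure inside the play instead of at the first test.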
@@ -1,83 +0,0 @@ ---- -# =============================================== -# Setup of HTTPS for Tendrl UI, API and Grafana -# =============================================== -# -# Based on upstream wiki: -# https://github.com/Tendrl/documentation/wiki/Enabling-Https-on-tendrl-server -# Some code reused from: -# https://github.com/Tendrl/tendrl-ansible/pull/46/files - -# TODO: move something into a role, so that we can have multiple ssl playbooks -# such as with redirect, with QE CA certs ... - -- hosts: usm_server - remote_user: root - vars: - httpd_server_name: "{{ inventory_hostname }}" - httpd_ip_address: "{{ ansible_default_ipv4.address }}" - handlers: - - name: restart httpd - service: name=httpd state=restarted - tasks: - - - debug: - var: httpd_server_name - - - debug: - var: httpd_ip_address - - - name: Install mod_ssl package - yum: - name: mod_ssl - state: latest - - - name: Initialize new tendrl-ssl.conf file based on sample conf file - copy: - src: /etc/httpd/conf.d/tendrl-ssl.conf.sample - remote_src: True - dest: /etc/httpd/conf.d/tendrl-ssl.conf - - - name: Replace ssl_virtualhost_ip with the correct ip address - lineinfile: - path: /etc/httpd/conf.d/tendrl-ssl.conf - regexp: '^' - line: "" - notify: - - restart httpd - - - name: Adjust ServerName - lineinfile: - path: /etc/httpd/conf.d/tendrl-ssl.conf - insertafter: '' - regexp: '^ *ServerName .*' - line: " ServerName {{ httpd_server_name }}" - state: present - notify: - - restart httpd - - - name: Run apachectl configtest to validate new configuration - command: apachectl -t - changed_when: False - register: apachectl_configtest - - - name: Recheck result of config validation (based on previous task) - assert: - that: - - apachectl_configtest.stderr == 'Syntax OK' - - apachectl_configtest.stdout == '' - - - name: Open port for https in firewalld - firewalld: - service=https - zone=public permanent=true state=enabled immediate=true - - - name: Disable http service in firewalld (for better testing) - 
firewalld: - service=http - zone=public permanent=true state=disabled immediate=true - - - name: Close port 80 in firewalld (for better testing) - firewalld: - port="80/tcp" - zone=public permanent=true state=disabled immediate=true diff --git a/test_setup.tendrl_httpd_ssl_selfsigned.yml b/test_setup.tendrl_httpd_ssl_selfsigned.yml new file mode 100644 index 00000000..61952164 --- /dev/null +++ b/test_setup.tendrl_httpd_ssl_selfsigned.yml @@ -0,0 +1,17 @@ +--- +# =============================================== +# Setup of HTTPS for Tendrl UI, API and Grafana +# =============================================== +# +# This is **minimal setup**, which **uses default local ssl certs** provided by +# mod_ssl rpm package. + +- hosts: usm_server + remote_user: root + handlers: + - name: restart httpd + service: name=httpd state=restarted + roles: + - role: tendrl-httpd-ssl + httpd_server_name: "{{ inventory_hostname }}" + httpd_ip_address: "{{ ansible_default_ipv4.address }}" diff --git a/test_teardown.minimal_default_ssl.yml b/test_teardown.tendrl_httpd_ssl.yml similarity index 87% rename from test_teardown.minimal_default_ssl.yml rename to test_teardown.tendrl_httpd_ssl.yml index ad7b7435..b0a10ab2 100644 --- a/test_teardown.minimal_default_ssl.yml +++ b/test_teardown.tendrl_httpd_ssl.yml @@ -3,8 +3,9 @@ # Teardown of HTTPS for Tendrl UI, API and Grafana # ================================================== # -# Based on upstream wiki: -# https://github.com/Tendrl/documentation/wiki/Enabling-Https-on-tendrl-server +# This just removes any SSL Tendrl configuration (no matter if default local +# self signed certs or actuall CA is used) and configures Tendrl to use plain +# http again. - hosts: usm_server remote_user: root From f449afeb9f4254c737c1b690c5476d87952480b2 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Martin=20Bukatovi=C4=8D?= Date: Thu, 6 Dec 2018 16:09:53 +0100 Subject: [PATCH 03/16] httpd ssl: specify different cert files if needed --- roles/tendrl-httpd-ssl/README.rst | 2 ++ roles/tendrl-httpd-ssl/tasks/main.yml | 26 ++++++++++++++++++++++++++ 2 files changed, 28 insertions(+) diff --git a/roles/tendrl-httpd-ssl/README.rst b/roles/tendrl-httpd-ssl/README.rst index 214a7ce8..b790dfc1 100644 --- a/roles/tendrl-httpd-ssl/README.rst +++ b/roles/tendrl-httpd-ssl/README.rst @@ -19,3 +19,5 @@ Variables * ``httpd_ip_address``: public ip address of WA server, where the web is hosted * ``httpd_server_name``: ``ServerName`` of the Tendrl Web +* ``httpd_ssl_certificate_key_file``: ``SLCertificateFile`` of the Tendrl Web +* ``httpd_ssl_certificate_file``: ``SSLCertificateKeyFile`` of the Tendrl Web diff --git a/roles/tendrl-httpd-ssl/tasks/main.yml b/roles/tendrl-httpd-ssl/tasks/main.yml index 3d3f202c..377464d6 100644 --- a/roles/tendrl-httpd-ssl/tasks/main.yml +++ b/roles/tendrl-httpd-ssl/tasks/main.yml @@ -35,6 +35,28 @@ notify: - restart httpd +# +# Specify different cert files if needed +# + +- name: Configure SSL certificate files + lineinfile: + path: /etc/httpd/conf.d/tendrl-ssl.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + with_items: + - regexp: '^ *SSLCertificateFile .*' + line: ' SSLCertificateFile {{ httpd_ssl_certificate_file }}' + - regexp: '^ *SSLCertificateKeyFile .*' + line: ' SSLCertificateKeyFile {{ httpd_ssl_certificate_key_file }}' + when: httpd_ssl_certificate_key_file is defined and httpd_ssl_certificate_file is defined + notify: + - restart httpd + +# +# Config validation +# + - name: Run apachectl configtest to validate new configuration command: apachectl -t changed_when: False @@ -46,6 +68,10 @@ - apachectl_configtest.stderr == 'Syntax OK' - apachectl_configtest.stdout == '' +# +# Firewall +# + - name: Open port for https in firewalld firewalld: service=https 
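Review bot: `Configure SSL certificate files` is skipped unless both `httpd_ssl_certificate_key_file` and `httpd_ssl_certificate_file` are defined, so a caller that sets only one of them silently keeps the default localhost certificate (or key) with no error; an `assert` that the two are either both defined or both undefined fails fast instead. The task rewrites only `SSLCertificateFile` and `SSLCertificateKeyFile`; a certificate issued via an intermediate CA also needs the chain (`SSLCertificateChainFile` on httpd 2.4.6, or the chain appended to the certificate file on 2.4.8+), which the role cannot express — if that is deliberate, say so in the README. The README hunk in this same patch documents the two variables with their directives swapped and `SLCertificateFile` misspelled: the key variable maps to `SSLCertificateKeyFile`, the cert variable to `SSLCertificateFile`. The task list continues outside both hunks.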
From 501bf5cb840989e7edf944d64a9866757df33c4a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Bukatovi=C4=8D?= Date: Thu, 6 Dec 2018 16:12:14 +0100 Subject: [PATCH 04/16] drop handler --- test_setup.tendrl_httpd_ssl_selfsigned.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/test_setup.tendrl_httpd_ssl_selfsigned.yml b/test_setup.tendrl_httpd_ssl_selfsigned.yml index 61952164..5afd8696 100644 --- a/test_setup.tendrl_httpd_ssl_selfsigned.yml +++ b/test_setup.tendrl_httpd_ssl_selfsigned.yml @@ -8,9 +8,6 @@ - hosts: usm_server remote_user: root - handlers: - - name: restart httpd - service: name=httpd state=restarted roles: - role: tendrl-httpd-ssl httpd_server_name: "{{ inventory_hostname }}" From 7bbe9c0c78743a19dd5e2c814947afc5e0cddbcb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Bukatovi=C4=8D?= Date: Thu, 13 Dec 2018 20:51:26 +0100 Subject: [PATCH 05/16] httpd ssl: don't restart httpd, reload is enough --- roles/tendrl-httpd-ssl/handlers/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/tendrl-httpd-ssl/handlers/main.yml b/roles/tendrl-httpd-ssl/handlers/main.yml index 14fb9e36..f037ebdc 100644 --- a/roles/tendrl-httpd-ssl/handlers/main.yml +++ b/roles/tendrl-httpd-ssl/handlers/main.yml @@ -3,4 +3,4 @@ - name: restart httpd service: name=httpd - state=restarted + state=reloaded From ee02f97f8bfad8e3b2697d00564c5b8ea5a1afb1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Bukatovi=C4=8D?= Date: Thu, 13 Dec 2018 21:06:26 +0100 Subject: [PATCH 06/16] httpd ssl: move defaults to the role --- roles/tendrl-httpd-ssl/README.rst | 2 ++ roles/tendrl-httpd-ssl/defaults/main.yml | 3 +++ test_setup.tendrl_httpd_ssl_selfsigned.yml | 2 -- 3 files changed, 5 insertions(+), 2 deletions(-) create mode 100644 roles/tendrl-httpd-ssl/defaults/main.yml diff --git a/roles/tendrl-httpd-ssl/README.rst b/roles/tendrl-httpd-ssl/README.rst index b790dfc1..7242346d 100644 --- a/roles/tendrl-httpd-ssl/README.rst 
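Review bot: The handler now does `state=reloaded` but is still called `restart httpd`, so every `notify: restart httpd` in the role and in test_teardown.tendrl_httpd_ssl.yml reads as a restart while performing a graceful reload; either rename it to `reload httpd` (updating the notifies) or put `# graceful reload is enough for conf.d edits and keeps open connections` above it. On systemd hosts a reload of a stopped unit fails rather than starting it, so running the teardown on a box where httpd is down now errors where the old restart would have started the service; a separate restart handler for the teardown, or an explicit `service: name: httpd state: started` before the edits, covers that. The file also keeps the key=value argument style (`name=httpd`, `state=reloaded`) where a mapping is the idiomatic form.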
+++ b/roles/tendrl-httpd-ssl/README.rst @@ -18,6 +18,8 @@ Variables ========= * ``httpd_ip_address``: public ip address of WA server, where the web is hosted + (default value provided in the role is valid for standard usmqe environment) * ``httpd_server_name``: ``ServerName`` of the Tendrl Web + (default value provided in the role is valid for standard usmqe environment) * ``httpd_ssl_certificate_key_file``: ``SLCertificateFile`` of the Tendrl Web * ``httpd_ssl_certificate_file``: ``SSLCertificateKeyFile`` of the Tendrl Web diff --git a/roles/tendrl-httpd-ssl/defaults/main.yml b/roles/tendrl-httpd-ssl/defaults/main.yml new file mode 100644 index 00000000..70182641 --- /dev/null +++ b/roles/tendrl-httpd-ssl/defaults/main.yml @@ -0,0 +1,3 @@ +--- +httpd_server_name: "{{ inventory_hostname }}" +httpd_ip_address: "{{ ansible_default_ipv4.address }}" diff --git a/test_setup.tendrl_httpd_ssl_selfsigned.yml b/test_setup.tendrl_httpd_ssl_selfsigned.yml index 5afd8696..7c9ae63a 100644 --- a/test_setup.tendrl_httpd_ssl_selfsigned.yml +++ b/test_setup.tendrl_httpd_ssl_selfsigned.yml @@ -10,5 +10,3 @@ remote_user: root roles: - role: tendrl-httpd-ssl - httpd_server_name: "{{ inventory_hostname }}" - httpd_ip_address: "{{ ansible_default_ipv4.address }}" From 4282f2e066b1b1f321fb52d0ea55d11eb5df42b1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Bukatovi=C4=8D?= Date: Tue, 18 Dec 2018 16:56:40 +0100 Subject: [PATCH 07/16] tendrl-httpd-ssl: http to https redirection --- roles/tendrl-httpd-ssl/tasks/main.yml | 31 +++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/roles/tendrl-httpd-ssl/tasks/main.yml b/roles/tendrl-httpd-ssl/tasks/main.yml index 377464d6..0c7876ad 100644 --- a/roles/tendrl-httpd-ssl/tasks/main.yml +++ b/roles/tendrl-httpd-ssl/tasks/main.yml 
@@ -53,6 +53,37 @@ notify: - restart httpd +# +# Automatic redirect of all http urls to https +# + +- name: Configure SSL redirect in tendrl.conf + lineinfile: + path: /etc/httpd/conf.d/tendrl.conf + regexp: ' *#? *Redirect permanent / https://.*/' + line: " Redirect permanent / https://{{ httpd_ip_address }}/" + notify: + - restart httpd + +- name: Comment out DocumentRoot, ProxyPass and ProxyPassReverse in tendrl.conf + lineinfile: + path: /etc/httpd/conf.d/tendrl.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + with_items: + - regexp: ' *#?DocumentRoot /var/www/tendrl' + line: ' #DocumentRoot /var/www/tendrl' + - regexp: ' *#?ProxyPass "/api" http://127.0.0.1:9292/' + line: ' #ProxyPass "/api" http://127.0.0.1:9292/' + - regexp: ' *#?ProxyPassReverse "/api" http://127.0.0.1:9292/' + line: ' #ProxyPassReverse "/api" http://127.0.0.1:9292/' + - regexp: ' *#?ProxyPass /grafana http://127.0.0.1:3000' + line: ' #ProxyPass /grafana http://127.0.0.1:3000' + - regexp: ' *#?ProxyPassReverse /grafana http://127.0.0.1:3000/grafana' + line: ' #ProxyPassReverse /grafana http://127.0.0.1:3000/grafana' + notify: + - restart httpd + # # Config validation # From a76e5423c867bfbd0d0498f46003fcfb7246adf8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Bukatovi=C4=8D?= Date: Tue, 22 Jan 2019 21:09:54 +0100 Subject: [PATCH 08/16] tendrl-httpd-ssl: clarify README --- roles/tendrl-httpd-ssl/README.rst | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/roles/tendrl-httpd-ssl/README.rst b/roles/tendrl-httpd-ssl/README.rst index 7242346d..cc70907e 100644 --- a/roles/tendrl-httpd-ssl/README.rst +++ b/roles/tendrl-httpd-ssl/README.rst 
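Review bot: `Configure SSL redirect in tendrl.conf` depends on the regexp `' *#? *Redirect permanent / https://.*/'` matching an existing (commented) line; if tendrl.conf does not carry it, lineinfile appends the `Redirect permanent` line at end of file, after the closing `</VirtualHost>`, where a server-scope redirect would also apply to the :443 vhost and loop. Anchoring the insertion on the port-80 vhost header with `insertafter:` (or registering the result and asserting that a match was replaced) makes the task safe against a tendrl.conf that lacks the template line. The same append-at-EOF fallback exists for the five `Comment out …` items, though there the only effect is a stray commented line. The task list continues outside the hunk.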
@@ -21,5 +21,7 @@ Variables (default value provided in the role is valid for standard usmqe environment) * ``httpd_server_name``: ``ServerName`` of the Tendrl Web (default value provided in the role is valid for standard usmqe environment) -* ``httpd_ssl_certificate_key_file``: ``SLCertificateFile`` of the Tendrl Web -* ``httpd_ssl_certificate_file``: ``SSLCertificateKeyFile`` of the Tendrl Web +* ``httpd_ssl_certificate_key_file``: ``SLCertificateFile`` of the Tendrl Web, + if not specified, default self signed one is used +* ``httpd_ssl_certificate_file``: ``SSLCertificateKeyFile`` of the Tendrl Web, + if not specified, default self signed one is used From d98d7a817290e69778f50b1613c12fba9e66dbc2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Bukatovi=C4=8D?= Date: Tue, 22 Jan 2019 21:49:01 +0100 Subject: [PATCH 09/16] tendrl-httpd-ssl: more control variables --- roles/tendrl-httpd-ssl/README.rst | 4 ++++ roles/tendrl-httpd-ssl/defaults/main.yml | 2 ++ roles/tendrl-httpd-ssl/tasks/main.yml | 4 ++++ 3 files changed, 10 insertions(+) diff --git a/roles/tendrl-httpd-ssl/README.rst b/roles/tendrl-httpd-ssl/README.rst index cc70907e..cf69625a 100644 --- a/roles/tendrl-httpd-ssl/README.rst +++ b/roles/tendrl-httpd-ssl/README.rst @@ -25,3 +25,7 @@ Variables if not specified, default self signed one is used * ``httpd_ssl_certificate_file``: ``SSLCertificateKeyFile`` of the Tendrl Web, if not specified, default self signed one is used +* ``tendrl_https_redirection``: should we redirect http request to https? + (default True) +* ``tendrl_https_disable_port_80``: should we disable http port for better + testing? (default False) diff --git a/roles/tendrl-httpd-ssl/defaults/main.yml b/roles/tendrl-httpd-ssl/defaults/main.yml index 70182641..b0ba2f70 100644 --- a/roles/tendrl-httpd-ssl/defaults/main.yml +++ b/roles/tendrl-httpd-ssl/defaults/main.yml 
@@ -1,3 +1,5 @@ --- httpd_server_name: "{{ inventory_hostname }}" httpd_ip_address: "{{ ansible_default_ipv4.address }}" +tendrl_https_redirection: True +tendrl_https_disable_port_80: False diff --git a/roles/tendrl-httpd-ssl/tasks/main.yml b/roles/tendrl-httpd-ssl/tasks/main.yml index 0c7876ad..1ea3ac97 100644 --- a/roles/tendrl-httpd-ssl/tasks/main.yml +++ b/roles/tendrl-httpd-ssl/tasks/main.yml @@ -62,6 +62,7 @@ path: /etc/httpd/conf.d/tendrl.conf regexp: ' *#? *Redirect permanent / https://.*/' line: " Redirect permanent / https://{{ httpd_ip_address }}/" + when: tendrl_https_redirection == True notify: - restart httpd @@ -81,6 +82,7 @@ line: ' #ProxyPass /grafana http://127.0.0.1:3000' - regexp: ' *#?ProxyPassReverse /grafana http://127.0.0.1:3000/grafana' line: ' #ProxyPassReverse /grafana http://127.0.0.1:3000/grafana' + when: tendrl_https_redirection == True notify: - restart httpd @@ -112,8 +114,10 @@ firewalld: service=http zone=public permanent=true state=disabled immediate=true + when: tendrl_https_disable_port_80 == True - name: Close port 80 in firewalld (for proper testing) firewalld: port="80/tcp" zone=public permanent=true state=disabled immediate=true + when: tendrl_https_disable_port_80 == True From 75d76ca4c5e1f0a20e6aac7d795e375777ea6929 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Bukatovi=C4=8D?= Date: Tue, 22 Jan 2019 22:22:24 +0100 Subject: [PATCH 10/16] tendrl-httpd-ssl: fix teardown --- roles/tendrl-httpd-ssl/tasks/main.yml | 7 +++++++ test_teardown.tendrl_httpd_ssl.yml | 20 ++++++++++++++++++++ 2 files changed, 27 insertions(+) diff --git a/roles/tendrl-httpd-ssl/tasks/main.yml b/roles/tendrl-httpd-ssl/tasks/main.yml index 1ea3ac97..e11685f1 100644 --- a/roles/tendrl-httpd-ssl/tasks/main.yml +++ b/roles/tendrl-httpd-ssl/tasks/main.yml 
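Review bot: The three `when: … == True` conditions added to tasks/main.yml (redirect, comment-out, and both port-80 tasks) compare against the Python boolean, so a value supplied on the command line (`-e tendrl_https_redirection=true`) arrives as the string `'true'`, fails the comparison and silently skips the redirect the caller asked for; `when: tendrl_https_redirection | bool` and `when: tendrl_https_disable_port_80 | bool` accept both forms. In the defaults hunk the values are written as `True`/`False`, which YAML 1.1 parsers read as booleans but yamllint's `truthy` rule flags; `true`/`false` is the canonical spelling. The two port-80 tasks carry the same condition and could sit under one `block:` with a single `when:`. The task list continues outside each of the tasks hunks.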
@@ -57,6 +57,13 @@ # Automatic redirect of all http urls to https # +- name: Backup tendrl.conf (for easy teardown) + copy: + src: /etc/httpd/conf.d/tendrl.conf + dest: /etc/httpd/conf.d/tendrl.conf.usmqe_backup + remote_src: yes + backup: yes + - name: Configure SSL redirect in tendrl.conf lineinfile: path: /etc/httpd/conf.d/tendrl.conf diff --git a/test_teardown.tendrl_httpd_ssl.yml b/test_teardown.tendrl_httpd_ssl.yml index b0a10ab2..a3a6cb47 100644 --- a/test_teardown.tendrl_httpd_ssl.yml +++ b/test_teardown.tendrl_httpd_ssl.yml @@ -20,6 +20,26 @@ state: absent notify: restart httpd + - name: Restore tendrl.conf from backup + copy: + src: /etc/httpd/conf.d/tendrl.conf.usmqe_backup + dest: /etc/httpd/conf.d/tendrl.conf + remote_src: yes + backup: yes + notify: restart httpd + + - name: Run rpm -qV tendrl-api-httpd to validate config file restoration + command: rpm -qV tendrl-api-httpd + changed_when: False + register: rpm_qv_tendrl_api_httpd + failed_when: rpm_qv_tendrl_api_httpd.rc > 1 + + - name: Recheck result of config file restoration (based on previous task) + assert: + that: + - (rpm_qv_tendrl_api_httpd.rc == 0) or (rpm_qv_tendrl_api_httpd.stdout == '.......T. c /etc/httpd/conf.d/tendrl.conf') + - rpm_qv_tendrl_api_httpd.stderr == '' + - name: Remove mod_ssl package yum: name: mod_ssl From 15ece31bb48bf7c869ffd9f38e5e0293700facb8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Bukatovi=C4=8D?= Date: Wed, 23 Jan 2019 10:23:43 +0100 Subject: [PATCH 11/16] tendrl-httpd-ssl: test setup for QE SSL CA --- qe_ssl_certs.yml | 9 --------- test_setup.tendrl_httpd_ssl_qeca.yml | 29 ++++++++++++++++++++++++++++ 2 files changed, 29 insertions(+), 9 deletions(-) delete mode 100644 qe_ssl_certs.yml create mode 100644 test_setup.tendrl_httpd_ssl_qeca.yml diff --git a/qe_ssl_certs.yml b/qe_ssl_certs.yml deleted file mode 100644 index 8dc416db..00000000 --- a/qe_ssl_certs.yml +++ /dev/null 
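Review bot: The teardown's `Restore tendrl.conf from backup` leaves `/etc/httpd/conf.d/tendrl.conf.usmqe_backup` in place and fails outright when the backup does not exist (teardown run on a host where the setup never ran, or run twice); a `stat` of the backup with `when: backup_stat.stat.exists` on the restore, followed by `file: path: /etc/httpd/conf.d/tendrl.conf.usmqe_backup state: absent`, makes the teardown rerunnable and keeps a stale backup from being reused by the next setup. `backup: yes` on both copy tasks additionally leaves timestamped `tendrl.conf.…~` copies in conf.d on every run; httpd only includes `*.conf` there, so they are inert, but they accumulate and the `.usmqe_backup` copy already serves that purpose. The `rpm -qV` assert accepting exactly `.......T. c /etc/httpd/conf.d/tendrl.conf` is a precise check; a one-line comment that the `T` is the expected mtime-only difference after the restore would save the next reader a trip to rpm(8). Both task lists continue outside the hunks.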
@@ -1,9 +0,0 @@ ---- -# -# obtain ssl certs on all servers -# - -- hosts: usm_server:usm_nodes:usm_client - remote_user: root - roles: - - {role: qe-ssl-cert, ssl_cert_name: "server"} diff --git a/test_setup.tendrl_httpd_ssl_qeca.yml b/test_setup.tendrl_httpd_ssl_qeca.yml new file mode 100644 index 00000000..1189f868 --- /dev/null +++ b/test_setup.tendrl_httpd_ssl_qeca.yml @@ -0,0 +1,29 @@ +--- +# =============================================================== +# Setup of HTTPS for Tendrl UI, API and Grafana using QE SSL CA +# =============================================================== +# +# This is real world use case which doesn't use self signed SSL certs, but +# instead it: +# +# * generates new SSL certificate for httpd on Tendrl server +# * sings this new cert with QE SSL CA +# * SSL key and cert for http is different from SSL key and cert used for +# etcd client server auth (but it's signed by the same QE SSL CA) +# +# Browsers and clients of QE team have this QE CA imported, so that there +# should be no warning about unknown SSL certificate, and accessing Tendrl +# via https should just work. + +- hosts: usm_server + remote_user: root + vars: + tendrl_ssl_cert_name: "tendrl-grafana-http" + roles: + - role: qe-ssl-cert + ssl_cert_name: "{{ tendrl_ssl_cert_name }}" + ssl_owner: "apache" + ssl_group: "apache" + - role: tendrl-httpd-ssl + httpd_ssl_certificate_key_file: "/etc/pki/tls/private/{{ tendrl_ssl_cert_name }}.key" + httpd_ssl_certificate_file: "/etc/pki/tls/certs/{{ tendrl_ssl_cert_name }}.crt" From 93ef4ab8ffbb489c8474b4020b75f763eacb1564 Mon Sep 17 00:00:00 2001 
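Review bot: test_setup.tendrl_httpd_ssl_qeca.yml hands the new httpd key to the qe-ssl-cert role with `ssl_owner: "apache"` / `ssl_group: "apache"`; httpd reads `SSLCertificateKeyFile` as root before spawning the unprivileged workers, so the private key under `/etc/pki/tls/private/` does not need to be readable by the `apache` user, and keeping it root-owned with mode 0600 prevents a compromised worker from reading it (the mode the qe-ssl-cert role applies is not visible here, so confirm before changing). The header comment has `sings this new cert` for `signs`. The deleted qe_ssl_certs.yml applied qe-ssl-cert to `usm_server:usm_nodes:usm_client`, so anything that still relied on node or client certificates from that playbook should be checked.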
From: =?UTF-8?q?Martin=20Bukatovi=C4=8D?= Date: Wed, 23 Jan 2019 18:06:52 +0100 Subject: [PATCH 12/16] deploy QE CA on client and qe-server --- qe_server.yml | 1 + qe_server_jenkins.yml | 1 + roles/qe-server/meta/main.yml | 1 + roles/qe-ssl-ca/README.rst | 12 +++++++++++ roles/qe-ssl-ca/tasks/main.yml | 30 ++++++++++++++++++++++++++++ test_setup.tendrl_httpd_ssl_qeca.yml | 9 +++++++++ 6 files changed, 54 insertions(+) create mode 100644 roles/qe-ssl-ca/README.rst create mode 100644 roles/qe-ssl-ca/tasks/main.yml diff --git a/qe_server.yml b/qe_server.yml index f0da1960..80d9aecd 100644 --- a/qe_server.yml +++ b/qe_server.yml @@ -10,6 +10,7 @@ - { role: epel, epel_enabled: 1 } - rh-python36 - tendrl-ansible.gluster-gdeploy-copr + - qe-ssl-ca - qe-server - name: Prepare test environment of usmqe user diff --git a/qe_server_jenkins.yml b/qe_server_jenkins.yml index 67f19e11..e1bdc78a 100644 --- a/qe_server_jenkins.yml +++ b/qe_server_jenkins.yml @@ -10,6 +10,7 @@ - epel - rh-python36 - tendrl-ansible.gluster-gdeploy-copr + - qe-ssl-ca - qe-server tasks: - name: Add jenkins user into usmqe group diff --git a/roles/qe-server/meta/main.yml b/roles/qe-server/meta/main.yml index aa45c549..2f663f48 100644 --- a/roles/qe-server/meta/main.yml +++ b/roles/qe-server/meta/main.yml @@ -2,3 +2,4 @@ dependencies: - { role: epel, epel_enabled: 1, qe_not_production_testing_server: True} - { role: rh-python36 } + - { role: qe-ssl-ca } diff --git a/roles/qe-ssl-ca/README.rst b/roles/qe-ssl-ca/README.rst new file mode 100644 index 00000000..b5af9112 --- /dev/null +++ b/roles/qe-ssl-ca/README.rst @@ -0,0 +1,12 @@ +================= + QE SSL CA Setup +================= + +This role downloads OpenSSL Certificate Authority file of QE team and imports +it into system so that it's trusted on the machine by default. + +The role is expected to be used on qe-server and client machine only. + +Mandatory ansible variables: + +* ``ca_usmqe_cert_url`` is url of QE CA cert file 
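Review bot: `qe-ssl-ca` is added both as an explicit role in qe_server.yml (and qe_server_jenkins.yml) and as a dependency of qe-server in roles/qe-server/meta/main.yml, so it is listed twice per play; with identical parameters Ansible runs a role once per play, so this is harmless, but one of the two is redundant and the meta dependency alone keeps the playbooks shorter. Since the role installs a CA into the system trust store of the QE server, a comment on the line that pulls it in, such as `# qe-ssl-ca: this machine will trust anything signed by the QE CA`, documents the consequence where it is decided.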
diff --git a/roles/qe-ssl-ca/tasks/main.yml b/roles/qe-ssl-ca/tasks/main.yml new file mode 100644 index 00000000..f3e5effd --- /dev/null +++ b/roles/qe-ssl-ca/tasks/main.yml @@ -0,0 +1,30 @@ +--- + +- name: Make sure openssl is installed + yum: + name: openssl + state: present + +- name: Make sure anchors directory exists + file: + path: /etc/pki/ca-trust/source/anchors + state: directory + +- name: Check that mandatory variables are defined + assert: + that: + - ca_usmqe_cert_url is defined + msg: > + You need to define all mandatory ansible variables to run this + playbook, see README file for guidance. + +- name: Get QE CA cert file + get_url: + url: "{{ ca_usmqe_cert_url }}" + dest: "/etc/pki/ca-trust/source/anchors/ca-usmqe.crt" + mode: "{{ ssl_cert_perm }}" + register: ca_trust + +- name: Run update-ca-trust extract + command: update-ca-trust extract + when: ca_trust.changed diff --git a/test_setup.tendrl_httpd_ssl_qeca.yml b/test_setup.tendrl_httpd_ssl_qeca.yml index 1189f868..2ca10e3e 100644 --- a/test_setup.tendrl_httpd_ssl_qeca.yml +++ b/test_setup.tendrl_httpd_ssl_qeca.yml @@ -27,3 +27,12 @@ - role: tendrl-httpd-ssl httpd_ssl_certificate_key_file: "/etc/pki/tls/private/{{ tendrl_ssl_cert_name }}.key" httpd_ssl_certificate_file: "/etc/pki/tls/certs/{{ tendrl_ssl_cert_name }}.crt" + +# For client machine to be able to communicate with Tendrl over https without +# any problems, QE CA cert file (which signed the just deployed Tendrl httpd +# cert) is imported on the client. + +- hosts: usm_client + remote_user: root + roles: + - role: qe-ssl-ca From 0ebeccde1a2f8dff91a2c0965d79246ace5c7e28 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Bukatovi=C4=8D?= Date: Wed, 23 Jan 2019 19:22:26 +0100 Subject: [PATCH 13/16] qe fix: redirect to hostname instead of ip addr --- roles/tendrl-httpd-ssl/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
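Review bot: `Get QE CA cert file` installs whatever `ca_usmqe_cert_url` returns straight into `/etc/pki/ca-trust/source/anchors/` and the next task pushes it into the system trust store, with no integrity check on the download, so anything that can answer that URL (a plain-http URL, or a compromised host behind it) becomes a trusted CA for every client and the QE server. A pinned `checksum: "sha256:<CA_CERT_SHA256>"` on the `get_url` (value taken from the CA's published fingerprint), with `validate_certs` left at its default, makes the step fail closed; short of that, an `assert` that the URL starts with `https://` is the minimum. `Check that mandatory variables are defined` runs after the yum and file tasks; moving it to the top of the role fails before anything is changed. `when: ca_trust.changed` works but `when: ca_trust is changed` is the form current ansible-lint asks for.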
diff --git a/roles/tendrl-httpd-ssl/tasks/main.yml b/roles/tendrl-httpd-ssl/tasks/main.yml index e11685f1..c37c0cac 100644 --- a/roles/tendrl-httpd-ssl/tasks/main.yml +++ b/roles/tendrl-httpd-ssl/tasks/main.yml @@ -68,7 +68,7 @@ lineinfile: path: /etc/httpd/conf.d/tendrl.conf regexp: ' *#? *Redirect permanent / https://.*/' - line: " Redirect permanent / https://{{ httpd_ip_address }}/" + line: " Redirect permanent / https://{{ httpd_server_name }}/" when: tendrl_https_redirection == True notify: - restart httpd From a25495cbed4d1a7a41935b811600e0518e6d5a59 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Bukatovi=C4=8D?= Date: Wed, 23 Jan 2019 19:26:23 +0100 Subject: [PATCH 14/16] qe fix: SSL certs needs to be changed in ssl.conf Without this change, Tendrl web interfaces were still served using the default localhost cert. See section 14.1.10. Using an Existing Key and Certificate of RHEL 7 System Administrator's Guide[1] which suggests to edit /etc/httpd/conf.d/ssl.conf in this case. [1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-Web_Servers --- roles/tendrl-httpd-ssl/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/tendrl-httpd-ssl/tasks/main.yml b/roles/tendrl-httpd-ssl/tasks/main.yml index c37c0cac..545b200e 100644 --- a/roles/tendrl-httpd-ssl/tasks/main.yml +++ b/roles/tendrl-httpd-ssl/tasks/main.yml @@ -41,7 +41,7 @@ - name: Configure SSL certificate files lineinfile: - path: /etc/httpd/conf.d/tendrl-ssl.conf + path: /etc/httpd/conf.d/ssl.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" with_items: From 8c4b0df9cea88be6d748cdc515e357c4dac2f436 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Bukatovi=C4=8D?= Date: Wed, 23 Jan 2019 19:30:51 +0100 Subject: [PATCH 15/16] qe-ssl-ca: add missing defaults file --- roles/qe-ssl-ca/defaults/main.yml | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 roles/qe-ssl-ca/defaults/main.yml 
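Review bot: The redirect now targets `httpd_server_name` while the `Replace ssl_virtualhost_ip` task earlier in the role still uses `httpd_ip_address`; that split is right (the name must match the certificate's subject/SAN, the address is only where the vhost listens) but nothing in the file says so, and the default `httpd_server_name: "{{ inventory_hostname }}"` only works when the inventory name is the one the QE CA put into the certificate. A comment above the task, `# target must be the name in the cert's SAN, not the IP, or clients get a name-mismatch error`, keeps the reason for this `qe fix` with the code. The task list continues outside the hunk.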
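Review bot: Pointing the cert/key rewrite at `/etc/httpd/conf.d/ssl.conf` edits mod_ssl's default vhost rather than the Tendrl one, and the explanation for why editing tendrl-ssl.conf had no effect lives only in the commit message; a comment above the task, `# set in mod_ssl's ssl.conf, not tendrl-ssl.conf — see RHEL 7 SAG 14.1.10 and the commit that introduced this`, keeps that with the code. Whether the Tendrl vhost inherits these directives or requests are simply served by the default vhost cannot be told from the hunk, so if tendrl-ssl.conf.sample carries its own `SSLCertificateFile`/`SSLCertificateKeyFile` lines that question should be settled and documented. The teardown never restores ssl.conf — it relies on `yum remove mod_ssl` leaving the modified file as `.rpmsave` and a later install writing a pristine one — which deserves either a comment in test_teardown.tendrl_httpd_ssl.yml or an explicit `.usmqe_backup` of ssl.conf like the one kept for tendrl.conf. The task list continues outside the hunk.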
diff --git a/roles/qe-ssl-ca/defaults/main.yml b/roles/qe-ssl-ca/defaults/main.yml new file mode 100644 index 00000000..91b231d4 --- /dev/null +++ b/roles/qe-ssl-ca/defaults/main.yml @@ -0,0 +1,2 @@ +--- +ssl_cert_perm: "0644" From abf76e18043da65dc7c835d9e5e2956f0249b29b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Bukatovi=C4=8D?= Date: Wed, 23 Jan 2019 19:43:33 +0100 Subject: [PATCH 16/16] fix bug in teardown procedure --- roles/tendrl-httpd-ssl/tasks/main.yml | 1 + test_teardown.tendrl_httpd_ssl.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/roles/tendrl-httpd-ssl/tasks/main.yml b/roles/tendrl-httpd-ssl/tasks/main.yml index 545b200e..85110d98 100644 --- a/roles/tendrl-httpd-ssl/tasks/main.yml +++ b/roles/tendrl-httpd-ssl/tasks/main.yml @@ -63,6 +63,7 @@ dest: /etc/httpd/conf.d/tendrl.conf.usmqe_backup remote_src: yes backup: yes + force: no - name: Configure SSL redirect in tendrl.conf lineinfile: diff --git a/test_teardown.tendrl_httpd_ssl.yml b/test_teardown.tendrl_httpd_ssl.yml index a3a6cb47..d12cbb83 100644 --- a/test_teardown.tendrl_httpd_ssl.yml +++ b/test_teardown.tendrl_httpd_ssl.yml @@ -26,6 +26,7 @@ dest: /etc/httpd/conf.d/tendrl.conf remote_src: yes backup: yes + force: yes notify: restart httpd - name: Run rpm -qV tendrl-api-httpd to validate config file restoration
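Review bot: `force: yes` added to the teardown's restore copy is the copy module's default, so that half of the fix changes nothing; the effective bug fix is `force: no` on the backup task in the role, which stops a second setup run from overwriting the pristine backup with an already-redirected tendrl.conf. Either drop the teardown line or keep it with a comment, `# default, kept explicit: the backup must always win over the current file`, so the asymmetry with the role's `force: no` reads as intentional. On the role side, `# never overwrite an existing backup: it holds the pristine config` above `force: no` documents why the two tasks differ. Both task lists continue outside the hunks.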