From 6a3505a1a3bbaf27b336cc223430c630746b78a6 Mon Sep 17 00:00:00 2001
From: Antonio Costa
Date: Mon, 11 Mar 2024 16:08:29 +0100
Subject: [PATCH 1/4] feat: playbook to update the letsencrypt certificate on the ocp cluster
---
 ansible/playbook/README.adoc | 82 +++++++++++++
 .../update_letsencrypt_certificate.yml | 108 ++++++++++++++++++
 collections/requirements.yml | 3 +
 requirements.txt | 3 +
 4 files changed, 196 insertions(+)
 create mode 100644 ansible/playbook/update_letsencrypt_certificate.yml
diff --git a/ansible/playbook/README.adoc b/ansible/playbook/README.adoc
index 6134ad2f..f84701f7 100644
--- a/ansible/playbook/README.adoc
+++ b/ansible/playbook/README.adoc
@@ -1,5 +1,10 @@
 = Ansible Playbooks
+Antonio C.
+:revdate: {docdate}
+:icons: font
+:icon-set: fas
 :toc: left
+:toclevels: 3
 :description: This document describes the implemented playbooks.
 == Playbooks
@@ -147,6 +152,83 @@ For instance, to undo the previous host operation:
 ansible-playbook ansible/playbook/passstore_manage_host_groups.yml -e operation=remove -e group_name=k8s_115 -e vm_name=n01-k115
 ```
+=== update_letsencrypt_certificate
+
+[.lead]
+Updates the certificates for the openshift ingress console.
+
+.Playbook parameters
+[%header,cols="25%,75%"]
+|===
+| Variable | Description
+
+| `cluster_type`
+
+[.fuchsia]#string#
+
+a| Type of cluster where the certificate will be deployed into (target).
+
+* *kubernetes*
+* *openshift => Default*
+
+| `site_name`
+
+[.fuchsia]#string# / [.red]#required#
+
+a| Name of the site that will be used to fetch the certificates from.
+
+The name of the site will be used to fetch the certificate from the
+ `snowdrop-site` namespace under the format of `-snowdrop-dev-tls`.
+
+| `source_host`
+
+[.fuchsia]#string#
+
+a| Name of the host that will be used to connect to the source cluster.
+
+*Default => `localhost`*
+
+| `source_kubeconfig`
+
+[.fuchsia]#string#
+
+a| `kubeconfig` file for the cluster running the license update feature.
+
+*Default => `${HOME}/.kube/config`*
+
+| `target_host`
+
+[.fuchsia]#string#
+
+a| Name of the host that will be used to connect to the source cluster.
+
+*Default => `localhost`*
+
+| `target_kubeconfig`
+
+[.fuchsia]#string#
+
+a| `kubeconfig` file for the cluster running the license update feature.
+
+*Default => `${HOME}/.kube/config`*
+
+|===
+
+Sample execution of the `update_letsencrypt_certificate.yml` playbook.
+
+[source,bash]
+----
+ansible-playbook ansible/playbook/update_letsencrypt_certificate.yml \
+ -e source_kubeconfig=${HOME}/.kube/snowdrop-rhosp-snowdrop-k8s-config \ <1>
+ -e target_kubeconfig=${HOME}/.kube/rh-ocp-qshift-drp2b-config \ <2>
+ -e site_name=qshift <3>
+----
+<1> `kubeconfig` file for the cluster running the certificate renewal.
+<2> `kubeconfig` file for the cluster that requires the update.
+<3> Name of the Openshift cluster
+
+
+
 == Modules
 :leveloffset: +2
diff --git a/ansible/playbook/update_letsencrypt_certificate.yml b/ansible/playbook/update_letsencrypt_certificate.yml
new file mode 100644
index 00000000..1c839904
--- /dev/null
+++ b/ansible/playbook/update_letsencrypt_certificate.yml
@@ -0,0 +1,108 @@
+---
+- name: "Get TLS information"
+ hosts: "{{ source_host | default(['localhost']) }}"
+ gather_facts: yes
+
+ pre_tasks:
+ - name: "Check site_name variables"
+ assert:
+ that: lookup('varnames', 'site_name') | length > 0
+ fail_msg: "site_name is not defined."
+ quiet: true
+
+ - name: "Check cluster_type variables"
+ assert:
+ that: cluster_type is undefined or cluster_type == 'kubernetes' or cluster_type == 'openshift'
+ fail_msg: "cluster_type must either be kubernetes or openshift (default: openshift)"
+ quiet: true
+
+ - name: Define Kubeconfig
+ ansible.builtin.set_fact:
+ kubeconfig_source: "{{ source_kubeconfig | default('~/.kube/config') }}"
+ target_cluster_type: "{{ cluster_type | default('openshift') }}"
+
+ - name: Source kubeconfig file
+ ansible.builtin.debug:
+ var: kubeconfig_source
+
+ tasks:
+
+# kubectl -n snowdrop-site get secret www-snowdrop-dev-tls -o json | jq -r '.data["^Cs.key"]'
+# k get secret/qshift-snowdrop-dev-tls -n snowdrop-site -ojson | jq -r '.data."tls.crt"' | base64 -d > tls.crt
+# k get secret/qshift-snowdrop-dev-tls -n snowdrop-site -ojson | jq -r '.data."tls.key"' | base64 -d > tls.key
+ - name: Get TLS secret
+ kubernetes.core.k8s_info:
+ kubeconfig: "{{ kubeconfig_source }}"
+ kind: Secret
+ name: "{{ site_name }}-snowdrop-dev-tls"
+ namespace: snowdrop-site
+ register: tls_info
+
+ - name: Print TLS secret
+ ansible.builtin.debug:
+ var: tls_info
+
+ - name: Get TLS certificate and key
+ ansible.builtin.set_fact:
+ tls_certificate: "{{ tls_info.resources[0].data['tls.crt'] | b64decode }}"
+ tls_key: "{{ tls_info.resources[0].data['tls.key'] | b64decode }}"
+
+ - name: Print TLS data
+ ansible.builtin.debug:
+ msg:
+ - "{{ tls_certificate }}"
+ - "{{ tls_key }}"
+
+- name: "Update certificate on target"
+ hosts: "{{ target_host | default(['localhost']) }}"
+ gather_facts: yes
+
+ pre_tasks:
+ - name: Define Kubeconfig
+ ansible.builtin.set_fact:
+ kubeconfig_target: "{{ target_kubeconfig | default('~/.kube/config') }}"
+
+ tasks:
+ - name: Define target variables for OpenShift
+ ansible.builtin.set_fact:
+ target_namespace: openshift-ingress
+ target_secret_name: "{{ site_name }}-console"
+ when: target_cluster_type == 'openshift'
+
+ - name: Define target variables for Kubernetes (TBD)
+ ansible.builtin.set_fact:
+ target_namespace: ingress-nginx
+ target_secret_name: "{{ site_name }}-console"
+ when: target_cluster_type == 'kubernetes'
+
+# k -n openshift-ingress delete secret/qshift-console
+ - name: Remove the ingress console secret
+ kubernetes.core.k8s:
+ kubeconfig: "{{ kubeconfig_target }}"
+ state: absent
+ api_version: v1
+ kind: Secret
+ namespace: openshift-ingress
+ name: "{{ target_secret_name }}"
+
+# k -n openshift-ingress create secret tls qshift-console --cert=pki/tls.crt --key=pki/tls.key # --dry-run="client" -oyaml
+ - name: Create the ingress console secret
+ kubernetes.core.k8s:
+ kubeconfig: "{{ kubeconfig_target }}"
+ state: present
+ definition:
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: "{{ target_secret_name }}"
+ namespace: openshift-ingress
+ # labels:
+ # app: galaxy
+ # service: web
+ type: kubernetes.io/tls
+ data:
+ tls.crt: "{{ tls_certificate | b64encode }}"
+ tls.key: "{{ tls_key | b64encode }}"
+
+...
+# ansible-playbook ansible/playbook/update_letsencrypt_certificate.yml -e source_kubeconfig=${HOME}/.kube/snowdrop-rhosp-snowdrop-k8s-config --check
diff --git a/collections/requirements.yml b/collections/requirements.yml
index ec41091e..f033f323 100644
--- a/collections/requirements.yml
+++ b/collections/requirements.yml
@@ -20,4 +20,7 @@ collections:
 - name: ansible.posix
 version: 1.5.4
+
+ - name: kubernetes.core
+ version: 2.4.1
 ...
diff --git a/requirements.txt b/requirements.txt
index c36f1dd7..a72d2bd1 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -6,3 +6,6 @@ yq ~= 3.2.2
 #ansible >=7.0.0,<8.0.0
 ansible ~= 8.0.0
 ansible-lint
+kubernetes >= 12.0.0
+PyYAML >= 3.11
+jsonpatch
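Review bot: The `Print TLS secret` and `Print TLS data` debug tasks write the base64 secret and the decoded private key to the Ansible console and to any log or CI capture of the run, and the `Get TLS secret`, `Get TLS certificate and key` and `Create the ingress console secret` tasks expose the same key in their registered or reported results; drop the two debug tasks and put `no_log: true` on the three tasks that touch `tls_key` (accepting that module error output is masked too). The delete-then-create pair leaves the ingress without its certificate between the two API calls and hard-codes `namespace: openshift-ingress` in both tasks, ignoring the `target_namespace` fact that the kubernetes branch sets to `ingress-nginx`; `state: present` with a full `definition` already patches an existing Secret, so `Remove the ingress console secret` can go and the create task should use `namespace: "{{ target_namespace }}"`. `tls_info.resources[0]` also fails with an opaque index error when the source secret does not exist, so assert `tls_info.resources | length == 1` first. Note that `target_cluster_type`, `tls_certificate` and `tls_key` are host facts of `source_host` and are only visible in the second play because both plays default to `localhost`; a different `target_host` would need them read through `hostvars`.
```yaml
    - name: Get TLS secret
      # … unchanged: kubernetes.core.k8s_info arguments …
      register: tls_info
      no_log: true  # registered result carries tls.key

    - name: Check that the source secret exists
      ansible.builtin.assert:
        that: tls_info.resources | length == 1
        fail_msg: "Secret {{ site_name }}-snowdrop-dev-tls not found in namespace snowdrop-site"
        quiet: true

    - name: Get TLS certificate and key
      # … unchanged: set_fact of tls_certificate and tls_key …
      no_log: true

    # … the "Print TLS secret" and "Print TLS data" debug tasks are removed …

# … unchanged: second play header, kubeconfig_target and target_namespace/target_secret_name facts …

    # … the "Remove the ingress console secret" task is removed …
    - name: Create the ingress console secret
      kubernetes.core.k8s:
        kubeconfig: "{{ kubeconfig_target }}"
        state: present
        definition:
          # … unchanged: apiVersion, kind …
          metadata:
            name: "{{ target_secret_name }}"
            namespace: "{{ target_namespace }}"
          # … unchanged: type, data …
      no_log: true  # definition carries tls.key
```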
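Review bot: The three new Python dependencies are added with open lower bounds (`kubernetes >= 12.0.0`, `PyYAML >= 3.11`) or no constraint at all (`jsonpatch`), while the surrounding lines pin with `~=` (`yq ~= 3.2.2`, `ansible ~= 8.0.0`); an unpinned client library resolves to whatever is newest at install time, so the environment is not reproducible and a breaking or compromised release is picked up silently. The `>= 12.0.0` floor looks like the collection's minimum rather than a version this playbook was exercised against. Pin all three to the versions actually tested, in the file's existing style, and consider a hash-locked lockfile for CI installs.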
From d94ac8afb18c7d073343ea19513040a6f1912070 Mon Sep 17 00:00:00 2001
From: Antonio Costa
Date: Mon, 11 Mar 2024 16:48:58 +0100
Subject: [PATCH 2/4] docs: improved the information for the sample
---
 ansible/playbook/README.adoc | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/ansible/playbook/README.adoc b/ansible/playbook/README.adoc
index f84701f7..aa9f686f 100644
--- a/ansible/playbook/README.adoc
+++ b/ansible/playbook/README.adoc
@@ -219,16 +219,15 @@ Sample execution of the `update_letsencrypt_certificate.yml` playbook.
 [source,bash]
 ----
 ansible-playbook ansible/playbook/update_letsencrypt_certificate.yml \
- -e source_kubeconfig=${HOME}/.kube/snowdrop-rhosp-snowdrop-k8s-config \ <1>
- -e target_kubeconfig=${HOME}/.kube/rh-ocp-qshift-drp2b-config \ <2>
+ -e source_kubeconfig=${HOME}/.kube/snowdrop-k8s-config \ <1>
+ -e target_kubeconfig=${HOME}/.kube/qshift-ocp-cluster-config \ <2>
 -e site_name=qshift <3>
 ----
-<1> `kubeconfig` file for the cluster running the certificate renewal.
-<2> `kubeconfig` file for the cluster that requires the update.
+<1> `kubeconfig` file for the cluster running the certificate renewal. Can be obtained from the passwordstore using `pass show -c openstack/snowdrop-k8s/kubeconfig`.
+<2> `kubeconfig` file for the cluster that requires the update. In the example we're using the `qshift` cluster which `kubeconfig` can also be obtained from the passwordstore using `pass show -c openstack/ocp-qshift-drp2b/kubeconfig`.
 <3> Name of the Openshift cluster
-
 == Modules
 :leveloffset: +2
From 774f2c652ad89c2a2fb2c6e92da2a70332854318 Mon Sep 17 00:00:00 2001
From: Antonio Costa
Date: Mon, 11 Mar 2024 17:02:34 +0100
Subject: [PATCH 3/4] docs: improved the information for the sample
---
 ansible/playbook/README.adoc | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/ansible/playbook/README.adoc b/ansible/playbook/README.adoc
index aa9f686f..196f40d1 100644
--- a/ansible/playbook/README.adoc
+++ b/ansible/playbook/README.adoc
@@ -157,6 +157,34 @@ ansible-playbook ansible/playbook/passstore_manage_host_groups.yml -e operation=
 [.lead]
 Updates the certificates for the openshift ingress console.
+[CAUTION]
+====
+This playbook assumes that the prefix added to the secret updated by the
+ _Certificate Manager_ is the same name of the OpenShift cluster.
+
+For the sake of the examples the name used is `qshift`.
+
+[source,bash]
+----
+$ kc --kubeconfig=${HOME}/.kube/snowdrop-k8s-config --namespace snowdrop-site get secret
+NAME TYPE DATA AGE
+...
+qshift-snowdrop-dev-tls kubernetes.io/tls 2 96d
+...
+----
+
+On the target OpenShift cluster the namespace and secret will be named
+ `openshift-ingress` and `` accordingly.
+
+[source,bash]
+----
+$ kc -n openshift-ingress get secret
+NAME TYPE DATA AGE
+qshift-console kubernetes.io/tls 2 20d
+----
+
+====
+
 .Playbook parameters
 [%header,cols="25%,75%"]
 |===
From 781bb29f0cc3c552410921297f55f707be3c91ec Mon Sep 17 00:00:00 2001
From: Antonio Costa
Date: Mon, 11 Mar 2024 17:03:05 +0100
Subject: [PATCH 4/4] docs: improved the information for the sample
---
 ansible/playbook/README.adoc | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/ansible/playbook/README.adoc b/ansible/playbook/README.adoc
index 196f40d1..cc7f174f 100644
--- a/ansible/playbook/README.adoc
+++ b/ansible/playbook/README.adoc
@@ -6,6 +6,13 @@ Antonio C.
 :toc: left
 :toclevels: 3
 :description: This document describes the implemented playbooks.
+ifdef::env-github[]
+:tip-caption: :bulb:
+:note-caption: :information_source:
+:important-caption: :heavy_exclamation_mark:
+:caution-caption: :fire:
+:warning-caption: :warning:
+endif::[]
 == Playbooks