diff --git a/playbooks/roles/bifrost-create-vm-nodes/templates/redfish-emulator.conf.j2 b/playbooks/roles/bifrost-create-vm-nodes/templates/redfish-emulator.conf.j2
index 901ef4ecd..32cd4195f 100644
--- a/playbooks/roles/bifrost-create-vm-nodes/templates/redfish-emulator.conf.j2
+++ b/playbooks/roles/bifrost-create-vm-nodes/templates/redfish-emulator.conf.j2
@@ -12,3 +12,5 @@ SUSHY_EMULATOR_BOOT_LOADER_MAP = {
 SUSHY_EMULATOR_LISTEN_IP = '{{ redfish_emulator_host }}'
 SUSHY_EMULATOR_LISTEN_PORT = {{ redfish_emulator_port }}
 SUSHY_EMULATOR_STATE_DIR = '{{ redfish_emulator_state_dir }}'
+# Sadly this is how real hardware works:
+SUSHY_EMULATOR_VMEDIA_VERIFY_SSL = False
diff --git a/playbooks/roles/bifrost-ironic-install/defaults/main.yml b/playbooks/roles/bifrost-ironic-install/defaults/main.yml
index abd6a7c66..bdd3d69d1 100644
--- a/playbooks/roles/bifrost-ironic-install/defaults/main.yml
+++ b/playbooks/roles/bifrost-ironic-install/defaults/main.yml
@@ -14,6 +14,7 @@ http_boot_folder: /httpboot
 ironic_tftp_master_path: /var/lib/ironic/master_images
 staging_drivers_include: false
 file_url_port: "8080"
+file_url_port_tls: "8083"
 ironicclient_source_install: false
 openstacksdk_source_install: false
 ironicinspector_source_install: true
@@ -370,10 +371,12 @@ fact_gather_timeout: "{{ lookup('config', 'DEFAULT_GATHER_TIMEOUT', on_missing='
 # Enable TLS support.
 enable_tls: false
+vmedia_enable_tls: "{{ enable_tls }}"
 tls_root: /etc/bifrost
 tls_certificate_path: "{{ tls_root }}/bifrost.crt"
 ironic_private_key_path: /etc/ironic/ironic.pem
 ironic_inspector_private_key_path: /etc/ironic-inspector/inspector.pem
+httpboot_private_key_path: /etc/nginx/httpboot.pem
 # Enable Ironic Prometheus Exporter
 enable_prometheus_exporter: false
diff --git a/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml b/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
index 76157022c..cbbf587b3 100644
--- a/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
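Review bot: `SUSHY_EMULATOR_VMEDIA_VERIFY_SSL = False` switches off certificate verification for the emulator's virtual-media downloads, and the comment above it does not say why that is acceptable here. Because this emulator is what the CI jobs use as a BMC, a reader may take the line as a recommended setting, so I would spell the reasoning out: `# The httpboot server presents Bifrost's self-signed certificate, which the emulator (like most real BMCs) cannot verify; the emulator is test-only, so verification is skipped.` It is also worth noting somewhere that, with verification disabled, the CI jobs in this change will not detect a certificate or hostname mismatch on the new TLS server.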
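Review bot: The new defaults `file_url_port_tls`, `vmedia_enable_tls` and `httpboot_private_key_path` carry no comment, whereas the neighbouring `enable_tls` is introduced with `# Enable TLS support.`; the same applies to the second hunk of this file (`@@ -370`). Since `vmedia_enable_tls` defaults to the value of `enable_tls` and is the switch that makes Ironic publish an https `external_http_url`, a one-line note per option would help operators reading the defaults: `# Serve virtual media images over TLS; requires enable_tls (defaults to its value).` above `vmedia_enable_tls`, and `# Port of the TLS-only httpboot server used for virtual media.` above `file_url_port_tls`.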
+++ b/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml @@ -33,6 +33,13 @@ - noauth_mode | bool - enable_keystone | bool +- name: "Fail if TLS is inconsistently configured" + fail: + msg: Setting vmedia_enable_tls to true requires also enable_tls. + when: + - not enable_tls | bool + - vmedia_enable_tls | bool + - name: "Setup firewalld" include_tasks: setup_firewalld.yml when: use_firewalld | bool @@ -163,6 +170,15 @@ dest_private_key_group: ironic when: enable_tls | bool +- name: "Generate vmedia TLS parameters" + include_role: + name: bifrost-tls + vars: + dest_private_key_path: "{{ httpboot_private_key_path }}" + dest_private_key_owner: "{{ nginx_user }}" + dest_private_key_group: "{{ nginx_user }}" + when: vmedia_enable_tls | bool + - name: "Populate keystone for Bifrost" include: keystone_setup.yml when: enable_keystone | bool @@ -396,6 +412,7 @@ - 68 - 69 - "{{ file_url_port }}" + - "{{ file_url_port_tls }}" - 6385 when: not use_firewalld | bool @@ -421,13 +438,14 @@ immediate: yes loop: - "{{ file_url_port }}" + - "{{ file_url_port_tls }}" - 6385 when: use_firewalld | bool - block: - name: "Allow nginx, ironic, inspector and IPA ports on SELinux" seport: - ports: "{{ file_url_port }},6385,5050,9999" + ports: "{{ file_url_port }},{{ file_url_port_tls }},6385,5050,9999" proto: tcp setype: http_port_t state: present diff --git a/playbooks/roles/bifrost-ironic-install/templates/ironic.conf.j2 b/playbooks/roles/bifrost-ironic-install/templates/ironic.conf.j2 index 0174bd6bb..498c4be08 100644 --- a/playbooks/roles/bifrost-ironic-install/templates/ironic.conf.j2 +++ b/playbooks/roles/bifrost-ironic-install/templates/ironic.conf.j2 @@ -88,6 +88,9 @@ erase_devices_metadata_priority = 0 erase_devices_priority = 0 erase_devices_metadata_priority = 10 {% endif %} +{% if vmedia_enable_tls | bool %} +external_http_url = https://{{ internal_ip }}:{{ file_url_port_tls }}/ +{% endif %} [conductor] automated_clean = {{ cleaning | lower }} 
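Review bot: The iptables and firewalld tasks (`@@ -396` and `@@ -421`) and the seport task open `file_url_port_tls` unconditionally, but the nginx server that listens on it is only rendered when `vmedia_enable_tls` is true, so with it false the port is opened for nothing. Both firewall tasks iterate per item, so the extra port can be gated in the task's `when:` list with `- item != file_url_port_tls or vmedia_enable_tls | bool`, and the seport string can become `ports: "{{ file_url_port }},{{ file_url_port_tls + ',' if vmedia_enable_tls | bool else '' }}6385,5050,9999"`. The iptables task's loop keyword is outside the hunk, so I am assuming it exposes the current element as `item` the way the firewalld task's `loop:` does.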
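Review bot: The new `external_http_url` is built from `internal_ip`, while the nginx TLS server is configured with `server_name {{ ansible_hostname }}` and presents the shared `tls_certificate_path` certificate; unless that certificate lists the IP in its subjectAltName (its generation is not part of this diff), a BMC that does verify certificates will reject the virtual media URL, and the emulator used in CI will not notice because it runs with verification disabled. I would state the requirement where the certificate is produced, or at least in the defaults next to `tls_certificate_path`, e.g. `# Must be valid for internal_ip when vmedia_enable_tls is set: BMCs fetch virtual media from https://<internal_ip>:<file_url_port_tls>/`.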
diff --git a/playbooks/roles/bifrost-ironic-install/templates/nginx_conf.d_bifrost-httpboot.conf.j2 b/playbooks/roles/bifrost-ironic-install/templates/nginx_conf.d_bifrost-httpboot.conf.j2 index e88749289..00d4cfe3d 100644 --- a/playbooks/roles/bifrost-ironic-install/templates/nginx_conf.d_bifrost-httpboot.conf.j2 +++ b/playbooks/roles/bifrost-ironic-install/templates/nginx_conf.d_bifrost-httpboot.conf.j2 @@ -2,7 +2,25 @@ server { listen {{ file_url_port }}; server_name {{ ansible_hostname }}; root {{ http_boot_folder }}; + location {{ http_boot_folder }}/ { alias {{ http_boot_folder }}/; } + {% if vmedia_enable_tls | bool %} + # Served only through TLS + location ~ ^/(redfish|ilo)/ { + deny all; + return 404; + } + {% endif %} } +{% if vmedia_enable_tls | bool %} +server { + listen {{ file_url_port_tls }} ssl http2; + server_name {{ ansible_hostname }}; + root {{ http_boot_folder }}; + + ssl_certificate {{ tls_certificate_path }}; + ssl_certificate_key {{ httpboot_private_key_path }}; +} +{% endif %} diff --git a/releasenotes/notes/vmedia-tls-ffa56b7c0466b663.yaml b/releasenotes/notes/vmedia-tls-ffa56b7c0466b663.yaml new file mode 100644 index 000000000..b9f406b93 --- /dev/null +++ b/releasenotes/notes/vmedia-tls-ffa56b7c0466b663.yaml @@ -0,0 +1,13 @@ +--- +features: + - | + Virtual media images are now protected by TLS when TLS support is enabled. +upgrade: + - | + If ``enable_tls`` is ``true``, virtual media images for Redfish, + iDRAC-Redfish and iLO are now served via TLS using the Ironic's + TLS certificate. If this is not desired, set the new option + ``vmedia_enable_tls`` to ``false``. + + The new server's port can be configured via the new ``file_url_port_tls`` + option. diff --git a/zuul.d/bifrost-jobs.yaml b/zuul.d/bifrost-jobs.yaml index 0e1d9353e..4727883c1 100644 --- a/zuul.d/bifrost-jobs.yaml +++ b/zuul.d/bifrost-jobs.yaml 
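Review bot: In the plain-HTTP server, `deny all;` inside `location ~ ^/(redfish|ilo)/` is dead code: nginx evaluates `return` in the rewrite phase, before the access phase in which `deny` runs, so every request to those paths gets the 404 and the deny never applies. Keeping only `return 404;` (or only `deny all;`, which would answer 403) makes the intended behaviour unambiguous. The new TLS server block also inherits nginx's default `ssl_protocols`; on distributions whose nginx build still enables TLSv1/TLSv1.1 by default it is worth pinning `ssl_protocols TLSv1.2 TLSv1.3;` next to `ssl_certificate`, to the extent the BMCs in use support it.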
@@ -118,6 +118,7 @@ parent: bifrost-integration-tinyipa-ubuntu-focal
 vars:
 boot_mode: uefi
+ enable_tls: true
 test_driver: redfish
 use_vmedia: true