--- # # Copyright (c) 2021-2023 Wind River Systems, Inc. # # SPDX-License-Identifier: Apache-2.0 # # This is an example inventory file to be used for # usr/share/ansible/stx-ansible/playbooks/update_platform_certificates.yml # playbook. # # To run the playbook, the user would define an overrides file (as exemplified here) # providing the required variable settings and pass it on the ansible command-line as a parameter. # # Example ansible command: # ansible-playbook update_platform_certificates.yml \ # -i @my-inventory-file.yml \ # --extra-vars "target_list=localhost,subcloud1 mode=update" # Use target_list to target individual subclouds, or a comma-separated # list of subclouds such as 'subcloud1,subcloud2'. To target all online # subclouds at once use 'target_list=all_online_subclouds'. # # To target the system controller or standalone systems use 'target_list=localhost'. # It's recomended to have always at least localhost in the target_list, avoiding # the loss of consistency of the certificates between the hosts in DC systems. # # Note on the example parameters below : # # Parameter system_local_ca_cert will be the certificate that will be used as the # issuer for platform certificates (registry.local, https / rest-api, oidc) # # If system_local_ca_cert is an Intermediate CA (recommended), make sure that # system_root_ca_cert is the Root CA which is its Issuer. # # Please make sure that you use a system_root_ca_cert and system_local_ca_cert certificate # with a long duration. The playbook will fail if any of these CA certificates expire in # less than the default expected values in min years: # - For RCA, is 3 years; # - For ICA, is 1 year. # # If you wish to use a different value for CA duration you can override # it by setting a different value to validation parameters rca_duration/ica_duration. # Example: # 'rca_duration: 2' will result in the playbook only accepting RCAs expiring 2 or more # years from now. # # Please also make sure that duration and renewBefore are sensible values # considering the system_local_ca_cert remaining duration. # # See: https://docs.starlingx.io/security/kubernetes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.html # all: vars: # If using an Intermediate CA for system_local_ca_cert (recommended), the value # for system_root_ca_cert needs to be the Root CA which is the Issuer of system_local_ca_cert system_root_ca_cert: # It's strongly recommended using an Intermediate CA for system_local_ca_cert # as that has the advantages of anchoring your certificates to your external Root CA. # However, it is possible to simply specify a Root CA for system_local_ca_cert. # For that, specify system_local_ca_cert and system_local_ca_key with values from your Root CA. # Note: system_local_ca_cert and system_root_ca_cert must be the same for that configuration. system_local_ca_cert: system_local_ca_key: # the ica_duration/rca_duration parameters are optional. If not specified, it defaults to 3 # for RCA and 1 for ICA. # It represents the number of years for the CA certificates expiration validity check. # It is not recommended to use short values for this parameter. # rca_duration: 3 # ica_duration: 1 children: # This will be applied to all online subclouds # Use the below example in hosts to override particulars for a subcloud such as passwords target_group: vars: system_platform_certificate: dns_domain: xyz.com duration: 2160h # 90d renewBefore: 360h # 15d subject_C: CA subject_ST: ontario subject_L: ottawa subject_O: myorganization subject_OU: engineering subject_CN: myorganization.com # SSH password to connect to all subclouds ansible_ssh_user: sysadmin ansible_ssh_pass: # Sudo password ansible_become_pass: # Add a child group, as exemplified below, if you need individual # overrides for specific subcloud hosts # Use the hosts section to add the list of hosts # Use the vars section to override target_group variables # such as the ssh password, for instance # Note that you can also override multiple hosts at once or # have multiple children groups if necessary # Example: # children: # different_password_group: # vars: # ansible_ssh_user: sysadmin # ansible_ssh_pass: # ansible_become_pass: # hosts: # subcloud1: # subcloud2: