[SECURESIGN-1479] Trillian TLS: add external DB TLS CA certificate (#102

)
securesign · Dec 31, 2024 · e4f57f7 · e4f57f7
1 parent 9d406c2
commit e4f57f7
Show file tree

Hide file tree

Showing 7 changed files with 100 additions and 13 deletions.
diff --git a/molecule/check_creds.yml b/molecule/check_creds.yml
@@ -0,0 +1,10 @@
+---
+- name: Error out if registry username is not set
+  ansible.builtin.fail:
+    msg: "Username for registry.redhat.io is not set, please provide it via TAS_SINGLE_NODE_REGISTRY_USERNAME env variable"
+  when: tas_single_node_registry_username == ""
+
+- name: Error out if registry password is not set
+  ansible.builtin.fail:
+    msg: "Password for registry.redhat.io is not set, please provide it via TAS_SINGLE_NODE_REGISTRY_PASSWORD env variable"
+  when: tas_single_node_registry_password == ""
diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
@@ -6,15 +6,8 @@
     - vars/vars.yml
     - vars/podman.yml
   tasks:
-    - name: Error out if registry username is not set
-      ansible.builtin.fail:
-        msg: "Username for registry.redhat.io is not set, please provide it via TAS_SINGLE_NODE_REGISTRY_USERNAME env variable"
-      when: tas_single_node_registry_username == ""
-
-    - name: Error out if registry password is not set
-      ansible.builtin.fail:
-        msg: "Password for registry.redhat.io is not set, please provide it via TAS_SINGLE_NODE_REGISTRY_PASSWORD env variable"
-      when: tas_single_node_registry_password == ""
+    - name: Ensure Registry credentials are set
+      ansible.builtin.include_tasks: ../check_creds.yml
 
     - name: Apply tas_single_node role
       ansible.builtin.include_role:

diff --git a/molecule/user_provided/converge.yml b/molecule/user_provided/converge.yml
diff --git a/molecule/user_provided/converge.yml b/molecule/user_provided/converge.yml
@@ -0,0 +1,21 @@
+---
+- name: Converge
+  hosts: molecule
+  gather_facts: true
+  vars_files:
+    - vars/vars.yml
+    - vars/podman.yml
+  tasks:
+    - name: Ensure Registry credentials are set
+      ansible.builtin.include_tasks: ../check_creds.yml
+
+    - name: Copy CA certificate content into tas_single_node_trillian_trusted_ca
+      ansible.builtin.slurp:
+        src: "/etc/mysql/ssl/ca-cert.pem"
+      register: ca_cert_content
+
+    - name: Apply tas_single_node role
+      ansible.builtin.include_role:
+        name: tas_single_node
+      vars:
+        tas_single_node_trillian_trusted_ca: "{{ ca_cert_content.content | b64decode }}"
diff --git a/molecule/user_provided/molecule.yml b/molecule/user_provided/molecule.yml
diff --git a/molecule/user_provided/molecule.yml b/molecule/user_provided/molecule.yml
@@ -0,0 +1,17 @@
+---
+dependency:
+  name: galaxy
+  options:
+    requirements-file: molecule/requirements.yml
+driver:
+  name: default
+platforms:
+  - name: instance
+    private_key_file_path: ~/.ssh/id_rsa
+    image_id: ami-0cd93da2da7f10cab
+    instance_type: m5.large
+    aws_key_name: CI-TEST
+provisioner:
+  name: ansible
+  env:
+    ANSIBLE_ROLES_PATH: "../../roles"
diff --git a/molecule/user_provided/prepare.yml b/molecule/user_provided/prepare.yml
@@ -61,11 +61,11 @@
       delay: 5
 
     - name: Import Trillian schema
-      shell: |
+      ansible.builtin.shell: |
         mysql -u root trillian < /tmp/schema.sql
  
     - name: Prepare MariaDB configuration
-      shell: |
+      ansible.builtin.shell: |
         mysql <<EOF
         ALTER USER 'root'@'localhost' IDENTIFIED BY 'rootpassword';
         GRANT ALL ON *.* to 'root'@'%' IDENTIFIED BY 'rootpassword' WITH GRANT OPTION;
@@ -80,3 +80,43 @@
         #- name: Set up a non-root sudoer to replicate a user environment
         #ansible.builtin.include_tasks: ../testing_user_setup.yaml
         #with_items: "{{ users }}" 
+
+    - name: Generate TLS certificates for MariaDB
+      ansible.builtin.shell: |
+        rm -rf /etc/mysql/ssl
+        mkdir -p /etc/mysql/ssl
+        openssl genrsa -out /etc/mysql/ssl/ca-key.pem 2048
+        openssl req -x509 -new -nodes -key /etc/mysql/ssl/ca-key.pem -sha256 -days 3650 -out /etc/mysql/ssl/ca-cert.pem -subj "/CN=CustomCA" \
+          -addext "subjectAltName=DNS:localhost,IP:{{ ansible_default_ipv4.address }}"
+        openssl genrsa -out /etc/mysql/ssl/server-key.pem 2048
+        openssl req -new -key /etc/mysql/ssl/server-key.pem -out /etc/mysql/ssl/server-req.pem -subj "/CN=MySQLServer" \
+            -addext "subjectAltName=DNS:localhost,IP:{{ ansible_default_ipv4.address }}"
+        openssl x509 -req -in /etc/mysql/ssl/server-req.pem -CA /etc/mysql/ssl/ca-cert.pem -CAkey /etc/mysql/ssl/ca-key.pem -CAcreateserial \
+            -out /etc/mysql/ssl/server-cert.pem -days 365 -sha256 -extfile <(printf "subjectAltName=DNS:localhost,IP:{{ ansible_default_ipv4.address }}")
+
+        chmod 600 /etc/mysql/ssl/*.pem
+        chown mysql:mysql /etc/mysql/ssl/*.pem
+      args:
+        creates: /etc/mysql/ssl/server-cert.pem
+
+    - name: Configure TLS for MariaDB
+      ansible.builtin.blockinfile:
+        path: /etc/my.cnf.d/mariadb-server.cnf
+        block: |
+          [mysqld]
+          skip-name-resolve
+          max_allowed_packet=64M
+          max_connections=200
+          wait_timeout=600
+          interactive_timeout=600
+          ssl-ca=/etc/mysql/ssl/ca-cert.pem
+          ssl-cert=/etc/mysql/ssl/server-cert.pem
+          ssl-key=/etc/mysql/ssl/server-key.pem
+      notify:
+        - Restart MariaDB
+
+  handlers:
+    - name: Restart MariaDB
+      ansible.builtin.service:
+        name: mariadb
+        state: restarted
diff --git a/roles/tas_single_node/templates/manifests/trillian/trillian-logserver.j2 b/roles/tas_single_node/templates/manifests/trillian/trillian-logserver.j2
@@ -40,6 +40,10 @@ spec:
             - --rpc_endpoint=0.0.0.0:{{ tas_single_node_trillian_logserver_port_rpc }}
             - --http_endpoint=0.0.0.0:{{ tas_single_node_trillian_logserver_port_http }}
             - --alsologtostderr
+{% if tas_single_node_trillian_trusted_ca != "" and not tas_single_node_trillian.database_deploy %}
+            - --mysql_tls_ca=/var/run/configs/tas/ca-trust/trillian-trusted-ca.pem
+            - --mysql_server_name={{ tas_single_node_trillian.mysql.host }}
+{% endif %}
           env:
             - name: MYSQL_USER
               valueFrom:

diff --git a/roles/tas_single_node/templates/manifests/trillian/trillian-logsigner.j2 b/roles/tas_single_node/templates/manifests/trillian/trillian-logsigner.j2
@@ -54,6 +54,10 @@ spec:
             - --http_endpoint=0.0.0.0:{{ tas_single_node_trillian_logserver_port_http }}
             - --force_master=true
             - --alsologtostderr
+{% if tas_single_node_trillian_trusted_ca != "" and not tas_single_node_trillian.database_deploy %}
+            - --mysql_tls_ca=/var/run/configs/tas/ca-trust/trillian-trusted-ca.pem
+            - --mysql_server_name={{ tas_single_node_trillian.mysql.host }}
+{% endif %}
           env:
             - name: MYSQL_USER
               valueFrom: