[SECURESIGN-1478] Support user-supplied CA certs for Trillian (#80)

securesign · Nov 4, 2024 · 142d294 · 142d294
1 parent 161bbed
commit 142d294
Show file tree

Hide file tree

Showing 7 changed files with 69 additions and 3 deletions.
diff --git a/roles/tas_single_node/README.md b/roles/tas_single_node/README.md
@@ -30,6 +30,7 @@ Deploy the [RHTAS](https://docs.redhat.com/en/documentation/red_hat_trusted_arti
 | tas_single_node_tsa_tink_hcvault_token | The authentication token for Hashicorp Vault API calls. | str |  |
 | tas_single_node_skip_os_install | Whether or not to skip the installation of the required operating system packages. Only use this option when all packages are already installed at the versions released for RHEL 9.2 or later. | bool |  `False`  |
 | tas_single_node_meta_issuers | The list of OIDC meta issuers allowed to authenticate Fulcio certificate requests. | list of dicts of 'tas_single_node_meta_issuers' options |  `[]`  |
+| tas_single_node_trillian_trusted_ca | Trusted CA certificate for Trillian, enabling secure TLS connections between the Trillian Logserver/Logsigner and the Trillian database. This CA certificate validates the authenticity of the Trillian database, ensuring encrypted and trusted data exchanges. | str |  |
 | tas_single_node_fulcio_server_image | Fulcio image | str |  `registry.redhat.io/rhtas/fulcio-rhel9@sha256:67495de82e2fcd2ab4ad0e53442884c392da1aa3f5dd56d9488a1ed5df97f513`  |
 | tas_single_node_trillian_log_server_image | Trillian log server image | str |  `registry.redhat.io/rhtas/trillian-logserver-rhel9@sha256:994a860e569f2200211b01f9919de11d14b86c669230184c4997f3d875c79208`  |
 | tas_single_node_logsigner_image | Trillian logsigner image | str |  `registry.redhat.io/rhtas/trillian-logsigner-rhel9@sha256:37028258a88bba4dfaadb59fc88b6efe9c119a808e212ad5214d65072abb29d0`  |

diff --git a/roles/tas_single_node/defaults/main.yml b/roles/tas_single_node/defaults/main.yml
@@ -40,6 +40,8 @@ tas_single_node_oidc_issuers: []
 
 tas_single_node_meta_issuers: []
 
+tas_single_node_trillian_trusted_ca: ""
+
 # When adding or altering names for our images, consult the mapping in /~https://github.com/securesign/structural-tests
 # To avoid breaking our structural tests
 

diff --git a/roles/tas_single_node/meta/argument_specs.yml b/roles/tas_single_node/meta/argument_specs.yml
@@ -237,6 +237,14 @@ argument_specs:
             type: "str"
             required: true
             version_added: "1.1.0"
+      tas_single_node_trillian_trusted_ca:
+        description: >
+          Trusted CA certificate for Trillian, enabling secure TLS connections between the Trillian Logserver/Logsigner and the Trillian database.
+          This CA certificate validates the authenticity of the Trillian database, ensuring encrypted and trusted data exchanges.
+        type: "str"
+        required: false
+        version_added: "1.1.1"
+        default: ""
       tas_single_node_fulcio_server_image:
         description: "Fulcio image"
         type: "str"

diff --git a/roles/tas_single_node/tasks/podman/trillian.yml b/roles/tas_single_node/tasks/podman/trillian.yml
@@ -18,6 +18,23 @@
         mysql-user: "{{ tas_single_node_trillian.mysql.user | b64encode }}"
   register: secret_result
 
+- name: Create Trillian CA certificate ConfigMap (with default empty value if not provided)
+  ansible.builtin.copy:
+    content: "{{ configmap_content | to_nice_yaml(indent=2) }}"
+    dest: "{{ tas_single_node_trillian_trusted_ca_configmap }}"
+    mode: "0600"
+  vars:
+    configmap_content:
+      kind: ConfigMap
+      apiVersion: v1
+      metadata:
+        name: "{{ tas_single_node_trillian_trusted_ca_configmap_name }}"
+        namespace: trillian-system
+      data:
+        trillian-trusted-ca.pem: |
+          {{ tas_single_node_trillian_trusted_ca }}
+  register: configmap_result
+
 - name: Build Trillian Database Manifest specs
   ansible.builtin.include_tasks: podman/install_manifest.yml
   vars:
@@ -37,9 +54,11 @@
       state: started
       systemd_file: trillian-signer
       network: "{{ tas_single_node_podman_network }}"
-      kube_file_content: "{{ lookup('ansible.builtin.template', 'manifests/trillian/trillian-logsigner.yaml') | from_yaml }}"
+      kube_file_content: "{{ lookup('ansible.builtin.template', 'manifests/trillian/trillian-logsigner.j2') | from_yaml }}"
       secret: "{{ tas_single_node_trillian_secret }}"
       secret_changed: "{{ secret_result.changed }}"
+      configmap: "{{ tas_single_node_trillian_trusted_ca_configmap }}"
+      configmap_changed: "{{ configmap_result.changed | default('false') }}"
 
 - name: Build Trillian Log Server Manifest specs
   ansible.builtin.include_tasks: podman/install_manifest.yml
@@ -48,6 +67,8 @@
       state: started
       systemd_file: trillian-server
       network: "{{ tas_single_node_podman_network }}"
-      kube_file_content: "{{ lookup('ansible.builtin.template', 'manifests/trillian/trillian-logserver.yaml') | from_yaml }}"
+      kube_file_content: "{{ lookup('ansible.builtin.template', 'manifests/trillian/trillian-logserver.j2') | from_yaml }}"
       secret: "{{ tas_single_node_trillian_secret }}"
       secret_changed: "{{ secret_result.changed }}"
+      configmap: "{{ tas_single_node_trillian_trusted_ca_configmap }}"
+      configmap_changed: "{{ configmap_result.changed | default('false') }}"
diff --git a/...anifests/trillian/trillian-logserver.yaml → .../manifests/trillian/trillian-logserver.j2 b/...anifests/trillian/trillian-logserver.yaml → .../manifests/trillian/trillian-logserver.j2
@@ -21,8 +21,19 @@ spec:
         app.kubernetes.io/component: trillian-logserver
         app.kubernetes.io/instance: scaffold
     spec:
+{% if tas_single_node_trillian_trusted_ca != "" %}
+      volumes:
+        - name: ca-trust
+          configMap:
+            name: {{ tas_single_node_trillian_trusted_ca_configmap_name }}
+{% endif %}
       containers:
         - name: trillian-trillian-logserver
+{% if tas_single_node_trillian_trusted_ca != "" %}
+          volumeMounts:
+            - name: ca-trust
+              mountPath: /var/run/configs/tas/ca-trust
+{% endif %}
           image: "{{ tas_single_node_trillian_log_server_image }}"
           imagePullPolicy: IfNotPresent
           args:
@@ -52,6 +63,10 @@ spec:
               value: "{{ tas_single_node_trillian.mysql.host }}"
             - name: MYSQL_PORT
               value: "{{ tas_single_node_trillian.mysql.port | quote }}"
+{% if tas_single_node_trillian_trusted_ca != "" %}
+            - name: SSL_CERT_DIR
+              value: "/var/run/configs/tas/ca-trust"
+{% endif %}
           ports:
             - containerPort: 8091
               protocol: TCP

diff --git a/...anifests/trillian/trillian-logsigner.yaml → .../manifests/trillian/trillian-logsigner.j2 b/...anifests/trillian/trillian-logsigner.yaml → .../manifests/trillian/trillian-logsigner.j2
@@ -32,8 +32,19 @@ spec:
           resources: {}
           terminationMessagePath: /dev/termination-log
           terminationMessagePolicy: File
+{% if tas_single_node_trillian_trusted_ca != "" %}
+      volumes:
+        - name: ca-trust
+          configMap:
+            name: {{ tas_single_node_trillian_trusted_ca_configmap_name }}
+{% endif %}
       containers:
         - name: trillian-trillian-logsigner
+{% if tas_single_node_trillian_trusted_ca != "" %}
+          volumeMounts:
+            - name: ca-trust
+              mountPath: /var/run/configs/tas/ca-trust
+{% endif %}
           image: "{{ tas_single_node_trillian_log_signer_image }}"
           imagePullPolicy: IfNotPresent
           ports:
@@ -66,7 +77,11 @@ spec:
             - name: MYSQL_HOSTNAME
               value: "{{ tas_single_node_trillian.mysql.host }}"
             - name: MYSQL_PORT
-              value: "{{ tas_single_node_trillian.mysql.port | quote }})"
+              value: "{{ tas_single_node_trillian.mysql.port | quote }}"
+{% if tas_single_node_trillian_trusted_ca != "" %}
+            - name: SSL_CERT_DIR
+              value: "/var/run/configs/tas/ca-trust"
+{% endif %}
           resources: {}
           terminationMessagePath: /dev/termination-log
           terminationMessagePolicy: File

diff --git a/roles/tas_single_node/vars/main.yml b/roles/tas_single_node/vars/main.yml
@@ -82,6 +82,7 @@ tas_single_node_nginx_config: "{{ tas_single_node_kube_configmap_dir }}/nginx-co
 tas_single_node_apache_config: "{{ tas_single_node_kube_configmap_dir }}/apache-config.yaml"
 tas_single_node_nginx_certs_config: "{{ tas_single_node_kube_configmap_dir }}/nginx-certs.yaml"
 tas_single_node_trillian_secret: "{{ tas_single_node_kube_configmap_dir }}/trillian-secret.yaml"
+tas_single_node_trillian_trusted_ca_configmap: "{{ tas_single_node_kube_configmap_dir }}/trillian-trusted-ca-configmap.yaml"
 tas_single_node_tsa_secret: "{{ tas_single_node_kube_configmap_dir }}/tsa-secret.yaml"
 tas_single_node_systemd_directory: /etc/systemd/system
 
@@ -90,3 +91,6 @@ tas_single_node_remote_tsa_signer_private_key: "{{ tas_single_node_certs_dir }}/
 tas_single_node_remote_tsa_leaf_certificate: "{{ tas_single_node_certs_dir }}/{{ tas_single_node_tsa_leaf_certificate_filename }}"
 tas_single_node_remote_tsa_certificate_chain: "{{ tas_single_node_certs_dir }}/{{ tas_single_node_tsa_certificate_chain_filename }}"
 tas_single_node_remote_tsa_private_key: "{{ tas_single_node_certs_dir }}/{{ tas_single_node_tsa_private_key_filename }}"
+
+# Secrets,Certs and Configuration names
+tas_single_node_trillian_trusted_ca_configmap_name: "trillian_trusted_ca"