azimuth-cloud · mkjpryor · Oct 22, 2024 · Sep 6, 2024 · Sep 13, 2024
diff --git a/playbooks/deploy.yml b/playbooks/deploy.yml
@@ -20,8 +20,6 @@
       when: cloud_metrics_enabled
     - role: azimuth_cloud.azimuth_ops.clusterapi
       when: azimuth_kubernetes_enabled
-    - role: azimuth_cloud.azimuth_ops.awx
-      when: azimuth_clusters_enabled
     - role: azimuth_cloud.azimuth_ops.consul
       when: azimuth_apps_enabled or azimuth_clusters_enabled
     - role: azimuth_cloud.azimuth_ops.azimuth_caas_operator

diff --git a/playbooks/provision_cluster.yml b/playbooks/provision_cluster.yml
@@ -14,6 +14,9 @@
 - hosts: k3s
   tasks:
     - block:
+        - include_role:
+            name: azimuth_cloud.azimuth_ops.system_trust
+
         - include_role:
             name: azimuth_cloud.azimuth_ops.sysctl_inotify
 

diff --git a/roles/awx/defaults/main.yml b/roles/awx/defaults/main.yml
diff --git a/roles/awx/tasks/main.yml b/roles/awx/tasks/main.yml
diff --git a/roles/awx/templates/kustomization.yaml b/roles/awx/templates/kustomization.yaml
diff --git a/roles/awx/templates/patch-delete-ns.yaml b/roles/awx/templates/patch-delete-ns.yaml
diff --git a/roles/azimuth/defaults/main.yml b/roles/azimuth/defaults/main.yml
@@ -46,14 +46,7 @@ azimuth_ingress_tls_key: >-
   }}
 
 # Custom trust bundle for SSL verification
-azimuth_trust_bundle: |-
-  {%- if trust_bundle is defined %}
-  {%- for certificate in trust_bundle.values() %}
-  {{ certificate }}
-  {%- endfor %}
-  {%- endif %}
-# The name of the configmap into which the trust bundle should be placed
-azimuth_trust_bundle_configmap_name: "{{ trust_bundle_configmap_name | default('azimuth-trust-bundle') }}"
+azimuth_trust_bundle: "{{ system_trust_ca_bundle | default('') }}"
 
 # The Django secret key, used mainly for ensuring session cookies are not tampered with
 azimuth_secret_key: "{{ undef(hint = 'azimuth_secret_key is required') }}"
@@ -279,7 +272,17 @@ azimuth_apps_base_domain: >-
 azimuth_apps_verify_ssl: true
 #   Indicates whether SSL should be verified by clients when associating keys with the
 #   registrar using the external endpoint
-azimuth_apps_verify_ssl_clients: "{{ azimuth_apps_verify_ssl }}"
+#   By default, clients will verify SSL when Azimuth itself does
+#   The exception to this is when custom CAs are specified, as there is currently no mechanism
+#   for propagating the custom CAs into the trust store of the appliance
+azimuth_apps_verify_ssl_clients: >-
+  {{-
+    azimuth_apps_verify_ssl and
+    not (
+      (system_trust_extra_root_cas is defined and system_trust_extra_root_cas) or
+      (trust_bundle is defined and trust_bundle)
+    )
+  }}
 #   The external URL for the Zenith registrar
 azimuth_apps_registrar_external_url: >-
   {{-
@@ -347,12 +350,7 @@ azimuth_release_defaults:
       enabled: "{{ azimuth_ingress_tls_enabled }}"
       secretName: "{{ azimuth_ingress_tls_secret_name }}"
       annotations: "{{ azimuth_ingress_tls_annotations }}"
-  trustBundleConfigMapName: >-
-    {{-
-      azimuth_trust_bundle_configmap_name
-      if azimuth_trust_bundle
-      else None
-    }}
+  trustBundle: "{{ azimuth_trust_bundle }}"
   settings:
     secretKey: "{{ azimuth_secret_key }}"
     availableClouds: "{{ azimuth_linked_clouds }}"

diff --git a/roles/azimuth/tasks/main.yml b/roles/azimuth/tasks/main.yml
@@ -25,21 +25,6 @@
         tls.key: "{{ azimuth_ingress_tls_key }}"
   when: azimuth_ingress_tls_certificate
 
-- name: Install trust bundle
-  command: kubectl apply -f -
-  args:
-    stdin: "{{ azimuth_trust_bundle_configmap_definition | to_nice_yaml }}"
-  vars:
-    azimuth_trust_bundle_configmap_definition:
-      apiVersion: v1
-      kind: ConfigMap
-      metadata:
-        name: "{{ azimuth_trust_bundle_configmap_name }}"
-        namespace: "{{ azimuth_release_namespace }}"
-      data:
-        ca-certificates.crt: "{{ azimuth_trust_bundle }}"
-  when: azimuth_trust_bundle
-
 - name: Install Azimuth on target Kubernetes cluster
   kubernetes.core.helm:
     chart_ref: "{{ azimuth_chart_name }}"

diff --git a/roles/azimuth_caas_operator/defaults/main.yml b/roles/azimuth_caas_operator/defaults/main.yml
@@ -12,6 +12,9 @@ azimuth_caas_operator_release_name: azimuth-caas-operator
 # The timeout to wait for operator to become ready
 azimuth_caas_operator_wait_timeout: 10m
 
+# Custom trust bundle for SSL verification
+azimuth_caas_operator_trust_bundle: "{{ system_trust_ca_bundle | default('') }}"
+
 # The ansible-runner image and tag to use
 # Leave blank to use the defaults
 azimuth_caas_operator_ansible_runner_image_repository:
@@ -63,6 +66,7 @@ azimuth_caas_operator_release_defaults:
           )
       }}
     globalExtraVars: "{{ azimuth_caas_operator_global_extravars }}"
+  trustBundle: "{{ azimuth_caas_operator_trust_bundle }}"
 azimuth_caas_operator_release_overrides: {}
 azimuth_caas_operator_release_values: >-
   {{-

diff --git a/roles/azimuth_capi_operator/defaults/main.yml b/roles/azimuth_capi_operator/defaults/main.yml
@@ -13,6 +13,9 @@ azimuth_capi_operator_release_name: azimuth-capi-operator
 # The timeout to wait for CAPI operator to become ready
 azimuth_capi_operator_wait_timeout: 10m
 
+# Custom trust bundle for SSL verification
+azimuth_capi_operator_trust_bundle: "{{ system_trust_ca_bundle | default('') }}"
+
 # The timer interval to use for the CAPI operator
 azimuth_capi_operator_timer_interval: 60
 
@@ -39,7 +42,8 @@ azimuth_capi_operator_capi_helm_dns_nameservers:
 
 # Bundle of certificates that should be added to the system trustroots for provisioned clusters
 # E.g. for pulling containers from a registry with a custom CA chain
-azimuth_capi_operator_capi_helm_trust_bundle: "{{ trust_bundle | default({}) }}"
+azimuth_capi_operator_capi_helm_trust_bundle: >-
+  {{ system_trust_extra_root_cas | default(trust_bundle) | default({}) }}
 # The registry mirrors for provisioned clusters
 azimuth_capi_operator_capi_helm_registry_mirrors: >-
   {{-
@@ -494,6 +498,7 @@ azimuth_capi_operator_release_defaults:
   # Enable the metrics with the service monitor by default
   metrics:
     enabled: true
+  trustBundle: "{{ azimuth_capi_operator_trust_bundle }}"
 azimuth_capi_operator_release_overrides: {}
 azimuth_capi_operator_release_values: >-
   {{-

diff --git a/roles/azimuth_identity_operator/defaults/main.yml b/roles/azimuth_identity_operator/defaults/main.yml
@@ -13,6 +13,9 @@ azimuth_identity_operator_release_name: azimuth-identity-operator
 # The timeout to wait for CAPI operator to become ready
 azimuth_identity_operator_wait_timeout: 10m
 
+# Custom trust bundle for SSL verification
+azimuth_identity_operator_trust_bundle: "{{ system_trust_ca_bundle | default('') }}"
+
 #####
 # TLS settings
 #####
@@ -188,6 +191,7 @@ azimuth_identity_operator_release_defaults:
   # Enable the metrics with the service monitor by default
   metrics:
     enabled: true
+  trustBundle: "{{ azimuth_identity_operator_trust_bundle }}"
 azimuth_identity_operator_release_overrides: {}
 azimuth_identity_operator_release_values: >-
   {{-

diff --git a/roles/capi_cluster/defaults/main.yml b/roles/capi_cluster/defaults/main.yml
@@ -24,14 +24,14 @@ capi_cluster_cloud_name: "{{ lookup('env', 'OS_CLOUD') or 'openstack' }}"
 # The OpenStack Cluster API provider requires the project ID to be present in the clouds file
 capi_cluster_openstack_project_id: "{{ undef(hint = 'capi_cluster_openstack_project_id is required') }}"
 
-# The CA certificate to use to validate OpenStack connections
-# If not given, then connections are not verified
+# Use the system CA bundle to verify OpenStack connections if no explicit cert is given
+# Note that the system CA bundle will contain any custom CAs that were specified
 capi_cluster_openstack_ca_cert_file:
 capi_cluster_openstack_ca_cert: >-
   {{-
     lookup('file', capi_cluster_openstack_ca_cert_file)
     if capi_cluster_openstack_ca_cert_file
-    else None
+    else (system_trust_ca_bundle | default(''))
   }}
 
 # The Kubernetes version of the cluster and the id of the matching image
@@ -63,7 +63,8 @@ capi_cluster_ssh_keypair: >-
 
 # Bundle of certificates that should be added to the system trustroots of cluster nodes
 # E.g. if using a registry with a custom CA chain
-capi_cluster_trust_bundle: "{{ trust_bundle | default({}) }}"
+capi_cluster_trust_bundle: >-
+  {{ system_trust_extra_root_cas | default(trust_bundle) | default({}) }}
 
 # The registry mirrors for the cluster
 # NOTE: This cannot depend on Harbor as it isn't deployed yet!

diff --git a/roles/certmanager/defaults/main.yml b/roles/certmanager/defaults/main.yml
@@ -14,12 +14,7 @@ certmanager_wait_timeout: 10m
 
 # The trust bundle to use in the cert-manager containers
 # If empty, the default trust bundle will be used
-certmanager_trust_bundle: |-
-  {%- if trust_bundle is defined %}
-  {%- for certificate in trust_bundle.values() %}
-  {{ certificate }}
-  {%- endfor %}
-  {%- endif %}
+certmanager_trust_bundle: "{{ system_trust_ca_bundle | default('') }}"
 certmanager_trust_bundle_configmap_name: "{{ trust_bundle_configmap_name | default('certmanager-trust-bundle') }}"
 
 # Indicates whether the monitoring should be enabled

diff --git a/roles/clusterapi/defaults/main.yml b/roles/clusterapi/defaults/main.yml
@@ -130,9 +130,20 @@ clusterapi_addon_provider_release_name: cluster-api-addon-provider
 # The timeout to wait for the Cluster API addon provider to become ready
 clusterapi_addon_provider_wait_timeout: 30m
 
+# The trust bundle to use with the Cluster API addon provider
+# This allows for pulling charts from places using a custom CA for TLS
+clusterapi_addon_provider_trust_bundle: "{{ system_trust_ca_bundle | default('') }}"
+
 # The values for the Cluster API addon provider deployment
 # The defaults are sufficient for most use cases
-clusterapi_addon_provider_release_values: {}
+clusterapi_addon_provider_release_defaults:
+  trustBundle: "{{ clusterapi_addon_provider_trust_bundle }}"
+clusterapi_addon_provider_release_overrides: {}
+clusterapi_addon_provider_release_values: >-
+  {{-
+    clusterapi_addon_provider_release_defaults |
+      combine(clusterapi_addon_provider_release_overrides, recursive = True)
+  }}
 
 # Helm chart information for the Cluster API janitor
 clusterapi_janitor_openstack_chart_repo: https://azimuth-cloud.github.io/cluster-api-janitor-openstack

diff --git a/roles/harbor/defaults/main.yml b/roles/harbor/defaults/main.yml
@@ -12,6 +12,10 @@ harbor_release_name: harbor
 # The timeout to wait for Harbor to become ready
 harbor_wait_timeout: 10m
 
+# Custom trust bundle for SSL verification
+harbor_trust_bundle: "{{ system_trust_ca_bundle | default('') }}"
+harbor_trust_bundle_secret_name: "{{ harbor_release_name }}-trust-bundle"
+
 # The Harbor admin password and secret key
 harbor_admin_password: "{{ undef(hint = 'harbor_admin_password is not set') }}"
 harbor_secret_key: "{{ undef(hint = 'harbor_secret_key is not set') }}"
@@ -99,6 +103,12 @@ harbor_persistence_pvc_trivy_size: 5Gi
 
 # The values for the Harbor release
 harbor_release_defaults:
+  caBundleSecretName: >-
+    {{
+      harbor_trust_bundle_secret_name
+      if harbor_trust_bundle
+      else None
+    }}
   externalURL: "{{ harbor_external_url }}"
   harborAdminPassword: "{{ harbor_admin_password }}"
   secretKey: "{{ harbor_secret_key }}"
@@ -154,7 +164,7 @@ harbor_release_values: >-
   }}
 
 # Path to a CA file to use when talking to the Harbor API
-harbor_ca_path:
+harbor_ca_path: /etc/ssl/certs/ca-certificates.crt
 # Whether or not to validate SSL certificates when talking to the Harbor API
 harbor_validate_certs: yes