From 06f932ca8b4afb7673da67726de7153a49919b83 Mon Sep 17 00:00:00 2001
From: Vlad R
Date: Thu, 9 May 2024 14:25:27 +0000
Subject: [PATCH 1/2] Added playbook that loads the AD1 root CA into the hosts and forces them to update the CA store + cleaned up inventory of old hosts
---
 dnaclab_linux/ad1.dnaclab.net.crt | 21 ++++++++++++++++++
 dnaclab_linux/inventory.yml | 16 +++++--------
 dnaclab_linux/prestage_root_ca.yaml | 33 +++++++++++++++++++++++++++++
 3 files changed, 59 insertions(+), 11 deletions(-)
 create mode 100644 dnaclab_linux/ad1.dnaclab.net.crt
 create mode 100644 dnaclab_linux/prestage_root_ca.yaml
diff --git a/dnaclab_linux/ad1.dnaclab.net.crt b/dnaclab_linux/ad1.dnaclab.net.crt
new file mode 100644
index 0000000..5fc14e5
--- /dev/null
+++ b/dnaclab_linux/ad1.dnaclab.net.crt
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDYzCCAkugAwIBAgIQOjH4SmsJLppClIB6CKuPKTANBgkqhkiG9w0BAQsFADBE
+MRMwEQYKCZImiZPyLGQBGRYDbmV0MRcwFQYKCZImiZPyLGQBGRYHZG5hY2xhYjEU
+MBIGA1UEAxMLZG5hY2xhYi5uZXQwHhcNMjIwNDI4MTYyODMxWhcNMzIwNDI4MTYz
+ODMwWjBEMRMwEQYKCZImiZPyLGQBGRYDbmV0MRcwFQYKCZImiZPyLGQBGRYHZG5h
+Y2xhYjEUMBIGA1UEAxMLZG5hY2xhYi5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQDJiTcCiTFlBkDIe19uDPm/JWfM53v2BHlyQZadk2aNVq18ZHTC
+2724X9gKG2qUWhdxVYyBgnz/EYra+kgsJdXMsiDWN+MbfOdD3Xs7MBPC1goujFVW
+6n6dvi5JZarFJjvDhKLfuRUB61we6vfccZwE4PwSChaIWDoCJlpcRaHnKEgLxawh
+/UpArEm2KRWfRMDloxXmVJkjZ1JKQF54iZbMRvGhyGpIEcwLG9ddetEvjmDK+FIU
+4AKG356ktjvFQFOCp4U9CTnm0h+AwOem+Le6Q5qV8GKPEc9wTJjbkarsoEYd9doS
+d2qrmHiSe/mpO52Fn1HZELnjH3yis4wpaxP3AgMBAAGjUTBPMAsGA1UdDwQEAwIB
+hjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSm6oQF7HWtEn8/zS61YUU7WEJ6
+5DAQBgkrBgEEAYI3FQEEAwIBADANBgkqhkiG9w0BAQsFAAOCAQEAU3PZaenth8q3
+9O4HmcNR6+uPx3Ic4G6AgY6/rI1WSNnax9n76wvYBGd+DytOGLVhmzdW6U7udcUB
+rn4mwKhiUa4LtvbZfSz7gycJ2f/l0Vqq2ebSWTM3D2L6leQKfy71USQ9u7oRNWHN
+kmq8bzXrJ5NGCdMG4u+0848jqquD3wHZixvjHsCwZeKYDldnbZIvuOBQSh4N+YCV
+jEgE2XULMYrxLSCh/01p1cl4It3Rb0/xR105cPlYEU6HyYQVctjdhgZAnanYAu+1
+HaQtKGeASlx+i7WftsMCOJuC3ddEF7yT9se3yeAGjioIjLUhlx+1yHcXzEVyFVQd
+uzeSL2RGjA==
+-----END CERTIFICATE-----
diff --git a/dnaclab_linux/inventory.yml b/dnaclab_linux/inventory.yml
index f91be53..69dc02d 100644
--- a/dnaclab_linux/inventory.yml
+++ b/dnaclab_linux/inventory.yml
@@ -3,8 +3,7 @@ all:
 children:
 services_hosts:
 hosts:
- ubuntu.dnaclab.net:
- staging.dnaclab.net:
+ services.dnaclab.net:
 developer_hosts:
 hosts:
 developer.dnaclab.net:
@@ -17,12 +16,7 @@ all:
 backups.dnaclab.net:
 kubernetes:
 hosts:
- 10.221.0.130:
- 10.221.0.131:
- 10.221.0.132:
- kubernetes_dev:
- hosts:
- 172.16.1.130:
- 172.16.1.131:
- 172.16.1.132:
- 172.16.1.133:
+ k8s-master.dnaclab.net:
+ k8s-worker1.dnaclab.net:
+ k8s-worker2.dnaclab.net:
+ 
diff --git a/dnaclab_linux/prestage_root_ca.yaml b/dnaclab_linux/prestage_root_ca.yaml
new file mode 100644
index 0000000..d951bfb
--- /dev/null
+++ b/dnaclab_linux/prestage_root_ca.yaml
@@ -0,0 +1,33 @@
+---
+- name: Prestage server(s) with the NCA FSA AD1 root CA and load it into SSL service
+ hosts: all
+ become: yes
+ vars_files:
+ - global_vars/main.yml
+
+ tasks:
+
+ - name: Copy AD1 root certificate to the shared SSL store
+ ansible.builtin.copy:
+ src: "./ad1.dnaclab.net.crt"
+ dest: /usr/local/share/ca-certificates/
+ owner: root
+ group: root
+ mode: '0666'
+
+ - name: Update the CA certificate store
+ ansible.builtin.command: update-ca-certificates
+ register: update_results
+
+ - name: Print update results
+ ansible.builtin.debug:
+ var: update_results.stdout
+
+ - name: Verify that certificates signed by AD1 can be verified now
+ ansible.builtin.shell: openssl s_client -connect gitlab.dnaclab.net:443 -showcerts
Date: Fri, 10 May 2024 09:41:11 +0000
Subject: [PATCH 2/2] Added playbook that sets the netplan of the servers to only use the internal DNS
---
 dnaclab_linux/prestage_update_dns.yaml | 31 ++++++++++++++++++++++++++
 dnaclab_linux/reboot.yml | 2 +-
 2 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100644 dnaclab_linux/prestage_update_dns.yaml
diff --git a/dnaclab_linux/prestage_update_dns.yaml b/dnaclab_linux/prestage_update_dns.yaml
new file mode 100644
index 0000000..63669bb
--- /dev/null
+++ b/dnaclab_linux/prestage_update_dns.yaml
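Review bot: The trust anchor is installed world-writable — `mode: '0666'` on the copy into /usr/local/share/ca-certificates/ lets any local account overwrite the AD1 root certificate, and the next update-ca-certificates run would then trust whatever was written in its place; the file should be `mode: '0644'` (root-owned, as the task already sets). The update-ca-certificates task has no `changed_when`, so the play reports a change on every run; keying it on the command output (e.g. `changed_when: "'0 added, 0 removed' not in update_results.stdout"`) keeps it idempotent. The final verification task is cut off on this page after `-showcerts`, so whether it fails the play on a bad verify result cannot be checked here; it needs a `failed_when` tied to the openssl verify result rather than only printing output. `become: yes` is the YAML 1.1 boolean spelling; `become: true` is the canonical form.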
@@ -0,0 +1,31 @@
+---
+- name: Change the netplan configuration to only allow the internal DNS server
+ hosts: all
+ become: yes
+ vars_files:
+ - global_vars/main.yml
+
+ tasks:
+
+ - name: Check if the netplan configuration is present
+ ansible.builtin.stat:
+ path: /etc/netplan/00-installer-config.yaml
+
+ - name: Set the new netplan to use only the internal DNS
+ ansible.builtin.command: netplan set ethernets.ens160.nameservers.addresses=[10.221.0.100]
+
+ - name: Apply the new netplan
+ ansible.builtin.command: netplan apply
+
+ - name: Restart the resolved service
+ ansible.builtin.command: systemctl restart systemd-resolved.service
+
+ - name: Get currently configured DNS servers
+ ansible.builtin.command: netplan get ethernets.ens160.nameservers.addresses
+ register: dns_check
+
+ - name: Validate that only the internal DNS is configured
+ ansible.builtin.debug:
+ msg: Change successfull!
+ when: dns_check.stdout == "- 10.221.0.100"
+
diff --git a/dnaclab_linux/reboot.yml b/dnaclab_linux/reboot.yml
index d29a135..cef1974 100644
--- a/dnaclab_linux/reboot.yml
+++ b/dnaclab_linux/reboot.yml
@@ -1,6 +1,6 @@
 ---
 - name: Reboots linux host and checks status
- hosts: kubernetes_dev
+ hosts: kubernetes
 become: yes
 vars_files:
 - global_vars/main.yml
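Review bot: The validation task never fails: the `when: dns_check.stdout == "- 10.221.0.100"` debug only prints on success, so a host whose interface is not ens160, or where `netplan set` failed, still finishes the play green with its resolvers in an unknown state; an `ansible.builtin.assert` with that condition as `that:` and a `fail_msg` makes the outcome explicit. The stat task registers nothing and nothing is conditioned on it, so `netplan set` and `netplan apply` run even when /etc/netplan/00-installer-config.yaml is absent; register it and gate those tasks on `netplan_cfg.stat.exists`. The interface name and resolver address are hard-coded inside command strings and the resolved restart is a raw `systemctl` command; moving them to play vars and using `ansible.builtin.systemd` would make the play reusable and idempotent, and `netplan get` should carry `changed_when: false` since it is read-only. `successfull` in the debug message is a typo.

```yaml
    - name: Check if the netplan configuration is present
      ansible.builtin.stat:
        path: /etc/netplan/00-installer-config.yaml
      register: netplan_cfg

    - name: Set the new netplan to use only the internal DNS
      ansible.builtin.command: netplan set ethernets.ens160.nameservers.addresses=[10.221.0.100]
      when: netplan_cfg.stat.exists

    - name: Apply the new netplan
      ansible.builtin.command: netplan apply
      when: netplan_cfg.stat.exists

    - name: Restart the resolved service
      ansible.builtin.systemd:
        name: systemd-resolved.service
        state: restarted

    - name: Get currently configured DNS servers
      ansible.builtin.command: netplan get ethernets.ens160.nameservers.addresses
      register: dns_check
      changed_when: false

    - name: Validate that only the internal DNS is configured
      ansible.builtin.assert:
        that:
          - dns_check.stdout == "- 10.221.0.100"
        fail_msg: "Unexpected nameservers on ens160: {{ dns_check.stdout }}"
        success_msg: Change successful!
```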