Awx-operator: Adding a private CA to the containers

Created on 7 Jun 2021  ·  6 comments  ·  Source: ansible/awx-operator

Hello,
To be able to access TLS sites that use a private CA, I need to add the CA certificate to the AWX containers. Is there a built-in way to do that with the AWX operator?

I got the crt file into /etc/pki/ca-trust/source/anchors/ using extra_volumes/ee_extra_volume_mounts, but running update-ca-trust is still missing. Is there a built-in way to add my own CA?

Currently I have two use cases for this:

  1. Fetching projects from GIT
  2. Using the "uri" module in roles

Thanks in advance
Max

bug in_progress

Most helpful comment

Works fine here. Sorry for the late feedback!

All 6 comments

This comment describes a few ways to customize the execution environment. I have no direct experience with ansible-builder, but simply deriving a docker image from the "official" EE (together with mounting additional volumes) should be enough.

@suukit could you try the changes in the branch https://github.com/ansible/awx-operator/compare/devel...tchellomello:custom-ca?expand=1 ?

To make it easier, I pushed this test image to quay.io/tchellomello/awx-operator:custom-ca (https://quay.io/repository/tchellomello/awx-operator?tab=tags).

So basically you can follow these steps:

  1. Update the awx-operator using this test POC (see https://gist.github.com/tchellomello/e38c71248591034f8a7cc28421fe2245):

```shell
$ kubectl apply -f https://gist.githubusercontent.com/tchellomello/e38c71248591034f8a7cc28421fe2245/raw/b8c1d657553d33d8ba75bb077b5960bb5abbca3c/awx-operator.yml
```

  2. Create a secret holding all the bundled certificate authorities. See my example below.

Note: the key must be `bundle-ca.crt`.

```shell
$ cat Toca_ROOT_CA.crt Toca_Intermediate_CA.crt > /tmp/bundle-ca.crt
$ kubectl create secret generic awx-ssl-ca-custom --from-file=bundle-ca.crt=/tmp/bundle-ca.crt
```

  3. Once the operator is updated, modify the AWX kind to map the new secret:

```yaml
apiVersion: awx.ansible.com/v1beta1
kind: AWX
....
spec:
  bundle_cacert_secret: awx-ssl-ca-custom
....
```


So before applying this patch, you should see:

![image](https://user-images.githubusercontent.com/809840/121632422-f153e880-ca4e-11eb-8d83-c0179e326427.png)

```
$  openssl  s_client -connect git.tatu.home:443 
CONNECTED(00000003)
[...SNIP...]

    SRP username: None
    TLS session ticket lifetime hint: 604800 (seconds)
    TLS session ticket:
    0000 - 18 71 bb 56 c4 6d 89 64-d0 df ac 2d fa cc 45 1e   .q.V.m.d...-..E.
    0010 - c0 71 c4 ba 50 ee 91 90-da d5 fe 8e 5e d1 a1 00   .q..P.......^...
    0020 - 57 8c 77 3b 09 e9 d5 fe-25 24 d5 bf d7 fd 76 bc   W.w;....%$....v.
    0030 - 1e a5 77 1b bd 3c bb 9b-25 df 48 a5 07 91 40 3b   ..w..<..%.H...@;
    0040 - d0 28 de e7 c6 4c 3c 12-51 d8 a0 0f ae 38 7a 44   .(...L<.Q....8zD
    0050 - 65 03 9a ac a7 82 e6 6f-be 2f 68 6c 6e 4e 11 55   e......o./hlnN.U
    0060 - d9 a6 85 9a ee 81 cd 63-51 65 58 8a 38 30 61 c8   .......cQeX.80a.
    0070 - d0 91 0c 1a 96 2b 1d 6c-c4 67 2a cf a2 05 a1 a0   .....+.l.g*.....
    0080 - ad                                                .

    Start Time: 1623388039
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)   <--- oops
    Extended master secret: no
    Max Early Data: 0
```

์ด ํŒจ์น˜๊ฐ€ ๋๋‚˜๋ฉด ๋‹ค์Œ์ด ํ‘œ์‹œ๋ฉ๋‹ˆ๋‹ค.

awx-ssl-ca-6cccf6577d-jzrk9   0/4     Pending             0          0s      <none>          <none>   <none>           <none>
awx-ssl-ca-6cccf6577d-jzrk9   0/4     Pending             0          0s      <none>          p70      <none>           <none>
awx-ssl-ca-6cccf6577d-jzrk9   0/4     Init:0/1            0          0s      <none>          p70      <none>           <none>
awx-ssl-ca-6cccf6577d-jzrk9   0/4     Init:0/1            0          1s      10.233.64.98    p70      <none>           <none>
awx-ssl-ca-6cccf6577d-jzrk9   0/4     PodInitializing     0          2s      10.233.64.98    p70      <none>           <none>
awx-ssl-ca-6cccf6577d-jzrk9   4/4     Running             0          4s      10.233.64.98    p70      <none>           <none>


Also, if you exec into the container, the custom CA should show up as trusted:

```
(py39) mdemello@storm ~> kubectl iexec awx /bin/bash    00:53:40
Namespace: default | Pod: ✔ awx-ssl-ca-6cccf6577d-jzrk9
Container: ✔ awx-ssl-ca-task
bash-4.4$ ls -la /etc/pki/ca-trust/source/anchors/bundle-ca.crt 
-rw-r--r--. 1 root root 4086 Jun 11 04:51 /etc/pki/ca-trust/source/anchors/bundle-ca.crt
bash-4.4$ trust list | grep -i toca
    label: TOCA ROOT CA
    label: Toca Intermediate Certificate Authority
bash-4.4$ openssl  s_client -connect git.tatu.home:443 
CONNECTED(00000003)
[...SNIP...]

    SRP username: None
    TLS session ticket lifetime hint: 604800 (seconds)
    TLS session ticket:
    0000 - 18 71 bb 56 c4 6d 89 64-d0 df ac 2d fa cc 45 1e   .q.V.m.d...-..E.
    0010 - 00 b2 67 b8 66 db 91 57-f8 85 92 e3 ef 61 4e 3f   ..g.f..W.....aN?
    0020 - 66 e2 64 01 45 b8 ab 7f-f8 84 7f 5e f6 2d e2 56   f.d.E......^.-.V
    0030 - d3 2c 4b 19 cb 93 19 74-c7 0b e3 7d 76 d8 cd f7   .,K....t...}v...
    0040 - 30 5a 87 23 27 34 d7 47-8e f5 c3 6c 41 81 7d 18   0Z.#'4.G...lA.}.
    0050 - 13 96 4e e7 76 3b 50 f0-fb 8d 9d df 4a 51 9d 36   ..N.v;P.....JQ.6
    0060 - 0e a9 1a 57 26 62 51 eb-f2 ec 24 56 93 5f 01 73   ...W&bQ...$V._.s
    0070 - 67 f5 a1 a7 38 e1 dc 5e-27 65 c6 24 f5 ff 2c dc   g...8..^'e.$..,.
    0080 - eb                                                .

    Start Time: 1623387247
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)    <----- yes
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

bash-4.4$ git clone https://git.tatu.home/mmello/test-ansible.git
Cloning into 'test-ansible'...
remote: Enumerating objects: 10, done.
remote: Counting objects: 100% (10/10), done.
remote: Compressing objects: 100% (9/9), done.
remote: Total 10 (delta 3), reused 0 (delta 0), pack-reused 0
Unpacking objects: 100% (10/10), 1.81 KiB | 928.00 KiB/s, done.
```

Let me know if it worked for you.
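As an added example (not code from the thread or from the awx-operator project), the POSIX shell helpers below do the two checks a practitioner would want around the procedure above: they validate the concatenated CA bundle and the secret key name before the `kubectl create secret` step, and they read the numeric `Verify return code` out of captured `openssl s_client` output so the before/after comparison can be scripted. Only sh, grep, awk and sed are assumed; the sample bundle the script writes is constructed with placeholder base64 bodies, not real certificates, and `kubectl` is never invoked.

```shell
#!/bin/sh
# Added example, not awx-operator code. Assumes only POSIX sh, grep, awk, sed.

# Write a constructed sample bundle (two PEM blocks with placeholder bodies,
# NOT real certificates) to the path given as $1.
make_sample_bundle() {
  printf '%s\n' \
    '-----BEGIN CERTIFICATE-----' \
    'UExBQ0VIT0xERVIgUk9PVCBDQSBCT0RZ' \
    '-----END CERTIFICATE-----' \
    '-----BEGIN CERTIFICATE-----' \
    'UExBQ0VIT0xERVIgSU5URVJNRURJQVRFIENBIEJPRFk=' \
    '-----END CERTIFICATE-----' > "$1"
}

# Print the number of complete BEGIN/END certificate blocks in a file.
count_certs() {
  awk '/^-----BEGIN CERTIFICATE-----$/ { open = 1 }
       /^-----END CERTIFICATE-----$/   { if (open) { n++; open = 0 } }
       END { print n + 0 }' "$1"
}

# Succeed only if the file is readable, holds at least one certificate and every
# BEGIN marker has its END marker. A truncated paste, or two files concatenated
# without a trailing newline on the first, fails here instead of inside the pod.
check_bundle() {
  [ -r "$1" ] || return 1
  begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
  ends=$(grep -c '^-----END CERTIFICATE-----$' "$1" || true)
  [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ]
}

# The thread notes the secret key must be bundle-ca.crt (it ends up as
# /etc/pki/ca-trust/source/anchors/bundle-ca.crt in the container), so any
# other key name is rejected here before the secret is created.
check_secret_key() {
  [ "$1" = "bundle-ca.crt" ]
}

# Read the numeric "Verify return code" from s_client output on stdin.
# 0 means the chain verified; 21 is the "unable to verify the first
# certificate" result seen in the thread before the bundle was trusted.
verify_return_code() {
  sed -n 's/.*Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1
}

# Stand-alone run (sh this_script.sh --run): build the sample bundle, check it,
# and print the secret creation command that would follow.
main() {
  bundle="${TMPDIR:-/tmp}/bundle-ca-$$.crt"
  make_sample_bundle "$bundle"
  if check_bundle "$bundle"; then
    echo "bundle OK: $(count_certs "$bundle") certificate(s)"
    echo "kubectl create secret generic awx-ssl-ca-custom --from-file=bundle-ca.crt=$bundle"
  else
    echo "bundle is malformed" >&2
  fi
  rm -f "$bundle"
}

case "${1:-}" in
  --run) main ;;
esac
```

Run the script as `sh check-bundle.sh --run` (the file name is arbitrary) to see the checks against the constructed bundle; to use it on a real bundle, call `check_bundle /tmp/bundle-ca.crt` and pipe the output of `openssl s_client -connect host:443 </dev/null` into `verify_return_code` before and after the operator update.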

@tchellomello: thank you

Works fine here. Sorry for the late feedback!

Does this solution work for WinRM CA certificates? I'm opening an issue on awx because I don't know whether it is an operator or an awx problem.
https://github.com/ansible/awx/issues/10884
