Add TLS standardization for platform, mongo, gateway & redis roles #300
Amunagala-itential wants to merge 5 commits into itential:feature/v4 from
Conversation
| # ============================================================================ | ||
| # Backward Compatibility - Legacy Variable Names | ||
| # These maintain compatibility with existing templates | ||
| # ============================================================================ | ||
|
|
||
| # Legacy variables for templates (point to new paths) | ||
| gateway_ssl_cert_dest: "{{ gateway_https_cert_file }}" | ||
| gateway_ssl_key_dest: "{{ gateway_https_key_file }}" | ||
| gateway_ssl_rootca_dest: "{{ gateway_https_ca_file }}" |
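Review bot: the three legacy aliases in this hunk stay independently overridable, so an inventory that still sets `gateway_ssl_key_dest` will render templates against one key path while the copy tasks write the key to `gateway_https_key_file`, and the service starts without the key it was just given. If the aliases are kept at all, the comment block should state that they must not be overridden; otherwise drop them and update the templates to the new names.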
I don't think we need to provide backwards compatibility. Update the templates with the new variables.
Since you are using the same tags for all tasks, use a task block and move the tags to the block.
| # and allows the use of invalid or self-signed certificates to connect. | ||
| platform_mongo_tls_allow_invalid_certificates: false |
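Review bot: the comment above `platform_mongo_tls_allow_invalid_certificates` lumps self-signed certificates together with invalid ones, which points users at disabling verification when they only need to trust their own CA. Reword it to say that self-signed or private-CA server certificates should be handled by adding the issuing certificate to the CA bundle, and that `true` turns off server certificate verification for the connection entirely; the `false` default is right.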
Should this be moved to the pki defaults file?
I vote we keep it here. Ultimately, it's used in the mongo config file template only.
| # ============================================================================ | ||
|
|
||
| # Source directory for HTTPS certificates (on Ansible controller) | ||
| platform_https_pki_src_dir: "/Users/ananth.munagala/deployer_checkins/PE-1386/certificates/platform" |
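Review bot: `platform_https_pki_src_dir` defaults to an absolute path on one developer's workstation, which ships a user name and an internal ticket id in the role defaults and cannot resolve on any other Ansible controller. Default it to an empty string, as the mongodb defaults already do, and fail early with an `assert` task when it is unset instead of letting a copy task fail part-way through a run.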
I think this needs to change...
This is why we do code reviews. :-)
| platform_https_pki_src_dir: "/Users/ananth.munagala/deployer_checkins/PE-1386/certificates/platform" | ||
|
|
||
| # Source directory for MongoDB certificates (on Ansible controller) | ||
| platform_mongodb_pki_src_dir: "/Users/ananth.munagala/deployer_checkins/PE-1386/certificates/platform" |
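Review bot: besides the workstation path, `platform_mongodb_pki_src_dir` ends in `certificates/platform`, the same directory as the HTTPS material, so even with a corrected prefix the MongoDB client material would be sourced from the platform HTTPS certificates. Fix the trailing component together with the default.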
Use block for tags
| | `gateway_https_cert_filename` | String | HTTPS certificate filename. | `{{ inventory_hostname }}.crt` | | ||
| | `gateway_https_key_filename` | String | HTTPS private key filename. | `{{ inventory_hostname }}.key` | | ||
| | `gateway_https_ca_filename` | String | HTTPS CA bundle filename. | `ca-bundle.crt` | | ||
| | `gateway_pki_src_dir` | String | Source directory for Gateway certificates (on Ansible controller). | (set in inventory) | |
| | `gateway_pki_src_dir` | String | Source directory for Gateway certificates (on Ansible controller). | (set in inventory) | | |
| | `gateway_pki_src_dir` | String | Source directory for Gateway certificates (on Ansible controller). | MUST be set in inventory | |
| | `gateway_https_ca_filename` | String | HTTPS CA bundle filename. | `ca-bundle.crt` | | ||
| | `gateway_pki_src_dir` | String | Source directory for Gateway certificates (on Ansible controller). | (set in inventory) | | ||
| | `gateway_https_cert_file` | String | Deployed HTTPS certificate path. | `{{ gateway_pki_https_dir }}/{{ gateway_https_cert_filename }}` | | ||
| | `gateway_https_key_file` | String | Deployed HTTPS private key path. | `{{ gateway_pki_private_dir }}/{{ gateway_https_key_filename }}` | |
I don't see gateway_pki_private_dir.
| certificates/ | ||
| ├── platform | ||
| │ ├── ca-bundle.crt | ||
| │ ├── ip-10-222-1-169.ec2.internal.crt | ||
| │ ├── ip-10-222-1-64.ec2.internal.crt | ||
| │ ├── ip-10-222-1-64.ec2.internal.key |
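Review bot: the example tree lists a certificate for both `ip-10-222-1-169` and `ip-10-222-1-64` but a key only for the second host, so it does not illustrate the one-certificate-one-key-per-host convention the rest of the change describes; add the missing `.key` line or drop the second host. The listing also needs a fenced block to render.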
This doesn't render correctly.
I think it needs the ```
| certificates/ | ||
| ├── mongodb | ||
| │ ├── ca-bundle.crt | ||
| │ ├── hostname1.pem | ||
| │ ├── hostname2.pem | ||
| │ ├── hostname3.pem | ||
| │ ├── replica.key |
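Review bot: `replica.key` in this listing is the replica-set keyfile, a shared secret for intra-cluster authentication rather than PKI material, and mongod refuses to start when that file is group- or world-readable; the `.pem` files also bundle a private key with the certificate. Either keep the keyfile out of the certificates tree or make sure the copy tasks give it and the `.pem` files private-key permissions (0600), not the certificate mode.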
Probably doesn't render correctly either.
| |----------|----------|---------------------| | ||
| | **Scenario 1** | Per-host certificates (most secure) | One unique cert per server | | ||
| | **Scenario 2** | Per-role certificates (simplified management) | One cert shared per role | | ||
| | **Scenario 3** | Single wildcard certificate (simplest) | One cert for everything | |
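Review bot: the header row of this table is missing above the `|---|` separator, so the three columns have no names. The table should also say that Scenarios 2 and 3 share one private key across several hosts, so a key compromise on any one of them affects every server that uses that certificate; and since a multi-domain SAN certificate covers Scenario 3 without a `*` entry, "wildcard" is not the right name for it.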
I may be wrong, but a multi-domain cert and a wild-card cert aren't synonymous. You can have a MD cert with actual hostnames. Or you can have a MD wild-card cert. Maybe just call this "Multi-Domain certificate".
Correct. A multi-domain cert can list many DNS names or IPs in it, one file suitable for many servers. A wildcard cert uses a * in the DNS names, which also makes it suitable for many servers, but it's easier to spoof and depends on regex. I would call these multi-domain certs.
| ## Recommendations by Environment | ||
|
|
||
| ### Development/Testing | ||
| - **Use:** Scenario 3 (Wildcard) | ||
| - **Why:** Simplest, fastest to set up, easy to regenerate | ||
|
|
||
| ### Staging | ||
| - **Use:** Scenario 2 (Per-Role) | ||
| - **Why:** Balance of simplicity and security, mirrors production patterns | ||
|
|
||
| ### Production | ||
| - **Use:** Scenario 1 (Per-Host) | ||
| - **Why:** Best security, compliance requirements, limited blast radius |
I'm not sure we want to provide recommendations.
Agree. I have removed the recommendations section.
| group: "{{ gateway_pki_group }}" | ||
| mode: "{{ gateway_pki_subdir_mode }}" | ||
| loop: | ||
| - "{{ gateway_pki_https_dir }}" |
I don't think you need a loop here.
| # Set this in your inventory to point to your certificate directory | ||
| mongodb_pki_src_dir: "" | ||
|
|
||
| mongodb_ssl_root_dir: "{{ mongodb_pki_base_dir }}" |
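Review bot: `mongodb_pki_src_dir: ""` is the right default, but a copy task that builds `src: "{{ mongodb_pki_src_dir }}/..."` from an empty value resolves to a path relative to the playbook directory and fails with a confusing message. Add an `assert` that the variable is non-empty (and that the directory exists on the controller) before any copy task, and drop the `mongodb_ssl_root_dir` alias in favour of `mongodb_pki_base_dir`.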
Remove and replace references with mongodb_pki_base_dir
| platform_pki_base_owner: root | ||
|
|
||
| # Group for PKI base directory | ||
| platform_pki_base_group: itential |
| platform_pki_base_group: itential | |
| platform_pki_base_group: "{{ platform_group }}" |
| platform_pki_private_owner: root | ||
|
|
||
| # Group for private key files | ||
| platform_pki_private_group: itential |
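Review bot: with `platform_pki_private_owner: root` and the group set to the platform group, the private key mode decides whether the service can read its key at all: a root-owned key with `0600` locks the platform process out, while `0640` makes it readable by every member of the group. Pair this owner/group with an explicit key mode in the same defaults file and document which processes are expected to be in that group.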
| platform_pki_private_group: itential | |
| platform_pki_private_group: "{{ platform_group }}" |
steven-schattenberg-itential left a comment:
There are also some changes I anticipate to set the appropriate SELinux labels on files. We can address that separately.
| ├── wildcard.crt ← One cert for everything | ||
| ├── wildcard.key |
| gateway_pki_owner: "{{ gateway_user }}" | ||
|
|
||
| # Group for PKI directories and files | ||
| gateway_pki_group: "{{ gateway_group }}" |
I'm not sure what value these two vars provide. We should be opinionated in the tasks that create these files and use the gateway_user and gateway_group. If that's not sufficient for customers then they can change it after.
Agree, gateway_pki_owner and gateway_pki_group are just wrappers around gateway_user and gateway_group with no added value.
I have used gateway_user and gateway_group in the tasks directly.
| gateway_https_key_mode: "0600" | ||
|
|
||
| # HTTPS CA bundle permissions | ||
| gateway_https_ca_mode: "0644" |
I'm not sure what values these provide either. Let's just set the permissions in the tasks and reduce the complexity here. Or move these vars where they cannot be overridden.
| platform_root_dir: "{{ platform_root_dir_default }}" | ||
| platform_config_dir: "{{ platform_config_dir_default }}" | ||
| platform_tls_dir: "{{ platform_tls_dir_default }}" | ||
| # platform_tls_dir: "{{ platform_tls_dir_default }}" |
If we don't need it then remove it.
PKI Standardization and Hostname-Based Certificate Support
Summary
Standardized PKI implementation across MongoDB, Redis, Platform, and Gateway roles with hostname-based certificate naming to support multi-server deployments with unique certificates per host.
Problem
Solution