From afb0805c6aa2cd6bcf20ea448c38851f232087bb Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Sun, 6 Jul 2025 08:56:17 +0200 Subject: [PATCH 1/2] Fix Open OnDemand capitalisationn --- ansible/fatimage.yml | 10 +++++----- ansible/monitoring.yml | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/ansible/fatimage.yml b/ansible/fatimage.yml index ded3de31f..3c87f373c 100644 --- a/ansible/fatimage.yml +++ b/ansible/fatimage.yml @@ -120,7 +120,7 @@ when: "'openhpc' in group_names" # - import_playbook: portal.yml - - name: Open Ondemand server (packages) + - name: Open OnDemand server (packages) include_role: name: osc.ood tasks_from: install-package.yml @@ -128,20 +128,20 @@ when: "'openondemand' in group_names" # # FUTURE: install-apps.yml - this is git clones - - name: Open Ondemand server (apps) + - name: Open OnDemand server (apps) include_role: name: osc.ood tasks_from: install-apps.yml vars_from: "Rocky/{{ ansible_distribution_major_version }}.yml" when: "'openondemand' in group_names" - - name: Open Ondemand remote desktop + - name: Open OnDemand remote desktop import_role: name: openondemand tasks_from: vnc_compute.yml when: "'openondemand_desktop' in group_names" - - name: Open Ondemand jupyter node + - name: Open OnDemand jupyter node import_role: name: openondemand tasks_from: jupyter_compute.yml @@ -173,7 +173,7 @@ name: cloudalchemy.node_exporter when: "'node_exporter' in group_names" - - name: openondemand exporter + - name: Open OnDemand Prometheus exporter dnf: name: ondemand_exporter when: "'openondemand' in group_names" diff --git a/ansible/monitoring.yml b/ansible/monitoring.yml index d34a65f9d..877178fbb 100644 --- a/ansible/monitoring.yml +++ b/ansible/monitoring.yml @@ -37,7 +37,7 @@ - import_role: name: cloudalchemy.node_exporter -- name: Deploy OpenOndemand exporter +- name: Deploy Open OnDemand exporter hosts: openondemand become: true tags: From ccafe06750f82992fffb35458a969b4016c2da48 Mon Sep 17 00:00:00 2001 
From: Pierre Riteau Date: Wed, 9 Jul 2025 17:01:27 +0200 Subject: [PATCH 2/2] Support Let's Encrypt for Open OnDemand --- README.md | 2 +- ansible/fatimage.yml | 6 ++++ ansible/roles/openondemand/README.md | 12 ++++++-- ansible/roles/openondemand/defaults/main.yml | 6 ++-- ansible/roles/openondemand/tasks/certbot.yml | 29 +++++++++++++++++++ ansible/roles/openondemand/tasks/main.yml | 4 +++ docs/openondemand.md | 4 +++ .../tofu/variables.tf | 1 + 8 files changed, 59 insertions(+), 5 deletions(-) create mode 100644 ansible/roles/openondemand/tasks/certbot.yml diff --git a/README.md b/README.md index a47afd4e4..10beab4e5 100644 --- a/README.md +++ b/README.md @@ -33,7 +33,7 @@ Before starting ensure that: - You have an SSH keypair defined in OpenStack, with the private key available on the deploy host. - Created instances have access to internet (note proxies can be setup through the appliance if necessary). - Created instances have accurate/synchronised time (for VM instances this is usually provided by the hypervisor; if not or for bare metal instances it may be necessary to configure a time service via the appliance). -- Three security groups are present: ``default`` allowing intra-cluster communication, ``SSH`` allowing external access via SSH and ``HTTPS`` allowing access for Open OnDemand. +- Four security groups are present: ``default`` allowing intra-cluster communication, ``SSH`` allowing external access via SSH, and ``HTTP`` and ``HTTPS`` allowing access for Open OnDemand. ### Setup deploy host diff --git a/ansible/fatimage.yml b/ansible/fatimage.yml index 3c87f373c..76d2ce055 100644 --- a/ansible/fatimage.yml +++ b/ansible/fatimage.yml 
@@ -135,6 +135,12 @@ vars_from: "Rocky/{{ ansible_distribution_major_version }}.yml" when: "'openondemand' in group_names" + - name: Open OnDemand certbot + import_role: + name: openondemand + tasks_from: certbot.yml + when: "'openondemand' in group_names" + - name: Open OnDemand remote desktop import_role: name: openondemand diff --git a/ansible/roles/openondemand/README.md b/ansible/roles/openondemand/README.md index 099276c7e..0c501b7da 100644 --- a/ansible/roles/openondemand/README.md +++ b/ansible/roles/openondemand/README.md 
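Review bot: The new `Open OnDemand certbot` import in fatimage.yml is gated only on group membership, whereas tasks/main.yml in this series includes certbot.yml behind `openondemand_certbot | bool`, so epel-release, certbot and python3-certbot-apache are installed into every image regardless of whether Let's Encrypt is enabled, and EPEL remains an enabled repository for any later dnf task in the build. That looks intentional for a fat image, but the asymmetry deserves a comment above the import, e.g. `# certbot packages are baked into every image; certificate issuance only runs in configure mode (see certbot.yml)`. Note that certbot.yml's assert/command block is restricted to `appliances_mode == 'configure'`, so only the package installs take effect here. The enclosing play starts before this hunk.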
@@ -46,8 +46,16 @@ No other authentication options are required for this method. ### SSL Certificates This role enables SSL on the Open Ondemand server, using the following self-signed certificate & key which are autogenerated by the `mod_ssl` package installed as part of the `ondemand-apache` package. Replace with your own keys if required. -- `openondemand_ssl_cert`: Optional. Default `/etc/pki/tls/certs/localhost.crt`. -- `openondemand_ssl_cert_key`: Optional. Default `/etc/pki/tls/private/localhost.key` +- `openondemand_ssl_cert`: Optional. Default `/etc/pki/tls/certs/localhost.crt` (unless `openondemand_certbot` is true). +- `openondemand_ssl_cert_key`: Optional. Default `/etc/pki/tls/private/localhost.key` (unless `openondemand_certbot` is true). + +Alternatively, you can generate a certificate from Let's Encrypt automatically by configuring the following variables: +- `openondemand_certbot`: Optional. Default is false. Set to true to request a certificate from Let's Encrypt. +- `openondemand_certbot_email`: Optional. Default is empty. Set to the admin email address if using Let's Encrypt. + +If using Let's Encrypt, leave `openondemand_ssl_cert` and `openondemand_ssl_cert_key` set to their default values. + +Note that this only generates the initial certificate for now: automated renewal is not yet implemented. ### Dashboard and application configuration - `openondemand_dashboard_docs_url`: Optional. URL of docs to show under Help in dashboard. Default `(undefined)`. diff --git a/ansible/roles/openondemand/defaults/main.yml b/ansible/roles/openondemand/defaults/main.yml index 23359f01c..8a6c64106 100644 --- a/ansible/roles/openondemand/defaults/main.yml +++ b/ansible/roles/openondemand/defaults/main.yml 
@@ -13,8 +13,10 @@ openondemand_oidc_remote_user_claim: preferred_username openondemand_oidc_scope: openid profile preferred_username # SSL Certificates -openondemand_ssl_cert: /etc/pki/tls/certs/localhost.crt -openondemand_ssl_cert_key: /etc/pki/tls/private/localhost.key +openondemand_certbot: false +openondemand_certbot_email: +openondemand_ssl_cert: "{{ '/etc/letsencrypt/live/' + openondemand_servername + '/fullchain.pem' if openondemand_certbot | bool else '/etc/pki/tls/certs/localhost.crt' }}" +openondemand_ssl_cert_key: "{{ '/etc/letsencrypt/live/' + openondemand_servername + '/privkey.pem' if openondemand_certbot | bool else '/etc/pki/tls/private/localhost.key' }}" # Dashboard and application config: openondemand_dashboard_docs_url: (undefined) diff --git a/ansible/roles/openondemand/tasks/certbot.yml b/ansible/roles/openondemand/tasks/certbot.yml new file mode 100644 index 000000000..0585c4078 --- /dev/null +++ b/ansible/roles/openondemand/tasks/certbot.yml @@ -0,0 +1,29 @@ +--- +- name: Install EPEL + tags: install + dnf: + name: epel-release + +- name: Install certbot + tags: install + dnf: + name: + - certbot + - python3-certbot-apache + +- block: + - name: Validate that server name is set + assert: + that: + - openondemand_servername | length > 0 + fail_msg: openondemand_servername must be set + + - name: Validate that email address is set + assert: + that: + - openondemand_certbot_email | length > 0 + fail_msg: openondemand_certbot_email must be set + + - name: Generate Let's Encrypt certificate + command: sudo certbot certonly --standalone -d {{ openondemand_servername }} -n -m {{ openondemand_certbot_email }} --agree-tos + when: appliances_mode == 'configure' diff --git a/ansible/roles/openondemand/tasks/main.yml b/ansible/roles/openondemand/tasks/main.yml index bd5706ecb..f0bd722d8 100644 --- a/ansible/roles/openondemand/tasks/main.yml +++ b/ansible/roles/openondemand/tasks/main.yml 
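Review bot: `openondemand_certbot_email:` in defaults/main.yml is a bare empty value, which YAML loads as null rather than the empty string the role README describes, so the `openondemand_certbot_email | length > 0` assertion added in certbot.yml fails with a templating error on `NoneType` instead of reporting the intended `fail_msg`. Write `openondemand_certbot_email: ''` so the default is an explicit, typed string. The two `openondemand_ssl_cert*` expressions depend on `openondemand_servername` being defined whenever `openondemand_certbot` is true, which the new assert in certbot.yml enforces only on configure runs; that is worth a one-line comment next to them.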
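Review bot: The `Generate Let's Encrypt certificate` task at the end of the new certbot.yml reruns certbot on every configure pass and always reports changed, because the `command` has no `creates` guard; the `sudo` prefix is also redundant, since the preceding dnf tasks in the same file already require the play to run as root. I would write it as `command: certbot certonly --standalone -d {{ openondemand_servername }} -n -m {{ openondemand_certbot_email }} --agree-tos` with `args:` and `creates: "/etc/letsencrypt/live/{{ openondemand_servername }}/fullchain.pem"`, which matches the path defaults/main.yml now derives for `openondemand_ssl_cert` and avoids repeated issuance requests counting against Let's Encrypt rate limits. `--standalone` needs port 80 free at issuance time, so this presumably only works while httpd is not yet listening; if the role can be re-run against a configured host, that constraint deserves a comment, or a switch to the apache authenticator that the installed `python3-certbot-apache` package provides.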
@@ -21,6 +21,10 @@ when: appliances_mode != 'configure' # can't set vars: from a dict hence the workaround above +- include_tasks: + file: certbot.yml + when: openondemand_certbot | bool + - include_tasks: file: pam_auth.yml when: openondemand_auth | lower == 'basic_pam' diff --git a/docs/openondemand.md b/docs/openondemand.md index 70a3bc642..1835d5b02 100644 --- a/docs/openondemand.md +++ b/docs/openondemand.md @@ -47,3 +47,7 @@ The appliance automatically configures Open OnDemand to proxy Grafana and adds a # Access By default the appliance authenticates against OOD with basic auth through PAM. When creating a new environment, a new user with username `demo_user` will be created. Its password is found under `vault_openondemand_default_user` in the appliance secrets store in `environments/{ENV}/inventory/group_vars/all/secrets.yml`. Other users can be defined by overriding the `basic_users_users` variable in your environment (templated into `environments/{ENV}/inventory/group_vars/all/basic_users.yml` by default). + +# Certificates + +The default configuration uses a self-signed certificate. Instead, you can bring your own certificate and key, or use Let's Encrypt to generate the initial certificate. See [../ansible/roles/openondemand/README.md](../ansible/roles/openondemand/README.md) for more details. diff --git a/environments/skeleton/{{cookiecutter.environment}}/tofu/variables.tf b/environments/skeleton/{{cookiecutter.environment}}/tofu/variables.tf index 592119c39..6432f8fe9 100644 --- a/environments/skeleton/{{cookiecutter.environment}}/tofu/variables.tf +++ b/environments/skeleton/{{cookiecutter.environment}}/tofu/variables.tf @@ -259,6 +259,7 @@ variable "login_security_groups" { default = [ "default", # allow all in-cluster services "SSH", # access via ssh + "HTTP", # HTTP-01 challenge and redirect to HTTPS "HTTPS", # access OpenOndemand ] }
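Review bot: Adding `"HTTP"` to the `login_security_groups` default opens port 80 on every new environment's login node even though `openondemand_certbot` defaults to false, so deployments that keep the self-signed or bring-your-own certificate gain an exposed plaintext port they never use. Since the HTTP-01 challenge is only needed while certbot runs, consider documenting that the group can be dropped when Let's Encrypt is not in use, e.g. `"HTTP", # Let's Encrypt HTTP-01 challenge; remove if openondemand_certbot is false`. The comment also asserts a redirect to HTTPS that nothing in this series visibly configures, so either point to where that redirect is set up or trim the comment to the challenge. The adjacent unchanged `# access OpenOndemand` comment still uses the spelling patch 1 corrected.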