From 247c1d51441d4d61833b6593d529a9bde5154cca Mon Sep 17 00:00:00 2001
From: Martyn Gigg
Date: Thu, 11 Jun 2026 08:48:44 +0100
Subject: [PATCH 1/2] Remove date-based directories for certificate requests.

The requests are always the same
---
 {certs => infra/certs}/.gitignore | 0
 {certs => infra/certs}/README.md | 0
 .../analytics.isis.cclrc.ac.uk}/analytics_isis_cclrc_ac_uk.cnf | 0
 .../dev-analytics_isis_cclrc_ac_uk.cnf | 0
 4 files changed, 0 insertions(+), 0 deletions(-)
 rename {certs => infra/certs}/.gitignore (100%)
 rename {certs => infra/certs}/README.md (100%)
 rename {certs/analytics.isis.cclrc.ac.uk/2025-06 => infra/certs/analytics.isis.cclrc.ac.uk}/analytics_isis_cclrc_ac_uk.cnf (100%)
 rename {certs/dev-analytics.isis.cclrc.ac.uk/2026-01 => infra/certs/dev-analytics.isis.cclrc.ac.uk}/dev-analytics_isis_cclrc_ac_uk.cnf (100%)
diff --git a/certs/.gitignore b/infra/certs/.gitignore
similarity index 100%
rename from certs/.gitignore
rename to infra/certs/.gitignore
diff --git a/certs/README.md b/infra/certs/README.md
similarity index 100%
rename from certs/README.md
rename to infra/certs/README.md
diff --git a/certs/analytics.isis.cclrc.ac.uk/2025-06/analytics_isis_cclrc_ac_uk.cnf b/infra/certs/analytics.isis.cclrc.ac.uk/analytics_isis_cclrc_ac_uk.cnf
similarity index 100%
rename from certs/analytics.isis.cclrc.ac.uk/2025-06/analytics_isis_cclrc_ac_uk.cnf
rename to infra/certs/analytics.isis.cclrc.ac.uk/analytics_isis_cclrc_ac_uk.cnf
diff --git a/certs/dev-analytics.isis.cclrc.ac.uk/2026-01/dev-analytics_isis_cclrc_ac_uk.cnf b/infra/certs/dev-analytics.isis.cclrc.ac.uk/dev-analytics_isis_cclrc_ac_uk.cnf
similarity index 100%
rename from certs/dev-analytics.isis.cclrc.ac.uk/2026-01/dev-analytics_isis_cclrc_ac_uk.cnf
rename to infra/certs/dev-analytics.isis.cclrc.ac.uk/dev-analytics_isis_cclrc_ac_uk.cnf
From 8462044259ef7b3f140bd583b68837ca3a572380 Mon Sep 17 00:00:00 2001
From: Martyn Gigg Date: Thu, 11 Jun 2026 10:43:58 +0100 Subject: [PATCH 2/2] Replace hard-coded openssl CNF files with Ansible playbook. Ansible already has access to the keys and domain name. This avoid duplication and having to copy certificates around to generate new signing request files by hand. --- docs-devel/deployment/index.md | 4 +++ docs-devel/readme.md | 1 - infra/ansible/.gitignore | 1 + infra/ansible/site_csr.yml | 14 ++++++++ infra/certs/.gitignore | 2 -- infra/certs/README.md | 33 ------------------- .../analytics_isis_cclrc_ac_uk.cnf | 11 ------- .../dev-analytics_isis_cclrc_ac_uk.cnf | 11 ------- 8 files changed, 19 insertions(+), 58 deletions(-) create mode 100644 infra/ansible/site_csr.yml delete mode 100644 infra/certs/.gitignore delete mode 100644 infra/certs/README.md delete mode 100644 infra/certs/analytics.isis.cclrc.ac.uk/analytics_isis_cclrc_ac_uk.cnf delete mode 100644 infra/certs/dev-analytics.isis.cclrc.ac.uk/dev-analytics_isis_cclrc_ac_uk.cnf diff --git a/docs-devel/deployment/index.md b/docs-devel/deployment/index.md index 45a88220..f6e2e8fd 100644 --- a/docs-devel/deployment/index.md +++ b/docs-devel/deployment/index.md @@ -42,3 +42,7 @@ Once deployed the services are available at: | Lakekeeper UI | | | Superset (accelerator) | | | Superset (experiment_ops) | | + +## Certificates + +See [certificates](certificates.md) for details on certificate management. diff --git a/docs-devel/readme.md b/docs-devel/readme.md index cd1589a3..f609cff8 100644 --- a/docs-devel/readme.md +++ b/docs-devel/readme.md @@ -16,7 +16,6 @@ the future. ```text . -├── certs/ # Certificate request configurations used for HTTPS/SSL ├── docs/ # User-facing documentation site (MkDocs). See docs/src for content. ├── docs-devel/ # Developer documentation (this directory). ├── elt-common/ # Reusable Python package with common ELT helpers used by the warehouses diff --git a/infra/ansible/.gitignore b/infra/ansible/.gitignore index 9cf16516..5ca521da 100644 
--- a/infra/ansible/.gitignore
+++ b/infra/ansible/.gitignore
@@ -4,3 +4,4 @@ condaenv/
 galaxy_roles
 *.ini
 inventory.yml
+*.csr
diff --git a/infra/ansible/site_csr.yml b/infra/ansible/site_csr.yml
new file mode 100644
index 00000000..462af265
--- /dev/null
+++ b/infra/ansible/site_csr.yml
@@ -0,0 +1,14 @@
+---
+- name: Generate certificate signing request
+ hosts: localhost
+ gather_facts: false
+ tasks:
+ - name: Generate an OpenSSL Certificate Signing Request
+ community.crypto.openssl_csr:
+ path: "{{ csr_out_path }}"
+ privatekey_content: "{{ vault_tls_key }}"
+ country_name: GB
+ state_or_province_name: Wiltshire
+ organization_name: UK Research and Innovation
+ organizational_unit_name: STFC
+ common_name: "{{ top_level_domain }}"
diff --git a/infra/certs/.gitignore b/infra/certs/.gitignore
deleted file mode 100644
index d1386810..00000000
--- a/infra/certs/.gitignore
+++ /dev/null
@@ -1,2 +0,0 @@
-*.csr
-*.key
diff --git a/infra/certs/README.md b/infra/certs/README.md
deleted file mode 100644
index d0d7a809..00000000
--- a/infra/certs/README.md
+++ /dev/null
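Review bot: The CSR built in site_csr.yml carries only a CN and no subjectAltName, so unless the CA fills the SAN in from the CN, the issued certificate will be rejected by modern TLS clients, which ignore CN for host-name matching; add `subject_alt_name: ["DNS:{{ top_level_domain }}"]` next to `common_name`. The deleted .cnf files had the same gap, so this is not a regression, but the move to a playbook is the right place to close it. `privatekey_content: "{{ vault_tls_key }}"` hands the private key to the task; community.crypto appears to mark that option no_log, but confirm the key is not echoed on failure or under -v, and a `no_log: true` on the task costs nothing. `csr_out_path` and `top_level_domain` are not defined in the play and presumably come from the inventory or -e, so a one-line comment naming where they are set would save the next reader a search.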
@@ -1,33 +0,0 @@
-# Certificates
-
-The subdirectories contain the certificate request configurations for the
-project, by domain. Each subdirectory is named as `/YYYY-MM` where `YYYY-MM`
-is the date that the request was made.
-
-The keys and certificates are stored in a shared folder in Keeper and the latest
-is stored in the Ansible vault.
-
-## Generate a new certificate request
-
-- Make a new directory named using the current year/month in the format above.
-- Copy the previous certificate request configuration file (*.cnf) to the new directory
-
-The next step depends on whether you already have a key. If you have an existing key, run:
-
-```sh
-openssl req -nodes -new -key [SERVER_NAME].key -out [SERVER_NAME].csr -config [SERVER_NAME].cnf
-```
-
-If you need to generate a new key, run:
-
-```sh
-openssl req -nodes -new -newkey rsa:4096 -keyout [SERVER_NAME].key -out [SERVER_NAME].csr -config [SERVER_NAME].cnf
-```
-
-where `[SERVER_NAME]` should be replaced by the domain name of the server.
-
-## Installing the new certificate chain
-
-The certificate authority will return the certificate chain in a variety of different formats and
-combinations. For use with our Traefik proxy select the "Certificate (w/ issuer after), PEM encoded"
-bundle. Update the relevant Ansible vault with the new content.
diff --git a/infra/certs/analytics.isis.cclrc.ac.uk/analytics_isis_cclrc_ac_uk.cnf b/infra/certs/analytics.isis.cclrc.ac.uk/analytics_isis_cclrc_ac_uk.cnf
deleted file mode 100644
index 616d1c03..00000000
--- a/infra/certs/analytics.isis.cclrc.ac.uk/analytics_isis_cclrc_ac_uk.cnf
+++ /dev/null
@@ -1,11 +0,0 @@
-####################################################################
-[ req ]
-distinguished_name = req_distinguished_name
-prompt = no
-
-[ req_distinguished_name ]
-C = GB
-ST = Wiltshire
-O = UK Research and Innovation
-OU = STFC
-CN = analytics.isis.cclrc.ac.uk
diff --git a/infra/certs/dev-analytics.isis.cclrc.ac.uk/dev-analytics_isis_cclrc_ac_uk.cnf b/infra/certs/dev-analytics.isis.cclrc.ac.uk/dev-analytics_isis_cclrc_ac_uk.cnf
deleted file mode 100644
index 7c5f0ed4..00000000
--- a/infra/certs/dev-analytics.isis.cclrc.ac.uk/dev-analytics_isis_cclrc_ac_uk.cnf
+++ /dev/null
@@ -1,11 +0,0 @@
-####################################################################
-[ req ]
-distinguished_name = req_distinguished_name
-prompt = no
-
-[ req_distinguished_name ]
-C = GB
-ST = Wiltshire
-O = UK Research and Innovation
-OU = STFC
-CN = dev-analytics.isis.cclrc.ac.uk