feat(conf): setup SSL certificate for Slurm-web

rezib · rezib · commit db9722502682 · 2025-11-19T17:37:37.000+01:00
Add SSL/TLS certificate for Slurm-web with internal CA.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -12,6 +12,7 @@ and this project adheres to
 - conf:
   - Add pkgs.rackslab.io packages repositories by default.
   - Support GPU gres without model in Slurm configuration.
+  - Add SSL/TLS certificate for Slurm-web with internal CA.
 - cli: Add `deploy --update-os-image` option to force download of base OS image
   when already present on host.
 - lib: Add `deploy --update-os-image` option in bash-completion.
diff --git a/conf/bootstrap.yml b/conf/bootstrap.yml
@@ -20,6 +20,12 @@
     include_role:
       name: redis
       tasks_from: bootstrap
+  - name: Generate Slurm-web CA certificate
+    vars:
+      slurmweb_bootstrap: true  # used to skip role dependencies
+    include_role:
+      name: slurmweb
+      tasks_from: bootstrap
 
 - hosts: all
   connection: machinectl
diff --git a/conf/group_vars/all.yml b/conf/group_vars/all.yml
@@ -1,7 +1,7 @@
 # shared variables
 fhpc_local_ssh_dir: "{{ fhpc_cluster_state_dir }}/ssh"
 fhpc_local_ca_dir: "{{ fhpc_cluster_state_dir }}/ca"
-fhpc_ldap_server: "{{ groups['admin'][0] }}"
+fhpc_admin_server: "{{ groups['admin'][0] }}"
 fhpc_ldap_base: "dc=cluster,dc={{ fhpc_cluster }}"
 fhpc_primary_group: "{{ fhpc_groups[0].name }}"
 fhpc_slurm_with_jwt: false
@@ -16,20 +16,20 @@ common_ip_addresses: "{{ fhpc_addresses }}"
 common_cluster: "{{ fhpc_cluster }}"
 ssh_key_dir: "{{ fhpc_local_ssh_dir }}"
 ldap_local_ca_dir: "{{ fhpc_local_ca_dir }}"
-ldap_server_hostname: "{{ fhpc_ldap_server }}"
+ldap_server_hostname: "{{ fhpc_admin_server }}"
 ldap_local_admin_password_file: "{{ fhpc_cluster_state_dir }}/ldap/ldap.password"
 ldap_base: "dc=cluster,dc={{ fhpc_cluster }}"
 ldap_domain: "cluster.{{ fhpc_cluster }}"
 ldap_email_domain: "cluster.{{ fhpc_cluster }}"
 ldap_users: "{{ fhpc_users }}"
 ldap_groups: "{{ fhpc_groups }}"
 sssd_ldap_base: "{{ fhpc_ldap_base }}"
-sssd_ldap_server: "{{ fhpc_ldap_server }}"
+sssd_ldap_server: "{{ fhpc_admin_server }}"
 users_ssh_host_key_dir: "{{ fhpc_local_ssh_dir }}"
 users_defs: "{{ fhpc_users }}"
 users_group: "{{ fhpc_primary_group }}"
 slurm_emulator: "{{ fhpc_emulator_mode }}"
-slurm_server: "{{ groups['admin'][0] }}"
+slurm_server: "{{ fhpc_admin_server }}"
 # This hash associates slurm profiles in keys with a group of nodes on which the
 # the profile must be applied when slurm_emulator is false. When slurm_emulator
 # is true, all slurm profiles are applied on the single admin node.
@@ -52,6 +52,8 @@ slurm_restd_port: "{{ fhpc_slurmrestd_port }}"
 slurm_accounts: "{{ fhpc_groups }}"
 racksdb_database: "{{ fhpc_db }}"
 redis_local_password_file: "{{ fhpc_cluster_state_dir }}/redis/redis.password"
+slurmweb_local_ca_dir: "{{ fhpc_local_ca_dir }}"
+slurmweb_hostname: "{{ fhpc_admin_server }}"
 slurmweb_local_slurmrestd_jwt_key_file: "{{ fhpc_local_slurm_jwt_key }}"
 slurmweb_slurmrestd_uri: "{{ fhpc_slurmrestd_with_unix_socket | ternary('unix:' ~ fhpc_slurmrestd_socket, 'http://localhost:' ~ fhpc_slurmrestd_port ) }}"
 slurmweb_slurmrestd_auth: "{{ fhpc_slurm_with_jwt | ternary('jwt', 'local') }}"
@@ -73,14 +75,14 @@ slurmweb_agent_settings_defaults:
     password: "{{ lookup('ansible.builtin.file', redis_local_password_file) }}"
 slurmweb_gateway_settings_defaults:
   ui:
-    host: "http://{{ slurmweb_hostname }}.{{ fhpc_namespace }}"
+    host: "https://{{ slurmweb_hostname }}.{{ fhpc_namespace }}"
   agents:
-    url: "http://{{ slurmweb_hostname }}/{{ slurmweb_agent_subdir }}"
+    url: "https://{{ slurmweb_hostname }}/{{ slurmweb_agent_subdir }}"
   authentication:
     enabled: yes
   ldap:
-    uri: "ldaps://{{ fhpc_ldap_server }}/"
+    uri: "ldaps://{{ fhpc_admin_server }}/"
     user_base: "ou=people,{{ fhpc_ldap_base }}"
     group_base: "ou=groups,{{ fhpc_ldap_base }}"
-metrics_ldap_server: "{{ fhpc_ldap_server }}"
+metrics_ldap_server: "{{ fhpc_admin_server }}"
 metrics_ldap_search_base: "{{ fhpc_ldap_base }}"
diff --git a/conf/roles/slurmweb/defaults/main.yml b/conf/roles/slurmweb/defaults/main.yml
@@ -1,5 +1,6 @@
 ---
 slurmweb_enabled: false
+slurmweb_bootstrap: false
 slurmweb_hostname: "{{ inventory_hostname }}"
 slurmweb_http_server_names:
 - "{{ slurmweb_hostname }}"
@@ -16,3 +17,14 @@ slurmweb_agent_settings_defaults: {}
 slurmweb_gateway_settings_defaults: {}
 slurmweb_agent_settings: {}
 slurmweb_gateway_settings: {}
+slurmweb_local_ca_dir: ca  # dummy
+slurmweb_local_ca_password_file: "{{ slurmweb_local_ca_dir }}/ca.password"
+slurmweb_local_ca_key_file: "{{ slurmweb_local_ca_dir }}/key.pem"
+slurmweb_local_ca_cert_file: "{{ slurmweb_local_ca_dir }}/ca.crt"
+slurmweb_local_tls_key_file: "{{ slurmweb_local_ca_dir }}/key-slurmweb.pem"
+slurmweb_local_tls_cert_file: "{{ slurmweb_local_ca_dir }}/cert-slurmweb.crt"
+
+slurmweb_tls_dir: /etc/slurm-web/tls
+slurmweb_tls_ca_cert_file: "{{ slurmweb_tls_dir }}/ca.crt"
+slurmweb_tls_cert_file: "{{ slurmweb_tls_dir }}/cert.crt"
+slurmweb_tls_key_file: "{{ slurmweb_tls_dir }}/key.pem"
diff --git a/conf/roles/slurmweb/meta/main.yml b/conf/roles/slurmweb/meta/main.yml
@@ -3,4 +3,6 @@ dependencies:
   - role: nginx
     nginx_site_template: ../../slurmweb/templates/nginx.conf.j2
     nginx_site_filename: slurm-web
+    when: not slurmweb_bootstrap
   - role: redis
+    when: not slurmweb_bootstrap
diff --git a/conf/roles/slurmweb/tasks/bootstrap.yml b/conf/roles/slurmweb/tasks/bootstrap.yml
@@ -0,0 +1,30 @@
+---
+- name: Create local slurm-web CA certificate directory
+  ansible.builtin.file:
+    path: "{{ slurmweb_local_ca_dir }}"
+    state: directory
+    recurse: true
+
+- name: Create Slurm-web private key for TLS certificate
+  community.crypto.openssl_privatekey:
+    path: "{{ slurmweb_local_tls_key_file }}"
+
+- name: Create certificate signing request (CSR) for Slurm-web TLS certificate
+  community.crypto.openssl_csr_pipe:
+    privatekey_path: "{{ slurmweb_local_tls_key_file }}"
+    common_name: "{{ slurmweb_hostname }}"
+    subject_alt_name:
+      - "DNS:{{ slurmweb_hostname }}"
+  register: csr
+
+- name: Sign Slurm-web certificate with internal CA
+  community.crypto.x509_certificate:
+    csr_content: "{{ csr.csr }}"
+    provider: ownca
+    ownca_path: "{{ slurmweb_local_ca_cert_file }}"
+    ownca_privatekey_path: "{{ slurmweb_local_ca_key_file }}"
+    ownca_privatekey_passphrase: "{{ lookup('ansible.builtin.file', slurmweb_local_ca_password_file) }}"
+    ownca_not_after: +365d  # valid for one year
+    ownca_not_before: "-1d"  # valid since yesterday
+    path: "{{ slurmweb_local_tls_cert_file }}"
+    force: true  # override possibly existing certificate
diff --git a/conf/roles/slurmweb/tasks/main.yml b/conf/roles/slurmweb/tasks/main.yml
@@ -89,6 +89,28 @@
   when:
   - slurmweb_slurmrestd_auth == 'local'
 
+- name: Create Slurm-web SSL directory
+  ansible.builtin.file:
+    path: "{{ slurmweb_tls_dir }}"
+    state: directory
+    recurse: true
+
+- name: Deploy Slurm-web TLS certificate
+  ansible.builtin.copy:
+    src: "{{ slurmweb_local_tls_cert_file }}"
+    dest: "{{ slurmweb_tls_cert_file }}"
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Deploy Slurm-web TLS key
+  ansible.builtin.copy:
+    src: "{{ slurmweb_local_tls_key_file }}"
+    dest: "{{ slurmweb_tls_key_file }}"
+    owner: root
+    group: root
+    mode: 0600
+
 - name: Ensure Slurm-web uWGSI are started
   ansible.builtin.systemd_service:
     name: "slurm-web-{{ item }}-uwsgi"
diff --git a/conf/roles/slurmweb/templates/nginx.conf.j2 b/conf/roles/slurmweb/templates/nginx.conf.j2
@@ -4,6 +4,19 @@ server {
     listen [::]:80;
     server_name {{ slurmweb_http_server_names | join(' ') }};
 
+    # Redirect HTTP to HTTPS
+    return 301 https://$host$request_uri;
+}
+
+# {{ slurmweb_http_server_names | join(',')}}:443
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name {{ slurmweb_http_server_names | join(' ') }};
+
+    ssl_certificate {{ slurmweb_tls_cert_file }};
+    ssl_certificate_key {{ slurmweb_tls_key_file }};
+
     location / {
         include uwsgi_params;
         uwsgi_pass unix:/run/slurm-web-gateway/uwsgi.sock;
