diff --git a/src/playbooks/deploy/deploy.yaml b/src/playbooks/deploy/deploy.yaml
index acf37dc7..93800929 100644
--- a/src/playbooks/deploy/deploy.yaml
+++ b/src/playbooks/deploy/deploy.yaml
@@ -32,6 +32,9 @@
 foreman_client_certificate: "{{ client_certificate }}"
 foreman_oauth_consumer_key: abcdefghijklmnopqrstuvwxyz123456
 foreman_oauth_consumer_secret: abcdefghijklmnopqrstuvwxyz123456
+ foreman_listen_stream: /run/httpd.foreman.sock
+ foreman_url: "https://{{ ansible_fqdn }}"
+ httpd_foreman_backend: "unix://{{ foreman_listen_stream }}|http://%{HTTP_HOST}/"
 httpd_server_ca_certificate: "{{ server_ca_certificate }}"
 httpd_client_ca_certificate: "{{ client_ca_certificate }}"
 httpd_server_certificate: "{{ server_certificate }}"
diff --git a/src/roles/foreman/defaults/main.yaml b/src/roles/foreman/defaults/main.yaml
index 8868b2a0..b6582c5b 100644
--- a/src/roles/foreman/defaults/main.yaml
+++ b/src/roles/foreman/defaults/main.yaml
@@ -1,6 +1,8 @@
 ---
 foreman_container_image: "quay.io/evgeni/foreman-rpm"
 foreman_container_tag: "nightly"
+foreman_listen_stream: localhost:3000
+foreman_url: "http://{{ foreman_listen_stream }}"
 foreman_database_name: foreman
 foreman_database_user: foreman
diff --git a/src/roles/foreman/tasks/main.yaml b/src/roles/foreman/tasks/main.yaml
index c38c9a66..675b9979 100644
--- a/src/roles/foreman/tasks/main.yaml
+++ b/src/roles/foreman/tasks/main.yaml
@@ -46,6 +46,12 @@
 name: foreman-client-key
 path: "{{ foreman_client_key }}"
 
+- name: Deploy Foreman socket
+ ansible.builtin.template:
+ src: foreman.socket.j2
+ dest: /etc/systemd/system/foreman.socket
+ mode: '0644'
+
 - name: Deploy Foreman Container
 containers.podman.podman_container:
 name: "foreman"
@@ -64,6 +70,8 @@
 SEED_ADMIN_PASSWORD: changeme
 quadlet_options:
 - |
+ [Unit]
+ Requires=foreman.socket
 [Install]
 WantedBy=default.target
 
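Review bot: The new `httpd_foreman_backend` uses `%{HTTP_HOST}` as the hostname after the `|` of the unix-socket backend, but the only substitution ProxyPass documents is `${VAR}` under its `interpolate` option, so unless mod_proxy expands this form on the Apache version in use (please confirm), the name is taken literally: with `ProxyPreserveHost` off it becomes the Host header Foreman sees, and ProxyPassReverse compares backend redirects against `http://%{HTTP_HOST}/` and never rewrites them. Pinning the host removes the dependency on what foreman-ssl-vhost.conf.j2 does with `ProxyPreserveHost`: `httpd_foreman_backend: "unix://{{ foreman_listen_stream }}|http://{{ ansible_fqdn }}/"`. The `vars` mapping these three lines belong to starts outside the hunk.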
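Review bot: The default `foreman_url: "http://{{ foreman_listen_stream }}"` only makes sense while `foreman_listen_stream` is a host:port; deploy.yaml in this same commit switches it to a socket path and has to override `foreman_url` too, otherwise the derived value is `http:///run/httpd.foreman.sock`. Nothing in defaults/main.yaml states that coupling, so a role user who overrides just the listen stream gets a broken URL in settings.yaml and both wait tasks. Put it above the pair: `# foreman_listen_stream is host:port (TCP) or an absolute path (unix socket);` / `# when it is a path, foreman_url must be set explicitly, it cannot be derived`.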
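Review bot: The "Deploy Foreman socket" task writes `/etc/systemd/system/foreman.socket` but has no `notify` and no daemon reload follows it, so on a run where only the socket template changed systemd keeps the old unit definition; the quadlet task after it may reload as a side effect of its own work (I cannot tell from here), but a socket-only change does not trigger that task. The smallest fix is a follow-up task right after the template, `- name: Reload systemd for Foreman socket` / `  ansible.builtin.systemd:` / `    daemon_reload: true`, or a handler the template notifies. The quadlet hunk at `-64,6 +70,8` pulls the socket in with `Requires=foreman.socket`, so with a current unit definition no separate enable step is needed.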
@@ -119,7 +127,8 @@
 
 - name: Wait for Foreman service to be accessible
 ansible.builtin.uri:
- url: 'http://{{ ansible_hostname }}:3000/api/v2/ping'
+ url: '{{ foreman_url }}/api/v2/ping'
+ ca_path: '{{ ca_certificate }}'
 until: foreman_status.status == 200
 retries: 60
 delay: 5
@@ -137,7 +146,8 @@
 
 - name: Wait for Foreman tasks to be ready
 ansible.builtin.uri:
- url: 'http://{{ ansible_hostname }}:3000/api/v2/ping'
+ url: '{{ foreman_url }}/api/v2/ping'
+ ca_path: '{{ ca_certificate }}'
 until: foreman_tasks_status.json['results']['katello']['services']['foreman_tasks']['status'] == 'ok'
 retries: 60
 delay: 5
@@ -149,6 +159,9 @@
 theforeman.foreman.smart_proxy:
 name: "{{ ansible_fqdn }}"
 url: "https://{{ ansible_fqdn }}:9090"
- server_url: "http://{{ ansible_fqdn }}:3000"
+ server_url: "{{ foreman_url }}"
+ # TODO: requires https://github.com/theforeman/foreman-ansible-modules/commit/03298a74e6096c370a932de37aa62dbece3f452f
+ validate_certs: false
+ #ca_path: '{{ ca_certificate }}'
 username: admin
 password: changeme
diff --git a/src/roles/foreman/templates/foreman.socket.j2 b/src/roles/foreman/templates/foreman.socket.j2
new file mode 100644
index 00000000..a2b1d2dd
--- /dev/null
+++ b/src/roles/foreman/templates/foreman.socket.j2
@@ -0,0 +1,14 @@
+[Unit]
+Description=Foreman socket
+
+[Socket]
+ListenStream={{ foreman_listen_stream }}
+SocketUser=apache
+SocketMode=0600
+
+NoDelay=false
+ReusePort=true
+Backlog=1024
+
+[Install]
+WantedBy=sockets.target
diff --git a/src/roles/foreman/templates/settings.yaml.j2 b/src/roles/foreman/templates/settings.yaml.j2
index 17bad384..d39f7941 100644
--- a/src/roles/foreman/templates/settings.yaml.j2
+++ b/src/roles/foreman/templates/settings.yaml.j2
@@ -1,4 +1,6 @@
 ---
+:foreman_url: {{ foreman_url }}
+
 :ssl_certificate: /etc/foreman/client_cert.pem
 :ssl_ca_file: /etc/foreman/katello-default-ca.crt
 :ssl_priv_key: /etc/foreman/client_key.pem
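Review bot: `ca_path: '{{ ca_certificate }}'` makes this wait task (and the identical one at `-137,7 +146,8`) depend on a variable that the role's defaults in this commit do not define; a role user without the deploy playbook's vars now gets an undefined-variable failure rather than a validated connection. Either add `ca_certificate` to defaults/main.yaml or fall back to the system trust store with `ca_path: "{{ ca_certificate | default(omit) }}"` — omitting `ca_path` leaves `validate_certs` at its default of true, so verification is not weakened. The lines of the task after `delay: 5` are outside the hunk.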
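Review bot: `validate_certs: false` disables server-certificate verification on the one call that carries the admin credentials (`username: admin` / `password: changeme` two lines below), so the smart-proxy registration now accepts any certificate presented at `{{ foreman_url }}`; the TODO explains why but gives no condition for removing it. If the module's HTTP client honours the usual bundle variable (foreman-ansible-modules is requests-based as far as I know — confirm), verification can stay on without the not-yet-available `ca_path` parameter: add `environment: { REQUESTS_CA_BUNDLE: "{{ ca_certificate }}" }` to the task and drop `validate_certs: false`. Otherwise extend the TODO with the module version that ships the referenced commit so the workaround has a defined end.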
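Review bot: `SocketUser=apache` and `SocketMode=0600` only take effect when `ListenStream=` is a filesystem path; with the role default `localhost:3000` this unit creates a TCP listener reachable by every local process and the two directives silently do nothing, so the least-privilege intent only holds for the deploy.yaml configuration. Because Jinja comments never reach the rendered unit, state this as a unit-file comment in the `[Socket]` section, e.g. `# SocketUser/SocketMode restrict only a unix socket; a host:port value is reachable by any local user`. Whether the Foreman process in the container actually picks up the passed-in descriptor is not visible in this diff and is worth a sentence in the same comment once confirmed.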
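Review bot: `:foreman_url: {{ foreman_url }}` renders the value as a plain scalar, so a URL that ever contains `: ` or ` #` breaks or truncates the YAML and an empty expansion becomes null rather than an empty string. Quote it: `:foreman_url: '{{ foreman_url }}'`. The same applies to the foreman_proxy settings.yaml.j2 hunk at `-7,7 +7,7`.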
diff --git a/src/roles/foreman_proxy/templates/settings.yaml.j2 b/src/roles/foreman_proxy/templates/settings.yaml.j2
index 5cdf0667..01d02ed3 100644
--- a/src/roles/foreman_proxy/templates/settings.yaml.j2
+++ b/src/roles/foreman_proxy/templates/settings.yaml.j2
@@ -7,7 +7,7 @@
 :trusted_hosts:
 - {{ ansible_fqdn }}
-:foreman_url: http://{{ ansible_fqdn }}:3000
+:foreman_url: {{ foreman_url }}
 :foreman_ssl_ca: /etc/foreman-proxy/foreman_ssl_ca.pem
 :foreman_ssl_cert: /etc/foreman-proxy/foreman_ssl_cert.pem
diff --git a/src/roles/httpd/defaults/main.yml b/src/roles/httpd/defaults/main.yml
index 93399472..8361c753 100644
--- a/src/roles/httpd/defaults/main.yml
+++ b/src/roles/httpd/defaults/main.yml
@@ -1,4 +1,4 @@
 httpd_ssl_dir: /etc/pki/httpd
 httpd_pulp_api_backend: http://localhost:24817
 httpd_pulp_content_backend: http://localhost:24816
-httpd_foreman_backend: http://localhost:3000
+httpd_foreman_backend: http://localhost:3000/
diff --git a/src/roles/httpd/tasks/main.yml b/src/roles/httpd/tasks/main.yml
index 727eff02..82d3bcb4 100644
--- a/src/roles/httpd/tasks/main.yml
+++ b/src/roles/httpd/tasks/main.yml
@@ -12,6 +12,13 @@
 state: true
 persistent: true
 
+# TODO: probably not the right boolean
+- name: Set daemons_enable_cluster_mode so Apache can connect to unix sockets
+ ansible.posix.seboolean:
+ name: daemons_enable_cluster_mode
+ state: true
+ persistent: true
+
 - name: Disable welcome page
 ansible.builtin.file:
 path: /etc/httpd/conf.d/welcome.conf
diff --git a/src/roles/httpd/templates/foreman-ssl-vhost.conf.j2 b/src/roles/httpd/templates/foreman-ssl-vhost.conf.j2
index 6b972413..5df92d02 100644
--- a/src/roles/httpd/templates/foreman-ssl-vhost.conf.j2
+++ b/src/roles/httpd/templates/foreman-ssl-vhost.conf.j2
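Review bot: The trailing slash is now part of `httpd_foreman_backend`'s contract: the vhost template hunk at `-70,8 +70,8` writes `ProxyPass / {{ httpd_foreman_backend }}` with no separator, and ProxyPass requires the target to end in `/` when the path does, otherwise `/foo` is forwarded as `http://localhost:3000foo`. Nothing in defaults/main.yml tells an overriding user that; add `# must end with "/": the vhost template uses it verbatim after "ProxyPass /"` above the line. The socket-backed value in deploy.yaml already ends with `/`.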
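Review bot: `daemons_enable_cluster_mode` is a policy-wide tunable rather than an httpd-specific one (as far as the policy's boolean description goes — `sesearch -b daemons_enable_cluster_mode -A` shows exactly what it unlocks), so as a fix for one unix-socket connect it loosens SELinux for every daemon domain on the host; the TODO admits the doubt but nothing bounds the change. Two narrower options are worth trying before keeping it: place the socket under a path whose default label httpd already handles (`/run/httpd/`, `httpd_var_run_t` — check with `matchpathcon`), or take the single rule the AVC denial asks for from `ausearch -m AVC -c httpd` and ship it as a small custom module. Whichever is chosen, replace the TODO with a comment naming the denial that was actually observed.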
@@ -70,8 +70,8 @@
 ProxyPass /pulp !
 ProxyPass /icons !
 ProxyPass /server-status !
- ProxyPass / {{ httpd_foreman_backend }}/ retry=0 timeout=900
- ProxyPassReverse / {{ httpd_foreman_backend }}/
+ ProxyPass / {{ httpd_foreman_backend }} retry=0 timeout=900
+ ProxyPassReverse / {{ httpd_foreman_backend }}
 AddDefaultCharset UTF-8