diff --git a/src/roles/candlepin/tasks/main.yml b/src/roles/candlepin/tasks/main.yml index a3c1f88f..9398851e 100644 --- a/src/roles/candlepin/tasks/main.yml +++ b/src/roles/candlepin/tasks/main.yml @@ -47,6 +47,14 @@ notify: - Restart candlepin +- name: Create DB SSL cert + containers.podman.podman_secret: + state: present + name: candlepin-db-ca + data: "{{ lookup('ansible.builtin.file', candlepin_database_ssl_ca) if candlepin_database_ssl_ca else 'empty' }}" + notify: + - Restart candlepin + - name: Setup artemis ansible.builtin.include_tasks: file: artemis.yml @@ -76,6 +84,7 @@ - 'candlepin-artemis-cert-roles-properties,target=/etc/tomcat/cert-roles.properties,mode=440,type=mount' - 'candlepin-artemis-cert-users-properties,target=/etc/tomcat/cert-users.properties,mode=440,type=mount' - 'candlepin-artemis-jaas-conf,target=/etc/tomcat/conf.d/jaas.conf,mode=440,type=mount' + - 'candlepin-db-ca,target=/etc/candlepin/certs/db-ca.crt,mode=0440,type=mount' volumes: - /var/log/candlepin:/var/log/candlepin:Z - /var/log/tomcat:/var/log/tomcat:Z diff --git a/src/roles/candlepin/templates/candlepin.conf.j2 b/src/roles/candlepin/templates/candlepin.conf.j2 index 0a46138e..8a461c54 100644 --- a/src/roles/candlepin/templates/candlepin.conf.j2 +++ b/src/roles/candlepin/templates/candlepin.conf.j2 @@ -23,7 +23,7 @@ jpa.config.hibernate.hbm2ddl.auto=validate jpa.config.hibernate.connection.username={{ candlepin_database_user }} jpa.config.hibernate.connection.password={{ candlepin_database_password }} jpa.config.hibernate.connection.driver_class=org.postgresql.Driver -jpa.config.hibernate.connection.url=jdbc:postgresql://{{ candlepin_database_host }}:{{ candlepin_database_port }}/{{ candlepin_database_name }}?sslmode={{ candlepin_database_ssl_mode }}{% if candlepin_database_ssl_ca is defined %}&sslrootcert={{ candlepin_database_ssl_ca }}{% endif %} +jpa.config.hibernate.connection.url=jdbc:postgresql://{{ candlepin_database_host }}:{{ candlepin_database_port }}/{{ candlepin_database_name }}?sslmode={{ candlepin_database_ssl_mode }}{% if candlepin_database_ssl_ca is defined %}&sslrootcert=/etc/candlepin/certs/db-ca.crt{% endif %} org.quartz.jobStore.misfireThreshold=60000 diff --git a/src/roles/check_database_connection/tasks/main.yaml b/src/roles/check_database_connection/tasks/main.yaml index c0263cb5..8d855d08 100644 --- a/src/roles/check_database_connection/tasks/main.yaml +++ b/src/roles/check_database_connection/tasks/main.yaml @@ -8,8 +8,8 @@ user: "{{ foreman_database_user }}" password: "{{ foreman_database_password }}" dbname: "{{ foreman_database_name }}" - ca_cert: "{{ foreman_database_sslrootcert | default(omit) }}" - sslmode: "{{ foreman_database_sslmode | default(omit) }}" + ca_cert: "{{ foreman_database_ssl_ca | default(omit) }}" + sslmode: "{{ foreman_database_ssl_mode | default(omit) }}" - name: Candlepin host: "{{ candlepin_database_host }}" diff --git a/src/roles/foreman/defaults/main.yaml b/src/roles/foreman/defaults/main.yaml index 05118761..d071a433 100644 --- a/src/roles/foreman/defaults/main.yaml +++ b/src/roles/foreman/defaults/main.yaml @@ -7,8 +7,8 @@ foreman_database_user: foreman foreman_database_host: localhost foreman_database_port: 5432 foreman_database_pool: 9 -foreman_database_sslmode: disable -foreman_database_sslrootcert: +foreman_database_ssl_mode: disable +foreman_database_ssl_ca: foreman_url: "http://{{ ansible_facts['fqdn'] }}:3000" diff --git a/src/roles/foreman/tasks/main.yaml b/src/roles/foreman/tasks/main.yaml index d2f8c061..ba4db684 100644 --- a/src/roles/foreman/tasks/main.yaml +++ b/src/roles/foreman/tasks/main.yaml @@ -8,7 +8,7 @@ containers.podman.podman_secret: state: present name: foreman-database-url - data: "postgresql://{{ foreman_database_user }}:{{ foreman_database_password }}@{{ foreman_database_host }}:{{ foreman_database_port }}/{{ foreman_database_name }}?pool={{ foreman_database_pool }}&sslmode={{ foreman_database_sslmode }}{% if foreman_database_ssl_ca is defined %}&sslrootcert={{ foreman_database_ssl_ca }}{% endif %}" # yamllint disable-line rule:line-length + data: "postgresql://{{ foreman_database_user }}:{{ foreman_database_password }}@{{ foreman_database_host }}:{{ foreman_database_port }}/{{ foreman_database_name }}?pool={{ foreman_database_pool }}&sslmode={{ foreman_database_ssl_mode }}{% if foreman_database_ssl_ca is defined %}&sslrootcert=/etc/foreman/db-ca.crt{% endif %}" # yamllint disable-line rule:line-length notify: - Restart foreman - Restart dynflow-sidekiq@ @@ -84,6 +84,15 @@ - Restart foreman - Restart dynflow-sidekiq@ +- name: Create DB SSL cert + containers.podman.podman_secret: + state: present + name: foreman-db-ca + data: "{{ lookup('ansible.builtin.file', foreman_database_ssl_ca) if foreman_database_ssl_ca else 'empty' }}" + notify: + - Restart foreman + - Restart dynflow-sidekiq@ + - name: Deploy Foreman Container containers.podman.podman_container: name: "foreman" @@ -103,6 +112,7 @@ - 'foreman-ca-cert,type=mount,target=/etc/foreman/katello-default-ca.crt' - 'foreman-client-cert,type=mount,target=/etc/foreman/client_cert.pem' - 'foreman-client-key,type=mount,target=/etc/foreman/client_key.pem' + - 'foreman-db-ca,type=mount,target=/etc/foreman/db-ca.crt' env: FOREMAN_PUMA_THREADS_MIN: "{{ foreman_puma_threads_min }}" FOREMAN_PUMA_THREADS_MAX: "{{ foreman_puma_threads_max }}" @@ -135,6 +145,7 @@ - 'foreman-client-cert,type=mount,target=/etc/foreman/client_cert.pem' - 'foreman-client-key,type=mount,target=/etc/foreman/client_key.pem' - 'foreman-dynflow-worker-hosts-queue-yaml,type=mount,target=/etc/foreman/dynflow/worker-hosts-queue.yml' + - 'foreman-db-ca,type=mount,target=/etc/foreman/db-ca.crt' env: DYNFLOW_REDIS_URL: "redis://localhost:6379/6" REDIS_PROVIDER: "DYNFLOW_REDIS_URL" @@ -231,6 +242,7 @@ - 'foreman-seed-admin-user,type=env,target=SEED_ADMIN_USER' - 'foreman-seed-admin-password,type=env,target=SEED_ADMIN_PASSWORD' - 'foreman-settings-yaml,type=mount,target=/etc/foreman/settings.yaml' + - 'foreman-db-ca,type=mount,target=/etc/foreman/db-ca.crt' - name: Flush handlers to restart services ansible.builtin.meta: flush_handlers diff --git a/src/roles/pulp/defaults/main.yaml b/src/roles/pulp/defaults/main.yaml index 72db8f6c..cdea5745 100644 --- a/src/roles/pulp/defaults/main.yaml +++ b/src/roles/pulp/defaults/main.yaml @@ -35,7 +35,7 @@ pulp_database_user: pulp pulp_database_host: localhost pulp_database_port: 5432 pulp_database_ssl_mode: disabled -pulp_database_ssl_ca: None +pulp_database_ssl_ca: pulp_settings_database_env: PULP_DATABASES__default__NAME: "{{ pulp_database_name }}" @@ -43,7 +43,7 @@ pulp_settings_database_env: PULP_DATABASES__default__HOST: "{{ pulp_database_host }}" PULP_DATABASES__default__PORT: "{{ pulp_database_port }}" PULP_DATABASES__default__OPTIONS__sslmode: "{{ pulp_database_ssl_mode }}" - PULP_DATABASES__default__OPTIONS__sslrootcert: "{{ pulp_database_ssl_ca }}" + PULP_DATABASES__default__OPTIONS__sslrootcert: "/etc/pulp/certs/db-ca.crt" PULP_ENABLED_PLUGINS: >- {{ pulp_enabled_plugins }} diff --git a/src/roles/pulp/tasks/main.yaml b/src/roles/pulp/tasks/main.yaml index 79b5d563..a63ba38e 100644 --- a/src/roles/pulp/tasks/main.yaml +++ b/src/roles/pulp/tasks/main.yaml @@ -40,6 +40,16 @@ - Restart pulp-content - Restart pulp-worker +- name: Create DB SSL cert + containers.podman.podman_secret: + state: present + name: pulp-db-ca + data: "{{ lookup('ansible.builtin.file', pulp_database_ssl_ca) if pulp_database_ssl_ca else 'empty' }}" + notify: + - Restart pulp-api + - Restart pulp-content + - Restart pulp-worker + - name: Generate Django secret key ansible.builtin.command: "bash -c 'openssl rand -base64 50 | tr -d \"\\n\" | tr \"+/\" \"-_\" > /var/lib/pulp/django_secret_key'" args: @@ -92,6 +102,7 @@ secrets: - 'pulp-symmetric-key,type=mount,target=/etc/pulp/certs/database_fields.symmetric.key' - 'pulp-db-password,type=env,target=PULP_DATABASES__default__PASSWORD' + - 'pulp-db-ca,type=mount,target=/etc/pulp/certs/db-ca.crt' - 'pulp-django-secret-key,type=env,target=PULP_SECRET_KEY' env: "{{ pulp_settings_env }}" quadlet_options: @@ -122,6 +133,7 @@ secrets: - 'pulp-symmetric-key,type=mount,target=/etc/pulp/certs/database_fields.symmetric.key' - 'pulp-db-password,type=env,target=PULP_DATABASES__default__PASSWORD' + - 'pulp-db-ca,type=mount,target=/etc/pulp/certs/db-ca.crt' - 'pulp-django-secret-key,type=env,target=PULP_SECRET_KEY' env: "{{ pulp_settings_env }}" quadlet_options: @@ -152,6 +164,7 @@ secrets: - 'pulp-symmetric-key,type=mount,target=/etc/pulp/certs/database_fields.symmetric.key' - 'pulp-db-password,type=env,target=PULP_DATABASES__default__PASSWORD' + - 'pulp-db-ca,type=mount,target=/etc/pulp/certs/db-ca.crt' - 'pulp-django-secret-key,type=env,target=PULP_SECRET_KEY' env: "{{ pulp_settings_env }}" quadlet_options: @@ -202,6 +215,7 @@ secrets: - 'pulp-symmetric-key,type=mount,target=/etc/pulp/certs/database_fields.symmetric.key' - 'pulp-db-password,type=env,target=PULP_DATABASES__default__PASSWORD' + - 'pulp-db-ca,type=mount,target=/etc/pulp/certs/db-ca.crt' env: "{{ pulp_settings_database_env }}" - name: Ensure Pulp admin user exists @@ -215,6 +229,7 @@ secrets: - 'pulp-symmetric-key,type=mount,target=/etc/pulp/certs/database_fields.symmetric.key' - 'pulp-db-password,type=env,target=PULP_DATABASES__default__PASSWORD' + - 'pulp-db-ca,type=mount,target=/etc/pulp/certs/db-ca.crt' env: "{{ pulp_settings_database_env }}" - name: Flush handlers to restart services diff --git a/src/vars/database.yml b/src/vars/database.yml index 8061f626..3f4a73cd 100644 --- a/src/vars/database.yml +++ b/src/vars/database.yml @@ -2,7 +2,7 @@ database_host: localhost database_port: 5432 database_ssl_mode: disable -database_ssl_ca: None +database_ssl_ca: foreman_database_name: foreman foreman_database_user: foreman @@ -26,8 +26,8 @@ pulp_database_ssl_ca: "{{ database_ssl_ca }}" foreman_database_host: "{{ database_host }}" foreman_database_port: "{{ database_port }}" -foreman_database_sslmode: "{{ database_ssl_mode }}" -foreman_database_sslrootcert: "{{ database_ssl_ca }}" +foreman_database_ssl_mode: "{{ database_ssl_mode }}" +foreman_database_ssl_ca: "{{ database_ssl_ca }}" postgresql_databases: - name: "{{ candlepin_database_name }}"