9 changes: 9 additions & 0 deletions src/roles/candlepin/tasks/main.yml
Expand Up @@ -47,6 +47,14 @@
notify:
- Restart candlepin

- name: Create DB SSL cert
containers.podman.podman_secret:
state: present
name: candlepin-db-ca
data: "{{ lookup('ansible.builtin.file', candlepin_database_ssl_ca) if candlepin_database_ssl_ca else 'empty' }}"
Member
This is creating an empty secret if there is no database SSL cert? Why not use a when conditional on the secret?

Member Author
Because then I need to also conditionally mount it, and that's painful ;)

notify:
- Restart candlepin

- name: Setup artemis
ansible.builtin.include_tasks:
file: artemis.yml
Expand Down Expand Up @@ -76,6 +84,7 @@
- 'candlepin-artemis-cert-roles-properties,target=/etc/tomcat/cert-roles.properties,mode=440,type=mount'
- 'candlepin-artemis-cert-users-properties,target=/etc/tomcat/cert-users.properties,mode=440,type=mount'
- 'candlepin-artemis-jaas-conf,target=/etc/tomcat/conf.d/jaas.conf,mode=440,type=mount'
- 'candlepin-db-ca,target=/etc/candlepin/certs/db-ca.crt,mode=0440,type=mount'
volumes:
- /var/log/candlepin:/var/log/candlepin:Z
- /var/log/tomcat:/var/log/tomcat:Z
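Review bot: The new `Create DB SSL cert` task reads `candlepin_database_ssl_ca` with `lookup('ansible.builtin.file', …)`, which resolves the path on the Ansible controller, while the removed `sslrootcert={{ candlepin_database_ssl_ca }}` in candlepin.conf.j2 treated it as a path visible to the service; nothing in the hunk records that change of meaning, and the same pattern is repeated in the foreman and pulp task files of this PR. I'd put `# candlepin_database_ssl_ca is a path on the controller; its contents are shipped as a podman secret and mounted at /etc/candlepin/certs/db-ca.crt` above the task. The `'empty'` placeholder is not PEM, so with `verify-ca`/`verify-full` and no CA the connection fails instead of silently skipping verification, which is the safe direction, but it deserves a second comment so nobody later "fixes" it into a real certificate path. Whether `podman_secret` with `state: present` replaces an existing secret when `data` later changes varies by collection version (older releases need `force: true`), so a CA configured after the first run may never reach the container; please confirm against the pinned collection.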
2 changes: 1 addition & 1 deletion src/roles/candlepin/templates/candlepin.conf.j2
Expand Up @@ -23,7 +23,7 @@ jpa.config.hibernate.hbm2ddl.auto=validate
jpa.config.hibernate.connection.username={{ candlepin_database_user }}
jpa.config.hibernate.connection.password={{ candlepin_database_password }}
jpa.config.hibernate.connection.driver_class=org.postgresql.Driver
jpa.config.hibernate.connection.url=jdbc:postgresql://{{ candlepin_database_host }}:{{ candlepin_database_port }}/{{ candlepin_database_name }}?sslmode={{ candlepin_database_ssl_mode }}{% if candlepin_database_ssl_ca is defined %}&sslrootcert={{ candlepin_database_ssl_ca }}{% endif %}
jpa.config.hibernate.connection.url=jdbc:postgresql://{{ candlepin_database_host }}:{{ candlepin_database_port }}/{{ candlepin_database_name }}?sslmode={{ candlepin_database_ssl_mode }}{% if candlepin_database_ssl_ca is defined %}&sslrootcert=/etc/candlepin/certs/db-ca.crt{% endif %}


org.quartz.jobStore.misfireThreshold=60000
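Review bot: `{% if candlepin_database_ssl_ca is defined %}` no longer does what it looks like: with `database_ssl_ca:` now defaulting to null in src/vars/database.yml and the secret task testing truthiness (`if candlepin_database_ssl_ca else 'empty'`), a variable that is defined but empty still appends `&sslrootcert=/etc/candlepin/certs/db-ca.crt` and points the driver at the `empty` placeholder. Assuming `candlepin_database_ssl_ca` is derived from `database_ssl_ca` the way the sibling `pulp_database_ssl_ca` shown in that file is, the test should match the task: `{% if candlepin_database_ssl_ca %}&sslrootcert=/etc/candlepin/certs/db-ca.crt{% endif %}`. The same `is defined` test is in the new `foreman-database-url` line in src/roles/foreman/tasks/main.yaml and wants the same change.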
4 changes: 2 additions & 2 deletions src/roles/check_database_connection/tasks/main.yaml
Expand Up @@ -8,8 +8,8 @@
user: "{{ foreman_database_user }}"
password: "{{ foreman_database_password }}"
dbname: "{{ foreman_database_name }}"
ca_cert: "{{ foreman_database_sslrootcert | default(omit) }}"
sslmode: "{{ foreman_database_sslmode | default(omit) }}"
ca_cert: "{{ foreman_database_ssl_ca | default(omit) }}"
sslmode: "{{ foreman_database_ssl_mode | default(omit) }}"

- name: Candlepin
host: "{{ candlepin_database_host }}"
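Review bot: `ca_cert: "{{ foreman_database_ssl_ca | default(omit) }}"` stops omitting the parameter once this PR lands, because `foreman_database_ssl_ca` is now always defined (null in the role defaults) and `default(omit)` only fires for undefined values; use `ca_cert: "{{ foreman_database_ssl_ca | default(omit, true) }}"` so an empty value is omitted as well. Separately, this module runs on the target, so `ca_cert` is read as a target-side path, whereas src/roles/foreman/tasks/main.yaml now reads the same variable with `lookup('ansible.builtin.file', …)` on the controller; unless controller and target are the same machine, one of the two sees a file that is not there. Treating the variable as controller-side everywhere (for example copying the CA to the target before this check) would remove the ambiguity. The enclosing task starts above the hunk, so the module name and the Candlepin entry's `ca_cert` line are not visible here.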
4 changes: 2 additions & 2 deletions src/roles/foreman/defaults/main.yaml
Expand Up @@ -7,8 +7,8 @@ foreman_database_user: foreman
foreman_database_host: localhost
foreman_database_port: 5432
foreman_database_pool: 9
foreman_database_sslmode: disable
foreman_database_sslrootcert:
foreman_database_ssl_mode: disable
foreman_database_ssl_ca:

foreman_url: "http://{{ ansible_facts['fqdn'] }}:3000"

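Review bot: Renaming `foreman_database_sslmode` to `foreman_database_ssl_mode` and `foreman_database_sslrootcert` to `foreman_database_ssl_ca` has no fallback, so an inventory that still sets the old names silently gets `disable` and no CA, i.e. database TLS is switched off without any error. A transitional default such as `foreman_database_ssl_mode: "{{ foreman_database_sslmode | default('disable') }}"` (and the equivalent for the CA variable), or at least a changelog entry, would make the break visible. The bare `foreman_database_ssl_ca:` is a YAML null; writing `null` explicitly with a comment `# controller-side path to the DB CA certificate; empty ships no CA` states the intent instead of leaving the reader to guess.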
14 changes: 13 additions & 1 deletion src/roles/foreman/tasks/main.yaml
Expand Up @@ -8,7 +8,7 @@
containers.podman.podman_secret:
state: present
name: foreman-database-url
data: "postgresql://{{ foreman_database_user }}:{{ foreman_database_password }}@{{ foreman_database_host }}:{{ foreman_database_port }}/{{ foreman_database_name }}?pool={{ foreman_database_pool }}&sslmode={{ foreman_database_sslmode }}{% if foreman_database_ssl_ca is defined %}&sslrootcert={{ foreman_database_ssl_ca }}{% endif %}" # yamllint disable-line rule:line-length
data: "postgresql://{{ foreman_database_user }}:{{ foreman_database_password }}@{{ foreman_database_host }}:{{ foreman_database_port }}/{{ foreman_database_name }}?pool={{ foreman_database_pool }}&sslmode={{ foreman_database_ssl_mode }}{% if foreman_database_ssl_ca is defined %}&sslrootcert=/etc/foreman/db-ca.crt{% endif %}" # yamllint disable-line rule:line-length
notify:
- Restart foreman
- Restart dynflow-sidekiq@
Expand Down Expand Up @@ -84,6 +84,15 @@
- Restart foreman
- Restart dynflow-sidekiq@

- name: Create DB SSL cert
containers.podman.podman_secret:
state: present
name: foreman-db-ca
data: "{{ lookup('ansible.builtin.file', foreman_database_ssl_ca) if foreman_database_ssl_ca else 'empty' }}"
notify:
- Restart foreman
- Restart dynflow-sidekiq@

- name: Deploy Foreman Container
containers.podman.podman_container:
name: "foreman"
Expand All @@ -103,6 +112,7 @@
- 'foreman-ca-cert,type=mount,target=/etc/foreman/katello-default-ca.crt'
- 'foreman-client-cert,type=mount,target=/etc/foreman/client_cert.pem'
- 'foreman-client-key,type=mount,target=/etc/foreman/client_key.pem'
- 'foreman-db-ca,type=mount,target=/etc/foreman/db-ca.crt'
env:
FOREMAN_PUMA_THREADS_MIN: "{{ foreman_puma_threads_min }}"
FOREMAN_PUMA_THREADS_MAX: "{{ foreman_puma_threads_max }}"
Expand Down Expand Up @@ -135,6 +145,7 @@
- 'foreman-client-cert,type=mount,target=/etc/foreman/client_cert.pem'
- 'foreman-client-key,type=mount,target=/etc/foreman/client_key.pem'
- 'foreman-dynflow-worker-hosts-queue-yaml,type=mount,target=/etc/foreman/dynflow/worker-hosts-queue.yml'
- 'foreman-db-ca,type=mount,target=/etc/foreman/db-ca.crt'
env:
DYNFLOW_REDIS_URL: "redis://localhost:6379/6"
REDIS_PROVIDER: "DYNFLOW_REDIS_URL"
Expand Down Expand Up @@ -231,6 +242,7 @@
- 'foreman-seed-admin-user,type=env,target=SEED_ADMIN_USER'
- 'foreman-seed-admin-password,type=env,target=SEED_ADMIN_PASSWORD'
- 'foreman-settings-yaml,type=mount,target=/etc/foreman/settings.yaml'
- 'foreman-db-ca,type=mount,target=/etc/foreman/db-ca.crt'

- name: Flush handlers to restart services
ansible.builtin.meta: flush_handlers
4 changes: 2 additions & 2 deletions src/roles/pulp/defaults/main.yaml
Expand Up @@ -35,15 +35,15 @@ pulp_database_user: pulp
pulp_database_host: localhost
pulp_database_port: 5432
pulp_database_ssl_mode: disabled
pulp_database_ssl_ca: None
pulp_database_ssl_ca:

pulp_settings_database_env:
PULP_DATABASES__default__NAME: "{{ pulp_database_name }}"
PULP_DATABASES__default__USER: "{{ pulp_database_user }}"
PULP_DATABASES__default__HOST: "{{ pulp_database_host }}"
PULP_DATABASES__default__PORT: "{{ pulp_database_port }}"
PULP_DATABASES__default__OPTIONS__sslmode: "{{ pulp_database_ssl_mode }}"
PULP_DATABASES__default__OPTIONS__sslrootcert: "{{ pulp_database_ssl_ca }}"
PULP_DATABASES__default__OPTIONS__sslrootcert: "/etc/pulp/certs/db-ca.crt"
PULP_ENABLED_PLUGINS: >-
{{ pulp_enabled_plugins }}

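Review bot: `PULP_DATABASES__default__OPTIONS__sslrootcert: "/etc/pulp/certs/db-ca.crt"` is now set unconditionally, so when no CA is configured the `empty` placeholder secret is handed to the database client as its root certificate; the placeholder is not PEM, so in any mode where libpq actually reads the root certificate the connection fails rather than running unverified, but a comment such as `# always set; the mounted file is the pulp-db-ca secret, a placeholder when pulp_database_ssl_ca is empty` would save the next reader the trace. The bare `pulp_database_ssl_ca:` is null; the replaced `None` was a literal string that ended up in `sslrootcert`, so this is a real fix, but `null` spelled out reads better. Unchanged context worth a look while here: `pulp_database_ssl_mode: disabled` is not a libpq sslmode value (`disable`, `allow`, `prefer`, `require`, `verify-ca`, `verify-full`), so if these OPTIONS reach libpq unmodified this role default only works because src/vars/database.yml overrides it with `disable`.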
15 changes: 15 additions & 0 deletions src/roles/pulp/tasks/main.yaml
Expand Up @@ -40,6 +40,16 @@
- Restart pulp-content
- Restart pulp-worker

- name: Create DB SSL cert
containers.podman.podman_secret:
state: present
name: pulp-db-ca
data: "{{ lookup('ansible.builtin.file', pulp_database_ssl_ca) if pulp_database_ssl_ca else 'empty' }}"
notify:
- Restart pulp-api
- Restart pulp-content
- Restart pulp-worker

- name: Generate Django secret key
ansible.builtin.command: "bash -c 'openssl rand -base64 50 | tr -d \"\\n\" | tr \"+/\" \"-_\" > /var/lib/pulp/django_secret_key'"
args:
Expand Down Expand Up @@ -92,6 +102,7 @@
secrets:
- 'pulp-symmetric-key,type=mount,target=/etc/pulp/certs/database_fields.symmetric.key'
- 'pulp-db-password,type=env,target=PULP_DATABASES__default__PASSWORD'
- 'pulp-db-ca,type=mount,target=/etc/pulp/certs/db-ca.crt'
- 'pulp-django-secret-key,type=env,target=PULP_SECRET_KEY'
env: "{{ pulp_settings_env }}"
quadlet_options:
Expand Down Expand Up @@ -122,6 +133,7 @@
secrets:
- 'pulp-symmetric-key,type=mount,target=/etc/pulp/certs/database_fields.symmetric.key'
- 'pulp-db-password,type=env,target=PULP_DATABASES__default__PASSWORD'
- 'pulp-db-ca,type=mount,target=/etc/pulp/certs/db-ca.crt'
- 'pulp-django-secret-key,type=env,target=PULP_SECRET_KEY'
env: "{{ pulp_settings_env }}"
quadlet_options:
Expand Down Expand Up @@ -152,6 +164,7 @@
secrets:
- 'pulp-symmetric-key,type=mount,target=/etc/pulp/certs/database_fields.symmetric.key'
- 'pulp-db-password,type=env,target=PULP_DATABASES__default__PASSWORD'
- 'pulp-db-ca,type=mount,target=/etc/pulp/certs/db-ca.crt'
- 'pulp-django-secret-key,type=env,target=PULP_SECRET_KEY'
env: "{{ pulp_settings_env }}"
quadlet_options:
Expand Down Expand Up @@ -202,6 +215,7 @@
secrets:
- 'pulp-symmetric-key,type=mount,target=/etc/pulp/certs/database_fields.symmetric.key'
- 'pulp-db-password,type=env,target=PULP_DATABASES__default__PASSWORD'
- 'pulp-db-ca,type=mount,target=/etc/pulp/certs/db-ca.crt'
env: "{{ pulp_settings_database_env }}"

- name: Ensure Pulp admin user exists
Expand All @@ -215,6 +229,7 @@
secrets:
- 'pulp-symmetric-key,type=mount,target=/etc/pulp/certs/database_fields.symmetric.key'
- 'pulp-db-password,type=env,target=PULP_DATABASES__default__PASSWORD'
- 'pulp-db-ca,type=mount,target=/etc/pulp/certs/db-ca.crt'
env: "{{ pulp_settings_database_env }}"

- name: Flush handlers to restart services
6 changes: 3 additions & 3 deletions src/vars/database.yml
Expand Up @@ -2,7 +2,7 @@
database_host: localhost
database_port: 5432
database_ssl_mode: disable
database_ssl_ca: None
database_ssl_ca:

foreman_database_name: foreman
foreman_database_user: foreman
Expand All @@ -26,8 +26,8 @@ pulp_database_ssl_ca: "{{ database_ssl_ca }}"

foreman_database_host: "{{ database_host }}"
foreman_database_port: "{{ database_port }}"
foreman_database_sslmode: "{{ database_ssl_mode }}"
foreman_database_sslrootcert: "{{ database_ssl_ca }}"
foreman_database_ssl_mode: "{{ database_ssl_mode }}"
foreman_database_ssl_ca: "{{ database_ssl_ca }}"

postgresql_databases:
- name: "{{ candlepin_database_name }}"
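Review bot: `database_ssl_ca:` now drives the TLS setup of three roles but says nothing about what a value means; after this PR it is read with `lookup('ansible.builtin.file', …)` on the controller and shipped as a podman secret, while the replaced `None` was passed straight to the services as a literal path string. I'd document it inline, `# Path on the Ansible controller to the PEM CA used to verify the PostgreSQL server; leave empty to ship no CA.`, and spell the empty value as `null` rather than a bare key so the null is clearly deliberate. If check_database_connection keeps reading the same value as a target-side path, that caveat belongs in the comment too.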