From 546b58f51a14019e304d34db5db7ea71bdc8df3f Mon Sep 17 00:00:00 2001
From: "Eric D. Helms"
Date: Mon, 24 Feb 2025 14:23:49 -0500
Subject: [PATCH 1/3] Add role and playbook to generate a certs tarball

Signed-off-by: Eric D. Helms
---
 .../certificate-bundle.yaml | 23 +++++++
 .../certificate-bundle/metadata.obsah.yaml | 10 +++
 src/roles/certificate_bundle/tasks/main.yml | 68 +++++++++++++++++++
 3 files changed, 101 insertions(+)
 create mode 100644 src/playbooks/certificate-bundle/certificate-bundle.yaml
 create mode 100644 src/playbooks/certificate-bundle/metadata.obsah.yaml
 create mode 100644 src/roles/certificate_bundle/tasks/main.yml

diff --git a/src/playbooks/certificate-bundle/certificate-bundle.yaml b/src/playbooks/certificate-bundle/certificate-bundle.yaml
new file mode 100644
index 00000000..32f6bf9f
--- /dev/null
+++ b/src/playbooks/certificate-bundle/certificate-bundle.yaml
@@ -0,0 +1,23 @@
+---
+- name: Generate a certificate bundle for a hostname
+ hosts:
+ - quadlet
+ become: true
+ vars:
+ certificates_ca: false
+ certificates_hostnames:
+ - "{{ hostname }}"
+ certificate_source: default
+ roles:
+ - role: certificates
+ when: "certificate_source == 'default'"
+ - role: foreman_installer_certs
+ when: "certificate_source == 'installer'"
+ - role: certificate_bundle
+ vars:
+ certificate_bundle_hostname: "{{ hostname }}"
+ certificate_bundle_ca_certificate: "{{ certificates_ca_directory }}/certs/ca.crt"
+ certificate_bundle_server_certificate: "{{ certificates_ca_directory }}/certs/{{ hostname }}.crt"
+ certificate_bundle_server_key: "{{ certificates_ca_directory }}/private/{{ hostname }}.key"
+ certificate_bundle_client_certificate: "{{ certificates_ca_directory }}/certs/{{ hostname }}-client.crt"
+ certificate_bundle_client_key: "{{ certificates_ca_directory }}/private/{{ hostname }}-client.key"
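Review bot: `hostname` comes straight from the CLI parameter declared in metadata.obsah.yaml and is interpolated into file paths in this play (`/certs/{{ hostname }}.crt`, `/private/{{ hostname }}.key`) and again inside the certificate_bundle role, with no check that it is a well-formed hostname. A `pre_tasks` assertion such as `ansible.builtin.assert: { that: ["hostname is match('^[A-Za-z0-9.-]+$')"] }` would fail fast on a typo or stray path separator instead of producing odd paths or a misnamed bundle. The `certificate_bundle` vars also assume the `foreman_installer_certs` branch leaves its output under `certificates_ca_directory` with the same file naming as the `certificates` role; that is not visible here, so a short comment above `- role: certificate_bundle` stating the assumption would help the next reader.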
diff --git a/src/playbooks/certificate-bundle/metadata.obsah.yaml b/src/playbooks/certificate-bundle/metadata.obsah.yaml
new file mode 100644
index 00000000..0d07de95
--- /dev/null
+++ b/src/playbooks/certificate-bundle/metadata.obsah.yaml
@@ -0,0 +1,10 @@
+---
+help: |
+ Generate a certificate bundle
+
+variables:
+ hostname:
+ parameter: hostname
+ help: Hostname to generate a certificate bundle for that will be the common name.
+ certificate_source:
+ help: What certificate source is being used.
diff --git a/src/roles/certificate_bundle/tasks/main.yml b/src/roles/certificate_bundle/tasks/main.yml
new file mode 100644
index 00000000..e048c266
--- /dev/null
+++ b/src/roles/certificate_bundle/tasks/main.yml
@@ -0,0 +1,68 @@
+---
+- name: Create temporary directory
+ ansible.builtin.tempfile:
+ state: directory
+ suffix: certificate-build
+ register: build_directory
+
+- name: Create directory structure
+ ansible.builtin.file:
+ state: directory
+ path: "{{ build_directory.path }}/ssl-build/{{ certificate_bundle_hostname }}"
+ mode: '0755'
+
+- name: Copy CA certificate
+ ansible.builtin.copy:
+ src: "{{ certificate_bundle_ca_certificate }}"
+ dest: "{{ build_directory.path }}/ssl-build/{{ item }}"
+ remote_src: true
+ mode: '0444'
+ loop:
+ - katello-server-ca.crt
+ - katello-default-ca.crt
+
+- name: Copy server certificate
+ ansible.builtin.copy:
+ src: "{{ certificate_bundle_server_certificate }}"
+ dest: "{{ build_directory.path }}/ssl-build/{{ certificate_bundle_hostname }}/{{ certificate_bundle_hostname }}-{{ item }}"
+ remote_src: true
+ mode: '0444'
+ loop:
+ - apache.crt
+ - foreman-proxy.crt
+
+- name: Copy server key
+ ansible.builtin.copy:
+ src: "{{ certificate_bundle_server_key }}"
+ dest: "{{ build_directory.path }}/ssl-build/{{ certificate_bundle_hostname }}/{{ certificate_bundle_hostname }}-{{ item }}"
+ remote_src: true
+ mode: '0440'
+ loop:
+ - apache.key
+ - foreman-proxy.key
+
+- name: Copy client certificate
+ ansible.builtin.copy:
+ src: "{{ certificate_bundle_client_certificate }}"
+ dest: "{{ build_directory.path }}/ssl-build/{{ certificate_bundle_hostname }}/{{ certificate_bundle_hostname }}-{{ item }}"
+ remote_src: true
+ mode: '0444'
+ loop:
+ - foreman-proxy-client.crt
+ - puppet-client.crt
+
+- name: Copy client key
+ ansible.builtin.copy:
+ src: "{{ certificate_bundle_client_key }}"
+ dest: "{{ build_directory.path }}/ssl-build/{{ certificate_bundle_hostname }}/{{ certificate_bundle_hostname }}-{{ item }}"
+ remote_src: true
+ mode: '0440'
+ loop:
+ - foreman-proxy-client.key
+ - puppet-client.key
+
+- name: Create tarball
+ community.general.archive:
+ path: "{{ build_directory.path }}/ssl-build"
+ dest: "/root/{{ certificate_bundle_hostname }}.tar.gz"
+ mode: '0640'

From e162c424592296ee33eb032a2a7fffb5bb9a2ebe Mon Sep 17 00:00:00 2001
From: Evgeni Golov
Date: Mon, 24 Nov 2025 12:31:14 +0100
Subject: [PATCH 2/3] update variable usage

---
 src/playbooks/certificate-bundle/certificate-bundle.yaml | 3 ++-
 src/playbooks/certificate-bundle/metadata.obsah.yaml | 5 +++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/playbooks/certificate-bundle/certificate-bundle.yaml b/src/playbooks/certificate-bundle/certificate-bundle.yaml
index 32f6bf9f..f3a924f4 100644
--- a/src/playbooks/certificate-bundle/certificate-bundle.yaml
+++ b/src/playbooks/certificate-bundle/certificate-bundle.yaml
@@ -3,11 +3,12 @@
 hosts:
 - quadlet
 become: true
+ vars_files:
+ - "../../vars/defaults.yml"
 vars:
 certificates_ca: false
 certificates_hostnames:
 - "{{ hostname }}"
- certificate_source: default
 roles:
 - role: certificates
 when: "certificate_source == 'default'"
diff --git a/src/playbooks/certificate-bundle/metadata.obsah.yaml b/src/playbooks/certificate-bundle/metadata.obsah.yaml
index 0d07de95..b1488702 100644
--- a/src/playbooks/certificate-bundle/metadata.obsah.yaml
+++ b/src/playbooks/certificate-bundle/metadata.obsah.yaml
@@ -6,5 +6,6 @@ variables:
 hostname:
 parameter: hostname
 help: Hostname to generate a certificate bundle for that will be the common name.
- certificate_source:
- help: What certificate source is being used.
+
+include:
+ - _certificate_source

From 05a6c94c9544121d88c1a476fb8e1dca33769957 Mon Sep 17 00:00:00 2001
From: Evgeni Golov
Date: Mon, 24 Nov 2025 12:33:36 +0100
Subject: [PATCH 3/3] run certificate-bundle as part of tests

---
 .github/workflows/test.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index d09cfdb2..b1ebb790 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
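Review bot: The temporary directory registered as `build_directory` by the first task is never removed, so after `Create tarball` a second copy of the server and client private keys (the `0440` files under `ssl-build/<hostname>/`) stays behind under the temp path next to the archive. A final `ansible.builtin.file` task with `state: absent` on `{{ build_directory.path }}` is needed, and the copy tasks would be better wrapped in a `block` with that removal in its `always` section so a failed copy does not leave keys behind either. Whether the tempfile module's directory permissions already restrict the temp path to root is not visible here, so cleanup should not depend on it. The archive `dest` is also hard-coded to `/root/`; a `certificate_bundle_dest` role variable defaulting to that path would let callers choose where a key-bearing tarball lands.
```yaml
# … unchanged: tempfile, copy and archive tasks …

- name: Remove temporary build directory
  ansible.builtin.file:
    path: "{{ build_directory.path }}"
    state: absent
```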
@@ -75,6 +75,9 @@ jobs:
 - name: Run deployment
 run: |
 ./foremanctl deploy --certificate-source=${{ matrix.certificate_source }} --foreman-initial-admin-password=changeme
+ - name: Generate certificate bundle for second system
+ run: |
+ ./foremanctl certificate-bundle --certificate-source=${{ matrix.certificate_source }} proxy.example.com
 - name: Setup hammer
 run: |
 ./foremanctl setup-hammer
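Review bot: The new step only runs `./foremanctl certificate-bundle ... proxy.example.com`; nothing afterwards asserts that a bundle was actually produced, so a run in which the archive task was skipped or wrote an empty tree would still pass. A follow-up step that checks the archive exists and lists its contents with `tar -tzf`, comparing against the file names the role writes (`apache.crt`, `foreman-proxy.key`, `puppet-client.crt`, ...), would turn this from a smoke test into a real check. The role writes to `/root/<hostname>.tar.gz` on the target host, but where that ends up in this CI layout is not visible here, so the path to verify needs confirming. The step sits inside a job whose beginning and end are outside the hunk.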