parent
f148f69432
commit
bf8c72b85c
@ -0,0 +1,11 @@
|
||||
---
|
||||
- name: Converge
|
||||
hosts: all
|
||||
gather_facts: true
|
||||
become: true
|
||||
|
||||
tasks:
|
||||
- name: Test koji_server_ca role
|
||||
ansible.builtin.include_role:
|
||||
name: msvsphere.ci.koji_server_ca
|
||||
rolespec_validate: true
|
@ -0,0 +1,16 @@
|
||||
---
|
||||
driver:
|
||||
name: vagrant
|
||||
|
||||
platforms:
|
||||
- name: msvsphere-9
|
||||
box: msvsphere/9
|
||||
memory: 1024
|
||||
cpus: 1
|
||||
|
||||
provisioner:
|
||||
name: ansible
|
||||
inventory:
|
||||
group_vars:
|
||||
all:
|
||||
koji_server_ca_fqdn: 'build.msvsphere.test'
|
@ -0,0 +1,63 @@
|
||||
---
|
||||
- name: Verify
|
||||
hosts: all
|
||||
become: true
|
||||
|
||||
vars:
|
||||
private_keys:
|
||||
- koji-ca.key
|
||||
- "{{ koji_server_ca_fqdn }}.key"
|
||||
|
||||
public_keys:
|
||||
- koji-ca.crt
|
||||
- "{{ koji_server_ca_fqdn }}.crt"
|
||||
- "{{ koji_server_ca_fqdn }}.chain.crt"
|
||||
|
||||
tasks:
|
||||
- name: Collect Koji CA private keys stats
|
||||
ansible.builtin.stat:
|
||||
path: "{{ ('/etc/pki/koji', item) | path_join }}"
|
||||
loop: "{{ private_keys }}"
|
||||
register: private_keys_stats
|
||||
|
||||
- name: Verify Koji CA private keys stats
|
||||
ansible.builtin.assert:
|
||||
that: |
|
||||
item.stat.exists and
|
||||
item.stat.mode == '0600' and
|
||||
item.stat.pw_name == 'root' and
|
||||
item.stat.gr_name == 'root'
|
||||
loop: "{{ private_keys_stats.results }}"
|
||||
|
||||
- name: Collect Koji CA public keys stats
|
||||
ansible.builtin.stat:
|
||||
path: "{{ ('/etc/pki/koji', item) | path_join }}"
|
||||
loop: "{{ public_keys }}"
|
||||
register: public_keys_stats
|
||||
|
||||
- name: Verify Koji CA public keys stats
|
||||
ansible.builtin.assert:
|
||||
that: |
|
||||
item.stat.exists and
|
||||
item.stat.mode == '0644' and
|
||||
item.stat.pw_name == 'root' and
|
||||
item.stat.gr_name == 'root'
|
||||
loop: "{{ public_keys_stats.results }}"
|
||||
|
||||
- name: Verify Koji certificate chain
|
||||
ansible.builtin.command:
|
||||
argv:
|
||||
- openssl
|
||||
- verify
|
||||
- -CAfile
|
||||
- /etc/pki/koji/koji-ca.crt
|
||||
- -untrusted
|
||||
- "/etc/pki/koji/{{ koji_server_ca_fqdn }}.chain.crt"
|
||||
- "/etc/pki/koji/{{ koji_server_ca_fqdn }}.crt"
|
||||
register: openssl_verify
|
||||
|
||||
- name: Check Koji certificate chain verification status
|
||||
ansible.builtin.assert:
|
||||
that: |
|
||||
openssl_verify.rc == 0 and
|
||||
openssl_verify.stdout == '/etc/pki/koji/{{ koji_server_ca_fqdn }}.crt: OK'
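Review bot: The `openssl verify` task only proves that the leaf certificate chains to `koji-ca.crt`; it never checks that the certificate is actually issued for `koji_server_ca_fqdn`, so a chain whose leaf carries the wrong CN/SAN would still pass this verify playbook. Add the hostname check to the argv, `- -verify_hostname` followed by `- "{{ koji_server_ca_fqdn }}"`, before the leaf path, which makes OpenSSL match the SAN/CN the same way an HTTPS client would. The command task should also carry `changed_when: false`, since it is read-only and otherwise reports every verify run as a change.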
|
@ -0,0 +1,46 @@
|
||||
# msvsphere.ci.koji_server_ca
|
||||
|
||||
An Ansible role that creates a Koji server CA and issues an HTTPS certificate.
|
||||
|
||||
For production Koji deployment it's recommended to use FreeIPA or other
|
||||
centralized certificate management system. This role is intended for
|
||||
development purposes.
|
||||
|
||||
The role creates the `/etc/pki/koji` directory and produces the following
|
||||
artifacts:
|
||||
|
||||
* `koji-ca.crt` - CA certificate.
|
||||
* `koji-ca.key` - CA private key.
|
||||
* `koji.msvsphere.test.key` - Koji server HTTPS certificate private key.
|
||||
* `build.msvsphere.test.csr` - Koji server HTTPS certificate signing request.
|
||||
* `build.msvsphere.test.crt` - Koji server HTTPS certificate.
|
||||
* `build.msvsphere.test.chain.crt` - Koji server HTTPS certificate chain.
|
||||
|
||||
Here `koji.msvsphere.test` is the `koji_server_ca_fqdn` value.
|
||||
|
||||
Also, the role will add the CA certificate to the list of trusted
|
||||
certificates.
|
||||
|
||||
## Variables
|
||||
|
||||
| Variable | Default value | Type | Description | Required |
|
||||
| -------- | ------------- | ---- | ----------- | -------- |
|
||||
| koji_server_ca_fqdn | | string | Koji server domain name. | yes |
|
||||
|
||||
## Example playbook
|
||||
|
||||
```yaml
|
||||
---
|
||||
- hosts: all
|
||||
roles:
|
||||
- role: msvsphere.ci.koji_server_ca
|
||||
koji_server_ca_fqdn: koji.msvsphere.test
|
||||
```
|
||||
|
||||
## License
|
||||
|
||||
MIT.
|
||||
|
||||
## Authors
|
||||
|
||||
* [Eugene Zamriy](mailto:ezamriy@msvsphere-os.ru)
|
@ -0,0 +1,11 @@
|
||||
---
|
||||
argument_specs:
|
||||
main:
|
||||
short_description: A role that creates a Koji server CA and issues an HTTPS certificate.
|
||||
author: Eugene Zamriy
|
||||
version_added: '0.1.2'
|
||||
options:
|
||||
koji_server_ca_fqdn:
|
||||
description: Koji server domain name.
|
||||
type: 'str'
|
||||
required: true
|
@ -0,0 +1,16 @@
|
||||
---
|
||||
galaxy_info:
|
||||
author: Eugene Zamriy
|
||||
description: A role that creates a Koji server CA and issues an HTTPS certificate
|
||||
company: Softline PJSC
|
||||
license: MIT
|
||||
min_ansible_version: 2.13
|
||||
platforms:
|
||||
- name: EL
|
||||
versions:
|
||||
- "9"
|
||||
galaxy_tags:
|
||||
- koji
|
||||
|
||||
dependencies:
|
||||
- role: msvsphere.ci.koji_tools
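Review bot: `min_ansible_version: 2.13` is an unquoted float; it happens to round-trip here, but a value such as 2.10 would be parsed as 2.1 and Galaxy expects this field as a string. Quote it, `min_ansible_version: '2.13'`, consistent with the already-quoted `"9"` in the platforms list.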
|
@ -0,0 +1,47 @@
|
||||
---
|
||||
- name: Create /etc/pki/koji directory
|
||||
ansible.builtin.file:
|
||||
path: /etc/pki/koji
|
||||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0755
|
||||
|
||||
- name: Initialize Koji SSL CA
|
||||
ansible.builtin.command:
|
||||
argv:
|
||||
- /usr/local/koji-tools/src/bin/koji-ssl-admin
|
||||
- new-ca
|
||||
- --common-name
|
||||
- "{{ koji_server_ca_fqdn }}"
|
||||
chdir: /etc/pki/koji
|
||||
creates: /etc/pki/koji/koji-ca.crt
|
||||
|
||||
- name: Generate Koji server key and CSR
|
||||
ansible.builtin.command:
|
||||
argv:
|
||||
- /usr/local/koji-tools/src/bin/koji-ssl-admin
|
||||
- server-csr
|
||||
- "{{ koji_server_ca_fqdn }}"
|
||||
chdir: /etc/pki/koji
|
||||
creates: "/etc/pki/koji/{{ koji_server_ca_fqdn }}.csr"
|
||||
|
||||
- name: Sign Koji server CSR
|
||||
ansible.builtin.command:
|
||||
argv:
|
||||
- /usr/local/koji-tools/src/bin/koji-ssl-admin
|
||||
- sign
|
||||
- "/etc/pki/koji/{{ koji_server_ca_fqdn }}.csr"
|
||||
chdir: /etc/pki/koji
|
||||
creates: "/etc/pki/koji/{{ koji_server_ca_fqdn }}.chain.crt"
|
||||
|
||||
- name: Add Koji SSL CA certificate to system
|
||||
ansible.builtin.file:
|
||||
src: /etc/pki/koji/koji-ca.crt
|
||||
dest: /etc/pki/ca-trust/source/anchors/koji-ca.crt
|
||||
state: link
|
||||
register: koji_server_ca_anchor
|
||||
|
||||
- name: Trust Koji SSL CA certificate
|
||||
command: update-ca-trust extract
|
||||
when: koji_server_ca_anchor.changed
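Review bot: The role never sets permissions on the CA private key or the server key it generates; it relies entirely on `koji-ssl-admin` producing them 0600, and the `creates:` guards mean a key left with looser permissions would never be revisited on a re-run. The verify playbook in this commit asserts 0600/root:root on `koji-ca.key` and `{{ koji_server_ca_fqdn }}.key`, so the role should enforce that itself with a file task after the `sign` step, as sketched below. Separately, `mode: 0755` on the directory task should be quoted (`mode: '0755'`) to avoid the YAML octal trap that ansible-lint flags, and the final `command: update-ca-trust extract` should use `ansible.builtin.command` like the other tasks and test `when: koji_server_ca_anchor is changed`.
```yaml
# … unchanged: directory creation, new-ca, server-csr, sign …
- name: Restrict Koji private key permissions
  ansible.builtin.file:
    path: "/etc/pki/koji/{{ item }}"
    owner: root
    group: root
    mode: '0600'
  loop:
    - koji-ca.key
    - "{{ koji_server_ca_fqdn }}.key"
# … unchanged: CA anchor symlink and update-ca-trust …
```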
|