From bf8c72b85c4467d5b21036b048812c72240c761d Mon Sep 17 00:00:00 2001
From: Eugene Zamriy
Date: Wed, 13 Dec 2023 21:14:12 +0300
Subject: [PATCH] Adds koji_server_ca role
---
 CHANGELOG.rst | 8 +++
 README.md | 1 +
 changelogs/.plugin-cache.yaml | 6 +-
 changelogs/changelog.yaml | 7 +++
 galaxy.yml | 2 +-
 molecule/koji_server_ca/converge.yml | 11 ++++
 molecule/koji_server_ca/molecule.yml | 16 +++++
 molecule/koji_server_ca/verify.yml | 63 ++++++++++++++++++++
 roles/koji_server_ca/README.md | 46 ++++++++++++++
 roles/koji_server_ca/meta/argument_specs.yml | 11 ++++
 roles/koji_server_ca/meta/main.yml | 16 +++++
 roles/koji_server_ca/tasks/main.yml | 47 +++++++++++++++
 roles/postgresql_server/README.md | 2 +-
 13 files changed, 233 insertions(+), 3 deletions(-)
 create mode 100644 molecule/koji_server_ca/converge.yml
 create mode 100644 molecule/koji_server_ca/molecule.yml
 create mode 100644 molecule/koji_server_ca/verify.yml
 create mode 100644 roles/koji_server_ca/README.md
 create mode 100644 roles/koji_server_ca/meta/argument_specs.yml
 create mode 100644 roles/koji_server_ca/meta/main.yml
 create mode 100644 roles/koji_server_ca/tasks/main.yml
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 98fc28c..0d5267b 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -5,6 +5,14 @@ msvsphere.ci Release Notes
 .. contents:: Topics
+v0.1.2
+======
+
+New Roles
+---------
+
+- msvsphere.ci.koji_server_ca - A role that creates a Koji server CA and issues an HTTPS certificate.
+
 v0.1.1
 ======
diff --git a/README.md b/README.md
index 95f8120..b295d30 100644
--- a/README.md
+++ b/README.md
@@ -4,6 +4,7 @@ The MSVSphere OS CI/CD collection.
 ## Roles
+* [koji_server_ca](roles/koji_server_ca/README.md)
 * [koji_tools](roles/koji_tools/README.md)
 * [postgresql_server](roles/postgresql_server/README.md)
diff --git a/changelogs/.plugin-cache.yaml b/changelogs/.plugin-cache.yaml
index 227b19f..d9b67b0 100644
--- a/changelogs/.plugin-cache.yaml
+++ b/changelogs/.plugin-cache.yaml
@@ -1,5 +1,9 @@
 objects:
 role:
+ koji_server_ca:
+ description: A role that creates a Koji server CA and issues an HTTPS certificate.
+ name: koji_server_ca
+ version_added: 0.1.2
 koji_tools:
 description: A role that installs koji-tools.
 name: koji_tools
@@ -24,4 +28,4 @@ plugins:
 strategy: {}
 test: {}
 vars: {}
-version: 0.1.1
+version: 0.1.2
diff --git a/changelogs/changelog.yaml b/changelogs/changelog.yaml
index aea76d5..3bb1343 100644
--- a/changelogs/changelog.yaml
+++ b/changelogs/changelog.yaml
@@ -18,3 +18,10 @@ releases:
 name: koji_tools
 namespace: null
 release_date: '2023-12-13'
+ 0.1.2:
+ objects:
+ role:
+ - description: A role that creates a Koji server CA and issues an HTTPS certificate.
+ name: koji_server_ca
+ namespace: null
+ release_date: '2023-12-13'
diff --git a/galaxy.yml b/galaxy.yml
index c37351e..1b8e5a5 100644
--- a/galaxy.yml
+++ b/galaxy.yml
@@ -1,6 +1,6 @@
 namespace: msvsphere
 name: ci
-version: 0.1.1
+version: 0.1.2
 readme: README.md
 authors:
 - Eugene Zamriy
diff --git a/molecule/koji_server_ca/converge.yml b/molecule/koji_server_ca/converge.yml
new file mode 100644
index 0000000..21d76c0
--- /dev/null
+++ b/molecule/koji_server_ca/converge.yml
@@ -0,0 +1,11 @@
+---
+- name: Converge
+ hosts: all
+ gather_facts: true
+ become: true
+
+ tasks:
+ - name: Test koji_server_ca role
+ ansible.builtin.include_role:
+ name: msvsphere.ci.koji_server_ca
+ rolespec_validate: true
diff --git a/molecule/koji_server_ca/molecule.yml b/molecule/koji_server_ca/molecule.yml
new file mode 100644
index 0000000..41f4b17
--- /dev/null
+++ b/molecule/koji_server_ca/molecule.yml
@@ -0,0 +1,16 @@
+---
+driver:
+ name: vagrant
+
+platforms:
+ - name: msvsphere-9
+ box: msvsphere/9
+ memory: 1024
+ cpus: 1
+
+provisioner:
+ name: ansible
+ inventory:
+ group_vars:
+ all:
+ koji_server_ca_fqdn: 'build.msvsphere.test'
diff --git a/molecule/koji_server_ca/verify.yml b/molecule/koji_server_ca/verify.yml
new file mode 100644
index 0000000..579ef31
--- /dev/null
+++ b/molecule/koji_server_ca/verify.yml
@@ -0,0 +1,63 @@
+---
+- name: Verify
+ hosts: all
+ become: true
+
+ vars:
+ private_keys:
+ - koji-ca.key
+ - "{{ koji_server_ca_fqdn }}.key"
+
+ public_keys:
+ - koji-ca.crt
+ - "{{ koji_server_ca_fqdn }}.crt"
+ - "{{ koji_server_ca_fqdn }}.chain.crt"
+
+ tasks:
+ - name: Collect Koji CA private keys stats
+ ansible.builtin.stat:
+ path: "{{ ('/etc/pki/koji', item) | path_join }}"
+ loop: "{{ private_keys }}"
+ register: private_keys_stats
+
+ - name: Verify Koji CA private keys stats
+ ansible.builtin.assert:
+ that: |
+ item.stat.exists and
+ item.stat.mode == '0600' and
+ item.stat.pw_name == 'root' and
+ item.stat.gr_name == 'root'
+ loop: "{{ private_keys_stats.results }}"
+
+ - name: Collect Koji CA public keys stats
+ ansible.builtin.stat:
+ path: "{{ ('/etc/pki/koji', item) | path_join }}"
+ loop: "{{ public_keys }}"
+ register: public_keys_stats
+
+ - name: Verify Koji CA public keys stats
+ ansible.builtin.assert:
+ that: |
+ item.stat.exists and
+ item.stat.mode == '0644' and
+ item.stat.pw_name == 'root' and
+ item.stat.gr_name == 'root'
+ loop: "{{ public_keys_stats.results }}"
+
+ - name: Verify Koji certificate chain
+ ansible.builtin.command:
+ argv:
+ - openssl
+ - verify
+ - -CAfile
+ - /etc/pki/koji/koji-ca.crt
+ - -untrusted
+ - "/etc/pki/koji/{{ koji_server_ca_fqdn }}.chain.crt"
+ - "/etc/pki/koji/{{ koji_server_ca_fqdn }}.crt"
+ register: openssl_verify
+
+ - name: Check Koji certificate chain verification status
+ ansible.builtin.assert:
+ that: |
+ openssl_verify.rc == 0 and
+ openssl_verify.stdout == '/etc/pki/koji/{{ koji_server_ca_fqdn }}.crt: OK'
diff --git a/roles/koji_server_ca/README.md b/roles/koji_server_ca/README.md
new file mode 100644
index 0000000..4deab8a
--- /dev/null
+++ b/roles/koji_server_ca/README.md
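Review bot: The final assert puts a Jinja delimiter inside the `that:` expression (`'/etc/pki/koji/{{ koji_server_ca_fqdn }}.crt: OK'`); Ansible warns that conditionals should not contain `{{ }}`, and nested templating in conditionals has been tightened in newer ansible-core releases, so build the expected string in the expression instead: `openssl_verify.stdout == '/etc/pki/koji/' ~ koji_server_ca_fqdn ~ '.crt: OK'`. The `openssl verify` task proves only that the leaf chains to `koji-ca.crt`; it does not check that the certificate was issued for the configured name, which is what an HTTPS client will reject on, so adding `- -verify_hostname` and `- "{{ koji_server_ca_fqdn }}"` to the argv would cover the property the role actually promises. The stat assertions on `0600` root-owned private keys are the right check for the CA key material and worth keeping as-is.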
@@ -0,0 +1,46 @@
+# msvsphere.ci.koji_server_ca
+
+An Ansible role that creates a Koji server CA and issues an HTTPS certificate.
+
+For production Koji deployment it's recommended to use FreeIPA or other
+centralized certificate management system. This role is intended for
+development purposes.
+
+The role creates the `/etc/pki/koji` directory and produces the following
+artifacts:
+
+* `koji-ca.crt` - CA certificate.
+* `koji-ca.key` - CA private key.
+* `koji.msvsphere.test.key` - Koji server HTTPS certificate private key.
+* `build.msvsphere.test.csr` - Koji server HTTPS certificate signing request.
+* `build.msvsphere.test.crt` - Koji server HTTPS certificate.
+* `build.msvsphere.test.chain.crt` - Koji server HTTPS certificate chain.
+
+Here `koji.msvsphere.test` is the `koji_server_ca_fqdn` value.
+
+Also, the role will add the CA certificate to the list of trusted
+certificates.
+
+## Variables
+
+| Variable | Default value | Type | Description | Required |
+| -------- | ------------- | ---- | ----------- | -------- |
+| koji_server_ca_fqdn | | string | Koji server domain name. | yes |
+
+## Example playbook
+
+```yaml
+---
+- hosts: all
+ roles:
+ - role: msvsphere.ci.koji_server_ca
+ koji_server_ca_fqdn: koji.msvsphere.test
+```
+
+## License
+
+MIT.
+
+## Authors
+
+* [Eugene Zamriy](mailto:ezamriy@msvsphere-os.ru)
diff --git a/roles/koji_server_ca/meta/argument_specs.yml b/roles/koji_server_ca/meta/argument_specs.yml
new file mode 100644
index 0000000..b7bc60b
--- /dev/null
+++ b/roles/koji_server_ca/meta/argument_specs.yml
@@ -0,0 +1,11 @@
+---
+argument_specs:
+ main:
+ short_description: A role that creates a Koji server CA and issues an HTTPS certificate.
+ author: Eugene Zamriy
+ version_added: '0.1.2'
+ options:
+ koji_server_ca_fqdn:
+ description: Koji server domain name.
+ type: 'str'
+ required: true
diff --git a/roles/koji_server_ca/meta/main.yml b/roles/koji_server_ca/meta/main.yml
new file mode 100644
index 0000000..b057699
--- /dev/null
+++ b/roles/koji_server_ca/meta/main.yml
@@ -0,0 +1,16 @@
+---
+galaxy_info:
+ author: Eugene Zamriy
+ description: A role that creates a Koji server CA and issues an HTTPS certificate
+ company: Softline PJSC
+ license: MIT
+ min_ansible_version: 2.13
+ platforms:
+ - name: EL
+ versions:
+ - "9"
+ galaxy_tags:
+ - koji
+
+dependencies:
+ - role: msvsphere.ci.koji_tools
diff --git a/roles/koji_server_ca/tasks/main.yml b/roles/koji_server_ca/tasks/main.yml
new file mode 100644
index 0000000..9f35ef3
--- /dev/null
+++ b/roles/koji_server_ca/tasks/main.yml
@@ -0,0 +1,47 @@
+---
+- name: Create /etc/pki/koji directory
+ ansible.builtin.file:
+ path: /etc/pki/koji
+ state: directory
+ owner: root
+ group: root
+ mode: 0755
+
+- name: Initialize Koji SSL CA
+ ansible.builtin.command:
+ argv:
+ - /usr/local/koji-tools/src/bin/koji-ssl-admin
+ - new-ca
+ - --common-name
+ "{{ koji_server_ca_fqdn }}"
+ chdir: /etc/pki/koji
+ creates: /etc/pki/koji/koji-ca.crt
+
+- name: Generate Koji server key and CSR
+ ansible.builtin.command:
+ argv:
+ - /usr/local/koji-tools/src/bin/koji-ssl-admin
+ - server-csr
+ "{{ koji_server_ca_fqdn }}"
+ chdir: /etc/pki/koji
+ creates: "/etc/pki/koji/{{ koji_server_ca_fqdn }}.csr"
+
+- name: Sign Koji server CSR
+ ansible.builtin.command:
+ argv:
+ - /usr/local/koji-tools/src/bin/koji-ssl-admin
+ - sign
+ - "/etc/pki/koji/{{ koji_server_ca_fqdn }}.csr"
+ chdir: /etc/pki/koji
+ creates: "/etc/pki/koji/{{ koji_server_ca_fqdn }}.chain.crt"
+
+- name: Add Koji SSL CA certificate to system
+ ansible.builtin.file:
+ src: /etc/pki/koji/koji-ca.crt
+ dest: /etc/pki/ca-trust/source/anchors/koji-ca.crt
+ state: link
+ register: koji_server_ca_anchor
+
+- name: Trust Koji SSL CA certificate
+ command: update-ca-trust extract
+ when: koji_server_ca_anchor.changed
diff --git a/roles/postgresql_server/README.md b/roles/postgresql_server/README.md
index afaced5..115d008 100644
--- a/roles/postgresql_server/README.md
+++ b/roles/postgresql_server/README.md
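Review bot: `min_ansible_version: 2.13` is an unquoted float; this particular value survives YAML loading unchanged, but a future bump to something like `2.10` would load as `2.1`, and Galaxy treats the field as a string, so write `min_ansible_version: "2.13"`. The `description` here also drops the trailing period that the same sentence carries in argument_specs.yml and the changelog entries; minor, but the three copies are easier to keep in sync when they are identical.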
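Review bot: The "Trust Koji SSL CA certificate" task only runs `update-ca-trust extract` when the symlink task reports a change, but the symlink's path and target never change after the first run, so if `koji-ca.crt` is ever regenerated (the `creates:` guard on "Initialize Koji SSL CA" re-runs `new-ca` once the file is removed) the host keeps trusting the stale CA in its system bundle; register the initialization task with `register: koji_server_ca_init` and gate the extract on `when: koji_server_ca_anchor.changed or koji_server_ca_init.changed`. That last task also uses the short `command:` name while every other task in the file uses the `ansible.builtin.` FQCN, and `mode: 0755` on the directory task is an unquoted octal that YAML 1.1 loaders read as the integer 493, so prefer `mode: "0755"`. As rendered here, the FQDN after `- --common-name` and after `- server-csr` has no list marker of its own; if the file really continues the previous plain scalar, each of those argv elements becomes one string such as `--common-name "…"` rather than two arguments, so confirm the lines read `- "{{ koji_server_ca_fqdn }}"`. Because this role anchors a locally generated CA into the system-wide trust store, which makes every TLS client on the host accept certificates it signs, a header comment stating the scope would help readers who only see the tasks file: `# Development-only: installs a self-signed Koji CA into the system trust anchors (see README).`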
@@ -5,7 +5,7 @@ An Ansible role that installs and configures a PostgreSQL server.
 ## Variables
 | Variable | Default value | Type | Description | Required |
-| -------- | ------------- | ---- |----------- | -------- |
+| -------- | ------------- | ---- | ----------- | -------- |
 | postgresql_major_version | "13" | string | PostgreSQL major version. For MSVSphere 9.x possible values are "13" and "15". | no |
 | postgresql_listen_address | | string | TCP/IP address(es) on which the server is to listen for connections. | no |
 | postgresql_max_connections | | integer | Maximum number of concurrent connections. | no |