Adds koji_server_ca role

CHANGELOG.rst

@@ -5,6 +5,14 @@ msvsphere.ci Release Notes
 .. contents:: Topics
 
 
+v0.1.2
+======
+
+New Roles
+---------
+
+- msvsphere.ci.koji_server_ca - A role that creates a Koji server CA and issues an HTTPS certificate.
+
 v0.1.1
 ======
 

README.md

@@ -4,6 +4,7 @@ The MSVSphere OS CI/CD collection.
 
 ## Roles
 
+* [koji_server_ca](roles/koji_server_ca/README.md)
 * [koji_tools](roles/koji_tools/README.md)
 * [postgresql_server](roles/postgresql_server/README.md)
 

changelogs/.plugin-cache.yaml

@@ -1,5 +1,9 @@
 objects:
   role:
+    koji_server_ca:
+      description: A role that creates a Koji server CA and issues an HTTPS certificate.
+      name: koji_server_ca
+      version_added: 0.1.2
     koji_tools:
       description: A role that installs koji-tools.
       name: koji_tools
@@ -24,4 +28,4 @@ plugins:
   strategy: {}
   test: {}
   vars: {}
-version: 0.1.1
+version: 0.1.2

changelogs/changelog.yaml

@@ -18,3 +18,10 @@ releases:
         name: koji_tools
         namespace: null
     release_date: '2023-12-13'
+  0.1.2:
+    objects:
+      role:
+      - description: A role that creates a Koji server CA and issues an HTTPS certificate.
+        name: koji_server_ca
+        namespace: null
+    release_date: '2023-12-13'

galaxy.yml

@@ -1,6 +1,6 @@
 namespace: msvsphere
 name: ci
-version: 0.1.1
+version: 0.1.2
 readme: README.md
 authors:
   - Eugene Zamriy <ezamriy@msvsphere-os.ru>

molecule/koji_server_ca/converge.yml

@@ -0,0 +1,11 @@
+---
+- name: Converge
+  hosts: all
+  gather_facts: true
+  become: true
+
+  tasks:
+    - name: Test koji_server_ca role
+      ansible.builtin.include_role:
+        name: msvsphere.ci.koji_server_ca
+        rolespec_validate: true

molecule/koji_server_ca/molecule.yml

@@ -0,0 +1,16 @@
+---
+driver:
+  name: vagrant
+
+platforms:
+  - name: msvsphere-9
+    box: msvsphere/9
+    memory: 1024
+    cpus: 1
+
+provisioner:
+  name: ansible
+  inventory:
+    group_vars:
+      all:
+        koji_server_ca_fqdn: 'build.msvsphere.test'

molecule/koji_server_ca/verify.yml

@@ -0,0 +1,63 @@
+---
+- name: Verify
+  hosts: all
+  become: true
+
+  vars:
+    private_keys:
+      - koji-ca.key
+      - "{{ koji_server_ca_fqdn }}.key"
+
+    public_keys:
+      - koji-ca.crt
+      - "{{ koji_server_ca_fqdn }}.crt"
+      - "{{ koji_server_ca_fqdn }}.chain.crt"
+
+  tasks:
+    - name: Collect Koji CA private keys stats
+      ansible.builtin.stat:
+        path: "{{ ('/etc/pki/koji', item) | path_join }}"
+      loop: "{{ private_keys }}"
+      register: private_keys_stats
+
+    - name: Verify Koji CA private keys stats
+      ansible.builtin.assert:
+        that: |
+          item.stat.exists and
+          item.stat.mode == '0600' and
+          item.stat.pw_name == 'root' and
+          item.stat.gr_name == 'root'
+      loop: "{{ private_keys_stats.results }}"
+
+    - name: Collect Koji CA public keys stats
+      ansible.builtin.stat:
+        path: "{{ ('/etc/pki/koji', item) | path_join }}"
+      loop: "{{ public_keys }}"
+      register: public_keys_stats
+
+    - name: Verify Koji CA public keys stats
+      ansible.builtin.assert:
+        that: |
+          item.stat.exists and
+          item.stat.mode == '0644' and
+          item.stat.pw_name == 'root' and
+          item.stat.gr_name == 'root'
+      loop: "{{ public_keys_stats.results }}"
+
+    - name: Verify Koji certificate chain
+      ansible.builtin.command:
+        argv:
+          - openssl
+          - verify
+          - -CAfile
+          - /etc/pki/koji/koji-ca.crt
+          - -untrusted
+          - "/etc/pki/koji/{{ koji_server_ca_fqdn }}.chain.crt"
+          - "/etc/pki/koji/{{ koji_server_ca_fqdn }}.crt"
+      register: openssl_verify
+
+    - name: Check Koji certificate chain verification status
+      ansible.builtin.assert:
+        that: |
+          openssl_verify.rc == 0 and
+          openssl_verify.stdout == '/etc/pki/koji/{{ koji_server_ca_fqdn }}.crt: OK'

roles/koji_server_ca/README.md

@@ -0,0 +1,46 @@
+# msvsphere.ci.koji_server_ca
+
+An Ansible role that creates a Koji server CA and issues an HTTPS certificate.
+
+For production Koji deployment it's recommended to use FreeIPA or other
+centralized certificate management system. This role is intended for
+development purposes.
+
+The role creates the `/etc/pki/koji` directory and produces the following
+artifacts:
+
+* `koji-ca.crt` - CA certificate.
+* `koji-ca.key` - CA private key.
+* `koji.msvsphere.test.key` - Koji server HTTPS certificate private key.
+* `build.msvsphere.test.csr` - Koji server HTTPS certificate signing request.
+* `build.msvsphere.test.crt` - Koji server HTTPS certificate.
+* `build.msvsphere.test.chain.crt` - Koji server HTTPS certificate chain.
+
+Here `koji.msvsphere.test` is the `koji_server_ca_fqdn` value.
+
+Also, the role will add the CA certificate to the list of trusted
+certificates.
+
+## Variables
+
+| Variable | Default value | Type | Description | Required |
+| -------- | ------------- | ---- | ----------- | -------- |
+| koji_server_ca_fqdn | | string | Koji server domain name. | yes |
+
+## Example playbook
+
+```yaml
+---
+- hosts: all
+  roles:
+    - role: msvsphere.ci.koji_server_ca
+      koji_server_ca_fqdn: koji.msvsphere.test
+```
+
+## License
+
+MIT.
+
+## Authors
+
+* [Eugene Zamriy](mailto:ezamriy@msvsphere-os.ru)

roles/koji_server_ca/meta/argument_specs.yml

@@ -0,0 +1,11 @@
+---
+argument_specs:
+  main:
+    short_description: A role that creates a Koji server CA and issues an HTTPS certificate.
+    author: Eugene Zamriy
+    version_added: '0.1.2'
+    options:
+      koji_server_ca_fqdn:
+        description: Koji server domain name.
+        type: 'str'
+        required: true

roles/koji_server_ca/meta/main.yml

@@ -0,0 +1,16 @@
+---
+galaxy_info:
+  author: Eugene Zamriy
+  description: A role that creates a Koji server CA and issues an HTTPS certificate
+  company: Softline PJSC
+  license: MIT
+  min_ansible_version: 2.13
+  platforms:
+    - name: EL
+      versions:
+        - "9"
+  galaxy_tags:
+    - koji
+
+dependencies:
+  - role: msvsphere.ci.koji_tools

roles/koji_server_ca/tasks/main.yml

@@ -0,0 +1,47 @@
+---
+- name: Create /etc/pki/koji directory
+  ansible.builtin.file:
+    path: /etc/pki/koji
+    state: directory
+    owner: root
+    group: root
+    mode: 0755
+
+- name: Initialize Koji SSL CA
+  ansible.builtin.command:
+    argv:
+      - /usr/local/koji-tools/src/bin/koji-ssl-admin
+      - new-ca
+      - --common-name
+      - "{{ koji_server_ca_fqdn }}"
+    chdir: /etc/pki/koji
+    creates: /etc/pki/koji/koji-ca.crt
+
+- name: Generate Koji server key and CSR
+  ansible.builtin.command:
+    argv:
+      - /usr/local/koji-tools/src/bin/koji-ssl-admin
+      - server-csr
+      - "{{ koji_server_ca_fqdn }}"
+    chdir: /etc/pki/koji
+    creates: "/etc/pki/koji/{{ koji_server_ca_fqdn }}.csr"
+
+- name: Sign Koji server CSR
+  ansible.builtin.command:
+    argv:
+      - /usr/local/koji-tools/src/bin/koji-ssl-admin
+      - sign
+      - "/etc/pki/koji/{{ koji_server_ca_fqdn }}.csr"
+    chdir: /etc/pki/koji
+    creates: "/etc/pki/koji/{{ koji_server_ca_fqdn }}.chain.crt"
+
+- name: Add Koji SSL CA certificate to system
+  ansible.builtin.file:
+    src: /etc/pki/koji/koji-ca.crt
+    dest: /etc/pki/ca-trust/source/anchors/koji-ca.crt
+    state: link
+  register: koji_server_ca_anchor
+
+- name: Trust Koji SSL CA certificate
+  command: update-ca-trust extract
+  when: koji_server_ca_anchor.changed

roles/postgresql_server/README.md

@@ -5,7 +5,7 @@ An Ansible role that installs and configures a PostgreSQL server.
 ## Variables
 
 | Variable | Default value | Type | Description | Required |
-| -------- | ------------- | ---- |----------- | -------- |
+| -------- | ------------- | ---- | ----------- | -------- |
 | postgresql_major_version | "13" | string | PostgreSQL major version. For MSVSphere 9.x possible values are "13" and "15". | no |
 | postgresql_listen_address | | string | TCP/IP address(es) on which the server is to listen for connections. | no |
 | postgresql_max_connections | | integer | Maximum number of concurrent connections. | no |