Merge "Support adding a trusted CA certificate in ansible"

2019-06-20 20:28:00 +00:00 · 2019-06-20 20:28:00 +00:00 · 7a9bc2f330
parent b62150cd99 d4575518a7
commit 7a9bc2f330
4 changed files with 52 additions and 0 deletions
--- a/playbookconfig/playbookconfig/playbooks/bootstrap/host_vars/default.yml
+++ b/playbookconfig/playbookconfig/playbooks/bootstrap/host_vars/default.yml
@ -130,6 +130,22 @@ docker_registries:

 #is_secure_registry: True

+# Certificates
+# =================
+#
+# These values provide a means to install certificates onto the system.
+# For example the ssl_ca_cert parameter may be used to install a trusted CA to
+# the system. A trusted CA certificate will be required if the end user
+# configures a private docker registry that is signed by an unknown Certificate
+# Authority.
+#
+# The certificate value is the absolute path of the certificate file.
+# The certificate must be in PEM format.
+# The supported certificates are:
+#   - ssl_ca_cert
+#
+#ssl_ca_cert: /path/to/ssl_ca_cert_file
+
 # ADMIN CREDENTIALS
 # =================
 #
--- a/playbookconfig/playbookconfig/playbooks/bootstrap/roles/persist-config/tasks/main.yml
+++ b/playbookconfig/playbookconfig/playbooks/bootstrap/roles/persist-config/tasks/main.yml
@ -186,6 +186,34 @@

  when: save_config

+- block:
+  - name: Copy ssl_ca certificate
+    copy:
+     src: "{{ ssl_ca_cert }}"
+     dest: "{{ temp_ssl_ca }}"
+
+  - name: Remove ssl_ca complete flag
+    file:
+      path: "{{ ssl_ca_complete_flag }}"
+      state: absent
+
+  - name: Add ssl_ca certificate
+    shell: source /etc/platform/openrc; system certificate-install -m ssl_ca {{ temp_ssl_ca }}
+
+  - name: Wait for certificate install
+    wait_for:
+      path: "{{ ssl_ca_complete_flag }}"
+      state: present
+      timeout: 360
+      msg: Timeout waiting for ssl_ca certificate install
+
+  - name: Cleanup temporary certificate
+    file:
+      path: "{{ temp_ssl_ca }}"
+      state: absent
+
+  when: ssl_ca_cert is defined and ssl_ca_cert
+
 # PXE boot files
 - name: Set pxeboot files source if address allocation is dynamic
  set_fact:
--- a/playbookconfig/playbookconfig/playbooks/bootstrap/roles/persist-config/vars/main.yml
+++ b/playbookconfig/playbookconfig/playbooks/bootstrap/roles/persist-config/vars/main.yml
@ -3,3 +3,5 @@ keyring_workdir: /tmp/python_keyring
 docker_proxy_conf: /etc/systemd/system/docker.service.d/http-proxy.conf
 minimum_root_disk_size: 240
 default_security_feature: "nopti nospectre_v2"
+temp_ssl_ca: /tmp/ca_cert.pem
+ssl_ca_complete_flag: /etc/platform/.ssl_ca_complete
--- a/playbookconfig/playbookconfig/playbooks/bootstrap/roles/validate-config/tasks/main.yml
+++ b/playbookconfig/playbookconfig/playbooks/bootstrap/roles/validate-config/tasks/main.yml
@ -389,6 +389,12 @@
          (docker_images_archive_source is not none)


+- name: Check for ssl_ca_cert file
+  fail:
+    msg: "ssl_ca_cert file not found. ({{ ssl_ca_cert }})"
+  when: ssl_ca_cert is defined and (not ssl_ca_cert is file)
+
+
 # bootstrap_config ini file generation
 - block:
  - name: Create config workdir