feat: refactor copy-ca-to-hosts playbook

jackhodgkiss · jackhodgkiss · commit 464cca2dfd27 · 2025-07-07T15:11:08.000+01:00
The playbook `copy-ca-to-hosts` has been refactored in a couple ways.
Firstly, the tasks for installing in either `RHEL` or `Debian` based
systems are placed in `blocks`. Secondly both the root and intermediate
certificate authority have added here to ensure the full chain is
available if required.
diff --git a/etc/kayobe/ansible/copy-ca-to-hosts.yml b/etc/kayobe/ansible/copy-ca-to-hosts.yml
@@ -1,29 +1,34 @@
 ---
-- name: Copy CA certificate and update trust
+- name: Install certificate authorities and update trust
   hosts: overcloud:seed:seed-hypervisor
   become: true
-  vars:
-    cert_path: "{{ kayobe_env_config_path }}/vault/OS-TLS-ROOT.pem"
-
   tasks:
-    - name: Copy certificate on RedHat family systems (Rocky, RHEL, CentOS)
-      ansible.builtin.copy:
-        src: "{{ cert_path }}"
-        dest: "/etc/pki/ca-trust/source/anchors/OS-TLS-ROOT.pem"
-        mode: "0644"
+    - name: Install certificate authorities on RedHat based distributions
       when: ansible_facts.os_family == 'RedHat'
+      block:
+        - name: Copy certificate authorities on RedHat family systems (Rocky, RHEL, CentOS)
+          ansible.builtin.copy:
+            src: "{{ kayobe_env_config_path }}/openbao/{{ item }}.pem"
+            dest: "/etc/pki/ca-trust/source/anchors/{{ item }}.crt"
+            mode: "0644"
+          loop:
+            - "OS-TLS-ROOT"
+            - "OS-TLS-INT"
 
-    - name: Update CA trust on RedHat family systems
-      ansible.builtin.command: "update-ca-trust"
-      when: ansible_facts.os_family == 'RedHat'
+        - name: Update CA trust on RedHat family systems
+          ansible.builtin.command: "update-ca-trust"
 
-    - name: Copy certificate on Debian family systems (Ubuntu, Debian)
-      ansible.builtin.copy:
-        src: "{{ cert_path }}"
-        dest: "/usr/local/share/ca-certificates/OS-TLS-ROOT.crt"
-        mode: "0644"
+    - name: Install certificate authorities on Debian based distributions
       when: ansible_facts.os_family == 'Debian'
+      block:
+        - name: Copy certificate authorities on Debian family systems (Ubuntu, Debian)
+          ansible.builtin.copy:
+            src: "{{ kayobe_env_config_path }}/openbao/{{ item }}.pem"
+            dest: "/usr/local/share/ca-certificates/{{ item }}.crt"
+            mode: "0644"
+          loop:
+            - "OS-TLS-ROOT"
+            - "OS-TLS-INT"
 
-    - name: Update CA trust on Debian family systems
-      ansible.builtin.command: "update-ca-certificates"
-      when: ansible_facts.os_family == 'Debian'
+        - name: Update CA trust on Debian family systems
+          ansible.builtin.command: "update-ca-certificates"
