Add role and playbook to generate a certs tarball

ehelms · ehelms · commit b6c101f3a2f0 · 2025-03-05T10:26:27.000-05:00
Signed-off-by: Eric D. Helms &lt;ericdhelms@gmail.com&gt;
diff --git a/playbooks/certificate-bundle.yaml b/playbooks/certificate-bundle.yaml
@@ -0,0 +1,18 @@
+- name: Generate a certificate bundle for a hostname
+  hosts:
+    - quadlet
+  become: true
+  vars:
+    certificates_ca: false
+    certificates_hostnames:
+      - "{{ hostname }}"
+  roles:
+    - certificates
+    - role: certificate_bundle
+      vars:
+        certificate_bundle_hostname: "{{ hostname }}"
+        certificate_bundle_ca_certificate: "{{ certificates_ca_directory }}/certs/ca.crt"
+        certificate_bundle_server_certificate: "{{ certificates_ca_directory }}/certs/{{ hostname }}.crt"
+        certificate_bundle_server_key: "{{ certificates_ca_directory }}/private/{{ hostname }}.key"
+        certificate_bundle_client_certificate: "{{ certificates_ca_directory }}/certs/{{ hostname }}-client.crt"
+        certificate_bundle_client_key: "{{ certificates_ca_directory }}/private/{{ hostname }}-client.key"
diff --git a/roles/certificate_bundle/tasks/main.yml b/roles/certificate_bundle/tasks/main.yml
@@ -0,0 +1,67 @@
+---
+- name: Create temporary directory
+  ansible.builtin.tempfile:
+    state: directory
+    suffix: certificate-build
+  register: build_directory
+
+- name: Create directory structure
+  ansible.builtin.file:
+    state: directory
+    path: "{{ build_directory.path }}/ssl-build/{{ certificate_bundle_hostname }}"
+    mode: '0755'
+
+- name: Copy CA certificate
+  ansible.builtin.copy:
+    src: "{{ certificate_bundle_ca_certificate }}"
+    dest: "{{ build_directory.path }}/ssl-build/{{ item }}"
+    remote_src: true
+    mode: '0444'
+  loop:
+    - katello-server-ca.crt
+    - katello-default-ca.crt
+
+- name: Copy server certificate
+  ansible.builtin.copy:
+    src: "{{ certificate_bundle_server_certificate }}"
+    dest: "{{ build_directory.path }}/ssl-build/{{ certificate_bundle_hostname }}/{{ certificate_bundle_hostname }}-{{ item }}"
+    remote_src: true
+    mode: '0444'
+  loop:
+    - apache.crt
+    - foreman-proxy.crt
+
+- name: Copy server key
+  ansible.builtin.copy:
+    src: "{{ certificate_bundle_server_key }}"
+    dest: "{{ build_directory.path }}/ssl-build/{{ certificate_bundle_hostname }}/{{ certificate_bundle_hostname }}-{{ item }}"
+    remote_src: true
+    mode: '0440'
+  loop:
+    - apache.key
+    - foreman-proxy.key
+
+- name: Copy client certificate
+  ansible.builtin.copy:
+    src: "{{ certificate_bundle_client_certificate }}"
+    dest: "{{ build_directory.path }}/ssl-build/{{ certificate_bundle_hostname }}/{{ certificate_bundle_hostname }}-{{ item }}"
+    remote_src: true
+    mode: '0444'
+  loop:
+    - foreman-proxy-client.crt
+    - puppet-client.crt
+
+- name: Copy client key
+  ansible.builtin.copy:
+    src: "{{ certificate_bundle_client_key }}"
+    dest: "{{ build_directory.path }}/ssl-build/{{ certificate_bundle_hostname }}/{{ certificate_bundle_hostname }}-{{ item }}"
+    remote_src: true
+    mode: '0440'
+  loop:
+    - foreman-proxy-client.key
+    - puppet-client.key
+
+- name: Create tarball
+  community.general.archive:
+    path: "{{ build_directory.path }}/ssl-build"
+    dest: "/root/{{ certificate_bundle_hostname }}.tar.gz"
