pass in the configured DB ca (if any) to the container

Author: evgeni

src/roles/candlepin/tasks/main.yml

@@ -47,6 +47,14 @@
   notify:
     - Restart candlepin
 
+- name: Create DB SSL cert
+  containers.podman.podman_secret:
+    state: present
+    name: candlepin-db-ca
+    data: "{{ lookup('ansible.builtin.file', candlepin_database_ssl_ca) if candlepin_database_ssl_ca else 'empty' }}"
+  notify:
+    - Restart candlepin
+
 - name: Setup artemis
   ansible.builtin.include_tasks:
     file: artemis.yml
@@ -76,6 +84,7 @@
       - 'candlepin-artemis-cert-roles-properties,target=/etc/tomcat/cert-roles.properties,mode=440,type=mount'
       - 'candlepin-artemis-cert-users-properties,target=/etc/tomcat/cert-users.properties,mode=440,type=mount'
       - 'candlepin-artemis-jaas-conf,target=/etc/tomcat/conf.d/jaas.conf,mode=440,type=mount'
+      - 'candlepin-db-ca,target=/foremanctl-db-ca.crt,type=mount'
     volumes:
       - /var/log/candlepin:/var/log/candlepin:Z
       - /var/log/tomcat:/var/log/tomcat:Z

src/roles/candlepin/templates/candlepin.conf.j2

@@ -23,7 +23,7 @@ jpa.config.hibernate.hbm2ddl.auto=validate
 jpa.config.hibernate.connection.username={{ candlepin_database_user }}
 jpa.config.hibernate.connection.password={{ candlepin_database_password }}
 jpa.config.hibernate.connection.driver_class=org.postgresql.Driver
-jpa.config.hibernate.connection.url=jdbc:postgresql://{{ candlepin_database_host }}:{{ candlepin_database_port }}/{{ candlepin_database_name }}?sslmode={{ candlepin_database_ssl_mode }}{% if candlepin_database_ssl_ca is defined %}&sslrootcert={{ candlepin_database_ssl_ca }}{% endif %}
+jpa.config.hibernate.connection.url=jdbc:postgresql://{{ candlepin_database_host }}:{{ candlepin_database_port }}/{{ candlepin_database_name }}?sslmode={{ candlepin_database_ssl_mode }}{% if candlepin_database_ssl_ca is defined %}&sslrootcert=/foremanctl-db-ca.crt{% endif %}
 
 
 org.quartz.jobStore.misfireThreshold=60000

src/roles/foreman/tasks/main.yaml

@@ -8,7 +8,7 @@
   containers.podman.podman_secret:
     state: present
     name: foreman-database-url
-    data: "postgresql://{{ foreman_database_user }}:{{ foreman_database_password }}@{{ foreman_database_host }}:{{ foreman_database_port }}/{{ foreman_database_name }}?pool={{ foreman_database_pool }}&sslmode={{ foreman_database_sslmode }}{% if foreman_database_ssl_ca is defined %}&sslrootcert={{ foreman_database_ssl_ca }}{% endif %}" # yamllint disable-line rule:line-length
+    data: "postgresql://{{ foreman_database_user }}:{{ foreman_database_password }}@{{ foreman_database_host }}:{{ foreman_database_port }}/{{ foreman_database_name }}?pool={{ foreman_database_pool }}&sslmode={{ foreman_database_sslmode }}{% if foreman_database_ssl_ca is defined %}&sslrootcert=/etc/foreman/db-ca.crt{% endif %}" # yamllint disable-line rule:line-length
   notify:
     - Restart foreman
     - Restart dynflow-sidekiq@
@@ -84,6 +84,15 @@
     - Restart foreman
     - Restart dynflow-sidekiq@
 
+- name: Create DB SSL cert
+  containers.podman.podman_secret:
+    state: present
+    name: foreman-db-ca
+    data: "{{ lookup('ansible.builtin.file', foreman_database_ssl_ca) if foreman_database_ssl_ca else 'empty' }}"
+  notify:
+    - Restart foreman
+    - Restart dynflow-sidekiq@
+
 - name: Deploy Foreman Container
   containers.podman.podman_container:
     name: "foreman"
@@ -103,6 +112,7 @@
       - 'foreman-ca-cert,type=mount,target=/etc/foreman/katello-default-ca.crt'
       - 'foreman-client-cert,type=mount,target=/etc/foreman/client_cert.pem'
       - 'foreman-client-key,type=mount,target=/etc/foreman/client_key.pem'
+      - 'foreman-db-ca,type=mount,target=/etc/foreman/db-ca.crt'
     env:
       FOREMAN_PUMA_WORKERS: "{{ foreman_puma_workers }}"
       FOREMAN_ENABLED_PLUGINS: "{{ foreman_plugins | join(' ') }}"
@@ -133,6 +143,7 @@
       - 'foreman-client-cert,type=mount,target=/etc/foreman/client_cert.pem'
       - 'foreman-client-key,type=mount,target=/etc/foreman/client_key.pem'
       - 'foreman-dynflow-worker-hosts-queue-yaml,type=mount,target=/etc/foreman/dynflow/worker-hosts-queue.yml'
+      - 'foreman-db-ca,type=mount,target=/etc/foreman/db-ca.crt'
     env:
       DYNFLOW_REDIS_URL: "redis://localhost:6379/6"
       REDIS_PROVIDER: "DYNFLOW_REDIS_URL"
@@ -182,6 +193,7 @@
       - 'foreman-seed-admin-user,type=env,target=SEED_ADMIN_USER'
       - 'foreman-seed-admin-password,type=env,target=SEED_ADMIN_PASSWORD'
       - 'foreman-settings-yaml,type=mount,target=/etc/foreman/settings.yaml'
+      - 'foreman-db-ca,type=mount,target=/etc/foreman/db-ca.crt'
 
 - name: Flush handlers to restart services
   ansible.builtin.meta: flush_handlers

src/roles/pulp/defaults/main.yaml

@@ -35,15 +35,15 @@ pulp_database_user: pulp
 pulp_database_host: localhost
 pulp_database_port: 5432
 pulp_database_ssl_mode: disabled
-pulp_database_ssl_ca: None
+pulp_database_ssl_ca:
 
 pulp_settings_database_env:
   PULP_DATABASES__default__NAME: "{{ pulp_database_name }}"
   PULP_DATABASES__default__USER: "{{ pulp_database_user }}"
   PULP_DATABASES__default__HOST: "{{ pulp_database_host }}"
   PULP_DATABASES__default__PORT: "{{ pulp_database_port }}"
   PULP_DATABASES__default__OPTIONS__sslmode: "{{ pulp_database_ssl_mode }}"
-  PULP_DATABASES__default__OPTIONS__sslrootcert: "{{ pulp_database_ssl_ca }}"
+  PULP_DATABASES__default__OPTIONS__sslrootcert: "/foremanctl-db-ca.crt"
   PULP_ENABLED_PLUGINS: >-
     {{ pulp_enabled_plugins }}
 

src/roles/pulp/tasks/main.yaml

@@ -40,6 +40,16 @@
     - Restart pulp-content
     - Restart pulp-worker
 
+- name: Create DB SSL cert
+  containers.podman.podman_secret:
+    state: present
+    name: pulp-db-ca
+    data: "{{ lookup('ansible.builtin.file', pulp_database_ssl_ca) if pulp_database_ssl_ca else 'empty' }}"
+  notify:
+    - Restart pulp-api
+    - Restart pulp-content
+    - Restart pulp-worker
+
 - name: Generate Django secret key
   ansible.builtin.command: "bash -c 'openssl rand -base64 50 | tr -d \"\\n\" | tr \"+/\" \"-_\" > /var/lib/pulp/django_secret_key'"
   args:
@@ -92,6 +102,7 @@
     secrets:
       - 'pulp-symmetric-key,type=mount,target=/etc/pulp/certs/database_fields.symmetric.key'
       - 'pulp-db-password,type=env,target=PULP_DATABASES__default__PASSWORD'
+      - 'pulp-db-ca,type=mount,target=/foremanctl-db-ca.crt'
       - 'pulp-django-secret-key,type=env,target=PULP_SECRET_KEY'
     env: "{{ pulp_settings_env }}"
     quadlet_options:
@@ -122,6 +133,7 @@
     secrets:
       - 'pulp-symmetric-key,type=mount,target=/etc/pulp/certs/database_fields.symmetric.key'
       - 'pulp-db-password,type=env,target=PULP_DATABASES__default__PASSWORD'
+      - 'pulp-db-ca,type=mount,target=/foremanctl-db-ca.crt'
       - 'pulp-django-secret-key,type=env,target=PULP_SECRET_KEY'
     env: "{{ pulp_settings_env }}"
     quadlet_options:
@@ -152,6 +164,7 @@
     secrets:
       - 'pulp-symmetric-key,type=mount,target=/etc/pulp/certs/database_fields.symmetric.key'
       - 'pulp-db-password,type=env,target=PULP_DATABASES__default__PASSWORD'
+      - 'pulp-db-ca,type=mount,target=/foremanctl-db-ca.crt'
       - 'pulp-django-secret-key,type=env,target=PULP_SECRET_KEY'
     env: "{{ pulp_settings_env }}"
     quadlet_options:
@@ -202,6 +215,7 @@
     secrets:
       - 'pulp-symmetric-key,type=mount,target=/etc/pulp/certs/database_fields.symmetric.key'
       - 'pulp-db-password,type=env,target=PULP_DATABASES__default__PASSWORD'
+      - 'pulp-db-ca,type=mount,target=/foremanctl-db-ca.crt'
     env: "{{ pulp_settings_database_env }}"
 
 - name: Ensure Pulp admin user exists
@@ -215,6 +229,7 @@
     secrets:
       - 'pulp-symmetric-key,type=mount,target=/etc/pulp/certs/database_fields.symmetric.key'
       - 'pulp-db-password,type=env,target=PULP_DATABASES__default__PASSWORD'
+      - 'pulp-db-ca,type=mount,target=/foremanctl-db-ca.crt'
     env: "{{ pulp_settings_database_env }}"
 
 - name: Flush handlers to restart services

src/vars/database.yml

@@ -2,7 +2,7 @@
 database_host: localhost
 database_port: 5432
 database_ssl_mode: disable
-database_ssl_ca: None
+database_ssl_ca:
 
 foreman_database_name: foreman
 foreman_database_user: foreman