Provide server CA certs to agents (#96)

nelsonkopliku · web-flow · commit 13a1d5656971 · 2026-02-09T08:56:02.000+01:00
* Provide server CA certs to agents

* Improve variables
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -128,6 +128,8 @@ jobs:
             nginx_ssl_key_as_base64='true' \
             nginx_ssl_cert='${{ secrets.SSL_CERT }}' \
             nginx_ssl_key='${{ secrets.SSL_KEY }}' \
+            agent_server_ca_cert='${{ secrets.SERVER_CA_CERT }}' \
+            agent_server_ca_cert_as_base64='true' \
             install_method='${{ matrix.install_method }}'"
             --verbose
 
diff --git a/README.adoc b/README.adoc
@@ -678,6 +678,13 @@ per-role basis if appropriate.
   `trento_rabbitmq_vhost`>
 
 | agent_install_monitoring_dep | Whether to install monitoring dependencies like node_exporter or alloy | true
+
+| agent_server_ca_cert | CA certificate of the Trento server, used to verify the
+  server TLS certificate when connecting to it. This is required when ssl termination
+  is enabled on the server side and the TLS is signed by a non-public CA. | undefined
+
+| agent_server_ca_cert_as_base64 | Whether the `agent_server_ca_cert` variable is provided as a
+  base64 string | false
 |===
 
 *Postgres role*
diff --git a/roles/agent/defaults/main.yml b/roles/agent/defaults/main.yml
@@ -7,3 +7,5 @@ agent_rabbitmq_username: "{{ rabbitmq_username | default(trento_rabbitmq_usernam
 agent_rabbitmq_password: "{{ rabbitmq_password | default(trento_rabbitmq_password) }}" # `rabbimtq_password` for backwards-compatibility
 agent_rabbitmq_vhost: "{{ rabbitmq_vhost | default(trento_rabbitmq_vhost) }}" # `rabbimtq_vhost` for backwards-compatibility
 agent_install_monitoring_dep: true
+agent_server_ca_cert: "{{ undef() }}"
+agent_server_ca_cert_as_base64: false
diff --git a/roles/agent/tasks/main.yml b/roles/agent/tasks/main.yml
@@ -20,6 +20,19 @@
   notify:
     - Restart Trento agent
 
+- name: Add Server CA certificate PEM if provided
+  no_log: false
+  ansible.builtin.copy:
+    content: "{{ (agent_server_ca_cert | b64decode) if agent_server_ca_cert_as_base64 | bool else agent_server_ca_cert }}"
+    dest: "/etc/pki/trust/anchors/trento-server-ca.pem"
+    mode: "0644"
+  when: agent_server_ca_cert is defined
+
+- name: Update CA trust store
+  ansible.builtin.command: update-ca-certificates
+  when: agent_server_ca_cert is defined
+  changed_when: false
+
 - name: Start Trento agent service
   ansible.builtin.service:
     name: trento-agent
diff --git a/roles/web/tasks/rpm.yml b/roles/web/tasks/rpm.yml
@@ -22,7 +22,7 @@
 - name: Start trento-web service
   ansible.builtin.service:
     name: trento-web
-    state: started
+    state: restarted
     enabled: true
 
 - name: Wait for Web to be available
