# Stage 1: produce (or merely validate) the TLS material that the two
# following plays consume through the same vars file.
- name: Generate certificates
  hosts:
    - quadlet
  become: true
  vars:
    # Selects ../vars/<certificate_source>_certificates.yml. With "default"
    # the certificates role runs and generates the files; any other value is
    # expected to ship its own paths in that vars file.
    certificate_source: default
    certificates_hostnames:
      - "{{ ansible_fqdn }}"
      - localhost
    # Placeholder only -- override for anything beyond a throwaway deployment.
    certificates_ca_password: "CHANGEME"
  vars_files:
    - "../vars/{{ certificate_source }}_certificates.yml"
  roles:
    # Self-signed generation is skipped when an external source is selected.
    - role: certificates
      when: "certificate_source == 'default'"
    # Sanity-check whichever certificate set the vars file points at.
    - role: certificate_checks
      vars:
        certificate_checks_certificate: "{{ server_certificate }}"
        certificate_checks_key: "{{ server_key }}"
        certificate_checks_ca: "{{ ca_certificate }}"
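# Stage 2: install the server side (PostgreSQL, Redis, Candlepin, httpd,
# Pulp, Foreman) on the same host, wiring in the certificates from stage 1.
- name: Install server
  hosts:
    - quadlet
  become: true
  vars_files:
    - "../vars/{{ certificate_source }}_certificates.yml"
    - "../vars/images.yml"
  vars:
    certificate_source: default
    # Placeholder credentials -- override them for any non-throwaway
    # deployment; do not commit real values into this file.
    candlepin_db_password: "CHANGEME"
    candlepin_keystore_password: "CHANGEME"
    candlepin_oauth_secret: "CHANGEME"
    # CA and certificate paths come from the selected certificates vars file.
    candlepin_ca_key_password: "{{ ca_key_password }}"
    candlepin_ca_key: "{{ ca_key }}"
    candlepin_ca_certificate: "{{ ca_certificate }}"
    candlepin_tomcat_key: "{{ localhost_key }}"
    candlepin_tomcat_certificate: "{{ localhost_certificate }}"
    candlepin_client_key: "{{ client_key }}"
    candlepin_client_certificate: "{{ client_certificate }}"
    foreman_ca_certificate: "{{ ca_certificate }}"
    foreman_client_key: "{{ client_key }}"
    foreman_client_certificate: "{{ client_certificate }}"
    foreman_db_password: "CHANGEME"
    # Example values. The "Install smart-proxy" play passes the same pair to
    # foreman-installer, so both plays must be changed together. Quoted so
    # tooling never retypes them.
    foreman_oauth_consumer_key: "abcdefghijklmnopqrstuvwxyz123456"
    foreman_oauth_consumer_secret: "abcdefghijklmnopqrstuvwxyz123456"
    httpd_server_ca_certificate: "{{ ca_certificate }}"
    httpd_client_ca_certificate: "{{ ca_certificate }}"
    httpd_server_certificate: "{{ server_certificate }}"
    httpd_server_key: "{{ server_key }}"
    pulp_db_password: "CHANGEME"
    pulp_content_origin: "https://{{ ansible_fqdn }}"
    pulp_pulp_url: "https://{{ ansible_fqdn }}"
    postgresql_restarted_state: started
    postgresql_databases:
      - name: candlepin
        owner: candlepin
      - name: foreman
        owner: foreman
      - name: pulp
        owner: pulp
    postgresql_users:
      - name: candlepin
        password: "{{ candlepin_db_password }}"
      - name: foreman
        password: "{{ foreman_db_password }}"
      - name: pulp
        password: "{{ pulp_db_password }}"
    # pg_hba rules; PostgreSQL applies the first matching entry, so order
    # matters. Unix-socket logins use ident, loopback TCP logins use md5
    # passwords, and the postgres superuser is explicitly rejected from any
    # other IPv4 address. Connections matching no entry are denied.
    postgresql_hba_entries:
      - type: local
        database: all
        user: postgres
        auth_method: ident
      - type: local
        database: all
        user: all
        auth_method: ident
      - type: host
        database: all
        user: postgres
        address: "127.0.0.1/32"
        auth_method: md5
      - type: host
        database: all
        user: postgres
        address: "0.0.0.0/0"
        auth_method: reject
      - type: host
        database: all
        user: all
        address: "127.0.0.1/32"
        auth_method: md5
      - type: host
        database: all
        user: all
        address: "::1/128"
        auth_method: md5
  # Order matters: the database and cache must be up before the services
  # that connect to them are configured.
  roles:
    - geerlingguy.postgresql
    - redis
    - candlepin
    - httpd
    - pulp
    - foreman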
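# Stage 3: install the smart-proxy on the same host with foreman-installer,
# reusing the stage-1 certificates rather than letting the installer mint
# its own.
- name: Install smart-proxy
  hosts:
    - quadlet
  become: true
  vars_files:
    - "../vars/{{ certificate_source }}_certificates.yml"
  vars:
    certificate_source: default
    # Passed to foreman-installer below as the proxy's OAuth credentials;
    # must be identical to the values in the "Install server" play.
    foreman_oauth_consumer_key: "abcdefghijklmnopqrstuvwxyz123456"
    foreman_oauth_consumer_secret: "abcdefghijklmnopqrstuvwxyz123456"
  pre_tasks:
    - name: Enable foreman-installer PR 1016 Copr repo
      community.general.copr:
        host: copr.fedorainfracloud.org
        state: enabled
        name: packit/theforeman-foreman-installer-1016
        chroot: rhel-9-x86_64
    - name: Configure Puppet repositories
      ansible.builtin.include_role:
        name: theforeman.operations.puppet_repositories
      vars:
        foreman_puppet_repositories_version: "8"
    - name: Configure Foreman and Katello repositories
      ansible.builtin.include_role:
        name: theforeman.operations.foreman_repositories
      vars:
        foreman_repositories_version: nightly
        foreman_repositories_katello_version: nightly
    - name: Install foreman-proxy
      # FQCN for consistency with the other ansible.builtin.* tasks here.
      ansible.builtin.package:
        name: foreman-proxy
    - name: Deploy default certificates
      ansible.builtin.copy:
        src: "{{ item.value }}"
        dest: "{{ item.key }}"
        remote_src: true
        owner: foreman-proxy
        group: foreman-proxy
        # Quoted with a leading zero: a bare 440 is read as decimal 440
        # (octal 0670), which would make the private keys group-writable.
        # "0440" is owner/group read-only, as intended for key material.
        mode: "0440"
      loop: "{{ certs | dict2items }}"
      vars:
        # dest path -> source path on the remote host (remote_src above).
        certs:
          "/etc/foreman-proxy/foreman_ssl_ca.pem": "{{ ca_certificate }}"
          "/etc/foreman-proxy/foreman_ssl_cert.pem": "{{ client_certificate }}"
          "/etc/foreman-proxy/foreman_ssl_key.pem": "{{ client_key }}"
          "/etc/foreman-proxy/ssl_ca.pem": "{{ ca_certificate }}"
          "/etc/foreman-proxy/ssl_cert.pem": "{{ server_certificate }}"
          "/etc/foreman-proxy/ssl_key.pem": "{{ server_key }}"
  roles:
    - role: theforeman.operations.installer
      vars:
        foreman_installer_scenario: katello
        foreman_installer_package: foreman-installer-katello
        # Proxy-only install: Katello itself is disabled on this host.
        foreman_installer_options:
          - "--foreman-proxy-oauth-consumer-key {{ foreman_oauth_consumer_key }}"
          - "--foreman-proxy-oauth-consumer-secret {{ foreman_oauth_consumer_secret }}"
          - "--no-enable-katello"
          - "--tuning development"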