Add role and playbook to generate a certs tarball

Signed-off-by: Eric D. Helms <ericdhelms@gmail.com>

Author: ehelms

.github/workflows/test.yml

@@ -111,6 +111,9 @@ jobs:
       - name: Run deployment
         run: |
           ./foremanctl deploy --certificate-source=${{ matrix.certificate_source }} ${{ matrix.database == 'external' && '--database-mode=external --database-host=database.example.com --database-ssl-ca $(pwd)/.var/lib/foremanctl/db-ca.crt --database-ssl-mode verify-full' || '' }} --foreman-initial-admin-password=changeme --tuning development
+      - name: Generate certificate bundle for second system
+        run: |
+          ./foremanctl certificate-bundle --certificate-source=${{ matrix.certificate_source }} proxy.example.com
       - name: Add optional feature - hammer
         run: |
           ./foremanctl deploy --add-feature hammer

docs/certificates.md

@@ -65,6 +65,37 @@ foremanctl deploy \
 
 When CNAMEs are specified, certificates will include all names in the Subject Alternative Name field, allowing the same certificate to be valid for multiple hostnames.
 
+### Generating Certificate Bundles
+
+foremanctl can generate certificate bundles for additional hostnames (e.g. proxies). A certificate bundle is a tarball containing all the certificate files a host needs, structured in the format expected by foremanctl.
+
+```bash
+# Generate a certificate bundle using the default (self-signed) CA
+foremanctl certificate-bundle proxy.example.com
+
+# Generate a certificate bundle using installer certificates
+foremanctl certificate-bundle --certificate-source=installer proxy.example.com
+```
+
+The generated tarball is written to `/root/<hostname>.tar.gz` and contains:
+
+```
+ssl-build/
+├── katello-server-ca.crt
+├── katello-default-ca.crt
+└── <hostname>/
+    ├── <hostname>-apache.crt
+    ├── <hostname>-apache.key
+    ├── <hostname>-foreman-proxy.crt
+    ├── <hostname>-foreman-proxy.key
+    ├── <hostname>-foreman-proxy-client.crt
+    ├── <hostname>-foreman-proxy-client.key
+    ├── <hostname>-puppet-client.crt
+    └── <hostname>-puppet-client.key
+```
+
+The bundle uses the server certificate and key for both apache and foreman-proxy, and the client certificate and key for both foreman-proxy-client and puppet-client.
+
 ### Current Limitations
 
 - Cannot provide custom certificate files during deployment

src/playbooks/certificate-bundle/certificate-bundle.yaml

@@ -0,0 +1,24 @@
+---
+- name: Generate a certificate bundle for a hostname
+  hosts:
+    - quadlet
+  become: true
+  vars_files:
+    - "../../vars/defaults.yml"
+  vars:
+    certificates_ca: false
+    certificates_hostnames:
+      - "{{ hostname }}"
+  roles:
+    - role: certificates
+      when: "certificate_source == 'default'"
+    - role: foreman_installer_certificates
+      when: "certificate_source == 'installer'"
+    - role: certificate_bundle
+      vars:
+        certificate_bundle_hostname: "{{ hostname }}"
+        certificate_bundle_ca_certificate: "{{ certificates_ca_directory }}/certs/ca.crt"
+        certificate_bundle_server_certificate: "{{ certificates_ca_directory }}/certs/{{ hostname }}.crt"
+        certificate_bundle_server_key: "{{ certificates_ca_directory }}/private/{{ hostname }}.key"
+        certificate_bundle_client_certificate: "{{ certificates_ca_directory }}/certs/{{ hostname }}-client.crt"
+        certificate_bundle_client_key: "{{ certificates_ca_directory }}/private/{{ hostname }}-client.key"

src/playbooks/certificate-bundle/metadata.obsah.yaml

@@ -0,0 +1,11 @@
+---
+help: |
+  Generate a certificate bundle
+
+variables:
+  hostname:
+    parameter: hostname
+    help: Hostname to generate a certificate bundle for that will be the common name.
+
+include:
+  - _certificate_source

src/roles/certificate_bundle/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+certificate_bundle_output_directory: /root

src/roles/certificate_bundle/tasks/main.yml

@@ -0,0 +1,68 @@
+---
+- name: Create temporary directory
+  ansible.builtin.tempfile:
+    state: directory
+    suffix: certificate-build
+  register: certificate_bundle_build_directory
+
+- name: Create directory structure
+  ansible.builtin.file:
+    state: directory
+    path: "{{ certificate_bundle_build_directory.path }}/ssl-build/{{ certificate_bundle_hostname }}"
+    mode: '0755'
+
+- name: Copy CA certificate
+  ansible.builtin.copy:
+    src: "{{ certificate_bundle_ca_certificate }}"
+    dest: "{{ certificate_bundle_build_directory.path }}/ssl-build/{{ item }}"
+    remote_src: true
+    mode: '0444'
+  loop:
+    - katello-server-ca.crt
+    - katello-default-ca.crt
+
+- name: Copy server certificate
+  ansible.builtin.copy:
+    src: "{{ certificate_bundle_server_certificate }}"
+    dest: "{{ certificate_bundle_build_directory.path }}/ssl-build/{{ certificate_bundle_hostname }}/{{ certificate_bundle_hostname }}-{{ item }}"
+    remote_src: true
+    mode: '0444'
+  loop:
+    - apache.crt
+    - foreman-proxy.crt
+
+- name: Copy server key
+  ansible.builtin.copy:
+    src: "{{ certificate_bundle_server_key }}"
+    dest: "{{ certificate_bundle_build_directory.path }}/ssl-build/{{ certificate_bundle_hostname }}/{{ certificate_bundle_hostname }}-{{ item }}"
+    remote_src: true
+    mode: '0440'
+  loop:
+    - apache.key
+    - foreman-proxy.key
+
+- name: Copy client certificate
+  ansible.builtin.copy:
+    src: "{{ certificate_bundle_client_certificate }}"
+    dest: "{{ certificate_bundle_build_directory.path }}/ssl-build/{{ certificate_bundle_hostname }}/{{ certificate_bundle_hostname }}-{{ item }}"
+    remote_src: true
+    mode: '0444'
+  loop:
+    - foreman-proxy-client.crt
+    - puppet-client.crt
+
+- name: Copy client key
+  ansible.builtin.copy:
+    src: "{{ certificate_bundle_client_key }}"
+    dest: "{{ certificate_bundle_build_directory.path }}/ssl-build/{{ certificate_bundle_hostname }}/{{ certificate_bundle_hostname }}-{{ item }}"
+    remote_src: true
+    mode: '0440'
+  loop:
+    - foreman-proxy-client.key
+    - puppet-client.key
+
+- name: Create tarball
+  community.general.archive:
+    path: "{{ certificate_bundle_build_directory.path }}/ssl-build"
+    dest: "{{ certificate_bundle_output_directory }}/{{ certificate_bundle_hostname }}.tar.gz"
+    mode: '0640'

tests/certificate_bundle_test.py

@@ -0,0 +1,68 @@
+import pytest
+
+
+HOSTNAME = 'proxy.example.com'
+TARBALL = f'/root/{HOSTNAME}.tar.gz'
+
+EXPECTED_CA_FILES = [
+    'ssl-build/katello-server-ca.crt',
+    'ssl-build/katello-default-ca.crt',
+]
+
+EXPECTED_SERVER_FILES = [
+    f'ssl-build/{HOSTNAME}/{HOSTNAME}-apache.crt',
+    f'ssl-build/{HOSTNAME}/{HOSTNAME}-apache.key',
+    f'ssl-build/{HOSTNAME}/{HOSTNAME}-foreman-proxy.crt',
+    f'ssl-build/{HOSTNAME}/{HOSTNAME}-foreman-proxy.key',
+]
+
+EXPECTED_CLIENT_FILES = [
+    f'ssl-build/{HOSTNAME}/{HOSTNAME}-foreman-proxy-client.crt',
+    f'ssl-build/{HOSTNAME}/{HOSTNAME}-foreman-proxy-client.key',
+    f'ssl-build/{HOSTNAME}/{HOSTNAME}-puppet-client.crt',
+    f'ssl-build/{HOSTNAME}/{HOSTNAME}-puppet-client.key',
+]
+
+
+@pytest.fixture(scope="module")
+def tarball_members(server):
+    result = server.run(f'tar tzf {TARBALL}')
+    assert result.succeeded, f'Tarball {TARBALL} not found. Run foremanctl certificate-bundle {HOSTNAME} before tests.'
+    return result.stdout.strip().splitlines()
+
+
+def test_tarball_created(server):
+    assert server.file(TARBALL).exists
+
+
+@pytest.mark.parametrize("expected_file", EXPECTED_CA_FILES)
+def test_tarball_contains_ca_certificate(tarball_members, expected_file):
+    assert expected_file in tarball_members
+
+
+@pytest.mark.parametrize("expected_file", EXPECTED_SERVER_FILES)
+def test_tarball_contains_server_certificate(tarball_members, expected_file):
+    assert expected_file in tarball_members
+
+
+@pytest.mark.parametrize("expected_file", EXPECTED_CLIENT_FILES)
+def test_tarball_contains_client_certificate(tarball_members, expected_file):
+    assert expected_file in tarball_members
+
+
+def test_server_certs_are_identical(server):
+    apache = server.run(f'tar xzf {TARBALL} -O ssl-build/{HOSTNAME}/{HOSTNAME}-apache.crt')
+    proxy = server.run(f'tar xzf {TARBALL} -O ssl-build/{HOSTNAME}/{HOSTNAME}-foreman-proxy.crt')
+    assert apache.stdout == proxy.stdout
+
+
+def test_client_certs_are_identical(server):
+    proxy_client = server.run(f'tar xzf {TARBALL} -O ssl-build/{HOSTNAME}/{HOSTNAME}-foreman-proxy-client.crt')
+    puppet_client = server.run(f'tar xzf {TARBALL} -O ssl-build/{HOSTNAME}/{HOSTNAME}-puppet-client.crt')
+    assert proxy_client.stdout == puppet_client.stdout
+
+
+def test_ca_certs_are_identical(server):
+    server_ca = server.run(f'tar xzf {TARBALL} -O ssl-build/katello-server-ca.crt')
+    default_ca = server.run(f'tar xzf {TARBALL} -O ssl-build/katello-default-ca.crt')
+    assert server_ca.stdout == default_ca.stdout