Qa FreeIPA CA certificate generation

2025-08-14 23:50:01 +03:00
parent ce83125591
commit 18a1e94100
7 changed files with 135 additions and 246 deletions
--- a/roles/rproxy/tasks/addconfig.yml
+++ b/roles/rproxy/tasks/addconfig.yml
@@ -8,95 +8,61 @@

 - name: Generate certificates for {{  rproxy_service_name  }}
  block:
-    - name: "Generate {{  rproxy_service_name  }}.key"
-      community.crypto.openssl_privatekey: 
-        path: "{{ rproxy_dir }}/certs/{{  rproxy_service_name  }}.key"
-        size: "2048"
+    - name: Create CNAME dns record
+      community.general.ipa_dnsrecord:
+        ipa_user: "{{ ansible_user }}"
+        ipa_pass: "{{ ansible_password }}"
+        zone_name: "{{ ansible_facts['domain'] }}"
+        record_name: "{{  rproxy_service_name  }}"
+        record_type: 'CNAME'
+        record_value: "{{ ansible_facts['hostname'] }}"
+        state: present

-    - name: "Generate {{  rproxy_service_name  }}.csr"
-      community.crypto.openssl_csr:
-        path: "{{ rproxy_dir }}/certs/{{  rproxy_service_name  }}.csr"
-        privatekey_path: "{{ rproxy_dir }}/certs/{{  rproxy_service_name  }}.key"
-        country_name: "RU"
-        state_or_province_name: "RU"
-        locality_name: "MSK"
-        organization_name: "{{ ansible_domain }}"
-        organizational_unit_name: "IT"
-        common_name: "{{  rproxy_service_name  }}.{{ ansible_facts['domain'] }}"
-        email_address: "admin@{{ ansible_domain }}"
-        subject_alt_name: "DNS:{{  rproxy_service_name  }}.{{ ansible_facts['domain'] }},DNS:{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }},IP:{{ ansible_facts['default_ipv4']['address'] }}"
-        key_usage:
-          - digitalSignature
-          - nonRepudiation
-          - keyEncipherment
-          - dataEncipherment
-        extended_key_usage:
-          - serverAuth
-
-    - name: "Generate {{  rproxy_service_name  }}.crt"
-      community.crypto.x509_certificate:
-        csr_path: "{{ rproxy_dir }}/certs/{{  rproxy_service_name  }}.csr"
-        path: "{{ rproxy_dir }}/certs/{{  rproxy_service_name  }}.crt"
-        privatekey_path: "{{ rproxy_dir }}/certs/{{  rproxy_service_name  }}.key"
-        provider: ownca
-        ownca_create_subject_key_identifier: always_create
-        ownca_path: "{{ rproxy_dir }}/certs/RootCA.crt"
-        ownca_privatekey_path: "{{ rproxy_dir }}/certs/RootCA.key"
-        ownca_not_after: "+365d"
-
-    - name: Create fullchain certificate
+    - name: Kinit
      ansible.builtin.shell:
-        cmd: 'cat {{ rproxy_dir }}/certs/RootCA.crt >> {{ rproxy_dir }}/certs/{{  rproxy_service_name  }}.crt'
+        cmd: "echo '{{ ansible_password }}' | kinit"
+      become: false
+      become_user: "{{ ansible_user }}"

-    - name: Delete csr
+    - name: Create SPN for HTTP
+      ansible.builtin.shell:
+        cmd: "ipa service-add HTTP/{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }} --skip-host-check"
+      become: false
+      become_user: "{{ ansible_user }}"
+      ignore_errors: true
+
+    - name: Request certificate via ipa-getcert
+      ansible.builtin.command: >
+        ipa-getcert request
+        -f {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt
+        -k {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.key
+        -K HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}
+        -N CN={{ rproxy_service_name }}.{{ ansible_facts['domain'] }}
+
+    # sudo ipa-getcert stop-tracking -i 20250813210258 if track already exists
+
+    - name: Wait for certificate to appear
+      ansible.builtin.wait_for:
+        path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt"
+        timeout: 60
+
+    - name: Change certificate permissions
      ansible.builtin.file:
-        path: "{{ rproxy_dir }}/certs/{{  rproxy_service_name  }}.csr"
-        state: absent
+        path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt"
+        mode: "0744"

- name: Restart rproxy
-  block:
-    - name: Restart container
-      containers.podman.podman_container:
-        name: rproxy
-        image: "docker.io/library/nginx:{{ rproxy_version }}"
-        state: started
-        restart: true
-        ports:
-            - "443:443"
-            - "80:80"
-            - "9000:9000"
-        volumes:
-          - '{{ rproxy_dir }}/nginx.conf:/etc/nginx/nginx.conf:z,rw'
-          - '{{ rproxy_dir }}/sites:/etc/nginx/sites:z,rw'
-          - '{{ rproxy_dir }}/certs:/etc/nginx/certs:z,rw'
-          - '{{ repo_data_dir }}:/repo:z,rw'
-          - "/etc/localtime:/etc/localtime:ro"
-        privileged: true
-        security_opt:
-          - "label=disable"
-        log_driver: journald
-        generate_systemd:
-          path: /etc/systemd/system/
-          restart_policy: always
-          stop_timeout: 120
-          names: true
+    - name: Wait for certificate key to appear
+      ansible.builtin.wait_for:
+        path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.key"
+        timeout: 60

-    - name: Daemon reload
-      ansible.builtin.shell:
-        cmd: systemctl daemon-reload
+    - name: Change certificate key permissions
+      ansible.builtin.file:
+        path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.key"
+        mode: "0744"

-    - name: Enable rproxy service
-      ansible.builtin.systemd:
-        name: "container-rproxy.service"
-        state: started
-        enabled: yes
-
- name: Create CNAME dns record
-  community.general.ipa_dnsrecord:
-    ipa_user: "{{ ansible_user }}"
-    ipa_pass: "{{ ansible_password }}"
-    zone_name: "{{ ansible_facts['domain'] }}"
-    record_name: "{{  rproxy_service_name  }}"
-    record_type: 'CNAME'
-    record_value: "{{ ansible_facts['hostname'] }}"
-    state: present
+- name: Restart rproxy service
+  ansible.builtin.systemd:
+    name: "container-rproxy.service"
+    state: restarted
+    enabled: yes
--- a/roles/rproxy/tasks/dockerrepo.yml
+++ b/roles/rproxy/tasks/dockerrepo.yml
@@ -23,50 +23,48 @@

 - name: Create certificates for image repository
  block:
-    - name: "Generate dockerrepo.key"
-      community.crypto.openssl_privatekey: 
-        path: "{{ dockerrepo_dir }}/certs/dockerrepo.key"
-        size: "2048"
-
-    - name: "Generate server.csr"
-      community.crypto.openssl_csr:
-        path: "{{ dockerrepo_dir }}/certs/dockerrepo.csr"
-        privatekey_path: "{{ dockerrepo_dir }}/certs/dockerrepo.key"
-        country_name: "RU"
-        state_or_province_name: "RU"
-        locality_name: "MSK"
-        organization_name: "{{ ansible_domain }}"
-        organizational_unit_name: "IT"
-        common_name: "{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}"
-        email_address: "admin@{{ ansible_domain }}"
-        subject_alt_name: "DNS:{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }},DNS:imagerepo.{{ ansible_facts['domain'] }},IP:{{ ansible_facts['default_ipv4']['address'] }}"
-        key_usage:
-          - digitalSignature
-          - nonRepudiation
-          - keyEncipherment
-          - dataEncipherment
-        extended_key_usage:
-          - serverAuth
-
-    - name: "Generate server.crt"
-      community.crypto.x509_certificate:
-        csr_path: "{{ dockerrepo_dir }}/certs/dockerrepo.csr"
-        path: "{{ dockerrepo_dir }}/certs/dockerrepo.crt"
-        privatekey_path: "{{ dockerrepo_dir }}/certs/dockerrepo.key"
-        provider: ownca
-        ownca_create_subject_key_identifier: always_create
-        ownca_path: "{{ rproxy_dir }}/certs/RootCA.crt"
-        ownca_privatekey_path: "{{ rproxy_dir }}/certs/RootCA.key"
-        ownca_not_after: "+365d"
-
-    - name: Create fullchain certificate
+    - name: Kinit
      ansible.builtin.shell:
-        cmd: 'cat {{ rproxy_dir }}/certs/RootCA.crt >> {{ dockerrepo_dir }}/certs/dockerrepo.crt'
+        cmd: "echo '{{ ansible_password }}' | kinit"
+      become: false
+      become_user: "{{ ansible_user }}"

-    - name: Delete csr
+    - name: Create SPN for HTTP
+      ansible.builtin.shell:
+        cmd: "ipa service-add HTTP/{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}"
+      become: false
+      become_user: "{{ ansible_user }}"
+      ignore_errors: true
+
+    - name: Request certificate via ipa-getcert
+      ansible.builtin.command: >
+        ipa-getcert request
+        -f {{ rproxy_dir }}/certs/dockerrepo.crt
+        -k {{ rproxy_dir }}/certs/dockerrepo.key
+        -K HTTP/{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}
+        -N CN={{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}
+
+    # sudo ipa-getcert stop-tracking -i 20250813210258 if track already exists
+
+    - name: Wait for certificate to appear
+      ansible.builtin.wait_for:
+        path: "{{ rproxy_dir }}/certs/dockerrepo.crt"
+        timeout: 60
+
+    - name: Change certificate permissions
      ansible.builtin.file:
-        path: "{{ dockerrepo_dir }}/certs/dockerrepo.csr"
-        state: absent
+        path: "{{ rproxy_dir }}/certs/dockerrepo.crt"
+        mode: "0744"
+
+    - name: Wait for certificate key to appear
+      ansible.builtin.wait_for:
+        path: "{{ rproxy_dir }}/certs/dockerrepo.key"
+        timeout: 60
+
+    - name: Change certificate key permissions
+      ansible.builtin.file:
+        path: "{{ rproxy_dir }}/certs/dockerrepo.key"
+        mode: "0744"

 - name: Start image repository
  block:
--- a/roles/rproxy/tasks/repo.yml
+++ b/roles/rproxy/tasks/repo.yml
@@ -14,85 +14,52 @@

 - name: Create https certificates for repository
  block:
-    - name: "Generate repo.key"
-      community.crypto.openssl_privatekey: 
-        path: "{{ rproxy_dir }}/certs/repo.key"
-        size: "2048"
+    - name: Kinit
+      ansible.builtin.shell:
+        cmd: "echo '{{ ansible_password }}' | kinit"
+      become: false
+      become_user: "{{ ansible_user }}"

-    - name: "Generate server.csr"
-      community.crypto.openssl_csr:
-        path: "{{ rproxy_dir }}/certs/repo.csr"
-        privatekey_path: "{{ rproxy_dir }}/certs/repo.key"
-        country_name: "RU"
-        state_or_province_name: "RU"
-        locality_name: "MSK"
-        organization_name: "{{ ansible_domain }}"
-        organizational_unit_name: "IT"
-        common_name: "{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}"
-        email_address: "admin@{{ ansible_domain }}"
-        subject_alt_name: "DNS:{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }},DNS:repo.{{ ansible_facts['domain'] }},IP:{{ ansible_facts['default_ipv4']['address'] }}"
-        key_usage:
-          - digitalSignature
-          - nonRepudiation
-          - keyEncipherment
-          - dataEncipherment
-        extended_key_usage:
-          - serverAuth
+    - name: Create SPN for HTTP
+      ansible.builtin.shell:
+        cmd: "ipa service-add HTTP/{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}"
+      become: false
+      become_user: "{{ ansible_user }}"
+      ignore_errors: true

-    - name: "Generate server.crt"
-      community.crypto.x509_certificate:
-        csr_path: "{{ rproxy_dir }}/certs/repo.csr"
+    - name: Request certificate via ipa-getcert
+      ansible.builtin.command: >
+        ipa-getcert request
+        -f {{ rproxy_dir }}/certs/repo.crt
+        -k {{ rproxy_dir }}/certs/repo.key
+        -K HTTP/{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}
+        -N CN={{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}
+        -F {{ rproxy_dir }}/certs/RootCA.crt
+
+    # sudo ipa-getcert stop-tracking -i 20250813210258 if track already exists
+
+    - name: Wait for certificate to appear
+      ansible.builtin.wait_for:
        path: "{{ rproxy_dir }}/certs/repo.crt"
-        privatekey_path: "{{ rproxy_dir }}/certs/repo.key"
-        provider: ownca
-        ownca_create_subject_key_identifier: always_create
-        ownca_path: "{{ rproxy_dir }}/certs/RootCA.crt"
-        ownca_privatekey_path: "{{ rproxy_dir }}/certs/RootCA.key"
-        ownca_not_after: "+365d"
+        timeout: 60

-    - name: Create fullchain certificate
-      ansible.builtin.shell:
-        cmd: 'cat {{ rproxy_dir }}/certs/RootCA.crt >> {{ rproxy_dir }}/certs/repo.crt'
-
-    - name: Delete csr
+    - name: Change certificate permissions
      ansible.builtin.file:
-        path: "{{ rproxy_dir }}/certs/repo.csr"
-        state: absent
+        path: "{{ rproxy_dir }}/certs/repo.crt"
+        mode: "0744"

- name: Restart rproxy
-  block:
-    - name: Restart container
-      containers.podman.podman_container:
-        name: rproxy
-        image: "docker.io/library/nginx:{{ rproxy_version }}"
-        state: started
-        restart: true
-        ports:
-            - "443:443"
-            - "80:80"
-            - "9000:9000"
-        volumes:
-          - '{{ rproxy_dir }}/nginx.conf:/etc/nginx/nginx.conf:z,rw'
-          - '{{ rproxy_dir }}/sites:/etc/nginx/sites:z,rw'
-          - '{{ rproxy_dir }}/certs:/etc/nginx/certs:z,rw'
-          - '{{ repo_data_dir }}:/repo:z,rw'
-          - "/etc/localtime:/etc/localtime:ro"
-        privileged: true
-        security_opt:
-          - "label=disable"
-        log_driver: journald
-        generate_systemd:
-          path: /etc/systemd/system/
-          restart_policy: always
-          stop_timeout: 120
-          names: true
+    - name: Wait for certificate key to appear
+      ansible.builtin.wait_for:
+        path: "{{ rproxy_dir }}/certs/repo.key"
+        timeout: 60

-    - name: Daemon reload
-      ansible.builtin.shell:
-        cmd: systemctl daemon-reload
+    - name: Change certificate key permissions
+      ansible.builtin.file:
+        path: "{{ rproxy_dir }}/certs/repo.key"
+        mode: "0744"

-    - name: Enable rproxy service
-      ansible.builtin.systemd:
-        name: "container-rproxy.service"
-        state: started
-        enabled: yes
+- name: Restart rproxy service
+  ansible.builtin.systemd:
+    name: "container-rproxy.service"
+    state: restarted
+    enabled: yes
--- a/roles/rproxy/tasks/rproxy.yml
+++ b/roles/rproxy/tasks/rproxy.yml
@@ -36,16 +36,6 @@
        src: files/nginx.conf
        dest: "{{ rproxy_dir }}/nginx.conf"

-    - name: Copy RootCA certificate
-      ansible.builtin.copy:
-        src: files/RootCA.crt
-        dest: '{{ rproxy_dir }}/certs/RootCA.crt'
-    
-    - name: Copy RootCA key
-      ansible.builtin.copy:
-        src: files/RootCA.key
-        dest: '{{ rproxy_dir }}/certs/RootCA.key'
-
 - name: Install rproxy
  block:
    - name: Pull rproxy image
@@ -83,12 +73,9 @@
          stop_timeout: 120
          names: true

-    - name: Daemon reload
-      ansible.builtin.shell:
-        cmd: systemctl daemon-reload
-
    - name: Enable rproxy service
      ansible.builtin.systemd:
        name: "container-rproxy.service"
        state: started
-        enabled: yes
+        enabled: yes
+        daemon_reload: yes
--- a/roles/rproxy/vars/main.yml
+++ b/roles/rproxy/vars/main.yml
@@ -1,6 +1,6 @@
 ansible_python_interpreter: /usr/bin/python3
 rproxy_dir: /opt/rproxy
-rproxy_version: latest
+rproxy_version: 1.29.0
 data_dir: /opt/data
 repo_data_dir: /opt/data/repo
 dockerrepo_dir: /opt/dockerrepo