|
2 | 2 | --- |
3 | 3 | - name: Ensure required packages are installed |
4 | 4 | ansible.builtin.package: |
5 | | - name: "{{ __trustee_server_trustee_packages }}" |
| 5 | + name: "{{ __trustee_attestation_server_trustee_packages }}" |
6 | 6 | state: present |
7 | | - use: "{{ (__trustee_server_is_ostree | d(false)) | |
| 7 | + use: "{{ (__trustee_attestation_server_is_ostree | d(false)) | |
8 | 8 | ternary('ansible.posix.rhel_rpm_ostree', omit) }}" |
9 | 9 |
|
10 | 10 | - name: Ensure quadlet install directory exists |
11 | 11 | ansible.builtin.file: |
12 | | - path: "{{ trustee_server_quadlet_install_dir }}" |
| 12 | + path: "{{ trustee_attestation_server_quadlet_install_dir }}" |
13 | 13 | state: directory |
14 | 14 | mode: "0755" |
15 | 15 |
|
16 | 16 | - name: Create a temporary directory for the quadlet repository |
17 | 17 | ansible.builtin.tempfile: |
18 | 18 | state: directory |
19 | | - register: __trustee_server_quadlet_repo_dir |
| 19 | + register: __trustee_attestation_server_quadlet_repo_dir |
20 | 20 |
|
21 | 21 | - name: Download Trustee Server quadlet files from GitHub repository |
22 | 22 | ansible.builtin.git: |
23 | | - repo: "{{ trustee_server_quadlet_repo_url }}" |
24 | | - dest: "{{ __trustee_server_quadlet_repo_dir.path }}" |
25 | | - version: "{{ trustee_server_quadlet_repo_branch }}" |
| 23 | + repo: "{{ trustee_attestation_server_quadlet_repo_url }}" |
| 24 | + dest: "{{ __trustee_attestation_server_quadlet_repo_dir.path }}" |
| 25 | + version: "{{ trustee_attestation_server_quadlet_repo_branch }}" |
26 | 26 | depth: 1 |
27 | 27 | force: true |
28 | 28 | register: quadlet_repo_download |
29 | 29 |
|
30 | 30 | - name: Find Trustee Server quadlet files in repository |
31 | 31 | ansible.builtin.find: |
32 | | - paths: "{{ __trustee_server_quadlet_repo_dir.path }}/{{ trustee_server_quadlet_repo_path }}" |
| 32 | + paths: "{{ __trustee_attestation_server_quadlet_repo_dir.path }}/{{ trustee_attestation_server_quadlet_repo_path }}" |
33 | 33 | patterns: |
34 | 34 | - "*.container" |
35 | 35 | - "*.volume" |
|
40 | 40 |
|
41 | 41 | - name: Fail if no Trustee Server quadlet files found |
42 | 42 | ansible.builtin.fail: |
43 | | - msg: "No quadlet files found in {{ trustee_server_quadlet_repo_url }}/{{ trustee_server_quadlet_repo_path }}" |
| 43 | + msg: "No quadlet files found in {{ trustee_attestation_server_quadlet_repo_url }}/{{ trustee_attestation_server_quadlet_repo_path }}" |
44 | 44 | when: quadlet_files_found.files | length == 0 |
45 | 45 |
|
46 | 46 | - name: Copy Trustee Server quadlet files to install directory |
47 | 47 | ansible.builtin.copy: |
48 | 48 | src: "{{ item.path }}" |
49 | | - dest: "{{ trustee_server_quadlet_install_dir }}/{{ item.path | basename }}" |
| 49 | + dest: "{{ trustee_attestation_server_quadlet_install_dir }}/{{ item.path | basename }}" |
50 | 50 | mode: "0644" |
51 | 51 | remote_src: true |
52 | 52 | force: true |
|
55 | 55 |
|
56 | 56 | - name: Stat repository configs directory |
57 | 57 | ansible.builtin.stat: |
58 | | - path: "{{ __trustee_server_quadlet_repo_dir.path }}/configs" |
| 58 | + path: "{{ __trustee_attestation_server_quadlet_repo_dir.path }}/configs" |
59 | 59 | register: __repo_configs_dir |
60 | 60 |
|
61 | 61 | - name: Copy Trustee Server config files to config directory |
62 | 62 | ansible.builtin.copy: |
63 | | - src: "{{ __trustee_server_quadlet_repo_dir.path }}/configs/" |
64 | | - dest: "{{ trustee_attestation_server_config_dir }}/" |
| 63 | + src: "{{ __trustee_attestation_server_quadlet_repo_dir.path }}/configs/" |
| 64 | + dest: "{{ __trustee_attestation_server_config_dir }}/" |
65 | 65 | mode: "0644" |
66 | 66 | remote_src: true |
67 | 67 | force: true |
|
70 | 70 | - name: Generate certificates for all components |
71 | 71 | ansible.builtin.shell: | |
72 | 72 | # Trustee Server SSL |
73 | | - if [ ! -f {{ trustee_attestation_server_config_dir }}/kbs/server.key ] || [ ! -f {{ trustee_attestation_server_config_dir }}/kbs/server.crt ]; then |
74 | | - openssl req -x509 -newkey rsa:2048 -nodes -keyout {{ trustee_attestation_server_config_dir }}/kbs/server.key \ |
| 73 | + if [ ! -f {{ __trustee_attestation_server_config_dir }}/kbs/server.key ] || [ ! -f {{ __trustee_attestation_server_config_dir }}/kbs/server.crt ]; then |
| 74 | + openssl req -x509 -newkey rsa:2048 -nodes -keyout {{ __trustee_attestation_server_config_dir }}/kbs/server.key \ |
75 | 75 | -subj "/CN=$(hostname -f)/O=Red Hat" \ |
76 | 76 | -addext "basicConstraints=CA:FALSE" \ |
77 | 77 | -addext "keyUsage=digitalSignature,keyEncipherment" \ |
78 | 78 | -addext "extendedKeyUsage=serverAuth" \ |
79 | 79 | -addext "subjectAltName=DNS:$(hostname -f)" \ |
80 | | - -out {{ trustee_attestation_server_config_dir }}/kbs/server.crt |
| 80 | + -out {{ __trustee_attestation_server_config_dir }}/kbs/server.crt |
81 | 81 | fi |
82 | 82 | # KBS authentication key pair |
83 | | - if [ ! -f {{ trustee_attestation_server_config_dir }}/kbs/auth.key ] || [ ! -f {{ trustee_attestation_server_config_dir }}/kbs/auth.pub ]; then |
84 | | - openssl genpkey -algorithm ed25519 -out {{ trustee_attestation_server_config_dir }}/kbs/auth.key |
85 | | - openssl pkey -in {{ trustee_attestation_server_config_dir }}/kbs/auth.key -pubout -out {{ trustee_attestation_server_config_dir }}/kbs/auth.pub |
| 83 | + if [ ! -f {{ __trustee_attestation_server_config_dir }}/kbs/auth.key ] || [ ! -f {{ __trustee_attestation_server_config_dir }}/kbs/auth.pub ]; then |
| 84 | + openssl genpkey -algorithm ed25519 -out {{ __trustee_attestation_server_config_dir }}/kbs/auth.key |
| 85 | + openssl pkey -in {{ __trustee_attestation_server_config_dir }}/kbs/auth.key -pubout -out {{ __trustee_attestation_server_config_dir }}/kbs/auth.pub |
86 | 86 | fi |
87 | 87 | # Attestation Service token signer key pair |
88 | | - if [ ! -f {{ trustee_attestation_server_config_dir }}/as/token.key ] || [ ! -f {{ trustee_attestation_server_config_dir }}/as/token.crt ]; then |
89 | | - openssl ecparam -name prime256v1 -genkey -noout -out {{ trustee_attestation_server_config_dir }}/as/token.key |
90 | | - openssl req -new -x509 -key {{ trustee_attestation_server_config_dir }}/as/token.key \ |
91 | | - -out {{ trustee_attestation_server_config_dir }}/as/token.crt -days 3550 \ |
| 88 | + if [ ! -f {{ __trustee_attestation_server_config_dir }}/as/token.key ] || [ ! -f {{ __trustee_attestation_server_config_dir }}/as/token.crt ]; then |
| 89 | + openssl ecparam -name prime256v1 -genkey -noout -out {{ __trustee_attestation_server_config_dir }}/as/token.key |
| 90 | + openssl req -new -x509 -key {{ __trustee_attestation_server_config_dir }}/as/token.key \ |
| 91 | + -out {{ __trustee_attestation_server_config_dir }}/as/token.crt -days 3550 \ |
92 | 92 | -subj "/CN=as-token-signer/O=Red Hat" |
93 | | - mkdir -p {{ trustee_attestation_server_config_dir }}/kbs/trusted_certs |
94 | | - cp {{ trustee_attestation_server_config_dir }}/as/token.crt {{ trustee_attestation_server_config_dir }}/kbs/trusted_certs/token0.crt |
| 93 | + mkdir -p {{ __trustee_attestation_server_config_dir }}/kbs/trusted_certs |
| 94 | + cp {{ __trustee_attestation_server_config_dir }}/as/token.crt {{ __trustee_attestation_server_config_dir }}/kbs/trusted_certs/token0.crt |
95 | 95 | fi |
96 | 96 | changed_when: true |
97 | 97 |
|
|
108 | 108 |
|
109 | 109 | - name: Get the installed Trustee Server pod name |
110 | 110 | ansible.builtin.find: |
111 | | - paths: "{{ trustee_server_quadlet_install_dir }}" |
| 111 | + paths: "{{ trustee_attestation_server_quadlet_install_dir }}" |
112 | 112 | patterns: "*.pod" |
113 | 113 | register: __trustee_attestation_server_pod_name |
114 | 114 |
|
115 | | -- name: Append Trustee Server services to the list of services to restart |
116 | | - set_fact: |
117 | | - __trustee_attestation_server_services: >- |
118 | | - {{ __trustee_attestation_server_services | default([]) + [__trustee_attestation_server_pod_name.files[0].path | basename | replace('.pod', '-pod')] }} |
| 115 | +- name: Enable and start Trustee Server services |
| 116 | + ansible.builtin.systemd: |
| 117 | + name: "{{ __trustee_attestation_server_pod_name.files[0].path | basename | replace('.pod', '-pod.service') }}" |
| 118 | + enabled: true |
| 119 | + state: restarted |
| 120 | + daemon_reload: true |
119 | 121 | when: __trustee_attestation_server_pod_name.files | length > 0 |
120 | | - changed_when: true |
121 | | - notify: Handler for trustee_attestation_server to restart services |
| 122 | + failed_when: false |
122 | 123 |
|
123 | 124 | # TODO keep the server.crt and DNS names in the role variables |
124 | 125 |
|
125 | 126 | - name: Clean up temporary repository directory |
126 | 127 | ansible.builtin.file: |
127 | | - path: "{{ __trustee_server_quadlet_repo_dir.path }}" |
| 128 | + path: "{{ __trustee_attestation_server_quadlet_repo_dir.path }}" |
128 | 129 | state: absent |
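Review bot: The new `failed_when: false` on "Enable and start Trustee Server services" turns a failed restart of the attestation-server pod (broken quadlet, missing image, port clash) into a green play run with no KBS/AS listening, which is the worst failure mode for an attestation endpoint; drop that line, or `register: __trustee_attestation_server_svc` and fail only on the specific condition you expect to tolerate. Replacing the old handler-based notify with an unconditional `state: restarted` also means the pod is restarted on every run, not only when files changed, which deserves an inline comment if intentional. In the certificate block (only renamed here), the KBS TLS request on the `openssl req -x509 -newkey rsa:2048 -nodes` line carries no `-days`, so OpenSSL's 30-day default applies, and the `if [ ! -f ... ]` guard never regenerates it once it expires; add an explicit `-days` (and ideally a `openssl x509 -checkend` test in the guard). The quadlet and config files are still fetched from a moving `trustee_attestation_server_quadlet_repo_branch` with `force: true`, so consider allowing a commit SHA or tag in that variable for a pinned, reproducible deployment.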