Use the certificate role to create the cert and the key #78
Conversation
nhosoi
changed the title
|
[citest] |
README.md
Outdated
| You can also use the `certificate` role inside the `cockpit` role to create | ||
| certificates by providing `cockpit_certificates`. | ||
|
|
||
| Use this variable to generate certificate and private key for TLS encryption |
There was a problem hiding this comment.
| Use this variable to generate certificate and private key for TLS encryption | |
| Use the `cockpit_certificates` variable to generate certificate and private key for TLS encryption |
|
[citest] |
nhosoi
changed the title
|
[citest pending] |
|
@spetrosi, @martinpitt, all the CI tests have passed. Could you please review one more time? Thanks! |
|
Thanks a lot for your reviews, @spetrosi. |
README.md
Outdated
| @@ -170,6 +172,35 @@ You can also use `ca: self-sign` or `ca: local` depending on your certmonger usa | |||
|
|
|||
| Note that this does *not* work on RHEL/CentOS 7. | |||
|
|
|||
| #### Generate a new certificate in the role | |||
There was a problem hiding this comment.
I find this a bit nicer, and our role retains more control over what actually happens. So 👍 from me for moving to that approach.
But please let's actually move -- I find it confusing to offer "you can do it like this or that" in the README. Which one is better? (from the admin's POV). IMHO we should recommend just one approach.
The setype: hack is indeed obsolete. RHEL 8.6 has Cockpit 264, and CentOS 8 has something much newer. So we don't need this any more, neither with the "builtin" role.
There was a problem hiding this comment.
I find this a bit nicer, and our role retains more control over what actually happens. So +1 from me for moving to that approach.
But please let's actually move -- I find it confusing to offer "you can do it like this or that" in the README. Which one is better? (from the admin's POV). IMHO we should recommend just one approach.
The
setype:hack is indeed obsolete. RHEL 8.6 has Cockpit 264, and CentOS 8 has something much newer. So we don't need this any more, neither with the "builtin" role.
Hmmm, a good point... Maybe, we can say something like this?
### Generate a new certificate
Now you can do it in the cockpit role by providing the cockpit_certificates variable as follows
(in the nicer English, of course ;)
- name: Install cockpit with Cockpit web server certificate
include_role:
name: linux-system-roles.cockpit
vars:
cockpit_certificates:
- name: monger-cockpit
dns: ['localhost', 'www.example.com']
ca: ipa
group: cockpit-ws
If you already have a playbook using the certificate role and the cockpit role separately,
that's supported, too.
- name: Generate Cockpit web server certificate
include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: /etc/cockpit/ws-certs.d/monger-cockpit
dns: ['localhost', 'www.example.com']
ca: ipa
group: cockpit-ws
There was a problem hiding this comment.
Agreed -- documenting this new way as the primary method, and just giving this a fallback is fine.
|
[citest] |
|
Thanks a lot, @martinpitt. I've pushed a commit fixing the issues you found (I hope :). |
|
[citest] |
|
[citest pending] |
|
Thank you for your reviews and suggestions, @martinpitt and @spetrosi. |
- Introduce a variable cockpit_certificates to set the certificate_requests. - Add a test script tests_certificate_internal.yml. - Rename tests_certificate.yml to tests_certificate_external.yml. - Update README so that using the certificate role is recommended.
|
[citest] |
|
[citest pending] |
|
I believe all the CI tests have passed. @richm, @martinpitt, could you please review one more time (if needed) and merge this pr? Thanks, in advance. |
| - name: Create certificates | ||
| when: | ||
| - cockpit_certificates | length > 0 | ||
| - ansible_facts['os_family'] == 'RedHat' |
There was a problem hiding this comment.
The node in the readme says NOTE: This does *not* work on RHEL/CentOS 7. - do we need to add a condition for that e.g.
- ansible_facts['distribution_version'] is version('>=', '8')?
There was a problem hiding this comment.
Ahh, sorry. The note is not needed. The issue was if we try to generate the new cert directly in the target location /etc/cockpit/ws-certs.d like this:
cockpit_certificates:
- name: /etc/cockpit/ws-certs.d/cockpit_cert
<<snip>>
it fails due to this bug on RHEL/CentOS-7 with an invalid mode.
In this PR, it generates the private key and cert in the standard location and copies them to the directories Cockpit expects. So, it is free from the issue. And there's no problem running on RHEL/CentOS-7. (CI successfully passed on the platforms.) I'm removing the note. Thanks for finding it out, @richm!
Oops, the note is needed. It is for this example (located above in README), in which the full path /etc/cockpit/ws-certs.d/monger-cockpit is specified. THAT does not work on RHEL/CentOS 7.
- name: Generate Cockpit web server certificate
include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: /etc/cockpit/ws-certs.d/monger-cockpit
dns: ['localhost', 'www.example.com']
ca: ipa
group: cockpit-ws
Do we want to describe in a little more detailed manner something like this?
NOTE: This specifying the certificate location by full path does *not* work on RHEL/CentOS 7.
There was a problem hiding this comment.
Do we want to describe in a little more detailed manner something like this?
Yes - and - do we have a bz or some other issue tracker for this issue? Or maybe it is a "feature" of cockpit/certmonger?
|
[citest] |
These 2 issues were filed by @martinpitt against RHEL/CentOS-7 last year, which are still open. And as you suggested, I've added a condition - if the distribution is |
tasks/main.yml
Outdated
| include_role: | ||
| name: fedora.linux_system_roles.certificate | ||
| vars: | ||
| __cert_name: "{{ cockpit_certificates.0.name | basename }}" |
There was a problem hiding this comment.
Thank you, @richm. Removed it.
certificate on RHEL/CentOS-7.
|
[citest] |
[1.4.0] - 2022-11-01 -------------------- ### New Features - Use the firewall role and the selinux role from the cockpit role (linux-system-roles#76) Since cockpit_port is a public api of the cockpit role, define it in defaults/main.yml as null. - Introduce cockpit_manage_firewall to use the firewall role to manage the cockpit service. Default to false - means the firewall role is not used. - Add the test check task tasks/check_port.yml for verifying the ports status. - Add meta/collection-requirements.yml. - Introduce cockpit_manage_selinux to use the selinux role to manage the ports in the cockpit service. Assign websm_port_t to the cockpit service ports. Default to false - means the selinux role is not used. - Use the certificate role to create the cert and the key (linux-system-roles#78) - Introduce a variable cockpit_certificates to set the certificate_requests. - Update README so that using the certificate role is recommended. Add a check and README note for not supporting creating a self-signed certificate on RHEL/CentOS-7. ### Bug Fixes - none ### Other Changes - workflows: Add integration-tests for Ubuntu 22.04 (linux-system-roles#68) The current LTS 22.04 is the more interesting target. This detects bugs like [1]. Keep 20.04 running as well for the time being. [1] linux-system-roles/certificate#130 - Clone the certificate role in the temporary dir. (linux-system-roles#77) Signed-off-by: Rich Megginson <rmeggins@redhat.com>
[1.4.0] - 2022-11-01 -------------------- ### New Features - Use the firewall role and the selinux role from the cockpit role (#76) Since cockpit_port is a public api of the cockpit role, define it in defaults/main.yml as null. - Introduce cockpit_manage_firewall to use the firewall role to manage the cockpit service. Default to false - means the firewall role is not used. - Add the test check task tasks/check_port.yml for verifying the ports status. - Add meta/collection-requirements.yml. - Introduce cockpit_manage_selinux to use the selinux role to manage the ports in the cockpit service. Assign websm_port_t to the cockpit service ports. Default to false - means the selinux role is not used. - Use the certificate role to create the cert and the key (#78) - Introduce a variable cockpit_certificates to set the certificate_requests. - Update README so that using the certificate role is recommended. Add a check and README note for not supporting creating a self-signed certificate on RHEL/CentOS-7. ### Bug Fixes - none ### Other Changes - workflows: Add integration-tests for Ubuntu 22.04 (#68) The current LTS 22.04 is the more interesting target. This detects bugs like [1]. Keep 20.04 running as well for the time being. [1] linux-system-roles/certificate#130 - Clone the certificate role in the temporary dir. (#77) Signed-off-by: Rich Megginson <rmeggins@redhat.com> Signed-off-by: Rich Megginson <rmeggins@redhat.com>
I borrowed (again :) the mssql README in linux-system-roles/mssql#125 written by @spetrosi. Thanks, Sergei!
@spetrosi, @martinpitt , this is another piece of the effort to use other roles in the cockpit role. If you could review it, I'd greatly appreciate it.