generated from linux-system-roles/template
feat: Initialize the keylime_server system role
This is an Ansible role for configuring and deploying the server components for Keylime Remote Attestation. It currently supports Fedora 36+, CentOS Stream 9.1+ and RHEL 9.1+.

Signed-off-by: Sergio Correia <scorreia@redhat.com>
Parent: 85cdcc0
Commit: 49004e3
Showing 32 changed files with 1,073 additions and 230 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
1 |
@@ -0,0 +1,13 @@ | ||
jobs: | ||
- job: tests | ||
trigger: pull_request | ||
targets: | ||
centos-stream-9-x86_64: | ||
distros: [RHEL-9.2.0-Nightly] | ||
use_internal_tf: True | ||
skip_build: true | ||
tf_extra_params: | ||
environments: | ||
- tmt: | ||
context: | ||
target_PR_branch: "main" |
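Review bot: the CI targets in this hunk do not cover the support claim in the commit message: only `centos-stream-9-x86_64` with `distros: [RHEL-9.2.0-Nightly]` is exercised on pull requests, so neither Fedora 36+ nor RHEL/CentOS Stream 9.1 is tested; add a Fedora target (and a 9.1 distro if 9.1 stays supported) or narrow the stated support. Minor: `use_internal_tf: True` and `skip_build: true` mix boolean spellings; pick one.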
@@ -1,99 +1,55 @@ | ||
# Role Name | ||
# keylime_server | ||
|
||
![template](https://github.com/linux-system-roles/template/workflows/tox/badge.svg) | ||
Ansible role for configuring and deploying the server components for Keylime Remote Attestation. | ||
|
||
A template for an ansible role that configures some GNU/Linux subsystem or | ||
service. A brief description of the role goes here. | ||
## Supported Distributions | ||
|
||
## Requirements | ||
|
||
Any prerequisites that may not be covered by Ansible itself or the role should | ||
be mentioned here. This includes platform dependencies not managed by the | ||
role, hardware requirements, external collections, etc. There should be a | ||
distinction between *control node* requirements (like collections) and | ||
*managed node* requirements (like special hardware, platform provisioning). | ||
|
||
|
||
### Collection requirements | ||
|
||
For instance, if the role depends on some collections and | ||
has a `meta/collection-requirements.yml` file for installing those | ||
dependencies, it should be mentioned here that the user should run | ||
|
||
``` | ||
ansible-galaxy collection install -vv -r meta/collection-requirements.yml | ||
``` | ||
|
||
on the *control node* before using the role. | ||
* RHEL-9.1+, CentOS Stream 9.1+ | ||
* Fedora 36+ | ||
|
||
## Role Variables | ||
|
||
A description of all input variables (i.e. variables that are defined in | ||
`defaults/main.yml`) for the role should go here as these form an API of the | ||
role. Each variable should have its own section e.g. | ||
|
||
### template_foo | ||
|
||
This variable is required. It is a string that lists the foo of the role. | ||
There is no default value. | ||
|
||
### template_bar | ||
|
||
This variable is optional. It is a boolean that tells the role to disable bar. | ||
The default value is `true`. | ||
|
||
Variables that are not intended as input, like variables defined in | ||
`vars/main.yml`, variables that are read from other roles and/or the global | ||
scope (ie. hostvars, group vars, etc.) can be also mentioned here but keep in | ||
mind that as these are probably not part of the role API they may change during | ||
the lifetime. | ||
|
||
Example of setting the variables: | ||
These are the variables that can be passed to the role: | ||
|
||
| **Variable** | **Default/Choices** | **Description** | | ||
|----------|-------------|------| | ||
`keylime_server_verifier_ip` | 127.0.0.1 | | ||
`keylime_server_verifier_port` | 8881 | | ||
`keylime_server_verifier_database_url` | | | ||
`keylime_server_verifier_tls_dir` | generate | | ||
`keylime_server_verifier_server_key` | default | | ||
`keylime_server_verifier_server_key_passphrase` | default | | ||
`keylime_server_verifier_server_cert` | default | | ||
`keylime_server_verifier_trusted_client_ca` | default | | ||
`keylime_server_verifier_client_key` | default | | ||
`keylime_server_verifier_client_key_passphrase` | default | | ||
`keylime_server_verifier_client_cert` | default | | ||
`keylime_server_verifier_trusted_server_ca` | default | | ||
`keylime_server_registrar_ip` | 127.0.0.1 | | ||
`keylime_server_registrar_port` | 8891 | | ||
`keylime_server_registrar_database_url` | sqlite | | ||
`keylime_server_registrar_tls_dir` | default | | ||
`keylime_server_registrar_server_key` | default | | ||
`keylime_server_registrar_server_key_passphrase` | default | | ||
`keylime_server_registrar_server_cert` | default | | ||
`keylime_server_registrar_trusted_client_ca` | default | | ||
|
||
|
||
## Example Playbooks | ||
|
||
```yaml | ||
template_foo: "oof" | ||
template_bar: false | ||
``` | ||
## Variables Exported by the Role | ||
This section is optional. Some roles may export variables for playbooks to | ||
use later. These are analogous to "return values" in Ansible modules. For | ||
example, if a role performs some action that will require a system reboot, but | ||
the user wants to defer the reboot, the role might set a variable like | ||
`template_reboot_needed: true` that the playbook can use to reboot at a more | ||
convenient time. | ||
|
||
Example: | ||
|
||
### template_reboot_needed | ||
|
||
Default `false` - if `true`, this means a reboot is needed to apply the changes | ||
made by the role | ||
|
||
## Example Playbook | ||
|
||
Including an example of how to use your role (for instance, with variables | ||
passed in as parameters) is always nice for users too: | ||
|
||
```yaml | ||
- name: Manage the template subsystem | ||
- name: Manage keylime servers | ||
hosts: all | ||
|
||
vars: | ||
template_foo: "foo foo!" | ||
template_bar: false | ||
keylime_server_verifier_ip: "{{ ansible_host }}" | ||
keylime_server_registrar_ip: "{{ ansible_host }}" | ||
|
||
roles: | ||
- linux-system-roles.template | ||
- linux-system-roles.keylime_server | ||
``` | ||
More examples can be provided in the [`examples/`](examples) directory. These | ||
can be useful, especially for documentation. | ||
|
||
## License | ||
Whenever possible, please prefer MIT. | ||
|
||
## Author Information | ||
|
||
An optional section for the role authors to include contact information, or a | ||
website (HTML is not allowed). | ||
MIT |
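Review bot: the README variable table disagrees with defaults/main.yml in this same commit: `keylime_server_registrar_port` is listed as 8891 here but defaults to 8890 in defaults, and `keylime_server_verifier_database_url` is shown with no default although defaults sets it to `sqlite`; reconcile both. The Description column is empty for every row, so a reader cannot tell what `generate` versus `default` means for `*_tls_dir`, or that the `*_key_passphrase` values are secrets that belong in Ansible Vault rather than plain playbook vars. Also, the badge line still points at `linux-system-roles/template/workflows/tox/badge.svg`; if it is kept, point it at this role's repository.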
@@ -1,8 +1,96 @@ | ||
# SPDX-License-Identifier: MIT | ||
--- | ||
# Here is the right place to put the role's input variables. | ||
# This file also serves as a documentation for such a variables. | ||
|
||
# Examples of role input variables: | ||
template_foo: foo | ||
template_bar: true | ||
# Verifier. | ||
keylime_server_verifier_ip: 127.0.0.1 | ||
keylime_server_verifier_port: 8881 | ||
# | ||
# An example of database_url value for using sqlite: | ||
# sqlite:////var/lib/keylime/cv_data.sqlite | ||
# An example of database_url value for using mysql: | ||
# mysql+pymysql://keylime:keylime@keylime_db:[port]/verifier?charset=utf8 | ||
# | ||
# If set as 'sqlite' keyword, will use the configuration set by the file located | ||
# at "/var/lib/keylime/cv_data.sqlite". | ||
keylime_server_verifier_database_url: sqlite | ||
keylime_server_verifier_tls_dir: generate | ||
|
||
# If set as 'default', 'server-private.pem' is used as value. | ||
keylime_server_verifier_server_key: default | ||
|
||
# Set the password used to decrypt the server private key file. | ||
# If 'tls_dir = generate', this password will also be used to protect the | ||
# generated server private key. | ||
# If left empty, the private key will not be encrypted. | ||
keylime_server_verifier_server_key_passphrase: default | ||
|
||
# The name of the file containing the Keylime verifier server certificate. | ||
# The file should be stored in the directory set in the 'tls_dir' option. | ||
# | ||
# If set as 'default', the value 'server-cert.crt' is used. | ||
keylime_server_verifier_server_cert: default | ||
|
||
# The list of trusted client CA certificates. | ||
# The files in the list should be stored in the directory set in the | ||
# 'keylime_server_verifier_tls_dir' option. | ||
# | ||
# If set as 'default', the value is set as '[cacert.crt]' | ||
keylime_server_verifier_trusted_client_ca: default | ||
|
||
# The name of the file containing the Keylime verifier client private key. | ||
# The file should be stored in the directory set in the 'tls_dir' option. | ||
# This private key is used by the Keylime verifier to connect to the other | ||
# services using TLS. | ||
# | ||
# If set as 'default', the value 'client-private.pem' is used. | ||
keylime_server_verifier_client_key: default | ||
|
||
# Set the password used to decrypt the client private key file. | ||
# If 'tls_dir = generate', this password will also be used to protect the | ||
# generated client private key. | ||
# If left empty, the private key will not be encrypted. | ||
keylime_server_verifier_client_key_passphrase: default | ||
|
||
# The name of the file containing the Keylime verifier client certificate. | ||
# The file should be stored in the directory set in the 'tls_dir' option. | ||
# This certificate is used by the Keylime verifier to connect to the other | ||
# services using TLS. | ||
# | ||
# If set as 'default', the 'client-cert.crt' value is used. | ||
keylime_server_verifier_client_cert: default | ||
|
||
# The list of trusted server CA certificates. | ||
# The files in the list should be stored in the directory set in the 'tls_dir' | ||
# option. | ||
# | ||
# If set as 'default', the value is set as '[cacert.crt]' | ||
keylime_server_verifier_trusted_server_ca: default | ||
|
||
# Registrar. | ||
|
||
# The registrar server IP address and port. | ||
keylime_server_registrar_ip: 127.0.0.1 | ||
keylime_server_registrar_port: 8890 | ||
|
||
# An example of database_url value for using sqlite: | ||
# sqlite:////var/lib/keylime/reg_data.sqlite | ||
# An example of database_url value for using mysql: | ||
# mysql+pymysql://keylime:keylime@keylime_db:[port]/registrar?charset=utf8 | ||
# | ||
# If set as 'sqlite' keyword, will use the configuration set by the file located | ||
# at "/var/lib/keylime/reg_data.sqlite". | ||
keylime_server_registrar_database_url: sqlite | ||
|
||
# If set as 'default', share the files with the verifier by using the | ||
# 'var/lib/keylime/cv_ca' directory, which should contain the files indicated by | ||
# the 'server_key', 'server_cert', and 'trusted_client_ca' options. | ||
keylime_server_registrar_tls_dir: default | ||
|
||
# If set as 'default', the value 'server-private.pem' is used. | ||
keylime_server_registrar_server_key: default | ||
# If left empty, the private key will not be encrypted. | ||
keylime_server_registrar_server_key_passphrase: default | ||
# If set as 'default', the value 'server-cert.crt' is used. | ||
keylime_server_registrar_server_cert: default | ||
# If set as 'default', the value is set as '[cacert.crt]' | ||
keylime_server_registrar_trusted_client_ca: default |
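Review bot: the passphrase defaults are ambiguous and security-relevant: `keylime_server_verifier_server_key_passphrase`, `keylime_server_verifier_client_key_passphrase` and `keylime_server_registrar_server_key_passphrase` are all set to the literal `default`, but unlike the key and cert options their comments never say what `default` expands to. With `keylime_server_verifier_tls_dir: generate` the comment states that this value also protects the newly generated private key, so if `default` is passed through literally every deployment ends up with the same well-known passphrase; document the expansion (or make the value empty and say so) and point users at Ansible Vault for a real passphrase. Two smaller items: the comment on `keylime_server_registrar_tls_dir` reads `'var/lib/keylime/cv_ca'` without the leading slash, and `keylime_server_registrar_port: 8890` conflicts with the 8891 shown in the README table.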
@@ -1,9 +1,10 @@ | ||
# SPDX-License-Identifier: MIT | ||
--- | ||
- name: Example template role invocation | ||
- name: Example keylime_server role invocation | ||
hosts: all | ||
vars: | ||
template_foo: example variable value | ||
template_bar: false | ||
keylime_server_verifier_ip: "{{ ansible_host }}" | ||
keylime_server_registrar_ip: "{{ ansible_host }}" | ||
|
||
roles: | ||
- linux-system-roles.template | ||
- linux-system-roles.keylime_server |
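Review bot: `keylime_server_verifier_ip: "{{ ansible_host }}"` (and the registrar line below it) feeds a variable named and defaulted as an IP address (127.0.0.1) with `ansible_host`, which falls back to the inventory hostname and may therefore be a DNS name; either document that the value must be an address or use an address fact such as `ansible_default_ipv4.address`. Because this is also the point at which the verifier and registrar stop listening on loopback and become reachable from the network, the example deserves a sentence saying that the TLS material configured in defaults must be in place first.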
@@ -1,7 +1,7 @@ | ||
# SPDX-License-Identifier: MIT | ||
--- | ||
- name: Handler for template to restart services | ||
- name: Restart services | ||
service: | ||
name: "{{ item }}" | ||
state: restarted | ||
loop: "{{ __template_services }}" | ||
loop: "{{ __keylime_server_services }}" |
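Review bot: the handler was renamed from the role-scoped `Handler for template to restart services` to the generic `Restart services`; handler names are matched by name across every role in a play, so another role declaring a `Restart services` handler would cause the wrong one (or both) to run on notify. Keep the role name in it, e.g. `Restart keylime_server services`, or add a `listen:` alias that carries the role prefix.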
@@ -1,68 +1,24 @@ | ||
# SPDX-License-Identifier: MIT | ||
--- | ||
galaxy_info: | ||
# Replace with role's author name: | ||
author: John Doe <jdoe@corp.com> | ||
# Replace with the real description of what is role's purpose: | ||
description: Basic template for Linux system roles | ||
# Replace with the company the role's author is member of: | ||
company: John Doe, Inc. | ||
|
||
# If the issue tracker for your role is not on github, uncomment the next | ||
# line and provide a value | ||
# issue_tracker_url: http://example.com/issue/tracker | ||
|
||
# Some suggested licenses: | ||
# - BSD (default) | ||
# - MIT | ||
# - GPLv2 | ||
# - GPLv3 | ||
# - Apache | ||
# - CC-BY | ||
author: Sergio Correia <scorreia@redhat.com> | ||
description: > | ||
Ansible role for configuring Keylime attestation servers | ||
company: Red Hat, Inc. | ||
license: MIT | ||
|
||
min_ansible_version: "2.9" | ||
|
||
# Optionally specify the branch Galaxy will use when accessing the GitHub | ||
# repo for this role. During role install, if no tags are available, Galaxy | ||
# will use this branch. During import Galaxy will access files on this | ||
# branch. If Travis integration is configured, only notifications for this | ||
# branch will be accepted. Otherwise, in all cases, the repo's default branch | ||
# (usually main) will be used. | ||
# github_branch: | ||
|
||
# | ||
# platforms is a list of platforms, and each platform has a name and a list | ||
# of versions. | ||
# | ||
# platforms: | ||
# - name: Fedora | ||
# versions: | ||
# - all | ||
# - "25" | ||
# - name: SomePlatform | ||
# versions: | ||
# - all | ||
# - "1.0" | ||
# - "7" | ||
# - "99.99" | ||
platforms: | ||
# Replace the below with your platform list: | ||
- name: Fedora | ||
versions: | ||
- all | ||
- name: EL | ||
versions: | ||
- all | ||
- "9" | ||
|
||
galaxy_tags: [] | ||
# List tags for your role here, one per line. A tag is a keyword that | ||
# describes and categorizes the role. Users find roles by searching for tags. | ||
# Be sure to remove the '[]' above, if you add tags to this list. | ||
# | ||
# NOTE: A tag is limited to a single word comprised of alphanumeric | ||
# characters. Maximum 20 tags per role. | ||
galaxy_tags: | ||
- centos | ||
- fedora | ||
- redhat | ||
- keylime | ||
|
||
dependencies: [] | ||
# List your role dependencies here, one per line. Be sure to remove the '[]' | ||
# above, if you add dependencies to this list. |
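Review bot: `platforms` claims `versions: - all` for both Fedora and EL, which overstates the Fedora 36+, CentOS Stream 9.1+ and RHEL 9.1+ support given in the commit message and README; EL also lists `all` and `"9"` together, which is redundant. List only the supported versions (at minimum drop `all` for EL) so Galaxy does not advertise EL 7/8 support. `min_ansible_version: "2.9"` is inherited from the template and should be verified against what the role's tasks actually require.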