From 1a93cfe6db4e5933be6b74897b8cbb81ffb14fa4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20Mass=C3=A9?= Date: Wed, 15 May 2024 16:57:50 +0200 Subject: [PATCH] RPM packaging for custom CA --- ansible/build.yaml | 8 +++- ansible/templates/kiosk.toml.j2 | 4 ++ imagebuilder/kiosk.toml | 4 ++ rpms/SOURCES/.gitignore | 1 + rpms/SOURCES/custom-ca.crt | 19 +++++++++ rpms/SPECS/ca-certificates-custom.spec | 57 ++++++++++++++++++++++++++ 6 files changed, 92 insertions(+), 1 deletion(-) create mode 100644 rpms/SOURCES/.gitignore create mode 100644 rpms/SOURCES/custom-ca.crt create mode 100644 rpms/SPECS/ca-certificates-custom.spec diff --git a/ansible/build.yaml b/ansible/build.yaml index d5e1fea..306df34 100644 --- a/ansible/build.yaml +++ b/ansible/build.yaml @@ -54,6 +54,11 @@ spectool -g -R {{ ansible_user_dir }}/rpmbuild/SPECS/microshift-manifests.spec rpmbuild -ba {{ ansible_user_dir }}/rpmbuild/SPECS/microshift-manifests.spec + - name: Build the ca-certificates-custom RPM + ansible.builtin.shell: | + spectool -g -R {{ ansible_user_dir }}/rpmbuild/SPECS/ca-certificates-custom.spec + rpmbuild -ba {{ ansible_user_dir }}/rpmbuild/SPECS/ca-certificates-custom.spec + - name: Ensure the VENDOR directory exists ansible.builtin.file: path: "{{ ansible_user_dir }}/rpmbuild/VENDOR" @@ -86,7 +91,8 @@ - name: Get built RPMS ansible.builtin.find: - path: "{{ ansible_user_dir }}/rpmbuild/RPMS/x86_64/" + path: "{{ ansible_user_dir }}/rpmbuild/RPMS/" + recurse: true patterns: "*.rpm" register: build_rpms diff --git a/ansible/templates/kiosk.toml.j2 b/ansible/templates/kiosk.toml.j2 index 1992f8f..bfa1ba2 100644 --- a/ansible/templates/kiosk.toml.j2 +++ b/ansible/templates/kiosk.toml.j2 @@ -15,6 +15,10 @@ name = "cockpit" name = "microshift-manifests" version = "*" +[[packages]] +name = "ca-certificates-custom" +version = "*" + [[packages]] name = "cockpit-system" diff --git a/imagebuilder/kiosk.toml b/imagebuilder/kiosk.toml index 7973870..1347116 100644 
--- a/imagebuilder/kiosk.toml
+++ b/imagebuilder/kiosk.toml
@@ -15,6 +15,10 @@ name = "cockpit"
 name = "microshift-manifests"
 version = "*"
+[[packages]]
+name = "ca-certificates-custom"
+version = "*"
+
 [[packages]]
 name = "cockpit-system"
diff --git a/rpms/SOURCES/.gitignore b/rpms/SOURCES/.gitignore
new file mode 100644
index 0000000..6ec41f8
--- /dev/null
+++ b/rpms/SOURCES/.gitignore
@@ -0,0 +1 @@
+custom-ca.key
diff --git a/rpms/SOURCES/custom-ca.crt b/rpms/SOURCES/custom-ca.crt
new file mode 100644
index 0000000..cc989d9
--- /dev/null
+++ b/rpms/SOURCES/custom-ca.crt
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDCTCCAfGgAwIBAgIUM86tyWaDXwVh19euAQay1IUhlQ8wDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAwwJQ3VzdG9tIENBMB4XDTI0MDUxNTE0MTE1NloXDTI0MDYx
+NDE0MTE1NlowFDESMBAGA1UEAwwJQ3VzdG9tIENBMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAj+BqXKaxWYjLBEP6vTG4XZ6UB/31TSi1rjPYlz7DoGzm
+DTzeVdUiQtV5S8olN8DFRNweRYauGTMvvddT9ZgFquMMe4pgnZp7HUB/qoEmIBRj
+HXqPeT6JYr4nN3eP8MbpYwDwj8uHBHgxkYDbdJJcNGaH982lpbNI8fDvyoDJSaNg
+t6cnNax9j5oUiZ2rWN2dMz2VXDLmsjZMsCUluD+PyYqQsqtKryAG1LgJoHwcO4G9
+dlamPi+bVVPEZTtoxiLDdLFnKKb63FVVbjq+2qbjoW7RcyFk1OBJewdkklmTIG9h
+eGhy+Svk+wxxOv50lRxPpr6SV3OsxIjcq3lSfIv6JwIDAQABo1MwUTAdBgNVHQ4E
+FgQUPsESEvv8B0AIcgnIWewaChcYPR0wHwYDVR0jBBgwFoAUPsESEvv8B0AIcgnI
+WewaChcYPR0wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAdFHH
+2GDS8BLHzYtJGArwwaNJPBrL/3lBQCb1k1rjevFGDSiyr3q4UNrd33yxbJbRpAOR
+04VXbs+DtYyGWvn2J1/K22kTr/c+JE/FkYAvMOn1aNDZfNSCAEM//CcLh5/hYnGy
+lNRPdVSJW6PAkmEnHaonHFz2/5MPtTe1Wq7bOaZBP02YaYFquPh9uttZaXyasUfv
+xxAdBULsHBj7bhwHOW70smHlv0xstut0otzLPQlgUHjv7RkQA4WFuzAIk8XJ7AtE
+abQUJ6OSrnwopfcKf1moSFUFRgHM0Z9qfbOUnDTnSswxfDJpz7HBoAhpaODtSZr3
+pZBt84iZo4/iqwsphA==
+-----END CERTIFICATE-----
diff --git a/rpms/SPECS/ca-certificates-custom.spec b/rpms/SPECS/ca-certificates-custom.spec
new file mode 100644
index 0000000..8a4ddbe
--- /dev/null
+++ b/rpms/SPECS/ca-certificates-custom.spec
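Review bot: The committed rpms/SOURCES/custom-ca.crt becomes a system-wide trust anchor through the new spec, yet decoding it gives a self-signed "Custom CA" whose validity runs from 2024-05-15 to 2024-06-14, thirty days after the commit date, which matches the default of the openssl command quoted in the spec's %prep comment; it looks like a placeholder rather than the CA that will actually issue certificates for the fleet. Because the matching custom-ca.key is gitignored in the same commit, that key exists only on the workstation that generated it, so every image built from this repository trusts a CA controlled by a single developer machine, and once the placeholder expires the anchor silently stops validating anything. I would keep the placeholder out of the tree and let the build fail when rpms/SOURCES/custom-ca.crt is absent, or at minimum extend the %prep comment with `## Replace this file with the real CA before building; the example openssl command below yields a 30-day certificate unless -days is given.`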
@@ -0,0 +1,57 @@ +Name: ca-certificates-custom +Version: 0.0.1 +Release: rh1 +Summary: Custom CA Certificates +License: BSD +Source0: custom-ca.crt +Requires(post): ca-certificates +Requires(postun): ca-certificates +BuildArch: noarch + +%description +Custom CA certificates + +# We are evil, we have no changelog ! +%global source_date_epoch_from_changelog 0 + +%prep +## +## If you do not have a real CA certificate, you can generate one with: +## +# openssl req -new -nodes -keyout custom-ca.key -out custom-ca.crt -x509 -subj '/CN=Custom CA' +cp %{S:0} custom-ca.crt + +%build + +%install +install -m 0644 -D custom-ca.crt %{buildroot}/etc/pki/ca-trust/source/anchors/custom-ca.crt + +%files +%config %attr(0644, root, root) /etc/pki/ca-trust/source/anchors/custom-ca.crt + +%post +## +## You can verify the post script is working by running the following command +## after the RPM installation: +## +# +# user@localhost$ grep -i custom /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem +# Custom CA +# user@localhost$ echo $? +# 0 +# +update-ca-trust extract + +%postun +## +## You can verify the postun script is working by running the following command +## after the RPM un-installation: +## +# +# user@localhost$ grep -i custom /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem +# user@localhost$ echo $? +# 1 +# +update-ca-trust extract + +%changelog
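Review bot: The `%config` marker on the anchor in %files does not fit a package-owned trust anchor: on an upgrade where the certificate content changed, rpm keeps the previous file as a `.rpmsave` copy in the same directory, and as far as I can tell p11-kit loads every file under /etc/pki/ca-trust/source/anchors/, so the superseded CA would remain trusted after `update-ca-trust extract`. I would drop the marker and list the file as `%attr(0644, root, root) /etc/pki/ca-trust/source/anchors/custom-ca.crt`. Version and Release are also fixed at 0.0.1-rh1, so a rebuilt RPM carrying a new certificate has the same NVR and may not be treated as an update by the `version = "*"` entries added in the two kiosk.toml files; a comment such as `# Bump Release whenever Source0 changes, otherwise the rebuilt package is not seen as an update.` above the Release tag would help maintainers. The `%postun` extract also runs on upgrade, which is harmless here but could be limited to erase with `if [ "$1" -eq 0 ]; then update-ca-trust extract; fi`.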