RPM packaging for custom CA

ansible/build.yaml

@@ -54,6 +54,11 @@
         spectool -g -R {{ ansible_user_dir }}/rpmbuild/SPECS/microshift-manifests.spec
         rpmbuild -ba {{ ansible_user_dir }}/rpmbuild/SPECS/microshift-manifests.spec
 
+    - name: Build the ca-certificates-custom RPM
+      ansible.builtin.shell: |
+        spectool -g -R {{ ansible_user_dir }}/rpmbuild/SPECS/ca-certificates-custom.spec
+        rpmbuild -ba {{ ansible_user_dir }}/rpmbuild/SPECS/ca-certificates-custom.spec
+
     - name: Ensure the VENDOR directory exists
       ansible.builtin.file:
         path: "{{ ansible_user_dir }}/rpmbuild/VENDOR"
@@ -86,7 +91,8 @@
 
     - name: Get built RPMS
       ansible.builtin.find:
-        path: "{{ ansible_user_dir }}/rpmbuild/RPMS/x86_64/"
+        path: "{{ ansible_user_dir }}/rpmbuild/RPMS/"
+        recurse: true
         patterns: "*.rpm"
       register: build_rpms
 

ansible/templates/kiosk.toml.j2

@@ -15,6 +15,10 @@ name = "cockpit"
 name = "microshift-manifests"
 version = "*"
 
+[[packages]]
+name = "ca-certificates-custom"
+version = "*"
+
 [[packages]]
 name = "cockpit-system"
 

imagebuilder/kiosk.toml

@@ -15,6 +15,10 @@ name = "cockpit"
 name = "microshift-manifests"
 version = "*"
 
+[[packages]]
+name = "ca-certificates-custom"
+version = "*"
+
 [[packages]]
 name = "cockpit-system"
 

rpms/SOURCES/.gitignore

@@ -0,0 +1 @@
+custom-ca.key

rpms/SOURCES/custom-ca.crt

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDCTCCAfGgAwIBAgIUM86tyWaDXwVh19euAQay1IUhlQ8wDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAwwJQ3VzdG9tIENBMB4XDTI0MDUxNTE0MTE1NloXDTI0MDYx
+NDE0MTE1NlowFDESMBAGA1UEAwwJQ3VzdG9tIENBMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAj+BqXKaxWYjLBEP6vTG4XZ6UB/31TSi1rjPYlz7DoGzm
+DTzeVdUiQtV5S8olN8DFRNweRYauGTMvvddT9ZgFquMMe4pgnZp7HUB/qoEmIBRj
+HXqPeT6JYr4nN3eP8MbpYwDwj8uHBHgxkYDbdJJcNGaH982lpbNI8fDvyoDJSaNg
+t6cnNax9j5oUiZ2rWN2dMz2VXDLmsjZMsCUluD+PyYqQsqtKryAG1LgJoHwcO4G9
+dlamPi+bVVPEZTtoxiLDdLFnKKb63FVVbjq+2qbjoW7RcyFk1OBJewdkklmTIG9h
+eGhy+Svk+wxxOv50lRxPpr6SV3OsxIjcq3lSfIv6JwIDAQABo1MwUTAdBgNVHQ4E
+FgQUPsESEvv8B0AIcgnIWewaChcYPR0wHwYDVR0jBBgwFoAUPsESEvv8B0AIcgnI
+WewaChcYPR0wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAdFHH
+2GDS8BLHzYtJGArwwaNJPBrL/3lBQCb1k1rjevFGDSiyr3q4UNrd33yxbJbRpAOR
+04VXbs+DtYyGWvn2J1/K22kTr/c+JE/FkYAvMOn1aNDZfNSCAEM//CcLh5/hYnGy
+lNRPdVSJW6PAkmEnHaonHFz2/5MPtTe1Wq7bOaZBP02YaYFquPh9uttZaXyasUfv
+xxAdBULsHBj7bhwHOW70smHlv0xstut0otzLPQlgUHjv7RkQA4WFuzAIk8XJ7AtE
+abQUJ6OSrnwopfcKf1moSFUFRgHM0Z9qfbOUnDTnSswxfDJpz7HBoAhpaODtSZr3
+pZBt84iZo4/iqwsphA==
+-----END CERTIFICATE-----

rpms/SPECS/ca-certificates-custom.spec

@@ -0,0 +1,57 @@
+Name:       ca-certificates-custom
+Version:    0.0.1
+Release:    rh1
+Summary:    Custom CA Certificates
+License:    BSD
+Source0:    custom-ca.crt
+Requires(post): ca-certificates
+Requires(postun): ca-certificates
+BuildArch:  noarch
+
+%description
+Custom CA certificates
+
+# We are evil, we have no changelog !
+%global source_date_epoch_from_changelog 0
+
+%prep
+##
+## If you do not have a real CA certificate, you can generate one with:
+##
+# openssl req -new -nodes -keyout custom-ca.key -out custom-ca.crt -x509 -subj '/CN=Custom CA'
+cp %{S:0} custom-ca.crt
+
+%build
+
+%install
+install -m 0644 -D custom-ca.crt %{buildroot}/etc/pki/ca-trust/source/anchors/custom-ca.crt
+
+%files
+%config %attr(0644, root, root) /etc/pki/ca-trust/source/anchors/custom-ca.crt
+
+%post
+##
+## You can verify the post script is working by running the following command
+## after the RPM installation:
+##
+#
+# user@localhost$ grep -i custom /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+# Custom CA
+# user@localhost$ echo $?
+# 0
+#
+update-ca-trust extract
+
+%postun
+##
+## You can verify the postun script is working by running the following command
+## after the RPM un-installation:
+##
+#
+# user@localhost$ grep -i custom /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+# user@localhost$ echo $?
+# 1
+#
+update-ca-trust extract
+
+%changelog