From 1a93cfe6db4e5933be6b74897b8cbb81ffb14fa4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20Mass=C3=A9?=
Date: Wed, 15 May 2024 16:57:50 +0200
Subject: [PATCH 1/2] RPM packaging for custom CA
---
 ansible/build.yaml | 8 +++-
 ansible/templates/kiosk.toml.j2 | 4 ++
 imagebuilder/kiosk.toml | 4 ++
 rpms/SOURCES/.gitignore | 1 +
 rpms/SOURCES/custom-ca.crt | 19 +++++++++
 rpms/SPECS/ca-certificates-custom.spec | 57 ++++++++++++++++++++++++++
 6 files changed, 92 insertions(+), 1 deletion(-)
 create mode 100644 rpms/SOURCES/.gitignore
 create mode 100644 rpms/SOURCES/custom-ca.crt
 create mode 100644 rpms/SPECS/ca-certificates-custom.spec
diff --git a/ansible/build.yaml b/ansible/build.yaml
index d5e1fea..306df34 100644
--- a/ansible/build.yaml
+++ b/ansible/build.yaml
@@ -54,6 +54,11 @@
 spectool -g -R {{ ansible_user_dir }}/rpmbuild/SPECS/microshift-manifests.spec
 rpmbuild -ba {{ ansible_user_dir }}/rpmbuild/SPECS/microshift-manifests.spec
+ - name: Build the ca-certificates-custom RPM
+ ansible.builtin.shell: |
+ spectool -g -R {{ ansible_user_dir }}/rpmbuild/SPECS/ca-certificates-custom.spec
+ rpmbuild -ba {{ ansible_user_dir }}/rpmbuild/SPECS/ca-certificates-custom.spec
+
 - name: Ensure the VENDOR directory exists
 ansible.builtin.file:
 path: "{{ ansible_user_dir }}/rpmbuild/VENDOR"
@@ -86,7 +91,8 @@
 - name: Get built RPMS
 ansible.builtin.find:
- path: "{{ ansible_user_dir }}/rpmbuild/RPMS/x86_64/"
+ path: "{{ ansible_user_dir }}/rpmbuild/RPMS/"
+ recurse: true
 patterns: "*.rpm"
 register: build_rpms
diff --git a/ansible/templates/kiosk.toml.j2 b/ansible/templates/kiosk.toml.j2
index 1992f8f..bfa1ba2 100644
--- a/ansible/templates/kiosk.toml.j2
+++ b/ansible/templates/kiosk.toml.j2
@@ -15,6 +15,10 @@ name = "cockpit"
 name = "microshift-manifests"
 version = "*"
+[[packages]]
+name = "ca-certificates-custom"
+version = "*"
+
 [[packages]]
 name = "cockpit-system"
diff --git a/imagebuilder/kiosk.toml b/imagebuilder/kiosk.toml
index 7973870..1347116 100644
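Review bot: The new `Build the ca-certificates-custom RPM` task runs two commands under `ansible.builtin.shell: |` without `set -e`, so a `spectool` failure is hidden whenever the trailing `rpmbuild` exits 0 and the task still reports success. Prefix the block with `set -e`; the pre-existing microshift-manifests block visible as context has the same gap. Both shell tasks also lack `changed_when`, so every run reports a change; if that is intentional, a short comment saying so would help. The indentation of this hunk is lost in the collapsed view, so the exact nesting of the new task cannot be checked here.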
--- a/imagebuilder/kiosk.toml
+++ b/imagebuilder/kiosk.toml
@@ -15,6 +15,10 @@ name = "cockpit"
 name = "microshift-manifests"
 version = "*"
+[[packages]]
+name = "ca-certificates-custom"
+version = "*"
+
 [[packages]]
 name = "cockpit-system"
diff --git a/rpms/SOURCES/.gitignore b/rpms/SOURCES/.gitignore
new file mode 100644
index 0000000..6ec41f8
--- /dev/null
+++ b/rpms/SOURCES/.gitignore
@@ -0,0 +1 @@
+custom-ca.key
diff --git a/rpms/SOURCES/custom-ca.crt b/rpms/SOURCES/custom-ca.crt
new file mode 100644
index 0000000..cc989d9
--- /dev/null
+++ b/rpms/SOURCES/custom-ca.crt
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDCTCCAfGgAwIBAgIUM86tyWaDXwVh19euAQay1IUhlQ8wDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAwwJQ3VzdG9tIENBMB4XDTI0MDUxNTE0MTE1NloXDTI0MDYx
+NDE0MTE1NlowFDESMBAGA1UEAwwJQ3VzdG9tIENBMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAj+BqXKaxWYjLBEP6vTG4XZ6UB/31TSi1rjPYlz7DoGzm
+DTzeVdUiQtV5S8olN8DFRNweRYauGTMvvddT9ZgFquMMe4pgnZp7HUB/qoEmIBRj
+HXqPeT6JYr4nN3eP8MbpYwDwj8uHBHgxkYDbdJJcNGaH982lpbNI8fDvyoDJSaNg
+t6cnNax9j5oUiZ2rWN2dMz2VXDLmsjZMsCUluD+PyYqQsqtKryAG1LgJoHwcO4G9
+dlamPi+bVVPEZTtoxiLDdLFnKKb63FVVbjq+2qbjoW7RcyFk1OBJewdkklmTIG9h
+eGhy+Svk+wxxOv50lRxPpr6SV3OsxIjcq3lSfIv6JwIDAQABo1MwUTAdBgNVHQ4E
+FgQUPsESEvv8B0AIcgnIWewaChcYPR0wHwYDVR0jBBgwFoAUPsESEvv8B0AIcgnI
+WewaChcYPR0wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAdFHH
+2GDS8BLHzYtJGArwwaNJPBrL/3lBQCb1k1rjevFGDSiyr3q4UNrd33yxbJbRpAOR
+04VXbs+DtYyGWvn2J1/K22kTr/c+JE/FkYAvMOn1aNDZfNSCAEM//CcLh5/hYnGy
+lNRPdVSJW6PAkmEnHaonHFz2/5MPtTe1Wq7bOaZBP02YaYFquPh9uttZaXyasUfv
+xxAdBULsHBj7bhwHOW70smHlv0xstut0otzLPQlgUHjv7RkQA4WFuzAIk8XJ7AtE
+abQUJ6OSrnwopfcKf1moSFUFRgHM0Z9qfbOUnDTnSswxfDJpz7HBoAhpaODtSZr3
+pZBt84iZo4/iqwsphA==
+-----END CERTIFICATE-----
diff --git a/rpms/SPECS/ca-certificates-custom.spec b/rpms/SPECS/ca-certificates-custom.spec
new file mode 100644
index 0000000..8a4ddbe
--- /dev/null
+++ b/rpms/SPECS/ca-certificates-custom.spec
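Review bot: The committed `custom-ca.crt` is a self-signed CA with a 30-day validity window — decoding the two UTCTime fields in the base64 gives notBefore 2024-05-15T14:11:56Z and notAfter 2024-06-14T14:11:56Z — so any image composed after mid-June 2024 ships an already-expired trust anchor and TLS validation against it fails. Either replace it with the real CA certificate this package is meant to carry or regenerate a longer-lived one, and record next to it (a README line under `rpms/SOURCES/` or a comment in the spec) who holds the signing key, since the `.gitignore` entry only keeps `custom-ca.key` out of git and says nothing about where it lives. An anchor under `/etc/pki/ca-trust/source/anchors` is trusted for every purpose by every TLS client on the device, so the CA's intended scope (which registry or service it fronts) is worth documenting alongside it.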
@@ -0,0 +1,57 @@
+Name: ca-certificates-custom
+Version: 0.0.1
+Release: rh1
+Summary: Custom CA Certificates
+License: BSD
+Source0: custom-ca.crt
+Requires(post): ca-certificates
+Requires(postun): ca-certificates
+BuildArch: noarch
+
+%description
+Custom CA certificates
+
+# We are evil, we have no changelog !
+%global source_date_epoch_from_changelog 0
+
+%prep
+##
+## If you do not have a real CA certificate, you can generate one with:
+##
+# openssl req -new -nodes -keyout custom-ca.key -out custom-ca.crt -x509 -subj '/CN=Custom CA'
+cp %{S:0} custom-ca.crt
+
+%build
+
+%install
+install -m 0644 -D custom-ca.crt %{buildroot}/etc/pki/ca-trust/source/anchors/custom-ca.crt
+
+%files
+%config %attr(0644, root, root) /etc/pki/ca-trust/source/anchors/custom-ca.crt
+
+%post
+##
+## You can verify the post script is working by running the following command
+## after the RPM installation:
+##
+#
+# user@localhost$ grep -i custom /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+# Custom CA
+# user@localhost$ echo $?
+# 0
+#
+update-ca-trust extract
+
+%postun
+##
+## You can verify the postun script is working by running the following command
+## after the RPM un-installation:
+##
+#
+# user@localhost$ grep -i custom /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+# user@localhost$ echo $?
+# 1
+#
+update-ca-trust extract
+
+%changelog
From 28102f92320e6e6ebddaf22fa5d3be95f42f516c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20Mass=C3=A9?=
Date: Wed, 15 May 2024 21:04:34 +0200
Subject: [PATCH 2/2] inject device specific kickstart into iso
---
 ansible/build-iso.yaml | 30 +++++++++++++++++++++++++++++
 ansible/build.yaml | 24 +++++------------------
 ansible/group_vars/all/config.yaml | 1 -
 ansible/group_vars/all/devices.yaml | 10 ++++++++++
 ansible/templates/kiosk.ks.j2 | 6 +++---
 5 files changed, 48 insertions(+), 23 deletions(-)
 create mode 100644 ansible/build-iso.yaml
 create mode 100644 ansible/group_vars/all/devices.yaml
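Review bot: `Version: 0.0.1` and `Release: rh1` are fixed while the payload is a certificate that will be rotated, and RPM compares only NEVRA, so a rebuilt package carrying a new `custom-ca.crt` under the same version/release is treated as already installed and never reaches deployed images even with `version = "*"` in the blueprint; add a comment above `Version:` stating that `Release` (or `Version`) must be bumped on every certificate change, and consider `Release: 1%{?dist}` so the dist tag is kept. The `%prep` comment documents `openssl req ... -x509` without `-days`, which yields a 30-day certificate by default; write it as `# openssl req -new -nodes -keyout custom-ca.key -out custom-ca.crt -x509 -days <DAYS> -subj '/CN=Custom CA'` so a generated CA outlives the image lifecycle. The generated `custom-ca.key` becomes a system-wide signing key for every device that installs this package, which the comment should say so it is not left in a developer checkout (the `.gitignore` only hides it from git).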
diff --git a/ansible/build-iso.yaml b/ansible/build-iso.yaml
new file mode 100644
index 0000000..f693ada
--- /dev/null
+++ b/ansible/build-iso.yaml
@@ -0,0 +1,30 @@
+- debug:
+ msg: "Injecting Kickstart of {{ device.hostname }} into ISO..."
+
+- name: Create kiosk.ks from template
+ ansible.builtin.template:
+ src: "kiosk.ks.j2"
+ dest: "{{ tmp.path }}/kiosk-{{ device.hostname }}.ks"
+
+- name: Validate kiosk.ks using ksvalidator
+ ansible.builtin.command:
+ cmd: "ksvalidator {{ tmp.path }}/kiosk-{{ device.hostname }}.ks"
+
+- name: Create new kiosk.iso file
+ ansible.builtin.command:
+ cmd: "mkksiso -r 'inst.ks' --ks {{ tmp.path }}/kiosk-{{ device.hostname }}.ks {{ tmp.path }}/{{ compose_id }}.iso {{ tmp.path }}/kiosk.iso"
+
+- name: Copy new ISO to /var/www
+ copy:
+ src: "{{ tmp.path }}/kiosk.iso"
+ dest: "{{ www_location }}/kiosk-{{ device.hostname }}.iso"
+ remote_src: true
+ become: true
+
+- name: Cleanup
+ ansible.builtin.file:
+ path: '{{ item }}'
+ state: absent
+ loop:
+ - "{{ tmp.path }}/kiosk.iso"
+ - "{{ tmp.path }}/kiosk-{{ device.hostname }}.ks"
diff --git a/ansible/build.yaml b/ansible/build.yaml
index 306df34..a96c30c 100644
--- a/ansible/build.yaml
+++ b/ansible/build.yaml
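Review bot: The two `ansible.builtin.command` tasks build their command line by interpolating `device.hostname` and `tmp.path` into a single `cmd:` string that Ansible then word-splits, so a hostname or path containing whitespace or quotes changes the argument boundaries; the `argv:` form avoids the re-split, e.g. `argv: ["ksvalidator", "{{ tmp.path }}/kiosk-{{ device.hostname }}.ks"]` for the validation task and the same shape for `mkksiso`. The `copy` task publishes the ISO into `{{ www_location }}` with `become: true` but no `mode:`, so the served file's permissions follow the remote umask; set `mode:` explicitly since the web server exposes the result. Module names mix `debug:` and `copy:` with `ansible.builtin.*`; the file reads better with the FQCN throughout, and the `debug` task would benefit from a `name:` like its siblings.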
@@ -257,25 +257,11 @@
 compose_id: "{{ compose_id }}"
 dest: "{{ tmp.path }}/{{ compose_id }}.iso"
- - name: Create kiosk.ks from template
- ansible.builtin.template:
- src: "kiosk.ks.j2"
- dest: "{{ tmp.path }}/kiosk.ks"
-
- - name: Validate kiosk.ks using ksvalidator
- ansible.builtin.command:
- cmd: "ksvalidator {{ tmp.path }}/kiosk.ks"
-
- - name: Create new kiosk.iso file
- ansible.builtin.command:
- cmd: "mkksiso -r 'inst.ks' --ks {{ tmp.path }}/kiosk.ks {{ tmp.path }}/{{ compose_id }}.iso {{ tmp.path }}/kiosk.iso"
-
- - name: Copy new ISO to /var/www
- copy:
- src: "{{ tmp.path }}/kiosk.iso"
- dest: "{{ www_location }}/kiosk.iso"
- remote_src: true
- become: true
+ - ansible.builtin.include_tasks: build-iso.yaml
+ loop: '{{ kickstart_devices }}'
+ loop_control:
+ label: "{{ device.hostname }}"
+ loop_var: device
 post_tasks:
 - ansible.builtin.file:
diff --git a/ansible/group_vars/all/config.yaml b/ansible/group_vars/all/config.yaml
index 6ae268f..6e75911 100644
--- a/ansible/group_vars/all/config.yaml
+++ b/ansible/group_vars/all/config.yaml
@@ -2,4 +2,3 @@ repo_location: /opt/custom-rpms
 blueprint_admin_ssh_public_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFW62WJXI1ZCMfNA4w0dMpL0fsldhbEfULNGIUB0nQui nmasse@localhost.localdomain
 www_location: /var/www
 compose_timeout: 300
-kickstart_root_disk: /dev/disk/by-path/pci-0000:00:12.0-ata-1
diff --git a/ansible/group_vars/all/devices.yaml b/ansible/group_vars/all/devices.yaml
new file mode 100644
index 0000000..c3652ba
--- /dev/null
+++ b/ansible/group_vars/all/devices.yaml
@@ -0,0 +1,10 @@
+kickstart_devices:
+- hostname: kiosk.localdomain
+ storage:
+ root_disk: /dev/disk/by-path/pci-0000:00:12.0-ata-1
+ network:
+ interface: enp1s0
+ ip_address: 192.168.122.23
+ netmask: 255.255.255.0
+ gateway: 192.168.122.1
+ dns: 192.168.122.1
diff --git a/ansible/templates/kiosk.ks.j2 b/ansible/templates/kiosk.ks.j2
index 7ffd110..9038341 100644
--- a/ansible/templates/kiosk.ks.j2
+++ b/ansible/templates/kiosk.ks.j2
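Review bot: `devices.yaml` introduces a per-device schema that `kiosk.ks.j2` depends on — `hostname`, `storage.root_disk`, `network.interface`, `network.ip_address`, `network.netmask`, `network.gateway`, `network.dns` — but nothing states that every key is required or that `dns` is rendered into a single `--nameserver=` option; add a header comment listing the keys and noting that, with Ansible's default undefined-variable handling, a missing key fails the template task for that device and that `dns` is expected to be a scalar rather than a list. The `include_tasks` loop in `build.yaml` and the removal of `kickstart_root_disk` from `config.yaml` are consistent with the new structure, and `loop_control.label: "{{ device.hostname }}"` correctly keeps the whole device mapping out of the task output. The sequence under `kickstart_devices:` is written flush with its parent key (`- hostname:`); keep that indentation style consistent with the other playbook files, whose nesting cannot be checked in this collapsed view.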
@@ -27,7 +27,7 @@ text
 zerombr
 clearpart --all --initlabel
 reqpart --add-boot
-part pv.01 --size=1024 --grow --ondisk={{ kickstart_root_disk }}
+part pv.01 --size=1024 --grow --ondisk={{ device.storage.root_disk }}
 volgroup rhel pv.01
 logvol / --fstype="xfs" --size=10240 --name=root --vgname=rhel
@@ -36,10 +36,10 @@ logvol / --fstype="xfs" --size=10240 --name=root --vgname=rhel
 ##
 # Configure the first network device
-network --bootproto=dhcp --device=enp1s0 --noipv6 --activate
+network --bootproto=static --ip={{ device.network.ip_address }} --netmask={{ device.network.netmask }} --gateway={{ device.network.gateway }} --nameserver={{ device.network.dns }} --device={{ device.network.interface }} --noipv6 --activate
 # Configure hostname
-network --hostname=kiosk.localdomain
+network --hostname={{ device.hostname }}
 ##
 ## Ostree installation
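Review bot: The new static `network` line passes `{{ device.network.dns }}` straight into `--nameserver=`, which kickstart accepts as a comma-separated list, so a YAML list for `dns` would render as a Python-style list that `ksvalidator` may or may not reject; render it as `--nameserver={{ device.network.dns | join(',') if device.network.dns is not string else device.network.dns }}`, or state in a comment above the line that `dns` must be a single address. Replacing `--bootproto=dhcp` with `--bootproto=static` also removes the fallback that previously let a device without per-host data come up; if some devices should keep DHCP, `bootproto` needs to become a per-device field, and a comment above the line should say which it is either way. Both hunks sit in plain kickstart sections with no enclosing block.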