
Merge pull request #8 from nmasse-itix/ca-cert-and-multi-ks

Handle custom CA certificate + generate an ISO image for each device
20240530
Bertrand d'Hérouville 2 years ago
committed by GitHub
parent
commit
8fe0212832
No known key found for this signature in database GPG Key ID: B5690EEEBB952194
  1. 30
      ansible/build-iso.yaml
  2. 32
      ansible/build.yaml
  3. 1
      ansible/group_vars/all/config.yaml
  4. 10
      ansible/group_vars/all/devices.yaml
  5. 6
      ansible/templates/kiosk.ks.j2
  6. 4
      ansible/templates/kiosk.toml.j2
  7. 4
      imagebuilder/kiosk.toml
  8. 1
      rpms/SOURCES/.gitignore
  9. 19
      rpms/SOURCES/custom-ca.crt
  10. 57
      rpms/SPECS/ca-certificates-custom.spec

30
ansible/build-iso.yaml

@ -0,0 +1,30 @@
- debug:
msg: "Injecting Kickstart of {{ device.hostname }} into ISO..."
- name: Create kiosk.ks from template
ansible.builtin.template:
src: "kiosk.ks.j2"
dest: "{{ tmp.path }}/kiosk-{{ device.hostname }}.ks"
- name: Validate kiosk.ks using ksvalidator
ansible.builtin.command:
cmd: "ksvalidator {{ tmp.path }}/kiosk-{{ device.hostname }}.ks"
- name: Create new kiosk.iso file
ansible.builtin.command:
cmd: "mkksiso -r 'inst.ks' --ks {{ tmp.path }}/kiosk-{{ device.hostname }}.ks {{ tmp.path }}/{{ compose_id }}.iso {{ tmp.path }}/kiosk.iso"
- name: Copy new ISO to /var/www
copy:
src: "{{ tmp.path }}/kiosk.iso"
dest: "{{ www_location }}/kiosk-{{ device.hostname }}.iso"
remote_src: true
become: true
- name: Cleanup
ansible.builtin.file:
path: '{{ item }}'
state: absent
loop:
- "{{ tmp.path }}/kiosk.iso"
- "{{ tmp.path }}/kiosk-{{ device.hostname }}.ks"
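Review bot: The `debug:` and `copy:` tasks use short module names while every other task in this new file uses the `ansible.builtin.` FQCN; change them to `ansible.builtin.debug:` and `ansible.builtin.copy:` for consistency. The copy into `{{ www_location }}` runs under `become: true` with no explicit `mode:`, so the published ISO's permissions come from the remote umask; `mode: '0644'` on that task pins them. Note also that the Cleanup task only runs when ksvalidator and mkksiso succeed, so a failed device leaves its `kiosk-<hostname>.ks` and a possibly partial `kiosk.iso` behind in `{{ tmp.path }}`, which the next loop iteration then overwrites.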

32
ansible/build.yaml

@ -54,6 +54,11 @@
spectool -g -R {{ ansible_user_dir }}/rpmbuild/SPECS/microshift-manifests.spec spectool -g -R {{ ansible_user_dir }}/rpmbuild/SPECS/microshift-manifests.spec
rpmbuild -ba {{ ansible_user_dir }}/rpmbuild/SPECS/microshift-manifests.spec rpmbuild -ba {{ ansible_user_dir }}/rpmbuild/SPECS/microshift-manifests.spec
- name: Build the ca-certificates-custom RPM
ansible.builtin.shell: |
spectool -g -R {{ ansible_user_dir }}/rpmbuild/SPECS/ca-certificates-custom.spec
rpmbuild -ba {{ ansible_user_dir }}/rpmbuild/SPECS/ca-certificates-custom.spec
- name: Ensure the VENDOR directory exists - name: Ensure the VENDOR directory exists
ansible.builtin.file: ansible.builtin.file:
path: "{{ ansible_user_dir }}/rpmbuild/VENDOR" path: "{{ ansible_user_dir }}/rpmbuild/VENDOR"
@ -86,7 +91,8 @@
- name: Get built RPMS - name: Get built RPMS
ansible.builtin.find: ansible.builtin.find:
path: "{{ ansible_user_dir }}/rpmbuild/RPMS/x86_64/" path: "{{ ansible_user_dir }}/rpmbuild/RPMS/"
recurse: true
patterns: "*.rpm" patterns: "*.rpm"
register: build_rpms register: build_rpms
@ -251,25 +257,11 @@
compose_id: "{{ compose_id }}" compose_id: "{{ compose_id }}"
dest: "{{ tmp.path }}/{{ compose_id }}.iso" dest: "{{ tmp.path }}/{{ compose_id }}.iso"
- name: Create kiosk.ks from template - ansible.builtin.include_tasks: build-iso.yaml
ansible.builtin.template: loop: '{{ kickstart_devices }}'
src: "kiosk.ks.j2" loop_control:
dest: "{{ tmp.path }}/kiosk.ks" label: "{{ device.hostname }}"
loop_var: device
- name: Validate kiosk.ks using ksvalidator
ansible.builtin.command:
cmd: "ksvalidator {{ tmp.path }}/kiosk.ks"
- name: Create new kiosk.iso file
ansible.builtin.command:
cmd: "mkksiso -r 'inst.ks' --ks {{ tmp.path }}/kiosk.ks {{ tmp.path }}/{{ compose_id }}.iso {{ tmp.path }}/kiosk.iso"
- name: Copy new ISO to /var/www
copy:
src: "{{ tmp.path }}/kiosk.iso"
dest: "{{ www_location }}/kiosk.iso"
remote_src: true
become: true
post_tasks: post_tasks:
- ansible.builtin.file: - ansible.builtin.file:
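Review bot: The new `Build the ca-certificates-custom RPM` task in the first hunk runs two commands in a single `ansible.builtin.shell` script without `set -e`, so a failing `spectool` is masked by the exit status of the following `rpmbuild` (the existing microshift-manifests task just above has the same shape). Starting the script with `set -e` makes the task fail on the first error. Because the spec pins `Version`/`Release`, this task also rebuilds the same RPM on every run; an `args: creates:` pointing at the built RPM, or a `changed_when`, would make it idempotent. The enclosing play starts and continues outside this hunk.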

1
ansible/group_vars/all/config.yaml

@ -2,4 +2,3 @@ repo_location: /opt/custom-rpms
blueprint_admin_ssh_public_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFW62WJXI1ZCMfNA4w0dMpL0fsldhbEfULNGIUB0nQui nmasse@localhost.localdomain blueprint_admin_ssh_public_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFW62WJXI1ZCMfNA4w0dMpL0fsldhbEfULNGIUB0nQui nmasse@localhost.localdomain
www_location: /var/www www_location: /var/www
compose_timeout: 300 compose_timeout: 300
kickstart_root_disk: /dev/disk/by-path/pci-0000:00:12.0-ata-1

10
ansible/group_vars/all/devices.yaml

@ -0,0 +1,10 @@
kickstart_devices:
- hostname: kiosk.localdomain
storage:
root_disk: /dev/disk/by-path/pci-0000:00:12.0-ata-1
network:
interface: enp1s0
ip_address: 192.168.122.23
netmask: 255.255.255.0
gateway: 192.168.122.1
dns: 192.168.122.1
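Review bot: The new inventory file has no `---` document start and no comment recording which keys are mandatory, yet every key is dereferenced without a default by templates/kiosk.ks.j2 (`device.storage.root_disk`, `device.network.*`) and by build-iso.yaml (`device.hostname`), so an omitted key only surfaces as a template error at build time. Suggest opening the file with `---` and a header comment such as `# One entry per kiosk; every key below is required by templates/kiosk.ks.j2 and build-iso.yaml.` Since `hostname` is also spliced into the generated `.ks` and `.iso` file names in build-iso.yaml, the comment should say it must be a plain host name.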

6
ansible/templates/kiosk.ks.j2

@ -27,7 +27,7 @@ text
zerombr zerombr
clearpart --all --initlabel clearpart --all --initlabel
reqpart --add-boot reqpart --add-boot
part pv.01 --size=1024 --grow --ondisk={{ kickstart_root_disk }} part pv.01 --size=1024 --grow --ondisk={{ device.storage.root_disk }}
volgroup rhel pv.01 volgroup rhel pv.01
logvol / --fstype="xfs" --size=10240 --name=root --vgname=rhel logvol / --fstype="xfs" --size=10240 --name=root --vgname=rhel
@ -36,10 +36,10 @@ logvol / --fstype="xfs" --size=10240 --name=root --vgname=rhel
## ##
# Configure the first network device # Configure the first network device
network --bootproto=dhcp --device=enp1s0 --noipv6 --activate network --bootproto=static --ip={{ device.network.ip_address }} --netmask={{ device.network.netmask }} --gateway={{ device.network.gateway }} --nameserver={{ device.network.dns }} --device={{ device.network.interface }} --noipv6 --activate
# Configure hostname # Configure hostname
network --hostname=kiosk.localdomain network --hostname={{ device.hostname }}
## ##
## Ostree installation ## Ostree installation
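Review bot: The rewritten `network` line in the second hunk makes a static address mandatory: a device entry without `ip_address` no longer renders, and the DHCP behaviour the replaced line provided can no longer be expressed. If some kiosks are still expected to use DHCP, a conditional that keeps the static form when `device.network.ip_address` is defined and falls back to `--bootproto=dhcp` otherwise preserves both; the rewrite is below. ksvalidator in build-iso.yaml still checks the rendered result either way.
```jinja
# Configure the first network device
{% if device.network.ip_address is defined %}
network --bootproto=static --ip={{ device.network.ip_address }} --netmask={{ device.network.netmask }} --gateway={{ device.network.gateway }} --nameserver={{ device.network.dns }} --device={{ device.network.interface }} --noipv6 --activate
{% else %}
network --bootproto=dhcp --device={{ device.network.interface }} --noipv6 --activate
{% endif %}
{# … unchanged: hostname configuration … #}
```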

4
ansible/templates/kiosk.toml.j2

@ -15,6 +15,10 @@ name = "cockpit"
name = "microshift-manifests" name = "microshift-manifests"
version = "*" version = "*"
[[packages]]
name = "ca-certificates-custom"
version = "*"
[[packages]] [[packages]]
name = "cockpit-system" name = "cockpit-system"
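Review bot: The `ca-certificates-custom` package entry is added identically here and in imagebuilder/kiosk.toml, with nothing tying the two blueprints together, so the next package change has to be repeated by hand in both files. Because this entry places a CA into every device's system-wide trust store, a comment above it naming what the CA is for would let a later reader judge whether it is still needed, e.g. `# Installs the custom CA into the system trust store; built from rpms/SPECS/ca-certificates-custom.spec`. `version = "*"` is acceptable here since the RPM is built in this repository.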

4
imagebuilder/kiosk.toml

@ -15,6 +15,10 @@ name = "cockpit"
name = "microshift-manifests" name = "microshift-manifests"
version = "*" version = "*"
[[packages]]
name = "ca-certificates-custom"
version = "*"
[[packages]] [[packages]]
name = "cockpit-system" name = "cockpit-system"

1
rpms/SOURCES/.gitignore

@ -0,0 +1 @@
custom-ca.key
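Review bot: The ignore entry matches only the exact file name used in the openssl example in rpms/SPECS/ca-certificates-custom.spec; a private key saved under any other name in this directory would be committed next to the certificate. A pattern such as `*.key` covers that case without affecting `custom-ca.crt`, which is meant to be tracked.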

19
rpms/SOURCES/custom-ca.crt

@ -0,0 +1,19 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

57
rpms/SPECS/ca-certificates-custom.spec

@ -0,0 +1,57 @@
Name: ca-certificates-custom
Version: 0.0.1
Release: rh1
Summary: Custom CA Certificates
License: BSD
Source0: custom-ca.crt
Requires(post): ca-certificates
Requires(postun): ca-certificates
BuildArch: noarch
%description
Custom CA certificates
# We are evil, we have no changelog !
%global source_date_epoch_from_changelog 0
%prep
##
## If you do not have a real CA certificate, you can generate one with:
##
# openssl req -new -nodes -keyout custom-ca.key -out custom-ca.crt -x509 -subj '/CN=Custom CA'
cp %{S:0} custom-ca.crt
%build
%install
install -m 0644 -D custom-ca.crt %{buildroot}/etc/pki/ca-trust/source/anchors/custom-ca.crt
%files
%config %attr(0644, root, root) /etc/pki/ca-trust/source/anchors/custom-ca.crt
%post
##
## You can verify the post script is working by running the following command
## after the RPM installation:
##
#
# user@localhost$ grep -i custom /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
# Custom CA
# user@localhost$ echo $?
# 0
#
update-ca-trust extract
%postun
##
## You can verify the postun script is working by running the following command
## after the RPM un-installation:
##
#
# user@localhost$ grep -i custom /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
# user@localhost$ echo $?
# 1
#
update-ca-trust extract
%changelog
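Review bot: `Version: 0.0.1` and `Release: rh1` are fixed and `%changelog` is empty, so replacing rpms/SOURCES/custom-ca.crt rebuilds a package with the same NEVRA; rpm treats that as already installed, so a rotated or corrected CA may never reach devices that already carry 0.0.1-rh1 (I have not checked how the image compose resolves a same-NVR rebuild, so fresh images may behave differently). Suggest documenting the bump rule above `Version:`, e.g. `# Bump Release whenever custom-ca.crt changes; rpm will not upgrade an identical NVR.`, or deriving Release from the certificate. The `%description` should also state what the CA is trusted for, since the package drops it into the system-wide anchors directory. `%config` in `%files` means a locally modified anchor is kept as `.rpmsave` on upgrade; whether update-ca-trust still reads that copy from the anchors directory is worth checking, and plain file semantics may be the better fit for a trust anchor.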