Merge pull request #8 from nmasse-itix/ca-cert-and-multi-ks

Handle custom CA certificate + generate an ISO image for each device

ansible/build-iso.yaml

@@ -0,0 +1,30 @@
+- debug:
+    msg: "Injecting Kickstart of {{ device.hostname }} into ISO..."
+
+- name: Create kiosk.ks from template
+  ansible.builtin.template:
+    src: "kiosk.ks.j2"
+    dest: "{{ tmp.path }}/kiosk-{{ device.hostname }}.ks"
+
+- name: Validate kiosk.ks using ksvalidator
+  ansible.builtin.command:
+    cmd: "ksvalidator {{ tmp.path }}/kiosk-{{ device.hostname }}.ks"
+
+- name: Create new kiosk.iso file
+  ansible.builtin.command:
+    cmd: "mkksiso -r 'inst.ks' --ks {{ tmp.path }}/kiosk-{{ device.hostname }}.ks {{ tmp.path }}/{{ compose_id }}.iso {{ tmp.path }}/kiosk.iso"
+
+- name: Copy new ISO to /var/www
+  copy:
+    src: "{{ tmp.path }}/kiosk.iso"
+    dest: "{{ www_location }}/kiosk-{{ device.hostname }}.iso"
+    remote_src: true
+  become: true
+
+- name: Cleanup
+  ansible.builtin.file:
+    path: '{{ item }}'
+    state: absent
+  loop:
+  - "{{ tmp.path }}/kiosk.iso"
+  - "{{ tmp.path }}/kiosk-{{ device.hostname }}.ks"

ansible/build.yaml

@@ -54,6 +54,11 @@
         spectool -g -R {{ ansible_user_dir }}/rpmbuild/SPECS/microshift-manifests.spec
         rpmbuild -ba {{ ansible_user_dir }}/rpmbuild/SPECS/microshift-manifests.spec
 
+    - name: Build the ca-certificates-custom RPM
+      ansible.builtin.shell: |
+        spectool -g -R {{ ansible_user_dir }}/rpmbuild/SPECS/ca-certificates-custom.spec
+        rpmbuild -ba {{ ansible_user_dir }}/rpmbuild/SPECS/ca-certificates-custom.spec
+
     - name: Ensure the VENDOR directory exists
       ansible.builtin.file:
         path: "{{ ansible_user_dir }}/rpmbuild/VENDOR"
@@ -86,7 +91,8 @@
 
     - name: Get built RPMS
       ansible.builtin.find:
-        path: "{{ ansible_user_dir }}/rpmbuild/RPMS/x86_64/"
+        path: "{{ ansible_user_dir }}/rpmbuild/RPMS/"
+        recurse: true
         patterns: "*.rpm"
       register: build_rpms
 
@@ -251,25 +257,11 @@
         compose_id: "{{ compose_id }}"
         dest: "{{ tmp.path }}/{{ compose_id }}.iso"
 
-    - name: Create kiosk.ks from template
-      ansible.builtin.template:
-        src: "kiosk.ks.j2"
-        dest: "{{ tmp.path }}/kiosk.ks"
-
-    - name: Validate kiosk.ks using ksvalidator
-      ansible.builtin.command:
-        cmd: "ksvalidator {{ tmp.path }}/kiosk.ks"
-
-    - name: Create new kiosk.iso file
-      ansible.builtin.command:
-        cmd: "mkksiso -r 'inst.ks' --ks {{ tmp.path }}/kiosk.ks {{ tmp.path }}/{{ compose_id }}.iso {{ tmp.path }}/kiosk.iso"
-
-    - name: Copy new ISO to /var/www
-      copy:
-        src: "{{ tmp.path }}/kiosk.iso"
-        dest: "{{ www_location }}/kiosk.iso"
-        remote_src: true
-      become: true
+    - ansible.builtin.include_tasks: build-iso.yaml
+      loop: '{{ kickstart_devices }}'
+      loop_control:
+        label: "{{ device.hostname }}"
+        loop_var: device
 
   post_tasks:
   - ansible.builtin.file:

ansible/group_vars/all/config.yaml

@@ -2,4 +2,3 @@ repo_location: /opt/custom-rpms
 blueprint_admin_ssh_public_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFW62WJXI1ZCMfNA4w0dMpL0fsldhbEfULNGIUB0nQui nmasse@localhost.localdomain
 www_location: /var/www
 compose_timeout: 300
-kickstart_root_disk: /dev/disk/by-path/pci-0000:00:12.0-ata-1

ansible/group_vars/all/devices.yaml

@@ -0,0 +1,10 @@
+kickstart_devices:
+- hostname: kiosk.localdomain
+  storage:
+    root_disk: /dev/disk/by-path/pci-0000:00:12.0-ata-1
+  network:
+    interface: enp1s0
+    ip_address: 192.168.122.23
+    netmask: 255.255.255.0
+    gateway: 192.168.122.1
+    dns: 192.168.122.1

ansible/templates/kiosk.ks.j2

@@ -27,7 +27,7 @@ text
 zerombr
 clearpart --all --initlabel
 reqpart --add-boot
-part pv.01 --size=1024 --grow --ondisk={{ kickstart_root_disk }}
+part pv.01 --size=1024 --grow --ondisk={{ device.storage.root_disk }}
 volgroup rhel pv.01
 logvol /  --fstype="xfs" --size=10240 --name=root --vgname=rhel
 
@@ -36,10 +36,10 @@ logvol /  --fstype="xfs" --size=10240 --name=root --vgname=rhel
 ##
 
 # Configure the first network device
-network  --bootproto=dhcp --device=enp1s0 --noipv6 --activate
+network  --bootproto=static --ip={{ device.network.ip_address }} --netmask={{ device.network.netmask }} --gateway={{ device.network.gateway }} --nameserver={{ device.network.dns }} --device={{ device.network.interface }} --noipv6 --activate
 
 # Configure hostname
-network  --hostname=kiosk.localdomain
+network  --hostname={{ device.hostname }}
 
 ##
 ## Ostree installation

ansible/templates/kiosk.toml.j2

@@ -15,6 +15,10 @@ name = "cockpit"
 name = "microshift-manifests"
 version = "*"
 
+[[packages]]
+name = "ca-certificates-custom"
+version = "*"
+
 [[packages]]
 name = "cockpit-system"
 

imagebuilder/kiosk.toml

@@ -15,6 +15,10 @@ name = "cockpit"
 name = "microshift-manifests"
 version = "*"
 
+[[packages]]
+name = "ca-certificates-custom"
+version = "*"
+
 [[packages]]
 name = "cockpit-system"
 

rpms/SOURCES/.gitignore

@@ -0,0 +1 @@
+custom-ca.key

rpms/SOURCES/custom-ca.crt

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDCTCCAfGgAwIBAgIUM86tyWaDXwVh19euAQay1IUhlQ8wDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAwwJQ3VzdG9tIENBMB4XDTI0MDUxNTE0MTE1NloXDTI0MDYx
+NDE0MTE1NlowFDESMBAGA1UEAwwJQ3VzdG9tIENBMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAj+BqXKaxWYjLBEP6vTG4XZ6UB/31TSi1rjPYlz7DoGzm
+DTzeVdUiQtV5S8olN8DFRNweRYauGTMvvddT9ZgFquMMe4pgnZp7HUB/qoEmIBRj
+HXqPeT6JYr4nN3eP8MbpYwDwj8uHBHgxkYDbdJJcNGaH982lpbNI8fDvyoDJSaNg
+t6cnNax9j5oUiZ2rWN2dMz2VXDLmsjZMsCUluD+PyYqQsqtKryAG1LgJoHwcO4G9
+dlamPi+bVVPEZTtoxiLDdLFnKKb63FVVbjq+2qbjoW7RcyFk1OBJewdkklmTIG9h
+eGhy+Svk+wxxOv50lRxPpr6SV3OsxIjcq3lSfIv6JwIDAQABo1MwUTAdBgNVHQ4E
+FgQUPsESEvv8B0AIcgnIWewaChcYPR0wHwYDVR0jBBgwFoAUPsESEvv8B0AIcgnI
+WewaChcYPR0wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAdFHH
+2GDS8BLHzYtJGArwwaNJPBrL/3lBQCb1k1rjevFGDSiyr3q4UNrd33yxbJbRpAOR
+04VXbs+DtYyGWvn2J1/K22kTr/c+JE/FkYAvMOn1aNDZfNSCAEM//CcLh5/hYnGy
+lNRPdVSJW6PAkmEnHaonHFz2/5MPtTe1Wq7bOaZBP02YaYFquPh9uttZaXyasUfv
+xxAdBULsHBj7bhwHOW70smHlv0xstut0otzLPQlgUHjv7RkQA4WFuzAIk8XJ7AtE
+abQUJ6OSrnwopfcKf1moSFUFRgHM0Z9qfbOUnDTnSswxfDJpz7HBoAhpaODtSZr3
+pZBt84iZo4/iqwsphA==
+-----END CERTIFICATE-----

rpms/SPECS/ca-certificates-custom.spec

@@ -0,0 +1,57 @@
+Name:       ca-certificates-custom
+Version:    0.0.1
+Release:    rh1
+Summary:    Custom CA Certificates
+License:    BSD
+Source0:    custom-ca.crt
+Requires(post): ca-certificates
+Requires(postun): ca-certificates
+BuildArch:  noarch
+
+%description
+Custom CA certificates
+
+# We are evil, we have no changelog !
+%global source_date_epoch_from_changelog 0
+
+%prep
+##
+## If you do not have a real CA certificate, you can generate one with:
+##
+# openssl req -new -nodes -keyout custom-ca.key -out custom-ca.crt -x509 -subj '/CN=Custom CA'
+cp %{S:0} custom-ca.crt
+
+%build
+
+%install
+install -m 0644 -D custom-ca.crt %{buildroot}/etc/pki/ca-trust/source/anchors/custom-ca.crt
+
+%files
+%config %attr(0644, root, root) /etc/pki/ca-trust/source/anchors/custom-ca.crt
+
+%post
+##
+## You can verify the post script is working by running the following command
+## after the RPM installation:
+##
+#
+# user@localhost$ grep -i custom /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+# Custom CA
+# user@localhost$ echo $?
+# 0
+#
+update-ca-trust extract
+
+%postun
+##
+## You can verify the postun script is working by running the following command
+## after the RPM un-installation:
+##
+#
+# user@localhost$ grep -i custom /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+# user@localhost$ echo $?
+# 1
+#
+update-ca-trust extract
+
+%changelog