From a4ee1575c71103cadc86bdb6b54c922994e65951 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20Mass=C3=A9?= Date: Thu, 30 May 2024 23:01:28 +0200 Subject: [PATCH] tls + custom dns + french keyboard + container image embedding --- ansible/group_vars/all/devices.yaml | 9 +- ansible/prerequisites.yaml | 24 +++++ ansible/templates/kiosk.ks.j2 | 4 + ansible/templates/kiosk.toml.j2 | 74 +++++++++++++- rpms/SOURCES/.gitignore | 1 + rpms/SOURCES/haproxy-tls.crt | 19 ++++ rpms/SOURCES/kiosk-app | 7 +- rpms/SOURCES/kiosk-environment | 4 +- rpms/SOURCES/microshift-main-manifest.yaml | 111 +++++++++++++++++++-- rpms/SPECS/ca-certificates-custom.spec | 4 + 10 files changed, 241 insertions(+), 16 deletions(-) create mode 100644 rpms/SOURCES/haproxy-tls.crt diff --git a/ansible/group_vars/all/devices.yaml b/ansible/group_vars/all/devices.yaml index c3652ba..40cdc02 100644 --- a/ansible/group_vars/all/devices.yaml +++ b/ansible/group_vars/all/devices.yaml @@ -1,8 +1,15 @@ kickstart_devices: -- hostname: kiosk.localdomain +- hostname: kiosk.vm + storage: + root_disk: /dev/vda + network: + bootproto: dhcp + interface: enp1s0 +- hostname: kiosk.baremetal storage: root_disk: /dev/disk/by-path/pci-0000:00:12.0-ata-1 network: + bootproto: static interface: enp1s0 ip_address: 192.168.122.23 netmask: 255.255.255.0 diff --git a/ansible/prerequisites.yaml b/ansible/prerequisites.yaml index ce690b1..30b4724 100644 --- a/ansible/prerequisites.yaml +++ b/ansible/prerequisites.yaml 
@@ -146,3 +146,27 @@ - python3-toml state: installed delegate_to: localhost + + - name: Create /etc/osbuild-worker + file: + path: /etc/osbuild-worker + state: directory + + - name: Create /etc/osbuild-worker/osbuild-worker.toml + copy: + content: | + [containers] + auth_file_path = "/etc/osbuild-worker/pull-secret.json" + dest: /etc/osbuild-worker/osbuild-worker.toml + + - name: Create /etc/osbuild-worker/pull-secret.json + copy: + content: | + {{ kickstart_microshift_pull_secret }} + dest: /etc/osbuild-worker/pull-secret.json + mode: 0600 + + - name: restart the worker + systemd: + name: osbuild-worker@1 + state: restarted diff --git a/ansible/templates/kiosk.ks.j2 b/ansible/templates/kiosk.ks.j2 index 9038341..d36b522 100644 --- a/ansible/templates/kiosk.ks.j2 +++ b/ansible/templates/kiosk.ks.j2 @@ -36,7 +36,11 @@ logvol / --fstype="xfs" --size=10240 --name=root --vgname=rhel ## # Configure the first network device +{% if device.network.bootproto == "static" %} network --bootproto=static --ip={{ device.network.ip_address }} --netmask={{ device.network.netmask }} --gateway={{ device.network.gateway }} --nameserver={{ device.network.dns }} --device={{ device.network.interface }} --noipv6 --activate +{% else %} +network --bootproto=dhcp --device={{ device.network.interface }} --noipv6 --activate +{% endif %} # Configure hostname network --hostname={{ device.hostname }} diff --git a/ansible/templates/kiosk.toml.j2 b/ansible/templates/kiosk.toml.j2 index bfa1ba2..9e40c89 100644 --- a/ansible/templates/kiosk.toml.j2 +++ b/ansible/templates/kiosk.toml.j2 @@ -11,6 +11,13 @@ version = "*" [[packages]] name = "cockpit" +[[packages]] +name = "microshift" + +# Because we embed microshift images in the ostree, we have to pin +# the microshift version number here. +version = "4.14.27-202405231223.p0.g45fddd1.assembly.4.14.27.el9" + [[packages]] name = "microshift-manifests" version = "*" 
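Review bot: The pull-secret task passes `mode: 0600` as an unquoted literal; the Ansible file-module documentation asks for modes as quoted strings, because an unquoted leading-zero number is not reliably parsed as octal in every context and can yield a different mode than intended, so write `mode: "0600"`. The three new tasks also omit the `delegate_to: localhost` that the preceding task in the hunk's context carries; if this play targets the kiosk devices rather than the build host, the osbuild-worker directory, config and pull secret would be written to the device instead — confirm which hosts the play runs against, as the play header is outside the hunk. A short comment above the first new task saying that these tasks configure the local osbuild worker to authenticate image pulls would make that intent explicit.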
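Review bot: `microshift` is now pinned to `4.14.27-...` while `microshift-manifests` on the lines just below keeps `version = "*"`, so as far as this blueprint constrains it a later build could pair the pinned binary with manifests from a newer release. If both packages are meant to come from the same release, pin them together and note the coupling, e.g. `# Keep in sync with the microshift pin above` on the `microshift-manifests` entry.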
@@ -26,7 +33,7 @@ name = "cockpit-system" hostname = "kiosk.local" [customizations.services] -enabled = ["cockpit.socket", "sshd", "microshift", "rpm-ostreed", "rpm-ostreed-automatic.timer"] +enabled = ["chronyd", "cockpit.socket", "sshd", "microshift", "rpm-ostreed", "rpm-ostreed-automatic.timer"] [customizations.timezone] timezone = "Europe/Paris" 
@@ -76,3 +83,68 @@ password = '{{ blueprint_kiosk_password_hash }}' home = "/home/kiosk/" shell = "/bin/bash" +## +## Container image embedding (for offline use) +## + +# Images used by our custom manifests +[[containers]] +source = "docker.io/library/haproxy:latest" + +[[containers]] +source = "quay.io/nmasse_itix/kiosk-app:latest" + +## +## The following lines are generated using: +## +# sudo dnf install -y microshift-release-info +# RELEASE_FILE=/usr/share/microshift/release/release-$(uname -m).json +# jq -r '.images | .[] | ("[[containers]]\nsource = \"" + . + "\"\n")' "${RELEASE_FILE}" >> $PWD/kiosk.toml.j2 + +[[containers]] +source = "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:00e364011c67e7498c7ba0ee769c97b24e43b0b3863ec39860ea05fb7c15c279" + +[[containers]] +source = "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:b0c6e2b7672e5d959a506baa803e18e6c0d73fdfe7534ae28c61f69583e5e5ec" + +[[containers]] +source = "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:f699172cd627b0babbc67878fd78883648a1f8bd9c82441e875b67a9c8f5b71a" + +[[containers]] +source = "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:41cf2f6ddbe07a2356bada1196f1f09804bc2ff8b5b588117190ef4e8028f8b2" + +[[containers]] +source = "registry.access.redhat.com/ubi8/openssl@sha256:9e743d947be073808f7f1750a791a3dbd81e694e37161e8c6c6057c2c342d671" + +[[containers]] +source = "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:33745f0814b401a1dfd89ba9bdf374e52521f175d0578cab4900afbd70eff3cb" + +[[containers]] +source = "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:0f6ec1e4ec9138491cd9c6b49038c49eabc1e9116a25e5be6ddc709a36339383" + +[[containers]] +source = "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:01c9e7fffa1e6c0cc6b1ded0f8c381ac00a6f34699f1281ac477657717806fe6" + +[[containers]] +source = "registry.redhat.io/lvms4/topolvm-rhel9@sha256:d0c039eba8157965b0a7971ad4e01576d2c1e31b09fe938554163b324cc4dc73" + +[[containers]] +source = 
"registry.redhat.io/openshift4/ose-csi-node-driver-registrar@sha256:caa0bbab808d8cbed476e8fa3e296ceb90f8d7d253e36588fa77e639ea389d55" + +[[containers]] +source = "registry.redhat.io/openshift4/ose-csi-livenessprobe@sha256:829a8e4d34404abbd22fddb6ebfa0f74daa55f2697fb147da77b83fc8b473d8c" + +[[containers]] +source = "registry.redhat.io/openshift4/ose-csi-external-resizer@sha256:7ee0257998b7f804fcde9c095b4dc240c510eb316d7223e8485f701b5c9f2fbf" + +[[containers]] +source = "registry.redhat.io/openshift4/ose-csi-external-provisioner@sha256:b453a5c76ba4e975a978e31a51531b1d6233723b0d944622caf7844dedf9ad5a" + +[[containers]] +source = "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1ac24a4cc03b5c7fa8c6be5f4de9c9fdc946ddb302f0c028264bcfeea097fbf9" + +[[containers]] +source = "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:9b20f6fdc6a4c62300eabbf967ed798ca6a3f5d43a067df4774ec76c5b038656" + +[[containers]] +source = "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:43b98f22d7383fbd10fcbf271c1a55f5ce90a7e89b5ffe390458cc772ce5a4a9" diff --git a/rpms/SOURCES/.gitignore b/rpms/SOURCES/.gitignore index 6ec41f8..3e77340 100644 --- a/rpms/SOURCES/.gitignore +++ b/rpms/SOURCES/.gitignore @@ -1 +1,2 @@ custom-ca.key +haproxy-tls.key diff --git a/rpms/SOURCES/haproxy-tls.crt b/rpms/SOURCES/haproxy-tls.crt new file mode 100644 index 0000000..ea4df2e --- /dev/null +++ b/rpms/SOURCES/haproxy-tls.crt 
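Review bot: The two images added for the custom manifests use floating tags (`docker.io/library/haproxy:latest` and `quay.io/nmasse_itix/kiosk-app:latest`) while every OpenShift image in the same hunk is pinned by `@sha256:` digest, so what gets embedded in the ostree is not reproducible and cannot be checked against what the manifests later resolve. Pin both by digest, e.g. `source = "docker.io/library/haproxy@sha256:<digest-placeholder>"`, and use the same digest reference in the Deployment manifests so the embedded image is the one actually run. The generated list below also depends on the `microshift-release-info` package installed on the build host rather than on the `microshift` version pinned earlier in this file; a comment stating that both must be refreshed together would prevent a silent mismatch.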
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDEzCCAfugAwIBAgIUIQ84bKRNUKGP+FcOZLrRrGFaR8MwDQYJKoZIhvcNAQEL
+BQAwEDEOMAwGA1UEAwwFa2lvc2swHhcNMjQwNTMwMTkxMDQyWhcNMzMxMjI5MTkx
+MDQyWjAQMQ4wDAYDVQQDDAVraW9zazCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBANVf4atqDze/w7JT7iUma8HwQ6EElknAu3iuu0o5nCVgfeHNPV2J+6WS
+tx/SS4tClMCcgxFu+xkmEvMEmVVlwyhxuUFCjqmjaJ1rWf8U+sfytVybXeH9ANVU
+8XyvyQD6+MR4x/rQHFleqNsbgfnx/+I2R90SatAk/D+9cEaDz5dzedvxx9UZEARH
+BdCNy1AD1atriDhoHj5JpV91bPEF+S65rToDdiH+pRycpvq2+yJ2RnzfPDO+s9XV
+MIVhtcV1ge0brq71cCmG30I/4s/owV//LYofNcmJM5iBK3mc9G11BFUClQinZs1m
+hDiNfd6VpIdgBCQbOqdRMicZzh3r1R0CAwEAAaNlMGMwHQYDVR0OBBYEFLVmzWG0
+Hq6wBDfU9VXtw2h/C8woMB8GA1UdIwQYMBaAFLVmzWG0Hq6wBDfU9VXtw2h/C8wo
+MA8GA1UdEwEB/wQFMAMBAf8wEAYDVR0RBAkwB4IFa2lvc2swDQYJKoZIhvcNAQEL
+BQADggEBAMIbqF4rhkuo6T3wMIMsOsCqTQtfjiRyGvtsthLX9nZIfV5+Pc5g8z25
+VyND4/g+xDgKLeNw/ZMWIPYDuV+LuKP1rYzCMV9JdZO4212Ir3AKmt7LHcRG1WWD
+lxJ4TzoLK1S5tHJXpCnh8ahQHOj+Cf7Bb1lVF+gIBl/wsv/pF5GxE5o/UZlopvjA
+BrGzSn+R0O8pozvvOVrFUQp7Qk4WmT304HYidvdUztXTlaBWc7ES2RlrMq9DXTeU
+X3OmIbMxQMfkPv/x/wPizoF5K6wY/pQSZDO4UlIH6ms2MNqWn9hv/oJ/SjRtOhSZ
+dQRf/WWSd7HGvcgxLirsSYOpxvcO6UQ=
+-----END CERTIFICATE-----
diff --git a/rpms/SOURCES/kiosk-app b/rpms/SOURCES/kiosk-app
index bf9b394..7e50f1b 100644
--- a/rpms/SOURCES/kiosk-app
+++ b/rpms/SOURCES/kiosk-app
@@ -2,9 +2,12 @@ set -Eeuo pipefail -while ! curl -sf --connect-timeout 5 --expect100-timeout 5 "$KIOSK_URL"; do +# Set the keyboard to French layout +setxkbmap -model pc104 -layout fr,fr + +while ! curl -sf --connect-timeout 5 --expect100-timeout 5 --resolve "$KIOSK_HOSTNAME:443:$KIOSK_IP" "$KIOSK_URL"; do echo "Waiting for the Kiosk APP to become available..." sleep 10 done -exec /usr/bin/google/chrome/chrome --password-store=basic --no-default-browser-check --no-first-run --ash-no-nudges --disable-search-engine-choice-screen -kiosk "$KIOSK_URL" +exec /usr/bin/google/chrome/chrome --host-resolver-rules="MAP $KIOSK_HOSTNAME $KIOSK_IP" --password-store=basic --no-default-browser-check --no-first-run --ash-no-nudges --disable-search-engine-choice-screen -kiosk "$KIOSK_URL" diff --git a/rpms/SOURCES/kiosk-environment b/rpms/SOURCES/kiosk-environment index 47ec70f..ddded60 100644 --- a/rpms/SOURCES/kiosk-environment +++ b/rpms/SOURCES/kiosk-environment @@ -1 +1,3 @@ -export KIOSK_URL=http://10.43.191.230/ +export KIOSK_URL=https://kiosk/ +export KIOSK_HOSTNAME=kiosk +export KIOSK_IP="10.43.191.230" diff --git a/rpms/SOURCES/microshift-main-manifest.yaml b/rpms/SOURCES/microshift-main-manifest.yaml index 51708e0..045c2d2 100644 --- a/rpms/SOURCES/microshift-main-manifest.yaml +++ b/rpms/SOURCES/microshift-main-manifest.yaml 
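Review bot: The new `setxkbmap -model pc104 -layout fr,fr` runs under `set -Eeuo pipefail`, so if it fails (no usable display yet, binary missing) the launcher exits before the curl wait loop and Chrome are ever reached; a keyboard-layout failure is worth logging but not worth taking the kiosk down for, e.g. `setxkbmap -model pc104 -layout fr || echo "Warning: could not set keyboard layout" >&2`. The repeated `fr,fr` in `-layout` also looks accidental — a single `fr` gives the same result unless a second layout group is intended, in which case a comment should say so.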
@@ -35,28 +35,104 @@ data: timeout check 10s maxconn 3000 - frontend webserver - bind 0.0.0.0:8080 + frontend api + bind 0.0.0.0:8443 ssl crt /usr/local/etc/haproxy-tls/haproxy-tls.pem + default_backend api_main + + backend api_main + http-request set-header Host redhat-kiosk-app.netlify.app + balance roundrobin + # IP Addresses of the Netlify's APEX Load Balancer (apex-loadbalancer.netlify.com) + server svc-main1 75.2.60.5:443 check ssl sni str(redhat-kiosk-app.netlify.app) + server svc-main2 99.83.231.61:443 check ssl sni str(redhat-kiosk-app.netlify.app) + + frontend web + bind 0.0.0.0:1443 ssl crt /usr/local/etc/haproxy-tls/haproxy-tls.pem # The following configuration monitors availability of the main backend # and if there is no more available servers in the main backend (online), # it redirects to the backup backend (local). - acl main_service_failed nbsrv(appserver_main) le 0 - use_backend appserver_backup if main_service_failed - default_backend appserver_main + acl main_service_failed nbsrv(web_main) le 0 + use_backend web_backup if main_service_failed + default_backend web_main - backend appserver_main + backend web_main http-request set-header Host redhat-kiosk-app.netlify.app balance roundrobin # IP Addresses of the Netlify's APEX Load Balancer (apex-loadbalancer.netlify.com) server svc-main1 75.2.60.5:443 check ssl sni str(redhat-kiosk-app.netlify.app) server svc-main2 99.83.231.61:443 check ssl sni str(redhat-kiosk-app.netlify.app) - backend appserver_backup + backend web_backup http-request set-header Host kiosk-app.kiosk-app.svc.cluster.local balance roundrobin server svc-backup1 kiosk-app:8080 check --- +apiVersion: v1 +kind: Secret +metadata: + name: haproxy + namespace: kiosk-app +stringData: + ## + ## The TLS certificate of haproxy has been generated with : + ## + # + # openssl req -nodes -keyout haproxy-tls.key -out haproxy-tls.crt -x509 -subj '/CN=kiosk' -days 3500 -addext 'subjectAltName = DNS:kiosk' + # cat haproxy-tls.key haproxy-tls.crt > 
haproxy-tls.pem + # + ## + ## You also need to inject it into the system truststore (see ca-certificates-custom RPM) + ## + haproxy-tls.pem: | + -----BEGIN PRIVATE KEY----- + MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDVX+Grag83v8Oy + U+4lJmvB8EOhBJZJwLt4rrtKOZwlYH3hzT1difulkrcf0kuLQpTAnIMRbvsZJhLz + BJlVZcMocblBQo6po2ida1n/FPrH8rVcm13h/QDVVPF8r8kA+vjEeMf60BxZXqjb + G4H58f/iNkfdEmrQJPw/vXBGg8+Xc3nb8cfVGRAERwXQjctQA9Wra4g4aB4+SaVf + dWzxBfkuua06A3Yh/qUcnKb6tvsidkZ83zwzvrPV1TCFYbXFdYHtG66u9XApht9C + P+LP6MFf/y2KHzXJiTOYgSt5nPRtdQRVApUIp2bNZoQ4jX3elaSHYAQkGzqnUTIn + Gc4d69UdAgMBAAECggEAMIGgCTpOpFNNVzRaToq583g9v5SN381XMPuz6w9Grn6N + j2/7c9DC6uR8CdliQBHORC0wZJ2wqoprw2A3xWChaYfU3/+T8/+IcETvzBvGWP8V + eKx/Prkn39d0IG7LyJPFStDUUXHPCAgLZegOd7YqgA/r7Vda/d9yksDrjbQ4VIrL + C8+O0G9OwQtHVGkWrkX5H7fVtUh5Zsj+sd3JrBrJF7z2M9Z68igeCzj0uyh1PwdW + Hqr30HjF1BODLJsKNSgk+QU2mmI+mpLftbs/JNE7uW2shIF8C8wVm448EmLqDa5d + ZRnzI84HIEGZQtnM7vU7UuD2A4Uo3hCjjigezjTbxwKBgQDv6tqpRA9Z9t/6Vgf4 + pyYMrNtHwrc5rRXRs4p6TlrUIXh6xnSm0VceQQQt/Ux1kz0LBs2ytr/es9aaF1RZ + iALyRE9YfVt9FPvlEsDxpeMA7wBriLmaEf72JZp/ewqaBLqicTYF+urAQHtLe1HF + 5fAh3I/brzJc3cwiHc+ci+Ji9wKBgQDjrYinTMbQkXPs9V1uzak1BS373QjdxoXb + yMbc6wSc5wEoQ+6kjY7opg22bPBPSZIz9fWodie21VF/5Hb4SJN0p08E9+UkbJaw + 8QLHwI5Cx5/q46CfRw7pQAIGX+VmOrR4W2u2LMIBF1CgXs/dc4/UTS2rX7G+1Ake + uzC6quFviwKBgQCbtjra1xB7nE48JLAhwyJf4aSkS40twtfBdZyvysEKovqV/M3j + I0U+noX+70I7oSdiS7Ufg5q+CMyE0BVv0mXPJWS2Ew5Y/VCLmYNekwLlLTmBkYic + pYdr7HX8vTfhRKZ5Ha8pbHQF+RPMpqopHhafc45uz6OJQG7nyZ9ghC2XewKBgQCC + jeOqa3Al8QIUgq5M90lryciQgDKxWUEwwnSmAW3nut8DA9E4MqQb6/w4+0bhcEKR + 4Rw4uWgUg0X0nEFMJfHIFphNNQkEVfAjDlCV0mjBCk89FcHpE4oNXlLK7PpSIJ+T + 1HhzQj8M+R2WmEeBqN500ry5ZGo8DsIcCSLsJ0iV+QKBgQDLro+O6PtLIVS3HuLz + vjl8mdq6bp/E1x4caW28/ndrE0kyPXdQaTUmCN9vua4AvpHd+sGRqlf7yAdOv0xJ + hHzmZYLlfkGcLMgyYuxWQCW+NdU9mopbNYCNQM4/g58E3KqH0w7OiBR0ZbCEQSc8 + O2HIRGcFIGSoeFP13/GpNTL19Q== + -----END PRIVATE KEY----- + -----BEGIN CERTIFICATE----- + 
MIIDEzCCAfugAwIBAgIUIQ84bKRNUKGP+FcOZLrRrGFaR8MwDQYJKoZIhvcNAQEL + BQAwEDEOMAwGA1UEAwwFa2lvc2swHhcNMjQwNTMwMTkxMDQyWhcNMzMxMjI5MTkx + MDQyWjAQMQ4wDAYDVQQDDAVraW9zazCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC + AQoCggEBANVf4atqDze/w7JT7iUma8HwQ6EElknAu3iuu0o5nCVgfeHNPV2J+6WS + tx/SS4tClMCcgxFu+xkmEvMEmVVlwyhxuUFCjqmjaJ1rWf8U+sfytVybXeH9ANVU + 8XyvyQD6+MR4x/rQHFleqNsbgfnx/+I2R90SatAk/D+9cEaDz5dzedvxx9UZEARH + BdCNy1AD1atriDhoHj5JpV91bPEF+S65rToDdiH+pRycpvq2+yJ2RnzfPDO+s9XV + MIVhtcV1ge0brq71cCmG30I/4s/owV//LYofNcmJM5iBK3mc9G11BFUClQinZs1m + hDiNfd6VpIdgBCQbOqdRMicZzh3r1R0CAwEAAaNlMGMwHQYDVR0OBBYEFLVmzWG0 + Hq6wBDfU9VXtw2h/C8woMB8GA1UdIwQYMBaAFLVmzWG0Hq6wBDfU9VXtw2h/C8wo + MA8GA1UdEwEB/wQFMAMBAf8wEAYDVR0RBAkwB4IFa2lvc2swDQYJKoZIhvcNAQEL + BQADggEBAMIbqF4rhkuo6T3wMIMsOsCqTQtfjiRyGvtsthLX9nZIfV5+Pc5g8z25 + VyND4/g+xDgKLeNw/ZMWIPYDuV+LuKP1rYzCMV9JdZO4212Ir3AKmt7LHcRG1WWD + lxJ4TzoLK1S5tHJXpCnh8ahQHOj+Cf7Bb1lVF+gIBl/wsv/pF5GxE5o/UZlopvjA + BrGzSn+R0O8pozvvOVrFUQp7Qk4WmT304HYidvdUztXTlaBWc7ES2RlrMq9DXTeU + X3OmIbMxQMfkPv/x/wPizoF5K6wY/pQSZDO4UlIH6ms2MNqWn9hv/oJ/SjRtOhSZ + dQRf/WWSd7HGvcgxLirsSYOpxvcO6UQ= + -----END CERTIFICATE----- +--- apiVersion: apps/v1 kind: Deployment metadata: @@ -74,17 +150,24 @@ spec: spec: containers: - name: haproxy - image: haproxy:latest + image: docker.io/library/haproxy:latest + imagePullPolicy: IfNotPresent volumeMounts: - name: config-volume mountPath: /usr/local/etc/haproxy/haproxy.cfg subPath: haproxy.cfg + - name: tls-volume + mountPath: /usr/local/etc/haproxy-tls/ ports: - - containerPort: 8080 + - containerPort: 1443 + - containerPort: 8443 volumes: - name: config-volume configMap: name: haproxy + - name: tls-volume + secret: + secretName: haproxy --- apiVersion: v1 kind: Service @@ -98,9 +181,14 @@ spec: ipFamilyPolicy: SingleStack clusterIP: 10.43.191.230 ports: - - port: 80 + - name: web + port: 443 protocol: TCP - targetPort: 8080 + targetPort: 1443 + - name: api + port: 8443 + protocol: TCP + targetPort: 8443 selector: app: haproxy --- 
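Review bot: The new `Secret` named `haproxy` embeds the haproxy private key in clear text in `stringData.haproxy-tls.pem`, so the key is committed to the repository even though this same commit adds `haproxy-tls.key` to `rpms/SOURCES/.gitignore`; the ignore entry protects nothing while the key lives in this manifest. Keep only the certificate in version control and provision the Secret out of band (for example a `kubectl create secret tls` step at install time, or a file the RPM reads from a path outside the repository), and treat the key already committed here as exposed and regenerate it. The `frontend api` on 8443 also duplicates the Netlify backend definition of `web_main` but without the `web_backup` fallback; if that is deliberate, a comment saying why the API path must not fail over to the local service would help the next reader.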
@@ -122,6 +210,7 @@ spec: containers: - name: kiosk-app image: quay.io/nmasse_itix/kiosk-app:latest + imagePullPolicy: IfNotPresent ports: - containerPort: 8080 --- diff --git a/rpms/SPECS/ca-certificates-custom.spec b/rpms/SPECS/ca-certificates-custom.spec index 8a4ddbe..ce56825 100644 --- a/rpms/SPECS/ca-certificates-custom.spec +++ b/rpms/SPECS/ca-certificates-custom.spec @@ -4,6 +4,7 @@ Release: rh1 Summary: Custom CA Certificates License: BSD Source0: custom-ca.crt +Source1: haproxy-tls.crt Requires(post): ca-certificates Requires(postun): ca-certificates BuildArch: noarch @@ -20,14 +21,17 @@ Custom CA certificates ## # openssl req -new -nodes -keyout custom-ca.key -out custom-ca.crt -x509 -subj '/CN=Custom CA' cp %{S:0} custom-ca.crt +cp %{S:1} haproxy-tls.crt %build %install install -m 0644 -D custom-ca.crt %{buildroot}/etc/pki/ca-trust/source/anchors/custom-ca.crt +install -m 0644 -D haproxy-tls.crt %{buildroot}/etc/pki/ca-trust/source/anchors/haproxy-tls.crt %files %config %attr(0644, root, root) /etc/pki/ca-trust/source/anchors/custom-ca.crt +%config %attr(0644, root, root) /etc/pki/ca-trust/source/anchors/haproxy-tls.crt %post ##
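Review bot: `haproxy-tls.crt` is installed into `/etc/pki/ca-trust/source/anchors/`, which makes the haproxy server certificate itself a trust anchor on the kiosk; that certificate (added as `rpms/SOURCES/haproxy-tls.crt` in this commit) was produced with `openssl req -x509`, which emits basicConstraints CA:TRUE by default and its encoded basicConstraints extension appears to confirm that, and its private key is stored in the cluster Secret, so anyone holding that key can issue certificates for any name the kiosk will accept, not just `kiosk`. A narrower design is to sign the haproxy certificate with the `custom-ca.crt` this package already anchors and not anchor the leaf at all; if the self-signed certificate is kept, regenerate it with `-addext 'basicConstraints = CA:FALSE'` and add a comment above the new `install` line explaining why a leaf certificate is being anchored. The `%post`/`%postun` trust-store refresh presumably already covers the new file since it runs for the package as a whole, but that section is outside the hunk — confirm.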