tls + custom dns + french keyboard + container image embedding

2 years ago · a4ee1575c7
10 changed files with 241 additions and 16 deletions
--- a/ansible/group_vars/all/devices.yaml
+++ b/ansible/group_vars/all/devices.yaml
@ -1,8 +1,15 @@
 kickstart_devices:
- hostname: kiosk.localdomain
+- hostname: kiosk.vm
+  storage:
+    root_disk: /dev/vda
+  network:
+    bootproto: dhcp
+    interface: enp1s0
+- hostname: kiosk.baremetal
  storage:
    root_disk: /dev/disk/by-path/pci-0000:00:12.0-ata-1
  network:
+    bootproto: static
    interface: enp1s0
    ip_address: 192.168.122.23
    netmask: 255.255.255.0
--- a/ansible/prerequisites.yaml
+++ b/ansible/prerequisites.yaml
@ -146,3 +146,27 @@
      - python3-toml
      state: installed
    delegate_to: localhost
+
+  - name: Create /etc/osbuild-worker
+    file:
+      path: /etc/osbuild-worker
+      state: directory
+
+  - name: Create /etc/osbuild-worker/osbuild-worker.toml
+    copy:
+      content: |
+        [containers]
+        auth_file_path = "/etc/osbuild-worker/pull-secret.json"
+      dest: /etc/osbuild-worker/osbuild-worker.toml
+
+  - name: Create /etc/osbuild-worker/pull-secret.json
+    copy:
+      content: |
+        {{ kickstart_microshift_pull_secret }}
+      dest: /etc/osbuild-worker/pull-secret.json
+      mode: 0600
+
+  - name: restart the worker
+    systemd:
+      name: osbuild-worker@1
+      state: restarted
--- a/ansible/templates/kiosk.ks.j2
+++ b/ansible/templates/kiosk.ks.j2
@ -36,7 +36,11 @@ logvol /  --fstype="xfs" --size=10240 --name=root --vgname=rhel
 ##

 # Configure the first network device
+{% if device.network.bootproto == "static" %}
 network  --bootproto=static --ip={{ device.network.ip_address }} --netmask={{ device.network.netmask }} --gateway={{ device.network.gateway }} --nameserver={{ device.network.dns }} --device={{ device.network.interface }} --noipv6 --activate
+{% else %}
+network  --bootproto=dhcp --device={{ device.network.interface }} --noipv6 --activate
+{% endif %}

 # Configure hostname
 network  --hostname={{ device.hostname }}
--- a/ansible/templates/kiosk.toml.j2
+++ b/ansible/templates/kiosk.toml.j2
@ -11,6 +11,13 @@ version = "*"
 [[packages]]
 name = "cockpit"

+[[packages]]
+name = "microshift"
+
+# Because we embed microshift images in the ostree, we have to pin
+# the microshift version number here.
+version = "4.14.27-202405231223.p0.g45fddd1.assembly.4.14.27.el9"
+
 [[packages]]
 name = "microshift-manifests"
 version = "*"
@ -26,7 +33,7 @@ name = "cockpit-system"
 hostname = "kiosk.local"

 [customizations.services]
-enabled = ["cockpit.socket", "sshd", "microshift", "rpm-ostreed", "rpm-ostreed-automatic.timer"]
+enabled = ["chronyd", "cockpit.socket", "sshd", "microshift", "rpm-ostreed", "rpm-ostreed-automatic.timer"]

 [customizations.timezone]
 timezone = "Europe/Paris"
@ -76,3 +83,68 @@ password = '{{ blueprint_kiosk_password_hash }}'
 home = "/home/kiosk/"
 shell = "/bin/bash"

+##
+## Container image embedding (for offline use)
+##
+
+# Images used by our custom manifests
+[[containers]]
+source = "docker.io/library/haproxy:latest"
+
+[[containers]]
+source = "quay.io/nmasse_itix/kiosk-app:latest"
+
+##
+## The following lines are generated using:
+##
+# sudo dnf install -y microshift-release-info
+# RELEASE_FILE=/usr/share/microshift/release/release-$(uname -m).json
+# jq -r '.images | .[] | ("[[containers]]\nsource = \"" + . + "\"\n")' "${RELEASE_FILE}" >> $PWD/kiosk.toml.j2
+
+[[containers]]
+source = "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:00e364011c67e7498c7ba0ee769c97b24e43b0b3863ec39860ea05fb7c15c279"
+
+[[containers]]
+source = "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:b0c6e2b7672e5d959a506baa803e18e6c0d73fdfe7534ae28c61f69583e5e5ec"
+
+[[containers]]
+source = "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:f699172cd627b0babbc67878fd78883648a1f8bd9c82441e875b67a9c8f5b71a"
+
+[[containers]]
+source = "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:41cf2f6ddbe07a2356bada1196f1f09804bc2ff8b5b588117190ef4e8028f8b2"
+
+[[containers]]
+source = "registry.access.redhat.com/ubi8/openssl@sha256:9e743d947be073808f7f1750a791a3dbd81e694e37161e8c6c6057c2c342d671"
+
+[[containers]]
+source = "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:33745f0814b401a1dfd89ba9bdf374e52521f175d0578cab4900afbd70eff3cb"
+
+[[containers]]
+source = "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:0f6ec1e4ec9138491cd9c6b49038c49eabc1e9116a25e5be6ddc709a36339383"
+
+[[containers]]
+source = "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:01c9e7fffa1e6c0cc6b1ded0f8c381ac00a6f34699f1281ac477657717806fe6"
+
+[[containers]]
+source = "registry.redhat.io/lvms4/topolvm-rhel9@sha256:d0c039eba8157965b0a7971ad4e01576d2c1e31b09fe938554163b324cc4dc73"
+
+[[containers]]
+source = "registry.redhat.io/openshift4/ose-csi-node-driver-registrar@sha256:caa0bbab808d8cbed476e8fa3e296ceb90f8d7d253e36588fa77e639ea389d55"
+
+[[containers]]
+source = "registry.redhat.io/openshift4/ose-csi-livenessprobe@sha256:829a8e4d34404abbd22fddb6ebfa0f74daa55f2697fb147da77b83fc8b473d8c"
+
+[[containers]]
+source = "registry.redhat.io/openshift4/ose-csi-external-resizer@sha256:7ee0257998b7f804fcde9c095b4dc240c510eb316d7223e8485f701b5c9f2fbf"
+
+[[containers]]
+source = "registry.redhat.io/openshift4/ose-csi-external-provisioner@sha256:b453a5c76ba4e975a978e31a51531b1d6233723b0d944622caf7844dedf9ad5a"
+
+[[containers]]
+source = "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1ac24a4cc03b5c7fa8c6be5f4de9c9fdc946ddb302f0c028264bcfeea097fbf9"
+
+[[containers]]
+source = "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:9b20f6fdc6a4c62300eabbf967ed798ca6a3f5d43a067df4774ec76c5b038656"
+
+[[containers]]
+source = "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:43b98f22d7383fbd10fcbf271c1a55f5ce90a7e89b5ffe390458cc772ce5a4a9"
--- a/rpms/SOURCES/.gitignore
+++ b/rpms/SOURCES/.gitignore
@ -1 +1,2 @@
 custom-ca.key
+haproxy-tls.key
--- a/rpms/SOURCES/haproxy-tls.crt
+++ b/rpms/SOURCES/haproxy-tls.crt
@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDEzCCAfugAwIBAgIUIQ84bKRNUKGP+FcOZLrRrGFaR8MwDQYJKoZIhvcNAQEL
+BQAwEDEOMAwGA1UEAwwFa2lvc2swHhcNMjQwNTMwMTkxMDQyWhcNMzMxMjI5MTkx
+MDQyWjAQMQ4wDAYDVQQDDAVraW9zazCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBANVf4atqDze/w7JT7iUma8HwQ6EElknAu3iuu0o5nCVgfeHNPV2J+6WS
+tx/SS4tClMCcgxFu+xkmEvMEmVVlwyhxuUFCjqmjaJ1rWf8U+sfytVybXeH9ANVU
+8XyvyQD6+MR4x/rQHFleqNsbgfnx/+I2R90SatAk/D+9cEaDz5dzedvxx9UZEARH
+BdCNy1AD1atriDhoHj5JpV91bPEF+S65rToDdiH+pRycpvq2+yJ2RnzfPDO+s9XV
+MIVhtcV1ge0brq71cCmG30I/4s/owV//LYofNcmJM5iBK3mc9G11BFUClQinZs1m
+hDiNfd6VpIdgBCQbOqdRMicZzh3r1R0CAwEAAaNlMGMwHQYDVR0OBBYEFLVmzWG0
+Hq6wBDfU9VXtw2h/C8woMB8GA1UdIwQYMBaAFLVmzWG0Hq6wBDfU9VXtw2h/C8wo
+MA8GA1UdEwEB/wQFMAMBAf8wEAYDVR0RBAkwB4IFa2lvc2swDQYJKoZIhvcNAQEL
+BQADggEBAMIbqF4rhkuo6T3wMIMsOsCqTQtfjiRyGvtsthLX9nZIfV5+Pc5g8z25
+VyND4/g+xDgKLeNw/ZMWIPYDuV+LuKP1rYzCMV9JdZO4212Ir3AKmt7LHcRG1WWD
+lxJ4TzoLK1S5tHJXpCnh8ahQHOj+Cf7Bb1lVF+gIBl/wsv/pF5GxE5o/UZlopvjA
+BrGzSn+R0O8pozvvOVrFUQp7Qk4WmT304HYidvdUztXTlaBWc7ES2RlrMq9DXTeU
+X3OmIbMxQMfkPv/x/wPizoF5K6wY/pQSZDO4UlIH6ms2MNqWn9hv/oJ/SjRtOhSZ
+dQRf/WWSd7HGvcgxLirsSYOpxvcO6UQ=
+-----END CERTIFICATE-----
--- a/rpms/SOURCES/kiosk-app
+++ b/rpms/SOURCES/kiosk-app
@ -2,9 +2,12 @@

 set -Eeuo pipefail

-while ! curl -sf --connect-timeout 5 --expect100-timeout 5 "$KIOSK_URL"; do
+# Set the keyboard to French layout
+setxkbmap -model pc104 -layout fr,fr
+
+while ! curl -sf --connect-timeout 5 --expect100-timeout 5 --resolve "$KIOSK_HOSTNAME:443:$KIOSK_IP" "$KIOSK_URL"; do
    echo "Waiting for the Kiosk APP to become available..."
    sleep 10
 done

-exec /usr/bin/google/chrome/chrome --password-store=basic --no-default-browser-check --no-first-run --ash-no-nudges --disable-search-engine-choice-screen -kiosk "$KIOSK_URL"
+exec /usr/bin/google/chrome/chrome --host-resolver-rules="MAP $KIOSK_HOSTNAME $KIOSK_IP" --password-store=basic --no-default-browser-check --no-first-run --ash-no-nudges --disable-search-engine-choice-screen -kiosk "$KIOSK_URL"
--- a/rpms/SOURCES/kiosk-environment
+++ b/rpms/SOURCES/kiosk-environment
@ -1 +1,3 @@
-export KIOSK_URL=http://10.43.191.230/
+export KIOSK_URL=https://kiosk/
+export KIOSK_HOSTNAME=kiosk
+export KIOSK_IP="10.43.191.230"
--- a/rpms/SOURCES/microshift-main-manifest.yaml
+++ b/rpms/SOURCES/microshift-main-manifest.yaml
@ -35,28 +35,104 @@ data:
        timeout check           10s
        maxconn                 3000

-    frontend webserver
-      bind 0.0.0.0:8080
+    frontend api
+      bind 0.0.0.0:8443 ssl crt /usr/local/etc/haproxy-tls/haproxy-tls.pem
+      default_backend api_main
+
+    backend api_main
+      http-request set-header Host redhat-kiosk-app.netlify.app
+      balance roundrobin
+      # IP Addresses of the Netlify's APEX Load Balancer (apex-loadbalancer.netlify.com)
+      server svc-main1 75.2.60.5:443 check ssl sni str(redhat-kiosk-app.netlify.app)
+      server svc-main2 99.83.231.61:443 check ssl sni str(redhat-kiosk-app.netlify.app)
+
+    frontend web
+      bind 0.0.0.0:1443 ssl crt /usr/local/etc/haproxy-tls/haproxy-tls.pem

      # The following configuration monitors availability of the main backend
      # and if there is no more available servers in the main backend (online),
      # it redirects to the backup backend (local).
-      acl main_service_failed nbsrv(appserver_main) le 0
-      use_backend appserver_backup if main_service_failed
-      default_backend appserver_main
+      acl main_service_failed nbsrv(web_main) le 0
+      use_backend web_backup if main_service_failed
+      default_backend web_main

-    backend appserver_main
+    backend web_main
      http-request set-header Host redhat-kiosk-app.netlify.app
      balance roundrobin
      # IP Addresses of the Netlify's APEX Load Balancer (apex-loadbalancer.netlify.com)
      server svc-main1 75.2.60.5:443 check ssl sni str(redhat-kiosk-app.netlify.app)
      server svc-main2 99.83.231.61:443 check ssl sni str(redhat-kiosk-app.netlify.app)

-    backend appserver_backup 
+    backend web_backup
      http-request set-header Host kiosk-app.kiosk-app.svc.cluster.local
      balance roundrobin
      server svc-backup1 kiosk-app:8080 check
 ---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: haproxy
+  namespace: kiosk-app
+stringData:
+  ##
+  ## The TLS certificate of haproxy has been generated with :
+  ##
+  #
+  # openssl req -nodes -keyout haproxy-tls.key -out haproxy-tls.crt -x509 -subj '/CN=kiosk' -days 3500 -addext 'subjectAltName = DNS:kiosk'
+  # cat haproxy-tls.key haproxy-tls.crt > haproxy-tls.pem
+  #
+  ##
+  ## You also need to inject it into the system truststore (see ca-certificates-custom RPM)
+  ##
+  haproxy-tls.pem: |
+    -----BEGIN PRIVATE KEY-----
+    MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDVX+Grag83v8Oy
+    U+4lJmvB8EOhBJZJwLt4rrtKOZwlYH3hzT1difulkrcf0kuLQpTAnIMRbvsZJhLz
+    BJlVZcMocblBQo6po2ida1n/FPrH8rVcm13h/QDVVPF8r8kA+vjEeMf60BxZXqjb
+    G4H58f/iNkfdEmrQJPw/vXBGg8+Xc3nb8cfVGRAERwXQjctQA9Wra4g4aB4+SaVf
+    dWzxBfkuua06A3Yh/qUcnKb6tvsidkZ83zwzvrPV1TCFYbXFdYHtG66u9XApht9C
+    P+LP6MFf/y2KHzXJiTOYgSt5nPRtdQRVApUIp2bNZoQ4jX3elaSHYAQkGzqnUTIn
+    Gc4d69UdAgMBAAECggEAMIGgCTpOpFNNVzRaToq583g9v5SN381XMPuz6w9Grn6N
+    j2/7c9DC6uR8CdliQBHORC0wZJ2wqoprw2A3xWChaYfU3/+T8/+IcETvzBvGWP8V
+    eKx/Prkn39d0IG7LyJPFStDUUXHPCAgLZegOd7YqgA/r7Vda/d9yksDrjbQ4VIrL
+    C8+O0G9OwQtHVGkWrkX5H7fVtUh5Zsj+sd3JrBrJF7z2M9Z68igeCzj0uyh1PwdW
+    Hqr30HjF1BODLJsKNSgk+QU2mmI+mpLftbs/JNE7uW2shIF8C8wVm448EmLqDa5d
+    ZRnzI84HIEGZQtnM7vU7UuD2A4Uo3hCjjigezjTbxwKBgQDv6tqpRA9Z9t/6Vgf4
+    pyYMrNtHwrc5rRXRs4p6TlrUIXh6xnSm0VceQQQt/Ux1kz0LBs2ytr/es9aaF1RZ
+    iALyRE9YfVt9FPvlEsDxpeMA7wBriLmaEf72JZp/ewqaBLqicTYF+urAQHtLe1HF
+    5fAh3I/brzJc3cwiHc+ci+Ji9wKBgQDjrYinTMbQkXPs9V1uzak1BS373QjdxoXb
+    yMbc6wSc5wEoQ+6kjY7opg22bPBPSZIz9fWodie21VF/5Hb4SJN0p08E9+UkbJaw
+    8QLHwI5Cx5/q46CfRw7pQAIGX+VmOrR4W2u2LMIBF1CgXs/dc4/UTS2rX7G+1Ake
+    uzC6quFviwKBgQCbtjra1xB7nE48JLAhwyJf4aSkS40twtfBdZyvysEKovqV/M3j
+    I0U+noX+70I7oSdiS7Ufg5q+CMyE0BVv0mXPJWS2Ew5Y/VCLmYNekwLlLTmBkYic
+    pYdr7HX8vTfhRKZ5Ha8pbHQF+RPMpqopHhafc45uz6OJQG7nyZ9ghC2XewKBgQCC
+    jeOqa3Al8QIUgq5M90lryciQgDKxWUEwwnSmAW3nut8DA9E4MqQb6/w4+0bhcEKR
+    4Rw4uWgUg0X0nEFMJfHIFphNNQkEVfAjDlCV0mjBCk89FcHpE4oNXlLK7PpSIJ+T
+    1HhzQj8M+R2WmEeBqN500ry5ZGo8DsIcCSLsJ0iV+QKBgQDLro+O6PtLIVS3HuLz
+    vjl8mdq6bp/E1x4caW28/ndrE0kyPXdQaTUmCN9vua4AvpHd+sGRqlf7yAdOv0xJ
+    hHzmZYLlfkGcLMgyYuxWQCW+NdU9mopbNYCNQM4/g58E3KqH0w7OiBR0ZbCEQSc8
+    O2HIRGcFIGSoeFP13/GpNTL19Q==
+    -----END PRIVATE KEY-----
+    -----BEGIN CERTIFICATE-----
+    MIIDEzCCAfugAwIBAgIUIQ84bKRNUKGP+FcOZLrRrGFaR8MwDQYJKoZIhvcNAQEL
+    BQAwEDEOMAwGA1UEAwwFa2lvc2swHhcNMjQwNTMwMTkxMDQyWhcNMzMxMjI5MTkx
+    MDQyWjAQMQ4wDAYDVQQDDAVraW9zazCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+    AQoCggEBANVf4atqDze/w7JT7iUma8HwQ6EElknAu3iuu0o5nCVgfeHNPV2J+6WS
+    tx/SS4tClMCcgxFu+xkmEvMEmVVlwyhxuUFCjqmjaJ1rWf8U+sfytVybXeH9ANVU
+    8XyvyQD6+MR4x/rQHFleqNsbgfnx/+I2R90SatAk/D+9cEaDz5dzedvxx9UZEARH
+    BdCNy1AD1atriDhoHj5JpV91bPEF+S65rToDdiH+pRycpvq2+yJ2RnzfPDO+s9XV
+    MIVhtcV1ge0brq71cCmG30I/4s/owV//LYofNcmJM5iBK3mc9G11BFUClQinZs1m
+    hDiNfd6VpIdgBCQbOqdRMicZzh3r1R0CAwEAAaNlMGMwHQYDVR0OBBYEFLVmzWG0
+    Hq6wBDfU9VXtw2h/C8woMB8GA1UdIwQYMBaAFLVmzWG0Hq6wBDfU9VXtw2h/C8wo
+    MA8GA1UdEwEB/wQFMAMBAf8wEAYDVR0RBAkwB4IFa2lvc2swDQYJKoZIhvcNAQEL
+    BQADggEBAMIbqF4rhkuo6T3wMIMsOsCqTQtfjiRyGvtsthLX9nZIfV5+Pc5g8z25
+    VyND4/g+xDgKLeNw/ZMWIPYDuV+LuKP1rYzCMV9JdZO4212Ir3AKmt7LHcRG1WWD
+    lxJ4TzoLK1S5tHJXpCnh8ahQHOj+Cf7Bb1lVF+gIBl/wsv/pF5GxE5o/UZlopvjA
+    BrGzSn+R0O8pozvvOVrFUQp7Qk4WmT304HYidvdUztXTlaBWc7ES2RlrMq9DXTeU
+    X3OmIbMxQMfkPv/x/wPizoF5K6wY/pQSZDO4UlIH6ms2MNqWn9hv/oJ/SjRtOhSZ
+    dQRf/WWSd7HGvcgxLirsSYOpxvcO6UQ=
+    -----END CERTIFICATE-----
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@ -74,17 +150,24 @@ spec:
    spec:
      containers:
      - name: haproxy
-        image: haproxy:latest
+        image: docker.io/library/haproxy:latest
+        imagePullPolicy: IfNotPresent
        volumeMounts:
        - name: config-volume
          mountPath: /usr/local/etc/haproxy/haproxy.cfg
          subPath: haproxy.cfg
+        - name: tls-volume
+          mountPath: /usr/local/etc/haproxy-tls/
        ports:
-        - containerPort: 8080
+        - containerPort: 1443
+        - containerPort: 8443
      volumes:
      - name: config-volume
        configMap:
          name: haproxy
+      - name: tls-volume
+        secret:
+          secretName: haproxy
 ---
 apiVersion: v1
 kind: Service
@ -98,9 +181,14 @@ spec:
  ipFamilyPolicy: SingleStack
  clusterIP: 10.43.191.230
  ports:
-  - port: 80
+  - name: web
+    port: 443
    protocol: TCP
-    targetPort: 8080
+    targetPort: 1443
+  - name: api
+    port: 8443
+    protocol: TCP
+    targetPort: 8443
  selector:
    app: haproxy
 ---
@ -122,6 +210,7 @@ spec:
      containers:
      - name: kiosk-app
        image: quay.io/nmasse_itix/kiosk-app:latest
+        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 8080
 ---
--- a/rpms/SPECS/ca-certificates-custom.spec
+++ b/rpms/SPECS/ca-certificates-custom.spec
@ -4,6 +4,7 @@ Release:    rh1
 Summary:    Custom CA Certificates
 License:    BSD
 Source0:    custom-ca.crt
+Source1:    haproxy-tls.crt
 Requires(post): ca-certificates
 Requires(postun): ca-certificates
 BuildArch:  noarch
@ -20,14 +21,17 @@ Custom CA certificates
 ##
 # openssl req -new -nodes -keyout custom-ca.key -out custom-ca.crt -x509 -subj '/CN=Custom CA'
 cp %{S:0} custom-ca.crt
+cp %{S:1} haproxy-tls.crt

 %build

 %install
 install -m 0644 -D custom-ca.crt %{buildroot}/etc/pki/ca-trust/source/anchors/custom-ca.crt
+install -m 0644 -D haproxy-tls.crt %{buildroot}/etc/pki/ca-trust/source/anchors/haproxy-tls.crt

 %files
 %config %attr(0644, root, root) /etc/pki/ca-trust/source/anchors/custom-ca.crt
+%config %attr(0644, root, root) /etc/pki/ca-trust/source/anchors/haproxy-tls.crt

 %post
 ##