From 17226bf1021ca56fe8cd8800ebfdf8b0c3272109 Mon Sep 17 00:00:00 2001 From: Jason Power Date: Wed, 15 Jan 2025 13:57:14 +0000 Subject: [PATCH] SECURESIGN-55 | Monitoring of Sigstore containers with Cockpit (#112) --- README.md | 12 ++++++ roles/tas_single_node/README.md | 16 ++++++++ roles/tas_single_node/defaults/main.yml | 7 ++++ roles/tas_single_node/meta/argument_specs.yml | 37 +++++++++++++++++++ roles/tas_single_node/tasks/main.yml | 22 +++++++++++ roles/tas_single_node/tasks/os.yml | 8 ---- roles/tas_single_node/vars/main.yml | 7 ---- 7 files changed, 94 insertions(+), 15 deletions(-) diff --git a/README.md b/README.md index be5dd3a9..91a8a9e5 100644 --- a/README.md +++ b/README.md @@ -85,6 +85,18 @@ You can also install a specific version of the collection, for example, if you n ansible-galaxy collection install redhat.artifact_signer:==1.1.0 ``` +### Monitoring of containers with Cockpit +To monitor containers with Cockpit, you need to install the Red Hat Enterprise Linux System Roles Ansible Collection, found [here](https://console.redhat.com/ansible/automation-hub/repo/published/redhat/rhel_system_roles/) using the following command: `ansible-galaxy collection install redhat.rhel_system_roles:==1.88.9` (NOTE: minimum required version is 1.88.9), authentication with AAH (Ansible Automation Hub) is required for this. +After installing the collection, you can enable and configure Cockpit as shown below + +``` +tas_single_node_cockpit: + enabled: true + user: + create: true + username: cockpit-user + password: password +``` ## Downloading CLI tools To Download tools to interact with Red Hat Trusted Artifact Signer, you can visit `https://cli-server.` diff --git a/roles/tas_single_node/README.md b/roles/tas_single_node/README.md index 4226b099..3ce66643 100644 --- a/roles/tas_single_node/README.md +++ b/roles/tas_single_node/README.md 
@@ -46,6 +46,7 @@ Deploy the [RHTAS](https://docs.redhat.com/en/documentation/red_hat_trusted_arti | tas_single_node_tsa_image | Timestamp Authority Image | str | `registry.redhat.io/rhtas/timestamp-authority-rhel9@sha256:3fba2f8cd09548d2bd2dfff938529952999cb28ff5b7ea42c1c5e722b8eb827f` | | tas_single_node_rekor_search_image | Rekor search UI image | str | `registry.redhat.io/rhtas/rekor-search-ui-rhel9@sha256:8c478fc6122377c6c9df0fddf0ae42b6f6b1648e3c6cf96a0558f366e7921b2b` | | tas_single_node_podman | Configuration options for Podman. | dict of 'tas_single_node_podman' options | | +| tas_single_node_cockpit | Configuration options for Cockpit. | dict of 'tas_single_node_cockpit' options | `{'enabled': False, 'user': {'create': False, 'username': 'cockpit-user'}}` | #### Options for main > tas_single_node_rekor_redis @@ -118,6 +119,21 @@ Deploy the [RHTAS](https://docs.redhat.com/en/documentation/red_hat_trusted_arti | location | The primary registry location for the image. | str | yes | | | mirror | The mirror registry to use for pulling images from the primary registry location. | str | yes | | +#### Options for main > tas_single_node_cockpit + +|Option|Description|Type|Required|Default| +|---|---|---|---|---| +| enabled | Whether or not to install Cockpit. | bool | no | | +| user | Configuration for the cockpit user. | dict of 'user' options | no | | + +#### Options for main > tas_single_node_cockpit > user + +|Option|Description|Type|Required|Default| +|---|---|---|---|---| +| create | Whether or not to create the cockpit user. | bool | no | | +| username | Username for the cockpit user. | str | no | | +| password | Password for the cockpit user. | str | yes | | + ## Example Playbook ``` diff --git a/roles/tas_single_node/defaults/main.yml b/roles/tas_single_node/defaults/main.yml index 4bd25fe1..4c702809 100644 --- a/roles/tas_single_node/defaults/main.yml +++ b/roles/tas_single_node/defaults/main.yml 
@@ -94,3 +94,10 @@ tas_single_node_client_server_image: "registry.redhat.io/rhtas/client-server-rhel9@sha256:9537329d0166b8d41ffd5f5d79c052fc27abe426a20cba5733c84030013c4e29" tas_single_node_podman: {} + +tas_single_node_cockpit: + enabled: false # install redhat.rhel_system_roles before enabling + user: + create: false + username: cockpit-user + password: "" diff --git a/roles/tas_single_node/meta/argument_specs.yml b/roles/tas_single_node/meta/argument_specs.yml index afc8af25..3f3c27f4 100644 --- a/roles/tas_single_node/meta/argument_specs.yml +++ b/roles/tas_single_node/meta/argument_specs.yml @@ -375,3 +375,40 @@ argument_specs: type: "str" required: true version_added: "1.1.1" + tas_single_node_cockpit: + description: "Configuration options for Cockpit." + type: "dict" + required: false + version_added: "1.1.1" + default: + enabled: false + user: + create: false + username: cockpit-user + options: + enabled: + description: "Whether or not to install Cockpit." + type: "bool" + required: false + version_added: "1.1.1" + user: + description: "Configuration for the cockpit user." + type: "dict" + required: false + version_added: "1.1.1" + options: + create: + description: "Whether or not to create the cockpit user." + type: "bool" + required: false + version_added: "1.1.1" + username: + description: "Username for the cockpit user." + type: "str" + required: false + version_added: "1.1.1" + password: + description: "Password for the cockpit user." + type: "str" + required: true + version_added: "1.1.1" diff --git a/roles/tas_single_node/tasks/main.yml b/roles/tas_single_node/tasks/main.yml index f3cbead2..5f99cbb4 100644 --- a/roles/tas_single_node/tasks/main.yml +++ b/roles/tas_single_node/tasks/main.yml 
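Review bot: The new default `password: ""` under `tas_single_node_cockpit.user` is a secret slot shipped empty, and nothing in this hunk says what happens when `user.create: true` is set without overriding it; the consuming task in tasks/main.yml hashes that value as-is, so the result is a wheel-group account whose shadow entry is a hash of the empty string. The inline comment on `enabled` shows the file already documents constraints next to values, so I would do the same here: `password: ""  # must be set (via Ansible Vault, never in plain text) when user.create is true`. The README example in this patch uses the literal `password: password`, which reinforces the wrong habit; the defaults comment should point at vaulted vars instead.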
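Review bot: The `password` option added under `tas_single_node_cockpit > user` is `required: true` but not marked `no_log: true`, so the value can be echoed in argument-validation failures and verbose output; role argument specs support `no_log`, so add `no_log: true` next to `required: true`. The `default:` block for `tas_single_node_cockpit` omits `password` while defaults/main.yml sets it to `""`, and because role defaults are in scope during argument validation that empty string presumably satisfies `required: true`, meaning the requirement does not actually force a non-empty password. If a non-empty password is the intent, it needs to be validated in the task rather than relied on here. The `tas_single_node_podman` spec that the three context lines close begins outside the hunk.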
@@ -9,6 +9,28 @@ ansible.builtin.include_tasks: os.yml when: not tas_single_node_skip_os_install +- name: Create cockpit-user + ansible.builtin.user: + name: "{{ tas_single_node_cockpit.user.username }}" + shell: /bin/bash + group: wheel + password: "{{ tas_single_node_cockpit.user.password | password_hash('sha512') }}" + create_home: true + when: + - tas_single_node_cockpit.enabled | bool + - tas_single_node_cockpit.user.create | bool + +- name: Install Cockpit + ansible.builtin.include_role: + name: redhat.rhel_system_roles.cockpit + vars: + cockpit_packages: + - cockpit-storaged + - cockpit-podman + - cockpit + cockpit_manage_firewall: true + when: tas_single_node_cockpit.enabled | bool + - name: Create Certificates ansible.builtin.include_tasks: certificates.yml diff --git a/roles/tas_single_node/tasks/os.yml b/roles/tas_single_node/tasks/os.yml index a065f4e9..5f26a7d1 100644 --- a/roles/tas_single_node/tasks/os.yml +++ b/roles/tas_single_node/tasks/os.yml @@ -8,14 +8,6 @@ name: "{{ tas_single_node_system_packages }}" state: latest -- name: Install Cockpit - ansible.builtin.include_role: - name: cockpit - vars: - cockpit_packages: "{{ tas_single_node_cockpit.cockpit_packages }}" - cockpit_manage_firewall: "{{ tas_single_node_cockpit.cockpit_manage_firewall }}" - when: tas_single_node_cockpit.enabled | bool - - name: Configure /etc/hosts DNS block ansible.builtin.blockinfile: dest: /etc/hosts diff --git a/roles/tas_single_node/vars/main.yml b/roles/tas_single_node/vars/main.yml index 247a31d7..c71aaa24 100644 --- a/roles/tas_single_node/vars/main.yml +++ b/roles/tas_single_node/vars/main.yml @@ -5,13 +5,6 @@ tas_single_node_system_packages: - podman-plugins - firewalld -tas_single_node_cockpit: - enabled: false - cockpit_packages: - - cockpit-storaged - - cockpit-podman - - cockpit - cockpit_manage_firewall: true tas_single_node_rekor_signer_type: file # to be exposed to users later on tas_single_node_rekor_templates:
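Review bot: The `Create cockpit-user` task hashes whatever `tas_single_node_cockpit.user.password` holds, and the role default for it is `""`, so enabling `user.create` without overriding the password yields a `wheel` account whose shadow entry is a valid hash of the empty string — whether that permits a login depends on the host's PAM `nullok` configuration, which this role does not control, so I would fail fast with an `ansible.builtin.assert` on a non-empty password before the user task. Two smaller points on the same task: `group: wheel` makes wheel the user's primary group, whereas `groups: wheel` with `append: true` is the conventional way to grant sudo membership; and `password_hash('sha512')` produces a fresh random salt on every run, so the task reports changed each time unless `update_password: on_create` (or a fixed salt) is used. The `Install Cockpit` task below passes `cockpit_manage_firewall: true`, which presumably opens the Cockpit port in firewalld, so this password is the only control between the network and a sudo-capable account. The `Create Certificates` task that ends the hunk continues in certificates.yml outside this view.
```yaml
- name: Refuse to create the cockpit user without a password
  ansible.builtin.assert:
    that:
      - tas_single_node_cockpit.user.password | default('') | length > 0
    fail_msg: "tas_single_node_cockpit.user.password must be set when user.create is true"
  when:
    - tas_single_node_cockpit.enabled | bool
    - tas_single_node_cockpit.user.create | bool

- name: Create cockpit-user
  ansible.builtin.user:
    name: "{{ tas_single_node_cockpit.user.username }}"
    shell: /bin/bash
    groups: wheel
    append: true
    password: "{{ tas_single_node_cockpit.user.password | password_hash('sha512') }}"
    update_password: on_create
    create_home: true
  when:
    - tas_single_node_cockpit.enabled | bool
    - tas_single_node_cockpit.user.create | bool
# … unchanged: Install Cockpit task …
```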