Enable customer provided cert for Fulcio

securesign · Nov 14, 2024 · ad54901 · ad54901
1 parent 6c62acb
commit ad54901
Show file tree

Hide file tree

Showing 4 changed files with 93 additions and 0 deletions.
diff --git a/roles/tas_single_node/README.md b/roles/tas_single_node/README.md
@@ -20,6 +20,9 @@ Deploy the [RHTAS](https://docs.redhat.com/en/documentation/red_hat_trusted_arti
 | tas_single_node_podman_network | Name of the Podman network for containers to use. | str |  `rhtas`  |
 | tas_single_node_rekor_redis | Details on the Redis connection for Rekor. You can set this to a custom Redis instance. | dict of 'tas_single_node_rekor_redis' options |  `{'database_deploy': True, 'redis': {'host': 'rekor-redis-pod', 'port': 6379, 'password': 'password'}}`  |
 | tas_single_node_trillian | Details on the database connection for Trillian. You can set this to a custom MySQL or MariaDB instance. | dict of 'tas_single_node_trillian' options |  `{'database_deploy': True, 'mysql': {'user': 'mysql', 'root_password': 'rootpassword', 'password': 'password', 'database': 'trillian', 'host': 'trillian-mysql-pod', 'port': 3306}}`  |
+| tas_single_node_fulcio | Details on the certificate settings for Fulcio. You can configure the certificate with the organization's details. | dict of 'tas_single_node_fulcio' options |  `{'certificate': {'organization_name': '', 'organization_email': '', 'common_name': ''}}`  |
+| tas_single_node_fulcio_private_key | Private key for Fulcio, used for signing root certificate. | str |  |
+| tas_single_node_fulcio_root_ca | The root certificate for Fulcio. | str |  |
 | tas_single_node_rekor_public_key_retries | The number of attempts to retrieve the Rekor public key when constructing the trust root. | int |  `5`  |
 | tas_single_node_rekor_public_key_delay | The number of seconds to wait before retrying the retrieval of the Rekor public key when constructing the trust root. | int |  `10`  |
 | tas_single_node_setup_host_dns | Set up DNS on the managed host to resolve URLs of the configured RHTAS services. | bool |  `True`  |
@@ -77,6 +80,20 @@ Deploy the [RHTAS](https://docs.redhat.com/en/documentation/red_hat_trusted_arti
 | root_password | The root password for the database. | str | no |  |
 | database | The database name to connect to. | str | no |  |
 
+#### Options for main > tas_single_node_fulcio
+
+|Option|Description|Type|Required|Default|
+|---|---|---|---|---|
+| certificate | Details on the certificate attributes for Fulcio. | dict of 'certificate' options | no |  |
+
+#### Options for main > tas_single_node_fulcio > certificate
+
+|Option|Description|Type|Required|Default|
+|---|---|---|---|---|
+| organization_name | The name of the organization. | str | no |  |
+| organization_email | The email address of the organization. | str | no |  |
+| common_name | The common name (e.g., hostname) for the certificate. | str | no |  |
+
 #### Options for main > tas_single_node_oidc_issuers
 
 |Option|Description|Type|Required|Default|

diff --git a/roles/tas_single_node/defaults/main.yml b/roles/tas_single_node/defaults/main.yml
@@ -22,6 +22,12 @@ tas_single_node_trillian:
     host: trillian-mysql-pod
     port: 3306
 
+tas_single_node_fulcio:
+  certificate:
+    organization_name: ""
+    organization_email: ""
+    common_name: ""
+
 tas_single_node_rekor_public_key_retries: 5
 tas_single_node_rekor_public_key_delay: 10
 
@@ -50,6 +56,9 @@ tas_single_node_tsa_ca_passphrase: rhtas
 tas_single_node_tsa_signer_passphrase: rhtas
 tas_single_node_ct_logprefix: rhtasansible
 
+tas_single_node_fulcio_private_key: ""
+tas_single_node_fulcio_root_ca: ""
+
 # When adding or altering names for our images, consult the mapping in https://github.com/securesign/structural-tests
 # To avoid breaking our structural tests
 

diff --git a/roles/tas_single_node/meta/argument_specs.yml b/roles/tas_single_node/meta/argument_specs.yml
@@ -118,6 +118,52 @@ argument_specs:
                 type: "str"
                 required: false
                 version_added: "1.1.0"
+      tas_single_node_fulcio:
+        description: "Details on the certificate settings for Fulcio. You can configure the certificate with the organization's details."
+        type: "dict"
+        required: false
+        version_added: "1.1.1"
+        default:
+          certificate:
+            organization_name: ""
+            organization_email: ""
+            common_name: ""
+        options:
+          certificate:
+            description: "Details on the certificate attributes for Fulcio."
+            type: "dict"
+            required: false
+            version_added: "1.1.1"
+            options:
+              organization_name:
+                description: "The name of the organization."
+                type: "str"
+                required: false
+                version_added: "1.1.1"
+              organization_email:
+                description: "The email address of the organization."
+                type: "str"
+                required: false
+                version_added: "1.1.1"
+              common_name:
+                description: "The common name (e.g., hostname) for the certificate."
+                type: "str"
+                required: false
+                version_added: "1.1.1"
+      tas_single_node_fulcio_private_key:
+        description: >
+          Private key for Fulcio, used for signing root certificate.
+        type: "str"
+        required: false
+        version_added: "1.1.1"
+        default: ""
+      tas_single_node_fulcio_root_ca:
+        description: >
+          The root certificate for Fulcio.
+        type: "str"
+        required: false
+        version_added: "1.1.1"
+        default: ""
       tas_single_node_rekor_public_key_retries:
         description: "The number of attempts to retrieve the Rekor public key when constructing the trust root."
         type: "int"

diff --git a/roles/tas_single_node/tasks/certificates.yml b/roles/tas_single_node/tasks/certificates.yml
@@ -93,6 +93,14 @@
           -out '{{ tas_single_node_remote_fulcio_private_key }}'
           -passout 'pass:{{ tas_single_node_fulcio_ca_passphrase }}'
         creates: "{{ tas_single_node_remote_fulcio_private_key }}"
+      when: tas_single_node_fulcio_private_key == ""
+
+    - name: Load user-provided Fulcio private key
+      ansible.builtin.copy:
+        src: "{{ tas_single_node_fulcio_private_key }}"
+        dest: "{{ tas_single_node_remote_fulcio_private_key }}"
+        mode: '0600'
+      when: tas_single_node_fulcio_private_key != ""
 
     - name: Create Fulcio public key
       ansible.builtin.command:
@@ -108,11 +116,16 @@
         cmd: >-
           openssl req -new -batch
           -key '{{ tas_single_node_remote_fulcio_private_key }}'
+          -subj
+          "/O={{ tas_single_node_fulcio.certificate.organization_name }}
+           /CN={{ tas_single_node_fulcio.certificate.common_name }}
+           /emailAddress={{ tas_single_node_fulcio.certificate.organization_email }}"
           -addext 'basicConstraints=critical,CA:TRUE'
           -addext 'keyUsage = critical,keyCertSign'
           -passin 'pass:{{ tas_single_node_fulcio_ca_passphrase }}'
       register: fulcio_root_csr
       changed_when: false
+      when: tas_single_node_fulcio_root_ca == ""
 
     - name: Create self-signed Fulcio root from CSR
       ansible.builtin.shell:
@@ -126,6 +139,14 @@
           -passin 'pass:{{ tas_single_node_fulcio_ca_passphrase }}'
           -out '{{ tas_single_node_remote_fulcio_root_ca }}'
         creates: "{{ tas_single_node_remote_fulcio_root_ca }}"
+      when: tas_single_node_fulcio_root_ca == ""
+
+    - name: Load user-provided Fulcio root
+      ansible.builtin.copy:
+        src: "{{ tas_single_node_fulcio_root_ca }}"
+        dest: "{{ tas_single_node_remote_fulcio_root_ca }}"
+        mode: '0644'
+      when: tas_single_node_fulcio_root_ca != ""
 
 - name: Create CTLog root
   when: >