diff --git a/README.md b/README.md index e45fd00b..1bcb9ed8 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# artifact-signer-ansible +# RHTAS Ansible Collection Automation to deploy the RHTAS ecosystem on RHEL @@ -13,8 +13,11 @@ The following Sigstore components are deployed as part of this architecture: * [Rekor](https://docs.sigstore.dev/rekor/overview) * [Trillian](https://github.com/google/trillian) + * Optionally a MariaDB instance and a Redis instance, although it is possible to use instances managed outside of Ansible * [Fulcio](https://docs.sigstore.dev/fulcio/overview) * [Certificate Log](https://docs.sigstore.dev/fulcio/certificate-issuing-overview) +* [Timestamp Authority](https://docs.sigstore.dev/verifying/timestamps/#timestamp-authorities) +* [TUF](https://theupdateframework.io/) server An [NGINX](https://www.nginx.com) frontend is placed as an entrypoint to the various backend components. Communication is secured via a set of self-signed certificates that are generated at runtime. @@ -22,7 +25,7 @@ Utilize the steps below to understand how to setup and execute the provisioning. ## Prerequisites -A RHEL 9.2+ server should be used to run the RHTAS components. +RHEL 9.2+ x86\_64 is supported to run the RHTAS components. Ansible must be installed and configured on a control node that will be used to perform the automation. @@ -30,7 +33,7 @@ Perform the following steps to prepare the control node for execution. ### Dependencies -Install the required Ansible collections by executing the following +Install the required Ansible collections by executing the following (this can be skipped if installing from Ansible Automation Hub, as `ansible-galaxy install` will install dependencies automatically). ```shell ansible-galaxy collection install -r requirements.yml @@ -38,7 +41,7 @@ ansible-galaxy collection install -r requirements.yml ### OIDC provider -An installation of Keycloak must be provided to allow for integration with containerized RHTAS. +An installation of an OIDC provider, such as [Keycloak](https://console.redhat.com/ansible/automation-hub/repo/published/redhat/sso/), must be provided to allow for integration with containerized RHTAS. ### Ingress @@ -46,14 +49,15 @@ The automation deploys and configures a software load balancer as a central poin * https://rekor. * https://fulcio. +* https://tsa. * https://tuf. -each of these hostnames must be configured in DNS to resolve to the target machine. The `base_hostname` parameter must be provided -when executing the provisining. To configure hostnames in DNS, edit `/etc/hosts` with the following content: +Each of these hostnames must be configured in DNS to resolve to the target machine. The `base_hostname` parameter must be provided when executing the provisining. To configure hostnames in DNS, edit `/etc/hosts` with the following content: ``` fulcio. fulcio rekor. rekor + tsa. tsa tuf. tuf ``` @@ -68,13 +72,16 @@ In order to deploy RHTAS on a RHEL 9.2+ VM: 1. Create an `inventory` file with a single VM in the `rhtas` group: ``` [rhtas] - 123.123.123.123 become=true + 123.123.123.123 ``` 2. Create a simple Ansible playbook `play.yml`: ``` - hosts: rhtas vars: base_hostname: TODO # e.g. example.com + # access credentials for registry.redhat.io (https://access.redhat.com/RegistryAuthentication) + tas_single_node_registry_username: TODO + tas_single_node_registry_password: TODO tas_single_node_oidc_issuers: - issuer: TODO # your OIDC provider (e.g. keycloak) URL client_id: trusted-artifact-signer @@ -84,16 +91,22 @@ In order to deploy RHTAS on a RHEL 9.2+ VM: - name: Include TAS single node role ansible.builtin.include_role: name: tas_single_node + vars: + ansible_become: true ``` -3. Execute the following command (NOTE: you will have to provide credentials to authenticate to registry.redhat.io: https://access.redhat.com/RegistryAuthentication): +3. Execute the following command if the collection is installed from Ansible Automation Hub: ```shell - ANSIBLE_ROLES_PATH="roles/" ansible-playbook -i inventory play.yml -e registry_username='REGISTRY.REDHAT.IO_USERNAME' -e registry_password='REGISTRY.REDHAT.IO_PASSWORD' + ansible-playbook -i inventory play.yml + ``` +4. Execute the following command if you're running from the collection repository checked out locally: + ```shell + ANSIBLE_ROLES_PATH="roles/" ansible-playbook -i inventory play.yml ``` ### Add the root CA that was created to your local truststore. The certificate can be downloaded from the browser Certificate Viewer by navigating to `https://rekor.`. -Download the _root_ certiicate that issued the rekor certificate. +Download the _root_ certificate that issued the Rekor certificate. In Red Hat based systems, the following commands will add a CA to the system truststore. ```shell diff --git a/galaxy.yml b/galaxy.yml index 77360275..7574e4a3 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -5,9 +5,13 @@ version: 1.0.0 readme: README.md authors: - - Red Hat - - TODO -description: TODO + - Andrew Block + - Firas Ghanmi + - Nina Olear + - Ryan Cook + - Slavek Kabrda + - Tommy Dalton +description: Install and configure RHTAS, a downstream redistribution of the Sigstore project. license_file: Apache-2.0 tags: [sigstore, tas, rhtas, security, cosign] # NOTE: when updating, also update dependencies in requirements.yml @@ -15,7 +19,15 @@ dependencies: containers.podman: ">=1.15.0" repository: https://github.com/securesign/artifact-signer-ansible/ documentation: http://TODO.com -homepage: https://TODO.com +homepage: https://github.com/securesign/artifact-signer-ansible#rhtas-ansible-collection issues: https://github.com/securesign/artifact-signer-ansible/issues -build_ignore: [.ansible-lint, .github, .gitignore, .vscode, requirements-testing.txt, vm-testing] +build_ignore: + - .ansible-lint + - .github + - .gitignore + - .vscode + - ansible-navigator.log + - molecule + - requirements-testing.txt + - vm-testing diff --git a/roles/tas_single_node/meta/main.yml b/roles/tas_single_node/meta/main.yml index 26e5d90a..f1d1fc8a 100644 --- a/roles/tas_single_node/meta/main.yml +++ b/roles/tas_single_node/meta/main.yml @@ -4,53 +4,15 @@ galaxy_info: description: Install RHTAS on a single node company: Red Hat - # If the issue tracker for your role is not on github, uncomment the - # next line and provide a value - # issue_tracker_url: http://example.com/issue/tracker - - # Choose a valid license ID from https://spdx.org - some suggested licenses: - # - BSD-3-Clause (default) - # - MIT - # - GPL-2.0-or-later - # - GPL-3.0-only - # - Apache-2.0 - # - CC-BY-4.0 license: Apache-2.0 min_ansible_version: "2.16" + platforms: + - name: EL + versions: + - "9" - # If this a Container Enabled role, provide the minimum Ansible Container version. - # min_ansible_container_version: - - # - # Provide a list of supported platforms, and for each platform a list of versions. - # If you don't wish to enumerate all versions for a particular platform, use 'all'. - # To view available platforms and versions (or releases), visit: - # https://galaxy.ansible.com/api/v1/platforms/ - # - # platforms: - # - name: Fedora - # versions: - # - all - # - 25 - # - name: SomePlatform - # versions: - # - all - # - 1.0 - # - 7 - # - 99.99 - - galaxy_tags: [] -# List tags for your role here, one per line. A tag is a keyword that describes -# and categorizes the role. Users find roles by searching for tags. Be sure to -# remove the '[]' above, if you add tags to this list. -# -# NOTE: A tag is limited to a single word comprised of alphanumeric characters. -# Maximum 20 tags per role. - -dependencies: [] -# List your role dependencies here, one per line. Be sure to remove the '[]' above, -# if you add dependencies to this list. + galaxy_tags: [sigstore, tas, rhtas, security, cosign] collections: - containers.podman diff --git a/roles/tas_single_node/tests/inventory b/roles/tas_single_node/tests/inventory deleted file mode 100644 index 878877b0..00000000 --- a/roles/tas_single_node/tests/inventory +++ /dev/null @@ -1,2 +0,0 @@ -localhost - diff --git a/roles/tas_single_node/tests/test.yml b/roles/tas_single_node/tests/test.yml deleted file mode 100644 index cd0879c9..00000000 --- a/roles/tas_single_node/tests/test.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: Install TAS locally - hosts: localhost - remote_user: root - roles: - - tas_single_node