Merge branch 'fix-http-proxy-cert' into 'feat-hpc-factory'

Fix http proxy cert

See merge request !147

ansible/cluster.yml

@@ -9,4 +9,5 @@
     - { name: 'slurm_client', tags: 'slurm_client', when: enable_slurm_client }
     - { name: 'ssh_host_keys', tags: 'ssh_host_keys' }
     - { name: 'ssh_proxy_config', tags: 'ssh_proxy_config', when: enable_ssh_proxy_config }
+    - { name: 'ssl_cert', tags: 'ssl_cert' }
     - { name: 'rsyslog_config', tags: 'rsyslog_config', when: enable_rsyslog_config }

ansible/group_vars/all

@@ -51,3 +51,13 @@
 # rsyslog
   enable_rsyslog_config: false
   rsyslog_target: "*.* @master:514"
+
+# ssl certs
+  ssl_cert_s3_bucket: ""
+  ssl_cert_key_location: "/etc/pki/tls/private"
+  ssl_cert_file_location: "/etc/pki/tls/certs"
+  ssl_cert_key: ""
+  ssl_cert_file: ""
+  ssl_cert_chain_file: ""
+  ssl_apache_config: ""
+  apache_service: "httpd"

ansible/roles/ssl_cert/tasks/main.yaml

+---
+- name: Download SSL Certs from S3
+  aws_s3:
+    mode: get
+    s3_url: "{{ S3_ENDPOINT }}"
+    bucket: "{{ ssl_cert_s3_bucket }}"
+    object: "{{ item }}"
+    dest: "{{ ssl_cert_file_location }}/{{ item }}"
+    aws_access_key: "{{ LTS_ACCESS_KEY }}"
+    aws_secret_key: "{{ LTS_SECRET_KEY }}"
+  vars:
+    ansible_python_interpreter: /usr/bin/python3
+  when: ssl_cert_s3_bucket | length > 0 and item | length > 0
+  loop:
+    - "{{ ssl_cert_file }}"
+    - "{{ ssl_cert_chain_file }}"
+
+- name: Change cert files permissions
+  ansible.builtin.file:
+    path: "{{ ssl_cert_file_location }}/{{ item }}"
+    owner: root
+    group: root
+    mode: '0600'
+  when: ssl_cert_s3_bucket | length > 0 and item | length > 0
+  loop:
+    - "{{ ssl_cert_file }}"
+    - "{{ ssl_cert_chain_file }}"
+
+- name: Download SSL key from S3
+  aws_s3:
+    mode: get
+    s3_url: "{{ S3_ENDPOINT }}"
+    bucket: "{{ ssl_cert_s3_bucket }}"
+    object: "{{ ssl_cert_key }}"
+    dest: "{{ ssl_cert_key_location }}/{{ ssl_cert_key }}"
+    aws_access_key: "{{ LTS_ACCESS_KEY }}"
+    aws_secret_key: "{{ LTS_SECRET_KEY }}"
+  vars:
+    ansible_python_interpreter: /usr/bin/python3
+  when: ssl_cert_s3_bucket | length > 0 and ssl_cert_key | length > 0
+
+- name: Change key file permissions
+  ansible.builtin.file:
+    path: "{{ ssl_cert_key_location }}/{{ ssl_cert_key }}"
+    owner: root
+    group: root
+    mode: '0400'
+  when: ssl_cert_s3_bucket | length > 0 and ssl_cert_key | length > 0
+
+- name: Update SSL in Apache config
+  ansible.builtin.replace:
+    path: "{{ ssl_apache_config }}"
+    regexp: "{{ item.regexp }}"
+    replace: "\\1 {{ item.location }}/{{ item.value }}"
+    backup: true
+  when: ssl_apache_config | length > 0 and item.value | length > 0
+  loop:
+    - { regexp: "#?(SSLCertificateFile).*$", location: "{{ ssl_cert_file_location }}", value: "{{ ssl_cert_file }}" }
+    - { regexp: "#?(SSLCertificateChainFile).*$", location: "{{ ssl_cert_file_location }}", value: "{{ ssl_cert_chain_file }}" }
+    - { regexp: "#?(SSLCertificateKeyFile).*$", location: "{{ ssl_cert_key_location }}", value: "{{ ssl_cert_key }}" }
+
+- name: Restart apache service
+  ansible.builtin.service:
+    name: "{{ apache_service }}"
+    state: restarted