1 change: 1 addition & 0 deletions playbooks/albs_with_separate_build_node.yml
Expand Up @@ -13,5 +13,6 @@
- separate_build_node
tags:
- build-node-deploy
- pesign
connection: "{{ 'local' if use_local_connection else 'ssh' }}"
...
3 changes: 3 additions & 0 deletions roles/separate_build_node/defaults/main/common.yml
Expand Up @@ -9,7 +9,10 @@ service_group: albs-builder
build_node_working_directory: "{{ home_dir }}/albs"
build_node_venv_directory: "{{ home_dir }}/.builder-venv"
build_node_requirements_path: "{{ build_node_working_directory }}/albs-node/requirements.txt"
pesign_dir_path: "/opt/pesign"
powertools_repository_name: crb
rpm_sign_server_base: ""
rpm_sign_jwt: ""
working_directories:
- "{{ base_work_dir }}"
- "{{ build_node_working_directory }}"
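Review bot: `rpm_sign_server_base: ""` and `rpm_sign_jwt: ""` give the two rpm-sign settings empty-string defaults, so a host that never sets them still renders `rpm-sign.conf` with `SERVER_BASE=""` and `JWT=""` and the play reports success. The other variables the new templates read (`pesign_jwt_token`, `alma_pesign_server`, `common_pesign_server`) get no default in this hunk, so they fail at template time when unset; pick one behaviour for all five, either dropping these two defaults or adding an `ansible.builtin.assert` on non-empty values in pesign.yml. A comment above `rpm_sign_jwt` such as `# bearer token for the rpm-sign server; set from a vaulted vars file, never here` would document where the real value belongs. The hunk cuts the defaults mapping on both sides.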
5 changes: 4 additions & 1 deletion roles/separate_build_node/defaults/main/dnf.yml
Expand Up @@ -5,14 +5,16 @@ build_node_dnf_packages:
- "cmake"
- "cpio"
- "createrepo_c"
- "ef2sprogs"
- "fedpkg"
- "gcc"
- "gcc-c++"
- "git"
- "htop"
- "kernel-rpm-macros"
- "keyrings-filesystem"
- "libcurl-devel"
- "rustc"
- "cargo"
- "libicu"
- "libicu-devel"
- "mc"
Expand All @@ -29,4 +31,5 @@ build_node_dnf_packages:
- "tree"
- "ubu-keyring"
- "xmlsec1-openssl-devel"
- "rsyslog-logrotate"
...
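Review bot: `- "ef2sprogs"` does not look like a valid package name; if the filesystem utilities are meant, the EL package is `e2fsprogs`, and with `state: latest` in tasks/dnf.yml an unknown name fails the whole install task. Whether that line is new or pre-existing is not recoverable from the rendered view, so treat this as a question rather than a regression. The list is otherwise alphabetical, but `rustc` and `cargo` sit between `libcurl-devel` and `libicu`; moving them into order keeps future diffs minimal. The hunk cuts the sequence on both sides.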
2 changes: 2 additions & 0 deletions roles/separate_build_node/tasks/create_env.yml
Expand Up @@ -55,4 +55,6 @@
ansible.builtin.pip:
requirements: "{{ build_node_requirements_path }}"
virtualenv: "{{ build_node_venv_directory }}"
tags:
- update-env
...
1 change: 1 addition & 0 deletions roles/separate_build_node/tasks/dnf.yml
Expand Up @@ -26,6 +26,7 @@
gpgcheck: no

- name: Install required system packages packages
become: yes
ansible.builtin.dnf:
name: "{{ build_node_dnf_packages }}"
state: latest
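Review bot: `become: yes` uses the YAML 1.1 truthy spelling, which yamllint's `truthy` rule flags and which reads differently across parsers; write `become: true`. The task name `Install required system packages packages` repeats a word. The `gpgcheck: no` two lines above appears to be context rather than part of this change, but it disables repository signature verification on a node whose job is signing artifacts; worth confirming that repository is trusted by other means. The enclosing task list continues outside the hunk.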
2 changes: 2 additions & 0 deletions roles/separate_build_node/tasks/main.yml
Expand Up @@ -4,5 +4,7 @@
- include_tasks: dnf.yml
- include_tasks: common.yml
- include_tasks: create_env.yml
- include_tasks: pesign.yml
tags: pesign
- include_tasks: install_systemd_service.yml
...
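Review bot: `tags: pesign` on an `include_tasks` applies only to the include statement itself, not to the tasks inside pesign.yml, so running with `--tags pesign` loads the file but skips its tasks. Use `ansible.builtin.import_tasks: pesign.yml` (static import, tags propagate) or keep the dynamic include and add `apply: { tags: pesign }`; both are one-line changes. The playbook hunk in this PR also adds `pesign` to the role's tags, which is a separate mechanism; if that is what is relied on, this line is redundant and a comment saying so would avoid the confusion. The sibling includes carry no tags, and the task list continues outside the hunk.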
62 changes: 62 additions & 0 deletions roles/separate_build_node/tasks/pesign.yml
@@ -0,0 +1,62 @@
---

- name: Create pesign dir
ansible.builtin.file:
path: "{{ pesign_dir_path }}"
state: directory
recurse: yes
owner: root
group: root

- name: Create modsign script
ansible.builtin.template:
dest: "{{ pesign_dir_path }}/modsign"
src: modsign.j2
group: root
owner: root
mode: 0755

- name: Create pesign script
ansible.builtin.template:
dest: "{{ pesign_dir_path }}/pesign"
src: pesign.j2
group: root
owner: root
mode: 0755

- name: Create pesign-client script
ansible.builtin.template:
dest: "{{ pesign_dir_path }}/pesign-client"
src: pesign-client.j2
group: root
owner: root
mode: 0755

- name: Deploy rpm-sign config
ansible.builtin.template:
dest: "{{ pesign_dir_path }}/rpm-sign.conf"
src: rpm-sign.conf.j2
owner: root
group: mock
mode: "0640"

- name: Deploy rpm-sign certificates and key
ansible.builtin.template:
dest: "{{ pesign_dir_path }}/{{ item }}"
src: "{{ item }}"
owner: root
group: mock
mode: "0640"
loop:
- rpm-sign-server.pem
- rpm-sign.key
- rpm-sign.pem

- name: Deploy rpm-sign.local script
ansible.builtin.template:
dest: "{{ pesign_dir_path }}/rpm-sign.local"
src: rpm-sign.local
owner: root
group: mock
mode: "0750"
...
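Review bot: The three scripts templated at `mode: 0755` root:root (`modsign`, `pesign`, `pesign-client`) each embed `JWT="{{ pesign_jwt_token }}"`, so the signing-service bearer token lands in world-readable files, while `rpm-sign.conf`, which holds the other token, is deployed `0640` root:mock. Move the token into a `0640` group-readable file the scripts source, or at least deploy the scripts as `mode: "0750"` with `group: mock` like `rpm-sign.local`, and add `no_log: true` to the tasks that render a token so `--diff` runs do not print it. `mode: 0755` is an unquoted YAML 1.1 octal; write `mode: "0755"` to match the quoted modes later in the same file, and `recurse: yes` should be `recurse: true`. `rpm-sign-server.pem`, `rpm-sign.key` and `rpm-sign.pem` are static files pushed through `ansible.builtin.template`; `ansible.builtin.copy` also decrypts vaulted sources and avoids Jinja interpreting any `{{` or `{%` inside key material.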
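--- a/roles/separate_build_node/templates/modsign.j2
+++ b/roles/separate_build_node/templates/modsign.j2
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+SERVER="{{ alma_pesign_server }}/sign_module/"
+
+JWT="{{ pesign_jwt_token }}"
+
+curl -s --fail -X POST -H "os: $1" -H "Content-Type: multipart/form-data" -H "Cookie: JWT=${JWT}" -F "input_file=@$2" --output "$2" ${SERVER}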
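Review bot: `--output "$2"` writes the server response over the module passed in `$2`, which is also the upload source; if the transfer fails after curl has started receiving the body, the only copy of the module is left truncated. Writing to a temporary file and renaming on success avoids that: `tmp="$(mktemp)"; curl ... --output "$tmp" "${SERVER}" && mv "$tmp" "$2"` (with `rm -f "$tmp"` on failure). `-s` alone also hides the reason when `--fail` trips; `-sS` keeps progress quiet but still prints the error. `${SERVER}` is unquoted and `$1`/`$2` are never checked, so a missing argument sends an empty `os:` header and a bare `@`; a two-argument check at the top would make misuse fail early.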
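--- a/roles/separate_build_node/templates/pesign-client.j2
+++ b/roles/separate_build_node/templates/pesign-client.j2
@@ -0,0 +1,56 @@
+#!/bin/bash
+
+JWT="{{ pesign_jwt_token }}"
+
+while [[ $# -gt 0 ]]; do
+key="$1"
+
+case $key in
+-t)
+sign_token="$2"
+shift # past argument
+shift # past value
+;;
+-c)
+sign_cert="$2"
+shift # past argument
+shift # past value
+;;
+-i)
+input_file="$2"
+shift # past argument
+shift # past value
+;;
+-o)
+output_file="$2"
+shift # past argument
+shift # past value
+;;
+-e)
+output_sattr="$2"
+shift # past argument
+shift # past value
+;;
+-s)
+shift # past argument
+;;
+-C)
+export_cert="$2"
+shift # past argument
+shift # past value
+;;
+--certdir)
+certdir="$2"
+shift # past argument
+shift # past value
+;;
+esac
+done
+
+if [ "${sign_token}" == "AlmaLinux OS Foundation" ]; then
+SERVER="{{ alma_pesign_server }}/sign_efi/"
+else
+SERVER="{{ common_pesign_server }}/sign_efi/"
+fi
+
+curl -s --fail -X POST -H "sign_token: ${sign_token}" -H "sign_cert: ${sign_cert}" -H "Content-Type: multipart/form-data" -H "Cookie: JWT=${JWT}" -F "input_file=@${input_file}" --output "${output_file}" ${SERVER}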
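Review bot: The `case $key in` block has no default branch, so an argument that matches none of the listed options is never shifted and the `while [[ $# -gt 0 ]]` loop spins forever; add `*) echo "unknown option: $key" >&2; exit 2 ;;` before `esac`. The same applies to pesign.j2, which is byte-for-byte identical to this file; one template with two `dest` values (or a symlink) would keep them from drifting. `-e`, `-C` and `--certdir` are parsed into `output_sattr`, `export_cert` and `certdir` but never used, which is fine for pesign CLI compatibility but deserves a comment saying so. `${SERVER}` on the final curl line is unquoted, and `-s` hides the `--fail` reason; `-sS` and `"${SERVER}"` cost nothing.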
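--- a/roles/separate_build_node/templates/pesign.j2
+++ b/roles/separate_build_node/templates/pesign.j2
@@ -0,0 +1,56 @@
+#!/bin/bash
+
+JWT="{{ pesign_jwt_token }}"
+
+while [[ $# -gt 0 ]]; do
+key="$1"
+
+case $key in
+-t)
+sign_token="$2"
+shift # past argument
+shift # past value
+;;
+-c)
+sign_cert="$2"
+shift # past argument
+shift # past value
+;;
+-i)
+input_file="$2"
+shift # past argument
+shift # past value
+;;
+-o)
+output_file="$2"
+shift # past argument
+shift # past value
+;;
+-e)
+output_sattr="$2"
+shift # past argument
+shift # past value
+;;
+-s)
+shift # past argument
+;;
+-C)
+export_cert="$2"
+shift # past argument
+shift # past value
+;;
+--certdir)
+certdir="$2"
+shift # past argument
+shift # past value
+;;
+esac
+done
+
+if [ "${sign_token}" == "AlmaLinux OS Foundation" ]; then
+SERVER="{{ alma_pesign_server }}/sign_efi/"
+else
+SERVER="{{ common_pesign_server }}/sign_efi/"
+fi
+
+curl -s --fail -X POST -H "sign_token: ${sign_token}" -H "sign_cert: ${sign_cert}" -H "Content-Type: multipart/form-data" -H "Cookie: JWT=${JWT}" -F "input_file=@${input_file}" --output "${output_file}" ${SERVER}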
99 changes: 99 additions & 0 deletions roles/separate_build_node/templates/rpm-sign-server.pem
Original file line number Diff line number Diff line change
@@ -0,0 +1,99 @@
$ANSIBLE_VAULT;1.1;AES256
37306161666664383239373261363033313034623762383866393061303330656564663332363330
6561353031376263656631356538656137633936633330650a313962396339346332376533626539
36376363363533303337303334633336393264313730306563356263303237653964616565333233
3032333137323437630a316531386361343231656437316563386565336533623639323538656634
39353861336235336639646639653137346262393161333334353135383032333163373561623431
66383262663136343635646335616264363037313335613536306166643230666237626433323139
66306633653930313539356338303461376133373632633965303735636631356439636465376262
34376232633634383062303138656634653666656430333962373031346164333937626630616636
31656430363263363830313930356566323432306133666464396261653837316661663163313565
36616534323263313864343033623338616535346534623266653035313239343435376139353439
61636533363362633531396261306337386535613065666239656630633364643963626663373766
64336562336163613432353231313265663733643165326335366236373233373933663638353166
62656539366263326137393738613366396237303139386239353135656539633464316561323131
30363538346235396136396564643232353466383137626362653733626334373536346163376339
35656439613934313963653432663936623964666537396462336137656639653163633937323435
66633365346535323964383661646130636430373662623231353136323133326566613961336463
34366136343332666264303562333162396337643439646364653737326161356566373266653463
61336365343561626663383233643130313830343864363833666262336466366138363763333336
63653137386331356138323431643966356462316538316261303366663061366431656266663265
66626263666236333737366539623239346436356138613366343038363034383638656636613164
62383038613462373562333139306232646433363930613062316236613863393430396635353164
37303065356636363562396366396162643063666361633830306237626362623638316135343837
66373761393666306639346433363835336633316135306366656632356266393435353464366565
39363335653537643863346634643363383333333761613436663361666635623439353762393036
32333763653262346266376436326431393038303966656166653239373830353265393330353463
65316162626662303132346133623830313136386535376136333962373466343464353530633834
39626462643230626334653739366364643836333332633965313137323235376538643335366338
32626330313265316537313163643165313434663338623663623666396631623136653832636264
37323663636165363939326633623765613662323264353934323536366361646363393761656438
63636539343738396334636137363266353862383338643065346234303732363965336633356432
33636337616662656637656235343634366365303762613464633464653834393238323061343962
64633437633066633938643532303765396139633135373462393636663739643839646363396130
33373536373663633332626162346263373231346134356361383939633264656663373464373531
63376635303263363634393139363935363736643265613931613937666534656632343039643362
36303863663666353939653938373138336230383233623230333239633031333338336165353066
35373235646631663766636635383731626439326439383931633334386362373363363263643566
30653639303839616166303430663838326432666439373136663064663165613165313936313763
62613235626631623066363139623766363737616664343830626237333036393864353234653138
35353735396366616163636630386662383034393965396432396435373639393664303935336364
30663332343336343936356536363039373037353336333062623138363761646432326464343862
65363934643762633837386139623830623066396333363336623930386566633030336233653938
64323637366161306231653565383862396631343865613065343633643263363137323532303431
34336263626137653333366634386439653666363632353631666332626162386135313365643832
30363933613035636132643263343166653165363666613834396337636461636461323536633139
64626639656563356463373566663362353231656162353561303438333932343638396266366130
30663235353334666532633064386634363462613164386461666332313138373563373663336338
35313932306338656566326432613438653562373338316462656537336534356530396363383135
38326365383264333031363334663263616136363135386430313738376434623833346266336238
39613032366534373635613063363837346131636638366535376165633065356332323566303630
65343936643965633563363366356530303662363164653530373661323030383062653937363237
61303334613737633632633033396565333066363562396562376338633231326131343933373737
61646236666631633439323435666438316438353437346332366536626163313363633631373136
65346664303531666432646365343434393037353937353266303930363064333764313965363639
36323932613236303938396465373831343536613964383538396131376236336539323630373461
30323966333631353161353265646230653834303762363633613463343632303261356436393466
37643835653361326130326631356566343133323566653734613132646231373332653539353261
61336330616162633839633962613461626338636331636536613162353063636262643337323037
34386435386636613066306466393263303231323039336336356166313433393562303636376337
31333336353733643632316264353530623733653833656631316162386561653133663834643139
36343263396630383233393363343535396338383930343530343431383531343161633962613530
32376632653530343036643863316338393033346466663636356239353434343031306535363632
62623262363131656433336134336338656362393338353861356132653637623137343438303932
33666365303732616565393238626461303065396330616132356335316363656536653332346134
61313435653231323637333139623135353962636461313836386239333534313731303866623964
33643935366538373338666634386363356237343938353534653361373335316261633561343136
32323130333331353334313165303836663762613065383632666536383361393862653335363362
64646562623637623036396336366663626633326638343631316437663361626536343136623138
33633435396633393934643465663639306431326430613533316466666632373337346163633862
36366663383066393565336534343263643035616138633231643032613066653338633937643136
64373537303132383563353362663535616465643736333535373963303630666233386565626137
61343733623838613135656465636637626164316437626436643936623636616665373937373034
62613339383964643463326562326263316530343665643762393430343961366238633035346636
34313866663564643431613463313735633063303664363937333430323565363164346237343533
32356563396137666635323266633934663830633364393837626436653564306563326434633935
34373864626266383136343439633562663738313762646436623862616633613561626461353936
33653033656331653064616332356238633437653732383963643432313065396137306364356466
66663665613565313533306139386137633365306465333834326138613332633666633435623365
37313532303337306335346663343131316632363237353835653636383165613030393634666332
32383634336266313638393731303462656663386433316464363733623532336461303062623961
35653535343562613938343963336635346164346133616466323634363439363662633666313963
35366665323236623132633832613764333630323738646434373136646139316138663634363831
66303636623766656436323336613631666234363162613031333836326531303530316539613066
30303161343935323763663766396164623534616562613361653138663565356432323462653263
35343364653261663033313934343631626432623266376539303235383066363935326636356534
38303533346562326539393037326334653234313237356433363430623035363039313035636364
30313666633266653036333661343232616532643264316337636631303035376264623461306163
34303936383435653838663435366164313265383438306632386333363961356662356265363531
32613637613030346331633664626537666164623535653837353836346531313062356239653065
66656161366433326461376333656130353665326433303434653730656333333934623430303863
30663531316461633233333331643966333162346562323634376164626636666334343039353362
61343265663866303533363364626531643861663534643766313966316330363065626537306338
33386430323365323336383331343432613437336663383335366336666134333636343738373062
61383865656136343936396138633833613830313630636337633938353231613330633463643439
37306134356339383032313438356432376138326133373132356365653433663738646661613635
66666539366530306532356239343062383934313030396139343334373566313964643738613635
32303539626566336433643065313537326431353364663537316536613836663862396338616164
30656631663266336233623065653032346232343134393939623130393262643534623834626532
3066323131663935383063373564313564666662356438643833
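--- a/roles/separate_build_node/templates/rpm-sign.conf.j2
+++ b/roles/separate_build_node/templates/rpm-sign.conf.j2
@@ -0,0 +1,15 @@
+SCRIPT_DIR="$(dirname "$(readlink -f "${BASH_SOURCE[0]}")")"
+
+SERVER_BASE="{{ rpm_sign_server_base }}"
+
+# --- Authentication (mTLS is preferred when both are set) ---
+
+# mTLS client certificate (issued by helpers/issue-mtls-cert.sh)
+MTLS_CERT="$SCRIPT_DIR/rpm-sign.pem"
+MTLS_KEY="$SCRIPT_DIR/rpm-sign.key"
+
+# JWT token (fallback when mTLS cert is not available)
+JWT="{{ rpm_sign_jwt }}"
+
+# --- Optional: custom CA for verifying the server certificate ---
+SERVER_CA="$SCRIPT_DIR/rpm-sign-server.pem"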
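Review bot: `SERVER_BASE="{{ rpm_sign_server_base }}"` and `JWT="{{ rpm_sign_jwt }}"` render from variables that default to `""` in this PR's common.yml, so a host with neither set gets a config that is valid shell but names no server and no credential, and the failure only surfaces when signing runs. Rendering with `SERVER_BASE="{{ rpm_sign_server_base | mandatory }}"` fails the play at deploy time with a clear message instead; the JWT can stay optional since the comment documents it as a fallback. The comment `mTLS is preferred when both are set` describes a choice made elsewhere, presumably in `rpm-sign.local`, which is not in this PR; a pointer to where this file is consumed would help the next reader.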