From e75294e6b1bf1e24b518e5f6a2f92f9732e3c44b Mon Sep 17 00:00:00 2001
From: Paul Belanger
Date: Tue, 27 Mar 2018 23:01:04 -0400
Subject: [PATCH] Add support to manage SSL cert

Since gear support SSL certs, add in some support to place them into the SSL folder. It is possible we might want to move this into an ansible role, but for now it seems minimal to support it.

Change-Id: I3e4c83c962f550b8cb6aef11a2a9b42288b3f1da
Depends-On: https://review.openstack.org/557428
Signed-off-by: Paul Belanger
---
 defaults/main.yaml | 21 ++++++++++
 tasks/config.yaml | 31 ++++++++++++++
 templates/etc/gear/ssl/root-ca.pem | 4 ++
 templates/etc/gear/ssl/server.key | 4 ++
 templates/etc/gear/ssl/server.pem | 4 ++
 templates/etc/systemd/system/gear.service | 2 +-
 tests/test.yaml | 49 +++++++++++++++++++++++
 7 files changed, 114 insertions(+), 1 deletion(-)
 create mode 100644 templates/etc/gear/ssl/root-ca.pem
 create mode 100644 templates/etc/gear/ssl/server.key
 create mode 100644 templates/etc/gear/ssl/server.pem

diff --git a/defaults/main.yaml b/defaults/main.yaml
index e94bf32..818160d 100644
--- a/defaults/main.yaml
+++ b/defaults/main.yaml
@@ -24,6 +24,27 @@ gear_user_name: gear
 gear_user_group: gear
 gear_user_home: /var/lib/gear
+gear_file_ssl_ca_content:
+gear_file_ssl_ca_dest: /etc/gear/ssl/root-ca.pem
+gear_file_ssl_ca_group: "{{ gear_user_group }}"
+gear_file_ssl_ca_mode: 0644
+gear_file_ssl_ca_owner: "{{ gear_user_name }}"
+gear_file_ssl_ca_src: etc/gear/ssl/root-ca.pem
+
+gear_file_ssl_cert_content:
+gear_file_ssl_cert_dest: /etc/gear/ssl/server.pem
+gear_file_ssl_cert_group: "{{ gear_user_group }}"
+gear_file_ssl_cert_mode: 0644
+gear_file_ssl_cert_owner: "{{ gear_user_name }}"
+gear_file_ssl_cert_src: etc/gear/ssl/server.pem
+
+gear_file_ssl_key_content:
+gear_file_ssl_key_dest: /etc/gear/ssl/server.key
+gear_file_ssl_key_group: "{{ gear_user_group }}"
+gear_file_ssl_key_mode: 0600
+gear_file_ssl_key_owner: "{{ gear_user_name }}"
+gear_file_ssl_key_src: etc/gear/ssl/server.key
+
 # tasks/install.yaml
 gear_git_dest: "{{ ansible_user_dir }}/src/git.openstack.org/openstack-infra/gear"
 gear_git_uri: https://git.openstack.org/openstack-infra/gear
diff --git a/tasks/config.yaml b/tasks/config.yaml
index db0ecc5..0969b97 100644
--- a/tasks/config.yaml
+++ b/tasks/config.yaml
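Review bot: `gear_file_ssl_key_content:` is private key material that every consumer of this role must supply, yet nothing in the defaults says how; add above it `# Private key material: supply from an ansible-vault encrypted variable, never from plain group_vars or -e on the command line.` The three modes are written as unquoted octal (`gear_file_ssl_ca_mode: 0644`, `gear_file_ssl_key_mode: 0600`), which a YAML 1.1 loader turns into the integers 420 and 384 before they are templated into the tasks' `mode:` arguments; quoting them (`gear_file_ssl_key_mode: "0600"`) keeps the value a string end to end and is the form the Ansible docs recommend. The `*_content` defaults are bare `key:` entries, i.e. null, so a caller who never sets them still gets the three template tasks run with nothing to render — worth a comment here so the null default reads as deliberate.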
@@ -21,4 +21,35 @@
 state: directory
 with_items:
 - /etc/gear
+ - /etc/gear/ssl
 - /var/log/gear
+
+- name: Install gear ssl ca configuration.
+ become: yes
+ template:
+ dest: "{{ gear_file_ssl_ca_dest }}"
+ group: "{{ gear_file_ssl_ca_group }}"
+ mode: "{{ gear_file_ssl_ca_mode }}"
+ owner: "{{ gear_file_ssl_ca_owner }}"
+ src: "{{ gear_file_ssl_ca_src }}"
+ register: gear_file_ssl_ca
+
+- name: Install gear ssl cert configuration.
+ become: yes
+ template:
+ dest: "{{ gear_file_ssl_cert_dest }}"
+ group: "{{ gear_file_ssl_cert_group }}"
+ mode: "{{ gear_file_ssl_cert_mode }}"
+ owner: "{{ gear_file_ssl_cert_owner }}"
+ src: "{{ gear_file_ssl_cert_src }}"
+ register: gear_file_ssl_cert
+
+- name: Install gear ssl key configuration.
+ become: yes
+ template:
+ dest: "{{ gear_file_ssl_key_dest }}"
+ group: "{{ gear_file_ssl_key_group }}"
+ mode: "{{ gear_file_ssl_key_mode }}"
+ owner: "{{ gear_file_ssl_key_owner }}"
+ src: "{{ gear_file_ssl_key_src }}"
+ register: gear_file_ssl_key
diff --git a/templates/etc/gear/ssl/root-ca.pem b/templates/etc/gear/ssl/root-ca.pem
new file mode 100644
index 0000000..9ae6fba
--- /dev/null
+++ b/templates/etc/gear/ssl/root-ca.pem
@@ -0,0 +1,4 @@
+# This file is generated by Ansible
+# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
+#
+{{ gear_file_ssl_ca_content }}
diff --git a/templates/etc/gear/ssl/server.key b/templates/etc/gear/ssl/server.key
new file mode 100644
index 0000000..09dca8d
--- /dev/null
+++ b/templates/etc/gear/ssl/server.key
@@ -0,0 +1,4 @@
+# This file is generated by Ansible
+# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
+#
+{{ gear_file_ssl_key_content }}
diff --git a/templates/etc/gear/ssl/server.pem b/templates/etc/gear/ssl/server.pem
new file mode 100644
index 0000000..3c6d142
--- /dev/null
+++ b/templates/etc/gear/ssl/server.pem
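Review bot: The `Install gear ssl key configuration.` task writes a private key with `template` but carries no `no_log: true`, so any run with `--diff` or `-vvv` prints the rendered key into the console output and into whatever CI log captures it; add `no_log: true` next to `become: yes` on that task (the CA and cert tasks can keep their diff output, they are public material). All three tasks also run unconditionally while the `gear_file_ssl_*_content` variables default to null, so a host that never sets them still gets three files under /etc/gear/ssl whose only content is the template banner; a guard such as `when: gear_file_ssl_key_content is not none` on each task, or a single role flag, would make the SSL step opt-in. The `file` task whose loop gains `/etc/gear/ssl` starts before this hunk, so the directory's owner and mode cannot be checked from here.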
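Review bot: The rendered server.key is the three-line `#` banner followed by `{{ gear_file_ssl_key_content }}`, so the file on disk is not pure PEM; OpenSSL-backed readers skip text ahead of the `-----BEGIN` line, but whether the loader geard uses (added by the Depends-On change, not visible here) is equally tolerant should be confirmed before relying on the banner. With the variable defaulting to null, a host that leaves it unset still gets a file containing no key at all, which presumably surfaces only when geard starts rather than at deploy time. Recording both assumptions in the template would help the next maintainer: `# Key material comes from gear_file_ssl_key_content (vault it); the comment lines above rely on the PEM reader ignoring pre-BEGIN text.`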
@@ -0,0 +1,4 @@
+# This file is generated by Ansible
+# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
+#
+{{ gear_file_ssl_cert_content }}
diff --git a/templates/etc/systemd/system/gear.service b/templates/etc/systemd/system/gear.service
index 774f34b..bffd362 100644
--- a/templates/etc/systemd/system/gear.service
+++ b/templates/etc/systemd/system/gear.service
@@ -9,7 +9,7 @@ Type=simple
 Environment="PREFIX=/usr/local"
 Group=gear
 User=gear
-ExecStart=/bin/sh -c "${PREFIX}/bin/geard -d"
+ExecStart=/bin/sh -c "${PREFIX}/bin/geard -d ${ARGS}"
 [Install]
 WantedBy=multi-user.target
diff --git a/tests/test.yaml b/tests/test.yaml
index 8491418..54cf027 100644
--- a/tests/test.yaml
+++ b/tests/test.yaml
@@ -21,6 +21,13 @@
 - "{{ rolename }}"
 post_tasks:
+ - name: Assert results are registered.
+ assert:
+ that:
+ - gear_file_ssl_ca
+ - gear_file_ssl_cert
+ - gear_file_ssl_key
+
 - name: Ensure gear_user_name is gear.
 shell: /usr/bin/getent passwd gear
 tags: skip_ansible_lint
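Review bot: `${ARGS}` is expanded by systemd from the unit's own environment before the string is handed to `/bin/sh`, and the only environment this unit declares is `Environment="PREFIX=/usr/local"`, so unless an `Environment=` or `EnvironmentFile=` line exists outside the hunk it expands to nothing and geard keeps starting without any SSL options — the files placed under /etc/gear/ssl would be installed but never used. Declare where the value comes from, e.g. `EnvironmentFile=-/etc/default/gear` after the `Environment=` line, and say what it is for: `# ARGS: extra geard flags (the SSL key/cert/CA options from the dependent gear change); set in /etc/default/gear`. The leading `-` keeps the unit starting when the file is absent, which preserves today's behaviour for hosts that do not opt in.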
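Review bot: `- gear_file_ssl_ca` asserts only that the registered variable is truthy, and a registered task result is always a non-empty dict — including when the task is skipped or fails with `ignore_errors` — so this assert cannot fail for a broken template step. Assert on the result's state or on a field the task is known to return instead, e.g. `- gear_file_ssl_key is success` and `- gear_file_ssl_key.dest == '/etc/gear/ssl/server.key'`, which fail for exactly the cases this check is meant to catch.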
@@ -60,3 +67,45 @@
 that:
 - gear_git_dest_stat.stat.exists
 - gear_git_dest_stat.stat.isdir
+
+ - name: Register /etc/gear/ssl/root-ca.pem
+ stat:
+ path: /etc/gear/ssl/root-ca.pem
+ register: _gear_file_ssl_ca_stat
+
+ - name: Assert _gear_file_ssl_ca_stat tests.
+ assert:
+ that:
+ - _gear_file_ssl_ca_stat.stat.exists
+ - _gear_file_ssl_ca_stat.stat.isreg
+ - _gear_file_ssl_ca_stat.stat.pw_name == 'gear'
+ - _gear_file_ssl_ca_stat.stat.gr_name == 'gear'
+ - _gear_file_ssl_ca_stat.stat.mode == '0644'
+
+ - name: Register /etc/gear/ssl/server.pem
+ stat:
+ path: /etc/gear/ssl/server.pem
+ register: _gear_file_ssl_cert_stat
+
+ - name: Assert _gear_file_ssl_cert_stat tests.
+ assert:
+ that:
+ - _gear_file_ssl_cert_stat.stat.exists
+ - _gear_file_ssl_cert_stat.stat.isreg
+ - _gear_file_ssl_cert_stat.stat.pw_name == 'gear'
+ - _gear_file_ssl_cert_stat.stat.gr_name == 'gear'
+ - _gear_file_ssl_cert_stat.stat.mode == '0644'
+
+ - name: Register /etc/gear/ssl/server.key
+ stat:
+ path: /etc/gear/ssl/server.key
+ register: _gear_file_ssl_key_stat
+
+ - name: Assert _gear_file_ssl_key_stat tests.
+ assert:
+ that:
+ - _gear_file_ssl_key_stat.stat.exists
+ - _gear_file_ssl_key_stat.stat.isreg
+ - _gear_file_ssl_key_stat.stat.pw_name == 'gear'
+ - _gear_file_ssl_key_stat.stat.gr_name == 'gear'
+ - _gear_file_ssl_key_stat.stat.mode == '0600'
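Review bot: The new assertions check existence, owner, group and mode but never the content, and nothing in this hunk supplies a `gear_file_ssl_*_content` value (the play's vars are outside the hunk, so I may be missing them), so the files under test presumably hold only the template banner and the rendering path is never exercised. Feed a recognisable dummy through the test vars and check it landed — for example `slurp` /etc/gear/ssl/server.key into `_gear_file_ssl_key_content` and assert `"'DUMMY-KEY' in (_gear_file_ssl_key_content.content | b64decode)"` — so a broken variable name in the template fails CI instead of a deployment. The `'0600'` check on server.key is the right one for private key material and should stay as the strictest of the three.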