Merge pull request #26 from stackhpc/content-guard

Add pulp_content_guard role

Author: markgoddard

README.md

@@ -11,6 +11,7 @@ Tested with the current Ansible 2.9-2.10 releases.
 
 ## Included content
 
+pulp_contentguard role
 pulp_repository role
 
 ## Using this collection

roles/pulp_content_guard/README.md

@@ -0,0 +1,39 @@
+pulp_content_guard
+==================
+
+This role manages Pulp content guards.
+
+Role variables
+--------------
+
+* `pulp_url`: URL of Pulp server. Default is `https://localhost:8080`
+* `pulp_username`: Username used to access Pulp server. Default is `admin`
+* `pulp_password`: Password used to access Pulp server. Default is unset
+* `pulp_validate_certs`: Whether to validate Pulp server certificate. Default is `true`
+* `pulp_content_guard_x509_cert_guards`: List of x509 cert guards. Each item is
+  a dict with the following keys: `name`, `description`, `ca_certificate`,
+  `state`.
+
+
+Example playbook
+----------------
+
+```
+---
+- name: Create Pulp content guards
+  any_errors_fatal: True
+  gather_facts: True
+  hosts: all
+  roles:
+    - role: stackhpc.pulp.pulp_contentguard
+      pulp_username: admin
+      pulp_password: "{{ secrets_pulp_admin_password }}"
+      pulp_content_guard_x509_cert_guards:
+        - name: test_cert_guard
+          description: For testing
+          ca_certificate: |-
+            -----BEGIN CERTIFICATE-----
+            ...
+            -----END CERTIFICATE-----
+          state: present
+```

roles/pulp_content_guard/defaults/main.yml

@@ -0,0 +1,7 @@
+---
+pulp_url: https://localhost:8080
+pulp_username: admin
+pulp_password:
+pulp_validate_certs: true
+
+pulp_content_guard_x509_cert_guards: []

roles/pulp_content_guard/tasks/main.yml

@@ -0,0 +1,14 @@
+---
+- name: Ensure x509 cert guards exist
+  pulp.squeezer.x509_cert_guard:
+    pulp_url: "{{ pulp_url }}"
+    username: "{{ pulp_username }}"
+    password: "{{ pulp_password }}"
+    validate_certs: "{{ pulp_validate_certs | bool }}"
+    name: "{{ item.name }}"
+    description: "{{ item.description | default(omit) }}"
+    ca_certificate: "{{ item.ca_certificate | default(omit) }}"
+    state: "{{ item.state }}"
+  with_items: "{{ pulp_content_guard_x509_cert_guards }}"
+  loop_control:
+    label: "{{ item.name }}"

roles/pulp_distribution/README.md

@@ -42,11 +42,12 @@ Example playbook
           base_path: pulp/pulp
           repository: pulp/pulp
           state: present
-        # Distribute version 2 of the pulp/pulp repository.
+        # Distribute version 2 of the pulp/pulp repository with a content guard.
         - name: pulp/pulp
           base_path: pulp/pulp
           repository: pulp/pulp
           version: 2
+          content_guard: secure-content-guard
           state: present
       pulp_distribution_deb:
         # Distribute the latest version of the ubuntu-focal repository.
@@ -60,10 +61,11 @@ Example playbook
           repository: ubuntu-focal-security
           version: 2
           state: present
-        # Distribute the same publication as the ubuntu-focal distribution.
+        # Distribute the same publication as the ubuntu-focal distribution with a content guard.
         - name: ubuntu-focal-production
           base_path: ubuntu-focal-production
           distribution: ubuntu-focal
+          content_guard: secure-content-guard
           state: present
       pulp_distribution_rpm:
         # Distribute the latest version of the centos-baseos repository.
@@ -77,9 +79,10 @@ Example playbook
           repository: centos-appstream
           version: 2
           state: present
-        # Distribute the same publication as the centos-baseos distribution.
+        # Distribute the same publication as the centos-baseos distribution with a content guard.
         - name: centos-baseos-production
           base_path: centos-baseos-production
           distribution: centos-baseos
+          content_guard: secure-content-guard
           state: present
 ```

roles/pulp_distribution/tasks/container.yml

@@ -9,5 +9,6 @@
     base_path: "{{ item.base_path }}"
     repository: "{{ item.repository }}"
     version: "{{ item.version | default(omit) }}"
+    content_guard: "{{ item.content_guard | default(omit) }}"
     state: "{{ item.state }}"
   with_items: "{{ pulp_distribution_container }}"

roles/pulp_distribution/tasks/deb.yml

@@ -46,6 +46,7 @@
     name: "{{ item.name }}"
     base_path: "{{ item.base_path }}"
     publication: "{{ pubs[0].pulp_href if item.state == 'present' else omit }}"
+    content_guard: "{{ item.content_guard | default(omit) }}"
     state: "{{ item.state }}"
   with_items: "{{ pulp_distribution_deb }}"
   when: >-

roles/pulp_distribution/tasks/rpm.yml

@@ -46,6 +46,7 @@
     name: "{{ item.name }}"
     base_path: "{{ item.base_path }}"
     publication: "{{ pubs[0].pulp_href if item.state == 'present' else omit }}"
+    content_guard: "{{ item.content_guard | default(omit) }}"
     state: "{{ item.state }}"
   with_items: "{{ pulp_distribution_rpm }}"
   when: >-