From 20ca8390f83ec240024bb55873a1929778fb465f Mon Sep 17 00:00:00 2001 From: Fabian Arrotin Date: Aug 03 2021 11:25:39 +0000 Subject: Added simple adhoc snippet to force tls push with ansible for ci/stream infra Signed-off-by: Fabian Arrotin --- diff --git a/docs/security/tls.md b/docs/security/tls.md index 426e66d..75f08a4 100644 --- a/docs/security/tls.md +++ b/docs/security/tls.md @@ -237,7 +237,27 @@ Validating cert [koji.mbox.centos.org.crt] with CAChain [koji.mbox.centos.org-CA koji.mbox.centos.org.crt: OK ``` -Once it's committed/pushed to pkistore git repo, tobisna (ansible bot) will deploy the renewed TLS certs automatically +Let's consider now three infrastructures and how to push renewed certs : +#### CentOS public infra (including .dev. and .stg. infra) +Once it's committed/pushed to pkistore git repo, tobisna (ansible bot) will deploy the renewed TLS certs automatically. +You can still "force" the playbook execution if you want, from ansible bot host but should be done automatically and you can see reports through ARA. + +#### CentOS CI infra +There is no dedicated ansible host/management station for ci infra (yet) so you have to run it yourself. +Once you have pushed the renewed certs (through git-crypted pkistore git repo), you can just apply with : +``` +for role in haproxy ocp-admin-node ; do + ansible-playbook playbooks/role-${role}.yml --tags "tls,pki,certs" +done +``` + +#### CentOS Stream infra +Same as for other parts of infra, except that you *have* to encrypt with ansible-vault before git commit/git push operations (important). +Once done : + +``` +ansible-playbook-stream playbooks/role-haproxy.yml --tags "tls,pki" +```
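Review bot: The two added snippets pass different tag sets, and the text does not say whether that is intentional: the CI loop runs `ansible-playbook playbooks/role-${role}.yml --tags "tls,pki,certs"` while the Stream command runs `ansible-playbook-stream playbooks/role-haproxy.yml --tags "tls,pki"`. If the haproxy role tags its certificate tasks with `certs`, the Stream invocation will silently skip them and the renewed cert will not be deployed; either align the tag lists or add a sentence explaining why they differ. Two smaller documentation points in the same hunk: the Stream section stresses that the pkistore files "*have*" to be ansible-vault encrypted before commit/push, but gives no way to confirm that, so a one-line check (for example verifying the file starts with the `$ANSIBLE_VAULT;` header before `git add`) would make the warning actionable rather than a reminder; and the CI section says to run the playbooks "yourself" without naming the inventory or a host with access to the CI nodes, which a reader following this page for the first time will need. Style: the three new fenced blocks are untagged, while the block just above them in the same file renders fine, so tagging them as `bash` keeps the page consistent, and "renewed certs :" has a stray space before the colon.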