Split installation into three distinct phases

.github/workflows/test.yml

@@ -61,6 +61,6 @@ jobs:
           ansible-playbook playbooks/images.yaml
       - name: Run deployment
         run: |
-          ansible-playbook playbooks/deploy.yaml
+          ansible-playbook playbooks/3-stage-deploy.yaml
       - name: Run tests
         run: ./run_tests

playbooks/3-stage-deploy.yaml

@@ -0,0 +1,143 @@
+- name: Generate certificates
+  become: true
+  hosts:
+    - quadlet
+  vars_files:
+    - "../vars/{{ certificate_source }}_certificates.yml"
+  vars:
+    certificate_source: default
+    certificates_hostnames:
+      - "{{ ansible_fqdn }}"
+      - localhost
+    certificates_ca_password: "CHANGEME"
+  roles:
+    - role: certificates
+      when: "certificate_source == 'default'"
+    - role: certificate_checks
+      vars:
+        certificate_checks_certificate: "{{ server_certificate }}"
+        certificate_checks_key: "{{ server_key }}"
+        certificate_checks_ca: "{{ ca_certificate }}"
+
+- name: Install server
+  become: true
+  hosts:
+    - quadlet
+  vars_files:
+    - "../vars/{{ certificate_source }}_certificates.yml"
+    - "../vars/images.yml"
+  vars:
+    certificate_source: default
+    candlepin_db_password: "CHANGEME"
+    candlepin_keystore_password: "CHANGEME"
+    candlepin_oauth_secret: "CHANGEME"
+    candlepin_ca_key_password: "{{ ca_key_password }}"
+    candlepin_ca_key: "{{ ca_key }}"
+    candlepin_ca_certificate: "{{ ca_certificate }}"
+    candlepin_tomcat_key: "{{ localhost_key }}"
+    candlepin_tomcat_certificate: "{{ localhost_certificate }}"
+    candlepin_client_key: "{{ client_key }}"
+    candlepin_client_certificate: "{{ client_certificate }}"
+    foreman_ca_certificate: "{{ ca_certificate }}"
+    foreman_client_key: "{{ client_key }}"
+    foreman_client_certificate: "{{ client_certificate }}"
+    foreman_db_password: "CHANGEME"
+    foreman_oauth_consumer_key: abcdefghijklmnopqrstuvwxyz123456
+    foreman_oauth_consumer_secret: abcdefghijklmnopqrstuvwxyz123456
+    httpd_server_ca_certificate: "{{ ca_certificate }}"
+    httpd_client_ca_certificate: "{{ ca_certificate }}"
+    httpd_server_certificate: "{{ server_certificate }}"
+    httpd_server_key: "{{ server_key }}"
+    pulp_db_password: "CHANGEME"
+    pulp_content_origin: "https://{{ ansible_fqdn }}"
+    pulp_pulp_url: "https://{{ ansible_fqdn }}"
+    postgresql_restarted_state: started
+    postgresql_databases:
+      - name: candlepin
+        owner: candlepin
+      - name: foreman
+        owner: foreman
+      - name: pulp
+        owner: pulp
+    postgresql_users:
+      - name: candlepin
+        password: "{{ candlepin_db_password }}"
+      - name: foreman
+        password: "{{ foreman_db_password }}"
+      - name: pulp
+        password: "{{ pulp_db_password }}"
+    postgresql_hba_entries:
+      - { type: local, database: all, user: postgres, auth_method: ident }
+      - { type: local, database: all, user: all, auth_method: ident }
+      - { type: host, database: all, user: postgres, address: '127.0.0.1/32', auth_method: md5 }
+      - { type: host, database: all, user: postgres, address: '0.0.0.0/0', auth_method: reject }
+      - { type: host, database: all, user: all, address: '127.0.0.1/32', auth_method: md5 }
+      - { type: host, database: all, user: all, address: '::1/128', auth_method: md5 }
+  roles:
+    - geerlingguy.postgresql
+    - redis
+    - candlepin
+    - httpd
+    - pulp
+    - foreman
+
+- name: Install smart-proxy
+  become: true
+  hosts:
+    - quadlet
+  vars_files:
+    - "../vars/{{ certificate_source }}_certificates.yml"
+  vars:
+    certificate_source: default
+    foreman_oauth_consumer_key: abcdefghijklmnopqrstuvwxyz123456
+    foreman_oauth_consumer_secret: abcdefghijklmnopqrstuvwxyz123456
+  pre_tasks:
+    - name: Enable foreman-installer PR 1016 Copr repo
+      community.general.copr:
+        host: copr.fedorainfracloud.org
+        state: enabled
+        name: packit/theforeman-foreman-installer-1016
+        chroot: rhel-9-x86_64
+
+    - ansible.builtin.include_role:
+        name: theforeman.operations.puppet_repositories
+      vars:
+        foreman_puppet_repositories_version: "8"
+
+    - ansible.builtin.include_role:
+        name: theforeman.operations.foreman_repositories
+      vars:
+        foreman_repositories_version: nightly
+        foreman_repositories_katello_version: nightly
+
+    - name: Install foreman-proxy
+      package:
+        name: foreman-proxy
+
+    - name: Deploy default certificates
+      ansible.builtin.copy:
+        src: "{{ item.value }}"
+        dest: "{{ item.key }}"
+        remote_src: true
+        owner: foreman-proxy
+        group: foreman-proxy
+        mode: 440
+      loop: "{{ certs | dict2items }}"
+      vars:
+        certs:
+          '/etc/foreman-proxy/foreman_ssl_ca.pem': "{{ ca_certificate }}"
+          '/etc/foreman-proxy/foreman_ssl_cert.pem': "{{ client_certificate }}"
+          '/etc/foreman-proxy/foreman_ssl_key.pem': "{{ client_key }}"
+          '/etc/foreman-proxy/ssl_ca.pem': "{{ ca_certificate }}"
+          '/etc/foreman-proxy/ssl_cert.pem': "{{ server_certificate }}"
+          '/etc/foreman-proxy/ssl_key.pem': "{{ server_key }}"
+  roles:
+    - role: theforeman.operations.installer
+      vars:
+        foreman_installer_scenario: katello
+        foreman_installer_package: foreman-installer-katello
+        foreman_installer_options:
+          - '--foreman-proxy-oauth-consumer-key {{ foreman_oauth_consumer_key }}'
+          - '--foreman-proxy-oauth-consumer-secret {{ foreman_oauth_consumer_secret }}'
+          - '--no-enable-katello'
+          - '--tuning development'

playbooks/deploy.yaml

@@ -1,7 +1,7 @@
 ---
 - name: Setup quadlet demo machine
   hosts:
-    - quadlet
+    - localhost
   become: true
   vars_files:
     - "../vars/{{ certificate_source }}_certificates.yml"
@@ -22,11 +22,6 @@
     candlepin_tomcat_certificate: "{{ localhost_certificate }}"
     candlepin_client_key: "{{ client_key }}"
     candlepin_client_certificate: "{{ client_certificate }}"
-    foreman_proxy_ca_certificate: "{{ ca_certificate }}"
-    foreman_proxy_server_key: "{{ server_key }}"
-    foreman_proxy_server_certificate: "{{ server_certificate }}"
-    foreman_proxy_client_key: "{{ client_key }}"
-    foreman_proxy_client_certificate: "{{ client_certificate }}"
     foreman_ca_certificate: "{{ ca_certificate }}"
     foreman_client_key: "{{ client_key }}"
     foreman_client_certificate: "{{ client_certificate }}"
@@ -40,6 +35,8 @@
     pulp_db_password: "CHANGEME"
     pulp_content_origin: "https://{{ ansible_fqdn }}"
     postgresql_restarted_state: started
+    pulp_pulp_url: "https://{{ ansible_fqdn }}"
+    postgresql_restarted_state: started
     postgresql_databases:
       - name: candlepin
         owner: candlepin
@@ -62,6 +59,8 @@
       - { type: host, database: all, user: all, address: '127.0.0.1/32', auth_method: md5 }
       - { type: host, database: all, user: all, address: '::1/128', auth_method: md5 }
   roles:
+    - role: foreman_certs
+      when: "certificate_source == 'installer'"
     - role: certificates
       when: "certificate_source == 'default'"
     - role: certificate_checks
@@ -74,5 +73,13 @@
     - candlepin
     - httpd
     - pulp
-    - foreman_proxy
     - foreman
+    - role: theforeman.operations.installer
+      vars:
+        foreman_installer_scenario: katello
+        foreman_installer_package: foreman-installer-katello
+        foreman_installer_options:
+          - '--foreman-proxy-oauth-consumer-key {{ foreman_oauth_consumer_key }}'
+          - '--foreman-proxy-oauth-consumer-secret {{ foreman_oauth_consumer_secret }}'
+          - '--tuning development'
+      when: "certificate_source == 'installer'"

requirements.yml

@@ -6,6 +6,7 @@ collections:
   - name: containers.podman
     version: ">=1.14.0"
   - name: theforeman.foreman
+  - name: theforeman.operations
   - name: https://github.com/theforeman/forklift
     type: git
 

roles/foreman/tasks/main.yaml

@@ -143,8 +143,8 @@
 
 - name: Configure Foreman Proxy
   theforeman.foreman.smart_proxy:
-    name: "{{ ansible_fqdn }}"
-    url: "https://{{ ansible_fqdn }}:9090"
+    name: "{{ ansible_fqdn }}-pulp"
+    url: "https://{{ ansible_fqdn }}/pulp/api/v3/smart_proxy"
     server_url: "http://{{ ansible_fqdn }}:3000"
     username: admin
     password: changeme

roles/foreman_certs/tasks/main.yml

@@ -0,0 +1,3 @@
+# utilize https://github.com/theforeman/foreman-installer/pull/935
+- name: Generate certs
+  ansible.builtin.command: foreman-certs --apache true --foreman true --candlepin true --foreman-proxy true

roles/pulp/defaults/main.yaml

@@ -1,5 +1,5 @@
 ---
-pulp_image: quay.io/pulp/pulp-minimal:3.63
+pulp_image: quay.io/evgeni/pulp-smart:latest
 pulp_api_image: "{{ pulp_image }}"
 pulp_content_image: "{{ pulp_image }}"
 pulp_worker_image: "{{ pulp_image }}"
@@ -14,5 +14,7 @@ pulp_content_container_name: pulp-content
 pulp_worker_container_name: pulp-worker
 
 pulp_content_origin: "http://{{ ansible_fqdn }}:24816"
+pulp_rhsm_url: "https://{{ ansible_fqdn }}/rhsm"
+pulp_pulp_url: "http://{{ ansible_fqdn }}:24817"
 
 pulp_enable_analytics: false

roles/pulp/templates/settings.py.j2

@@ -18,3 +18,6 @@ AUTHENTICATION_BACKENDS=['pulpcore.app.authentication.PulpNoCreateRemoteUserBack
 REMOTE_USER_ENVIRON_NAME="HTTP_REMOTE_USER"
 REST_FRAMEWORK__DEFAULT_AUTHENTICATION_CLASSES=('rest_framework.authentication.SessionAuthentication', 'pulpcore.app.authentication.PulpRemoteUserAuthentication')
 ANALYTICS = {{ pulp_enable_analytics | ternary('True', 'False') }}
+
+SMART_PROXY_RHSM_URL="{{ pulp_rhsm_url }}"
+SMART_PROXY_PULP_URL="{{ pulp_pulp_url }}"

tests/foreman_proxy_test.py

@@ -36,8 +36,3 @@ def test_foreman_proxy_version(foreman_proxy_version_curl):
 def test_foreman_proxy_features(foreman_proxy_features_curl):
     assert foreman_proxy_features_curl.succeeded
     assert foreman_proxy_features_curl.stderr == '200'
-
-
-def test_pulpcore_feature(foreman_proxy_features_curl):
-    features = json.loads(foreman_proxy_features_curl.stdout)
-    assert 'pulpcore' in features.keys()

vars/default_certificates.yml

@@ -1,4 +1,5 @@
 ---
+certificates_ca_directory: "/root/certificates"
 ca_key_password: "{{ certificates_ca_directory }}/private/ca.pwd"
 ca_certificate: "{{ certificates_ca_directory }}/certs/ca.crt"
 ca_key: "{{ certificates_ca_directory }}/private/ca.key"

vars/images.yml

@@ -4,7 +4,7 @@ foreman_container_image: "quay.io/evgeni/foreman-rpm"
 foreman_container_tag: "nightly"
 foreman_proxy_container_image: "quay.io/evgeni/foreman-proxy-rpm"
 foreman_proxy_container_tag: "nightly"
-pulp_image: quay.io/pulp/pulp-minimal:3.63
+pulp_image: quay.io/evgeni/pulp-smart:latest
 redis_image: quay.io/sclorg/redis-6-c9s:latest
 
 images: