From 8005080b8bee23397c8723d82142ac7ba15ce663 Mon Sep 17 00:00:00 2001
From: Patrick Toal
Date: Tue, 20 Apr 2021 11:13:29 -0400
Subject: [PATCH] Update LetsEncrypt Certificate process for RHV-M
---
collections/requirements.yml | 7 +-
rhv_setup.yml | 69 +++++++++++++++----
roles/acme-certificate | 1 -
...nsible-role-redhat_satellite6_installation | 1 -
4 files changed, 61 insertions(+), 17 deletions(-)
delete mode 120000 roles/acme-certificate
delete mode 120000 roles/ansible-role-redhat_satellite6_installation
diff --git a/collections/requirements.yml b/collections/requirements.yml
index a40ad78..311e398 100644
--- a/collections/requirements.yml
+++ b/collections/requirements.yml
@@ -7,7 +7,8 @@ collections:
 source: https://galaxy.ansible.com
 - name: freeipa.ansible_freeipa
- source: https://hub.mgmt.toal.ca/api/galaxy/content/published/
+ source: https://galaxy.ansible.com
+ # source: https://hub.mgmt.toal.ca/api/galaxy/content/published/
 - name: redhat.rhv
 source: https://cloud.redhat.com/api/automation-hub/
@@ -26,3 +27,7 @@ collections:
 - name: redhat.satellite
 source: https://cloud.redhat.com/api/automation-hub/
+
+ - name: community.crypto
+ source: https://galaxy.ansible.com
+
diff --git a/rhv_setup.yml b/rhv_setup.yml
index da5a312..6fb8015 100644
--- a/rhv_setup.yml
+++ b/rhv_setup.yml
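Review bot: Neither the new `community.crypto` entry nor the `freeipa.ansible_freeipa` entry, which this hunk re-points from the internal hub to galaxy.ansible.com, carries a `version:` pin, so every `ansible-galaxy collection install -r` resolves to whatever is latest on public Galaxy at that moment. For a playbook that handles an ACME account key and a TLS private key this makes the toolchain non-reproducible and defers a supply-chain decision to install time. Pin both by adding `version: "<tested version>"` under each `name:` (placeholder, set to the versions the play was actually run with); the same applies to the second hunk of this file. That hunk also leaves a trailing blank `+` line at end of file, which yamllint will flag.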
@@ -1,18 +1,29 @@ --- +- name: Check for existing cert + hosts: rhv.mgmt.toal.ca + connection: local + + tasks: + - name: Information from existing key + community.crypto.x509_certificate_info: + path: "keys/{{ acme_certificate_domains|first }}.pem" + ignore_errors: yes + register: key_info + + - set_fact: + have_valid_cert: "{{ (key_info.not_after|to_datetime('%Y%m%d%H%M%SZ')).timestamp() > ansible_date_time.epoch|int + 2592000 }}" + when: + - not key_info.failed + # Probably want to split this out into a proper certificate management role for Toal.ca - name: Request TLS Certificate from LetsEncrypt - hosts: localhost + hosts: rhv.mgmt.toal.ca connection: local gather_facts: false # This doesn't belong here vars: - acme_email: ptoal@takeflight.ca - challenge: dns-01 - dns_provider: dme - root_certificate: https://letsencrypt.org/certs/trustid-x3-root.pem.txt - domains: - - rhv.mgmt.toal.ca - - rhv.lan.toal.ca + acme_certificate_root_certificate: https://letsencrypt.org/certs/trustid-x3-root.pem.txt + pre_tasks: - name: Ensure Let's Encrypt Account Exists 
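Review bot: `have_valid_cert` is only set when `x509_certificate_info` succeeded (`when: - not key_info.failed`), so on a first run, when `keys/{{ acme_certificate_domains|first }}.pem` does not exist yet, the fact stays undefined and the role condition `when: not have_valid_cert` in the next hunk fails on an undefined variable, unless the name is also defined in inventory, which the diff does not show. Fold the failure into the fact and drop the `when:`: `have_valid_cert: "{{ not key_info.failed and (key_info.not_after|to_datetime('%Y%m%d%H%M%SZ')).timestamp() > (ansible_date_time.epoch|int + 2592000) }}"` — Jinja's `and` short-circuits, so `not_after` is not evaluated when the lookup failed. `2592000` deserves a comment, `# renew when fewer than 30 days remain`, and `ignore_errors: yes` should read `true`. Note that this check looks only at expiry; a change to `acme_certificate_domains` will not trigger re-issuance while the old certificate is still valid.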
@@ -25,18 +36,41 @@ - mailto:ptoal@takeflight.ca account_key_content: "{{ acme_key }}" acme_version: 2 - roles: - - acme-certificate + - name: tmpfile for Account Key + tempfile: + state: file + register: acme_tmp_key + + - name: Account Key to File + copy: + dest: "{{ acme_tmp_key.path }}" + content: "{{ acme_key }}" + mode: "600" + + - set_fact: + acme_certificate_acme_account: "{{ acme_tmp_key.path }}" + + roles: + - name: felixfontein.acme_certificate + when: not have_valid_cert + + post_tasks: + - name: Remove tempfile + file: + path: "{{ acme_tmp_key.path }}" + state: absent - name: Install custom CA Certificate in RHV-M hosts: rhv.mgmt.toal.ca become: true + vars: + key_files_prefix: "keys/{{ acme_certificate_domains|first }}" tasks: - name: Certificate trust in store copy: - src: "{{ acme_rootchain_file }}" + src: "{{ key_files_prefix}}-rootchain.pem" dest: /etc/pki/ca-trust/source/anchors/ register: rootchain_result notify: restart httpd @@ -48,21 +82,21 @@ - name: CA Rootchain in Apache config copy: - src: "{{ acme_rootchain_file }}" + src: "{{ key_files_prefix }}-rootchain.pem" dest: /etc/pki/ovirt-engine/apache-ca.pem backup: yes notify: restart httpd - name: Private key installed copy: - src: "{{ acme_key_file }}" + src: "{{ key_files_prefix }}.key" dest: /etc/pki/ovirt-engine/keys/apache.key.nopass backup: yes notify: restart httpd - name: Certificate installed copy: - src: "{{ acme_cert_file }}" + src: "{{ key_files_prefix }}.pem" dest: /etc/pki/ovirt-engine/certs/apache.cer backup: yes notify: restart httpd @@ -114,6 +148,13 @@ # Hack to work around virtualenv python interpreter ansible_python_interpreter: "{{ ansible_playbook_python }}" tasks: + - name: Obtain SSO token for RHV + ovirt_auth: + url: "{{ ovirt_url }}" + username: "{{ ovirt_username }}" + insecure: true + password: "{{ ovirt_password }}" + - ovirt_network: auth: "{{ ovirt_auth }}" fetch_nested: true 
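Review bot: The temporary account-key file written in pre_tasks (`acme_tmp_key.path`, holding `acme_key` in plaintext) is only removed in post_tasks, and post_tasks do not run for a host once a task has failed for it, so a failed ACME run leaves the account key behind in the controller's temp directory. Roles cannot be wrapped in `block`/`always`, so move the tempfile, copy, set_fact and an `include_role` into `tasks:` with the removal under `always:` (the Check play already reads `acme_certificate_domains` before the role runs, so it is supplied from outside the role and the scoping change should be harmless). While there, add `no_log: true` to the copy so the key content is not echoed in verbose output, write the mode as `"0600"`, and fix the missing space in `{{ key_files_prefix}}-rootchain.pem`, which Jinja accepts but is inconsistent with the other three references. The account-registration pre_task and the `have_valid_cert` condition are left as they are in this sketch.
```yaml
  # … unchanged: pre_tasks registering the Let's Encrypt account …
  tasks:
    - name: Issue certificate with a temporary account-key file
      block:
        - name: tmpfile for Account Key
          tempfile:
            state: file
          register: acme_tmp_key

        - name: Account Key to File
          copy:
            dest: "{{ acme_tmp_key.path }}"
            content: "{{ acme_key }}"
            mode: "0600"
          no_log: true

        - set_fact:
            acme_certificate_acme_account: "{{ acme_tmp_key.path }}"

        - include_role:
            name: felixfontein.acme_certificate
          when: not have_valid_cert
      always:
        - name: Remove tempfile
          file:
            path: "{{ acme_tmp_key.path }}"
            state: absent
          when: acme_tmp_key.path is defined
```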
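Review bot: `Private key installed` now copies `{{ key_files_prefix }}.key` to `/etc/pki/ovirt-engine/keys/apache.key.nopass` without `mode`, `owner` or `group`, so the resulting permissions depend on what is already on the host (as far as I recall, copy keeps an existing destination's mode and otherwise applies the umask); pin them with `mode: "0600"` plus the owner and group the engine's existing key file uses. `backup: yes` on this task also keeps the previous private key as a timestamped copy in the same directory, which is worth a deliberate decision for key material, and per yamllint's truthy rule the three `backup: yes` lines should read `backup: true`. The enclosing play starts in the previous hunk.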
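Review bot: `insecure: true` on the new `ovirt_auth` task disables certificate verification of the RHV-M API, which works against the purpose of this commit: once the Let's Encrypt chain is installed into `/etc/pki/ovirt-engine/apache-ca.pem` the API endpoint can be verified. Replace it with `ca_file:` pointing at the chain available where this play runs (on the controller that is `keys/{{ acme_certificate_domains|first }}-rootchain.pem`, the same file the install play copies from), or drop the option altogether if default verification already succeeds against the publicly trusted chain; the play's `hosts:` is outside the hunk, so where `ca_file` resolves needs confirming. The SSO token is also never revoked; add a final task `ovirt_auth: state: absent` with `ovirt_auth: "{{ ovirt_auth }}"` so the token does not remain valid after the play ends.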
diff --git a/roles/acme-certificate b/roles/acme-certificate
deleted file mode 120000
index fc6fa7c..0000000
--- a/roles/acme-certificate
+++ /dev/null
@@ -1 +0,0 @@
-../../../ansible-role-dev/acme-certificate/
\ No newline at end of file
diff --git a/roles/ansible-role-redhat_satellite6_installation b/roles/ansible-role-redhat_satellite6_installation
deleted file mode 120000
index 4eb2335..0000000
--- a/roles/ansible-role-redhat_satellite6_installation
+++ /dev/null
@@ -1 +0,0 @@
-/Users/ptoal/Dev/ansible-role-redhat_satellite6_installation
\ No newline at end of file