jfrog / JFrog-Cloud-Installers

Template to deploy Artifactory Enterprise cluster.
Apache License 2.0

[ansible/artifactory] Allow to configure custom trusted certificates #368

Open jcoste-orange opened 8 months ago

jcoste-orange commented 8 months ago

Is this a BUG REPORT or FEATURE REQUEST? (choose one): FEATURE REQUEST

Which installer: Ansible

Which product and version (eg: ansible & collection version - 7.24.2): Artifactory 7.71.10

Which operating system and version(eg: ubuntu & version - 20.4): Ubuntu 20.04

Which product license (Enterprise/Pro): Enterprise

JFrog support reference (if already raised with support team):

What happened: I need to configure a trusted certificate to access an internal S3 server for my binary store. I can't configure it before playing the artifactory role (as folders are not yet created). If I run the role, Artifactory tries to start and fails as it can't access the S3 server.

What you expected to happen: It would be nice to be able to configure custom trusted certificates in the artifactory role.

How to reproduce it (as minimally and precisely as possible):

Anything else we need to know:

chukka commented 8 months ago

@jcoste-orange Thanks for reaching out! Can you share more information with an example?

jcoste-orange commented 8 months ago

Our S3 server is using a self-signed certificate. So we have to store the certificate in /opt/jfrog/artifactory/var/etc/security/keys/trusted/.

Today we have to patch the role to add a task like this:

    # Drops a custom CA / self-signed certificate into the directory that
    # Artifactory imports into its JVM trust store at startup.
    - name: copy custom cert
      become: true
      ansible.builtin.copy:
        src: "<local_custom_cert.crt>"
        dest: "/opt/jfrog/artifactory/var/etc/security/keys/trusted/custom.crt"
        owner: "{{ artifactory_user }}"
        group: "{{ artifactory_group }}"
        mode: "0600"        # quoted so YAML does not reinterpret the octal value
        # remote_src: true makes copy read src on the managed host;
        # omit it (or set false) to copy the file from the Ansible controller.
        remote_src: true

bbaassssiiee commented 8 months ago

The variables to do this are documented in this README.md

If you install your own certs, then you can set any path to the key and cert, and set the boolean ssl_certificate_install: false. I prefer to use a subdir under /etc/pki/tls, and not in the product directory.

jcoste-orange commented 8 months ago

No, ssl_certificate_install is to install the certificate that will be used (exposed) by Nginx. What we need is [this](https://jfrog.com/help/r/artifactory-how-to-debug-ssl-issues-with-artifactory/what-is-the-process-for-importing-ssl-certificates-into-the-jvm-keystore). So I need to be able to put some certificates in /opt/jfrog/artifactory/var/etc/security/keys/trusted/.

bbaassssiiee commented 8 months ago

Ok, clear. You could deploy with this variable, and start it after you have placed the cert there:

    artifactory_start_service: false
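Putting the two answers together, as an added example that is not part of this thread or of the collection's own code: a playbook that runs the role with `artifactory_start_service: false`, checks that the role created the trusted-keys directory, copies certificates from the controller into it, and only then starts the service. The role name `jfrog.platform.artifactory`, the systemd unit name `artifactory`, the variable `artifactory_trusted_certs` and the file path `files/certs/internal-s3-ca.crt` are assumptions; `artifactory_user` and `artifactory_group` are the role variables used above.

```yaml
# Added example (not from this thread or the jfrog collection).
# Assumptions: the role is invoked as jfrog.platform.artifactory and the
# systemd unit is named artifactory; adjust both for your environment.
- name: Install Artifactory with custom trusted certificates
  hosts: artifactory
  become: true
  vars:
    artifactory_trusted_dir: /opt/jfrog/artifactory/var/etc/security/keys/trusted
    # Constructed list of CA / self-signed certs stored on the Ansible controller
    artifactory_trusted_certs:
      - files/certs/internal-s3-ca.crt
  roles:
    - role: jfrog.platform.artifactory     # assumed role name
      vars:
        artifactory_start_service: false   # install only; do not start yet

  post_tasks:
    - name: Check that the role created the trusted-keys directory
      ansible.builtin.stat:
        path: "{{ artifactory_trusted_dir }}"
      register: trusted_dir

    - name: Fail here, not at Artifactory startup, if the directory is missing
      ansible.builtin.assert:
        that: trusted_dir.stat.exists
        fail_msg: "{{ artifactory_trusted_dir }} does not exist; the role did not create it"

    - name: Copy trusted certificates from the controller
      ansible.builtin.copy:
        src: "{{ item }}"
        dest: "{{ artifactory_trusted_dir }}/{{ item | basename }}"
        owner: "{{ artifactory_user }}"
        group: "{{ artifactory_group }}"
        mode: "0600"   # quoted octal; only the service account needs to read it
      loop: "{{ artifactory_trusted_certs }}"

    - name: Start Artifactory now that the certificates are in place
      ansible.builtin.systemd:
        name: artifactory   # assumed unit name
        state: started
        enabled: true
```

Only certificates you intend Artifactory to trust belong in that directory, since everything placed there is imported into the JVM trust store at the next start.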