ome / ansible-role-omero-server

Installs and configures OMERO.server
https://galaxy.ansible.com/ome/omero_server/
BSD 2-Clause "Simplified" License

Modify default variables to install self-signed certificates by default #70

Closed sbesson closed 11 months ago

sbesson commented 1 year ago

Recent changes to OMERO.py removing the ADH ciphers combined with increased security requirements on modern platforms means that an OMERO.server without self-signed certificates is unlikely to be able to function correctly. This change proposes to set the default value of the internal variable to true so that certificates are generated automatically on startup.

Note this is a backwards-incompatible change and should likely be included in a release increasing the major version number of this role.

pwalczysko commented 11 months ago

Negative test (without this PR, but comment out the omero_server_selfsigned_certificates definition)

  1. Comment out the definition of the variable from the used playbook (training-type of playbook, see https://github.com/openmicroscopy/management_tools/pull/1710)

    #omero_server_selfsigned_certificates: True
  2. Delete /opt/omero and /OMERO/*, stop and disable server and web services, uninstall postgres and nginx.

  3. Make sure the ome.omero_server role is installed (== without this PR)

  4. Observe that playbook finishes successfully, but the server is actually not responding to clients, insight, web and cli all claim Ice.ConnectionRefusedException: localhost:4064 isn't running or similar (server not responding for UI clients).

  5. omero admin diagnostics see below

Server:     icegridnode                    running
Server:     Blitz-0                        active (pid = 277466, enabled)
Server:     Indexer-0                      active (pid = 277488, enabled)
Server:     OMERO.Glacier2                 inactive (disabled)
Server:     OMERO.IceStorm                 active (pid = 277500, enabled)
Server:     Processor-0                    active (pid = 277499, enabled)
Server:     Tables-0                       active (pid = 277489, enabled)

pwalczysko commented 11 months ago

Positive test (with this PR, and comment out the omero_server_selfsigned_certificates definition)

  1. Comment out the definition of the variable from the used playbook (training-type of playbook, see https://github.com/openmicroscopy/management_tools/pull/1710)

    #omero_server_selfsigned_certificates: True
  2. Delete /opt/omero and /OMERO/*, stop and disable server and web services, uninstall postgres and nginx.

  3. Make sure the pwalczysko.omero_server role is installed (== with this PR) Edit: here was the error, the role was installed, but the changes were not in it...

  4. Observe that playbook finishes successfully. Server is responding to clients, insight connects and imports successfully.

  5. omero admin diagnostics see below

/opt/omero/server/OMERO.server/bin/omero admin diagnostics
/opt/omero/server/OMERO.server/etc/grid/config.xml read-only

================================================================================
OMERO Diagnostics (admin)
================================================================================

Commands:   java -version                  1.8.0     (/usr/bin/java)
Commands:   python -V                      3.9.18    (/opt/omero/server/venv3/bin/python)
Commands:   icegridnode --version          3.6.5     (/opt/ice/bin/icegridnode)
Commands:   icegridadmin --version         3.6.5     (/opt/ice/bin/icegridadmin)
Commands:   psql --version                 14.10     (/usr/bin/psql)
Commands:   openssl version                3.0.71    (/usr/bin/openssl)

Component:  OMERO.py                       5.17.0
Component:  OMERO.server                   5.6.8-ice36

Server:     icegridnode                    running
Server:     Blitz-0                        active (pid = 426906, enabled)
Server:     Indexer-0                      active (pid = 426927, enabled)
Server:     OMERO.Glacier2                 active (pid = 426928, enabled)
Server:     OMERO.IceStorm                 active (pid = 426925, enabled)
Server:     Processor-0                    active (pid = 426942, enabled)
Server:     Tables-0                       active (pid = 426946, enabled)

pwalczysko commented 11 months ago

Maybe some clue could be inside the play record of the playbook

If the server does not work (==the variable omero_server_selfsigned_certificates is not defined in the playbook), then the output of a task (see below) is claiming -certificates -v

TASK [pwalczysko.omero_server : omero server | configuration 00-omero-server.omero] ***
--- before: /opt/omero/server/config/00-omero-server.omero
+++ after: /Users/pwalczysko/.ansible/tmp/ansible-local-85556vivnmgfq/tmpl0v9v3db/00-omero-server-omero.j2
@@ -26,4 +26,3 @@
 config set -- omero.jvmcfg.percent.pixeldata 20
 config set -- omero.server.nodedescriptors master:Blitz-0,Indexer-0,Processor-0,Storm,Tables-0

-certificates -v
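Review bot: the only change in this hunk is the removal of `certificates -v` from the rendered 00-omero-server.omero, i.e. with `omero_server_selfsigned_certificates` left undefined the installed role no longer emits the command that generates the self-signed certificate at startup. That is consistent with OMERO.Glacier2 reporting `inactive (disabled)` and clients seeing Ice.ConnectionRefusedException in the negative test, so the task reporting `changed` is not by itself evidence of a working deployment; a play that relies on this template should verify that the line survives in the rendered file.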

changed: [134.36.4.3]

Whereas if it does work, the output of the same task is

TASK [pwalczysko.omero_server : omero server | configuration 00-omero-server.omero] ***
--- before: /opt/omero/server/config/00-omero-server.omero
+++ after: /Users/pwalczysko/.ansible/tmp/ansible-local-88093bz3js2_w/tmpqy1uruu7/00-omero-server-omero.j2
@@ -26,3 +26,4 @@
 config set -- omero.jvmcfg.percent.pixeldata 20
 config set -- omero.server.nodedescriptors master:Blitz-0,Indexer-0,Processor-0,Storm,Tables-0

+certificates -v
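Review bot: this hunk is the exact inverse of the previous one, `certificates -v` is added back to the rendered config, which is the expected rendering once the role shipping this PR's default of true is the one installed. The `before:` path is the same deployed file in both runs and the `after:` path is a temporary .j2 render, so the difference comes from the role's template and default, not from a manual edit of the server config.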

changed: [134.36.4.3]
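Both the `omero admin diagnostics` outputs pasted in the two test comments above and the two Ansible `--diff` outputs in this comment can be checked mechanically rather than by eye. The following is an added example, not code from this PR or from the ome.omero_server role: it parses the `Server:` lines of the diagnostics to flag components that are not active (OMERO.Glacier2 in particular, the router clients connect to on port 4064), and parses the `+`/`-` lines of the task diff to confirm that `certificates -v` is still present in the rendered 00-omero-server.omero. The sample inputs are constructed from the outputs quoted in the thread; the `after:` path in the constructed diff is a placeholder.

```python
"""Added example, not code from this PR or from the ome.omero_server role.

Two checks a deployer can run against the artefacts quoted in this thread:
  * parse `omero admin diagnostics` and flag components that are not active,
    in particular OMERO.Glacier2, the router clients connect to on port 4064;
  * parse the Ansible --diff output for 00-omero-server.omero and confirm the
    rendered config still contains `certificates -v`, the command that creates
    the self-signed certificate at startup.
Sample inputs below are constructed from the outputs pasted in the PR comments.
"""

import re
from typing import Dict, List

# Matches e.g. "Server:     Blitz-0    active (pid = 426906, enabled)"
SERVER_LINE = re.compile(r"^Server:\s+(\S+)\s+(.*?)\s*$")


def parse_diagnostics(text: str) -> Dict[str, str]:
    """Map each component named on a 'Server:' line to its status string."""
    components: Dict[str, str] = {}
    for line in text.splitlines():
        match = SERVER_LINE.match(line.strip())
        if match:
            components[match.group(1)] = match.group(2)
    return components


def unhealthy_components(text: str) -> List[str]:
    """Components whose status is neither 'running' nor 'active ...'."""
    return sorted(
        name
        for name, status in parse_diagnostics(text).items()
        if status != "running" and not status.startswith("active")
    )


def glacier2_accepting_clients(text: str) -> bool:
    """Glacier2 inactive means clients get Ice.ConnectionRefusedException on 4064
    even though icegridnode and Blitz-0 report as running/active."""
    return parse_diagnostics(text).get("OMERO.Glacier2", "").startswith("active")


def certificates_in_rendered_config(diff_text: str) -> bool:
    """True if the '+' (after) side of an Ansible --diff hunk keeps `certificates -v`.

    Context lines (leading space) are on both sides, '+' lines only on the after
    side, '-' lines only on the before side; '+++', '---' and '@@' lines are skipped.
    """
    present_after = False
    for line in diff_text.splitlines():
        if line.startswith(("+++", "---", "@@")):
            continue
        marker, body = line[:1], line[1:].strip()
        if body != "certificates -v":
            continue
        if marker in ("+", " "):
            present_after = True
        elif marker == "-":
            present_after = False
    return present_after


# Constructed from the diagnostics in the negative test (Glacier2 disabled).
NEGATIVE_DIAGNOSTICS = """\
Server:     icegridnode                    running
Server:     Blitz-0                        active (pid = 277466, enabled)
Server:     Indexer-0                      active (pid = 277488, enabled)
Server:     OMERO.Glacier2                 inactive (disabled)
Server:     OMERO.IceStorm                 active (pid = 277500, enabled)
Server:     Processor-0                    active (pid = 277499, enabled)
Server:     Tables-0                       active (pid = 277489, enabled)
"""

# Constructed from the positive test (all components active).
POSITIVE_DIAGNOSTICS = """\
Server:     icegridnode                    running
Server:     Blitz-0                        active (pid = 426906, enabled)
Server:     Indexer-0                      active (pid = 426927, enabled)
Server:     OMERO.Glacier2                 active (pid = 426928, enabled)
Server:     OMERO.IceStorm                 active (pid = 426925, enabled)
Server:     Processor-0                    active (pid = 426942, enabled)
Server:     Tables-0                       active (pid = 426946, enabled)
"""

# Constructed Ansible --diff hunks; context lines keep their leading space and
# the after: path is a placeholder, not the real temp path.
DIFF_CERTS_REMOVED = "\n".join([
    "--- before: /opt/omero/server/config/00-omero-server.omero",
    "+++ after: /tmp/placeholder/00-omero-server-omero.j2",
    "@@ -26,4 +26,3 @@",
    " config set -- omero.jvmcfg.percent.pixeldata 20",
    " config set -- omero.server.nodedescriptors master:Blitz-0,Indexer-0,Processor-0,Storm,Tables-0",
    " ",
    "-certificates -v",
])
DIFF_CERTS_ADDED = (
    DIFF_CERTS_REMOVED.replace("@@ -26,4 +26,3 @@", "@@ -26,3 +26,4 @@")
    .replace("-certificates -v", "+certificates -v")
)


if __name__ == "__main__":
    for label, diag, diff in (
        ("negative", NEGATIVE_DIAGNOSTICS, DIFF_CERTS_REMOVED),
        ("positive", POSITIVE_DIAGNOSTICS, DIFF_CERTS_ADDED),
    ):
        print(label, "unhealthy:", unhealthy_components(diag),
              "glacier2 ok:", glacier2_accepting_clients(diag),
              "certificates in config:", certificates_in_rendered_config(diff))
```

Run against a live deployment, `parse_diagnostics` takes the stdout of `bin/omero admin diagnostics` and `certificates_in_rendered_config` takes the task diff from `ansible-playbook --diff`; a `changed` task whose diff drops `certificates -v` is the state the negative test above ended in, which is why the diff rather than the task result is what to check.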

pwalczysko commented 11 months ago

Edit:

Deleted the previous text. The error was on my side, as I trusted too much that the galaxy install will perform as expected. The role was not published correctly, and the changes from this PR were not included, this is why I falsely concluded that this PR is not sufficient.

Sorry for the back and forth.

pwalczysko commented 11 months ago

Actually I do think though that this PR should be rebased on master please @sbesson ? (I tested the changes here in a setup where I cherry-picked them on top of master and then pushed a new role to ansible galaxy - this is why I got a bit entangled in that :) I think that it would be good to have an additional OK from GHA here.

Screenshot 2023-11-29 at 18 45 44

sbesson commented 11 months ago

Merged the mainline including the Rocky9/Ubuntu 22.04 changes

jburel commented 11 months ago

Discussed with @pwalczysko. Happy now that the github actions have been running on Rocky9 and ubuntu 22.04. Merging and tagging