
This commit adds an Ansible playbook that installs a new certificate into the UEFI Secure Boot trusted-certificate DB on all available hosts and, optionally, on all subclouds. Test Plan: PASS: Build playbookconfig package and image. PASS: Run playbook in an AIO-SX and check that it added the certificate. PASS: Run playbook in an AIO-DX and check that it added the certificate to both controllers. PASS: Run playbook in a DC and check that it added the certificate to subcloud controllers. PASS: Run playbook in a DC with a subcloud containing a worker node and check that it added the certificate to all hosts, including the subcloud worker node. PASS: Run playbook in a DC containing a host with secure boot disabled and check that it skips that host without failing. PASS: Run playbook with an expired certificate as input and see it fail. Story: 2011352 Task: 51687 Change-Id: Ie72fb67059addbe3f0fa341c81d0143c035e3e3d Signed-off-by: Rodrigo Tavares <Rodrigo.DosSantosTavares@windriver.com>
---
|
|
#
|
|
# Copyright (c) 2025 Wind River Systems, Inc.
|
|
#
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
#
|
|
# This is an example inventory file for use with the
|
|
# usr/share/ansible/stx-ansible/playbooks/update_secure_boot_certificate.yml
|
|
# playbook.
|
|
#
|
|
# To run the playbook, define an overrides file (as shown here)
|
|
# with the required variable settings and pass it as a parameter
|
|
# on the ansible command-line.
|
|
#
|
|
# Example ansible command:
|
|
# ansible-playbook /usr/share/ansible/stx-ansible/playbooks/update_secure_boot_certificate.yml \
|
|
# -i @my-inventory-file.yml \
|
|
# --extra-vars "target_list=localhost,subcloud1"
|
|
|
|
# Use target_list to specify individual subclouds, or a comma-separated
|
|
# list of subclouds such as 'subcloud1,subcloud2'. To target all online
|
|
# subclouds at once, use 'target_list=all_online_subclouds'.
|
|
#
|
|
# To target the system controller or standalone systems, use 'target_list=localhost'.
|
|
#
|
|
all:
|
|
vars:
|
|
# The contents to the secure boot certificate to be installed and the KEK
|
|
# to allow writing in UEFI db.
|
|
secure_boot_cert: <base64_cert>
|
|
key_exchange_key: <base64_key>
|
|
|
|
children:
|
|
# This will be applied to all online subclouds.
|
|
# Use the example below in hosts to override specific settings for a subcloud, such as passwords.
|
|
target_group:
|
|
vars:
|
|
# SSH password to connect to all subclouds
|
|
ansible_ssh_user: sysadmin
|
|
ansible_ssh_pass: <sysadmin-pwd>
|
|
# Sudo password
|
|
ansible_become_pass: <sysadmin-pwd>
|
|
# Add a child group, as shown below, if you need individual
|
|
# overrides for specific subcloud hosts.
|
|
# Use the hosts section to add the list of hosts.
|
|
# Use the vars section to override target_group variables,
|
|
# such as the ssh password.
|
|
# Note that you can also override multiple hosts at once or
|
|
# have multiple child groups if necessary.
|
|
# Example:
|
|
# children:
|
|
# different_password_group:
|
|
# vars:
|
|
# ansible_ssh_user: sysadmin
|
|
# ansible_ssh_pass: <sysadmin-pwd>
|
|
# ansible_become_pass: <sysadmin-pwd>
|
|
# hosts:
|
|
# subcloud1:
|
|
# subcloud2:
|
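Review bot: The `secure_boot_cert` and `key_exchange_key` values, and the `ansible_ssh_pass` / `ansible_become_pass` lines under `target_group`, are written as plain scalars in an inventory that operators are told to copy and fill in, and nothing in the file's comments says that these are secrets or how they should be stored. If `key_exchange_key` carries the KEK private key material needed to sign the db update — the comment only says it is the KEK "to allow writing in UEFI db", so this is inferred — then anyone who can read this file can sign arbitrary db entries for every targeted host, which is a stronger secret than the sysadmin password next to it. I would extend the comment above `secure_boot_cert` to state the handling expectation, e.g. `# Both values are sensitive: keep this file readable only by the operator (e.g. mode 0600)` and `# or store them with ansible-vault (ansible-vault encrypt_string) instead of in clear text.` The same comment also has a typo, `# The contents to the secure boot certificate` should read `# The contents of the secure boot certificate`, and the `<base64_cert>` / `<base64_key>` placeholders do not say whether the base64 wraps a PEM or a DER blob, which a user filling this in would need to know. The rendering has dropped the file's indentation, so the nesting of `vars:` under `all:` and `target_group:` cannot be confirmed from this page.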