Add verify_cert roles for TLS certificate verification for IAG5#12
Closed
Amunagala-itential wants to merge 2 commits into dev from
Conversation
steven-schattenberg-itential
requested changes
Apr 13, 2026
| | Path | Protocol | TLS Type | Cert requirement | Run condition | | ||
| |------|----------|----------|-----------------|---------------| | ||
| | Server ↔ Runner | gRPC over TCP | Mutual TLS (mTLS) | Both `serverAuth` + `clientAuth` in EKU | `gateway_server_use_tls: true` | |
Can you define what EKU is? I know that it is ExtendedKeyUsage but that might not be well known by others.
| @@ -0,0 +1,34 @@ | |||
| --- | |||
| # Shared summary task — include this at the end of every role | |||
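Review bot: the header comment says this summary task must be included at the end of every role, but that is a convention each role has to remember; consider stating in this comment the exact include line a role's task list should end with (for example an `ansible.builtin.include_tasks` of this file) and that it expects `check_results` to have been populated by the preceding checks, so a role that omits it, or runs it before its checks, is obvious in review.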
In the certify functionality for IAP I have a template that produces a markdown file on the control node. This can make it easier for a customer to share the results with us for either troubleshooting or for our own records. In addition to this screen output, which is useful, I would like a md file to be produced.
Author
Superseded by a new commit with consolidated architecture — verify_cert colocated in gateway_server/gateway_client roles, cluster_id check removed, check numbering cleaned up.
Summary
Adds a playbook and three Ansible roles that verify TLS certificate configuration across all IAG5 node types after deployment. Runs against live nodes, reads actual `gateway.conf` files, and performs live TLS handshakes.

| Role | Run condition |
|------|---------------|
| `verify_cert_cluster_server_to_runner` | `gateway_server_use_tls: true` |
| `verify_cert_cluster_client_to_server` | `gateway_client_use_tls: true` |
| `verify_cert_connect_server_to_gwm` | `gateway_server_use_tls: true` |

`playbooks/verify_cert.yml` is imported automatically at the end of `site.yml` and can be skipped with `--skip-tags verify_cert`.

What is verified

- CA:TRUE, self-signed root, cert count)
- `private_ip` and `ansible_host`
- `serverAuth` + `clientAuth` (mTLS) or `clientAuth` (connect)
- `no_proxy` correctly excludes gRPC/GWM endpoints

All checks use `ignore_errors: true` — every check always runs and results are collected into a single summary per play.

.ansible-lint changes

- `command-instead-of-module`: `systemctl` and `curl` tasks use pipes which require `ansible.builtin.shell` — cannot use `systemd`/`uri` modules. The qualifier-specific form `[systemctl]` did not suppress violations; bare rule ID required.
- `jinja[spacing]`: `check_results` triggered the rule inconsistently across role files with identical syntax. Suppressed to avoid restructuring a core pattern.
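As an added example (not code from this PR or the Itential roles), the EKU and SAN requirements the description lists, applied to a parsed certificate in Go with a constructed self-signed fixture; the "EKU ..." / "SAN IP ..." want strings and the address 10.0.0.5 are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

var ekuName = map[x509.ExtKeyUsage]string{
	x509.ExtKeyUsageServerAuth: "serverAuth",
	x509.ExtKeyUsageClientAuth: "clientAuth",
}

// CheckCert returns one "missing ..." line per want (e.g. "EKU serverAuth", "SAN IP 10.0.0.5") the cert lacks; nil means pass.
func CheckCert(cert *x509.Certificate, wants []string) []string {
	have := map[string]bool{}
	for _, eku := range cert.ExtKeyUsage {
		have["EKU "+ekuName[eku]] = true
	}
	for _, san := range cert.IPAddresses {
		have["SAN IP "+san.String()] = true
	}
	var fails []string
	for _, want := range wants {
		if !have[want] {
			fails = append(fails, "missing "+want)
		}
	}
	return fails
}

// selfSigned builds a constructed fixture cert (not from the PR); errors are ignored for brevity.
func selfSigned(ekus []x509.ExtKeyUsage, ips ...string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now(), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage:  ekus,
	}
	for _, ip := range ips {
		tmpl.IPAddresses = append(tmpl.IPAddresses, net.ParseIP(ip))
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```

For the mTLS rows both `EKU serverAuth` and `EKU clientAuth` go in the want list; for the connect row only `EKU clientAuth` does.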