Skip to content

feat: certificate trust#341

Open
Klaas- wants to merge 3 commits into
linux-system-roles:mainfrom
Klaas-:feature/certificate_trust
Open

feat: certificate trust#341
Klaas- wants to merge 3 commits into
linux-system-roles:mainfrom
Klaas-:feature/certificate_trust

Conversation

@Klaas-

@Klaas- Klaas- commented Jul 9, 2026

Copy link
Copy Markdown

Enhancement:
Fixes #339

Adds a variable to add trusted CA certificates to the system.

Summary by CodeRabbit

  • New Features
    • Added certificate_trust support to manage system trust-store anchors, including adding/removing certificates from inline content, local files, or URLs.
    • Automatically refreshes the system trust store after changes, and skips provider/dependency setup when only trust anchors are configured.
  • Documentation
    • Updated README with certificate_trust variable reference, per-platform trust-store paths/commands, and new add/remove examples.
  • Tests
    • Added end-to-end trust-store validation, including source validation (conflicting inputs), trust verification, and cleanup.

@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 7980a5de-c3cc-4448-8ef2-ab53a8640fa5

📥 Commits

Reviewing files that changed from the base of the PR and between e77e3db and d42042b.

📒 Files selected for processing (5)
  • tasks/certificate_trust.yml
  • tasks/main.yml
  • tests/tests_trust.yml
  • vars/Debian.yml
  • vars/Suse.yml
💤 Files with no reviewable changes (2)
  • vars/Suse.yml
  • vars/Debian.yml
🚧 Files skipped from review as they are similar to previous changes (2)
  • tasks/main.yml
  • tasks/certificate_trust.yml

📝 Walkthrough

Walkthrough

Adds a new certificate_trust feature to manage system CA trust anchors: configuration defaults, platform trust-store settings, validation and lifecycle tasks, provider-task gating, documentation, and end-to-end tests.

Changes

Certificate Trust Store Feature

Layer / File(s) Summary
Default variable and platform trust vars
defaults/main.yml, vars/Debian.yml, vars/Suse.yml, vars/main.yml, .ostree/packages-runtime.txt
Adds certificate_trust: [], platform-specific trust-store paths and update commands, default trust packages, and the ca-certificates OSTree runtime package.
Trust store task implementation and wiring
tasks/certificate_trust.yml, tasks/main.yml
Validates trust entries, installs trust packages, copies or downloads present certificates, removes absent certificates, refreshes the trust store when files change, gates provider setup on certificate_requests, and includes trust tasks when certificate_trust is non-empty.
Tests and documentation for trust anchors
tests/tests_trust.yml, tests/setup-snapshot.yml, README.md
Tests file-based and inline trust anchors, conflicting-source validation, removal, and cleanup; installs required test packages; documents parameters, platform behavior, provider gating, and examples.
🚥 Pre-merge checks | ✅ 4 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name Status Explanation Resolution
Description Format ⚠️ Warning PR description has Enhancement but lacks Reason, Result, and Signed-off-by sections required by the template. Add Reason and Result sections, include a Signed-off-by line, and optionally format the issue link under Issue Tracker Tickets.
Description check ❓ Inconclusive The description is brief and missing required Reason, Result, and ticket details from the template. Add the missing Reason, Result, and Issue Tracker Tickets sections with a clearer summary of the change.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title uses Conventional Commits and clearly summarizes the certificate trust feature.
Linked Issues check ✅ Passed The changes implement trusted CA certificate management requested by issue #339.
Out of Scope Changes check ✅ Passed The added tests, docs, vars, and tasks all support the trusted CA certificate feature.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🧹 Nitpick comments (2)
tests/tests_trust.yml (2)

1-156: 📐 Maintainability & Code Quality | 🔵 Trivial

Add failure scenario tests for certificate_trust.

The path instruction for tests/tests_*.yml states: "Tests should verify both success and failure scenarios." Currently only success paths (install from src, install from content, remove) are tested. Consider adding tests for:

  • Missing required name field
  • Providing more than one of content/src/url when state: present
  • url-based provisioning (if supported)

As per path instructions: "Tests should verify both success and failure scenarios".

[medium_effort_and_high_reward]

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/tests_trust.yml` around lines 1 - 156, The trust role tests only cover
successful install and removal flows; add negative coverage in
tests/tests_trust.yml for certificate_trust validation. Extend the existing
trust scenarios around certificate_trust and linux-system-roles.certificate to
assert failures when name is missing and when more than one of content/src/url
is provided with state: present, and add a url-based case if the role supports
it. Use the current include_role/task structure and existing verify/assert
patterns so the new failure cases are checked alongside the existing success
tests.

Source: Path instructions


94-103: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick win

Verify inline-content trust anchor is actually trusted and has correct ownership.

Play 2 only asserts file existence and mode (0644), but doesn't verify ownership (root:root) or that the certificate is actually trusted via openssl verify — both of which are checked in Play 1 (lines 55–65). Add the same assertions for consistency.

💚 Suggested additions
     - name: Assert that the trust anchor was installed
       assert:
         that:
           - __trust_anchor_content.stat.exists
           - __trust_anchor_content.stat.mode == '0644'
+          - __trust_anchor_content.stat.pw_name == 'root'
+          - __trust_anchor_content.stat.gr_name == 'root'
+
+    - name: Check that the inline test CA certificate is now trusted
+      command: openssl verify {{ __trust_test_ca_cert }}
+      register: __trust_verify_content
+      changed_when: false
+
+    - name: Assert that the inline test CA certificate is now trusted
+      assert:
+        that: "__trust_verify_content.stdout is search(': OK')"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/tests_trust.yml` around lines 94 - 103, Play 2 only checks that the
inline trust anchor file exists and has mode 0644, but it is missing the
ownership and trust verification assertions already used in Play 1. Update the
trust-anchor validation around __trust_anchor_content in tests/tests_trust.yml
to also assert root:root ownership from the stat result and add an openssl
verify check to confirm lsr-trust-test-content.crt is actually trusted, keeping
the assertions consistent with the existing trust-anchor checks.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@tasks/certificate_trust.yml`:
- Around line 10-40: The trust-certificate install flow in certificate_trust.yml
must validate each item before running the install tasks so exactly one source
is provided when state is present. Add a precheck task for certificate_trust
entries that enforces one and only one of content, src, or url is defined, and
fail fast with a clear message if multiple or none are set. Keep the existing
copy and get_url tasks in place, but make them rely on the validation instead of
silently overwriting or skipping items.

In `@tests/tests_trust.yml`:
- Around line 105-156: The trust tests are split across multiple plays and the
cleanup runs only at the end, so failures can leave `/tmp` artifacts behind.
Refactor the trust test flow in tests/tests_trust.yml so the test tasks run
inside a single block with an always section, and move the cleanup for
__trust_test_ca_cert and __trust_test_ca_key into that always section. Make sure
the cleanup task(s) are tagged with tests::cleanup, and keep the existing
trust-anchor removal/assertion logic inside the block so it still references the
same certificate_trust and __trust_* symbols.
- Around line 80-86: The trust test currently calls
linux-system-roles.certificate directly with include_role, but it should use the
wrapper task instead. Update tests/tests_trust.yml to invoke the role through
tasks/run_role_with_clear_facts.yml, and make sure any CA content needed after
facts are cleared is read at evaluation time rather than from
__trust_test_ca_slurp. Refer to the trust test task using certificate_trust and
the wrapper task path when making the change.

---

Nitpick comments:
In `@tests/tests_trust.yml`:
- Around line 1-156: The trust role tests only cover successful install and
removal flows; add negative coverage in tests/tests_trust.yml for
certificate_trust validation. Extend the existing trust scenarios around
certificate_trust and linux-system-roles.certificate to assert failures when
name is missing and when more than one of content/src/url is provided with
state: present, and add a url-based case if the role supports it. Use the
current include_role/task structure and existing verify/assert patterns so the
new failure cases are checked alongside the existing success tests.
- Around line 94-103: Play 2 only checks that the inline trust anchor file
exists and has mode 0644, but it is missing the ownership and trust verification
assertions already used in Play 1. Update the trust-anchor validation around
__trust_anchor_content in tests/tests_trust.yml to also assert root:root
ownership from the stat result and add an openssl verify check to confirm
lsr-trust-test-content.crt is actually trusted, keeping the assertions
consistent with the existing trust-anchor checks.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: c16ed6a9-adfc-4d18-9801-c37434e37f7f

📥 Commits

Reviewing files that changed from the base of the PR and between 81a4ff5 and e77e3db.

📒 Files selected for processing (10)
  • .ostree/packages-runtime.txt
  • README.md
  • defaults/main.yml
  • tasks/certificate_trust.yml
  • tasks/main.yml
  • tests/setup-snapshot.yml
  • tests/tests_trust.yml
  • vars/Debian.yml
  • vars/Suse.yml
  • vars/main.yml

Comment thread tasks/certificate_trust.yml
Comment thread tests/tests_trust.yml Outdated
Comment thread tests/tests_trust.yml Outdated
@richm richm changed the title Feature: certificate trust feat: certificate trust Jul 9, 2026
Comment thread tests/tests_trust.yml Outdated
Comment thread tests/tests_trust.yml Outdated
@Klaas-

Klaas- commented Jul 10, 2026

Copy link
Copy Markdown
Author

I can squash it if that is wanted.

Comment thread tests/tests_trust.yml
tasks:
- name: Run certificate_trust tests
block:
- name: Ensure openssl is installed

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- name: Ensure openssl is installed
- name: Get var __certificate_is_ostree and other role vars
include_role:
name: linux-system-roles.certificate
tasks_from: set_vars.yml
public: true
- name: Ensure openssl is installed

Yes, this is somewhat painful due to ostree

Comment thread tests/tests_trust.yml
- name: Ensure openssl is installed
package:
name: openssl
state: present

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
state: present
state: present
use: "{{ (__certificate_is_ostree | d(false)) |
ternary('ansible.posix.rhel_rpm_ostree', omit) }}"

Comment thread tests/tests_trust.yml
when:
- item.state | d('present') == 'present'
- item.content is defined or item.src is defined
register: __certificate_trust_copied

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
register: __certificate_trust_copied
register: __certificate_trust_copied
no_log: "{{ certificate_secure_logging }}"

I believe content may contain a key - we don't want that to go to the log by default

when:
- item.state | d('present') == 'present'
- item.url is defined
register: __certificate_trust_downloaded

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
register: __certificate_trust_downloaded
register: __certificate_trust_downloaded
no_log: "{{ certificate_secure_logging }}"

Same here - not sure if this could in any way print any of the key material to the log

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Handling of trusted CA certificates

2 participants