From 46eecceacc750f10d6c73f48e736538b80342aa9 Mon Sep 17 00:00:00 2001 From: Fabian Arrotin Date: May 16 2022 07:38:00 +0000 Subject: Modified tls doc for ci now having ansible automation Signed-off-by: Fabian Arrotin --- diff --git a/docs/security/tls.md b/docs/security/tls.md index 994cd74..895cad4 100644 --- a/docs/security/tls.md +++ b/docs/security/tls.md @@ -240,20 +240,10 @@ koji.mbox.centos.org.crt: OK Let's consider now three infrastructures and how to push renewed certs : -#### CentOS public infra (including .dev. and .stg. infra) -Once it's committed/pushed to pkistore git repo, tobisna (ansible bot) will deploy the renewed TLS certs automatically. +#### CentOS public infra (including .dev. , .stg. and ci infra) +Once it's committed/pushed to pkistore git repo, the ansible bot will deploy the renewed TLS certs automatically. You can still "force" the playbook execution if you want, from ansible bot host but should be done automatically and you can see reports through ARA. -#### CentOS CI infra -There is no dedicated ansible host/management station for ci infra (yet) so you have to run it yourself. -Once you have pushed the renewed certs (through git-crypted pkistore git repo), you can just apply with : -``` -for role in haproxy ocp-admin-node jenkins-server ; do - ansible-playbook playbooks/role-${role}.yml --tags "tls,pki,certs" -done -``` - - #### CentOS Stream infra Same as for other parts of infra, except that you *have* to encrypt with ansible-vault before git commit/git push operations (important). @@ -263,3 +253,5 @@ Once done : ansible-playbook-stream playbooks/role-haproxy.yml --tags "tls,pki" ``` +Also worth knowing that we have to contact Fedora Infra team for the `mirrors.centos.org` one, as it's hosted on their infra so we need to securely transfer needed key/cert files so that they can reload on their setup (mirrormanager) +