Changed the directory structure for certificates for Platform

.gitignore

@@ -7,4 +7,4 @@
 **/*.gz
 **/*.pem
 **/*.log
-**/*.keep
+**/*.keep

roles/platform/defaults/main/webserver.yml

@@ -23,13 +23,13 @@ platform_webserver_https_enabled: false
 platform_webserver_https_port: 3443
 
 # The path to the public key file used for HTTPS connections.
-platform_webserver_https_key: /opt/itential/platform/server/keys/key.pem
+platform_webserver_https_key: "{{ platform_tls_dir }}/private/server.key"
 
 # The passphrase for the private key used to enable TLS sessions.
 platform_webserver_https_passphrase:
 
 # The path to the certificate file used for HTTPS connections.
-platform_webserver_https_cert: /opt/itential/platform/server/keys/cert.pem
+platform_webserver_https_cert: "{{ platform_tls_dir }}/certs/server.crt"
 
 # The set of allowed SSL/TLS protocol versions.
 platform_webserver_https_secure_protocol: TLSv1_2_method

roles/platform/tasks/copy-certs.yml

@@ -2,34 +2,45 @@
 # GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
 ---
 
-# TODO:  Do we want to continue to support copying the cert?
-#        Should the cert/key be copied to /etc/ssl?
+- name: Ensure the private directory exists
+  ansible.builtin.file:
+    path: "{{ platform_tls_dir }}/private"
+    state: directory
+    owner: root
+    group: itential
+    mode: '0750'
+
+- name: Ensure the certs directory exists
+  ansible.builtin.file:
+    path: "{{ platform_tls_dir }}/certs"
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
 
 - name: Put the HTTPS key file in the correct location
   ansible.builtin.copy:
-    remote_src: true
-    src: "{{ platform_install_dir }}/keys/key.pem"
-    dest: "{{ platform_install_dir }}/keys/itential.key"
-    mode: "0400"
-    owner: "{{ platform_user }}"
-    group: "{{ platform_group }}"
+    src: "{{ platform_keyfile_source }}"
+    dest: "{{ platform_webserver_https_key }}"
+    mode: "0640"
+    owner: root
+    group: itential
 
 - name: Put the HTTPS cert file in the correct location
   ansible.builtin.copy:
-    remote_src: true
-    src: "{{ platform_install_dir }}/keys/cert.pem"
-    dest: "{{ platform_install_dir }}/keys/itential.cert"
-    mode: "0400"
-    owner: "{{ platform_user }}"
-    group: "{{ platform_group }}"
+    src: "{{ platform_certfile_source }}"
+    dest: "{{ platform_webserver_https_cert }}"
+    mode: "0644"
+    owner: root
+    group: root
 
 - name: Copy MongoDB root CA file to the appropriate location
   ansible.builtin.copy:
     src: "{{ platform_mongodb_root_ca_file_source }}"
     dest: "{{ platform_mongodb_root_ca_file_destination }}"
     mode: "0400"
-    group: "{{ platform_group }}"
     owner: "{{ platform_user }}"
+    group: "{{ platform_group }}"
   when:
-    - mongodb_tls_enabled | bool
+    - platform_mongo_tls_enabled | bool
     - platform_mongodb_root_ca_file_source is defined

roles/platform/tasks/main.yml

@@ -102,13 +102,12 @@
           ansible.builtin.include_tasks:
             file: configure-vault.yml
 
-    # TODO: Re-work the copy certs tasks
-    # - name: Copy certs
-    #   tags: copy_certs
-    #   block:
-    #     - name: Copy certs
-    #       ansible.builtin.include_tasks:
-    #         file: copy-certs.yml
+    - name: Copy certs
+      tags: copy_certs
+      block:
+        - name: Copy certs
+          ansible.builtin.include_tasks:
+            file: copy-certs.yml
 
     - name: Configure Platform
       tags: configure_platform

roles/platform/vars/main.yml

@@ -6,3 +6,4 @@ platform_root_dir: /opt/itential/platform
 platform_install_dir: "{{ platform_root_dir }}/server"
 platform_service_dir: "{{ platform_root_dir }}/services"
 platform_config_dir: /etc/itential
+platform_tls_dir: /etc/ssl/itential-platform