Add cloud-connector as a native foremanctl feature

development/playbooks/deploy-dev/deploy-dev.yaml

@@ -13,6 +13,11 @@
   vars:
     httpd_foreman_backend: "http://localhost:3000"
   pre_tasks:
+    - name: Check cloud-connector prerequisites
+      ansible.builtin.include_role:
+        name: check_cloud_connector
+      when: "'cloud-connector' in enabled_features"
+
     - name: Set development postgresql databases
       ansible.builtin.set_fact:
         postgresql_databases: >-
@@ -57,6 +62,12 @@
       vars:
         iop_core_foreman_oauth_consumer_key: "{{ foreman_oauth_consumer_key }}"
         iop_core_foreman_oauth_consumer_secret: "{{ foreman_oauth_consumer_secret }}"
+    - role: cloud_connector
+      when:
+        - "'cloud-connector' in enabled_features"
+      vars:
+        cloud_connector_admin_user: "{{ foreman_development_admin_user }}"
+        cloud_connector_admin_password: "{{ foreman_development_admin_password }}"
   post_tasks:
     - name: Stop Foreman development service
       ansible.builtin.include_role:

development/playbooks/deploy-dev/metadata.obsah.yaml

@@ -29,6 +29,9 @@ variables:
   foreman_development_github_username:
     help: GitHub username to add as additional remote for git checkouts
     action: store
+  cloud_connector_http_proxy:
+    parameter: --cloud-connector-http-proxy
+    help: HTTP proxy URL for the cloud connector rhcd service.
 
 include:
   - _flavor_features

src/features.yaml

@@ -50,6 +50,10 @@ rh-cloud:
   hammer: foreman_rh_cloud
   dependencies:
     - katello
+cloud-connector:
+  description: Cloud Connector for Red Hat Hybrid Cloud Console
+  dependencies:
+    - rh-cloud
 iop:
   description: iop services
   dependencies:

src/playbooks/deploy/deploy.yaml

@@ -43,4 +43,7 @@
     - role: hammer
       when:
         - "'hammer' in enabled_features"
+    - role: cloud_connector
+      when:
+        - "'cloud-connector' in enabled_features"
     - post_install

src/playbooks/deploy/metadata.obsah.yaml

@@ -56,6 +56,9 @@ variables:
     parameter: --bmc-redfish-verify-ssl
     help: Verify SSL certificates for Redfish BMC connections.
     type: Boolean
+  cloud_connector_http_proxy:
+    parameter: --cloud-connector-http-proxy
+    help: HTTP proxy URL for the cloud connector rhcd service.
 
 constraints:
   required_together:

src/roles/check_cloud_connector/tasks/main.yaml

@@ -0,0 +1,35 @@
+---
+- name: Verify cloud-connector is not used with iop
+  ansible.builtin.assert:
+    that:
+      - "'iop' not in enabled_features"
+    fail_msg: >-
+      The cloud-connector feature cannot be used together with the iop feature.
+      Remove one of them with --remove-feature before deploying.
+
+- name: Check that consumer certificate exists
+  ansible.builtin.stat:
+    path: /etc/pki/consumer/cert.pem
+  register: check_cloud_connector_consumer_cert
+
+- name: Verify consumer certificate exists
+  ansible.builtin.assert:
+    that:
+      - check_cloud_connector_consumer_cert.stat.exists
+    fail_msg: >-
+      /etc/pki/consumer/cert.pem not found.
+      The system must be registered with subscription-manager.
+
+- name: Check that yggdrasil-worker-forwarder package is available
+  ansible.builtin.command: dnf info yggdrasil-worker-forwarder
+  changed_when: false
+  failed_when: false
+  register: check_cloud_connector_pkg_check
+
+- name: Verify yggdrasil-worker-forwarder is available
+  ansible.builtin.assert:
+    that:
+      - check_cloud_connector_pkg_check.rc == 0
+    fail_msg: >-
+      The yggdrasil-worker-forwarder package is not available.
+      Ensure the appropriate repository is enabled.

src/roles/checks/tasks/main.yml

@@ -7,6 +7,11 @@
     - check_database_connection
     - check_system_requirements
 
+- name: Run cloud connector checks
+  ansible.builtin.include_role:
+    name: check_cloud_connector
+  when: "'cloud-connector' in enabled_features"
+
 - name: Run database index integrity checks
   ansible.builtin.include_role:
     name: check_database_index

src/roles/cloud_connector/defaults/main.yaml

@@ -0,0 +1,7 @@
+---
+cloud_connector_url: "https://{{ ansible_facts['fqdn'] }}"
+cloud_connector_admin_user: admin
+cloud_connector_admin_password: changeme # noqa: no-static-secrets
+cloud_connector_service_user: cloud_connector_admin_user
+cloud_connector_service_password: changeme # noqa: no-static-secrets
+cloud_connector_config_file: /etc/rhc/workers/foreman_rh_cloud.toml

src/roles/cloud_connector/handlers/main.yaml

@@ -0,0 +1,12 @@
+---
+- name: Update system CA trust
+  ansible.builtin.command: update-ca-trust
+  changed_when: true # noqa: no-changed-when
+  listen: Foreman CA changed
+
+- name: Restart rhcd
+  ansible.builtin.systemd_service:
+    name: rhcd
+    state: restarted
+    daemon_reload: true
+  listen: Foreman CA changed

src/roles/cloud_connector/tasks/http_proxy.yaml

@@ -0,0 +1,17 @@
+---
+- name: Create systemd drop-in directory for rhcd
+  ansible.builtin.file:
+    state: directory
+    path: /etc/systemd/system/rhcd.service.d
+    owner: root
+    group: root
+    mode: '0755'
+
+- name: Deploy HTTP proxy systemd drop-in for rhcd
+  ansible.builtin.template:
+    src: proxy.conf.j2
+    dest: /etc/systemd/system/rhcd.service.d/proxy.conf
+    owner: root
+    group: root
+    mode: '0644'
+  notify: Restart rhcd

src/roles/cloud_connector/tasks/main.yaml

@@ -0,0 +1,110 @@
+---
+- name: Install rhc and yggdrasil-worker-forwarder
+  ansible.builtin.package:
+    name:
+      - rhc
+      - yggdrasil-worker-forwarder
+    disable_plugin: foreman-protector
+
+- name: Create cloud connector role
+  theforeman.foreman.role:
+    name: Cloud Connector
+    filters:
+      - permissions:
+          - dispatch_cloud_requests
+    server_url: "{{ cloud_connector_url }}"
+    username: "{{ cloud_connector_admin_user }}"
+    password: "{{ cloud_connector_admin_password }}"
+    ca_path: "{{ foreman_ca_certificate }}"
+    state: present
+
+- name: Create cloud connector service user
+  theforeman.foreman.user:
+    login: "{{ cloud_connector_service_user }}"
+    user_password: "{{ cloud_connector_service_password }}"
+    mail: "{{ cloud_connector_service_user }}@localhost"
+    auth_source: Internal
+    roles:
+      - Cloud Connector
+    admin: false
+    server_url: "{{ cloud_connector_url }}"
+    username: "{{ cloud_connector_admin_user }}"
+    password: "{{ cloud_connector_admin_password }}"
+    ca_path: "{{ foreman_ca_certificate }}"
+    state: present
+
+- name: Configure foreman-rh-cloud worker
+  ansible.builtin.template:
+    src: foreman_rh_cloud.toml.j2
+    dest: "{{ cloud_connector_config_file }}"
+    owner: root
+    group: root
+    mode: '0640'
+  notify: Restart rhcd
+
+- name: Create rhcd worker script
+  ansible.builtin.copy:
+    dest: /usr/libexec/rhc/foreman-rh-cloud-worker
+    content: |
+      #!/bin/bash
+
+      CONFIG_FILE="{{ cloud_connector_config_file }}" exec /usr/libexec/yggdrasil-worker-forwarder
+    owner: root
+    group: root
+    mode: '0755'
+
+- name: Add Foreman CA to system trust store
+  ansible.builtin.copy:
+    src: "{{ foreman_ca_certificate }}"
+    dest: /etc/pki/ca-trust/source/anchors/foreman-ca.pem
+    remote_src: true
+    owner: root
+    group: root
+    mode: '0644'
+  notify: Foreman CA changed
+
+- name: Ensure rhcd started and enabled
+  ansible.builtin.service:
+    name: rhcd
+    state: started
+    enabled: true
+
+- name: Read client ID from CN of consumer certificate
+  ansible.builtin.command: openssl x509 -in /etc/pki/consumer/cert.pem -subject -noout
+  register: cloud_connector_cert_output
+  changed_when: false
+
+- name: Set rhc_instance_id in Foreman
+  theforeman.foreman.setting:
+    name: rhc_instance_id
+    value: "{{ cloud_connector_client_id }}"
+    server_url: "{{ cloud_connector_url }}"
+    username: "{{ cloud_connector_admin_user }}"
+    password: "{{ cloud_connector_admin_password }}"
+    ca_path: "{{ foreman_ca_certificate }}"
+  vars:
+    cloud_connector_client_id: "{{ cloud_connector_cert_output.stdout | regex_search('CN\\s?=\\s?([a-z0-9-]+)', '\\1') | first }}"
+
+- name: Enable automatic inventory upload
+  theforeman.foreman.setting:
+    name: allow_auto_inventory_upload
+    value: true
+    server_url: "{{ cloud_connector_url }}"
+    username: "{{ cloud_connector_admin_user }}"
+    password: "{{ cloud_connector_admin_password }}"
+    ca_path: "{{ foreman_ca_certificate }}"
+
+- name: Announce to Sources
+  ansible.builtin.uri:
+    url: "{{ cloud_connector_url }}/api/v2/rh_cloud/announce_to_sources"
+    user: "{{ cloud_connector_admin_user }}"
+    password: "{{ cloud_connector_admin_password }}"
+    method: POST
+    ca_path: "{{ foreman_ca_certificate }}"
+    force_basic_auth: true
+    body_format: json
+    status_code: [200, 201]
+
+- name: Configure HTTP proxy for rhcd
+  ansible.builtin.include_tasks: http_proxy.yaml
+  when: cloud_connector_http_proxy is defined

src/roles/cloud_connector/templates/foreman_rh_cloud.toml.j2

@@ -0,0 +1,8 @@
+exec = "/usr/libexec/yggdrasil-worker-forwarder"
+protocol = "grpc"
+env = [
+  "FORWARDER_USER={{ cloud_connector_service_user }}",
+  "FORWARDER_PASSWORD={{ cloud_connector_service_password }}",
+  "FORWARDER_URL={{ cloud_connector_url }}/api/v2/rh_cloud/cloud_request",
+  "FORWARDER_HANDLER=foreman_rh_cloud"
+]

src/roles/cloud_connector/templates/proxy.conf.j2

@@ -0,0 +1,3 @@
+[Service]
+Environment=HTTPS_PROXY={{ cloud_connector_http_proxy }}
+Environment=NO_PROXY={{ cloud_connector_url | ansible.builtin.urlsplit('hostname') }}

src/vars/base.yaml

@@ -55,3 +55,12 @@ backup_foreman_oauth_consumer_secret: "{{ foreman_oauth_consumer_secret }}"
 backup_foreman_ca_certificate: "{{ foreman_ca_certificate }}"
 backup_foreman_client_certificate: "{{ foreman_client_certificate }}"
 backup_foreman_client_key: "{{ foreman_client_key }}"
+
+cloud_connector_url: "{{ foreman_url }}"
+cloud_connector_admin_user: "{{ foreman_initial_admin_username }}"
+cloud_connector_admin_password: "{{ foreman_initial_admin_password }}"
+cloud_connector_service_user: cloud_connector_user
+cloud_connector_service_password_file: "{{ obsah_state_path }}/cloud-connector-service-password"
+cloud_connector_service_password: >-
+  {{ lookup('ansible.builtin.password', cloud_connector_service_password_file,
+  chars=['ascii_letters', 'digits'], length=32) }}

tests/cloud_connector_test.py

@@ -0,0 +1,38 @@
+import pytest
+
+pytestmark = pytest.mark.feature("cloud-connector")
+
+
+def test_rhc_package_installed(server):
+    assert server.package("rhc").is_installed
+
+
+def test_yggdrasil_worker_forwarder_package_installed(server):
+    assert server.package("yggdrasil-worker-forwarder").is_installed
+
+
+def test_workers_directory_exists(server):
+    workers_dir = server.file("/etc/rhc/workers")
+    assert workers_dir.is_directory
+    assert workers_dir.mode == 0o755
+
+
+def test_worker_config_exists(server):
+    config = server.file("/etc/rhc/workers/foreman_rh_cloud.toml")
+    assert config.is_file
+    assert config.mode == 0o640
+    assert config.contains("FORWARDER_HANDLER=foreman_rh_cloud")
+    assert config.contains("/api/v2/rh_cloud/cloud_request")
+
+
+def test_worker_script_exists(server):
+    script = server.file("/usr/libexec/rhc/foreman-rh-cloud-worker")
+    assert script.is_file
+    assert script.mode == 0o755
+    assert script.contains("yggdrasil-worker-forwarder")
+
+
+def test_rhcd_service_running(server):
+    rhcd = server.service("rhcd")
+    assert rhcd.is_running
+    assert rhcd.is_enabled