
add support for providing an own ca #602

Draft

bochi wants to merge 1 commit into theforeman:master from bochi:custom-ca-source

Conversation

bochi (Contributor) commented Jun 26, 2026

Why are you introducing these changes? (Problem description, related links)

Foremanctl should be able to handle user supplied CAs for signing certificates

partly fixes #297

What are the changes introduced in this pull request?

  • New certificate source custom_ca: imports a supplied CA and uses it to sign certificates
  • New command line parameters --certificate-ca-certificate, --certificate-ca-key,
    --certificate-ca-key-password
  • In case the CA is unencrypted, it will be re-encrypted so it looks like a generated one to the system; some tools like Candlepin seem to want an encrypted CA, and doing it differently would introduce many non-trivial changes

How to test this pull request

Steps to reproduce:

  • Create a CA
  • Deploy with the command line options above

Checklist

  • Tests added/updated (if applicable)
  • Documentation updated (if applicable)
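An added example, not foremanctl's own code, of the checks an operator would want before handing a CA to the deploy command plus the re-encryption step the description mentions, done with the openssl CLI. Function names, the demo CA subject and the password are hypothetical.

```shell
#!/bin/sh
# Added example (not foremanctl code): sanity checks and the re-encryption step
# for a user-supplied CA, done with the openssl CLI. Function names are hypothetical.
set -eu

# key_is_encrypted KEYFILE: succeed if the PEM key is password-protected
# (PKCS#8 "ENCRYPTED PRIVATE KEY" or legacy "Proc-Type: 4,ENCRYPTED").
key_is_encrypted() {
  grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# ensure_encrypted_key IN OUT PASSWORD: write an AES-256 encrypted PKCS#8 copy of IN
# to OUT. An unencrypted key is encrypted with PASSWORD; an encrypted key must be
# decryptable with PASSWORD and is re-encrypted, so the result always looks the same.
ensure_encrypted_key() {
  if key_is_encrypted "$1"; then
    openssl pkey -in "$1" -passin "pass:$3" -aes256 -passout "pass:$3" -out "$2"
  else
    openssl pkey -in "$1" -aes256 -passout "pass:$3" -out "$2"
  fi
  chmod 600 "$2"
}

# ca_matches_key CERT KEY PASSWORD: succeed if the key's public half equals the
# certificate's, i.e. the supplied pair actually belongs together.
ca_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -passin "pass:$3" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# is_ca_cert CERT: succeed if the certificate is marked basicConstraints CA:TRUE,
# without which it cannot be used to sign server or client certificates.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# make_demo_ca DIR: constructed throwaway CA with an UNENCRYPTED key, only so the
# functions above have input to run on.
make_demo_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Constructed demo CA' \
    -addext 'basicConstraints=critical,CA:TRUE' \
    -addext 'keyUsage=critical,keyCertSign,cRLSign' \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}
```

Running `ensure_encrypted_key` on an already-encrypted key with the right password yields the same kind of PKCS#8 output as for an unencrypted one, which is the "looks like a generated one" property the description relies on.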

bochi force-pushed the custom-ca-source branch from 0f21df0 to 0ace162 on June 26, 2026 09:30
stejskalleos (Contributor) commented:

@coderabbitai review

coderabbitai Bot commented Jun 29, 2026

Action performed

Review finished.


coderabbitai Bot commented Jun 29, 2026
Warning

Review limit reached

@stejskalleos, you've reached your PR review limit, so we couldn't start this review.
Review details

Reviewing files that changed from the base of the PR and between a50989c and 0ace162.

Files selected for processing (6)
  • docs/user/certificates.md
  • src/playbooks/_certificate_source/metadata.obsah.yaml
  • src/playbooks/deploy/deploy.yaml
  • src/playbooks/deploy/metadata.obsah.yaml
  • src/roles/certificates/tasks/custom_ca.yml
  • src/roles/certificates/tasks/main.yml

evgeni requested a review from ehelms June 29, 2026 11:20

evgeni (Member) commented Jun 29, 2026

I'd like to see some tests for this, probably very similar to how we test custom_server today (we can probably also re-use the CA generation we implemented there).
Very curious to see how well Candlepin will take this.

Also, may I assume that switching to a custom_ca will invalidate all consumer (client) certs? Sounds like lots of fun :)

bochi (Contributor, Author) commented Jun 29, 2026

TBH I haven't thought about switching, and yes, you are right.
Candlepin seems to work fine, but only after I started re-encrypting a potentially unencrypted CA.

I will write some tests and convert this to draft, I agree that it may take some more work :)

bochi marked this pull request as draft June 29, 2026 11:30

Development

Successfully merging this pull request may close these issues.

Certificate workflow support
