quay · HammerMeetNail · Jul 20, 2023 · Aug 15, 2023
diff --git a/ansible-runner/context/app/project/roles/mirror_appliance/tasks/upgrade-quay-service.yaml b/ansible-runner/context/app/project/roles/mirror_appliance/tasks/upgrade-quay-service.yaml
@@ -1,3 +1,80 @@
+- name: Check if SSL Cert exists
+  stat:
+    path: /runner/certs/quay.cert
+  delegate_to: localhost
+  register: ssl_cert
+
+- name: Check if SSL Key exists
+  stat:
+    path: /runner/certs/quay.key
+  delegate_to: localhost
+  register: ssl_key
+
+- name: Check if mirror registry created SSL Cert
+  shell: "openssl x509 -in {{ quay_root }}/quay-rootCA/rootCA.pem -noout -text | grep 'O = Quay'"
+  register: ssl_cert_owner
+  ignore_errors: true
+
+- name: Create SSL Certs
+  block:
+    - name: Create necessary directory for Quay rootCA files
+      ansible.builtin.file:
+        path: "{{ quay_root }}/quay-rootCA"
+        state: directory
+        recurse: yes
+
+    - name: Create OpenSSL Config
+      template:
+        src: ../templates/req.j2
+        dest: "{{ quay_root }}/quay-config/openssl.cnf"
+
+    - name: Create root CA key
+      command: "openssl genrsa -out {{ quay_root }}/quay-rootCA/rootCA.key 2048"
+
+    - name: Create root CA pem
+      command: "openssl req -x509 -new -config {{ quay_root }}/quay-config/openssl.cnf -nodes -key {{ quay_root }}/quay-rootCA/rootCA.key -sha256 -days 1024 -out {{ quay_root }}/quay-rootCA/rootCA.pem -addext basicConstraints=critical,CA:TRUE,pathlen:1"
+
+    - name: Create ssl key
+      command: "openssl genrsa -out {{ quay_root }}/quay-config/ssl.key 2048"
+
+    - name: Create CSR
+      command: "openssl req -new -key {{ quay_root }}/quay-config/ssl.key -out {{ quay_root }}/quay-config/ssl.csr -subj \"/CN=quay-enterprise\" -config {{ quay_root }}/quay-config/openssl.cnf"
+
+    - name: Create self-signed cert
+      command: "openssl x509 -req -in {{ quay_root }}/quay-config/ssl.csr -CA {{ quay_root }}/quay-rootCA/rootCA.pem -CAkey {{ quay_root }}/quay-rootCA/rootCA.key -CAcreateserial -out {{ quay_root }}/quay-config/ssl.cert -days 356 -extensions v3_req -extfile {{ quay_root }}/quay-config/openssl.cnf"
+
+    - name: Create chain cert
+      ansible.builtin.shell: cat {{ quay_root }}/quay-config/ssl.cert {{ quay_root }}/quay-rootCA/rootCA.pem > {{ quay_root }}/quay-config/chain.cert
+
+    - name: Replace ssl cert with chain cert
+      command: mv --force {{ quay_root }}/quay-config/chain.cert {{ quay_root }}/quay-config/ssl.cert
+  when: (ssl_cert_owner.rc == 0)
+
+- name: Copy SSL Certs
+  block:
+    - name: Copy SSL certificate
+      copy:
+        src: /runner/certs/quay.cert
+        dest: "{{ quay_root }}/quay-config/ssl.cert"
+
+    - name: Copy SSL key
+      copy:
+        src: /runner/certs/quay.key
+        dest: "{{ quay_root }}/quay-config/ssl.key"
+  when: (ssl_cert.stat.exists == True) and (ssl_key.stat.exists == True) and (ssl_cert_owner.rc == 1)
+
+- name: Set certificate permissions
+  block:
+    - name: Set permissions for key
+      ansible.builtin.file:
+        path: "{{ quay_root }}/quay-config/ssl.key"
+        mode: u=rw,g=r,o=r
+
+    - name: Set permissions for cert
+      ansible.builtin.file:
+        path: "{{ quay_root }}/quay-config/ssl.cert"
+        mode: u=rw,g=r,o=r
+
 - name: Copy Quay systemd service file
   template:
     src: ../templates/quay.service.j2
@@ -6,7 +83,7 @@
 - name: Check if Quay image is loaded
   command: podman inspect --type=image {{ quay_image }}
   register: q
-  ignore_errors: yes
+  ignore_errors: true
 
 - name: Pull Quay image
   containers.podman.podman_image:
@@ -15,6 +92,11 @@
   retries: 5
   delay: 5
 
+- name: Create Quay Storage named volume
+  containers.podman.podman_volume:
+      state: present
+      name: quay-storage
+
 - name: Start Quay service
   systemd:
     name: quay-app.service

diff --git a/cmd/upgrade.go b/cmd/upgrade.go
@@ -6,6 +6,7 @@ import (
 	"os"
 	"os/exec"
 	"path"
+	"path/filepath"
 	"strconv"
 	"strings"
 
@@ -31,6 +32,10 @@ func init() {
 	upgradeCmd.Flags().StringVarP(&targetUsername, "targetUsername", "u", os.Getenv("USER"), "The user on the target host which will be used for SSH. This defaults to $USER")
 	upgradeCmd.Flags().StringVarP(&sshKey, "ssh-key", "k", os.Getenv("HOME")+"/.ssh/quay_installer", "The path of your ssh identity key. This defaults to ~/.ssh/quay_installer")
 
+	upgradeCmd.Flags().StringVarP(&sslCert, "sslCert", "", "", "The path to the SSL certificate Quay should use")
+	upgradeCmd.Flags().StringVarP(&sslKey, "sslKey", "", "", "The path to the SSL key Quay should use")
+	upgradeCmd.Flags().BoolVarP(&sslCheckSkip, "sslCheckSkip", "", false, "Whether or not to check the certificate hostname against the SERVER_HOSTNAME in config.yaml.")
+
 	upgradeCmd.Flags().StringVarP(&quayHostname, "quayHostname", "", "", "The value to set SERVER_HOSTNAME in the Quay config.yaml. This defaults to <targetHostname>:8443")
 
 	upgradeCmd.Flags().StringVarP(&imageArchivePath, "image-archive", "i", "", "An archive containing images")
@@ -62,6 +67,10 @@ func upgrade() {
 		quayHostname = targetHostname + ":8443"
 	}
 
+	// Load the SSL certificate and the key
+	err = loadCerts(sslCert, sslKey, strings.Split(quayHostname, ":")[0], sslCheckSkip)
+	check(err)
+
 	// Check that SSH key is present, and generate if not
 	err = loadSSHKeys()
 	check(err)
@@ -173,6 +182,20 @@ func upgrade() {
 		askBecomePassFlag = "-K"
 	}
 
+	// Set the SSL flag if cert and key are defined
+	var sslCertKeyFlag string
+	if sslCert != "" && sslKey != "" {
+		sslCertAbs, err := filepath.Abs(sslCert)
+		if err != nil {
+			check(errors.New("Unable to get absolute path of " + sslCert))
+		}
+		sslKeyAbs, err := filepath.Abs(sslKey)
+		if err != nil {
+			check(errors.New("Unable to get absolute path of " + sslKey))
+		}
+		sslCertKeyFlag = fmt.Sprintf(" -v %s:/runner/certs/quay.cert:Z -v %s:/runner/certs/quay.key:Z", sslCertAbs, sslKeyAbs)
+	}
+
 	// Run playbook
 	log.Printf("Running upgrade playbook. This may take some time. To see playbook output run the installer with -v (verbose) flag.")
 	quayVersion := strings.Split(quayImage, ":")[1]
@@ -181,6 +204,7 @@ func upgrade() {
 		`--workdir /runner/project `+
 		`--net host `+
 		imageArchiveMountFlag+ // optional image archive flag
+		sslCertKeyFlag+ // optional ssl cert/key flag
 		` -v %s:/runner/env/ssh_key `+
 		`-e RUNNER_OMIT_EVENTS=False `+
 		`-e RUNNER_ONLY_FAILED_EVENTS=False `+