SECURESIGN-55 | Monitoring of Sigstore containers with Cockpit (#112)

Author: JasonPowr

README.md

@@ -85,6 +85,18 @@ You can also install a specific version of the collection, for example, if you n
 ansible-galaxy collection install redhat.artifact_signer:==1.1.0
 ```
 
+### Monitoring of containers with Cockpit
+To monitor containers with Cockpit, you need to install the Red Hat Enterprise Linux System Roles Ansible Collection, found [here](https://console.redhat.com/ansible/automation-hub/repo/published/redhat/rhel_system_roles/) using the following command: `ansible-galaxy collection install redhat.rhel_system_roles:==1.88.9` (NOTE: minimum required version is 1.88.9), authentication with AAH (Ansible Automation Hub) is required for this.
+After installing the collection, you can enable and configure Cockpit as shown below
+
+```
+tas_single_node_cockpit:
+  enabled: true
+  user:
+    create: true
+    username: cockpit-user
+    password: password
+```
 
 ## Downloading CLI tools
    To Download tools to interact with Red Hat Trusted Artifact Signer, you can visit `https://cli-server.<base_hostname>`

roles/tas_single_node/README.md

@@ -46,6 +46,7 @@ Deploy the [RHTAS](https://docs.redhat.com/en/documentation/red_hat_trusted_arti
 | tas_single_node_tsa_image | Timestamp Authority Image | str |  `registry.redhat.io/rhtas/timestamp-authority-rhel9@sha256:3fba2f8cd09548d2bd2dfff938529952999cb28ff5b7ea42c1c5e722b8eb827f`  |
 | tas_single_node_rekor_search_image | Rekor search UI image | str |  `registry.redhat.io/rhtas/rekor-search-ui-rhel9@sha256:8c478fc6122377c6c9df0fddf0ae42b6f6b1648e3c6cf96a0558f366e7921b2b`  |
 | tas_single_node_podman | Configuration options for Podman. | dict of 'tas_single_node_podman' options |  |
+| tas_single_node_cockpit | Configuration options for Cockpit. | dict of 'tas_single_node_cockpit' options |  `{'enabled': False, 'user': {'create': False, 'username': 'cockpit-user'}}`  |
 
 #### Options for main > tas_single_node_rekor_redis
 
@@ -118,6 +119,21 @@ Deploy the [RHTAS](https://docs.redhat.com/en/documentation/red_hat_trusted_arti
 | location | The primary registry location for the image. | str | yes |  |
 | mirror | The mirror registry to use for pulling images from the primary registry location. | str | yes |  |
 
+#### Options for main > tas_single_node_cockpit
+
+|Option|Description|Type|Required|Default|
+|---|---|---|---|---|
+| enabled | Whether or not to install Cockpit. | bool | no |  |
+| user | Configuration for the cockpit user. | dict of 'user' options | no |  |
+
+#### Options for main > tas_single_node_cockpit > user
+
+|Option|Description|Type|Required|Default|
+|---|---|---|---|---|
+| create | Whether or not to create the cockpit user. | bool | no |  |
+| username | Username for the cockpit user. | str | no |  |
+| password | Password for the cockpit user. | str | yes |  |
+
 ## Example Playbook
 
 ```

roles/tas_single_node/defaults/main.yml

@@ -94,3 +94,10 @@ tas_single_node_client_server_image:
   "registry.redhat.io/rhtas/client-server-rhel9@sha256:9537329d0166b8d41ffd5f5d79c052fc27abe426a20cba5733c84030013c4e29"
 
 tas_single_node_podman: {}
+
+tas_single_node_cockpit:
+  enabled: false # install redhat.rhel_system_roles before enabling
+  user:
+    create: false
+    username: cockpit-user
+    password: ""

roles/tas_single_node/meta/argument_specs.yml

@@ -375,3 +375,40 @@ argument_specs:
                 type: "str"
                 required: true
                 version_added: "1.1.1"
+      tas_single_node_cockpit:
+        description: "Configuration options for Cockpit."
+        type: "dict"
+        required: false
+        version_added: "1.1.1"
+        default:
+          enabled: false
+          user:
+            create: false
+            username: cockpit-user
+        options:
+          enabled:
+            description: "Whether or not to install Cockpit."
+            type: "bool"
+            required: false
+            version_added: "1.1.1"
+          user:
+            description: "Configuration for the cockpit user."
+            type: "dict"
+            required: false
+            version_added: "1.1.1"
+            options:
+              create:
+                description: "Whether or not to create the cockpit user."
+                type: "bool"
+                required: false
+                version_added: "1.1.1"
+              username:
+                description: "Username for the cockpit user."
+                type: "str"
+                required: false
+                version_added: "1.1.1"
+              password:
+                description: "Password for the cockpit user."
+                type: "str"
+                required: true
+                version_added: "1.1.1"

roles/tas_single_node/tasks/main.yml

@@ -9,6 +9,28 @@
   ansible.builtin.include_tasks: os.yml
   when: not tas_single_node_skip_os_install
 
+- name: Create cockpit-user
+  ansible.builtin.user:
+    name: "{{ tas_single_node_cockpit.user.username }}"
+    shell: /bin/bash
+    group: wheel
+    password: "{{ tas_single_node_cockpit.user.password | password_hash('sha512') }}"
+    create_home: true
+  when:
+    - tas_single_node_cockpit.enabled | bool
+    - tas_single_node_cockpit.user.create | bool
+
+- name: Install Cockpit
+  ansible.builtin.include_role:
+    name: redhat.rhel_system_roles.cockpit
+  vars:
+    cockpit_packages:
+      - cockpit-storaged
+      - cockpit-podman
+      - cockpit
+    cockpit_manage_firewall: true
+  when: tas_single_node_cockpit.enabled | bool
+
 - name: Create Certificates
   ansible.builtin.include_tasks: certificates.yml
 

roles/tas_single_node/tasks/os.yml

@@ -8,14 +8,6 @@
     name: "{{ tas_single_node_system_packages }}"
     state: latest
 
-- name: Install Cockpit
-  ansible.builtin.include_role:
-    name: cockpit
-  vars:
-    cockpit_packages: "{{ tas_single_node_cockpit.cockpit_packages }}"
-    cockpit_manage_firewall: "{{ tas_single_node_cockpit.cockpit_manage_firewall }}"
-  when: tas_single_node_cockpit.enabled | bool
-
 - name: Configure /etc/hosts DNS block
   ansible.builtin.blockinfile:
     dest: /etc/hosts

roles/tas_single_node/vars/main.yml

@@ -5,13 +5,6 @@ tas_single_node_system_packages:
   - podman-plugins
   - firewalld
 
-tas_single_node_cockpit:
-  enabled: false
-  cockpit_packages:
-    - cockpit-storaged
-    - cockpit-podman
-    - cockpit
-  cockpit_manage_firewall: true
 
 tas_single_node_rekor_signer_type: file # to be exposed to users later on
 tas_single_node_rekor_templates: