From 5d3de3ece26313d76eeccf483d9f4496c19d5402 Mon Sep 17 00:00:00 2001
From: "Joshua M. Boniface" <joshua@boniface.me>
Date: Fri, 1 Sep 2023 15:42:21 -0400
Subject: [PATCH] Complete configuration of API via Ansible

---
 group_vars/default/pvc.yml              | 22 ++++++++++------
 roles/pvc/tasks/pvc/main.yml            | 29 +++++++++++++++-----
 roles/pvc/templates/pvc/pvc-api.yaml.j2 | 35 ++++++++++++++++++++++---
 3 files changed, 69 insertions(+), 17 deletions(-)

diff --git a/group_vars/default/pvc.yml b/group_vars/default/pvc.yml
index d4c9877..ae2d27e 100644
--- a/group_vars/default/pvc.yml
+++ b/group_vars/default/pvc.yml
@@ -1,5 +1,5 @@
 ---
-# Logging
+# Logging configuration
 pvc_log_to_file: True
 pvc_log_to_stdout: True
 pvc_log_keepalives: True
@@ -7,18 +7,24 @@ pvc_log_keepalive_cluster_details: True
 pvc_log_keepalive_storage_details: True
 pvc_log_console_lines: 1000
 
-# Client API authentication configuration
-# > If the key is left blank, the API will listen UNAUTHENTICATED on all IP addresses of the
-#   current primary node; use this with care and not in unsecured environments (e.g. if the
-#   upstream network is untrusted).
-pvc_api_authentication_key: ""              # Use pwgen to generate
+# Client API configuration
 pvc_api_listen_address: "0.0.0.0"
 pvc_api_listen_port: "7370"
+pvc_api_enable_authentication: False
+pvc_api_secret_key: ""
+pvc_api_tokens:
+  - description: "myuser"
+    token: ""
+pvc_api_enable_ssl: False
+pvc_api_ssl_cert: >
+  # A RAW CERTIFICATE FILE, installed to /etc/pvc/api-cert.pem
+pvc_api_ssl_key: >
+  # A RAW KEY FILE, installed to /etc/pvc/api-key.pem
 
-# Ceph storage
+# Ceph storage configuration
 pvc_ceph_storage_secret_uuid: ""            # Use uuidgen to generate
 
-# Database configurations
+# Database configuration
 pvc_dns_database_name: "pvcdns"
 pvc_dns_database_user: "pvcdns"
 pvc_dns_database_password: ""               # Use pwgen to generate
diff --git a/roles/pvc/tasks/pvc/main.yml b/roles/pvc/tasks/pvc/main.yml
index e701f6e..10f3e7b 100644
--- a/roles/pvc/tasks/pvc/main.yml
+++ b/roles/pvc/tasks/pvc/main.yml
@@ -12,21 +12,38 @@
 
 - name: install pvc configurations
   template:
-    src: pvc/{{ item }}.yaml.j2
-    dest: /etc/pvc/{{ item }}.yaml
+    src: pvc/{{ item }}.j2
+    dest: /etc/pvc/{{ item }}
   notify:
-    - restart {{ item }}
+    - restart pvcd
   with_items:
-    - pvcd
-    - pvc-api
+    - pvcd.yaml
+    - pvc-api.yaml
+
+- name: install API SSL certificate file
+  copy:
+    content: "{{ pvc_api_ssl_cert }}"
+    dest: /etc/pvc/api-cert.pem
+    mode: 0644
+  no_log: True
+  when: pvc_api_enable_ssl
+
+- name: install API SSL key file
+  copy:
+    content: "{{ pvc_api_ssl_key }}"
+    dest: /etc/pvc/api-key.pem
+    mode: 0640
+  no_log: True
+  when: pvc_api_enable_ssl
 
 - name: stop and disable unneccessary services
   service:
-    name: "{{ item }}"
+    name: "{{item }}"
     state: stopped
     enabled: no
   with_items:
     - pdns.service
+    - dnsmasq.service
 
 - include: pvc/bootstrap.yml
   when: bootstrap is defined and bootstrap
diff --git a/roles/pvc/templates/pvc/pvc-api.yaml.j2 b/roles/pvc/templates/pvc/pvc-api.yaml.j2
index cb43f1a..e594914 100644
--- a/roles/pvc/templates/pvc/pvc-api.yaml.j2
+++ b/roles/pvc/templates/pvc/pvc-api.yaml.j2
@@ -3,11 +3,40 @@
 # {{ ansible_managed }}
 pvc:
     coordinators:
-{% for node in pvc_nodes if node.is_coordinator %}
-        - {{ node.hostname }}.{{ pvc_cluster_domain }}
-{% endfor %}
     api:
         listen_address: "{{ pvc_api_listen_address }}"
         listen_port: "{{ pvc_api_listen_port }}"
         authentication:
             key: "{{ pvc_api_authentication_key }}"
+
+pvc:
+    coordinators:
+{% for node in pvc_nodes if node.is_coordinator %}
+        - {{ node.hostname }}
+{% endfor %}
+    # api: Configuration of the API listener
+    api:
+        # listen_address: IP address(es) to listen on; use 0.0.0.0 for all interfaces
+        listen_address: "{{ pvc_api_listen_address }}"
+        # listen_port: TCP port to listen on, usually 7370
+        listen_port: "{{ pvc_api_listen_port }}"
+        # authentication: Authentication and security settings
+        authentication:
+            # enabled: Enable or disable authentication (True/False)
+            enabled: {{ pvc_api_enable_authentication }}
+            # secret_key: Per-cluster secret key for API cookies; generate with uuidgen or pwgen
+            secret_key: "{{ pvc_api_secret_key }}"
+            # tokens: a list of authentication tokens; leave as an empty list to disable authentication
+            tokens:
+{% for token in pvc_api_tokens %}
+				- description: "{{ token.description }}"
+				  token: "{{ token.token }}"
+{% endfor %}
+        # ssl: SSL configuration
+        ssl:
+            # enabled: Enabled or disable SSL operation (True/False)
+            enabled: {{ pvc_api_enable_ssl }}
+            # cert_file: SSL certificate file
+            cert_file: "/etc/pvc/api-cert.pem"
+            # key_file: SSL certificate key file
+            key_file: "/etc/pvc/api-key.pem"