From f79fb605de34b5db1cd716d649bdfe8ffc1d722c Mon Sep 17 00:00:00 2001
From: "Joshua M. Boniface"
Date: Fri, 1 Sep 2023 15:42:24 -0400
Subject: [PATCH] Support using existing SSL certs on system
Add the additional pvc_api_ssl_cert_path and pvc_api_ssl_key_path group_vars options, which can be used to set the SSL details to existing files on the filesystem if desired. If these are empty (or nonexistent), the original pvc_api_ssl_cert and pvc_api_ssl_key raw format options will be used as they were. Allows the administrator to use outside methods (such as Let's Encrypt) to obtain the certs locally on the system, avoiding changes to the group_vars and redeployment to manage SSL keys.
---
 group_vars/default/pvc.yml | 17 +++++++++++++++--
 roles/pvc/tasks/pvc/main.yml | 4 ++--
 roles/pvc/templates/pvc/pvcapid.yaml.j2 | 8 ++++++++
 3 files changed, 25 insertions(+), 4 deletions(-)
diff --git a/group_vars/default/pvc.yml b/group_vars/default/pvc.yml
index 0c63820..1eb4138 100644
--- a/group_vars/default/pvc.yml
+++ b/group_vars/default/pvc.yml
@@ -22,17 +22,30 @@
 #pvc_fence_failed_action: None # What to do with VMs when a fence is failed (migrate, None) - migrate is DANGEROUS without pvc_suicide_intervals set to < pvc_fence_intervals
 #pvc_fence_migrate_target_selector: mem # The selector to use for migrating VMs after a fence
-# Client API configuration
+# Client API basic configuration
 pvc_api_listen_address: "{{ pvc_upstream_floatingip }}"
 pvc_api_listen_port: "7370"
+pvc_api_secret_key: "" # Use pwgen to generate
+
+# Client API user tokens
+# Create a token (random UUID or password) for each user you wish to have access to the PVC API.
+# The first token will always be used for the "local" connection, and thus at least one token MUST be defined.
 pvc_api_enable_authentication: True
-pvc_api_secret_key: ""
 pvc_api_tokens:
 - description: "myuser"
 token: "a3945326-d36c-4024-83b3-2a8931d7785a"
+
+# PVC API SSL configuration
+# Use these options to enable SSL for the API listener, providing security over WAN connections.
+# There are two options for defining the SSL certificate and key to use:
+# a) Set both pvc_api_ssl_cert_path and pvc_api_ssl_key_path to paths to an existing SSL combined (CA + cert) certificate and key, respectively, on the system.
+# b) Set both pvc_api_ssl_cert and pvc_api_ssl_key to the raw PEM-encoded contents of an SSL combined (CA + cert) certificate and key, respectively, which will be installed under /etc/pvc.
+# If the _path options are non-empty, the raw entries are ignored and will not be used.
 pvc_api_enable_ssl: False
+pvc_api_ssl_cert_path:
 pvc_api_ssl_cert: > # A RAW CERTIFICATE FILE, installed to /etc/pvc/api-cert.pem
+pvc_api_ssl_key_path:
 pvc_api_ssl_key: > # A RAW KEY FILE, installed to /etc/pvc/api-key.pem
diff --git a/roles/pvc/tasks/pvc/main.yml b/roles/pvc/tasks/pvc/main.yml
index e806db9..5ad1c50 100644
--- a/roles/pvc/tasks/pvc/main.yml
+++ b/roles/pvc/tasks/pvc/main.yml
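Review bot: The new `pvc_api_ssl_cert_path:` and `pvc_api_ssl_key_path:` entries are bare keys, which YAML loads as null rather than the "empty" value the comment above them describes; null still satisfies the `not` test in the role, but an explicit `pvc_api_ssl_cert_path: ""` / `pvc_api_ssl_key_path: ""` matches the comment, satisfies yamllint's empty-values rule, and is harder to misread as a value the administrator must fill in. The option (a) comment should also warn about the two operational requirements of pointing at externally managed files: the daemon's user must be able to read the key file, and nothing in this patch reloads pvcapid when an outside tool renews the files, so something like `# Both files must be readable by the user pvcapid runs as; if an external tool (e.g. certbot) renews them, restart pvcapid afterwards.` belongs here. I cannot see the daemon's service definition in this patch, so confirm the restart requirement against it.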
@@ -27,7 +27,7 @@
 dest: /etc/pvc/api-cert.pem
 mode: 0644
 no_log: True
- when: pvc_api_enable_ssl
+ when: pvc_api_enable_ssl and not pvc_api_ssl_cert_path
 - name: install API SSL key file
 copy:
@@ -35,7 +35,7 @@
 dest: /etc/pvc/api-key.pem
 mode: 0640
 no_log: True
- when: pvc_api_enable_ssl
+ when: pvc_api_enable_ssl and not pvc_api_ssl_key_path
 - name: stop and disable unneccessary services
 service:
diff --git a/roles/pvc/templates/pvc/pvcapid.yaml.j2 b/roles/pvc/templates/pvc/pvcapid.yaml.j2
index bb51696..9502933 100644
--- a/roles/pvc/templates/pvc/pvcapid.yaml.j2
+++ b/roles/pvc/templates/pvc/pvcapid.yaml.j2
@@ -30,9 +30,17 @@ pvc:
 # enabled: Enabled or disable SSL operation (True/False)
 enabled: {{ pvc_api_enable_ssl }}
 # cert_file: SSL certificate file
+{% if pvc_api_ssl_cert_path is defined and pvc_api_ssl_cert_path %}
+ cert_file: "{{ pvc_api_ssl_cert_path }}"
+{% else %}
 cert_file: "/etc/pvc/api-cert.pem"
+{% endif %}
 # key_file: SSL certificate key file
+{% if pvc_api_ssl_key_path is defined and pvc_api_ssl_key_path %}
+ key_file: "{{ pvc_api_ssl_key_path }}"
+{% else %}
 key_file: "/etc/pvc/api-key.pem"
+{% endif %}
 # provisioner: Configuration of the Provisioner API listener
 provisioner:
 # database: Backend database configuration
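Review bot: The new condition `when: pvc_api_enable_ssl and not pvc_api_ssl_cert_path` fails with an undefined-variable error on any inventory whose group_vars predate this change, whereas the template guards the same variable with `is defined`; the task and the template should agree. `when: pvc_api_enable_ssl and not (pvc_api_ssl_cert_path | default(''))` keeps the copy running when the variable is absent, null or empty, which is the fallback the commit message promises for "nonexistent" options but this `when` does not deliver. The copy task's `src` and the task name begin before the hunk.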
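Review bot: The key task is gated on `pvc_api_ssl_key_path` alone and the cert task on `pvc_api_ssl_cert_path` alone, so setting only one of them produces a mismatched pair: the rendered pvcapid.yaml then points at a system certificate next to the raw key copied to /etc/pvc/api-key.pem (or the reverse), and the TLS listener fails at start-up instead of at deploy time. The group_vars comment already requires both paths to be set together, so an assert before these copy tasks turns that requirement into a play failure with a clear message. The `| default('')` is needed for the same reason as on the cert task: inventories without the new variable should skip, not error.

```yaml
- name: check that the API SSL path options are set together
  assert:
    that:
      - (pvc_api_ssl_cert_path | default('') | length > 0) == (pvc_api_ssl_key_path | default('') | length > 0)
    fail_msg: "pvc_api_ssl_cert_path and pvc_api_ssl_key_path must both be set or both be empty"
  when: pvc_api_enable_ssl
# … unchanged: install API SSL key file task …
```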
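Review bot: When a path is configured the template writes it into pvcapid.yaml verbatim, but nothing in the role checks that the file exists or is readable by the process that will open it, so a typo, or a key under a root-only directory such as certbot's /etc/letsencrypt/live, only surfaces as a failed API start rather than a failed play. A `stat` on both paths registered and checked before the template task would make this a deploy-time error; I cannot see which user pvcapid runs as, so the readability check has to be confirmed against the service definition. The inline comment should at least carry the requirement: `# key_file: SSL certificate key file (must be readable by the user pvcapid runs as)`. The `ssl:` mapping these keys belong to begins before the hunk.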