role: repositories: Add rhsm_environment and FIPS fix (#483)

* Add Satellite ovirt_repositories_rhsm_environment

* Fix ovirt_repositories_ca_rpm_url for fips

* add changelog

* Move install ca to sep file

* Fix FIPS install

* Add example

* Add force to install the sat ca

changelogs/fragments/483-repositories-add-rhsm_environment.yml

@@ -0,0 +1,3 @@
+---
+minor_changes:
+  - repositories - Add ovirt_repositories_rhsm_environment and FIPS fix (https://github.com/oVirt/ovirt-ansible-collection/pull/483).

roles/repositories/README.md

@@ -31,6 +31,8 @@ Role Variables
 | ovirt_repositories_ca_rpm_url              | UNDEF                 | The URL for Satellite rpm will set up host certificates. |
 | ovirt_repositories_ca_rpm_validate_certs   | UNDEF                 | If `False` it will ignore all SSL certificates for the `ovirt_repositories_ca_rpm_url`. |
 | ovirt_repositories_ca_rpm_disable_gpg_check| UNDEF                 | If `True` it will ignore all GPG check for the `ovirt_repositories_ca_rpm_url`. |
+| ovirt_repositories_rhsm_environment        | UNDEF                 | The Satellite environment to specify libraries. |
+
 
 Example Playbook
 ----------------
@@ -39,27 +41,27 @@ Example Playbook
 ---
 - name: Setup repositories using oVirt release package
   hosts: localhost
-
+  vars_files:
+    # Contains encrypted `username` and `password` variables using ansible-vault
+    - passwords.yml
   vars:
     ovirt_repositories_ovirt_release_rpm: http://resources.ovirt.org/pub/yum-repo/ovirt-master-release.rpm
 
   roles:
     - repositories
   collections:
     - @NAMESPACE@.@NAME@
+```
 
-- vars_files:
-    # Contains encrypted `username` and `password` variables using ansible-vault
-    - passwords.yml
-
+```yaml
 - name: Setup repositories using Subscription Manager
   hosts: localhost
 
   vars:
     ovirt_repositories_use_subscription_manager: True
     ovirt_repositories_force_register: True
-    ovirt_repositories_rh_username: "{{ovirt_repositories_rh_username}}"
-    ovirt_repositories_rh_password: "{{ovirt_repositories_rh_password}}"
+    ovirt_repositories_rh_username: "{{ ovirt_repositories_rh_username }}"
+    ovirt_repositories_rh_password: "{{ ovirt_repositories_rh_password }}"
     # The following pool IDs are not valid and should be replaced.
     ovirt_repositories_pool_ids:
       - 0123456789abcdef0123456789abcdef
@@ -69,16 +71,17 @@ Example Playbook
     - repositories
   collections:
     - @NAMESPACE@.@NAME@
+```
 
-
+```yaml
 - name: Setup repositories using Subscription Manager pool name
   hosts: localhost
 
   vars:
     ovirt_repositories_use_subscription_manager: True
     ovirt_repositories_force_register: True
-    ovirt_repositories_rh_username: "{{ovirt_repositories_rh_username}}"
-    ovirt_repositories_rh_password: "{{ovirt_repositories_rh_password}}"
+    ovirt_repositories_rh_username: "{{ ovirt_repositories_rh_username }}"
+    ovirt_repositories_rh_password: "{{ ovirt_repositories_rh_password }}"
     ovirt_repositories_pools:
       - "Red Hat Cloud Infrastructure, Premium (2-sockets)"
 
@@ -87,3 +90,43 @@ Example Playbook
   collections:
     - @NAMESPACE@.@NAME@
 ```
+
+```yaml
+- name: Setup repositories using Subscription Manager with Satellite using username and password
+  hosts: localhost
+
+  vars:
+    ovirt_repositories_use_subscription_manager: true
+    ovirt_repositories_ca_rpm_url: https://example.com/pub/katello-ca-consumer-latest.noarch.rpm
+    ovirt_repositories_ca_rpm_validate_certs: false
+    ovirt_repositories_ca_rpm_disable_gpg_check: true
+    ovirt_repositories_target_host: engine
+    ovirt_repositories_rhsm_environment: Library
+    ovirt_repositories_rh_password: "{{ ovirt_repositories_rh_username }}"
+    ovirt_repositories_rh_username: "{{ ovirt_repositories_rh_password }}"
+    ovirt_repositories_pool_ids:
+      - 8aa508b87f922c3b017f97a785a40068
+
+  roles:
+    - repositories
+  collections:
+    - @NAMESPACE@.@NAME@
+```
+
+```yaml
+- name: Setup repositories using Subscription Manager with Satellite using org and activationkey
+  hosts: localhost
+  vars:
+    ovirt_repositories_use_subscription_manager: true
+    ovirt_repositories_org: "4fc82b1a-7d80-44cf-8ef6-affd8c6daa4f"
+    ovirt_repositories_activationkey: "RHV_CDN_Host"
+    ovirt_repositories_ca_rpm_url: https://example.com/pub/katello-ca-consumer-latest.noarch.rpm
+    ovirt_repositories_ca_rpm_validate_certs: false
+    ovirt_repositories_ca_rpm_disable_gpg_check: true
+    ovirt_repositories_target_host: engine
+
+  roles:
+    - repositories
+  collections:
+    - @NAMESPACE@.@NAME@
+```

roles/repositories/tasks/install-satellite-ca.yml

@@ -0,0 +1,28 @@
+---
+
+- name: Install Satellite certificates wihtout FIPS
+  ansible.builtin.dnf:
+    name: "{{ ovirt_repositories_ca_rpm_url }}"
+    state: present
+    validate_certs: "{{ ovirt_repositories_ca_rpm_validate_certs | default(omit) }}"
+    disable_gpg_check: "{{ ovirt_repositories_ca_rpm_disable_gpg_check | default(omit) }}"
+  when: not ovirt_repositories_fips_enabled
+
+- name: Install Satellite certificates with FIPS block
+  block:
+    - name: Download Satellite certificate rpm
+      ansible.builtin.get_url:
+        url: "{{ ovirt_repositories_ca_rpm_url }}"
+        dest: /tmp/sat_ca.rpm
+        mode: '0644'
+        validate_certs: "{{ ovirt_repositories_ca_rpm_validate_certs | default(omit) }}"
+
+    - name: Install Satellite certificates with FIPS
+      ansible.builtin.command: "rpm -U --nodigest --nofiledigest --force /tmp/sat_ca.rpm" # noqa command-instead-of-module
+      changed_when: true
+
+    - name: Remove downloaded rpm
+      ansible.builtin.file:
+        path: /tmp/sat_ca.rpm
+        state: absent
+  when: ovirt_repositories_fips_enabled

roles/repositories/tasks/main.yml

@@ -10,8 +10,21 @@
   include_tasks: backup-repos.yml
   when: ovirt_repositories_repos_backup
 
+- name: Check if FIPS is enabled
+  ansible.builtin.command: cat /proc/sys/crypto/fips_enabled
+  changed_when: false
+  register: fips_check_command
+
+- name: Set FIPS enabled variable
+  ansible.builtin.set_fact:
+    ovirt_repositories_fips_enabled: "{{ fips_check_command.stdout == '1' }}"
+
 - name: Setup repositories
   block:
+    - name: Install Satellite CA
+      include_tasks: install-satellite-ca.yml
+      when: ovirt_repositories_ca_rpm_url is defined
+
     - name: Setup repositories using Subscription Manager
       include_tasks: rh-subscription.yml
       when: ovirt_repositories_org is not defined and ovirt_repositories_activationkey is not defined

roles/repositories/tasks/rh-subscription.yml

@@ -24,6 +24,7 @@
     --username {{ ovirt_repositories_rh_username }}
     --password {{ ovirt_repositories_rh_password }}
     {% if ovirt_repositories_force_register is defined and ovirt_repositories_force_register|bool %} --force {% endif %}
+    {% if ovirt_repositories_rhsm_environment is defined  %} --environment {{ ovirt_repositories_rhsm_environment }} {% endif %}
     {% if ovirt_repositories_rhsm_server_hostname is defined %} --serverurl {{ ovirt_repositories_rhsm_server_hostname }} {% endif %}
   changed_when: false
   no_log: true

roles/repositories/tasks/satellite-subscription.yml

@@ -4,14 +4,6 @@
     name: subscription-manager
     state: present
 
-- name: Install Satellite certificates
-  ansible.builtin.dnf:
-    name: "{{ ovirt_repositories_ca_rpm_url }}"
-    state: present
-    validate_certs: "{{ ovirt_repositories_ca_rpm_validate_certs | default(omit) }}"
-    disable_gpg_check: "{{ ovirt_repositories_ca_rpm_disable_gpg_check | default(omit) }}"
-  when: ovirt_repositories_ca_rpm_url is defined
-
 - name: Register to subscription manager
   ansible.builtin.command: |
     subscription-manager register