Adding Support for Custom Ctlog Keys and Config

roles/tas_single_node/defaults/main.yml

@@ -42,6 +42,12 @@ tas_single_node_meta_issuers: []
 
 tas_single_node_trillian_trusted_ca: ""
 
+# CTLog Custom Key Configuration
+tas_single_node_custom_ctlog_private_key: ""
+tas_single_node_custom_ctlog_public_key: ""
+tas_single_node_custom_ctlog_config: ""
+tas_single_node_remote_ctlog_key_deletion: true
+tas_single_node_custom_ctlog_ca_passphrase: ""
 # When adding or altering names for our images, consult the mapping in https://github.com/securesign/structural-tests
 # To avoid breaking our structural tests
 

roles/tas_single_node/tasks/certificates.yml

@@ -127,11 +127,27 @@
           -out '{{ tas_single_node_remote_fulcio_root_ca }}'
         creates: "{{ tas_single_node_remote_fulcio_root_ca }}"
 
-- name: Create CTLog root
+- name: Custom CTLog Root
+  when: ((certs_dir_files.files | selectattr('path', 'equalto', tas_single_node_remote_ctlog_private_key) | list | length) == 0
+    or (certs_dir_files.files | selectattr('path', 'equalto', tas_single_node_remote_ctlog_public_key) | list | length) == 0)
+    and ((tas_single_node_custom_ctlog_private_key != "" ) and (tas_single_node_custom_ctlog_public_key != ""))
+
+  block:
+    - name: Create Custom CTlog Private Key
+      ansible.builtin.shell:
+        cmd: >-
+          echo -n '{{ tas_single_node_custom_ctlog_private_key }}' >> "{{ tas_single_node_remote_ctlog_private_key }}"
+      changed_when: certs_dir_files.files | selectattr('path', 'equalto', tas_single_node_remote_ctlog_private_key) | list | length) == 1
+
+    - name: Create Custom CTlog Public Key
+      ansible.builtin.shell:
+        cmd: >-
+          echo -n '{{ tas_single_node_custom_ctlog_public_key }}' >> "{{ tas_single_node_remote_ctlog_public_key }}"
+      changed_when: certs_dir_files.files | selectattr('path', 'equalto', tas_single_node_remote_ctlog_public_key) | list | length) == 1
+- name: Generate CTLog root
   when: >
     (certs_dir_files.files | selectattr('path', 'equalto', tas_single_node_remote_ctlog_private_key) | list | length) == 0
     or (certs_dir_files.files | selectattr('path', 'equalto', tas_single_node_remote_ctlog_public_key) | list | length) == 0
-
   block:
     - name: Create CTLog private key
       ansible.builtin.shell:

roles/tas_single_node/tasks/podman/ctlog.yml

@@ -12,8 +12,15 @@
   register: remote_ctlog_certificates
 
 - name: Load ctlog config content
-  ansible.builtin.set_fact:
-    ctlog_config_content: "{{ lookup('ansible.builtin.template', 'configs/ctlog-config.j2') }}"
+  block:
+    - name: Use Custom Config
+      when: tas_single_node_custom_ctlog_config != ""
+      ansible.builtin.set_fact:
+        ctlog_config_content: '{{ tas_single_node_custom_ctlog_config }}'
+    - name: Use Template Ctlog Config
+      when: tas_single_node_custom_ctlog_config == ""
+      ansible.builtin.set_fact:
+        ctlog_config_content: "{{ lookup('ansible.builtin.template', 'configs/ctlog-config.j2') }}"
 
 - name: Create ctlog configmap
   ansible.builtin.copy:

roles/tas_single_node/templates/configs/ctlog-config.j2

@@ -1,2 +1,2 @@
 backends:{backend:{name:"trillian"  backend_spec:"{{ tas_single_node_trillian_logserver_pod }}-pod:{{ tas_single_node_trillian_logserver_port_rpc }}"}}  
-log_configs:{config:{log_id:{{ trillian_tree_id }}  prefix:"{{ tas_single_node_ct_logprefix }}"  roots_pem_file:"/ctfe-keys/fulcio-0"  private_key:{[type.googleapis.com/keyspb.PEMKeyFile]:{path:"/ctfe-keys/private"  password:"{{ tas_single_node_ctlog_ca_passphrase }}"}}  ext_key_usages:"CodeSigning"  log_backend_name:"trillian"}}
+log_configs:{config:{log_id:{{ trillian_tree_id }}  prefix:"{{ tas_single_node_ct_logprefix }}"  roots_pem_file:"/ctfe-keys/fulcio-0"  private_key:{[type.googleapis.com/keyspb.PEMKeyFile]:{path:"/ctfe-keys/private"  password:"{%- if tas_single_node_custom_ctlog_ca_passphrase != "" -%}{{ tas_single_node_custom_ctlog_ca_passphrase }}{%- else -%} {{tas_single_node_ctlog_ca_passphrase}} {%- endif -%}"}}  ext_key_usages:"CodeSigning"  log_backend_name:"trillian"}}