chore(certs): Create an Ansible playbook for generating certificate signing requests

[martyngigg]

Summary

The old method for generating new requests for SSL/TLS certificates was clunky and involved copy the key locally and running an openssl command. This has been replaced with an Ansible playbook that:

• has access to the certificate key in the Vault
• knows the domain name when the correct inventory is selected
• is much more familiar from working with the rest of the deployment setup.

Documentation has been updated.

Summary by CodeRabbit

• Documentation

  • Added certificate management reference to deployment documentation.

• Chores

  • Updated certificate and key file handling in configuration management.
  • Introduced automated certificate signing request generation capability.

[coderabbitai]

📝 Walkthrough

Walkthrough

This pull request migrates certificate signing request generation from static configuration files in the certs/ directory to an automated Ansible playbook. The new infrastructure generates CSRs dynamically on localhost with parameterised paths and private keys, whilst documentation is updated to reflect the changed structure and old patterns are removed.

Changes

Certificate management infrastructure migration

Layer / File(s)	Summary
Automated CSR generation via Ansible infra/ansible/site_csr.yml, infra/ansible/.gitignore	New Ansible playbook uses community.crypto.openssl_csr to generate certificate signing requests on localhost, parameterising the output path and private key from variables. CSR subject fields (country, region, organisation, common name) are configured with the common name derived from a top_level_domain variable. The Ansible .gitignore is updated to exclude generated *.csr files.
Documentation and configuration cleanup certs/.gitignore, docs-devel/readme.md, docs-devel/deployment/index.md	Removes *.csr and *.key patterns from the certs/ directory .gitignore as they are no longer needed. Repository documentation is updated to remove the certs/ directory from the top-level monorepo structure listing. A new "Certificates" section is added to the deployment documentation with a link to existing certificate management details.

Possibly related PRs

• ISISNeutronMuon/analytics-data-platform#214: Affects the same certificate configuration files and documentation (certs/dev-analytics.isis.cclrc.ac.uk/2026-01/dev-analytics_isis_cclrc_ac_uk.cnf and certs/README.md).

Poem

🐰 The certs hop from folder to playbook so bright,
Ansible orchestrates signing requests in flight!
Old configs retire with a gitignore sweep,
Documentation's refreshed, the infra runs deep.
Automation hops forward—no static files to keep! 🔐

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: introducing an Ansible playbook for generating certificate signing requests, which is the primary objective of the PR.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@infra/ansible/site_csr.yml`:
- Around line 7-14: The CSR task using community.crypto.openssl_csr currently
sets common_name from top_level_domain but omits subject_alt_name; update the
task that defines community.crypto.openssl_csr (the block with path,
privatekey_content, country_name, state_or_province_name, organization_name,
organizational_unit_name, common_name) to add a subject_alt_name parameter that
includes a DNS entry for the same top_level_domain (e.g. subject_alt_name:
"DNS:{{ top_level_domain }}"), ensuring the generated CSR contains a DNS SAN
matching common_name.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 43c271b8-b866-4156-a925-e0d31d8c76de

📥 Commits

Reviewing files that changed from the base of the PR and between b93399d and 8462044.

📒 Files selected for processing (8)

• certs/.gitignore
• certs/README.md
• certs/analytics.isis.cclrc.ac.uk/2025-06/analytics_isis_cclrc_ac_uk.cnf
• certs/dev-analytics.isis.cclrc.ac.uk/2026-01/dev-analytics_isis_cclrc_ac_uk.cnf
• docs-devel/deployment/index.md
• docs-devel/readme.md
• infra/ansible/.gitignore
• infra/ansible/site_csr.yml

💤 Files with no reviewable changes (5)

• docs-devel/readme.md
• certs/README.md
• certs/.gitignore
• certs/dev-analytics.isis.cclrc.ac.uk/2026-01/dev-analytics_isis_cclrc_ac_uk.cnf
• certs/analytics.isis.cclrc.ac.uk/2025-06/analytics_isis_cclrc_ac_uk.cnf