Auto-detect and normalize installer certificates

.github/workflows/test.yml

@@ -58,7 +58,6 @@ jobs:
       matrix:
         certificate_source:
           - default
-          - installer
         security:
           - none
         database:
@@ -68,9 +67,6 @@ jobs:
           - centos/stream10
         iop:
           - enabled
-        exclude:
-          - certificate_source: installer
-            box: centos/stream10
         include:
           - certificate_source: default
             security: fapolicyd
@@ -116,10 +112,6 @@ jobs:
       - name: Configure repositories
         run: |
           ./forge setup-repositories
-      - name: Create installer certificates
-        if: contains(matrix.certificate_source, 'installer')
-        run: |
-          ./forge installer-certs
       - name: Create custom certificates
         if: matrix.certificate_source == 'custom_server'
         run: |
@@ -309,13 +301,86 @@ jobs:
           ## If no one connects after 5 minutes, shut down server.
           wait-timeout-minutes: 5
 
+  migration:
+    strategy:
+      fail-fast: false
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v6
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: '3.12'
+      - name: Setup libvirt for Vagrant
+        uses: voxpupuli/setup-vagrant@v0
+      - name: Install Ansible
+        run: pip install --upgrade ansible-core
+      - name: Setup environment
+        run: ./setup-environment
+      - name: Start VMs
+        run: |
+          ./forge vms start --vms "quadlet client"
+      - name: Configure repositories
+        run: |
+          ./forge setup-repositories
+      - name: Mock foreman-installer environment
+        run: |
+          ./forge mock-installer
+      - name: Run image pull
+        run: |
+          ./foremanctl pull-images
+      - name: Run migration preview
+        run: |
+          mkdir -p .var/lib/foremanctl
+          ./foremanctl migrate
+      - name: Run migration
+        run: |
+          ./foremanctl migrate --apply
+      - name: Run deployment
+        run: |
+          ./foremanctl deploy \
+            --tuning development \
+            --add-feature hammer \
+            --add-feature foreman-proxy \
+            --add-feature azure-rm \
+            --add-feature google \
+            --add-feature remote-execution
+      - name: Run tests
+        run: |
+          ./forge test
+      - name: Run smoker
+        run: |
+          ./forge smoker
+      - name: Archive smoker report
+        if: ${{ always() }}
+        uses: actions/upload-artifact@v7
+        with:
+          name: smoker-migration
+          path: "/home/runner/smoker/report/"
+      - name: Generate sos reports
+        if: ${{ always() }}
+        run: ./forge sos
+      - name: Archive sos reports
+        if: ${{ always() }}
+        uses: actions/upload-artifact@v7
+        with:
+          name: sosreport-migration
+          path: sos/
+      - name: Setup upterm session
+        if: ${{ failure() }}
+        uses: owenthereal/action-upterm@v1
+        with:
+          limit-access-to-actor: true
+          wait-timeout-minutes: 5
+
   # A dummy job that you can mark as a required check instead of each individual test
   test-suite:
     if: always()
     needs:
       - tests
       - devel-tests
       - upgrade
+      - migration
       - ansible-lint
       - python-lint
     runs-on: ubuntu-latest

development/playbooks/deploy-dev/deploy-dev.yaml

@@ -5,7 +5,7 @@
   vars_files:
     - "../../../src/vars/defaults.yml"
     - "../../../src/vars/flavors/{{ flavor }}.yml"
-    - "../../../src/vars/{{ certificates_source }}_certificates.yml"
+    - "../../../src/vars/certificates.yml"
     - "../../../src/vars/images.yml"
     - "../../../src/vars/database.yml"
     - "../../../src/vars/foreman.yml"

development/playbooks/mock-installer/mock-installer.yaml

@@ -0,0 +1,7 @@
+---
+- name: Mock foreman-installer environment for migration testing
+  hosts:
+    - quadlet
+  become: true
+  roles:
+    - mock_foreman_installer

development/roles/mock_foreman_installer/tasks/main.yml

@@ -0,0 +1,34 @@
+---
+- name: Enable foreman-installer PR 935 Copr repo
+  community.general.copr:
+    host: copr.fedorainfracloud.org
+    state: enabled
+    name: packit/theforeman-foreman-installer-935
+    chroot: rhel-9-x86_64
+
+- name: Install foreman-installer package
+  ansible.builtin.package:
+    name: foreman-installer-katello
+
+# utilize https://github.com/theforeman/foreman-installer/pull/935
+- name: Generate certs
+  ansible.builtin.command: foreman-certs --apache true --foreman true --candlepin true --iop true
+  changed_when: false
+
+- name: Create installer scenarios directory
+  ansible.builtin.file:
+    path: /etc/foreman-installer/scenarios.d
+    state: directory
+    mode: '0755'
+
+- name: Place answers file fixture
+  ansible.builtin.copy:
+    src: "{{ playbook_dir }}/../../../tests/fixtures/installer-answers/katello-answers.yaml"
+    dest: /etc/foreman-installer/scenarios.d/katello-answers.yaml
+    mode: '0600'
+
+- name: Place scenario file fixture
+  ansible.builtin.copy:
+    src: "{{ playbook_dir }}/../../../tests/fixtures/installer-answers/last_scenario.yaml"
+    dest: /etc/foreman-installer/scenarios.d/last_scenario.yaml
+    mode: '0644'

docs/iop.md

@@ -122,18 +122,12 @@ Set in the playbook vars or inventory to match your Foreman deployment:
 
 ### Certificates
 
-Gateway certificates are configured per certificate source:
+Gateway certificates use the default certificate paths:
 
-**Default certificates** (`certificate_source: default`):
 - Server: `/var/lib/foremanctl/certs/certs/localhost.crt`
 - Client: `/var/lib/foremanctl/certs/certs/localhost-client.crt`
 - CA: `/var/lib/foremanctl/certs/certs/ca.crt`
 
-**Installer certificates** (`certificate_source: installer`):
-- Server: `/root/ssl-build/localhost/localhost-iop-core-gateway-server.crt`
-- Client: `/root/ssl-build/localhost/localhost-iop-core-gateway-client.crt`
-- CA: `/root/ssl-build/katello-default-ca.crt`
-
 ### Container Images
 
 All IOP images default to `quay.io/iop/<service>:foreman-3.18`. Each role exposes `iop_<role>_container_image` and `iop_<role>_container_tag` variables to override.

docs/migration-guide.md

@@ -4,7 +4,7 @@
 
 When upgrading from foreman-installer to foremanctl, the `foremanctl migrate` command helps convert your existing configuration to the new format.
 
-This guide explains how to migrate your foreman-installer answer files to foremanctl configuration files.
+By default, `foremanctl migrate` previews the migration without making any changes. Use `--apply` to perform the actual migration.
 
 ## Prerequisites
 
@@ -25,46 +25,69 @@ Before migrating, ensure the following:
 
 ## Migration Workflow
 
-1. **Generate the migrated configuration**:
+1. **Preview the migration** (no changes are made):
    ```bash
-   foremanctl migrate --output /var/lib/foremanctl/parameters.yaml
+   foremanctl migrate
    ```
 
 2. **Review the output** for any warnings about unmapped parameters
 
-3. **Use the migrated configuration** with foremanctl:
+3. **Apply the migration** when satisfied:
+   ```bash
+   foremanctl migrate --apply
+   ```
+
+4. **Deploy using foremanctl**:
    ```bash
    foremanctl deploy
    ```
-   (foremanctl automatically loads configuration from `/var/lib/foremanctl/parameters.yaml`)
 
 ## Command Usage
 
-### Basic Migration
+### Preview Migration
 
-Migrate from the default location (reads the currently active scenario):
+Preview the migrated configuration without making any changes:
 ```bash
-foremanctl migrate --output /var/lib/foremanctl/parameters.yaml
+foremanctl migrate
 ```
 
+This shows:
+- Mapped answer file parameters and their new values
+- Unmappable parameters that need manual review
+- Certificate state detected on the system
+
+### Apply Migration
+
+Perform the actual migration:
+```bash
+foremanctl migrate --apply
+```
+
+This:
+- Writes migrated parameters to the foremanctl configuration
+- Normalizes installer certificates into `/var/lib/foremanctl/certs/`
+- Backs up the original `/root/ssl-build/` directory to `/root/ssl-build.bak/`
+
 ### Custom Answer File
 
 Migrate from a specific answer file:
 ```bash
-foremanctl migrate --answer-file /path/to/custom-answers.yaml --output /var/lib/foremanctl/parameters.yaml
+foremanctl migrate --answer-file /path/to/custom-answers.yaml
+foremanctl migrate --apply --answer-file /path/to/custom-answers.yaml
 ```
 
-### Output to stdout
+### Write to a Custom Path
 
-Preview the migrated configuration without writing a file:
+Write the migrated parameters to a specific file for inspection:
 ```bash
-foremanctl migrate
+foremanctl migrate --output /tmp/migrated.yaml
 ```
 
 ## Command Options
 
+- `--apply` - Perform the migration. Without this flag, only previews what would happen.
 - `--answer-file PATH` - Path to the foreman-installer answer file. If not specified, reads the currently active scenario and extracts the answer file path from it.
-- `--output PATH` - Path for the migrated configuration (default: stdout)
+- `--output PATH` - Path for the migrated configuration. If not specified and `--apply` is used, writes to the foremanctl configuration.
 
 > [!NOTE]
 > Unlike other `foremanctl` commands, migrate does not persist parameters between runs. Each migration is independent.
@@ -117,20 +140,9 @@ These parameters need to be manually reviewed and added to the new configuration
 
 ## Using the Migrated Configuration
 
-Once you've generated and reviewed the migrated configuration:
-
-1. **Save it to the foremanctl parameters file**:
-   ```bash
-   # Either generate directly to the parameters file
-   foremanctl migrate --output /var/lib/foremanctl/parameters.yaml
-
-   # Or copy after review
-   foremanctl migrate --output /tmp/migrated.yaml
-   # Review /tmp/migrated.yaml
-   cp /tmp/migrated.yaml /var/lib/foremanctl/parameters.yaml
-   ```
+Once you've applied the migration:
 
-2. **Deploy using foremanctl**:
+1. **Deploy using foremanctl**:
    ```bash
    foremanctl deploy
    ```