Only pass in Candlepin secrets instead of full configs

src/roles/candlepin/defaults/main.yml

@@ -1,17 +1,6 @@
 ---
 candlepin_ssl_port: 23443
 candlepin_hostname: localhost
-candlepin_tls_versions:
-  - "TLSv1.2"
-candlepin_ciphers:
-  - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
-  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-  - TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
-  - TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
-  - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-  - TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
-  - TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
 candlepin_container_image: quay.io/foreman/candlepin
 candlepin_container_tag: "4.4.14"
 candlepin_registry_auth_file: /etc/foreman/registry-auth.json

src/roles/candlepin/tasks/main.yml

@@ -14,36 +14,27 @@
   ansible.builtin.include_tasks:
     file: certs.yml
 
-- name: Create Candlepin configuration
+- name: Create DB URL secret
   containers.podman.podman_secret:
     state: present
-    name: candlepin-candlepin-conf
-    data: "{{ lookup('ansible.builtin.template', 'candlepin.conf.j2') }}"
-    labels:
-      filename: candlepin.conf
-      app: candlepin
+    name: candlepin-db-url
+    data: "jdbc:postgresql://{{ candlepin_database_host }}:{{ candlepin_database_port }}/{{ candlepin_database_name }}?sslmode={{ candlepin_database_ssl_mode }}{% if candlepin_database_ssl_ca is defined %}&sslrootcert={{ candlepin_database_ssl_ca_path }}{% endif %}"
   notify:
     - Restart candlepin
 
-- name: Create Tomcat server.xml
+- name: Create DB URL secret
   containers.podman.podman_secret:
     state: present
-    name: candlepin-tomcat-server-xml
-    data: "{{ lookup('ansible.builtin.template', 'server.xml.j2') }}"
-    labels:
-      filename: server.xml
-      app: tomcat
+    name: candlepin-db-username
+    data: "{{ candlepin_database_user }}"
   notify:
     - Restart candlepin
 
-- name: Create Tomcat server configuration
+- name: Create DB URL secret
   containers.podman.podman_secret:
     state: present
-    name: candlepin-tomcat-conf
-    data: "{{ lookup('ansible.builtin.template', 'tomcat.conf') }}"
-    labels:
-      filename: tomcat.conf
-      app: tomcat
+    name: candlepin-db-password
+    data: "{{ candlepin_database_password }}"
   notify:
     - Restart candlepin
 
@@ -55,6 +46,14 @@
   notify:
     - Restart candlepin
 
+- name: Create oauth secret
+  containers.podman.podman_secret:
+    state: present
+    name: candlepin-oauth-secret
+    data: "{{ candlepin_oauth_secret }}"
+  notify:
+    - Restart candlepin
+
 - name: Pull the Candlepin container image
   containers.podman.podman_image:
     name: "{{ candlepin_container_image }}:{{ candlepin_container_tag }}"
@@ -73,10 +72,14 @@
       - 'candlepin-ca-cert,target=/etc/candlepin/certs/candlepin-ca.crt,mode=0440,type=mount'
       - 'candlepin-ca-key,target=/etc/candlepin/certs/candlepin-ca.key,mode=0440,type=mount'
       - 'candlepin-tomcat-keystore,target=/etc/candlepin/certs/keystore,mode=0440,type=mount'
-      - 'candlepin-candlepin-conf,target=/etc/candlepin/candlepin.conf,mode=0440,type=mount'
-      - 'candlepin-tomcat-server-xml,target=/etc/tomcat/server.xml,mode=440,type=mount'
-      - 'candlepin-tomcat-conf,target=/etc/tomcat/tomcat.conf,mode=440,type=mount'
+      - 'candlepin-tomcat-keystore-password,target=CANDLEPIN_KEYSTORE_PASSWORD,type=env'
       - 'candlepin-db-ca,target={{ candlepin_database_ssl_ca_path }},mode=0440,type=mount'
+      - 'candlepin-db-url,target=CANDLEPIN_DB_URL,type=env'
+      - 'candlepin-db-username,target=CANDLEPIN_DB_USERNAME,type=env'
+      - 'candlepin-db-password,target=CANDLEPIN_DB_PASSWORD,type=env'
+      - 'candlepin-oauth-secret,target=CANDLEPIN_OAUTH_SECRET,type=env'
+    env:
+      CANDLEPIN_PORT: "{{ candlepin_ssl_port }}"
     volumes:
       - /var/log/candlepin:/var/log/candlepin:Z
       - /var/log/tomcat:/var/log/tomcat:Z
@@ -90,7 +93,7 @@
         After=redis.service postgresql.service
         [Service]
         TimeoutStartSec=300
-    healthcheck: curl --fail --insecure https://localhost:23443/candlepin/status
+    healthcheck: "curl --fail --insecure https://localhost:{{ candlepin_ssl_port }}/candlepin/status"
     sdnotify: healthy
 
 - name: Run daemon reload to make Quadlet create the service files

src/vars/images.yml

@@ -20,8 +20,8 @@ iop_vulnerability_frontend_registry_auth_file: "{{ registry_auth_file }}"
 iop_advisor_frontend_registry_auth_file: "{{ registry_auth_file }}"
 
 container_tag_stream: "nightly"
-candlepin_container_image: quay.io/foreman/candlepin
-candlepin_container_tag: "foreman-{{ container_tag_stream }}"
+candlepin_container_image: quay.io/foreman/candlepin-stage
+candlepin_container_tag: on-pr-9a8f5cc0dbaffc38bd9f43273333fc0393e76df9
 foreman_container_image: quay.io/foreman/foreman
 foreman_container_tag: "{{ container_tag_stream }}"
 foreman_proxy_container_image: "quay.io/foreman/foreman-proxy"