From 4c52d4603b423596cc71064f96327bda815d3348 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?=
Date: Thu, 10 Apr 2025 11:44:40 +0200
Subject: [PATCH] Deploy the new RabbitMQ CA in staging
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Aurélien Bompard
---
 roles/rabbitmq_cluster/tasks/main.yml | 48 +++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)

diff --git a/roles/rabbitmq_cluster/tasks/main.yml b/roles/rabbitmq_cluster/tasks/main.yml
index e462c24fd0..f0bd1fc556 100644
--- a/roles/rabbitmq_cluster/tasks/main.yml
+++ b/roles/rabbitmq_cluster/tasks/main.yml
@@ -35,6 +35,54 @@
 tags:
 - rabbitmq_cluster
 - config
+ when: "env == 'production'"
+
+- name: Create CA certs directory
+ ansible.builtin.file:
+ path: /etc/rabbitmq/cacerts/
+ owner: root
+ group: root
+ mode: 0755
+ state: directory
+ tags:
+ - rabbitmq_cluster
+ - config
+
+- name: Deploy CA certificate
+ ansible.builtin.copy:
+ src: "{{private}}/files/rabbitmq/{{env}}/pki/ca.crt"
+ dest: /etc/rabbitmq/cacerts/ca.crt
+ owner: root
+ group: root
+ mode: 0644
+ tags:
+ - rabbitmq_cluster
+ - config
+ when: "env == 'staging'"
+
+- name: Deploy CA certificate
+ ansible.builtin.copy:
+ src: "{{private}}/files/rabbitmq/{{env}}.old-2025-04/pki/ca.crt"
+ dest: /etc/rabbitmq/cacerts/ca.old.crt
+ owner: root
+ group: root
+ mode: 0644
+ tags:
+ - rabbitmq_cluster
+ - config
+ when: "env == 'staging'"
+
+- name: Build combined CA cert
+ ansible.builtin.assemble:
+ src: /etc/rabbitmq/cacerts/
+ dest: /etc/rabbitmq/ca.crt
+ owner: root
+ group: root
+ mode: 0644
+ tags:
+ - rabbitmq_cluster
+ - config
+ when: "env == 'staging'"

 - name: Create node cert directory
 ansible.builtin.file: path=/etc/rabbitmq/nodecert/ owner=root group=root mode=0755 state=directory
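Review bot: The `Build combined CA cert` task assembles every file found in `/etc/rabbitmq/cacerts/` into the trust bundle `/etc/rabbitmq/ca.crt`, so any stray or leftover file in that directory silently becomes part of the trusted CA set. Restrict the fragments with `regexp: '\.crt$'` on the `ansible.builtin.assemble` task, and plan the retirement of the old CA as an explicit `state: absent` task for `ca.old.crt`, because simply deleting the copy task later leaves the file on disk and in the bundle. Both copy tasks are named `Deploy CA certificate`; naming the second `Deploy old CA certificate` keeps play output and audit logs unambiguous. The unquoted `mode: 0755` and `mode: 0644` values would be more robust as strings, e.g. `mode: "0644"`. The task that gains `when: "env == 'production'"` starts above the hunk, so what it writes in production cannot be checked from here.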