crypto-policies / ipsilon: set policy to FEDORA40 on ipsilon servers

We need this policy to get bugzilla SAML2 auth working (for now) See https://pagure.io/fedora-infrastructure/issue/12321 Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2024-12-13 10:29:42 -08:00 · 2024-12-13 10:29:42 -08:00 · c11d415d86
commit c11d415d86
parent 97a87b6f86
1 changed files with 11 additions and 1 deletions
--- a/roles/base/tasks/crypto-policies.yml
+++ b/roles/base/tasks/crypto-policies.yml
@ -21,7 +21,7 @@

 - name: Set crypto-policy on fedora 33 and higher hosts back to default
  command: "update-crypto-policies --set DEFAULT"
-  when: "ansible_distribution_major_version|int >= 33 and (currentcryptopolicy.stdout.find('DEFAULT') == -1 or cryptopolicyapplied.rc != 0)"
+  when: "ansible_distribution_major_version|int >= 33 and (currentcryptopolicy.stdout.find('DEFAULT') == -1 or cryptopolicyapplied.rc != 0) and not inventory_hostname.startswith('ipsilon') "
  check_mode: no
  tags:
  - crypto-policies
@ -34,3 +34,13 @@
  tags:
  - crypto-policies
  - base/crypto-policies
+
+# see https://pagure.io/fedora-infrastructure/issue/12321
+# This is needed to get SAML2 auth working with bugzilla.redhat.com
+- name: Set crypto-policy on ipsilon servers to FEDORA40
+  command: "update-crypto-policies --set FEDORA40"
+  when: "inventory_hostname.startswith('ns') and (currentcryptopolicy.stdout.find('FEDORA40') == -1 or cryptopolicyapplied.rc != 0)"
+  check_mode: no
+  tags:
+  - crypto-policies
+  - base/crypto-policies