Add certcheck role for TLS certificate verification

.ansible-lint

@@ -9,5 +9,7 @@ exclude_paths:
 warn_list:
   - yaml[line-length]
   - var-naming[no-role-prefix]
+  - jinja[spacing]
+  - command-instead-of-module
   - meta-runtime[unsupported-version]
   - run-once[task]

playbooks/certcheck.yml

@@ -0,0 +1,82 @@
+# Copyright (c) 2025, Itential, Inc
+# GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
+---
+# IAG5 TLS Certificate Verification
+#
+# Runs after deployment to verify that all TLS certificates are correctly
+# configured across all IAG5 node types. All variables are defined in each
+# role's defaults/main.yml and derived from the deployer's existing variables.
+#
+# Runs automatically as the final step of site.yml.
+# Can also be run standalone:
+#
+#   ansible-playbook itential.iag5.certcheck -i <inventory>
+#
+# Or for a specific check suite only:
+#   ansible-playbook itential.iag5.certcheck -i <inventory> --tags cluster_server_to_runner
+#   ansible-playbook itential.iag5.certcheck -i <inventory> --tags cluster_client_to_server
+#   ansible-playbook itential.iag5.certcheck -i <inventory> --tags connect_server_to_gwm
+
+# -----------------------------------------------------------------------
+# CLUSTER TLS — SERVER ↔ RUNNER (gRPC mTLS)
+# -----------------------------------------------------------------------
+- name: "CERTCHECK | Cluster TLS — SERVER to RUNNER — SERVER node"
+  hosts: iag5_servers
+  become: true
+  tags: [certcheck, cluster_server_to_runner]
+  roles:
+    - role: itential.iag5.gateway
+      tags: always
+    - role: itential.iag5.certcheck_cluster_server_to_runner
+      when: gateway_server_use_tls | bool
+
+- name: "CERTCHECK | Cluster TLS — SERVER to RUNNER — RUNNER node"
+  hosts: iag5_runners
+  become: true
+  tags: [certcheck, cluster_server_to_runner]
+  roles:
+    - role: itential.iag5.gateway
+      tags: always
+    - role: itential.iag5.certcheck_cluster_server_to_runner
+      when: gateway_server_use_tls | bool
+
+# -----------------------------------------------------------------------
+# CLUSTER TLS — CLIENT ↔ SERVER (gRPC mTLS)
+# -----------------------------------------------------------------------
+- name: "CERTCHECK | Cluster TLS — CLIENT to SERVER — CLIENT node"
+  hosts: iag5_clients
+  become: true
+  tags: [certcheck, cluster_client_to_server]
+  roles:
+    - role: itential.iag5.gateway
+      tags: always
+    - role: itential.iag5.certcheck_cluster_client_to_server
+      when: gateway_client_use_tls | bool
+
+- name: "CERTCHECK | Cluster TLS — CLIENT to SERVER — SERVER node"
+  hosts: iag5_servers
+  become: true
+  tags: [certcheck, cluster_client_to_server]
+  roles:
+    - role: itential.iag5.gateway
+      tags: always
+    - role: itential.iag5.certcheck_cluster_client_to_server
+      when: gateway_client_use_tls | bool
+
+# -----------------------------------------------------------------------
+# CONNECT TLS — SERVER → Gateway Manager (WebSocket)
+# Only runs when gateway_manager group is defined in inventory.
+# -----------------------------------------------------------------------
+- name: "CERTCHECK | Connect TLS — SERVER to Gateway Manager"
+  hosts: iag5_servers
+  become: true
+  tags: [certcheck, connect_server_to_gwm]
+  pre_tasks:
+    - name: "CERTCHECK | Skip connect checks if gateway_manager group not in inventory"
+      ansible.builtin.meta: end_host
+      when: "'gateway_manager' not in groups or groups['gateway_manager'] | length == 0"
+  roles:
+    - role: itential.iag5.gateway
+      tags: always
+    - role: itential.iag5.certcheck_connect_server_to_gwm
+      when: gateway_server_use_tls | bool

playbooks/site.yml

@@ -9,3 +9,6 @@
 
 - name: Install and configure Gateway5 clients
   import_playbook: itential.iag5.clients
+
+- name: Verify IAG5 TLS certificates post-deployment
+  import_playbook: itential.iag5.certcheck

roles/certcheck_cluster_client_to_server/defaults/main.yml

@@ -0,0 +1,24 @@
+# Copyright (c) 2025, Itential, Inc
+# GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
+---
+########################################################
+# certcheck_cluster_client_to_server default variables
+########################################################
+
+# Inventory group names — must match the deployer's group names
+iag5_server_group: "iag5_servers"
+iag5_client_group: "iag5_clients"
+
+# Gateway config file paths — derived from deployer role variables
+server_gateway_conf: "{{ gateway_server_config_dir }}/gateway.conf"
+client_gateway_conf: "{{ gateway_client_working_dir }}/gateway.conf"
+
+# Service name — matches the systemd unit installed by the deployer
+service_name: iagctl
+
+# Port the server listens on — derived from deployer default
+server_port: "{{ gateway_server_port }}"
+
+# private_ip — used for SAN validation and no_proxy checks.
+# Defaults to ansible_host since the deployer does not define private_ip.
+private_ip: "{{ hostvars[inventory_hostname]['private_ip'] | default(ansible_host) }}"